From 7939f02d38249957e6be5891b026bc5d15f7fd24 Mon Sep 17 00:00:00 2001 
From: Paige Young
Date: Sun, 19 Apr 2026 20:07:13 +0200
Subject: [PATCH] Change current doc version to 7.0, create a 6.3 version, and re-use images
---
.../references-connectors/scim/index.md | 2 +- .../6.2/installation-guide/overview/index.md | 6 +- .../production-ready/agent/index.md | 4 +- .../production-ready/database/index.md | 2 +- .../production-ready/server/index.md | 8 +- .../installation-guide/quick-start/index.md | 8 +- .../installation-guide/reverse-proxy/index.md | 6 +- .../6.2/integration-guide/api/index.md | 2 +- .../integration-guide/api/pagination/index.md | 2 +- .../api/request-postman/index.md | 20 +- .../integration-guide/architecture/index.md | 2 +- .../architecture/on-prem/index.md | 2 +- .../index.md | 2 +- .../architecture/saas/index.md | 2 +- .../azuread-register/index.md | 12 +- .../configure-secured-options/index.md | 16 +- .../connections/index.md | 10 +- .../create-connector/entra-ID/index.md | 6 +- .../create-connector/index.md | 2 +- .../demoapp-banking/index.md | 4 +- .../configuration-details/demoapp-hr/index.md | 4 +- .../interact-gui-robotframework/index.md | 4 +- .../interact-web-page-robotframework/index.md | 4 +- .../powershell-fulfill/index.md | 14 +- .../scim-cyberark-export/index.md | 6 +- .../sharepoint-export/index.md | 4 +- .../entitypropertymapping-format/index.md | 4 +- .../6.2/integration-guide/connectors/index.md | 6 +- .../activedirectory/index.md | 12 +- .../references-connectors/azure/index.md | 2 +- .../references-connectors/csv/index.md | 4 +- .../references-connectors/easyvista/index.md | 4 +- .../easyvistaticket/index.md | 2 +- .../references-connectors/excel/index.md | 4 +- .../googleworkspace/index.md | 2 +- .../references-connectors/homefolder/index.md | 2 +- .../internalresources/index.md | 4 +- .../internalworkflow/index.md | 2 +- .../references-connectors/json/index.md | 2 +- .../references-connectors/ldap/index.md | 8 +- .../references-connectors/ldif/index.md | 2 +- .../microsoftentraid/index.md | 2 +-
.../microsoftexchange/index.md | 2 +- .../references-connectors/odata/index.md | 2 +- .../references-connectors/okta/index.md | 2 +- .../references-connectors/openldap/index.md | 2 +- .../powershellprov/index.md | 2 +- .../powershellsync/index.md | 2 +- .../references-connectors/racf/index.md | 2 +- .../robotframework/index.md | 2 +- .../references-connectors/saperp6/index.md | 10 +- .../sapnetweaver/index.md | 2 +- .../references-connectors/scim/index.md | 36 +- .../servicenowentitymanagement/index.md | 2 +- .../servicenowticket/index.md | 2 +- .../sharedfolder/index.md | 4 +- .../references-connectors/sharepoint/index.md | 2 +- .../references-connectors/sql/index.md | 18 +- .../sqlserverentitlements/index.md | 2 +- .../references-connectors/topsecret/index.md | 2 +- .../references-connectors/workday/index.md | 2 +- .../integration-guide/entity-model/index.md | 2 +- .../references/create-databaseviews/index.md | 2 +- .../references/export-configuration/index.md | 2 +- .../references/invoke-job/index.md | 2 +- .../references/manage-history/index.md | 2 +- .../prepare-synchronization/index.md | 2 +- .../governance/accesscertification/index.md | 2 +- .../reporting/analyze-powerbi/index.md | 2 +- .../reporting/connect-powerbi/index.md | 12 +- .../how-tos/analyze-powerbi/index.md | 2 +- .../how-tos/connect-powerbi/index.md | 12 +- .../governance/risks/index.md | 10 +- .../identity-repository/index.md | 6 +- .../on-offboarding/index.md | 2 +- .../position-change/index.md | 10 +- .../configure-okta/index.md | 12 +- .../network-configuration/index.md | 2 +- .../end-users-authentication/index.md | 4 +- .../network-configuration/settings/index.md | 4 +- .../assignments-of-entitlements/index.md | 4 +- .../configureindirectpermissions/index.md | 16 +- .../role-assignment/evaluate-policy/index.md | 26 +- .../existingassignmentsdeduction/index.md | 6 +- .../generate-contexts/index.md | 10 +- .../indirectpermissions/index.md | 2 +- .../role-assignment/role-model-rules/index.md | 
2 +- .../integration-guide/role-mining/index.md | 22 +- .../role-model/role-model-rules/index.md | 2 +- .../synchronization/upward-data-sync/index.md | 6 +- .../troubleshoot-connector-jobs/index.md | 2 +- .../toolkit/deploy-configuration/index.md | 2 +- .../toolkit/export-configuration/index.md | 2 +- .../toolkit/expressions/index.md | 6 +- .../6.2/integration-guide/toolkit/index.md | 2 +- .../toolkit/recommendations/index.md | 4 +- .../access-control/accesscontrolrule/index.md | 4 +- .../business-intelligence/universe/index.md | 8 +- .../index.md | 2 +- .../index.md | 2 +- .../assignprofileaccesscontrolrules/index.md | 2 +- .../index.md | 4 +- .../queries/reportaccesscontrolrules/index.md | 2 +- .../index.md | 2 +- .../index.md | 2 +- .../index.md | 2 +- .../index.md | 2 +- .../index.md | 2 +- .../index.md | 2 +- .../reviewrolesaccesscontrolrules/index.md | 2 +- .../index.md | 2 +- .../userinterfaces/manageaccounts/index.md | 2 +- .../workflowaccesscontrolrules/index.md | 4 +- .../workflowoverviewcontrolrules/index.md | 2 +- .../entitytypes/connectormappings/index.md | 2 +- .../queries/universedatamodel/index.md | 36 +- .../connectorsaccesscontrolrules/index.md | 2 +- .../servicenowresourcetypemapping/index.md | 2 +- .../settings/appdisplaysetting/index.md | 12 +- .../provisioning/automationrule/index.md | 2 +- .../provisioning/contextrule/index.md | 2 +- .../provisioning/recordsection/index.md | 2 +- .../provisioning/resourcetype/index.md | 40 +- .../user-interface/displayentitytype/index.md | 2 +- .../displaypropertygroup/index.md | 2 +- .../user-interface/displaytable/index.md | 6 +- .../user-interface/form/index.md | 26 +- .../aspects/addchangeaspect/index.md | 2 +- .../aspects/assertvalueaspect/index.md | 2 +- .../assertvaluerequiredaspect/index.md | 2 +- .../aspects/builduniquevalueaspect/index.md | 4 +- .../aspects/invokescriptaspect/index.md | 2 +- .../aspects/invokeworkflowaspect/index.md | 2 +- .../aspects/notificationaspect/index.md | 2 +- .../index.md 
| 4 +- .../workflowaddrecordentityform/index.md | 4 +- .../forms/workflowcreateentityform/index.md | 4 +- .../workflowcreaterecordentityform/index.md | 2 +- .../index.md | 2 +- .../forms/workfloweditentityform/index.md | 4 +- .../workflowupdaterecordentitiesform/index.md | 2 +- .../workflowupdaterecordentityform/index.md | 4 +- .../index.md | 4 +- .../ui/create-menu-items/index.md | 6 +- .../ui/custom-display-table/index.md | 6 +- .../ui/custom-search-bar/index.md | 4 +- .../ui/how-tos/create-menu-items/index.md | 6 +- .../ui/how-tos/custom-display-table/index.md | 6 +- .../ui/how-tos/custom-search-bar/index.md | 4 +- .../workflows/activity-templates/index.md | 14 +- .../workflow-create-mono/index.md | 8 +- .../workflow-create-multi/index.md | 6 +- .../workflow-update-mono/index.md | 4 +- .../workflow-update-multi/index.md | 4 +- .../workflow-update-resource/index.md | 6 +- .../introduction-guide/architecture/index.md | 4 +- .../overview/entitlement-management/index.md | 20 +- .../overview/governance/index.md | 2 +- .../overview/identity-management/index.md | 12 +- .../6.2/introduction-guide/overview/index.md | 8 +- .../certification-campaign-execution/index.md | 24 +- .../index.md | 18 +- .../administrate/assigned-roles/index.md | 4 +- .../manual-assignment-request/index.md | 16 +- .../property-reconciliation/index.md | 34 +- .../role-reconciliation/index.md | 26 +- .../unauthorized-account-review/index.md | 22 +- .../orphan-unused-account-review/index.md | 24 +- .../automatic-provisioning/index.md | 6 +- .../administrate/provisioning/index.md | 6 +- .../provisioning/manual-provisioning/index.md | 18 +- .../provisioning/provisioning-review/index.md | 54 +- .../administrate/reporting/index.md | 18 +- .../deploy/change-management/index.md | 6 +- .../directory-permissions/index.md | 12 +- .../iis-configuration/index.md | 16 +- .../iis-installation/index.md | 12 +- .../howto-maintaindirectory/index.md | 2 +- .../global-process/howto-newsystem/index.md | 2 +- 
.../global-process/howto-start/index.md | 2 +- .../individual-update/index.md | 14 +- .../mass-update/index.md | 22 +- .../multiple-update/index.md | 12 +- .../maintain/troubleshooting/index.md | 6 +- .../automate-role-assignment/index.md | 14 +- .../optimize/assignment-automation/index.md | 22 +- .../remove-redundant-assignments/index.md | 16 +- .../role-mining/index.md | 18 +- .../optimize/composite-role-creation/index.md | 12 +- .../optimize/hr-connector-creation/index.md | 20 +- .../identity-datamodel-modification/index.md | 14 +- .../index.md | 12 +- .../optimize/parameterized-role/index.md | 18 +- .../optimize/policy-creation/index.md | 6 +- .../optimize/risk-management/index.md | 14 +- .../user-guide/optimize/simulation/index.md | 28 +- .../categorization/classification/index.md | 24 +- .../categorization/correlation/index.md | 24 +- .../user-guide/set-up/categorization/index.md | 14 +- .../resource-type-creation/index.md | 10 +- .../set-up/configure-global-settings/index.md | 8 +- .../set-up/configure-workflows/index.md | 16 +- .../connection-creation/index.md | 20 +- .../connector-declaration/index.md | 10 +- .../connector-modeling/index.md | 36 +- .../datasheet-organization/index.md | 14 +- .../display-name-setting/index.md | 16 +- .../entity-type-declaration/index.md | 12 +- .../entity-type-creation/index.md | 4 +- .../key-selection/index.md | 4 +- .../navigation-property-definition/index.md | 18 +- .../scalar-property-definition/index.md | 16 +- .../user-guide/set-up/connect-system/index.md | 8 +- .../adjust-datamodel/index.md | 18 +- .../generate-unique-properties/index.md | 16 +- .../initial-identities-loading/index.md | 6 +- .../load-identities/index.md | 20 +- .../template-description/index.md | 2 +- .../navigation-property-computation/index.md | 30 +- .../resource-creation/index.md | 18 +- .../scalar-property-computation/index.md | 18 +- .../category-creation/index.md | 8 +- .../single-roles-catalog-creation/index.md | 18 +- 
.../role-manual-creation/index.md | 24 +- .../role-naming-rule-creation/index.md | 24 +- .../set-up/synchronization/index.md | 38 +- .../set-up/user-profile-assignment/index.md | 10 +- .../user-profile-configuration/index.md | 12 +- docs/identitymanager/6.3/_partials/README.md | 43 + .../6.3/_partials/argumentsexpression.mdx | 5 + .../_partials/contextrule-certification.mdx | 5 + .../_partials/ignoreHistorization-intro.mdx | 3 + .../6.3/_partials/parameterized-role.mdx | 5 + .../resourcetypemapping-identifier.mdx | 3 + docs/identitymanager/6.3/index.md | 22 + .../6.3/installation-guide/index.md | 24 + .../6.3/installation-guide/overview.md | 99 + .../production-ready/agent.md | 427 ++ .../production-ready/database.md | 64 + .../production-ready/email-server.md | 84 + .../production-ready/index.md | 36 + .../production-ready/server.md | 400 ++ .../production-ready/working-directory.md | 55 + .../6.3/installation-guide/quick-start.md | 81 + .../requirements/agent-requirements.md | 113 + .../requirements/database-requirements.md | 101 + .../requirements/device-requirements.md | 42 + .../installation-guide/requirements/index.md | 15 + .../requirements/server-requirements.md | 109 + .../6.3/installation-guide/reverse-proxy.md | 172 + .../integration-guide/api/authentication.md | 24 + .../6.3/integration-guide/api/index.md | 26 + .../6.3/integration-guide/api/pagination.md | 19 + .../integration-guide/api/request-postman.md | 95 + .../api/server/accesscertification.md | 162 + .../api/server/accesscontrol.md | 717 ++ .../api/server/connectors.md | 671 ++ .../6.3/integration-guide/api/server/files.md | 106 + .../6.3/integration-guide/api/server/index.md | 24 + .../6.3/integration-guide/api/server/job.md | 978 +++ .../integration-guide/api/server/metadata.md | 755 ++ .../api/server/provisioningentityinstance.md | 58 + .../api/server/provisioningpolicy.md | 2860 ++++++++ .../integration-guide/api/server/report.md | 111 + .../integration-guide/api/server/resource.md | 116 + 
.../api/server/resourcechange.md | 35 + .../api/server/resourcefilechange.md | 34 + .../api/server/resourcelinkchange.md | 35 + .../api/server/robots.txt.md | 14 + .../integration-guide/api/server/universes.md | 100 + .../integration-guide/api/server/workflows.md | 550 ++ .../6.3/integration-guide/api/squery.md | 202 + .../integration-guide/architecture/index.md | 55 + .../integration-guide/architecture/on-prem.md | 31 + .../protect-agent-server-communication.md | 121 + .../integration-guide/architecture/saas.md | 19 + .../integration-guide/architecture/sbom.md | 47 + ...rtificationcampaign_class_diagram.plantuml | 47 + ...ationcampaignpolicy_class_diagram.plantuml | 16 + ...ificationdatafilter_class_diagram.plantuml | 45 + ...sscertificationitem_class_diagram.plantuml | 72 + ...ficationownerfilter_class_diagram.plantuml | 26 + ...ntrolentityproperty_class_diagram.plantuml | 20 + ...sscontrolentitytype_class_diagram.plantuml | 15 + .../accesscontrolentry_class_diagram.plantuml | 32 + ...accesscontrolfilter_class_diagram.plantuml | 34 + ...sscontrolpermission_class_diagram.plantuml | 22 + ...ontrolpropertygroup_class_diagram.plantuml | 22 + .../accesscontrolrule_class_diagram.plantuml | 34 + .../diagrams/activity_class_diagram.plantuml | 57 + .../activityinstance_class_diagram.plantuml | 67 + .../activityinstancecc_class_diagram.plantuml | 20 + ...ivityinstancesactor_class_diagram.plantuml | 15 + .../activitytemplate_class_diagram.plantuml | 24 + ...tivitytemplatestate_class_diagram.plantuml | 58 + ...ytemplatetransition_class_diagram.plantuml | 25 + .../diagrams/agent_class_diagram.plantuml | 42 + ...ednavigationbinding_class_diagram.plantuml | 32 + .../diagrams/aspect_class_diagram.plantuml | 41 + ...signedcompositerole_class_diagram.plantuml | 72 + .../assignedprofile_class_diagram.plantuml | 31 + ...ignedresourcebinary_class_diagram.plantuml | 35 + ...signedresourceerror_class_diagram.plantuml | 17 + ...dresourcenavigation_class_diagram.plantuml | 54 + 
...ignedresourcescalar_class_diagram.plantuml | 44 + ...ssignedresourcetype_class_diagram.plantuml | 91 + .../assignedsinglerole_class_diagram.plantuml | 72 + ...associationinstance_class_diagram.plantuml | 29 + .../automationrule_class_diagram.plantuml | 55 + .../diagrams/binding_class_diagram.plantuml | 221 + .../bindingexpression_class_diagram.plantuml | 22 + .../diagrams/category_class_diagram.plantuml | 93 + .../diagrams/change_class_diagram.plantuml | 24 + .../compositerole_class_diagram.plantuml | 84 + .../compositerolerule_class_diagram.plantuml | 39 + ...positerolescategory_class_diagram.plantuml | 20 + .../configurationdll_class_diagram.plantuml | 10 + .../configurationfile_class_diagram.plantuml | 15 + ...nfigurationfileitem_class_diagram.plantuml | 18 + .../connection_class_diagram.plantuml | 44 + .../connectioncolumn_class_diagram.plantuml | 25 + .../connectionpackage_class_diagram.plantuml | 36 + .../connectiontable_class_diagram.plantuml | 24 + ...ctiontransformation_class_diagram.plantuml | 30 + .../diagrams/connector_class_diagram.plantuml | 66 + .../diagrams/context_class_diagram.plantuml | 34 + .../contextrule_class_diagram.plantuml | 45 + .../diagrams/dimension_class_diagram.plantuml | 43 + ...ayentityassociation_class_diagram.plantuml | 8 + ...splayentityproperty_class_diagram.plantuml | 62 + .../displayentitytype_class_diagram.plantuml | 28 + ...isplaypropertygroup_class_diagram.plantuml | 16 + .../displaytable_class_diagram.plantuml | 59 + .../displaytablecolumn_class_diagram.plantuml | 43 + ...ytabledesignelement_class_diagram.plantuml | 16 + .../entityassociation_class_diagram.plantuml | 32 + ...yassociationmapping_class_diagram.plantuml | 30 + .../entityinstance_class_diagram.plantuml | 48 + .../entityproperty_class_diagram.plantuml | 216 + ...ypropertyexpression_class_diagram.plantuml | 31 + ...titypropertymapping_class_diagram.plantuml | 19 + .../entitytype_class_diagram.plantuml | 314 + .../entitytypemapping_class_diagram.plantuml | 29 
+ .../diagrams/form_class_diagram.plantuml | 80 + .../formcontrol_class_diagram.plantuml | 86 + .../diagrams/formtype_class_diagram.plantuml | 15 + ...sscertificationitem_class_diagram.plantuml | 18 + .../homonymentitylink_class_diagram.plantuml | 33 + ...nymentitylinkfilter_class_diagram.plantuml | 24 + .../identifiedrisk_class_diagram.plantuml | 45 + .../diagrams/indicator_class_diagram.plantuml | 30 + .../indicatoritem_class_diagram.plantuml | 18 + ...ndirectresourcerule_class_diagram.plantuml | 32 + .../diagrams/inputtype_class_diagram.plantuml | 27 + .../diagrams/job_class_diagram.plantuml | 36 + .../jobinstance_class_diagram.plantuml | 34 + .../diagrams/jobstep_class_diagram.plantuml | 22 + .../diagrams/language_class_diagram.plantuml | 18 + .../diagrams/menuitem_class_diagram.plantuml | 48 + .../miningrule_class_diagram.plantuml | 37 + .../notification_class_diagram.plantuml | 33 + ...otificationinstance_class_diagram.plantuml | 21 + ...otificationtemplate_class_diagram.plantuml | 10 + .../openidclient_class_diagram.plantuml | 42 + .../outputtype_class_diagram.plantuml | 21 + ...sswordresetsettings_class_diagram.plantuml | 39 + .../pendingwork_class_diagram.plantuml | 13 + .../diagrams/pointcut_class_diagram.plantuml | 27 + .../diagrams/policy_class_diagram.plantuml | 155 + .../policysimulation_class_diagram.plantuml | 53 + .../diagrams/profile_class_diagram.plantuml | 41 + .../profilecontext_class_diagram.plantuml | 51 + .../profilerule_class_diagram.plantuml | 29 + .../profilerulecontext_class_diagram.plantuml | 35 + .../diagrams/recipient_class_diagram.plantuml | 36 + .../recordproperty_class_diagram.plantuml | 22 + .../recordsection_class_diagram.plantuml | 38 + .../reportquery_class_diagram.plantuml | 23 + .../diagrams/resource_class_diagram.plantuml | 176 + .../resourcebinaryrule_class_diagram.plantuml | 47 + .../resourcechange_class_diagram.plantuml | 18 + ...eclassificationrule_class_diagram.plantuml | 30 + 
...ourcecorrelationkey_class_diagram.plantuml | 17 + ...urcecorrelationrule_class_diagram.plantuml | 38 + .../resourcefile_class_diagram.plantuml | 24 + .../resourcefilechange_class_diagram.plantuml | 13 + .../resourcelink_class_diagram.plantuml | 22 + .../resourcelinkchange_class_diagram.plantuml | 10 + ...ourcenavigationrule_class_diagram.plantuml | 59 + ...urcepropertymapping_class_diagram.plantuml | 31 + .../resourcequeryrule_class_diagram.plantuml | 46 + .../resourceriskscore_class_diagram.plantuml | 11 + .../resourcescalarrule_class_diagram.plantuml | 51 + .../resourcetype_class_diagram.plantuml | 175 + ...resourcetypemapping_class_diagram.plantuml | 38 + .../resourcetyperule_class_diagram.plantuml | 45 + ...sourcetypescategory_class_diagram.plantuml | 20 + .../diagrams/risk_class_diagram.plantuml | 45 + .../diagrams/riskrule_class_diagram.plantuml | 27 + .../riskruleitem_class_diagram.plantuml | 45 + .../rolemapping_class_diagram.plantuml | 73 + .../rolemappingrule_class_diagram.plantuml | 21 + ...rolemappingruleitem_class_diagram.plantuml | 22 + .../scaffolding_class_diagram.plantuml | 69 + ...scaffoldingargument_class_diagram.plantuml | 34 + .../diagrams/searchbar_class_diagram.plantuml | 40 + .../searchbarcriterion_class_diagram.plantuml | 34 + ...rchbardesignelement_class_diagram.plantuml | 16 + .../diagrams/sequence_class_diagram.plantuml | 8 + .../diagrams/setting_class_diagram.plantuml | 11 + .../singlerole_class_diagram.plantuml | 107 + .../singlerolerule_class_diagram.plantuml | 43 + ...singlerolescategory_class_diagram.plantuml | 20 + ...chronizationhistory_class_diagram.plantuml | 23 + .../diagrams/task_class_diagram.plantuml | 99 + .../taskdependontask_class_diagram.plantuml | 16 + .../taskdimension_class_diagram.plantuml | 20 + .../taskentitytype_class_diagram.plantuml | 20 + .../taskinstance_class_diagram.plantuml | 47 + .../taskresourcetype_class_diagram.plantuml | 20 + .../diagrams/tile_class_diagram.plantuml | 46 + 
.../tiledesignelement_class_diagram.plantuml | 16 + .../diagrams/tileitem_class_diagram.plantuml | 25 + .../unicitycheckrule_class_diagram.plantuml | 30 + .../diagrams/universe_class_diagram.plantuml | 29 + .../diagrams/workflow_class_diagram.plantuml | 43 + .../workflowinstance_class_diagram.plantuml | 95 + .../workflowstate_class_diagram.plantuml | 9 + .../configuration-details/azuread-register.md | 105 + .../configure-secured-options.md | 60 + .../configuration-details/connections.md | 75 + .../create-connector/entra-ID.md | 322 + .../create-connector/index.md | 124 + .../credential-protection.md | 10 + .../configuration-details/demoapp-banking.md | 82 + .../configuration-details/demoapp-hr.md | 37 + .../connectors/configuration-details/index.md | 15 + .../interact-gui-robotframework.md | 220 + .../interact-web-page-robotframework.md | 339 + .../powershell-fulfill.md | 504 ++ .../scim-cyberark-export.md | 790 ++ ...im-salesforce-provisioning-entitlements.md | 37 + .../setup-incremental-sync/entra-ID.md | 108 + .../setup-incremental-sync/index.md | 170 + .../sharepoint-export.md | 618 ++ .../write-fulfill-powershell-script.md | 309 + .../write-fulfill-robotframework-script.md | 433 ++ .../write-sync-powershell-script.md | 12 + .../write-ticket-template.md | 82 + .../entitypropertymapping-format.md | 133 + .../6.3/integration-guide/connectors/index.md | 141 + .../references-connectors/activedirectory.md | 356 + .../connectors/references-connectors/azure.md | 127 + .../connectors/references-connectors/csv.md | 186 + .../references-connectors/easyvista.md | 209 + .../references-connectors/easyvistaticket.md | 72 + .../connectors/references-connectors/excel.md | 210 + .../references-connectors/googleworkspace.md | 156 + .../references-connectors/homefolder.md | 126 + .../connectors/references-connectors/index.md | 146 + .../internalresources.md | 23 + .../references-connectors/internalworkflow.md | 192 + .../connectors/references-connectors/json.md | 16 + 
.../connectors/references-connectors/ldap.md | 269 + .../connectors/references-connectors/ldif.md | 100 + .../references-connectors/microsoftentraid.md | 212 + .../microsoftexchange.md | 134 + .../references-connectors/nimprofile.md | 270 + .../connectors/references-connectors/odata.md | 131 + .../connectors/references-connectors/okta.md | 254 + .../references-connectors/openldap.md | 232 + .../references-connectors/powershellprov.md | 140 + .../references-connectors/powershellsync.md | 102 + .../connectors/references-connectors/racf.md | 107 + .../references-connectors/robotframework.md | 131 + .../references-connectors/saperp6.md | 293 + .../references-connectors/sapnetweaver.md | 169 + .../connectors/references-connectors/scim.md | 332 + .../servicenowentitymanagement.md | 261 + .../references-connectors/servicenowticket.md | 111 + .../references-connectors/sharedfolder.md | 165 + .../references-connectors/sharepoint.md | 264 + .../connectors/references-connectors/sql.md | 219 + .../sqlserverentitlements.md | 166 + .../references-connectors/topsecret.md | 16 + .../references-connectors/workday.md | 191 + .../references-packages/active-directory.md | 18 + .../references-packages/apache-directory.md | 18 + .../azure-active-directory.md | 18 + .../connectors/references-packages/azure.md | 18 + .../connectors/references-packages/csv.md | 18 + .../references-packages/cyberark.md | 18 + .../references-packages/easyvista.md | 18 + .../references-packages/easyvistaticket.md | 18 + .../connectors/references-packages/excel.md | 18 + .../references-packages/generic-ldap.md | 18 + .../references-packages/generic-scim.md | 18 + .../references-packages/generic-sql.md | 21 + .../references-packages/googleworkspace.md | 18 + .../references-packages/home-folders.md | 18 + .../identitymanager-database.md | 18 + .../connectors/references-packages/index.md | 206 + .../connectors/references-packages/json.md | 18 + .../connectors/references-packages/ldif.md | 18 + 
.../manual-ticket-and-cud-resources.md | 36 + .../references-packages/manual-ticket.md | 18 + .../references-packages/microsoft-exchange.md | 18 + .../connectors/references-packages/mysql.md | 24 + .../references-packages/nimprofile.md | 18 + .../connectors/references-packages/odata.md | 17 + .../connectors/references-packages/odbc.md | 20 + .../references-packages/open-ldap.md | 18 + .../references-packages/oracle-database.md | 29 + .../references-packages/oracle-ldap.md | 18 + .../references-packages/postgresql.md | 20 + .../references-packages/powershellprov.md | 18 + .../references-packages/powershellsync.md | 18 + .../connectors/references-packages/racf.md | 18 + .../red-hat-directory-server.md | 18 + .../references-packages/robot-framework.md | 18 + .../references-packages/salesforce.md | 18 + .../connectors/references-packages/sapase.md | 20 + .../connectors/references-packages/saperp6.md | 18 + .../connectors/references-packages/saphana.md | 18 + .../references-packages/servicenow-ticket.md | 18 + .../references-packages/servicenow.md | 18 + .../references-packages/shared-folders.md | 18 + .../references-packages/sharepoint.md | 18 + .../connectors/references-packages/slack.md | 18 + .../sql-server-entitlements.md | 18 + .../references-packages/sql-server.md | 18 + .../connectors/references-packages/tss.md | 18 + .../references-packages/unplugged.md | 18 + .../connectors/references-packages/workday.md | 18 + .../references-packages/workflow.md | 18 + .../6.3/integration-guide/entity-model.md | 180 + .../integration-guide/executables/index.md | 11 + .../executables/references/agent.md | 31 + .../executables/references/anonymize.md | 111 + .../check-expressionsconsistency.md | 32 + .../references/compute-correlationkeys.md | 37 + .../references/configuration-transform.md | 47 + .../references/create-databaseviews.md | 40 + .../executables/references/csv-transform.md | 64 + .../executables/references/decrypt-file.md | 30 + 
.../references/deploy-configuration.md | 64 + .../easyvistaticket-updatefulfillmentstate.md | 61 + .../executables/references/encrypt-file.md | 37 + .../executables/references/export-bacpac.md | 38 + .../references/export-configuration.md | 147 + .../executables/references/export-csv.md | 57 + .../references/export-easyvista.md | 47 + .../executables/references/export-excel.md | 68 + .../executables/references/export-scim.md | 63 + .../references/fillbankingdatabase.md | 25 + .../references/fulfill-easyvista.md | 55 + .../executables/references/fulfill-scim.md | 50 + .../references/fulfill-toeasyvistaticket.md | 55 + .../references/generate-configuration.md | 80 + .../executables/references/get-jobsteps.md | 78 + .../executables/references/index.md | 170 + .../executables/references/invoke-job.md | 84 + .../references/invoke-serverjob.md | 35 + .../executables/references/login.md | 39 + .../manage-configurationdependantindexes.md | 39 + .../executables/references/manage-history.md | 106 + .../references/new-openidsecret.md | 29 + .../references/passwordgenerator.md | 30 + .../references/prepare-synchronization.md | 105 + .../references/protect-certificatepassword.md | 44 + .../references/protect-x509jsonfile.md | 115 + .../references/protect-x509jsonvalue.md | 81 + .../executables/references/refreshschema.md | 32 + .../references/send-passwordnotification.md | 31 + .../executables/references/server.md | 30 + .../update-entitypropertyexpressions.md | 38 + .../upgrade-configurationversion.md | 30 + .../references/upgrade-databaseversion.md | 44 + .../governance/accesscertification.md | 189 + .../6.3/integration-guide/governance/index.md | 34 + .../governance/reporting/analyze-powerbi.md | 100 + .../governance/reporting/connect-powerbi.md | 63 + .../reporting/how-tos/analyze-powerbi.md | 94 + .../reporting/how-tos/connect-powerbi.md | 57 + .../governance/reporting/index.md | 12 + .../review-prolonged-entitlements.md | 22 + .../6.3/integration-guide/governance/risks.md 
| 123 + .../identity-repository.md | 57 + .../identity-management/index.md | 29 + .../joiners-movers-leavers/index.md | 14 + .../joiners-movers-leavers/on-offboarding.md | 55 + .../joiners-movers-leavers/position-change.md | 158 + .../6.3/integration-guide/index.md | 39 + .../6.3/integration-guide/modules.md | 19 + .../6.3/integration-guide/monitoring/index.md | 503 ++ .../monitoring/qradar-setting.md | 302 + .../monitoring/references.md | 89 + .../agent-configuration/appsettings-agent.md | 137 + .../agent-configuration/appsettings.md | 307 + .../agent-configuration/azure-key-vault.md | 90 + ...ion-access-manager-credential-providers.md | 271 + .../agent-configuration/index.md | 63 + .../agent-configuration/rsa-encryption.md | 57 + .../network-configuration/configure-okta.md | 74 + .../network-configuration/how-tos/okta.md | 68 + .../network-configuration/index.md | 173 + .../password-management.md | 49 + .../network-configuration/proxy.md | 187 + .../database-connection.md | 80 + .../end-users-authentication.md | 895 +++ .../server-configuration/general-purpose.md | 293 + .../server-configuration/index.md | 59 + .../server-configuration/rsa-encryption.md | 57 + .../network-configuration/settings.md | 196 + .../technical-files/appsettings.connection.md | 18 + .../technical-files/index.md | 12 + .../integration-guide/notifications/custom.md | 29 + .../how-tos/customize-native-notification.md | 40 + .../notifications/how-tos/set-language.md | 46 + .../integration-guide/notifications/index.md | 14 + .../native/access-certification.md | 9 + .../native/customize-native-notification.md | 46 + .../notifications/native/errored-jobs.md | 12 + .../notifications/native/index.md | 35 + .../native/manual-provisioning.md | 25 + .../notifications/native/password-reset.md | 9 + .../native/provisioning-review.md | 9 + .../notifications/native/role-review.md | 9 + .../notifications/set-language.md | 52 + .../create-assign-profiles/index.md | 65 + .../profiles-permissions/index.md | 
0 .../profiles-permissions/permissions/index.md | 1997 ++++++ .../rightsrestriction/index.md | 145 + .../provisioning/argumentsexpression.md | 86 + .../how-tos/argumentsexpression.md | 80 + .../integration-guide/provisioning/index.md | 12 + .../provisioning/prov-thresholds.md | 30 + .../6.3/integration-guide/resources.md | 33 + .../role-assignment/assignment-dates.md | 25 + .../assignments-of-entitlements.md | 152 + .../configureindirectpermissions.md | 127 + .../conformingassignmentcomputation.md | 100 + .../role-assignment/evaluate-policy.md | 364 + .../existingassignmentsdeduction.md | 93 + .../role-assignment/generate-contexts.md | 140 + .../how-tos/configureindirectpermissions.md | 121 + .../how-tos/infer-single-roles.md | 42 + .../how-tos/restrict-assignment.md | 70 + .../role-assignment/index.md | 12 + .../role-assignment/indirectpermissions.md | 69 + .../role-assignment/infer-single-roles.md | 48 + .../role-assignment/nonconformingdetection.md | 50 + .../role-assignment/restrict-assignment.md | 76 + .../role-assignment/role-model-rules.md | 169 + .../6.3/integration-guide/role-mining.md | 127 + .../6.3/integration-guide/role-model/index.md | 48 + .../role-model/role-model-rules.md | 163 + .../6.3/integration-guide/simulation.md | 41 + .../synchronization/index.md | 16 + .../synchronization/synchro-thresholds.md | 62 + .../synchronization/upward-data-sync.md | 318 + .../tasks-jobs/build-efficient-jobs.md | 123 + .../tasks-jobs/configure-incremental-job.md | 59 + .../tasks-jobs/configure-jobs.md | 22 + .../tasks-jobs/fulfillldap.md | 67 + .../6.3/integration-guide/tasks-jobs/index.md | 30 + .../integration-guide/tasks-jobs/jobdaily.md | 160 + .../integration-guide/tasks-jobs/jobfast.md | 183 + .../6.3/integration-guide/tasks-jobs/jobs.md | 64 + .../6.3/integration-guide/tasks-jobs/tasks.md | 40 + .../tasks-jobs/troubleshoot-connector-jobs.md | 93 + .../toolkit/adjust-scaffoldings.md | 169 + .../6.3/integration-guide/toolkit/bindings.md | 29 + 
.../toolkit/deploy-configuration.md | 98 + .../toolkit/export-configuration.md | 97 + .../expressions/csharp-utility-functions.md | 66 + .../toolkit/expressions/index.md | 283 + .../expressions/predefined-functions.md | 45 + .../toolkit/file-hierarchy.md | 27 + .../toolkit/how-tos/adjust-scaffoldings.md | 163 + .../toolkit/how-tos/deploy-configuration.md | 92 + .../toolkit/how-tos/export-configuration.md | 93 + .../6.3/integration-guide/toolkit/index.md | 18 + .../integration-guide/toolkit/languages.md | 23 + .../toolkit/parameter-names.md | 67 + .../toolkit/recommendations.md | 65 + .../toolkit/reservedidentifiers.md | 54 + .../accesscertificationcampaignpolicy.md | 14 + .../accesscertificationdatafilter.md | 34 + .../accesscertificationownerfilter.md | 20 + .../access-certification/index.md | 10 + .../access-control/accesscontrolpermission.md | 23 + .../accesscontrolpropertygroup.md | 61 + .../access-control/accesscontrolrule.md | 182 + .../access-control/assignedprofile.md | 26 + .../xml-configuration/access-control/index.md | 15 + .../access-control/openidclient.md | 45 + .../access-control/profile.md | 22 + .../access-control/profilecontext.md | 27 + .../access-control/profilerulecontext.md | 48 + .../business-intelligence/index.md | 8 + .../business-intelligence/universe.md | 87 + .../xml-configuration/configuration/index.md | 8 + ...sreviewadministrationaccesscontrolrules.md | 181 + .../accesscontrolrules/accessreviews/index.md | 10 + .../connectorresourcetypeaccesscontrol.md | 66 + .../accesscontrolrules/connectors/index.md | 13 + .../connectors/settingsaccesscontrolrules.md | 45 + .../scaffoldings/accesscontrolrules/index.md | 18 + ...tjoblogadministrationaccesscontrolrules.md | 40 + .../accesscontrolrules/jobs/index.md | 52 + .../jobadministrationaccesscontrolrules.md | 39 + ...jobtaskadministrationaccesscontrolrules.md | 15 + ...assignedresourcetypesaccesscontrolrules.md | 144 + .../jobs/provisioningaccesscontrolrules.md | 52 + 
.../resourcechangesviewaccesscontrolrules.md | 264 + .../jobs/resourcetypemappingcontrolrules.md | 36 + .../runjobadministrationaccesscontrolrules.md | 38 + .../runjobnotificationaccesscontrolrules.md | 36 + ...brepairadministrationaccesscontrolrules.md | 35 + ...jobrepairnotificationaccesscontrolrules.md | 36 + .../jobs/synchronizationaccesscontrolrules.md | 41 + .../taskadministrationaccesscontrolrules.md | 69 + ...nstanceadministrationaccesscontrolrules.md | 15 + .../jobs/workflowfulfillmentcontrolrules.md | 38 + .../accesscontrolrules/monitoring/index.md | 10 + ...itoringadministrationaccesscontrolrules.md | 36 + .../assignprofileaccesscontrolrules.md | 95 + .../accesscontrolrules/profiles/index.md | 16 + ...dclientadministrationaccesscontrolrules.md | 15 + ...profileadministrationaccesscontrolrules.md | 46 + .../accesscontrolrules/queries/index.md | 19 + .../queries/managesettingaccesscontrolrule.md | 15 + .../queries/reportaccesscontrolrules.md | 40 + .../targetresourcereportaccesscontrolrules.md | 42 + .../queries/universeaccesscontrolrules.md | 36 + ...teresourceincrementalaccesscontrolrules.md | 36 + .../accesscontrolrules/resources/index.md | 22 + .../resources/resourceapiadministration.md | 40 + .../resources/resourcepickercontrolrules.md | 36 + .../resources/viewaccesscontrolrules.md | 68 + .../resources/viewhistoryresourcetemplate.md | 37 + .../assignedrolesaccesscontrolrules.md | 46 + .../rolemodels/basketrulescontrolrules.md | 69 + ...ormmanualprovisioningaccesscontrolrules.md | 41 + ...esourcereconciliationaccesscontrolrules.md | 41 + ...ulkreviewprovisioningaccesscontrolrules.md | 41 + ...ulkrolereconciliationaccesscontrolrules.md | 22 + .../governancerolesaccesscontrolrules.md | 20 + .../accesscontrolrules/rolemodels/index.md | 55 + ...ormmanualprovisioningaccesscontrolrules.md | 78 + ...reconciliateresourcesaccesscontrolrules.md | 107 + .../reconciliaterolesaccesscontrolrules.md | 70 + .../redundantassignmentaccesscontrolrule.md | 39 + 
.../reviewprovisioningaccesscontrolrules.md | 107 + .../reviewrolesaccesscontrolrules.md | 67 + .../risksadministrationaccesscontrolrules.md | 67 + .../roleadministrationaccesscontrolrules.md | 545 ++ .../rolenamingaccesscontrolrules.md | 59 + .../accesscontrolrules/simulations/index.md | 13 + .../policysimulationcontrolrules.md | 110 + .../roleandsimulationcontrolrules.md | 131 + .../userinterfaces/index.md | 13 + .../userinterfaces/manageaccounts.md | 52 + .../searchbarpageaccesscontrol.md | 29 + .../createupdatedeleteaccesscontrolrules.md | 53 + .../accesscontrolrules/workflows/index.md | 25 + .../updateresourcesaccesscontrolrules.md | 37 + .../workflows/workflowaccesscontrolrules.md | 114 + .../workflows/workflowaspect.md | 36 + .../workflowconfigurationcontrolrules.md | 38 + .../workflows/workflowoverviewcontrolrules.md | 85 + .../entitytypes/connectormappings.md | 111 + .../entitytypes/entitytypedisplayname.md | 43 + .../entitytypes/entitytypedisplaytable.md | 41 + .../entitytypedisplaytableadaptable.md | 41 + .../entitytypedisplaytargetresourcetable.md | 36 + .../entitytypes/entitytypemenuitem.md | 39 + .../entitytypes/entitytypesearchbar.md | 34 + .../entitytypes/entitytypes/index.md | 31 + .../entitytypes/targetresourcereportmenus.md | 34 + .../scaffoldings/entitytypes/index.md | 9 + .../workflows/createupdatedeletemenus.md | 48 + .../workflows/createupdatedeleteworkflows.md | 45 + .../entitytypes/workflows/index.md | 37 + .../workflows/updateresourcesmenus.md | 36 + .../workflows/updateresourcesworkflows.md | 37 + .../workflows/workflowactorsnotification.md | 413 ++ .../workflows/workflowentitytype.md | 40 + .../workflowentitytypedisplayentitytype.md | 34 + .../workflowentitytypedisplaytable.md | 51 + .../workflows/workflowentitytypesearchbar.md | 46 + .../workflowperformernotification.md | 411 ++ .../configuration/scaffoldings/index.md | 462 ++ .../scaffoldings/jobs/cleandatabasejob.md | 29 + .../jobs/createaccesscertificationjob.md | 73 + 
.../jobs/createagentsynchrocomplete.md | 275 + .../jobs/createagentsynchroincremental.md | 218 + .../scaffoldings/jobs/createconnectorsjobs.md | 290 + .../jobs/createconnectorsynchrocomplete.md | 155 + .../jobs/createconnectorsynchroincremental.md | 149 + .../jobs/createinitializationjob.md | 526 ++ .../configuration/scaffoldings/jobs/index.md | 31 + .../scaffoldings/optimizations/index.md | 10 + .../optimizations/optimizedisplaytable.md | 142 + .../scaffoldings/queries/index.md | 13 + .../queries/targetresourcereport.md | 37 + .../scaffoldings/queries/universedatamodel.md | 306 + .../templates/connectorsaccesscontrolrules.md | 210 + .../templates/createadministratorprofile.md | 196 + .../templates/createupdatedeletetemplate.md | 70 + .../templates/entityreportdefault.md | 30 + .../scaffoldings/templates/index.md | 43 + .../jobexecutionaccesscontrolrules.md | 55 + .../templates/jobviewaccesscontrolrules.md | 63 + .../templates/simulationaccesscontrolrules.md | 45 + .../templates/updateresourcestemplate.md | 66 + .../templates/viewsourceresourcetemplate.md | 17 + .../templates/viewtargetresourcetemplate.md | 62 + .../scaffoldings/templates/viewtemplate.md | 50 + .../templates/viewtemplateadaptable.md | 49 + .../scaffoldings/workforce/bootstrapmodule.md | 8 + .../scaffoldings/workforce/index.md | 16 + .../scaffoldings/workforce/profilemodule.md | 24 + .../scaffoldings/workforce/workforcemodule.md | 6378 +++++++++++++++++ .../xml-configuration/connectors/agent.md | 16 + .../connectors/connection.md | 127 + .../connectors/connectiontable.md | 33 + .../xml-configuration/connectors/connector.md | 122 + .../connectors/entityassociationmapping.md | 25 + .../connectors/entitytypemapping.md | 39 + .../xml-configuration/connectors/index.md | 15 + .../connectors/passwordresetsettings.md | 70 + .../azureadresourcetypemapping.mdx | 33 + .../easyvistaresourcetypemapping.mdx | 30 + .../easyvistauserresourcetypemapping.md | 14 + .../connectors/resourcetypemappings/index.md | 40 + 
.../ldapresourcetypemapping.mdx | 42 + .../manualprovisioningresourcetypemapping.mdx | 23 + .../microsoftentraidresourcetypemapping.md | 29 + .../nimresourcetypemapping.mdx | 35 + .../oktaresourcetypemapping.md | 16 + .../sapresourcetypemapping.mdx | 27 + .../scimresourcetypemapping.mdx | 25 + .../servicenowresourcetypemapping.mdx | 40 + .../sharepointresourcetypemapping.mdx | 18 + .../toolkit/xml-configuration/index.md | 20 + .../toolkit/xml-configuration/jobs/index.md | 9 + .../toolkit/xml-configuration/jobs/job.md | 144 + .../tasks/agent/activityinstanceactortask.md | 27 + .../tasks/agent/createdatabaseviewstask.md | 25 + .../jobs/tasks/agent/exporttask.md | 28 + .../jobs/tasks/agent/fulfilltask.md | 60 + .../jobs/tasks/agent/index.md | 34 + .../jobs/tasks/agent/invokeapitask.md | 27 + .../jobs/tasks/agent/invokeaspectstask.md | 18 + .../jobs/tasks/agent/invokeexpressiontask.md | 26 + .../jobs/tasks/agent/invokesqlcommandtask.md | 35 + .../tasks/agent/preparesynchronizationtask.md | 102 + .../xml-configuration/jobs/tasks/index.md | 9 + .../jobs/tasks/server/buildrolemodeltask.md | 27 + .../server/computecorrelationkeystask.md | 35 + .../tasks/server/computeriskscorestask.md | 25 + .../jobs/tasks/server/computerolemodeltask.md | 82 + .../tasks/server/deployconfigurationtask.md | 26 + .../jobs/tasks/server/fulfilltask.md | 60 + .../server/generateprovisioningorderstask.md | 43 + .../jobs/tasks/server/getroleminingtask.md | 35 + .../jobs/tasks/server/index.md | 82 + .../jobs/tasks/server/invokeexpressiontask.md | 26 + .../jobs/tasks/server/invokesqlcommandtask.md | 35 + .../jobs/tasks/server/maintainindexestask.md | 29 + .../server/manageconfigurationindexestask.md | 21 + .../processaccesscertificationitemstask.md | 21 + .../jobs/tasks/server/resetvalidfromtask.md | 22 + .../server/savepreexistingaccessrightstask.md | 32 + ...sendaccesscertificationnotificationtask.md | 22 + .../tasks/server/sendnotificationstask.md | 38 + 
.../server/sendrolemodelnotificationstask.md | 220 + .../setaccesscertificationreviewertask.md | 22 + .../server/setinternaluserprofilestask.md | 47 + .../server/setrecentlymodifiedflagtask.md | 28 + .../jobs/tasks/server/synchronizetask.md | 32 + .../updateaccesscertificationcampaigntask.md | 22 + .../tasks/server/updateclassificationtask.md | 38 + .../updateentitypropertyexpressionstask.md | 34 + .../metadata/accesscontrolentitytype.md | 17 + .../xml-configuration/metadata/binding.md | 10 + .../xml-configuration/metadata/dimension.md | 43 + .../metadata/entityassociation.md | 36 + .../metadata/entitypropertyexpression.md | 28 + .../xml-configuration/metadata/entitytype.md | 91 + .../xml-configuration/metadata/index.md | 15 + .../xml-configuration/metadata/language.md | 23 + .../metadata/settings/appdisplaysetting.md | 61 + .../settings/configurationversionsetting.md | 24 + .../metadata/settings/customlink1setting.md | 16 + .../metadata/settings/customlink2setting.md | 16 + .../settings/dashboarditemnumbersetting.md | 21 + .../metadata/settings/index.md | 43 + .../metadata/settings/mailsetting.md | 25 + .../settings/passwordgenerationsetting.md | 15 + .../metadata/settings/passwordtestssetting.md | 28 + .../schedulingcleandatabasesetting.md | 23 + ...rformedbyassociationqueryhandlersetting.md | 24 + ...lectpersonasbyfilterqueryhandlersetting.md | 27 + ...selectuserbyidentityqueryhandlersetting.md | 55 + .../xml-configuration/notifications/index.md | 10 + .../notifications/notification.md | 38 + .../accesscertificationnotification.md | 35 + .../notifications/notifications/index.md | 22 + .../manualprovisioningnotification.md | 35 + .../provisioningreviewnotification.md | 35 + .../notifications/rolepolicynotification.md | 14 + .../notifications/rolereviewnotification.md | 35 + .../notifications/notificationtemplate.md | 34 + .../provisioning/automationrule.md | 90 + .../provisioning/category.md | 26 + .../provisioning/compositerole.md | 49 + 
.../provisioning/compositerolerule.md | 29 + .../xml-configuration/provisioning/context.md | 18 + .../provisioning/contextrule.md | 159 + .../xml-configuration/provisioning/index.md | 24 + .../provisioning/indirectresourcerule.md | 31 + .../provisioning/miningrule.md | 64 + .../xml-configuration/provisioning/policy.md | 43 + .../provisioning/recordsection.md | 180 + .../resourceclassificationrule.md | 26 + .../provisioning/resourcecorrelationrule.md | 52 + .../provisioning/resourcetype.md | 461 ++ .../xml-configuration/provisioning/risk.md | 35 + .../provisioning/rolemapping.md | 73 + .../provisioning/singlerole.md | 55 + .../provisioning/singlerolerule.md | 29 + .../xml-configuration/reporting/index.md | 8 + .../reporting/reportquery.md | 33 + .../xml-configuration/resources/index.md | 8 + .../xml-configuration/resources/resource.md | 58 + .../displayentityassociation.md | 13 + .../user-interface/displayentitytype.md | 137 + .../user-interface/displaypropertygroup.md | 43 + .../user-interface/displaytable.md | 100 + .../xml-configuration/user-interface/form.md | 141 + .../xml-configuration/user-interface/index.md | 16 + .../user-interface/indicator.md | 67 + .../user-interface/menuitem.md | 31 + .../user-interface/searchbar.md | 47 + .../xml-configuration/user-interface/tile.md | 54 + .../workflows/aspects/addchangeaspect.md | 61 + .../workflows/aspects/assertvalueaspect.md | 81 + .../aspects/assertvaluerequiredaspect.md | 47 + .../aspects/builduniquevalueaspect.md | 199 + .../workflows/aspects/index.md | 28 + .../workflows/aspects/invokescriptaspect.md | 45 + .../workflows/aspects/invokeworkflowaspect.md | 43 + .../workflows/aspects/notificationaspect.md | 123 + .../workflows/forms/index.md | 34 + .../workflowaddandendrecordentityform.md | 98 + .../forms/workflowaddrecordentityform.md | 103 + .../forms/workflowcreateentityform.md | 84 + .../forms/workflowcreaterecordentityform.md | 97 + .../workflowcreateseveralrecordsentityform.md | 105 + 
.../workflows/forms/workfloweditentityform.md | 52 + .../forms/workflowupdaterecordentitiesform.md | 102 + .../forms/workflowupdaterecordentityform.md | 127 + .../workflowupdateseveralrecordsentityform.md | 130 + .../workflows/homonymentitylink.md | 45 + .../xml-configuration/workflows/index.md | 11 + .../xml-configuration/workflows/workflow.md | 56 + .../integration-guide/ui/create-menu-items.md | 43 + .../ui/custom-display-table.md | 63 + .../6.3/integration-guide/ui/custom-forms.md | 68 + .../integration-guide/ui/custom-search-bar.md | 47 + .../ui/how-tos/create-menu-items.md | 37 + .../ui/how-tos/custom-display-table.md | 57 + .../ui/how-tos/custom-forms.md | 62 + .../ui/how-tos/custom-search-bar.md | 41 + .../ui/how-tos/producttranslations.md | 69 + .../6.3/integration-guide/ui/index.md | 9 + .../ui/producttranslations.md | 77 + .../workflows/activity-templates.md | 134 + .../create-workflow/configure-homonym-test.md | 116 + .../workflows/create-workflow/index.md | 52 + .../create-workflow/workflow-create-mono.md | 167 + .../create-workflow/workflow-create-multi.md | 179 + .../create-workflow/workflow-update-mono.md | 110 + .../create-workflow/workflow-update-multi.md | 144 + .../workflow-update-resource.md | 99 + .../6.3/integration-guide/workflows/index.md | 135 + .../workflows/workflow-uses.md | 51 + .../workflows/workflowhomonym.md | 148 + .../6.3/introduction-guide/architecture.md | 44 + .../6.3/introduction-guide/configuration.md | 53 + .../6.3/introduction-guide/index.md | 27 + .../overview/entitlement-management.md | 158 + .../introduction-guide/overview/governance.md | 42 + .../overview/identity-management.md | 107 + .../6.3/introduction-guide/overview/index.md | 67 + .../introduction-guide/overview/use-cases.md | 49 + .../6.3/migration-guide/index.md | 49 + .../certification-campaign-execution.md | 99 + .../certification-campaign-scheduling.md | 97 + .../access-certification/index.md | 40 + .../user-guide/administrate/assigned-roles.md | 176 + 
.../6.3/user-guide/administrate/index.md | 70 + .../administrate/manual-assignment-request.md | 83 + .../non-conforming-assignment-review/index.md | 54 + .../property-reconciliation.md | 154 + .../role-reconciliation.md | 114 + .../unauthorized-account-review.md | 92 + .../orphan-unused-account-review.md | 165 + .../provisioning/automatic-provisioning.md | 53 + .../administrate/provisioning/index.md | 84 + .../provisioning/manual-provisioning.md | 81 + .../provisioning/provisioning-review.md | 213 + .../6.3/user-guide/administrate/reporting.md | 106 + .../6.3/user-guide/deploy/authentication.md | 10 + .../user-guide/deploy/change-management.md | 97 + .../6.3/user-guide/deploy/index.md | 40 + .../deploy/production-agent-installation.md | 61 + .../directory-permissions.md | 60 + .../finalization.md | 30 + .../iis-configuration.md | 68 + .../iis-installation.md | 50 + .../production-agent-installation/index.md | 64 + .../settings-files.md | 121 + .../global-process/howto-maintaindirectory.md | 18 + .../global-process/howto-newsystem.md | 58 + .../user-guide/global-process/howto-start.md | 83 + .../6.3/user-guide/global-process/index.md | 26 + docs/identitymanager/6.3/user-guide/index.md | 81 + .../identity-data-modification/index.md | 45 + .../individual-update.md | 73 + .../identity-data-modification/mass-update.md | 128 + .../multiple-update.md | 67 + .../6.3/user-guide/maintain/index.md | 28 + .../user-guide/maintain/troubleshooting.md | 116 + .../automate-role-assignment.md | 97 + .../optimize/assignment-automation/index.md | 164 + .../remove-redundant-assignments.md | 104 + .../assignment-automation/role-mining.md | 133 + .../optimize/composite-role-creation.md | 99 + .../optimize/hr-connector-creation.md | 0 .../identity-datamodel-modification.md | 106 + .../6.3/user-guide/optimize/index.md | 56 + ...conforming-assignment-review-automation.md | 91 + .../user-guide/optimize/parameterized-role.md | 94 + .../user-guide/optimize/policy-creation.md | 82 + 
.../user-guide/optimize/risk-management.md | 146 + .../6.3/user-guide/optimize/simulation.md | 124 + .../set-up/categorization/classification.md | 150 + .../set-up/categorization/correlation.md | 167 + .../user-guide/set-up/categorization/index.md | 122 + .../categorization/resource-type-creation.md | 160 + .../set-up/configure-global-settings.md | 49 + .../user-guide/set-up/configure-workflows.md | 106 + .../connect-system/connection-creation.md | 145 + .../connect-system/connector-declaration.md | 62 + .../connect-system/connector-modeling.md | 373 + .../datasheet-organization.md | 69 + .../display-name-setting.md | 65 + .../entity-type-declaration.md | 77 + .../entity-type-creation/index.md | 55 + .../entity-type-creation/key-selection.md | 100 + .../navigation-property-definition.md | 155 + .../scalar-property-definition.md | 137 + .../user-guide/set-up/connect-system/index.md | 128 + .../development-environment-installation.md | 38 + .../6.3/user-guide/set-up/index.md | 120 + .../adjust-datamodel.md | 105 + .../generate-unique-properties.md | 107 + .../initial-identities-loading/index.md | 101 + .../load-identities.md | 160 + .../template-description.md | 249 + .../provisioning-rule-creation/index.md | 52 + .../navigation-property-computation.md | 246 + .../resource-creation.md | 103 + .../scalar-property-computation.md | 149 + .../category-creation.md | 71 + .../single-roles-catalog-creation/index.md | 170 + .../role-manual-creation.md | 162 + .../role-naming-rule-creation.md | 145 + .../6.3/user-guide/set-up/synchronization.md | 225 + .../set-up/user-profile-assignment.md | 92 + .../set-up/user-profile-configuration.md | 109 + docs/identitymanager/current/index.md | 4 +- .../current/installation-guide/overview.md | 8 +- .../production-ready/agent.md | 6 +- .../production-ready/database.md | 4 +- .../production-ready/server.md | 10 +- .../current/installation-guide/quick-start.md | 10 +- .../installation-guide/reverse-proxy.md | 8 +- 
.../current/integration-guide/api/index.md | 4 +- .../integration-guide/api/pagination.md | 4 +- .../integration-guide/api/request-postman.md | 22 +- .../api/server/accesscontrol.md | 26 +- .../api/server/connectors.md | 8 +- .../integration-guide/api/server/job.md | 8 +- .../integration-guide/api/server/metadata.md | 24 +- .../api/server/provisioningpolicy.md | 4 +- .../integration-guide/api/server/workflows.md | 8 +- .../integration-guide/architecture/index.md | 4 +- .../integration-guide/architecture/on-prem.md | 4 +- .../protect-agent-server-communication.md | 4 +- .../integration-guide/architecture/saas.md | 4 +- .../configuration-details/azuread-register.md | 14 +- .../configure-secured-options.md | 18 +- .../configuration-details/connections.md | 12 +- .../create-connector/entra-ID.md | 8 +- .../create-connector/index.md | 4 +- .../configuration-details/demoapp-banking.md | 6 +- .../configuration-details/demoapp-hr.md | 6 +- .../interact-gui-robotframework.md | 6 +- .../interact-web-page-robotframework.md | 6 +- .../powershell-fulfill.md | 16 +- .../scim-cyberark-export.md | 8 +- .../sharepoint-export.md | 6 +- .../entitypropertymapping-format.md | 6 +- .../integration-guide/connectors/index.md | 8 +- .../references-connectors/activedirectory.md | 14 +- .../connectors/references-connectors/azure.md | 4 +- .../connectors/references-connectors/csv.md | 6 +- .../references-connectors/easyvista.md | 6 +- .../references-connectors/easyvistaticket.md | 4 +- .../connectors/references-connectors/excel.md | 6 +- .../references-connectors/googleworkspace.md | 16 +- .../references-connectors/homefolder.md | 4 +- .../internalresources.md | 6 +- .../references-connectors/internalworkflow.md | 4 +- .../connectors/references-connectors/json.md | 4 +- .../connectors/references-connectors/ldap.md | 10 +- .../connectors/references-connectors/ldif.md | 4 +- .../references-connectors/microsoftentraid.md | 4 +- .../microsoftexchange.md | 4 +- 
.../references-connectors/nimprofile.md | 8 +- .../connectors/references-connectors/odata.md | 4 +- .../connectors/references-connectors/okta.md | 4 +- .../references-connectors/openldap.md | 4 +- .../references-connectors/powershellprov.md | 4 +- .../references-connectors/powershellsync.md | 4 +- .../connectors/references-connectors/racf.md | 4 +- .../references-connectors/robotframework.md | 4 +- .../references-connectors/saperp6.md | 12 +- .../references-connectors/sapnetweaver.md | 4 +- .../connectors/references-connectors/scim.md | 38 +- .../servicenowentitymanagement.md | 4 +- .../references-connectors/servicenowticket.md | 4 +- .../references-connectors/sharedfolder.md | 6 +- .../references-connectors/sharepoint.md | 4 +- .../connectors/references-connectors/sql.md | 20 +- .../sqlserverentitlements.md | 4 +- .../references-connectors/topsecret.md | 4 +- .../references-connectors/workday.md | 4 +- .../current/integration-guide/entity-model.md | 4 +- .../references/create-databaseviews.md | 4 +- .../references/export-configuration.md | 4 +- .../executables/references/invoke-job.md | 4 +- .../manage-configurationdependantindexes.md | 23 + .../executables/references/manage-history.md | 17 +- .../references/prepare-synchronization.md | 4 +- .../governance/accesscertification.md | 4 +- .../governance/reporting/analyze-powerbi.md | 4 +- .../governance/reporting/connect-powerbi.md | 14 +- .../reporting/how-tos/analyze-powerbi.md | 4 +- .../reporting/how-tos/connect-powerbi.md | 14 +- .../integration-guide/governance/risks.md | 12 +- .../identity-repository.md | 8 +- .../joiners-movers-leavers/on-offboarding.md | 4 +- .../joiners-movers-leavers/position-change.md | 12 +- .../agent-configuration/appsettings-agent.md | 2 +- .../network-configuration/configure-okta.md | 14 +- .../network-configuration/how-tos/okta.md | 14 +- .../network-configuration/index.md | 4 +- .../end-users-authentication.md | 6 +- .../network-configuration/settings.md | 6 +- 
.../notifications/native/errored-jobs.md | 2 +- .../notifications/native/index.md | 2 +- .../create-assign-profiles.md | 8 +- .../profiles-permissions/index.md | 9 + .../profiles-permissions/permissions.md | 8 +- .../profiles-permissions/rightsrestriction.md | 12 +- .../assignments-of-entitlements.md | 6 +- .../configureindirectpermissions.md | 18 +- .../role-assignment/evaluate-policy.md | 28 +- .../existingassignmentsdeduction.md | 8 +- .../role-assignment/generate-contexts.md | 12 +- .../how-tos/configureindirectpermissions.md | 18 +- .../role-assignment/indirectpermissions.md | 4 +- .../role-assignment/role-model-rules.md | 4 +- .../current/integration-guide/role-mining.md | 24 +- .../role-model/role-model-rules.md | 4 +- .../synchronization/upward-data-sync.md | 8 +- .../tasks-jobs/troubleshoot-connector-jobs.md | 4 +- .../toolkit/deploy-configuration.md | 4 +- .../toolkit/export-configuration.md | 4 +- .../toolkit/expressions/index.md | 25 +- .../toolkit/how-tos/deploy-configuration.md | 4 +- .../toolkit/how-tos/export-configuration.md | 4 +- .../integration-guide/toolkit/index.md | 4 +- .../toolkit/recommendations.md | 6 +- .../AccessCertificationItemReviewer.md | 15 + .../access-control/accesscontrolrule.md | 6 +- .../business-intelligence/universe.md | 10 +- ...sreviewadministrationaccesscontrolrules.md | 4 +- .../jobadministrationaccesscontrolrules.md | 4 +- .../assignprofileaccesscontrolrules.md | 4 +- ...profileadministrationaccesscontrolrules.md | 6 +- .../queries/reportaccesscontrolrules.md | 4 +- .../governancerolesaccesscontrolrules.md | 4 +- ...ormmanualprovisioningaccesscontrolrules.md | 4 +- ...reconciliateresourcesaccesscontrolrules.md | 4 +- .../reconciliaterolesaccesscontrolrules.md | 4 +- .../redundantassignmentaccesscontrolrule.md | 4 +- .../reviewprovisioningaccesscontrolrules.md | 4 +- .../reviewrolesaccesscontrolrules.md | 4 +- .../roleadministrationaccesscontrolrules.md | 4 +- .../userinterfaces/manageaccounts.md | 4 +- 
.../workflows/workflowaccesscontrolrules.md | 6 +- .../workflows/workflowoverviewcontrolrules.md | 4 +- .../entitytypes/connectormappings.md | 4 +- .../scaffoldings/queries/universedatamodel.md | 38 +- .../templates/connectorsaccesscontrolrules.md | 4 +- .../xml-configuration/connectors/connector.md | 10 +- .../connectors/entityassociationmapping.md | 4 +- .../connectors/entitytypemapping.md | 6 +- .../servicenowresourcetypemapping.mdx | 2 +- .../server/sendrolemodelnotificationstask.md | 1 - .../xml-configuration/metadata/language.md | 4 +- .../metadata/settings/appdisplaysetting.md | 12 +- .../accesscertificationnotification.md | 4 +- .../manualprovisioningnotification.md | 4 +- .../provisioningreviewnotification.md | 4 +- .../notifications/rolereviewnotification.md | 4 +- .../notifications/notificationtemplate.md | 6 + .../provisioning/automationrule.md | 4 +- .../provisioning/contextrule.md | 4 +- .../provisioning/recordsection.md | 4 +- .../provisioning/resourcetype.md | 24 +- .../user-interface/displayentitytype.md | 4 +- .../user-interface/displaypropertygroup.md | 4 +- .../user-interface/displaytable.md | 8 +- .../xml-configuration/user-interface/form.md | 10 +- .../user-interface/menuitem.md | 2 +- .../workflows/aspects/addchangeaspect.md | 4 +- .../workflows/aspects/assertvalueaspect.md | 4 +- .../aspects/assertvaluerequiredaspect.md | 4 +- .../aspects/builduniquevalueaspect.md | 6 +- .../workflows/aspects/invokescriptaspect.md | 4 +- .../workflows/aspects/invokeworkflowaspect.md | 4 +- .../workflows/aspects/notificationaspect.md | 10 +- .../workflowaddandendrecordentityform.md | 6 +- .../forms/workflowaddrecordentityform.md | 6 +- .../forms/workflowcreateentityform.md | 4 +- .../forms/workflowcreaterecordentityform.md | 4 +- .../workflowcreateseveralrecordsentityform.md | 4 +- .../workflows/forms/workfloweditentityform.md | 6 +- .../forms/workflowupdaterecordentitiesform.md | 4 +- .../forms/workflowupdaterecordentityform.md | 6 +- 
.../workflowupdateseveralrecordsentityform.md | 6 +- .../integration-guide/ui/create-menu-items.md | 10 +- .../ui/custom-display-table.md | 8 +- .../integration-guide/ui/custom-search-bar.md | 6 +- .../ui/how-tos/create-menu-items.md | 10 +- .../ui/how-tos/custom-display-table.md | 8 +- .../ui/how-tos/custom-search-bar.md | 6 +- .../ui/producttranslations.md | 2 +- .../workflows/activity-templates.md | 16 +- .../create-workflow/workflow-create-mono.md | 10 +- .../create-workflow/workflow-create-multi.md | 8 +- .../create-workflow/workflow-update-mono.md | 6 +- .../create-workflow/workflow-update-multi.md | 6 +- .../workflow-update-resource.md | 8 +- .../introduction-guide/architecture.md | 6 +- .../overview/entitlement-management.md | 22 +- .../introduction-guide/overview/governance.md | 4 +- .../overview/identity-management.md | 14 +- .../introduction-guide/overview/index.md | 10 +- .../current/preview-features.md | 148 + .../certification-campaign-execution.md | 26 +- .../certification-campaign-scheduling.md | 20 +- .../user-guide/administrate/assigned-roles.md | 6 +- .../administrate/manual-assignment-request.md | 18 +- .../property-reconciliation.md | 36 +- .../role-reconciliation.md | 28 +- .../unauthorized-account-review.md | 24 +- .../orphan-unused-account-review.md | 26 +- .../provisioning/automatic-provisioning.md | 8 +- .../administrate/provisioning/index.md | 8 +- .../provisioning/manual-provisioning.md | 20 +- .../provisioning/provisioning-review.md | 56 +- .../user-guide/administrate/reporting.md | 20 +- .../user-guide/deploy/change-management.md | 8 +- .../directory-permissions.md | 14 +- .../iis-configuration.md | 18 +- .../iis-installation.md | 14 +- .../settings-files.md | 2 +- .../global-process/howto-maintaindirectory.md | 4 +- .../global-process/howto-newsystem.md | 4 +- .../user-guide/global-process/howto-start.md | 4 +- .../individual-update.md | 16 +- .../identity-data-modification/mass-update.md | 24 +- .../multiple-update.md | 14 +- 
.../user-guide/maintain/troubleshooting.md | 8 +- .../automate-role-assignment.md | 16 +- .../optimize/assignment-automation/index.md | 24 +- .../remove-redundant-assignments.md | 18 +- .../assignment-automation/role-mining.md | 20 +- .../optimize/composite-role-creation.md | 14 +- .../optimize/hr-connector-creation.md | 127 +- .../identity-datamodel-modification.md | 16 +- ...conforming-assignment-review-automation.md | 14 +- .../user-guide/optimize/parameterized-role.md | 20 +- .../user-guide/optimize/policy-creation.md | 8 +- .../user-guide/optimize/risk-management.md | 16 +- .../current/user-guide/optimize/simulation.md | 30 +- .../set-up/categorization/classification.md | 26 +- .../set-up/categorization/correlation.md | 26 +- .../user-guide/set-up/categorization/index.md | 16 +- .../categorization/resource-type-creation.md | 12 +- .../set-up/configure-global-settings.md | 10 +- .../user-guide/set-up/configure-workflows.md | 18 +- .../connect-system/connection-creation.md | 22 +- .../connect-system/connector-declaration.md | 12 +- .../connect-system/connector-modeling.md | 38 +- .../datasheet-organization.md | 16 +- .../display-name-setting.md | 18 +- .../entity-type-declaration.md | 16 +- .../entity-type-creation/index.md | 6 +- .../entity-type-creation/key-selection.md | 6 +- .../navigation-property-definition.md | 22 +- .../scalar-property-definition.md | 20 +- .../user-guide/set-up/connect-system/index.md | 10 +- .../adjust-datamodel.md | 20 +- .../generate-unique-properties.md | 18 +- .../initial-identities-loading/index.md | 8 +- .../load-identities.md | 22 +- .../template-description.md | 4 +- .../navigation-property-computation.md | 32 +- .../resource-creation.md | 20 +- .../scalar-property-computation.md | 20 +- .../category-creation.md | 10 +- .../single-roles-catalog-creation/index.md | 20 +- .../role-manual-creation.md | 26 +- .../role-naming-rule-creation.md | 26 +- .../user-guide/set-up/synchronization.md | 40 +- 
.../set-up/user-profile-assignment.md | 14 +- .../set-up/user-profile-configuration.md | 16 +- package-lock.json | 550 +- package.json | 2 +- sidebars/identitymanager/6.3.js | 8 + src/config/products.js | 22 +- .../118_givenbyarole_v603.webp | Bin .../16_approved_v603.webp | Bin .../automationrule => }/17_declined_v603.webp | Bin .../18_calculated_v603.webp | Bin .../1_nonconforming_v603.webp | Bin .../20_cancellation_v603.webp | Bin .../21_suggested_v603.webp | Bin .../24_approvedquestioned_v603.webp | Bin .../25_pendingapprovalrisk_v603.webp | Bin .../27_prolonged_v603.webp | Bin .../3_preexisting_v603.webp | Bin .../4_requested_v603.webp | Bin .../5_calculatedmissingparameters_v603.webp | Bin .../8_pendingapproval_v603.webp | Bin .../AccessControl_Profiles_V603.webp | Bin .../AppDisplaySetting_tab_V603.webp | Bin .../ControlInputType_checkbox_V603.webp | Bin ...InputType_comboboxMultiselection_V603.webp | Bin .../ControlInputType_combobox_V603.webp | Bin .../ControlInputType_date_V603.webp | Bin .../ControlInputType_image_V603.webp | Bin .../ControlInputType_picker_V603.webp | Bin .../ControlInputType_textArea_V603.webp | Bin .../ControlInputType_text_V603.webp | Bin ...ontrolOutputType_basicCollection_V603.webp | Bin .../ControlOutputType_date_V603.webp | Bin .../ControlOutputType_image_V603.webp | Bin ...ontrolOutputType_layoutContainer_V603.webp | Bin ...ControlOutputType_layoutFieldset_V603.webp | Bin .../ControlOutputType_layoutRowset_V603.webp | Bin .../ControlOutputType_textArea_V603.webp | Bin .../ControlOutputType_text_V603.webp | Bin .../DiscardManualAssignments_state0_V602.webp | Bin .../DiscardManualAssignments_state1_V602.webp | Bin .../DiscardManualAssignments_state2_V602.webp | Bin .../DiscardManualAssignments_state3_V602.webp | Bin .../DiscardManualAssignments_state4_V602.webp | Bin .../DiscardManualAssignments_step1_V602.webp | Bin .../DiscardManualAssignments_step2_V602.webp | Bin .../DisplayTableDesignElement_table_V602.webp | Bin 
.../Form_hideRoles_V603.webp | Bin .../Form_requestTypeHelpdesk_V603.webp | Bin .../ServiceNow_example.webp | Bin .../Universe_OwnedCompositeRoles.webp | Bin .../Universe_OwnedCompositeRolesSchema.webp | Bin .../Universe_OwnedResourceTypes.webp | Bin .../Universe_OwnedResourceTypesSchema.webp | Bin .../Universe_OwnedSingleRoles.webp | Bin .../Universe_OwnedSingleRolesSchema.webp | Bin .../Universe_ResourceResourceTypes.webp | Bin .../Universe_ResourceResourceTypesSchema.webp | Bin .../Universe_noTemplate.webp | Bin .../Universe_rootInstance.webp | Bin .../Universe_severalDuplication.webp | Bin .../Universe_severalDuplicationSchema.webp | Bin .../Universe_severalNoDuplication.webp | Bin .../Universe_severalNoDuplicationSchema.webp | Bin ...certificationonlyapprovedeny-disabled.webp | Bin .../accesscertificationonlyapprovedeny.webp | Bin ...scertificationonlyapprovedenysettings.webp | Bin .../accesscontrol_manageaccounts_v603.webp | Bin .../accesscontrolfilter_schema.webp | Bin .../activity_actionwithrefine_v602.webp | Bin .../activity_reviewwithfeedback_v602.webp | Bin .../activitytemplates_action.webp | Bin .../activitytemplates_actionwithrefine.webp | Bin .../activitytemplates_example.webp | Bin .../activitytemplates_review.webp | Bin .../activitytemplates_reviewwithfeedback.webp | Bin .../ad_export_example.webp | Bin .../ad_preparesynchro_example.webp | Bin .../ad_synchro_example.webp | Bin .../adassignednavigations_5.2.1.webp | Bin .../agent-server-communication.webp | Bin ...rovingdenyingaccesscertificationitems.webp | Bin .../allworkflowinresourceview.webp | Bin .../appdisplaysetting_counters_v603.webp | Bin .../appdisplaysetting_nocounters_v603.webp | Bin .../appdisplaysetting_screen1_v603.webp | Bin .../appdisplaysetting_screen2_v603.webp | Bin .../architecture => }/architecture.webp | Bin .../on-prem => }/architecture_onprem.webp | Bin .../saas => }/architecture_saas.webp | Bin .../aspects_unicitycheck.webp | Bin .../assignedprofile_example_v603.webp | Bin 
.../assigned-roles => }/assignedroles.webp | Bin .../assignedrolesscreen.webp | Bin .../assignmentrules_newsrolerule_v602.webp | Bin .../authent_1.webp | Bin .../authent_2.webp | Bin .../quick-start => }/authentication_v601.webp | Bin .../recommendations => }/autocomplete.webp | Bin .../automation_dataquality_ex.webp | Bin .../automation_dataquality_ex2.webp | Bin .../automation_dataquality_ex3.webp | Bin .../automation_dataquality_ex4.webp | Bin .../automation_optimalcost.webp | Bin ...mation_optimalcost_automationbenefits.webp | Bin ...tomation_optimalcost_automationlimits.webp | Bin .../automation_optimalcost_data.webp | Bin .../automation_optimalcost_manual.webp | Bin .../automation_optimalcost_rolemining.webp | Bin .../automation_schema.webp | Bin .../universe => }/bi_universeexample.webp | Bin .../bi_universeexampledisplaynames.webp | Bin .../bitprov_property_v603.webp | Bin .../production-ready/server => }/bulk.webp | Bin .../buttons/Home_settings_V523.webp | Bin 1292 -> 0 bytes .../buttons/Home_topBar_V601.webp | Bin 1790 -> 0 bytes .../categorization_categschema.webp | Bin .../categorization_classifschema.webp | Bin .../categorization_correlschema.webp | Bin .../categorization_exampleadminad.webp | Bin .../categorization_exampleadminuser.webp | Bin .../categorization_examplebasicad.webp | Bin .../categorization_examplebasicuser.webp | Bin ...zation_reviewsprovisioningreview_v603.webp | Bin ...on_reviewsresourcereconciliation_v603.webp | Bin .../categorycreation_test_v602.webp | Bin ...rtifcampaign_accesscertification_v602.webp | Bin .../certifcampaign_applydecisions_v602.webp | Bin .../certifcampaign_campaigns_v602.webp | Bin .../certifcampaign_decisions_v522.webp | Bin .../certifcampaign_example_v602.webp | Bin .../certifcampaign_iconapproval_v522.svg | 0 .../certifcampaign_iconcomment_v522.svg | 0 .../certifcampaign_icondecline_v522.svg | 0 ...certifcampaign_icondiscouragement_v522.svg | 0 .../certifcampaign_iconforward_v522.svg | 0 
...certifcampaign_iconrecommendation_v522.svg | 0 .../certifcampaign_job_v522.webp | Bin ...ampaign_newcertificationcampaign_v602.webp | Bin .../certifcampaign_newlycreated_v603.webp | Bin .../certifcampaign_targetowners_v602.webp | Bin ...fcampaign_targetownersadditional_v603.webp | Bin ...rtifcampaign_targetspecificities_v602.webp | Bin .../changemanagement_actors.webp | Bin .../changemanagement_populations.webp | Bin .../changemanagement_process.webp | Bin .../classification_example_v602.webp | Bin .../classification_test_v522.webp | Bin .../classification_unclassified_v600.webp | Bin .../overview => }/components_data_flow.webp | Bin .../compositeroles_applicativeroles.webp | Bin .../compositeroles_schema.webp | Bin .../compositeroles_testroles_v602.webp | Bin .../compute-expected-1.webp | Bin .../compute-expected-2.webp | Bin .../compute-find-matching.webp | Bin .../toolkit => }/configurationcycle.webp | Bin .../connection_newconnection_v602.webp | Bin .../connection_notrecovered_v523.webp | Bin .../connection_upload_v602.webp | Bin ...nnectioncreation_checkconnection_v602.webp | Bin ...ctioncreation_connectioncreation_v602.webp | Bin ...nnectioncreation_failedindicator_v602.webp | Bin .../connectioncreation_noschema_v522.webp | Bin .../connectioncreation_refreshall_v602.webp | Bin ...connectioncreation_refreshschema_v522.webp | Bin .../connectiontables_ui_v60.webp | Bin .../connectorcreation_connectorpage_v602.webp | Bin .../connectorcreation_connectorschema.webp | Bin ...ctorcreation_connectortechnicalschema.webp | Bin .../connectorcreation_declaration_v602.webp | Bin .../connectorcreation_inbound.webp | Bin .../connectorcreation_outbound.webp | Bin .../connectorcreation_test_v602.webp | Bin .../connectormodel_ad-step1.webp | Bin .../connectormodel_ad.webp | Bin .../connectormodel_adentry.webp | Bin .../connectormodel_key.webp | Bin .../connectormodel_profiles.webp | Bin .../connectormodel_profiletransaction.webp | Bin .../connectormodel_racf.webp | Bin 
.../connectormodel_sab.webp | Bin .../connectormodel_sdge.webp | Bin .../connectormodel_star.webp | Bin .../connectormodel_starmodel.webp | Bin .../connectormodel_tss-prof-trans.webp | Bin .../connectormodel_tss.webp | Bin .../connectormodel_user-canteen.webp | Bin .../connectormodel_user-mailbox.webp | Bin .../connectormodel_user.webp | Bin .../connectormodel_usergroup.webp | Bin .../connectorreadprerequisites1.webp | Bin .../connectorreadprerequisites2.webp | Bin .../connectorwriteprerequisites.webp | Bin .../connectorwriteprerequisites2.webp | Bin .../contextrules_rolemining.webp | Bin .../evaluate-policy => }/correlation.webp | Bin .../correlation_example_v602.webp | Bin .../correlation_test_v522.webp | Bin .../correlation_uncorrelated_v600.webp | Bin .../crconf_5.2.1.webp | Bin .../policy-creation => }/createpolicy.webp | Bin .../createsinglerole.webp | Bin .../creation_5.1.6.webp | Bin .../customlinksusermenu_v523.webp | Bin .../settings => }/dashboarditemnumber.webp | Bin ...atamodel_scalarrule_timeoffsetdefault.webp | Bin ...atamodel_scalarrule_timeoffsetexample.webp | Bin ...atamodel_scalarrule_timeoffsetoverlap.webp | Bin .../datamodelmodif_scan_v600.webp | Bin .../datamodif_changeuser_v602.webp | Bin .../datamodif_downloadtemplatedata_v602.webp | Bin .../datamodif_downloadtemplateempty_v602.webp | Bin .../datamodif_multipleform_v602.webp | Bin .../datamodif_newuser_v602.webp | Bin .../datamodif_reviewpending_v523.webp | Bin .../datamodif_user_v602.webp | Bin .../demoapps_banking_userdetails.webp | Bin .../demoapps_banking_userslist.webp | Bin .../demoapps_hr_userdetails.webp | Bin .../demoapps_hr_userslist.webp | Bin .../quick-start => }/directory_v602.webp | Bin .../discardmanualassignments_schema.webp | Bin .../displaypropertygroup_example_v603.webp | Bin .../displaytabledesignelement_list_v602.webp | Bin ...tabledesignelement_resourcetable_v602.webp | Bin .../displaytablesresourcetable.webp | Bin .../displaytablestable.webp | Bin 
.../displaytablestiles.webp | Bin .../overview => }/distribution_1.webp | Bin .../overview => }/distribution_2.webp | Bin .../easyvista => }/easyvista_view_v523.webp | Bin .../enforce-assignment-policy-summary.webp | Bin .../evaluate-policy => }/enforce-context.webp | Bin .../enter-the-object-names-to-select.webp | Bin .../entitlements_assignmentrules.webp | Bin .../entitlements_categorizationrules.webp | Bin .../entitlements_compositeroles.webp | Bin .../entitlements_dimension1.webp | Bin .../entitlements_dimension2.webp | Bin .../entitlements_dimension3.webp | Bin .../entitlements_provisioningrules.webp | Bin .../entitlements_rolecatalogusers.webp | Bin .../entitlements_rolemodel.webp | Bin ...ntitypropertymapping-format-flowchart.webp | Bin .../entitytype_format_v523.webp | Bin .../entitytype_sourcecolumn_v602.webp | Bin .../entitytype_template_v602.webp | Bin ...ecreation_displaygroups_example1_v603.webp | Bin ...ecreation_displaygroups_example2_v603.webp | Bin ...on_displaygroups_example2results_v603.webp | Bin ...ypecreation_displaygroups_fields_v603.webp | Bin ...entitytypecreation_displaygroups_v603.webp | Bin ...pecreation_displaygroups_without_v603.webp | Bin .../entitytypecreation_displayname_v603.webp | Bin ...ytypecreation_displaynameexample_v600.webp | Bin ...ytypecreation_entitytypecreation_v602.webp | Bin .../entitytypecreation_examplead2_v602.webp | Bin .../entitytypecreation_examplead3_v603.webp | Bin ...tytypecreation_examplead4-result_v602.webp | Bin .../entitytypecreation_examplead4_v602.webp | Bin ...itytypecreation_examplehr-result_v602.webp | Bin .../entitytypecreation_examplehr_v602.webp | Bin .../entitytypecreation_keys_v522.webp | Bin .../entitytypecreation_manager_v600.webp | Bin .../entitytypecreation_managerof_v600.webp | Bin .../entitytypecreation_member_v600.webp | Bin .../entitytypecreation_memberof_v600.webp | Bin ...ypecreation_navigationproperties_v602.webp | Bin ...ytypecreation_propertiessettings_v602.webp | Bin 
...itytypecreation_propertiessource_v522.webp | Bin .../entitytypecreation_reload_v522.webp | Bin .../entitytypecreation_scalarex_v600.webp | Bin ...itytypecreation_scalarproperties_v603.webp | Bin ...typecreation_scalarpropertiesmap_v602.webp | Bin ...on_scalarpropertieswithoutformat_v522.webp | Bin .../entitytypecreation_schema.webp | Bin ...ecreation_sourceexpressionexample_v60.webp | Bin .../entitytypecreation_test_v602.webp | Bin .../entitytypecreation_troubleprop_v602.webp | Bin ...pecreation_troubleshootingschema_v603.webp | Bin .../evaluate-policy-1.webp | Bin .../database => }/execute_query.webp | Bin ...expression-propertypath-example1_v602.webp | Bin ...expression-propertypath-example2_v602.webp | Bin .../expression-propertypath_v602.webp | Bin .../quick-start => }/extranet_v601.webp | Bin .../form => }/form_recordtable_v603.webp | Bin .../form => }/form_requesttypeself_v603.webp | Bin ...ddandendrecordentityform_summary_v603.webp | Bin ...orkflowaddandendrecordentityform_v603.webp | Bin ...kflowaddrecordentityform_summary_v603.webp | Bin ...mple_workflowaddrecordentityform_v603.webp | Bin ...workflowcreateentityform_summary_v603.webp | Bin ...example_workflowcreateentityform_v603.webp | Bin ...e_workflowcreaterecordentityform_v603.webp | Bin ...owcreateseveralrecordsentityform_v603.webp | Bin ...e_workfloweditentityform_summary_v603.webp | Bin ...rmexample_workfloweditentityform_v603.webp | Bin ...workflowupdaterecordentitiesform_v603.webp | Bin ...owupdaterecordentityform_summary_v603.webp | Bin ...e_workflowupdaterecordentityform_v603.webp | Bin ...veralrecordsentityform_newrecord_v603.webp | Bin ...owupdateseveralrecordsentityform_v603.webp | Bin .../globalprocess_schemaconnectsyst.webp | Bin .../globalprocess_schemamaintain.webp | Bin .../globalprocess_schemastart.webp | Bin .../governance_nonconforming.webp | Bin .../home_accesscertification_v523.webp | Bin ...ome_accesscertificationcampaigns_v602.webp | Bin .../home_accesspolicies_v602.webp | Bin 
.../home_assignedprofiles_v602.webp | Bin .../home_configuration_v603.webp | Bin .../home_connectors_v602.webp | Bin .../home_directorydepartment_v523.webp | Bin .../home_directoryuser_v523.webp | Bin .../home_entitytypes_v602.webp | Bin .../home_identifiedrisks_v602.webp | Bin .../home_jobexecution_v602.webp | Bin .../home_manualprovisioning_v523.webp | Bin .../home_multipleupdates_v523.webp | Bin .../home_mytasks_v523.webp | Bin .../home_newemployee_v600.webp | Bin .../home_provisioningreview_v523.webp | Bin .../reporting => }/home_query_v602.webp | Bin .../home_redundantassignments_v602.webp | Bin .../reporting => }/home_reports_v602.webp | Bin .../home_resourcereconciliation_v523.webp | Bin .../risk-management => }/home_risks_v602.webp | Bin .../role-mining => }/home_rolemining_v60.webp | Bin .../home_rolereconciliation_v523.webp | Bin .../home_rolereview_v523.webp | Bin .../home_roles_v602.webp | Bin .../classification => }/home_rules_v602.webp | Bin .../home_settings_v523.webp | Bin .../home_simulations_v600.webp | Bin .../home_topbar_v601.webp | Bin .../home_workflowoverview_v602.webp | Bin .../howto_resourcecreationmono_form_v602.webp | Bin ...wto_resourcecreationmono_homonym_v603.webp | Bin ...wto_resourcecreationmono_summary_v602.webp | Bin ...howto_resourcecreationmulti_form_v603.webp | Bin .../howto_resourceupdatemono_form_v603.webp | Bin .../howto_resourceupdatemulti_form_v603.webp | Bin .../howto_resourceupdateno_form_v603.webp | Bin .../howto_resourceupdateno_summary_v603.webp | Bin .../howtos_azure_menuitem_v603.webp | Bin .../howtos_azure_navproperties_v603.webp | Bin .../azuread => }/howtos_azure_table_v603.webp | Bin .../howtos_azuread_exportadminconsent.webp | Bin .../howtos_azuread_exportapplicationid.webp | Bin ...tos_azuread_exportdirectorypermission.webp | Bin .../howtos_azuread_exportpermissions.webp | Bin .../howtos_azuread_exportregistration.webp | Bin .../howtos_azuread_exportsecret.webp | Bin .../hr_connection_v602.webp | Bin 
.../hr_connectordeclaration_v602.webp | Bin .../hr_entitytypen_v602.webp | Bin .../hr_entitytypes_v602.webp | Bin .../hr_validatemenu_v600.webp | Bin .../ic_fluent_flow_20_regular.webp | Bin .../classification => }/iconadd_v602.svg | 0 .../iconadd_v602.webp | Bin .../icondownload_v602.svg | 0 .../synchronization => }/iconeye_v600.svg | 0 .../iconsave_v602.svg | 0 .../iconscandatamodel_v602.svg | 0 .../load-identities => }/iconupload_v602.svg | 0 .../identities_repository.webp | Bin ...titymanager-create-databaseviews_ssms.webp | Bin .../identitymanager-export-configuration.webp | Bin .../identitymanager-login_success_v602.webp | Bin .../identityrepository-example.webp | Bin .../identityrepository-person_v602.webp | Bin .../identityrepository_v602.webp | Bin .../server => }/iis_settings.webp | Bin .../indirectpermissionsadexample.webp | Bin ...itialload_dataupload-synchronize_v602.webp | Bin .../initialload_departments_v602.webp | Bin .../initialload_directoryusers_v602.webp | Bin .../initialload_scan-example2_v523.webp | Bin .../initialload_scan-example3_v523.webp | Bin .../initialload_scan-example_v523.webp | Bin ...initialload_scandatamodel-result_v523.webp | Bin .../initialload_scandatamodel_v60.webp | Bin .../initialload_templateexample_v602.webp | Bin .../initialload_templatemodel_v603.webp | Bin .../initialload_templatereco_v600.webp | Bin .../initialload_uniqueemail_v602.webp | Bin .../initialload_uniqueidentifier_v602.webp | Bin .../initialload_uniquelogin_v602.webp | Bin .../form => }/inputtypeattachment.webp | Bin .../form => }/inputtypecheckbox.webp | Bin .../form => }/inputtypecombobox.webp | Bin .../inputtypecomboboxmultiselection.webp | Bin .../form => }/inputtypedate.webp | Bin .../form => }/inputtypeimage.webp | Bin .../form => }/inputtypepicker.webp | Bin .../form => }/inputtypetext.webp | Bin .../form => }/inputtypetextarea.webp | Bin .../datamodel/BI_universeExample.webp | Bin 2438 -> 0 bytes .../Universe_columnNameDisplayName.webp | Bin 1972 -> 
0 bytes .../Universe_columnNameIdentifier.webp | Bin 2596 -> 0 bytes ...atamodel_scalarRule_timeOffsetDefault.webp | Bin 8466 -> 0 bytes .../accesscontrol_profiles_v603.webp | Bin 14258 -> 0 bytes .../universe_notemplate.webp | Bin 13008 -> 0 bytes .../universe_ownedcompositeroles.webp | Bin 5132 -> 0 bytes .../universe_ownedcompositerolesschema.webp | Bin 6202 -> 0 bytes .../universe_ownedresourcetypes.webp | Bin 60950 -> 0 bytes .../universe_ownedresourcetypesschema.webp | Bin 21266 -> 0 bytes .../universe_ownedsingleroles.webp | Bin 5086 -> 0 bytes .../universe_ownedsinglerolesschema.webp | Bin 5654 -> 0 bytes .../universe_resourceresourcetypes.webp | Bin 37210 -> 0 bytes .../universe_resourceresourcetypesschema.webp | Bin 17218 -> 0 bytes .../universe_rootinstance.webp | Bin 6912 -> 0 bytes .../universe_severalduplication.webp | Bin 21850 -> 0 bytes .../universe_severalduplicationschema.webp | Bin 10554 -> 0 bytes .../universe_severalnoduplication.webp | Bin 23716 -> 0 bytes .../universe_severalnoduplicationschema.webp | Bin 10130 -> 0 bytes .../servicenow_example.webp | Bin 19180 -> 0 bytes .../discardmanualassignments_state0_v602.webp | Bin 12928 -> 0 bytes .../discardmanualassignments_state1_v602.webp | Bin 12642 -> 0 bytes .../discardmanualassignments_state2_v602.webp | Bin 13124 -> 0 bytes .../discardmanualassignments_state3_v602.webp | Bin 23344 -> 0 bytes .../discardmanualassignments_state4_v602.webp | Bin 12866 -> 0 bytes .../discardmanualassignments_step1_v602.webp | Bin 25330 -> 0 bytes .../discardmanualassignments_step2_v602.webp | Bin 43364 -> 0 bytes .../displaytabledesignelement_table_v602.webp | Bin 17662 -> 0 bytes .../form/form_hideroles_v603.webp | Bin 2144 -> 0 bytes .../form/form_requesttypehelpdesk_v603.webp | Bin 4560 -> 0 bytes ...orkflowAddAndEndRecordEntityForm_V603.webp | Bin 106548 -> 0 bytes ...mple_WorkflowAddRecordEntityForm_V603.webp | Bin 90702 -> 0 bytes ...rmExample_WorkflowEditEntityForm_V603.webp | Bin 7642 -> 0 bytes 
...e_WorkflowUpdateRecordEntityForm_V603.webp | Bin 139086 -> 0 bytes ...owUpdateSeveralRecordsEntityForm_V603.webp | Bin 168730 -> 0 bytes .../invoke-job => }/job_operation.webp | Bin .../launch_v603.webp | Bin .../menuitems_userslist_v603.webp | Bin .../menuitems_userview_v603.webp | Bin ...nge_fulfill_display_entity_type_5.1.7.webp | Bin ...texchange_fulfill_display_table_5.1.7.webp | Bin ...osoftexchange_fulfill_menu_item_5.1.7.webp | Bin .../microsoftexchange_jobs_5.1.7.webp | Bin .../namingrulecreation_example_v602.webp | Bin ...ngrulecreation_exampleroleresult_v602.webp | Bin ...ngrulecreation_exampleruleresult_v523.webp | Bin .../namingrulecreation_newrule_v602.webp | Bin .../namingrulecreation_testroles_v602.webp | Bin .../namingrulecreation_testrules_v602.webp | Bin .../navrule_5.2.1.webp | Bin .../server => }/newlogin.webp | Bin .../nimprofile => }/nimProfileModal_v63.png | Bin .../nimProfile_MenuItem_v63.png | Bin .../scim => }/oauthauthentication.webp | Bin .../references-connectors/okta => }/okta.webp | Bin .../okta => }/okta_addapplication.webp | Bin .../okta => }/okta_applicationsection.webp | Bin .../okta => }/okta_clientcredentials.webp | Bin .../okta => }/okta_createnativeapp.webp | Bin .../how-tos/okta => }/okta_createnewapp.webp | Bin .../okta => }/okta_saveapplication.webp | Bin .../orphan_bulkreconcile_v603.webp | Bin .../orphan_entitytype_v523.webp | Bin .../orphan_iconapprove_v602.svg | 0 .../orphan_icondecline_v522.svg | 0 .../orphan_propertyview_v603.webp | Bin .../orphan_resourceview_v523.webp | Bin .../orphan_revieworphans-owners_v602.webp | Bin .../orphan_revieworphans_v602.webp | Bin .../orphan_serviceaccounts.webp | Bin .../orphan_unusedquery_v602.webp | Bin .../overview => }/overview_calculation.webp | Bin .../overview => }/overview_connectors.webp | Bin .../overview => }/overview_provisioning.webp | Bin .../overview_synchronization.webp | Bin .../packages_ad_v603.webp | Bin .../azure => }/packages_azure_v603.webp | Bin 
.../packages_azuread_v603.webp | Bin .../csv => }/packages_csv_v603.webp | Bin .../scim => }/packages_cyberark_v603.webp | Bin .../packages_easyvista_v603.webp | Bin .../packages_easyvistaticket_v603.webp | Bin .../excel => }/packages_excel_v603.webp | Bin .../packages_exchange_v603.webp | Bin .../packages_homefolders_v603.webp | Bin .../packages_identitymanagerticket_v603.webp | Bin ...ackages_identitymanagerticketcud_v603.webp | Bin .../json => }/packages_json_v603.webp | Bin .../ldap => }/packages_ldapapache_v603.webp | Bin .../ldap => }/packages_ldapgeneric_v603.webp | Bin .../openldap => }/packages_ldapopen_v603.webp | Bin .../ldap => }/packages_ldaporacle_v603.webp | Bin .../ldap => }/packages_ldapredhat_v603.webp | Bin .../ldif => }/packages_ldif_v603.webp | Bin .../packages_nimprofile_v63.png | Bin .../odata => }/packages_odata_v603.webp | Bin .../packages_powershellprov_v603.webp | Bin .../packages_powershellsync_v603.webp | Bin .../racf => }/packages_racf_v603.webp | Bin .../packages_robot_v603.webp | Bin .../scim => }/packages_salesforce_v603.webp | Bin .../sapnetweaver => }/packages_sap_v603.webp | Bin .../saperp6 => }/packages_saperp6_v603.webp | Bin .../scim => }/packages_scim_v603.webp | Bin .../packages_servicenow_v603.webp | Bin .../packages_servicenowticket_v603.webp | Bin .../packages_sharedfolders_v603.webp | Bin .../packages_sharepoint_v603.webp | Bin .../scim => }/packages_slack_v603.webp | Bin .../sql => }/packages_sqlgeneric_v603.webp | Bin .../sql => }/packages_sqlmy_v603.webp | Bin .../sql => }/packages_sqlodbc_v603.webp | Bin .../sql => }/packages_sqloracle_v603.webp | Bin .../sql => }/packages_sqlpostgre_v603.webp | Bin .../sql => }/packages_sqlsap_v603.webp | Bin .../sql => }/packages_sqlserver_v603.webp | Bin .../packages_sqlservermanagement_v603.webp | Bin .../topsecret => }/packages_tss_v603.webp | Bin .../workday => }/packages_workday_v603.webp | Bin .../packages_workflow_v603.webp | Bin .../packages_workspace_v603.webp | Bin 
.../api/pagination => }/pagination.webp | Bin .../parameterizedrole_examplerole_v603.webp | Bin ...terizedrole_exampleroleparameter_v603.webp | Bin ...erizedrole_examplerolesuggestion_v603.webp | Bin .../parameterizedrole_examplerule_v603.webp | Bin .../parameterizedroles_numerousroles.webp | Bin ...rizedroles_parameterexamplestep1_v603.webp | Bin ...rizedroles_parameterexamplestep2_v603.webp | Bin .../parameterizedroles_parameters.webp | Bin .../parameterizedroles_simplerole.webp | Bin .../addchangeaspect => }/pointcut.webp | Bin .../policycreation_policies_v602.webp | Bin .../positionextension-identity.webp | Bin .../positionextension-result.webp | Bin .../postman_accesstoken.webp | Bin .../postman_accesstokenresult.webp | Bin .../postman_authentication.webp | Bin .../postman_authorization.webp | Bin .../postman_authorizationcombined.webp | Bin .../postman_gettokencombined.webp | Bin .../postman_newaccesstokencombined.webp | Bin .../postman_newrequest.webp | Bin .../postman_requestfields.webp | Bin .../powerbi_clearcache.webp | Bin .../powerbi_clientid.webp | Bin .../connect-powerbi => }/powerbi_getdata.webp | Bin .../powerbi_getdatawindow.webp | Bin .../analyze-powerbi => }/powerbi_process.webp | Bin .../powerbi_universes.webp | Bin .../connect-powerbi => }/powerbi_url.webp | Bin .../prodagent_directoryproperties1.webp | Bin .../prodagent_directoryproperties2.webp | Bin .../prodagent_directoryproperties3.webp | Bin .../prodagent_directoryproperties4.webp | Bin .../prodagent_foldersproperties1.webp | Bin .../prodagent_foldersproperties2.webp | Bin .../prodagent_iis1.webp | Bin .../prodagent_iis2.webp | Bin .../prodagent_iis3.webp | Bin .../prodagent_iis4.webp | Bin .../prodagent_iis5.webp | Bin .../prodagent_servercertificate1.webp | Bin .../prodagent_servercertificate2.webp | Bin .../prodagent_servercertificate3.webp | Bin .../prodagent_servermanager1.webp | Bin .../prodagent_servermanager2.webp | Bin .../prodagent_servermanager3.webp | Bin 
.../prodagent_servermanager4.webp | Bin .../prodagent_servermanager5.webp | Bin .../prodagent_servermanager6.webp | Bin .../profiles_creation_v602.webp | Bin .../profiles_example_v603.webp | Bin .../profiles_schema.webp | Bin .../prov_stateschema_v523.webp | Bin .../provauto_states_v523.webp | Bin .../provmanual_bulk_v603.webp | Bin .../provmanual_createresource_v522.webp | Bin .../provmanual_editresource_v522.webp | Bin .../provmanual_iconapprove_v602.svg | 0 .../provmanual_icondecline_v522.svg | 0 .../provmanual_iconedit_v602.svg | 0 .../provmanual_iconpostpone_v522.svg | 0 .../provmanual_page_v603.webp | Bin .../provmanual_provreview_v602.webp | Bin .../provmanual_reviewaddition_v602.webp | Bin .../provmanual_reviewassociation_v602.webp | Bin .../provmanual_reviewdeletion_v602.webp | Bin .../provmanual_reviewedition_v602.webp | Bin .../provmanual_states_v523.webp | Bin .../provreview_bulkunblock_v603.webp | Bin .../provreview_propertyview_v603.webp | Bin .../provreview_resourceview_v603.webp | Bin .../provreview_states_v523.webp | Bin .../provrules_entitytype_v602.webp | Bin .../provrules_examplenav_v602.webp | Bin .../provrules_examplequery_v602.webp | Bin .../provrules_examplequerybis_v602.webp | Bin .../provrules_examplescalar_v522.webp | Bin .../provrules_exampletype_v602.webp | Bin .../provrules_queryrule_v522.webp | Bin .../provrules_queryrulefields_v602.webp | Bin .../provrules_scalarrule_v522.webp | Bin .../provrules_scalarrulefields_v602.webp | Bin .../provrules_schemanavigation.webp | Bin .../provrules_schemascalar.webp | Bin .../provrules_typerule_v602.webp | Bin .../reverse-proxy => }/proxy_example.webp | Bin .../proxy_purpose_encryption.webp | Bin .../proxy_purpose_loadbalancing.webp | Bin .../quadratic-linear-complexity.webp | Bin .../recommendations => }/recommendation.webp | Bin .../recordsection-withvaluecopy-result1.webp | Bin .../recordsection_extensionkind.webp | Bin .../recordsorigin_contexts.webp | Bin .../recordsorigin_firstmodel.webp | 
Bin .../recordsorigin_thirdmodel.webp | Bin .../recordsorigin_timelines.webp | Bin .../recordsorigin_userexample.webp | Bin .../redundantassignments_buttons_v602.webp | Bin .../redundantassignments_examplewith.webp | Bin .../redundantassignments_examplewithout.webp | Bin ...dundantassignments_reportexample_v602.webp | Bin ...ntassignments_reportexampleverif_v602.webp | Bin ...erences_connectors_activedirectory_01.webp | Bin ...erences_connectors_activedirectory_02.webp | Bin ...erences_connectors_activedirectory_03.webp | Bin ...erences_connectors_activedirectory_04.webp | Bin ...erences_connectors_activedirectory_05.webp | Bin .../reload_v603.webp | Bin .../reporting_fieldstodisplay_v522.webp | Bin .../reporting_filters_v602.webp | Bin .../reporting_predefinedreports_v602.webp | Bin .../reporting_querypage_v602.webp | Bin .../resourcetype_newclassifrule_v602.webp | Bin ...esourcetype_newclassifrulefields_v602.webp | Bin .../resourcetype_newcorrelrule_v602.webp | Bin ...resourcetype_newcorrelrulefields_v602.webp | Bin .../resourcetype_newresourcet_v603.webp | Bin .../resourcetype_test_v602.webp | Bin .../reviewautomation_newrulefields_v602.webp | Bin .../reviewautomation_rulemessage_v522.webp | Bin .../reviewprop_example_v602.webp | Bin .../reviewprop_unreconciled_v522.webp | Bin .../reviewrole_exampleresource_v602.webp | Bin .../reviewrole_exampleresourceprop_v602.webp | Bin .../reviewrole_examplerole_v602.webp | Bin .../reviewrole_icondelete_v602.svg | 0 .../reviewrole_rolereconciliation_v603.webp | Bin ...eviewrole_rolereconciliationbulk_v603.webp | Bin .../riskmanagement_identifiedrisks_v522.webp | Bin .../riskmanagement_newrisk_v602.webp | Bin .../riskmanagement_newriskitem_v602.webp | Bin .../riskmanagement_workflowstate_v523.webp | Bin .../risks => }/risks_blocking_v522.webp | Bin .../risks_requiredapproval_v522.webp | Bin .../risks_riskcomputetask_v522.webp | Bin .../risks => }/risks_riskicon_v522.svg | 0 .../risks => }/risks_warning_v522.webp | Bin 
.../robotframeworkflaui_flauishowxpath.webp | Bin ...robotframeworkflaui_flauixpathexample.webp | Bin .../robotframeworkselenium_copyfullxpath.webp | Bin .../robotframeworkselenium_inspecttool.webp | Bin .../rolemining_impact_usecase1.webp | Bin .../rolemining_impact_usecase2.webp | Bin .../rolemining_impact_usecase3.webp | Bin .../rolemining_impact_usecase4.webp | Bin .../rolemining_impact_usecase5.webp | Bin .../rolemining_launchjob_v602.webp | Bin .../rolemining_miningrule_v602.webp | Bin .../rolemining_ruletype-sensitivity.webp | Bin .../role-mining => }/rolemining_ruletype.webp | Bin .../role-mining => }/rolemining_schema.webp | Bin .../rolemining_simulation.webp | Bin .../rolemining_simulationresults.webp | Bin .../rolemining_suggested_v602.webp | Bin .../roleofficers_newprofile_v602.webp | Bin .../scim => }/salesforce-advancesetup.webp | Bin .../scim => }/salesforce-agent-settings.webp | Bin .../scim => }/salesforce-checkemail.webp | Bin .../scim => }/salesforce-connection.webp | Bin .../scim => }/salesforce-connector.webp | Bin .../scim => }/salesforce-consumerkey.webp | Bin .../scim => }/salesforce-enableoauth.webp | Bin .../salesforce-manageconnectedapps.webp | Bin .../salesforce-manageconsumerdetails.webp | Bin .../scim => }/salesforce-newconnectedapp.webp | Bin .../salesforce-resetseuritytoken.webp | Bin .../salesforce-usertoken-settings.webp | Bin ...rark_export_display_entity_type_5.1.6.webp | Bin ...m_cyberark_export_display_table_5.1.6.webp | Bin .../scim_cyberark_export_menu_item_5.1.6.webp | Bin .../searchbarfilters.webp | Bin .../searchbarwithoutfilter.webp | Bin .../securedoptions_adexample_v603.webp | Bin .../securedoptions_adexamplevisible_v603.webp | Bin .../securedoptions_adlogin_v603.webp | Bin .../securedoptions_keyvalue_v603.webp | Bin ...securedoptions_powershellexample_v603.webp | Bin .../securedoptions_sqlexample1_v603.webp | Bin .../securedoptions_sqlexample2_v603.webp | Bin .../sharedfolder_permission.webp | Bin 
.../sharepoint_export_add_member.webp | Bin .../sharepoint_export_role_owner.webp | Bin .../simple-recordsection-identity.webp | Bin .../simple-recordsection-result.webp | Bin .../simulation_cancel_v602.webp | Bin .../simulation_decision_v600.webp | Bin .../simulation_icondelete_v600.svg | 0 .../simulation_iconedit_v600.svg | 0 .../simulation => }/simulation_list_v602.webp | Bin .../simulation => }/simulation_new_v602.webp | Bin .../simulation_start_v602.webp | Bin ...inglerolescatalog_createcategory_v602.webp | Bin ...erolescatalog_createcompositerole_v62.webp | Bin ...singlerolescatalog_createnavrule_v602.webp | Bin .../singlerolescatalog_newcategory_v602.webp | Bin .../singlerolescatalog_schemaapprovals.webp | Bin .../singlerolescatalog_schemabottomup.webp | Bin .../singlerolescatalog_schemarole.webp | Bin .../singlerolescatalog_schemarolerule.webp | Bin ...glerolescatalog_schemarolesidentities.webp | Bin .../singlerolescatalog_schematopdown.webp | Bin .../singlerolescatalog_strategymono_v602.webp | Bin ...singlerolescatalog_strategymulti_v522.webp | Bin ...rolescatalog_strategymultinoname_v522.webp | Bin .../sql => }/sql_downloadpackage.webp | Bin .../sql => }/sql_packagecharacteristics.webp | Bin .../srconf_5.2.1.webp | Bin .../srrule_5.2.1.webp | Bin .../suggestallcorrelations-nnn.webp | Bin .../suggestallcorrelations-nnn2.webp | Bin .../suggestallcorrelations-nny.webp | Bin .../suggestallcorrelations-nyn.webp | Bin .../suggestallcorrelations-nyy.webp | Bin .../suggestallcorrelations-ynn.webp | Bin .../suggestallcorrelations-ynn2.webp | Bin .../suggestallcorrelations-yny.webp | Bin .../suggestallcorrelations-yyny.webp | Bin .../{integration-guide/api => }/swagger.webp | Bin .../synchro_dashboard_v522.webp | Bin .../synchro_edit_v600.webp | Bin .../synchro_examplesab2_v602.webp | Bin .../synchro_examplesab3_v602.webp | Bin .../synchro_examplesab_v522.webp | Bin .../synchro_executionjobs-complete_v602.webp | Bin .../synchro_executionjobs_v602.webp | Bin 
.../synchro_resourcetype_v602.webp | Bin .../synchro_results_v603.webp | Bin .../synchronization => }/synchro_schema.webp | Bin .../synchro_threshold_v603.webp | Bin .../synchro_thresholdlog_v603.webp | Bin .../synchro_thresholdresumed_v602.webp | Bin .../tools_managehistory_schema.webp | Bin .../tree-like-structure.webp | Bin .../troubleshoot_synchroprovschema.webp | Bin .../troubleshooting_connectorjobs_v603.webp | Bin .../troubleshooting_helpdesk_v603.webp | Bin .../troubleshooting_userdata_v603.webp | Bin ...aypriorities_changeselection_v521beta.webp | Bin .../unauth_reviewunauthorized_v602.webp | Bin .../unauth_unauthorizedaccounts_v602.webp | Bin .../unauth_updateprop_v522.webp | Bin .../universe_columnnamedisplayname.webp | Bin .../universe_columnnameidentifier.webp | Bin .../universe_excluded.webp | Bin .../universe_mixedexample.webp | Bin .../universe_notemplateschema.webp | Bin .../use_case_1_deduction.webp | Bin .../use_case_1_rolemodel.webp | Bin .../use_case_1_sync.webp | Bin .../on-offboarding => }/validityperiod.webp | Bin .../viewpermissions_v602.webp | Bin .../viewpermissionsadvanced_5.2.1.webp | Bin .../viewpermissionssimplified_5.2.1.webp | Bin .../workflowinentitylist.webp | Bin .../workflowinresourceview.webp | Bin .../workflows_homonyms_v601.webp | Bin .../workflows_reviewpermissions_v601.webp | Bin .../workflows_reviewsteps_v601.webp | Bin .../workflows_verifyhomonyms_v601.webp | Bin 2125 files changed, 81244 insertions(+), 2579 deletions(-) create mode 100644 docs/identitymanager/6.3/_partials/README.md create mode 100644 docs/identitymanager/6.3/_partials/argumentsexpression.mdx create mode 100644 docs/identitymanager/6.3/_partials/contextrule-certification.mdx create mode 100644 docs/identitymanager/6.3/_partials/ignoreHistorization-intro.mdx create mode 100644 docs/identitymanager/6.3/_partials/parameterized-role.mdx create mode 100644 docs/identitymanager/6.3/_partials/resourcetypemapping-identifier.mdx create mode 100644 
docs/identitymanager/6.3/index.md create mode 100644 docs/identitymanager/6.3/installation-guide/index.md create mode 100644 docs/identitymanager/6.3/installation-guide/overview.md create mode 100644 docs/identitymanager/6.3/installation-guide/production-ready/agent.md create mode 100644 docs/identitymanager/6.3/installation-guide/production-ready/database.md create mode 100644 docs/identitymanager/6.3/installation-guide/production-ready/email-server.md create mode 100644 docs/identitymanager/6.3/installation-guide/production-ready/index.md create mode 100644 docs/identitymanager/6.3/installation-guide/production-ready/server.md create mode 100644 docs/identitymanager/6.3/installation-guide/production-ready/working-directory.md create mode 100644 docs/identitymanager/6.3/installation-guide/quick-start.md create mode 100644 docs/identitymanager/6.3/installation-guide/requirements/agent-requirements.md create mode 100644 docs/identitymanager/6.3/installation-guide/requirements/database-requirements.md create mode 100644 docs/identitymanager/6.3/installation-guide/requirements/device-requirements.md create mode 100644 docs/identitymanager/6.3/installation-guide/requirements/index.md create mode 100644 docs/identitymanager/6.3/installation-guide/requirements/server-requirements.md create mode 100644 docs/identitymanager/6.3/installation-guide/reverse-proxy.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/authentication.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/pagination.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/request-postman.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/accesscertification.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/accesscontrol.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/connectors.md create mode 100644 
docs/identitymanager/6.3/integration-guide/api/server/files.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/job.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/metadata.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/provisioningentityinstance.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/provisioningpolicy.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/report.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/resource.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/resourcechange.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/resourcefilechange.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/resourcelinkchange.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/robots.txt.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/universes.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/server/workflows.md create mode 100644 docs/identitymanager/6.3/integration-guide/api/squery.md create mode 100644 docs/identitymanager/6.3/integration-guide/architecture/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/architecture/on-prem.md create mode 100644 docs/identitymanager/6.3/integration-guide/architecture/protect-agent-server-communication.md create mode 100644 docs/identitymanager/6.3/integration-guide/architecture/saas.md create mode 100644 docs/identitymanager/6.3/integration-guide/architecture/sbom.md create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaign_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaignpolicy_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationdatafilter_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationownerfilter_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentityproperty_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentitytype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentry_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolfilter_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpermission_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpropertygroup_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/activity_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstance_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancecc_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancesactor_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplate_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatestate_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatetransition_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/agent_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/allowednavigationbinding_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/aspect_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedcompositerole_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedprofile_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcebinary_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourceerror_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcenavigation_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcescalar_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcetype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedsinglerole_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/associationinstance_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/automationrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/binding_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/bindingexpression_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/category_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/change_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerole_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolerule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolescategory_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationdll_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfile_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfileitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/connection_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/connectioncolumn_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/connectionpackage_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontable_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontransformation_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/connector_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/context_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/contextrule_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/dimension_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityassociation_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityproperty_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentitytype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displaypropertygroup_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytable_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytablecolumn_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytabledesignelement_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociation_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociationmapping_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entityinstance_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entityproperty_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertyexpression_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertymapping_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytypemapping_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/form_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/formcontrol_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/formtype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/forwardedaccesscertificationitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylink_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylinkfilter_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/identifiedrisk_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/indicator_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/indicatoritem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/indirectresourcerule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/inputtype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/job_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/jobinstance_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/jobstep_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/language_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/menuitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/miningrule_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/notification_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationinstance_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationtemplate_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/openidclient_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/outputtype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/passwordresetsettings_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/pendingwork_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/pointcut_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/policy_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/policysimulation_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/profile_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/profilecontext_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerulecontext_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/recipient_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/recordproperty_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/recordsection_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/reportquery_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resource_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcebinaryrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcechange_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceclassificationrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationkey_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefile_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefilechange_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelink_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelinkchange_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcenavigationrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcepropertymapping_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcequeryrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceriskscore_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcescalarrule_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypemapping_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetyperule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypescategory_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/risk_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/riskrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/riskruleitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemapping_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingruleitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffolding_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffoldingargument_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbar_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbarcriterion_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbardesignelement_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/sequence_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/setting_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerole_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolerule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolescategory_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/synchronizationhistory_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/task_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdependontask_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdimension_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/taskentitytype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/taskinstance_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/taskresourcetype_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/tile_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/tiledesignelement_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/tileitem_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/unicitycheckrule_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/universe_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/workflow_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowinstance_class_diagram.plantuml create mode 100644 
docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowstate_class_diagram.plantuml create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/azuread-register.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/configure-secured-options.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/connections.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/entra-ID.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/credential-protection.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-banking.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-hr.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-gui-robotframework.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/powershell-fulfill.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-cyberark-export.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-salesforce-provisioning-entitlements.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/entra-ID.md create mode 100644 
docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/sharepoint-export.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-powershell-script.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-robotframework-script.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-sync-powershell-script.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-ticket-template.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/entitypropertymapping-format.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/activedirectory.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/azure.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/csv.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvista.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvistaticket.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/excel.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/googleworkspace.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/homefolder.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/index.md create mode 100644 
docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalresources.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalworkflow.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/json.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldap.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldif.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftentraid.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftexchange.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/nimprofile.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/odata.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/okta.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/openldap.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellprov.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellsync.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/racf.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/robotframework.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/saperp6.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sapnetweaver.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/scim.md create mode 100644 
docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowentitymanagement.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowticket.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharedfolder.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharepoint.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sql.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sqlserverentitlements.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/topsecret.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-connectors/workday.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/active-directory.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/apache-directory.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure-active-directory.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/csv.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/cyberark.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvista.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvistaticket.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/excel.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-ldap.md create mode 100644 
docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-scim.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-sql.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/googleworkspace.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/home-folders.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/identitymanager-database.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/json.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/ldif.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/microsoft-exchange.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/mysql.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/nimprofile.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/odata.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/odbc.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/open-ldap.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-database.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-ldap.md create mode 100644 
docs/identitymanager/6.3/integration-guide/connectors/references-packages/postgresql.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellprov.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellsync.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/racf.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/red-hat-directory-server.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/robot-framework.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/salesforce.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/sapase.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/saperp6.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/saphana.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow-ticket.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/shared-folders.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/sharepoint.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/slack.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server-entitlements.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/tss.md create mode 100644 
docs/identitymanager/6.3/integration-guide/connectors/references-packages/unplugged.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/workday.md create mode 100644 docs/identitymanager/6.3/integration-guide/connectors/references-packages/workflow.md create mode 100644 docs/identitymanager/6.3/integration-guide/entity-model.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/agent.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/anonymize.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/check-expressionsconsistency.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/compute-correlationkeys.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/configuration-transform.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/create-databaseviews.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/csv-transform.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/decrypt-file.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/deploy-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/encrypt-file.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/export-bacpac.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/export-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/export-csv.md create mode 100644 
docs/identitymanager/6.3/integration-guide/executables/references/export-easyvista.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/export-excel.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/export-scim.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/fillbankingdatabase.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/fulfill-easyvista.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/fulfill-scim.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/fulfill-toeasyvistaticket.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/generate-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/get-jobsteps.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/invoke-job.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/invoke-serverjob.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/login.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/manage-configurationdependantindexes.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/manage-history.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/new-openidsecret.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/passwordgenerator.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/prepare-synchronization.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/protect-certificatepassword.md create mode 
100644 docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonfile.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonvalue.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/refreshschema.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/send-passwordnotification.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/server.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/update-entitypropertyexpressions.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/upgrade-configurationversion.md create mode 100644 docs/identitymanager/6.3/integration-guide/executables/references/upgrade-databaseversion.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/accesscertification.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/reporting/analyze-powerbi.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/reporting/connect-powerbi.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/analyze-powerbi.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/connect-powerbi.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/reporting/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/review-prolonged-entitlements.md create mode 100644 docs/identitymanager/6.3/integration-guide/governance/risks.md create mode 100644 docs/identitymanager/6.3/integration-guide/identity-management/identity-repository.md create mode 100644 docs/identitymanager/6.3/integration-guide/identity-management/index.md create mode 100644 
docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md create mode 100644 docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/position-change.md create mode 100644 docs/identitymanager/6.3/integration-guide/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/modules.md create mode 100644 docs/identitymanager/6.3/integration-guide/monitoring/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/monitoring/qradar-setting.md create mode 100644 docs/identitymanager/6.3/integration-guide/monitoring/references.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings-agent.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/azure-key-vault.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/rsa-encryption.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/configure-okta.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/how-tos/okta.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/password-management.md create mode 100644 
docs/identitymanager/6.3/integration-guide/network-configuration/proxy.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/database-connection.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/end-users-authentication.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/general-purpose.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/rsa-encryption.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/settings.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/appsettings.connection.md create mode 100644 docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/custom.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/how-tos/customize-native-notification.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/how-tos/set-language.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/access-certification.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/customize-native-notification.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/errored-jobs.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/manual-provisioning.md create mode 100644 
docs/identitymanager/6.3/integration-guide/notifications/native/password-reset.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/provisioning-review.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/native/role-review.md create mode 100644 docs/identitymanager/6.3/integration-guide/notifications/set-language.md create mode 100644 docs/identitymanager/6.3/integration-guide/profiles-permissions/create-assign-profiles/index.md rename docs/identitymanager/{current/integration-guide/content => 6.3}/integration-guide/profiles-permissions/index.md (100%) create mode 100644 docs/identitymanager/6.3/integration-guide/profiles-permissions/permissions/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/profiles-permissions/rightsrestriction/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/provisioning/argumentsexpression.md create mode 100644 docs/identitymanager/6.3/integration-guide/provisioning/how-tos/argumentsexpression.md create mode 100644 docs/identitymanager/6.3/integration-guide/provisioning/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/provisioning/prov-thresholds.md create mode 100644 docs/identitymanager/6.3/integration-guide/resources.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/assignment-dates.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/assignments-of-entitlements.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/configureindirectpermissions.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/conformingassignmentcomputation.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/evaluate-policy.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/existingassignmentsdeduction.md create mode 100644 
docs/identitymanager/6.3/integration-guide/role-assignment/generate-contexts.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/configureindirectpermissions.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/infer-single-roles.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/restrict-assignment.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/indirectpermissions.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/infer-single-roles.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/nonconformingdetection.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/restrict-assignment.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-assignment/role-model-rules.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-mining.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-model/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/role-model/role-model-rules.md create mode 100644 docs/identitymanager/6.3/integration-guide/simulation.md create mode 100644 docs/identitymanager/6.3/integration-guide/synchronization/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/synchronization/synchro-thresholds.md create mode 100644 docs/identitymanager/6.3/integration-guide/synchronization/upward-data-sync.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/build-efficient-jobs.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-incremental-job.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-jobs.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/fulfillldap.md 
create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/jobdaily.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/jobfast.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/jobs.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/tasks.md create mode 100644 docs/identitymanager/6.3/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/adjust-scaffoldings.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/bindings.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/deploy-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/export-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/expressions/csharp-utility-functions.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/expressions/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/expressions/predefined-functions.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/file-hierarchy.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/how-tos/adjust-scaffoldings.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/how-tos/deploy-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/how-tos/export-configuration.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/languages.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/parameter-names.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/recommendations.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/reservedidentifiers.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/assignedprofile.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/openidclient.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profile.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilecontext.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/assignedrolesaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md create 
mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/profilemodule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/agent.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connection.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connectiontable.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connector.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping.mdx create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistauserresourcetypemapping.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/nimresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping.mdx create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/index.md create mode 
100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/job.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/binding.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entityassociation.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitytype.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/language.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md create mode 
100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notification.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md 
create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/category.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerole.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/context.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/miningrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/policy.md 
create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/risk.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/rolemapping.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerole.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/reportquery.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/resource.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/form.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/indicator.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/searchbar.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/tile.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md create mode 100644 
docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/workflow.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/create-menu-items.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/custom-display-table.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/custom-forms.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/custom-search-bar.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/how-tos/create-menu-items.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-display-table.md create mode 100644 
docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-forms.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-search-bar.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/how-tos/producttranslations.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/ui/producttranslations.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/activity-templates.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/configure-homonym-test.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-mono.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-multi.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-mono.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-multi.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-resource.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/index.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/workflow-uses.md create mode 100644 docs/identitymanager/6.3/integration-guide/workflows/workflowhomonym.md create mode 100644 docs/identitymanager/6.3/introduction-guide/architecture.md create mode 100644 docs/identitymanager/6.3/introduction-guide/configuration.md create mode 100644 docs/identitymanager/6.3/introduction-guide/index.md create mode 100644 docs/identitymanager/6.3/introduction-guide/overview/entitlement-management.md create mode 100644 docs/identitymanager/6.3/introduction-guide/overview/governance.md create mode 100644 
docs/identitymanager/6.3/introduction-guide/overview/identity-management.md create mode 100644 docs/identitymanager/6.3/introduction-guide/overview/index.md create mode 100644 docs/identitymanager/6.3/introduction-guide/overview/use-cases.md create mode 100644 docs/identitymanager/6.3/migration-guide/index.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-execution.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-scheduling.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/access-certification/index.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/assigned-roles.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/index.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/manual-assignment-request.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/index.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/orphan-unused-account-review.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/provisioning/automatic-provisioning.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/provisioning/index.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/provisioning/manual-provisioning.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/provisioning/provisioning-review.md create mode 100644 docs/identitymanager/6.3/user-guide/administrate/reporting.md 
create mode 100644 docs/identitymanager/6.3/user-guide/deploy/authentication.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/change-management.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/index.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/directory-permissions.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/finalization.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-configuration.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-installation.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/index.md create mode 100644 docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/settings-files.md create mode 100644 docs/identitymanager/6.3/user-guide/global-process/howto-maintaindirectory.md create mode 100644 docs/identitymanager/6.3/user-guide/global-process/howto-newsystem.md create mode 100644 docs/identitymanager/6.3/user-guide/global-process/howto-start.md create mode 100644 docs/identitymanager/6.3/user-guide/global-process/index.md create mode 100644 docs/identitymanager/6.3/user-guide/index.md create mode 100644 docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/index.md create mode 100644 docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/individual-update.md create mode 100644 docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/mass-update.md create mode 100644 docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/multiple-update.md create mode 100644 docs/identitymanager/6.3/user-guide/maintain/index.md create mode 100644 docs/identitymanager/6.3/user-guide/maintain/troubleshooting.md create mode 
100644 docs/identitymanager/6.3/user-guide/optimize/assignment-automation/automate-role-assignment.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/assignment-automation/index.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/assignment-automation/remove-redundant-assignments.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/assignment-automation/role-mining.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/composite-role-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/hr-connector-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/identity-datamodel-modification.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/index.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/non-conforming-assignment-review-automation.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/parameterized-role.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/policy-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/risk-management.md create mode 100644 docs/identitymanager/6.3/user-guide/optimize/simulation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/categorization/classification.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/categorization/correlation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/categorization/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/categorization/resource-type-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/configure-global-settings.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/configure-workflows.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/connection-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-declaration.md create mode 100644 
docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-modeling.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/key-selection.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/connect-system/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/development-environment-installation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/adjust-datamodel.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/generate-unique-properties.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/load-identities.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/template-description.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md create mode 100644 
docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/resource-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/category-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/index.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/synchronization.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/user-profile-assignment.md create mode 100644 docs/identitymanager/6.3/user-guide/set-up/user-profile-configuration.md rename docs/identitymanager/current/integration-guide/{content/integration-guide => }/profiles-permissions/create-assign-profiles.md (82%) create mode 100644 docs/identitymanager/current/integration-guide/profiles-permissions/index.md rename docs/identitymanager/current/integration-guide/{content/integration-guide => }/profiles-permissions/permissions.md (99%) rename docs/identitymanager/current/integration-guide/{content/integration-guide => }/profiles-permissions/rightsrestriction.md (89%) create mode 100644 docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification/AccessCertificationItemReviewer.md create mode 100644 docs/identitymanager/current/preview-features.md create mode 100644 sidebars/identitymanager/6.3.js rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/118_givenbyarole_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/16_approved_v603.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/17_declined_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/18_calculated_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/1_nonconforming_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/20_cancellation_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/21_suggested_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/24_approvedquestioned_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/25_pendingapprovalrisk_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/automationrule => }/27_prolonged_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/3_preexisting_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/4_requested_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/5_calculatedmissingparameters_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/8_pendingapproval_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/AccessControl_Profiles_V603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/metadata => }/AppDisplaySetting_tab_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => 
}/ControlInputType_checkbox_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_comboboxMultiselection_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_combobox_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_date_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_image_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_picker_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_textArea_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlInputType_text_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_basicCollection_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_date_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_image_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_layoutContainer_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_layoutFieldset_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_layoutRowset_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_textArea_V603.webp (100%) rename static/images/identitymanager/{integration-guide/database => }/ControlOutputType_text_V603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_state0_V602.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_state1_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_state2_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_state3_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_state4_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_step1_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypes => }/DiscardManualAssignments_step2_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface => }/DisplayTableDesignElement_table_V602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface => }/Form_hideRoles_V603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface => }/Form_requestTypeHelpdesk_V603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/resourcetypemappings => }/ServiceNow_example.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_OwnedCompositeRoles.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_OwnedCompositeRolesSchema.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_OwnedResourceTypes.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => 
}/Universe_OwnedResourceTypesSchema.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_OwnedSingleRoles.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_OwnedSingleRolesSchema.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_ResourceResourceTypes.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_ResourceResourceTypesSchema.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_noTemplate.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_rootInstance.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_severalDuplication.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_severalDuplicationSchema.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_severalNoDuplication.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/scaffoldings => }/Universe_severalNoDuplicationSchema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-global-settings => }/accesscertificationonlyapprovedeny-disabled.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-global-settings => }/accesscertificationonlyapprovedeny.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-global-settings => }/accesscertificationonlyapprovedenysettings.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts => }/accesscontrol_manageaccounts_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule => }/accesscontrolfilter_schema.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activity_actionwithrefine_v602.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activity_reviewwithfeedback_v602.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activitytemplates_action.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activitytemplates_actionwithrefine.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activitytemplates_example.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activitytemplates_review.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/activity-templates => }/activitytemplates_reviewwithfeedback.webp (100%) rename static/images/identitymanager/{integration-guide/synchronization/upward-data-sync => }/ad_export_example.webp (100%) rename static/images/identitymanager/{integration-guide/synchronization/upward-data-sync => }/ad_preparesynchro_example.webp (100%) rename static/images/identitymanager/{integration-guide/synchronization/upward-data-sync => }/ad_synchro_example.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/adassignednavigations_5.2.1.webp (100%) rename static/images/identitymanager/{integration-guide/architecture/how-tos/protect-agent-server-communication => }/agent-server-communication.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/configure-global-settings => }/allowapprovingdenyingaccesscertificationitems.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/create-menu-items => }/allworkflowinresourceview.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting => }/appdisplaysetting_counters_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting => }/appdisplaysetting_nocounters_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting => }/appdisplaysetting_screen1_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting => }/appdisplaysetting_screen2_v603.webp (100%) rename static/images/identitymanager/{integration-guide/architecture => }/architecture.webp (100%) rename static/images/identitymanager/{integration-guide/architecture/on-prem => }/architecture_onprem.webp (100%) rename static/images/identitymanager/{integration-guide/architecture/saas => }/architecture_saas.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect => }/aspects_unicitycheck.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule => }/assignedprofile_example_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/assigned-roles => }/assignedroles.webp (100%) rename static/images/identitymanager/{user-guide/administrate/assigned-roles => }/assignedrolesscreen.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/automate-role-assignment => }/assignmentrules_newsrolerule_v602.webp (100%) rename 
static/images/identitymanager/{integration-guide/network-configuration/server-configuration/end-users-authentication => }/authent_1.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/server-configuration/end-users-authentication => }/authent_2.webp (100%) rename static/images/identitymanager/{installation-guide/quick-start => }/authentication_v601.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/recommendations => }/autocomplete.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_dataquality_ex.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_dataquality_ex2.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_dataquality_ex3.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_dataquality_ex4.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_optimalcost.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_optimalcost_automationbenefits.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_optimalcost_automationlimits.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_optimalcost_data.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_optimalcost_manual.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_optimalcost_rolemining.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation => }/automation_schema.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/business-intelligence/universe => }/bi_universeexample.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/business-intelligence/universe => }/bi_universeexampledisplaynames.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/entitypropertymapping-format => }/bitprov_property_v603.webp (100%) rename static/images/identitymanager/{installation-guide/production-ready/server => }/bulk.webp (100%) delete mode 100644 static/images/identitymanager/buttons/Home_settings_V523.webp delete mode 100644 static/images/identitymanager/buttons/Home_topBar_V601.webp rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_categschema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_classifschema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_correlschema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_exampleadminad.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_exampleadminuser.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_examplebasicad.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization => }/categorization_examplebasicuser.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/categorization_reviewsprovisioningreview_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/categorization_reviewsresourcereconciliation_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/category-creation => }/categorycreation_test_v602.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_accesscertification_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_applydecisions_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_campaigns_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_decisions_v522.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_example_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_iconapproval_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_iconcomment_v522.svg (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/certifcampaign_icondecline_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_icondiscouragement_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_iconforward_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/certifcampaign_iconrecommendation_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_job_v522.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_newcertificationcampaign_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_newlycreated_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_targetowners_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_targetownersadditional_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/certifcampaign_targetspecificities_v602.webp (100%) rename static/images/identitymanager/{user-guide/deploy/change-management => }/changemanagement_actors.webp (100%) rename static/images/identitymanager/{user-guide/deploy/change-management => }/changemanagement_populations.webp (100%) rename static/images/identitymanager/{user-guide/deploy/change-management => }/changemanagement_process.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/classification_example_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/classification_test_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/classification_unclassified_v600.webp (100%) rename static/images/identitymanager/{installation-guide/overview => }/components_data_flow.webp (100%) rename static/images/identitymanager/{user-guide/optimize/composite-role-creation => }/compositeroles_applicativeroles.webp (100%) rename static/images/identitymanager/{user-guide/optimize/composite-role-creation => }/compositeroles_schema.webp (100%) rename 
static/images/identitymanager/{user-guide/optimize/composite-role-creation => }/compositeroles_testroles_v602.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/compute-expected-1.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/compute-expected-2.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/compute-find-matching.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit => }/configurationcycle.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connection_newconnection_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connection_notrecovered_v523.webp (100%) rename static/images/identitymanager/{user-guide/maintain/identity-data-modification/mass-update => }/connection_upload_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connectioncreation_checkconnection_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connectioncreation_connectioncreation_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connectioncreation_failedindicator_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connectioncreation_noschema_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connectioncreation_refreshall_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connection-creation => }/connectioncreation_refreshschema_v522.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/configuration-details/connections => 
}/connectiontables_ui_v60.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-declaration => }/connectorcreation_connectorpage_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system => }/connectorcreation_connectorschema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system => }/connectorcreation_connectortechnicalschema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-declaration => }/connectorcreation_declaration_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/hr-connector-creation => }/connectorcreation_inbound.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system => }/connectorcreation_outbound.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-declaration => }/connectorcreation_test_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_ad-step1.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_ad.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_adentry.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_key.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_profiles.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_profiletransaction.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_racf.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_sab.webp (100%) 
rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_sdge.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_star.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_starmodel.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_tss-prof-trans.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_tss.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_user-canteen.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_user-mailbox.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_user.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/connector-modeling => }/connectormodel_usergroup.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/saperp6 => }/connectorreadprerequisites1.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/saperp6 => }/connectorreadprerequisites2.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/saperp6 => }/connectorwriteprerequisites.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/saperp6 => }/connectorwriteprerequisites2.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/contextrule => }/contextrules_rolemining.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => 
}/correlation.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/correlation => }/correlation_example_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/correlation => }/correlation_test_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/correlation => }/correlation_uncorrelated_v600.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/crconf_5.2.1.webp (100%) rename static/images/identitymanager/{user-guide/optimize/policy-creation => }/createpolicy.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-manual-creation => }/createsinglerole.webp (100%) rename static/images/identitymanager/{integration-guide/governance/accesscertification => }/creation_5.1.6.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/settings => }/customlinksusermenu_v523.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/settings => }/dashboarditemnumber.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/datamodel_scalarrule_timeoffsetdefault.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/datamodel_scalarrule_timeoffsetexample.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/datamodel_scalarrule_timeoffsetoverlap.webp (100%) rename static/images/identitymanager/{user-guide/optimize/identity-datamodel-modification => }/datamodelmodif_scan_v600.webp (100%) rename static/images/identitymanager/{user-guide/administrate/manual-assignment-request => }/datamodif_changeuser_v602.webp (100%) rename 
static/images/identitymanager/{user-guide/maintain/identity-data-modification/mass-update => }/datamodif_downloadtemplatedata_v602.webp (100%) rename static/images/identitymanager/{user-guide/maintain/identity-data-modification/mass-update => }/datamodif_downloadtemplateempty_v602.webp (100%) rename static/images/identitymanager/{user-guide/maintain/identity-data-modification/multiple-update => }/datamodif_multipleform_v602.webp (100%) rename static/images/identitymanager/{user-guide/maintain/identity-data-modification/individual-update => }/datamodif_newuser_v602.webp (100%) rename static/images/identitymanager/{user-guide/maintain/identity-data-modification/individual-update => }/datamodif_reviewpending_v523.webp (100%) rename static/images/identitymanager/{user-guide/administrate/manual-assignment-request => }/datamodif_user_v602.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/demoapp-banking => }/demoapps_banking_userdetails.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/demoapp-banking => }/demoapps_banking_userslist.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/demoapp-hr => }/demoapps_hr_userdetails.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/demoapp-hr => }/demoapps_hr_userslist.webp (100%) rename static/images/identitymanager/{installation-guide/quick-start => }/directory_v602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/discardmanualassignments_schema.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup => }/displaypropertygroup_example_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/displaytable => }/displaytabledesignelement_list_v602.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/displaytable => }/displaytabledesignelement_resourcetable_v602.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/custom-display-table => }/displaytablesresourcetable.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/custom-display-table => }/displaytablestable.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/custom-display-table => }/displaytablestiles.webp (100%) rename static/images/identitymanager/{installation-guide/overview => }/distribution_1.webp (100%) rename static/images/identitymanager/{installation-guide/overview => }/distribution_2.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/easyvista => }/easyvista_view_v523.webp (100%) rename static/images/identitymanager/{integration-guide/role-model/role-model-rules => }/enforce-assignment-policy-summary.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/enforce-context.webp (100%) rename static/images/identitymanager/{installation-guide/production-ready/server => }/enter-the-object-names-to-select.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_assignmentrules.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_categorizationrules.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_compositeroles.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_dimension1.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_dimension2.webp (100%) rename 
static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_dimension3.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_provisioningrules.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_rolecatalogusers.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/entitlement-management => }/entitlements_rolemodel.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/entitypropertymapping-format => }/entitypropertymapping-format-flowchart.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/entitytype_format_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/entitytype_sourcecolumn_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation => }/entitytype_template_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/datasheet-organization => }/entitytypecreation_displaygroups_example1_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/datasheet-organization => }/entitytypecreation_displaygroups_example2_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/datasheet-organization => }/entitytypecreation_displaygroups_example2results_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/datasheet-organization => }/entitytypecreation_displaygroups_fields_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/datasheet-organization => }/entitytypecreation_displaygroups_v603.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/datasheet-organization => }/entitytypecreation_displaygroups_without_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_displayname_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_displaynameexample_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration => }/entitytypecreation_entitytypecreation_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_examplead2_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition => }/entitytypecreation_examplead3_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_examplead4-result_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_examplead4_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_examplehr-result_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_examplehr_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/key-selection => }/entitytypecreation_keys_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition => 
}/entitytypecreation_manager_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition => }/entitytypecreation_managerof_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition => }/entitytypecreation_member_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition => }/entitytypecreation_memberof_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition => }/entitytypecreation_navigationproperties_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_propertiessettings_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration => }/entitytypecreation_propertiessource_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/key-selection => }/entitytypecreation_reload_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_scalarex_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_scalarproperties_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_scalarpropertiesmap_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_scalarpropertieswithoutformat_v522.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation => }/entitytypecreation_schema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition => }/entitytypecreation_sourceexpressionexample_v60.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/entitytypecreation_test_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/display-name-setting => }/entitytypecreation_troubleprop_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration => }/entitytypecreation_troubleshootingschema_v603.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/evaluate-policy => }/evaluate-policy-1.webp (100%) rename static/images/identitymanager/{installation-guide/production-ready/database => }/execute_query.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/expressions => }/expression-propertypath-example1_v602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/expressions => }/expression-propertypath-example2_v602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/expressions => }/expression-propertypath_v602.webp (100%) rename static/images/identitymanager/{installation-guide/quick-start => }/extranet_v601.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/form_recordtable_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/form_requesttypeself_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform => }/formexample_workflowaddandendrecordentityform_summary_v603.webp 
(100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform => }/formexample_workflowaddandendrecordentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform => }/formexample_workflowaddrecordentityform_summary_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform => }/formexample_workflowaddrecordentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform => }/formexample_workflowcreateentityform_summary_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform => }/formexample_workflowcreateentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform => }/formexample_workflowcreaterecordentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform => }/formexample_workflowcreateseveralrecordsentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform => }/formexample_workfloweditentityform_summary_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform => }/formexample_workfloweditentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform => }/formexample_workflowupdaterecordentitiesform_v603.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform => }/formexample_workflowupdaterecordentityform_summary_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform => }/formexample_workflowupdaterecordentityform_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform => }/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform => }/formexample_workflowupdateseveralrecordsentityform_v603.webp (100%) rename static/images/identitymanager/{user-guide/global-process/howto-newsystem => }/globalprocess_schemaconnectsyst.webp (100%) rename static/images/identitymanager/{user-guide/global-process/howto-maintaindirectory => }/globalprocess_schemamaintain.webp (100%) rename static/images/identitymanager/{user-guide/global-process/howto-start => }/globalprocess_schemastart.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/assignments-of-entitlements => }/governance_nonconforming.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-execution => }/home_accesscertification_v523.webp (100%) rename static/images/identitymanager/{user-guide/administrate/access-certification/certification-campaign-scheduling => }/home_accesscertificationcampaigns_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/policy-creation => }/home_accesspolicies_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-assignment => }/home_assignedprofiles_v602.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules => }/home_configuration_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/home_connectors_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/home_directorydepartment_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-workflows => }/home_directoryuser_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/home_entitytypes_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/risk-management => }/home_identifiedrisks_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/home_jobexecution_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/manual-provisioning => }/home_manualprovisioning_v523.webp (100%) rename static/images/identitymanager/{user-guide/maintain/identity-data-modification/multiple-update => }/home_multipleupdates_v523.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules => }/home_mytasks_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/generate-unique-properties => }/home_newemployee_v600.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/home_provisioningreview_v523.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/home_query_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/remove-redundant-assignments => }/home_redundantassignments_v602.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/reporting => }/home_reports_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/home_resourcereconciliation_v523.webp (100%) rename static/images/identitymanager/{user-guide/optimize/risk-management => }/home_risks_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/home_rolemining_v60.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/role-reconciliation => }/home_rolereconciliation_v523.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules => }/home_rolereview_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/resource-type-creation => }/home_roles_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/home_rules_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-configuration => }/home_settings_v523.webp (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/home_simulations_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-workflows => }/home_topbar_v601.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/home_workflowoverview_v602.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-create-mono => }/howto_resourcecreationmono_form_v602.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-create-multi => }/howto_resourcecreationmono_homonym_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-create-mono => }/howto_resourcecreationmono_summary_v602.webp (100%) 
rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-create-multi => }/howto_resourcecreationmulti_form_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-update-mono => }/howto_resourceupdatemono_form_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-update-multi => }/howto_resourceupdatemulti_form_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-update-resource => }/howto_resourceupdateno_form_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-update-resource => }/howto_resourceupdateno_summary_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/create-connector/azuread => }/howtos_azure_menuitem_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/create-connector/azuread => }/howtos_azure_navproperties_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/create-connector/azuread => }/howtos_azure_table_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/azuread-register => }/howtos_azuread_exportadminconsent.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/azuread-register => }/howtos_azuread_exportapplicationid.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/azuread-register => }/howtos_azuread_exportdirectorypermission.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/azuread-register => }/howtos_azuread_exportpermissions.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/azuread-register => }/howtos_azuread_exportregistration.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/azuread-register => 
}/howtos_azuread_exportsecret.webp (100%) rename static/images/identitymanager/{user-guide/optimize/hr-connector-creation => }/hr_connection_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/hr-connector-creation => }/hr_connectordeclaration_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/hr-connector-creation => }/hr_entitytypen_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/hr-connector-creation => }/hr_entitytypes_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/hr-connector-creation => }/hr_validatemenu_v600.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/indirectpermissions => }/ic_fluent_flow_20_regular.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/iconadd_v602.svg (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-assignment => }/iconadd_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/icondownload_v602.svg (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/iconeye_v600.svg (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-configuration => }/iconsave_v602.svg (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/adjust-datamodel => }/iconscandatamodel_v602.svg (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/iconupload_v602.svg (100%) rename static/images/identitymanager/{introduction-guide/overview/identity-management => }/identities_repository.webp (100%) rename static/images/identitymanager/{integration-guide/executables/references/create-databaseviews => }/identitymanager-create-databaseviews_ssms.webp (100%) rename static/images/identitymanager/{integration-guide/executables/references/export-configuration => 
}/identitymanager-export-configuration.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/how-tos/export-configuration => }/identitymanager-login_success_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading => }/identityrepository-example.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading => }/identityrepository-person_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading => }/identityrepository_v602.webp (100%) rename static/images/identitymanager/{installation-guide/production-ready/server => }/iis_settings.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/indirectpermissionsadexample.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/initialload_dataupload-synchronize_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/initialload_departments_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/initialload_directoryusers_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/adjust-datamodel => }/initialload_scan-example2_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/adjust-datamodel => }/initialload_scan-example3_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/adjust-datamodel => }/initialload_scan-example_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/adjust-datamodel => }/initialload_scandatamodel-result_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/adjust-datamodel => 
}/initialload_scandatamodel_v60.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/initialload_templateexample_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/template-description => }/initialload_templatemodel_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/load-identities => }/initialload_templatereco_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/generate-unique-properties => }/initialload_uniqueemail_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/generate-unique-properties => }/initialload_uniqueidentifier_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/initial-identities-loading/generate-unique-properties => }/initialload_uniquelogin_v602.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypeattachment.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypecheckbox.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypecombobox.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypecomboboxmultiselection.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypedate.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypeimage.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypepicker.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypetext.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/form => }/inputtypetextarea.webp (100%) delete mode 100644 static/images/identitymanager/integration-guide/datamodel/BI_universeExample.webp delete mode 100644 static/images/identitymanager/integration-guide/datamodel/Universe_columnNameDisplayName.webp delete mode 100644 static/images/identitymanager/integration-guide/datamodel/Universe_columnNameIdentifier.webp delete mode 100644 static/images/identitymanager/integration-guide/datamodel/datamodel_scalarRule_timeOffsetDefault.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/accesscontrol_profiles_v603.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositerolesschema.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypes.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp delete mode 100644 
static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsingleroles.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplicationschema.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenow_example.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state0_v602.webp delete mode 100644 
static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state3_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step2_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_table_v602.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddAndEndRecordEntityForm_V603.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddRecordEntityForm_V603.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowEditEntityForm_V603.webp delete mode 100644 
static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowUpdateRecordEntityForm_V603.webp delete mode 100644 static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowUpdateSeveralRecordsEntityForm_V603.webp rename static/images/identitymanager/{integration-guide/executables/references/invoke-job => }/job_operation.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-assignment => }/launch_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-create-multi => }/menuitems_userslist_v603.webp (100%) rename static/images/identitymanager/{integration-guide/workflows/how-to/workflow-update-mono => }/menuitems_userview_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/powershell-fulfill => }/microsoftexchange_fulfill_display_entity_type_5.1.7.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/powershell-fulfill => }/microsoftexchange_fulfill_display_table_5.1.7.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/powershell-fulfill => }/microsoftexchange_fulfill_menu_item_5.1.7.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/powershell-fulfill => }/microsoftexchange_jobs_5.1.7.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/namingrulecreation_example_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/namingrulecreation_exampleroleresult_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/namingrulecreation_exampleruleresult_v523.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/namingrulecreation_newrule_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/namingrulecreation_testroles_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/namingrulecreation_testrules_v602.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/navrule_5.2.1.webp (100%) rename static/images/identitymanager/{installation-guide/production-ready/server => }/newlogin.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/nimprofile => }/nimProfileModal_v63.png (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/nimprofile => }/nimProfile_MenuItem_v63.png (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/oauthauthentication.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/okta => }/okta.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/how-tos/okta => }/okta_addapplication.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/how-tos/okta => }/okta_applicationsection.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/how-tos/okta => }/okta_clientcredentials.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/how-tos/okta => }/okta_createnativeapp.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/how-tos/okta => }/okta_createnewapp.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration/how-tos/okta => 
}/okta_saveapplication.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_bulkreconcile_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/orphan_entitytype_v523.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/role-reconciliation => }/orphan_iconapprove_v602.svg (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/role-reconciliation => }/orphan_icondecline_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_propertyview_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_resourceview_v523.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_revieworphans-owners_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_revieworphans_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_serviceaccounts.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/orphan_unusedquery_v602.webp (100%) rename static/images/identitymanager/{introduction-guide/overview => }/overview_calculation.webp (100%) rename static/images/identitymanager/{introduction-guide/overview => }/overview_connectors.webp (100%) rename static/images/identitymanager/{introduction-guide/overview => }/overview_provisioning.webp (100%) rename static/images/identitymanager/{introduction-guide/overview => }/overview_synchronization.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/activedirectory => }/packages_ad_v603.webp (100%) rename 
static/images/identitymanager/{integration-guide/connectors/references-connectors/azure => }/packages_azure_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/microsoftentraid => }/packages_azuread_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/csv => }/packages_csv_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/packages_cyberark_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/easyvista => }/packages_easyvista_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/easyvistaticket => }/packages_easyvistaticket_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/excel => }/packages_excel_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/microsoftexchange => }/packages_exchange_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/homefolder => }/packages_homefolders_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/internalresources => }/packages_identitymanagerticket_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/internalresources => }/packages_identitymanagerticketcud_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/json => }/packages_json_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/ldap => }/packages_ldapapache_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/ldap => }/packages_ldapgeneric_v603.webp (100%) rename 
static/images/identitymanager/{integration-guide/connectors/references-connectors/openldap => }/packages_ldapopen_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/ldap => }/packages_ldaporacle_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/ldap => }/packages_ldapredhat_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/ldif => }/packages_ldif_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/nimprofile => }/packages_nimprofile_v63.png (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/odata => }/packages_odata_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/powershellprov => }/packages_powershellprov_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/powershellsync => }/packages_powershellsync_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/racf => }/packages_racf_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/robotframework => }/packages_robot_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/packages_salesforce_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sapnetweaver => }/packages_sap_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/saperp6 => }/packages_saperp6_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/packages_scim_v603.webp (100%) rename 
static/images/identitymanager/{integration-guide/connectors/references-connectors/servicenowentitymanagement => }/packages_servicenow_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/servicenowticket => }/packages_servicenowticket_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sharedfolder => }/packages_sharedfolders_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sharepoint => }/packages_sharepoint_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/packages_slack_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqlgeneric_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqlmy_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqlodbc_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqloracle_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqlpostgre_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqlsap_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/packages_sqlserver_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sqlserverentitlements => }/packages_sqlservermanagement_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/topsecret => }/packages_tss_v603.webp (100%) rename 
static/images/identitymanager/{integration-guide/connectors/references-connectors/workday => }/packages_workday_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/internalworkflow => }/packages_workflow_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/googleworkspace => }/packages_workspace_v603.webp (100%) rename static/images/identitymanager/{integration-guide/api/pagination => }/pagination.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedrole_examplerole_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedrole_exampleroleparameter_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedrole_examplerolesuggestion_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedrole_examplerule_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedroles_numerousroles.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedroles_parameterexamplestep1_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedroles_parameterexamplestep2_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedroles_parameters.webp (100%) rename static/images/identitymanager/{user-guide/optimize/parameterized-role => }/parameterizedroles_simplerole.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect => }/pointcut.webp (100%) rename static/images/identitymanager/{user-guide/optimize/policy-creation => }/policycreation_policies_v602.webp (100%) rename 
static/images/identitymanager/{integration-guide/role-assignment/generate-contexts => }/positionextension-identity.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/generate-contexts => }/positionextension-result.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_accesstoken.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_accesstokenresult.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_authentication.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_authorization.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_authorizationcombined.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_gettokencombined.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_newaccesstokencombined.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_newrequest.webp (100%) rename static/images/identitymanager/{integration-guide/api/how-tos/request-postman => }/postman_requestfields.webp (100%) rename static/images/identitymanager/{integration-guide/governance/reporting/how-tos/connect-powerbi => }/powerbi_clearcache.webp (100%) rename static/images/identitymanager/{integration-guide/governance/reporting/how-tos/connect-powerbi => }/powerbi_clientid.webp (100%) rename static/images/identitymanager/{integration-guide/governance/reporting/how-tos/connect-powerbi => }/powerbi_getdata.webp (100%) rename static/images/identitymanager/{integration-guide/governance/reporting/how-tos/connect-powerbi => }/powerbi_getdatawindow.webp (100%) rename 
static/images/identitymanager/{integration-guide/governance/reporting/how-tos/analyze-powerbi => }/powerbi_process.webp (100%) rename static/images/identitymanager/{integration-guide/governance/reporting/how-tos/connect-powerbi => }/powerbi_universes.webp (100%) rename static/images/identitymanager/{integration-guide/governance/reporting/how-tos/connect-powerbi => }/powerbi_url.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/directory-permissions => }/prodagent_directoryproperties1.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/directory-permissions => }/prodagent_directoryproperties2.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/directory-permissions => }/prodagent_directoryproperties3.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/directory-permissions => }/prodagent_directoryproperties4.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/directory-permissions => }/prodagent_foldersproperties1.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/directory-permissions => }/prodagent_foldersproperties2.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_iis1.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_iis2.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_iis3.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_iis4.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_iis5.webp 
(100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_servercertificate1.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_servercertificate2.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-configuration => }/prodagent_servercertificate3.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-installation => }/prodagent_servermanager1.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-installation => }/prodagent_servermanager2.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-installation => }/prodagent_servermanager3.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-installation => }/prodagent_servermanager4.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-installation => }/prodagent_servermanager5.webp (100%) rename static/images/identitymanager/{user-guide/deploy/production-agent-installation/iis-installation => }/prodagent_servermanager6.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-configuration => }/profiles_creation_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-configuration => }/profiles_example_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-configuration => }/profiles_schema.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning => }/prov_stateschema_v523.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/automatic-provisioning => }/provauto_states_v523.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/provisioning/manual-provisioning => }/provmanual_bulk_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/manual-provisioning => }/provmanual_createresource_v522.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/manual-provisioning => }/provmanual_editresource_v522.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_iconapprove_v602.svg (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_icondecline_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_iconedit_v602.svg (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_iconpostpone_v522.svg (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/manual-provisioning => }/provmanual_page_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_provreview_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_reviewaddition_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_reviewassociation_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_reviewdeletion_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provmanual_reviewedition_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/manual-provisioning => }/provmanual_states_v523.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provreview_bulkunblock_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provreview_propertyview_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provreview_resourceview_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/provreview_states_v523.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation => }/provrules_entitytype_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/navigation-property-computation => }/provrules_examplenav_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/navigation-property-computation => }/provrules_examplequery_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/navigation-property-computation => }/provrules_examplequerybis_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/scalar-property-computation => }/provrules_examplescalar_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/resource-creation => }/provrules_exampletype_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/navigation-property-computation => }/provrules_queryrule_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/navigation-property-computation => }/provrules_queryrulefields_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/scalar-property-computation => }/provrules_scalarrule_v522.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/scalar-property-computation => }/provrules_scalarrulefields_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/navigation-property-computation => }/provrules_schemanavigation.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/scalar-property-computation => }/provrules_schemascalar.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/resource-creation => }/provrules_typerule_v602.webp (100%) rename static/images/identitymanager/{installation-guide/reverse-proxy => }/proxy_example.webp (100%) rename static/images/identitymanager/{installation-guide/reverse-proxy => }/proxy_purpose_encryption.webp (100%) rename static/images/identitymanager/{installation-guide/reverse-proxy => }/proxy_purpose_loadbalancing.webp (100%) rename static/images/identitymanager/{introduction-guide/overview/identity-management => }/quadratic-linear-complexity.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/recommendations => }/recommendation.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/generate-contexts => }/recordsection-withvaluecopy-result1.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/recordsection => }/recordsection_extensionkind.webp (100%) rename static/images/identitymanager/{integration-guide/identity-management/joiners-movers-leavers/position-change => }/recordsorigin_contexts.webp (100%) rename static/images/identitymanager/{integration-guide/identity-management/joiners-movers-leavers/position-change => }/recordsorigin_firstmodel.webp (100%) rename static/images/identitymanager/{integration-guide/identity-management/joiners-movers-leavers/position-change => }/recordsorigin_thirdmodel.webp (100%) rename 
static/images/identitymanager/{integration-guide/identity-management/joiners-movers-leavers/position-change => }/recordsorigin_timelines.webp (100%) rename static/images/identitymanager/{integration-guide/identity-management/joiners-movers-leavers/position-change => }/recordsorigin_userexample.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/remove-redundant-assignments => }/redundantassignments_buttons_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/remove-redundant-assignments => }/redundantassignments_examplewith.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/remove-redundant-assignments => }/redundantassignments_examplewithout.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/remove-redundant-assignments => }/redundantassignments_reportexample_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/remove-redundant-assignments => }/redundantassignments_reportexampleverif_v602.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/activedirectory => }/references_connectors_activedirectory_01.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/activedirectory => }/references_connectors_activedirectory_02.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/activedirectory => }/references_connectors_activedirectory_03.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/activedirectory => }/references_connectors_activedirectory_04.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/activedirectory => }/references_connectors_activedirectory_05.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/initial-identities-loading/generate-unique-properties => }/reload_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/reporting_fieldstodisplay_v522.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/reporting_filters_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/reporting_predefinedreports_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/reporting => }/reporting_querypage_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/resourcetype_newclassifrule_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/resourcetype_newclassifrulefields_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/correlation => }/resourcetype_newcorrelrule_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/correlation => }/resourcetype_newcorrelrulefields_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/resource-type-creation => }/resourcetype_newresourcet_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/resource-type-creation => }/resourcetype_test_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/non-conforming-assignment-review-automation => }/reviewautomation_newrulefields_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/non-conforming-assignment-review-automation => }/reviewautomation_rulemessage_v522.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/property-reconciliation => }/reviewprop_example_v602.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/property-reconciliation => }/reviewprop_unreconciled_v522.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/property-reconciliation => }/reviewrole_exampleresource_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/property-reconciliation => }/reviewrole_exampleresourceprop_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/property-reconciliation => }/reviewrole_examplerole_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/provisioning/provisioning-review => }/reviewrole_icondelete_v602.svg (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/role-reconciliation => }/reviewrole_rolereconciliation_v603.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/role-reconciliation => }/reviewrole_rolereconciliationbulk_v603.webp (100%) rename static/images/identitymanager/{user-guide/optimize/risk-management => }/riskmanagement_identifiedrisks_v522.webp (100%) rename static/images/identitymanager/{user-guide/optimize/risk-management => }/riskmanagement_newrisk_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/risk-management => }/riskmanagement_newriskitem_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/risk-management => }/riskmanagement_workflowstate_v523.webp (100%) rename static/images/identitymanager/{integration-guide/governance/risks => }/risks_blocking_v522.webp (100%) rename static/images/identitymanager/{integration-guide/governance/risks => }/risks_requiredapproval_v522.webp (100%) rename static/images/identitymanager/{integration-guide/governance/risks => }/risks_riskcomputetask_v522.webp (100%) rename 
static/images/identitymanager/{integration-guide/governance/risks => }/risks_riskicon_v522.svg (100%) rename static/images/identitymanager/{integration-guide/governance/risks => }/risks_warning_v522.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/interact-gui-robotframework => }/robotframeworkflaui_flauishowxpath.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/interact-gui-robotframework => }/robotframeworkflaui_flauixpathexample.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/interact-web-page-robotframework => }/robotframeworkselenium_copyfullxpath.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/interact-web-page-robotframework => }/robotframeworkselenium_inspecttool.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_impact_usecase1.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_impact_usecase2.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_impact_usecase3.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_impact_usecase4.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_impact_usecase5.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/rolemining_launchjob_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/rolemining_miningrule_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/rolemining_ruletype-sensitivity.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/rolemining_ruletype.webp (100%) rename 
static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/rolemining_schema.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_simulation.webp (100%) rename static/images/identitymanager/{integration-guide/role-mining => }/rolemining_simulationresults.webp (100%) rename static/images/identitymanager/{user-guide/optimize/assignment-automation/role-mining => }/rolemining_suggested_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/user-profile-assignment => }/roleofficers_newprofile_v602.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-advancesetup.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-agent-settings.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-checkemail.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-connection.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-connector.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-consumerkey.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-enableoauth.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-manageconnectedapps.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-manageconsumerdetails.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-newconnectedapp.webp (100%) rename 
static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-resetseuritytoken.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/scim => }/salesforce-usertoken-settings.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/scim-cyberark-export => }/scim_cyberark_export_display_entity_type_5.1.6.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/scim-cyberark-export => }/scim_cyberark_export_display_table_5.1.6.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/scim-cyberark-export => }/scim_cyberark_export_menu_item_5.1.6.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/custom-search-bar => }/searchbarfilters.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/custom-search-bar => }/searchbarwithoutfilter.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => }/securedoptions_adexample_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => }/securedoptions_adexamplevisible_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => }/securedoptions_adlogin_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => }/securedoptions_keyvalue_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => }/securedoptions_powershellexample_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => }/securedoptions_sqlexample1_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/configure-secured-options => 
}/securedoptions_sqlexample2_v603.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sharedfolder => }/sharedfolder_permission.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/sharepoint-export => }/sharepoint_export_add_member.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/how-tos/sharepoint-export => }/sharepoint_export_role_owner.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/generate-contexts => }/simple-recordsection-identity.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/generate-contexts => }/simple-recordsection-result.webp (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_cancel_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_decision_v600.webp (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_icondelete_v600.svg (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_iconedit_v600.svg (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_list_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_new_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/simulation => }/simulation_start_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/category-creation => }/singlerolescatalog_createcategory_v602.webp (100%) rename static/images/identitymanager/{user-guide/optimize/composite-role-creation => }/singlerolescatalog_createcompositerole_v62.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/role-manual-creation => }/singlerolescatalog_createnavrule_v602.webp (100%) rename 
static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation/category-creation => }/singlerolescatalog_newcategory_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_schemaapprovals.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_schemabottomup.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_schemarole.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_schemarolerule.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_schemarolesidentities.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_schematopdown.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_strategymono_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_strategymulti_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/single-roles-catalog-creation => }/singlerolescatalog_strategymultinoname_v522.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/sql_downloadpackage.webp (100%) rename static/images/identitymanager/{integration-guide/connectors/references-connectors/sql => }/sql_packagecharacteristics.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/srconf_5.2.1.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/srrule_5.2.1.webp (100%) rename 
static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-nnn.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-nnn2.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-nny.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-nyn.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-nyy.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-ynn.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-ynn2.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-yny.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/provisioning/resourcetype => }/suggestallcorrelations-yyny.webp (100%) rename static/images/identitymanager/{integration-guide/api => }/swagger.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_dashboard_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_edit_v600.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_examplesab2_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_examplesab3_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => 
}/synchro_examplesab_v522.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_executionjobs-complete_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_executionjobs_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/categorization/classification => }/synchro_resourcetype_v602.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_results_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_schema.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_threshold_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_thresholdlog_v603.webp (100%) rename static/images/identitymanager/{user-guide/set-up/synchronization => }/synchro_thresholdresumed_v602.webp (100%) rename static/images/identitymanager/{integration-guide/executables/references/manage-history => }/tools_managehistory_schema.webp (100%) rename static/images/identitymanager/{integration-guide/network-configuration => }/tree-like-structure.webp (100%) rename static/images/identitymanager/{integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs => }/troubleshoot_synchroprovschema.webp (100%) rename static/images/identitymanager/{user-guide/maintain/troubleshooting => }/troubleshooting_connectorjobs_v603.webp (100%) rename static/images/identitymanager/{user-guide/maintain/troubleshooting => }/troubleshooting_helpdesk_v603.webp (100%) rename static/images/identitymanager/{user-guide/maintain/troubleshooting => }/troubleshooting_userdata_v603.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/user-interface/displayentitytype => }/ui_displaypriorities_changeselection_v521beta.webp (100%) rename 
static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review => }/unauth_reviewunauthorized_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/orphan-unused-account-review => }/unauth_unauthorizedaccounts_v602.webp (100%) rename static/images/identitymanager/{user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review => }/unauth_updateprop_v522.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/business-intelligence/universe => }/universe_columnnamedisplayname.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/business-intelligence/universe => }/universe_columnnameidentifier.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel => }/universe_excluded.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel => }/universe_mixedexample.webp (100%) rename static/images/identitymanager/{integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel => }/universe_notemplateschema.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/existingassignmentsdeduction => }/use_case_1_deduction.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/existingassignmentsdeduction => }/use_case_1_rolemodel.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/existingassignmentsdeduction => }/use_case_1_sync.webp (100%) rename static/images/identitymanager/{integration-guide/identity-management/joiners-movers-leavers/on-offboarding => }/validityperiod.webp (100%) rename static/images/identitymanager/{user-guide/set-up/provisioning-rule-creation/resource-creation => 
}/viewpermissions_v602.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/viewpermissionsadvanced_5.2.1.webp (100%) rename static/images/identitymanager/{integration-guide/role-assignment/how-tos/configureindirectpermissions => }/viewpermissionssimplified_5.2.1.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/create-menu-items => }/workflowinentitylist.webp (100%) rename static/images/identitymanager/{integration-guide/ui/how-tos/create-menu-items => }/workflowinresourceview.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-workflows => }/workflows_homonyms_v601.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-workflows => }/workflows_reviewpermissions_v601.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-workflows => }/workflows_reviewsteps_v601.webp (100%) rename static/images/identitymanager/{user-guide/set-up/configure-workflows => }/workflows_verifyhomonyms_v601.webp (100%) diff --git a/docs/identitymanager/6.1/integration-guide/connectors/references-connectors/scim/index.md b/docs/identitymanager/6.1/integration-guide/connectors/references-connectors/scim/index.md index 2c78f315ba..47ebc5b214 100644 --- a/docs/identitymanager/6.1/integration-guide/connectors/references-connectors/scim/index.md +++ b/docs/identitymanager/6.1/integration-guide/connectors/references-connectors/scim/index.md @@ -100,7 +100,7 @@ To enable the OAuth authentication do the following: **Step 2 –** Go to **Advanced Setup**. -![oauthauthentication](/images/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp) +![oauthauthentication](/images/identitymanager/oauthauthentication.webp) **Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, enable the option to **Allow OAuth Username-Password Flows**. 
diff --git a/docs/identitymanager/6.2/installation-guide/overview/index.md b/docs/identitymanager/6.2/installation-guide/overview/index.md index 5657556554..99b2e27b74 100644 --- a/docs/identitymanager/6.2/installation-guide/overview/index.md +++ b/docs/identitymanager/6.2/installation-guide/overview/index.md @@ -12,7 +12,7 @@ choose the installation setup that fits best your organization's needs. ## Components and Data Flow -![Components & Data Flow](/images/identitymanager/installation-guide/overview/components_data_flow.webp) +![Components & Data Flow](/images/identitymanager/components_data_flow.webp) ### Components @@ -95,7 +95,7 @@ Two scenarios unfold: This approach is useful when managed systems need to run on separate and isolated networks. -![Server & Agents isolated](/images/identitymanager/installation-guide/overview/distribution_1.webp) +![Server & Agents isolated](/images/identitymanager/distribution_1.webp) **2.** The Server and one Agent are installed on the same workstation @@ -104,7 +104,7 @@ process. The hosting workstation would **only host a Identity Manager Server pr integrated agent) and no separate agent needs to be installed. The database could be installed on the same workstation or on a separate one. -![Server & Agent together](/images/identitymanager/installation-guide/overview/distribution_2.webp) +![Server & Agent together](/images/identitymanager/distribution_2.webp) ## Authentication diff --git a/docs/identitymanager/6.2/installation-guide/production-ready/agent/index.md b/docs/identitymanager/6.2/installation-guide/production-ready/agent/index.md index b10212061e..64768723cf 100644 --- a/docs/identitymanager/6.2/installation-guide/production-ready/agent/index.md +++ b/docs/identitymanager/6.2/installation-guide/production-ready/agent/index.md 
@@ -102,7 +102,7 @@ The following is - **Application Pool** > **Identity Manager ``** > **Advanced Settings** > **General** > **.NET CLR Version** > **No Managed Code** -![IIS Settings](/images/identitymanager/installation-guide/production-ready/server/iis_settings.webp) +![IIS Settings](/images/identitymanager/iis_settings.webp) This sums up IIS settings. @@ -246,7 +246,7 @@ would be `IIS APPPOOL/identitymanagerAgent`. **Step 5 –** Select the newly added user name in the Group or user names panel at the top of the window. -![Object Names](/images/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) +![Object Names](/images/identitymanager/enter-the-object-names-to-select.webp) **Step 6 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column for the others. See the[Server](/docs/identitymanager/6.2/installation-guide/requirements/server-requirements/index.md) topic for additional diff --git a/docs/identitymanager/6.2/installation-guide/production-ready/database/index.md b/docs/identitymanager/6.2/installation-guide/production-ready/database/index.md index e569278b98..cf0d11fe07 100644 --- a/docs/identitymanager/6.2/installation-guide/production-ready/database/index.md +++ b/docs/identitymanager/6.2/installation-guide/production-ready/database/index.md @@ -49,7 +49,7 @@ and - Locate the database name dropdown, next to the **Execute** button in the top left section of the screen. -![Execute Query](/images/identitymanager/installation-guide/production-ready/database/execute_query.webp) +![Execute Query](/images/identitymanager/execute_query.webp) - From the dropdown, select the newly created database. - Click **Execute**. diff --git a/docs/identitymanager/6.2/installation-guide/production-ready/server/index.md b/docs/identitymanager/6.2/installation-guide/production-ready/server/index.md index 741fa49be1..59e7ef56fa 100644 
--- a/docs/identitymanager/6.2/installation-guide/production-ready/server/index.md +++ b/docs/identitymanager/6.2/installation-guide/production-ready/server/index.md @@ -79,7 +79,7 @@ The following is mandatory: - **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR Version > `No Managed Code` -![IIS Settings](/images/identitymanager/installation-guide/production-ready/server/iis_settings.webp) +![IIS Settings](/images/identitymanager/iis_settings.webp) An SSL Certificate should also be set to the IIS Server to perform HTTPS communication with end-users. @@ -183,7 +183,7 @@ This guide will show you how to perform these operations using SQL Server Manage the Identity Manager Database with an account member of the **sysadmin** or **securityadmin** server-level role. -![New Login](/images/identitymanager/installation-guide/production-ready/server/newlogin.webp) +![New Login](/images/identitymanager/newlogin.webp) **Step 2 –** Expand the **Security** and **Login** nodes, and look for the Identity Manager service account in the list. @@ -208,7 +208,7 @@ then go to the **Server Roles** page on the left and make sure **public** is che **Step 6 –** Go to **User Mapping**and make sure `Usercube/` is checked (top panel), as well as **db_owner** and **public** (bottom panel). -![Bulk](/images/identitymanager/installation-guide/production-ready/server/bulk.webp) +![Bulk](/images/identitymanager/bulk.webp) **Step 7 –** Right-click the **Server** root node and select **Properties**, and in the **Permissions** tab, select the service account or group name. 
@@ -252,7 +252,7 @@ The Identity Manager Server service account that was chosen previously: **Step 1 –** Click on **Edit** and then on **Add**. - ![Object Names](/images/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + ![Object Names](/images/identitymanager/enter-the-object-names-to-select.webp) **Step 2 –** In the **Enter the object names to select** textbox, enter the service account name in the down-level log on format, such as `CONTOSO/identitymanagerContosoServer`, then click **OK**. diff --git a/docs/identitymanager/6.2/installation-guide/quick-start/index.md b/docs/identitymanager/6.2/installation-guide/quick-start/index.md index 07737ca436..0d56c64cbe 100644 --- a/docs/identitymanager/6.2/installation-guide/quick-start/index.md +++ b/docs/identitymanager/6.2/installation-guide/quick-start/index.md @@ -27,7 +27,7 @@ The installation of Identity Manager requires: [portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) and download the artifacts of the expected version. -![Extranet Artifacts](/images/identitymanager/installation-guide/quick-start/extranet_v601.webp) +![Extranet Artifacts](/images/identitymanager/extranet_v601.webp) **Step 2 –** Extract from SDK the folder Identity Manager Bootstrap anywhere on the computer. @@ -35,7 +35,7 @@ expected version. When extracting Identity Manager Bootstrap to the root of the computer, it looks like: -![Project Directory](/images/identitymanager/installation-guide/quick-start/directory_v602.webp) +![Project Directory](/images/identitymanager/directory_v602.webp) **Step 4 –** Move or copy your certificate inside the Runtime folder. 
@@ -87,7 +87,7 @@ In our example, the command would be, still in the Runtime folder: as a username and the password specified in the Runtime/appsettings.json file, in the Authentication section. -![Authentication Dialog](/images/identitymanager/installation-guide/quick-start/authentication_v601.webp) +![Authentication Dialog](/images/identitymanager/authentication_v601.webp) Now you can start using the application. @@ -96,7 +96,7 @@ Now you can start using the application. From there, you can start setting up Identity Manager via the **Settings** page which is accessible from the **Configuration** section of the home page. -![Home Page - Settings](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) +![Home Page - Settings](/images/identitymanager/home_settings_v523.webp) Then, Netwrix Identity Manager (formerly Usercube) recommends following the user guide to start the configuration of your IGA project from scratch. See the [User Guide](/docs/identitymanager/6.2/user-guide/index.md) diff --git a/docs/identitymanager/6.2/installation-guide/reverse-proxy/index.md b/docs/identitymanager/6.2/installation-guide/reverse-proxy/index.md index 38991d68ee..c80d4d371f 100644 --- a/docs/identitymanager/6.2/installation-guide/reverse-proxy/index.md +++ b/docs/identitymanager/6.2/installation-guide/reverse-proxy/index.md 
@@ -18,19 +18,19 @@ A reverse proxy is usually used when: - needing to encrypt the requests from/to end-users on the one hand, and on the other hand to be able to monitor plain text requests from/to Identity Manager's server; - ![Proxy Purposes: Encryption](/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp) + ![Proxy Purposes: Encryption](/images/identitymanager/proxy_purpose_encryption.webp) - installing Identity Manager with an integrated agent on a network isolated from the users' browsers, in order to be able to access sensitive systems which are protected by being set up on a network isolated from the Internet; - ![Proxy Installation Example](/images/identitymanager/installation-guide/reverse-proxy/proxy_example.webp) + ![Proxy Installation Example](/images/identitymanager/proxy_example.webp) This installation will be used for the configuration examples below. - using several Identity Manager's server instances for load-balancing purposes. - ![Proxy Purposes: Load Balancing](/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp) + ![Proxy Purposes: Load Balancing](/images/identitymanager/proxy_purpose_loadbalancing.webp) As Identity Manager is session-less, working with several servers does not imply the need to synchronize sessions between servers, nor the need to guarantee that a particular IP will be diff --git a/docs/identitymanager/6.2/integration-guide/api/index.md b/docs/identitymanager/6.2/integration-guide/api/index.md index 6fe1f8e00f..3f224655f7 100644 --- a/docs/identitymanager/6.2/integration-guide/api/index.md +++ b/docs/identitymanager/6.2/integration-guide/api/index.md 
@@ -19,7 +19,7 @@ The page `[Usercube application's URL]/swagger` can be used to explore and test This page is built by the [Swagger UI tool](https://swagger.io/tools/swagger-ui/) from the Identity Manager [OpenAPI](https://swagger.io/specification/) definition. -![Usercube server swagger page](/images/identitymanager/integration-guide/api/swagger.webp) +![Usercube server swagger page](/images/identitymanager/swagger.webp) A function can have several versions. This is why the API description is split into several OpenAPI definition files. diff --git a/docs/identitymanager/6.2/integration-guide/api/pagination/index.md b/docs/identitymanager/6.2/integration-guide/api/pagination/index.md index 12170414b2..a6082a2997 100644 --- a/docs/identitymanager/6.2/integration-guide/api/pagination/index.md +++ b/docs/identitymanager/6.2/integration-guide/api/pagination/index.md @@ -11,7 +11,7 @@ PageSize and ContinuationToken parameters. The principle is to call the function with the ContinuationToken obtained from the previous call. -![Pagination sequence diagram](/images/identitymanager/integration-guide/api/pagination/pagination.webp) +![Pagination sequence diagram](/images/identitymanager/pagination.webp) :::note Pagination is optional. If PageSize is not specified, the function will return all items diff --git a/docs/identitymanager/6.2/integration-guide/api/request-postman/index.md b/docs/identitymanager/6.2/integration-guide/api/request-postman/index.md index cd7806d07d..a85a4e3c92 100644 --- a/docs/identitymanager/6.2/integration-guide/api/request-postman/index.md +++ b/docs/identitymanager/6.2/integration-guide/api/request-postman/index.md 
@@ -15,15 +15,15 @@ Get an access token by proceeding as follows: 1. Launch Postman. 2. Create a new request by clicking on **+ New** then **Request**. - ![Postman: New Request](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp) + ![Postman: New Request](/images/identitymanager/postman_newrequest.webp) 3. Fill in the fields and click on **Save to Identity Manager**. - ![Postman: New Request Fields](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp) + ![Postman: New Request Fields](/images/identitymanager/postman_requestfields.webp) 4. Fill in the authentication information as follows: - ![Postman: Authentication](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp) + ![Postman: Authentication](/images/identitymanager/postman_authentication.webp) - **Method**: POST - **URL**: ``/connect/token @@ -35,7 +35,7 @@ Get an access token by proceeding as follows: 5. Click on **Send** and get the access token from the response body. - ![Postman: Access Token](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp) + ![Postman: Access Token](/images/identitymanager/postman_accesstoken.webp) ## Use an Access Token @@ -44,7 +44,7 @@ Use an access token by proceeding as follows: 1. Create a new request in Postman. 2. Fill in the authorization information as follows: - ![Postman: Authorization](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp) + ![Postman: Authorization](/images/identitymanager/postman_authorization.webp) - **Method**: GET - **URL**: ``/``?api-version=1.0 
@@ -54,7 +54,7 @@ Use an access token by proceeding as follows: 3. Click on **Send** and get the result from the response body. - ![Postman: Access Token Result](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) + ![Postman: Access Token Result](/images/identitymanager/postman_accesstokenresult.webp) ## Create a Combined Request @@ -63,7 +63,7 @@ Create a combined request by proceeding as follows: 1. Create a new request in Postman. 2. Fill in the authorization information as follows: - ![Postman: Authorization (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp) + ![Postman: Authorization (Combined Request)](/images/identitymanager/postman_authorizationcombined.webp) - **Method**: GET - **URL**: ``/``?api-version=1.0 @@ -73,7 +73,7 @@ Create a combined request by proceeding as follows: 3. Click on **Get New Access Token** and fill in the fields as follows: - ![Postman: New Access Token Fields (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp) + ![Postman: New Access Token Fields (Combined Request)](/images/identitymanager/postman_newaccesstokencombined.webp) - **Token Name**: `` - **Grant Type**: Client Credentials 
@@ -88,8 +88,8 @@ Create a combined request by proceeding as follows: 4. Click on **Request Token** to get the token. - ![Postman: Get Token (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp) + ![Postman: Get Token (Combined Request)](/images/identitymanager/postman_gettokencombined.webp) 5. Click on **Use Token** and **Send** and get the result from the response body. - ![Postman: Access Token Result (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) + ![Postman: Access Token Result (Combined Request)](/images/identitymanager/postman_accesstokenresult.webp) diff --git a/docs/identitymanager/6.2/integration-guide/architecture/index.md b/docs/identitymanager/6.2/integration-guide/architecture/index.md index 5e2a6ec83a..8b472a8720 100644 --- a/docs/identitymanager/6.2/integration-guide/architecture/index.md +++ b/docs/identitymanager/6.2/integration-guide/architecture/index.md @@ -22,7 +22,7 @@ Agent and server are [ASP.Net](https://docs.microsoft.com/en-us/aspnet/core/) ap on Windows. Identity Manager's database is a [Microsoft SQLServer](https://www.microsoft.com/en-us/sql-server) relational database. -![Architecture](/images/identitymanager/integration-guide/architecture/architecture.webp) +![Architecture](/images/identitymanager/architecture.webp) See the [SaaS Environment](/docs/identitymanager/6.2/integration-guide/architecture/saas/index.md) topic for additional information on Netwrix Identity Manager (formerly Usercube) recommended architecture when working in a SaaS environment. diff --git a/docs/identitymanager/6.2/integration-guide/architecture/on-prem/index.md b/docs/identitymanager/6.2/integration-guide/architecture/on-prem/index.md index de8f2ae670..91a26e9ea7 100644 --- a/docs/identitymanager/6.2/integration-guide/architecture/on-prem/index.md 
+++ b/docs/identitymanager/6.2/integration-guide/architecture/on-prem/index.md @@ -12,7 +12,7 @@ When working in an on-premises environment, Identity Manager needs a specific a Identity Manager recommends the following architecture: -![On-Premises Recommended Architecture](/images/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) +![On-Premises Recommended Architecture](/images/identitymanager/architecture_onprem.webp) Most situations do not need Identity Manager so much that they need a fail-over system, i.e. installing several Identity Manager instances in order to prevent breakdowns. In most situations, a diff --git a/docs/identitymanager/6.2/integration-guide/architecture/protect-agent-server-communication/index.md b/docs/identitymanager/6.2/integration-guide/architecture/protect-agent-server-communication/index.md index eb9ea5f98c..dba82ef1dd 100644 --- a/docs/identitymanager/6.2/integration-guide/architecture/protect-agent-server-communication/index.md +++ b/docs/identitymanager/6.2/integration-guide/architecture/protect-agent-server-communication/index.md @@ -24,7 +24,7 @@ The idea, when sending data from the agent to the server, is the following: 3. the server receives and decrypts the message, before encrypting it again with its own encryption certificate configured by Identity Manager. -![Schema: Agent/Server Communication](/images/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp) +![Schema: Agent/Server Communication](/images/identitymanager/agent-server-communication.webp) ### Configuration details diff --git a/docs/identitymanager/6.2/integration-guide/architecture/saas/index.md b/docs/identitymanager/6.2/integration-guide/architecture/saas/index.md index dfe7e1196b..419a5dc1eb 100644 --- a/docs/identitymanager/6.2/integration-guide/architecture/saas/index.md +++ b/docs/identitymanager/6.2/integration-guide/architecture/saas/index.md 
@@ -12,7 +12,7 @@ When working in a SaaS environment, Identity Manager needs a specific architect Identity Manager recommends the following architecture: -![SaaS Recommended Architecture](/images/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) +![SaaS Recommended Architecture](/images/identitymanager/architecture_saas.webp) ### Agent(s) diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/azuread-register/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/azuread-register/index.md index 4281fc0b0d..d3b9c95f07 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/azuread-register/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/azuread-register/index.md @@ -26,7 +26,7 @@ follows: 4. Go to **App Registrations** in the left panel. 5. Click the **+ New Registration** button in the top menu. - ![Azure AD Export - Add New Registration](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp) + ![Azure AD Export - Add New Registration](/images/identitymanager/howtos_azuread_exportregistration.webp) A new registration form is displayed: @@ -74,7 +74,7 @@ follows: Manager Agent. The same page also displays the **Directory (tenant) ID** that will also be needed by the Identity Manager Agent. - ![Azure AD Export - New ApplicationId](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp) + ![Azure AD Export - New ApplicationId](/images/identitymanager/howtos_azuread_exportapplicationid.webp) ### Get the application's secret key 
@@ -91,7 +91,7 @@ A **Client Secret** key needs to be generated. Get it by proceeding as follows: The Client Secret is now listed in the bottom panel **Client Secrets**. The Client Secret value is needed by the Identity Manager Agent settings file. - ![Azure AD Export - New Client Secret](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp) + ![Azure AD Export - New Client Secret](/images/identitymanager/howtos_azuread_exportsecret.webp) The **Client Secret** value is only displayed in the UI in plain text at first. After a while, it is only displayed as `**************`. It should hence be stored in the @@ -108,7 +108,7 @@ Grant Identity Manager directory permissions by proceeding as follows: 3. Go to **API Permissions** in the left panel. 4. Click on the **+ Add a permission** button. - ![Azure AD Export - Add Permission](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp) + ![Azure AD Export - Add Permission](/images/identitymanager/howtos_azuread_exportpermissions.webp) 5. Go to **Microsoft graph** > **Application permissions**. 6. Search and open the **Directory** category. @@ -117,7 +117,7 @@ Grant Identity Manager directory permissions by proceeding as follows: If you plan on configuring fulfillment too, you must only check the **Directory.ReadWrite.All** permission. - ![Azure AD Export - Directory Permission](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp) + ![Azure AD Export - Directory Permission](/images/identitymanager/howtos_azuread_exportdirectorypermission.webp) 8. Confirm with the **Add permissions** button at the bottom of the page. 
@@ -126,6 +126,6 @@ Grant Identity Manager directory permissions by proceeding as follows: 9. Grant admin consent by clicking on **√ Grant admin consent for** name of the organization. - ![Azure AD Export - Grant Admin Consent](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp) + ![Azure AD Export - Grant Admin Consent](/images/identitymanager/howtos_azuread_exportadminconsent.webp) You should now see the status displayed as **√ Granted for** name of the organization. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/configure-secured-options/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/configure-secured-options/index.md index fe8a57c290..fcfeae19e9 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/configure-secured-options/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/configure-secured-options/index.md 
@@ -26,38 +26,38 @@ Configure a secured option by proceeding as follows: - for a simple field: - ![AD creation](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp) + ![AD creation](/images/identitymanager/securedoptions_adlogin_v603.webp) - for multiple key-value fields: - ![SQL connection string](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp) + ![SQL connection string](/images/identitymanager/securedoptions_keyvalue_v603.webp) Contrary to simple fields, multiple-key-value secured options are not restricted to a given property. They are arbitrary and can be set to anything. 2. Fill the field(s) and, if needed, click on the eye icon to make the content visible. - ![Eye Icon](/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + ![Eye Icon](/images/identitymanager/iconeye_v600.svg) > For example, for a simple field in an AD connection, the **Login** and **Password** are by > default hidden with ??????: > - > ![Login Secured Options Hidden](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp) + > ![Login Secured Options Hidden](/images/identitymanager/securedoptions_adexample_v603.webp) > - > ![Login Secured Options Revealed](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp) + > ![Login Secured Options Revealed](/images/identitymanager/securedoptions_adexamplevisible_v603.webp) > For example, for multiple key-value fields in an SQL connection, some elements of the > connection string might be sensitive and need to be hidden: > - > ![SQL connection string](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp) + > ![SQL connection 
string](/images/identitymanager/securedoptions_sqlexample1_v603.webp) > > In this example, the database name and the minimal pool size are secured options: > - > ![SQL Secured option filled](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp) + > ![SQL Secured option filled](/images/identitymanager/securedoptions_sqlexample2_v603.webp) > Another example of multiple key-value fields in a Powershell connection: > - > ![Powershell Secured option hidden](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp) + > ![Powershell Secured option hidden](/images/identitymanager/securedoptions_powershellexample_v603.webp) 3. Once saved, any secured option's value can no longer be seen. However, it can still be modified by deleting the value and re-specifying it. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/connections/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/connections/index.md index ad2f7a4e18..d53abf5bad 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/connections/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/connections/index.md @@ -46,7 +46,7 @@ systems. A connection table is used in the definition of an entity type as `Source`, while the available columns of the selected table are used for the mapping as `Source Columns`. -![connectiontables_ui_v60](/images/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp) +![connectiontables_ui_v60](/images/identitymanager/connectiontables_ui_v60.webp) ## Refresh Schema 
@@ -59,23 +59,23 @@ Identity Manager refreshes a connection's schema: - when clicking on **Refresh Schema** on the connection's page: only the schema of the current connection is refreshed; - ![Refresh Schema of One Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + ![Refresh Schema of One Connection](/images/identitymanager/connectioncreation_refreshschema_v522.webp) - when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are refreshed. - ![Refresh all Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + ![Refresh all Schemas](/images/identitymanager/connectioncreation_refreshall_v602.webp) In the **Connections** frame, either the last successful schema update is indicated or an icon is shown if the refresh schema failed. -![Failed Refresh Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) +![Failed Refresh Schemas](/images/identitymanager/connectioncreation_failedindicator_v602.webp) Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't displayed on the connection's page. On the connector's page, a connection without schema is indicated by the sentence "There is no schema for this connection". -![No Schema](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) +![No Schema](/images/identitymanager/connectioncreation_noschema_v522.webp) The connections' schemas must be refreshed before editing the connector's entity types via the UI, whether the connections were created via the UI or XML configuration. Otherwise, there will be no 
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/entra-ID/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/entra-ID/index.md index 431f061e5f..bfa4aa826b 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/entra-ID/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/entra-ID/index.md @@ -284,7 +284,7 @@ This is how the connectors are displayed on the UI. Each connector should be configured with a menu item, which is created automatically when working via the UI. -![Menu Item - Azure AD Connector](/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_menuitem_v603.webp) +![Menu Item - Azure AD Connector](/images/identitymanager/howtos_azure_menuitem_v603.webp) In XML, it should look like this: @@ -316,7 +316,7 @@ Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml ``` -![Navigation Properties - Azure AD Connector](/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_navproperties_v603.webp) +![Navigation Properties - Azure AD Connector](/images/identitymanager/howtos_azure_navproperties_v603.webp) Microsoft Entra ID's resources are listed in a table. @@ -335,7 +335,7 @@ Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml ``` -![Display Table - Azure AD Connector](/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_table_v603.webp) +![Display Table - Azure AD Connector](/images/identitymanager/howtos_azure_table_v603.webp) This is how the resources are displayed on the UI. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/index.md index 6f0b171f0e..a37fbf6e75 100644 
--- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/create-connector/index.md @@ -90,7 +90,7 @@ An association mapping is the equivalent of an entity type mapping, but for the Identity Manager provides a menu item to list all connectors in the dashboard's left menu. -![Menu Item - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) +![Menu Item - Connectors](/images/identitymanager/home_entitytypes_v602.webp) > It is usually written like this: > diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-banking/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-banking/index.md index fe5049a177..35a0d9516b 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-banking/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-banking/index.md 
@@ -17,14 +17,14 @@ Banking application contains: - A list of users, accessible by clicking on **Users** at the top of the page. It is possible to add a user by clicking on **Create New User** - ![Users list](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp) + ![Users list](/images/identitymanager/demoapps_banking_userslist.webp) - A list of groups, accessible by clicking on **Groups** at the top of the page. Clicking on **Details** on a group shows the users belonging to that group - A user's details page for each user, accessible by clicking on **Details** on a user in the users list - ![User details](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp) + ![User details](/images/identitymanager/demoapps_banking_userdetails.webp) The most interesting part of the Banking application is a user's page. On a user's page, it is possible to: diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-hr/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-hr/index.md index 72a6c0b7ef..8990e8bc9c 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-hr/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/demoapp-hr/index.md 
@@ -13,12 +13,12 @@ This guide shows how to set up and run the HR demo application. The HR application is a demo application that represents a web based external system. The HR application contains an employee list. -![Users list](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp) +![Users list](/images/identitymanager/demoapps_hr_userslist.webp) Each employee also has their own page, with the possibility to edit their profile or delete them. It is also possible to add a new employee. -![User details](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp) +![User details](/images/identitymanager/demoapps_hr_userdetails.webp) The HR application uses csv files as data sources. When a user is added, deleted, or edited, the csv file will be modified, and the changes will be saved. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-gui-robotframework/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-gui-robotframework/index.md index 2fff3417ed..03fda62d78 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-gui-robotframework/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-gui-robotframework/index.md 
@@ -51,13 +51,13 @@ through the elements. However, the easiest way is to use the Hover Mode, which i tool bar by clicking on **Mode** > **Hover Mode (use Ctrl)**. To see the XPath, click on **Mode** > **Show XPath**. -![Show XPath](/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp) +![Show XPath](/images/identitymanager/robotframeworkflaui_flauishowxpath.webp) To see the XPath of an element, hover over the element, and press control. A red box should appear around the element, and the FlaUI inspection tool should show the element's information. The XPath should be at the bottom left of the FlaUI element. -![Highlight Element](/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp) +![Highlight Element](/images/identitymanager/robotframeworkflaui_flauixpathexample.webp) As an example, imagine an application showing a list of files and folders. Targeting a specific file would produce an XPath in the shape of `/Window/Pane[3]/Pane/Pane[2]/List/Group[1]/ListItem[1]`. The diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-web-page-robotframework/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-web-page-robotframework/index.md index 726185d047..eb1712b600 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-web-page-robotframework/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/interact-web-page-robotframework/index.md 
@@ -53,7 +53,7 @@ which can be opened by pressing the F12 key on most browsers. For Selenium, we w information on specific parts of the page. Inspecting an element can be done by right clicking the element, and clicking **Inspect**. -![Inspect Tool](/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp) +![Inspect Tool](/images/identitymanager/robotframeworkselenium_inspecttool.webp) Suppose the goal of the script is to copy the content of the code block, and paste it to a file, to ensure that the file is up to date with the documentation. To do this, the Robot Framework has to @@ -77,7 +77,7 @@ Each element on the web page has an XPath, and each XPath uniquely identifies an that we can always use an XPath locator. To get the XPath of an element, inspect the element, then right click it in the HTML, and click on **Copy** > **Full XPath**. -![Copy Full XPath](/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp) +![Copy Full XPath](/images/identitymanager/robotframeworkselenium_copyfullxpath.webp) For the `copy to clipboard` button, the XPath is `/html/body/section/div[2]/div[3]/div[1]/pre[4]/span`. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/powershell-fulfill/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/powershell-fulfill/index.md index d6d7578422..3d3077d1de 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/powershell-fulfill/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/powershell-fulfill/index.md 
@@ -388,7 +388,7 @@ This example adds a new menu item under the `Nav_Connectors` menu item declared `Conf/Nav.xml` file. This new menu item gives access to the list of synchronized Microsoft Exchange entities. -![Microsoft Exchange Menu Items](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) +![Microsoft Exchange Menu Items](/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp) ### Configuration @@ -433,7 +433,7 @@ Conf/MicrosoftExchange/MicrosoftExchange UI.xml This example configures the following display for [wolfgang.abendroth@acme.com](mailto:wolfgang.abendroth@acme.com). -![Microsoft Exchange Display Entity Type](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) +![Microsoft Exchange Display Entity Type](/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) The scalar properties require no configuration: they are automatically displayed. The only information that the @@ -462,7 +462,7 @@ Conf/MicrosoftExchange/MicrosoftExchange UI.xml This example configures the following list display: -![Microsoft Exchange Display Table](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) +![Microsoft Exchange Display Table](/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp) #### Internal Display Name 
@@ -611,7 +611,7 @@ existing mailbox, the Active Directory part can be skipped. The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name input in the Job's **DisplayName_Li** attribute. -![Microsoft Exchange Jobs](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp) +![Microsoft Exchange Jobs](/images/identitymanager/microsoftexchange_jobs_5.1.7.webp) From there, the Synchronization job can be launched and debugged (if needed). @@ -620,8 +620,8 @@ the SQL Server database. The results can also be viewed on the UI: -![Microsoft Exchange Menu Items](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) +![Microsoft Exchange Menu Items](/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp) -![Microsoft Exchange Display Entity Type](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) +![Microsoft Exchange Display Entity Type](/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) -![Microsoft Exchange Display Table](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) +![Microsoft Exchange Display Table](/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp) diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/scim-cyberark-export/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/scim-cyberark-export/index.md index d511ddf5cd..4f14ec5b70 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/scim-cyberark-export/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/scim-cyberark-export/index.md 
@@ -545,7 +545,7 @@ It is strongly recommended to use a new ```CyberArk Nav.xml``` file in the ```SC Adds a new menu item under the `Nav_Connectors` menu item declared in the root `Nav.xml` file. This new menu item gives access to the list of synchronized CyberArk SCIM objects. -![SCIM CyberArk Menu Items](/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_menu_item_5.1.6.webp) +![SCIM CyberArk Menu Items](/images/identitymanager/scim_cyberark_export_menu_item_5.1.6.webp) ### Configuration @@ -573,7 +573,7 @@ describes how a single resource should be displayed. This configuration configures that display for [christian.adam@acme.com](mailto:christian.adam@acme.com): -![SCIM CyberArk Display Entity Type](/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_entity_type_5.1.6.webp) +![SCIM CyberArk Display Entity Type](/images/identitymanager/scim_cyberark_export_display_entity_type_5.1.6.webp) The scalar properties don't need to be configured: they are automatically displayed. The only information that the [Display Entity Type](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. @@ -595,7 +595,7 @@ The [Display Table](/docs/identitymanager/6.2/integration-guide/toolkit/xml-conf configures the following list display: -![SCIM CyberArk Display Table](/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_table_5.1.6.webp) +![SCIM CyberArk Display Table](/images/identitymanager/scim_cyberark_export_display_table_5.1.6.webp) #### Internal display name 
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/sharepoint-export/index.md b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/sharepoint-export/index.md index 702ccb21d6..a30f97e670 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/sharepoint-export/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/configuration-details/sharepoint-export/index.md @@ -27,7 +27,7 @@ SharePoint sites. It includes the following substeps: - Click on the **Add members** button. - Enter the name of the Identity Manager service account or its email address. -![SharePoint Export Add Member](/images/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_add_member.webp) +![SharePoint Export Add Member](/images/identitymanager/sharepoint_export_add_member.webp) The service account is now a member of the site. However, to scan the site, the service account needs to be owner of the site. @@ -36,7 +36,7 @@ needs to be owner of the site. - Under the name of the Identity Manager service account, click on the arrow. - Choose **Owner**. -![SharePoint Export Role Owner](/images/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_role_owner.webp) +![SharePoint Export Role Owner](/images/identitymanager/sharepoint_export_role_owner.webp) ### Configuration diff --git a/docs/identitymanager/6.2/integration-guide/connectors/entitypropertymapping-format/index.md b/docs/identitymanager/6.2/integration-guide/connectors/entitypropertymapping-format/index.md index f513b6ebe6..6b02def903 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/entitypropertymapping-format/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/entitypropertymapping-format/index.md 
@@ -53,7 +53,7 @@ single-bit "sub-properties", not both. > For example, we choose to create a property `bit_userAccountControl_2` to represent the second bit > of `userAccountControl`. > -> ![New Property for Bit Provisioning](/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp) +> ![New Property for Bit Provisioning](/images/identitymanager/bitprov_property_v603.webp) > > XML configuration looks like the following: > @@ -154,4 +154,4 @@ This allows the export of the attribute `u_startdate` as a date in Identity Mana The fulfillment will use the same format defined in the EntityTypeMapping through the **Binding** declared in the ResourceType. -![Export and Fulfill Data transformation](/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) +![Export and Fulfill Data transformation](/images/identitymanager/entitypropertymapping-format-flowchart.webp) diff --git a/docs/identitymanager/6.2/integration-guide/connectors/index.md b/docs/identitymanager/6.2/integration-guide/connectors/index.md index e9893ff89e..807530fe50 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/index.md @@ -23,7 +23,7 @@ ServiceNow, EasyVista, SAP, SharePoint, etc. A connector, therefore, acts as an interface between Identity Manager and a managed system. -![Connector Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) +![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp) Netwrix Identity Manager (formerly Usercube)strongly recommends the creation of one connector for each application. 
@@ -40,7 +40,7 @@ each application. In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity Manager will feed data into connected managed systems. -![Outbound System=](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) +![Outbound System=](/images/identitymanager/connectorcreation_outbound.webp) In this case, data flows between Identity Manager and the managed system are also called: @@ -121,7 +121,7 @@ Identity Manager's connectors all operate on the same basic principles. Technica > `AD User (administration)` for sensitive administration accounts, which we want to provision > manually through Identity Manager. -![Connector Technical Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) +![Connector Technical Schema](/images/identitymanager/connectorcreation_connectortechnicalschema.webp) A connector requires at least one connection and one entity type. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/activedirectory/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/activedirectory/index.md index c1d2dcc940..c5c2d2edce 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/activedirectory/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/activedirectory/index.md @@ -13,7 +13,7 @@ instance. This page is about Directory/Active Directory. See the Active Directory topic for additional information. -![Package: Directory/Active Directory](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp) +![Package: Directory/Active Directory](/images/identitymanager/packages_ad_v603.webp) ## Overview 
@@ -44,25 +44,25 @@ To enable permissions, the Active Directory administrator must do the following: **Step 1 –** Check the **View** details in the Active Directory and Computers. -![Enable Permissions - Step 1](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp) +![Enable Permissions - Step 1](/images/identitymanager/references_connectors_activedirectory_01.webp) **Step 2 –** Open the **Advanced Security Settings** dialog box for the domain root. -![Enable Permissions - Step 2](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp) +![Enable Permissions - Step 2](/images/identitymanager/references_connectors_activedirectory_02.webp) **Step 3 –** Select the **Replicating Directory Changes** check box from the list. -![Enable Permissions - Step 3](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp) +![Enable Permissions - Step 3](/images/identitymanager/references_connectors_activedirectory_03.webp) **Step 4 –** To change groups' membership, in the Applies field, select Descendent Group object and select the **Read Members** and **Write Members** check boxes from the list. -![Read/Write Members](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp) +![Read/Write Members](/images/identitymanager/references_connectors_activedirectory_04.webp) **Step 5 –** To Reset Password capabilities, in the Applies field, select Descendent User object and select the **Read lockoutTime** and **Write lockoutTime** check boxes from the list. 
-![Read/Write Lockout Times](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp) +![Read/Write Lockout Times](/images/identitymanager/references_connectors_activedirectory_05.webp) Administrator rights must not be granted to the service account. Doing otherwise would create a security breach. Administrator rights must only be granted to the target perimeter. diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/azure/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/azure/index.md index 454a4c0c20..d13ac4b128 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/azure/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/azure/index.md @@ -12,7 +12,7 @@ resources, role definitions and assignments. This page is about [Azure](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/azure/index.md). -![Package: Cloud/Azure](/images/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp) +![Package: Cloud/Azure](/images/identitymanager/packages_azure_v603.webp) ## Prerequisites diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/csv/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/csv/index.md index d33be46817..c9e67cd594 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/csv/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/csv/index.md 
@@ -10,7 +10,7 @@ This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comm This page is about [CSV](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/csv/index.md). -![Package: File/CSV](/images/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) +![Package: File/CSV](/images/identitymanager/packages_csv_v603.webp) ## Overview @@ -92,7 +92,7 @@ This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comm This page is about [CSV](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/csv/index.md). -![Package: File/CSV](/images/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) +![Package: File/CSV](/images/identitymanager/packages_csv_v603.webp) ## Overview diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvista/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvista/index.md index 5725e7f5b0..9ff8893ad5 100644 --- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvista/index.md +++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvista/index.md @@ -11,7 +11,7 @@ This connector exports and fulfills users from/to an This page is about EasyVista . -![Package: ITSM/EasyVista](/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp) +![Package: ITSM/EasyVista](/images/identitymanager/packages_easyvista_v603.webp) ## Overview 
@@ -96,7 +96,7 @@ entities. | Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | | | | | --- | --- |
-| ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. **Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp) |
+| ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. **Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/images/identitymanager/easyvista_view_v523.webp) |
 ### Output details
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvistaticket/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvistaticket/index.md
index 2193acfcd3..0e99e9b600 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvistaticket/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/easyvistaticket/index.md
@@ -12,7 +12,7 @@ provisioning. This page is about [EasyVista Ticket](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/easyvistaticket/index.md).
-![Package: Ticket/EasyVista](/images/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp)
+![Package: Ticket/EasyVista](/images/identitymanager/packages_easyvistaticket_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/excel/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/excel/index.md
index fcdb21259c..891cb9214c 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/excel/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/excel/index.md
@@ -11,7 +11,7 @@ This connector exports datasheets from a This page is about [Excel](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/excel/index.md).
-![Package: File/Microsoft Excel](/images/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp)
+![Package: File/Microsoft Excel](/images/identitymanager/packages_excel_v603.webp)
 ## Overview
@@ -99,7 +99,7 @@ This connector exports datasheets from a This page is about [Excel](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/excel/index.md).
-![Package: File/Microsoft Excel](/images/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp)
+![Package: File/Microsoft Excel](/images/identitymanager/packages_excel_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/googleworkspace/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/googleworkspace/index.md
index 16f6ad5f30..2718008676 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/googleworkspace/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/googleworkspace/index.md
@@ -11,7 +11,7 @@ This connector exports and fulfills users and groups from/to a This page is about [Google Workspace](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/googleworkspace/index.md).
-![Package: Directory/Google Workspace](/images/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp)
+![Package: Directory/Google Workspace](/images/identitymanager/packages_workspace_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/homefolder/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/homefolder/index.md
index df6fe9f7ee..3a562898a5 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/homefolder/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/homefolder/index.md
@@ -10,7 +10,7 @@ This connector exports [home folders](https://en.wikipedia.org/wiki/Home_directo This page is about [Home Folders](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/home-folders/index.md).
-![Package: Storage/Home Folders](/images/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp)
+![Package: Storage/Home Folders](/images/identitymanager/packages_homefolders_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalresources/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalresources/index.md
index ff63e55d69..d7bb837dd4 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalresources/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalresources/index.md
@@ -17,9 +17,9 @@ See the [Manual Ticket](/docs/identitymanager/6.2/integration-guide/connectors/r [Manual Ticket and CUD Resources](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) topics for additional information.
-![Package: Ticket/identitymanager](/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp)
+![Package: Ticket/identitymanager](/images/identitymanager/packages_identitymanagerticket_v603.webp)
-![Package: Ticket/identitymanager And Create/Update/Delete resources](/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp)
+![Package: Ticket/identitymanager And Create/Update/Delete resources](/images/identitymanager/packages_identitymanagerticketcud_v603.webp)
 See the [Provision Manually](/docs/identitymanager/6.2/user-guide/administrate/provisioning/manual-provisioning/index.md)
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalworkflow/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalworkflow/index.md
index 3ec39f1fae..645321d5a9 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalworkflow/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/internalworkflow/index.md
@@ -11,7 +11,7 @@ This connector triggers workflows in Identity Manager for a system's provisioni This page is about Identity Manager Internal Workflow. See the [Workflow](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/workflow/index.md) topic for additional information.
-![Package: Usercube/Workflow](/images/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp)
+![Package: Usercube/Workflow](/images/identitymanager/packages_workflow_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/json/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/json/index.md
index 0f09265f72..3be8f85228 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/json/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/json/index.md
@@ -11,6 +11,6 @@ order. **This page is about [JSON](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/json/index.md)**
-![Package: Custom/JSON](/images/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp)
+![Package: Custom/JSON](/images/identitymanager/packages_json_v603.webp)
 The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldap/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldap/index.md
index 9054e2ad40..d4eb13c90f 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldap/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldap/index.md
@@ -15,13 +15,13 @@ This page is about: - [Apache Directory](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/apache-directory/index.md); - [Red Hat Directory Server](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/red-hat-directory-server/index.md).
-![Package: Directory/Generic LDAP](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp)
+![Package: Directory/Generic LDAP](/images/identitymanager/packages_ldapgeneric_v603.webp)
-![Package: Directory/Oracle LDAP](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp)
+![Package: Directory/Oracle LDAP](/images/identitymanager/packages_ldaporacle_v603.webp)
-![Package: Directory/Apache Directory](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp)
+![Package: Directory/Apache Directory](/images/identitymanager/packages_ldapapache_v603.webp)
-![Package: Directory/Red Hat Directory Server](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp)
+![Package: Directory/Red Hat Directory Server](/images/identitymanager/packages_ldapredhat_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldif/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldif/index.md
index 549b1613e9..d79a3c7b12 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldif/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/ldif/index.md
@@ -11,7 +11,7 @@ This connector exports entries from an This page is about [LDIF](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/ldif/index.md).
-![Package: Directory/LDIF](/images/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp)
+![Package: Directory/LDIF](/images/identitymanager/packages_ldif_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftentraid/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftentraid/index.md
index 7b46bbeb22..82e85cb457 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftentraid/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftentraid/index.md
@@ -13,7 +13,7 @@ This connector exports and fulfills user and groups from/to a See the[Microsoft Entra ID](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/azure-active-directory/index.md)topic for additional information.
-![Package: Directory/Microsoft Entra ID](/images/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/packages_azuread_v603.webp)
+![Package: Directory/Microsoft Entra ID](/images/identitymanager/packages_azuread_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftexchange/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftexchange/index.md
index ff320465f8..35381681ba 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftexchange/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/microsoftexchange/index.md
@@ -12,7 +12,7 @@ instance. This page is about [Microsoft Exchange](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/microsoft-exchange/index.md).
-![Package: Server/Microsoft Exchange](/images/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp)
+![Package: Server/Microsoft Exchange](/images/identitymanager/packages_exchange_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/odata/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/odata/index.md
index d0f89860e1..1e985a7e99 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/odata/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/odata/index.md
@@ -10,7 +10,7 @@ This connector exports and fulfills data from/to an [OData](https://www.odata.or This page is about [OData](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/odata/index.md).
-![Package: Custom/OData](/images/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp)
+![Package: Custom/OData](/images/identitymanager/packages_odata_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/okta/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/okta/index.md
index 1597870689..28081190e7 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/okta/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/okta/index.md
@@ -8,7 +8,7 @@ sidebar_position: 170 This connector exports and fulfills entries from/to Okta application.
-![okta](/images/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp)
+![okta](/images/identitymanager/okta.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/openldap/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/openldap/index.md
index 9b7d1d68ea..70c0fdd54e 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/openldap/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/openldap/index.md
@@ -11,7 +11,7 @@ directory. This page is about [OData](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/odata/index.md).
-![Package: Directory/Open LDAP](/images/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp)
+![Package: Directory/Open LDAP](/images/identitymanager/packages_ldapopen_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellprov/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellprov/index.md
index d9d111e659..9fceb069d4 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellprov/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellprov/index.md
@@ -11,7 +11,7 @@ This connector writes to an external system via a This page is about [PowerShellProv](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/powershellprov/index.md).
-![Package: Custom/PowerShellProv](/images/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp)
+![Package: Custom/PowerShellProv](/images/identitymanager/packages_powershellprov_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellsync/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellsync/index.md
index 1dfce6e08b..d4d012ba7f 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellsync/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/powershellsync/index.md
@@ -11,7 +11,7 @@ This connector exports data from an external system via a This page is about [PowerShellSync](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/powershellsync/index.md).
-![Package: Custom/PowerShellSync](/images/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp)
+![Package: Custom/PowerShellSync](/images/identitymanager/packages_powershellsync_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/racf/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/racf/index.md
index 341c6ecefd..76e928db66 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/racf/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/racf/index.md
@@ -11,7 +11,7 @@ This connector exports users and profiles from a This page is about [RACF](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/racf/index.md).
-![Package: MainFrame/RACF](/images/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp)
+![Package: MainFrame/RACF](/images/identitymanager/packages_racf_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/robotframework/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/robotframework/index.md
index f05c4e77ba..2412130c58 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/robotframework/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/robotframework/index.md
@@ -11,7 +11,7 @@ script. **This page is about [Robot Framework](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/robot-framework/index.md)**
-![Package: Custom/Robot Framework](/images/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp)
+![Package: Custom/Robot Framework](/images/identitymanager/packages_robot_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/saperp6/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/saperp6/index.md
index e7cceaef12..fde79be8ef 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/saperp6/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/saperp6/index.md
@@ -12,7 +12,7 @@ This connector exports and fulfills users and roles from/to an This page is about ERP/SAP ERP 6.0.
-![Package: ERP/SAP ERP 6.0](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp)
+![Package: ERP/SAP ERP 6.0](/images/identitymanager/packages_saperp6_v603.webp)
 ## Overview
@@ -95,12 +95,12 @@ To set up the prerequisites for reading follow the steps below. **Step 1 –** Copy the DLL `Sap.Data.Hana.Core.v2.1.dll` into the Runtime of Identity Manager.
-![connectorreadprerequisites1](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp)
+![connectorreadprerequisites1](/images/identitymanager/connectorreadprerequisites1.webp)
 **Step 2 –** Unzip the “hdbclient.zip” archive to C: drive and add the path to the Path environment variables.
-![connectorreadprerequisites2](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp)
+![connectorreadprerequisites2](/images/identitymanager/connectorreadprerequisites2.webp)
 **Step 3 –** Create environment variables: `HDBADOTNET=C:\hdbclient\ado.net` and `HDBADOTNETCORE=C:\hdbclient\dotnetcore`.
@@ -119,11 +119,11 @@ Make sure the Read prerequisites are configured first. **Step 3 –** Copy the DLLs icudt50.dll, `icuin50.dll` and icuuc50.dll into the Runtime of Identity Manager.
-![connectorwriteprerequisites](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp)
+![connectorwriteprerequisites](/images/identitymanager/connectorwriteprerequisites.webp)
 **Step 4 –** Disable DLLs search by adding the environment variable `NLSUI_7BIT_FALLBACK=YES`.
-![connectorwriteprerequisites2](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp)
+![connectorwriteprerequisites2](/images/identitymanager/connectorwriteprerequisites2.webp)
 **Step 5 –** Add new environment variable `USERCUBE_DOTNET32` containing the path to dotnetx86 (e.g.: `C: \donetx86\dotnet.exe`).
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sapnetweaver/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sapnetweaver/index.md
index a31a95ba78..d13e94c367 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sapnetweaver/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sapnetweaver/index.md
@@ -12,7 +12,7 @@ instance. This page is about [SAP S/4 HANA](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/saphana/index.md).
-![Package: ERP/SAP S/4 HANA](/images/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/packages_sap_v603.webp)
+![Package: ERP/SAP S/4 HANA](/images/identitymanager/packages_sap_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/scim/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/scim/index.md
index d31b65a462..82e3462ca1 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/scim/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/scim/index.md
@@ -16,13 +16,13 @@ This page is about: - Messaging/Slack - PAM/CyberArk
-![Package: Custom/SCIM](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp)
+![Package: Custom/SCIM](/images/identitymanager/packages_scim_v603.webp)
-![Package: CRM/Salesforce](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp)
+![Package: CRM/Salesforce](/images/identitymanager/packages_salesforce_v603.webp)
-![Package: Messaging/Slack](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp)
+![Package: Messaging/Slack](/images/identitymanager/packages_slack_v603.webp)
-![Package: PAM/CyberArk](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp)
+![Package: PAM/CyberArk](/images/identitymanager/packages_cyberark_v603.webp)
 ## Overview
@@ -62,15 +62,15 @@ To connect to the Salesforce application do the following: **Step 1 –** Log into Salesforce using an admin account.
-![salesforce-advancesetup](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp)
+![salesforce-advancesetup](/images/identitymanager/salesforce-advancesetup.webp)
 **Step 2 –** Go to **Advanced Setup**.
-![salesforce-newconnectedapp](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp)
+![salesforce-newconnectedapp](/images/identitymanager/salesforce-newconnectedapp.webp)
 **Step 3 –** Go to **App Manager** and **Create a Connected App**.
-![salesforce-enableoauth](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp)
+![salesforce-enableoauth](/images/identitymanager/salesforce-enableoauth.webp)
 **Step 4 –** Fill in the details of the application: Application Name, API Name, Contact Email, select **Enable OAuth Settings**, and complete the mandatory information as callback URL and OAuth
@@ -78,15 +78,15 @@ Scopes. **Step 5 –** Save the Application.
-![salesforce-manageconnectedapps](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp)
+![salesforce-manageconnectedapps](/images/identitymanager/salesforce-manageconnectedapps.webp)
 **Step 6 –** Go to **Manage Connected Apps** and click on the newly created application.
-![salesforce-manageconsumerdetails](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp)
+![salesforce-manageconsumerdetails](/images/identitymanager/salesforce-manageconsumerdetails.webp)
 **Step 7 –** Click on **Manage Consumer Details**.
-![salesforce-consumerkey](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp)
+![salesforce-consumerkey](/images/identitymanager/salesforce-consumerkey.webp)
 **Step 8 –** Copy the Consumer Key and Consumer Secret in your Keypass.
@@ -96,11 +96,11 @@ To enable the OAuth authentication do the following: **Step 1 –** Log into Salesforce using an admin account.
-![salesforce-advancesetup](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp)
+![salesforce-advancesetup](/images/identitymanager/salesforce-advancesetup.webp)
 **Step 2 –** Go to **Advanced Setup**.
-![oauthauthentication](/images/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp)
+![oauthauthentication](/images/identitymanager/oauthauthentication.webp)
 **Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, enable the option to **Allow OAuth Username-Password Flows**.
@@ -111,15 +111,15 @@ To reset the user token do the following: **Step 1 –** Log into Salesforce using an admin account.
-![salesforce-usertoken-settings](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp)
+![salesforce-usertoken-settings](/images/identitymanager/salesforce-usertoken-settings.webp)
 **Step 2 –** Click on **Settings** under the profile details.
-![salesforce-resetseuritytoken](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp)
+![salesforce-resetseuritytoken](/images/identitymanager/salesforce-resetseuritytoken.webp)
 **Step 3 –** Click on **Reset My Security Token**.
-![salesforce-checkemail](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp)
+![salesforce-checkemail](/images/identitymanager/salesforce-checkemail.webp)
 **Step 4 –** An email containing the new token will be sent.
@@ -129,15 +129,15 @@ To configure the Salesforce connection do the following: **Step 1 –** Log into Identity Manager using an admin account.
-![salesforce-connector](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp)
+![salesforce-connector](/images/identitymanager/salesforce-connector.webp)
 **Step 2 –** Create a new Salesforce connector.
-![salesforce-connection](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp)
+![salesforce-connection](/images/identitymanager/salesforce-connection.webp)
 **Step 3 –** Add a new Salesforce connection.
-![salesforce-agent-settings](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp)
+![salesforce-agent-settings](/images/identitymanager/salesforce-agent-settings.webp)
 **Step 4 –** Fill the fields in the **Connection Settings** and choose the **Filter**.
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md
index d7b5d09d22..05e3cfdcd7 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md
@@ -11,7 +11,7 @@ This connector exports and fulfills any data, including users and roles, from/to This page is about [ServiceNow](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/servicenow/index.md).
-![Package: ITSM/ServiceNow](/images/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp)
+![Package: ITSM/ServiceNow](/images/identitymanager/packages_servicenow_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowticket/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowticket/index.md
index c7bcc2f167..22ee94e54c 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowticket/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/servicenowticket/index.md
@@ -10,7 +10,7 @@ This connector opens tickets in [ServiceNow](https://www.servicenow.com/) for ma This page is about [ServiceNow Ticket](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/servicenow-ticket/index.md).
-![Package: Ticket/ServiceNow](/images/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp)
+![Package: Ticket/ServiceNow](/images/identitymanager/packages_servicenowticket_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharedfolder/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharedfolder/index.md
index 3230d5125e..88239df28b 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharedfolder/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharedfolder/index.md
@@ -10,7 +10,7 @@ This connector exports users and permissions from Windows shared folders. This page is about [Shared Folders](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/shared-folders/index.md).
-![Package: Storage/Shared Folders](/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp)
+![Package: Storage/Shared Folders](/images/identitymanager/packages_sharedfolders_v603.webp)
 ## Overview
@@ -26,7 +26,7 @@ Implementing this connector requires an account with the permissions: - **Log on as a batch job** in the local group policy, when the connector's authentication mode is batch.
- ![SharedFolder - Permission for Batch Authentication](/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp)
+ ![SharedFolder - Permission for Batch Authentication](/images/identitymanager/sharedfolder_permission.webp)
 ## Export
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharepoint/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharepoint/index.md
index c0709d20b1..729b7b0b87 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharepoint/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sharepoint/index.md
@@ -11,7 +11,7 @@ This connector exports sites, folders, groups and permissions from a This page is about Storage/SharePoint.
-![Package: Storage/SharePoint](/images/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp)
+![Package: Storage/SharePoint](/images/identitymanager/packages_sharepoint_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sql/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sql/index.md
index 87176357eb..3799b00858 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sql/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sql/index.md
@@ -19,19 +19,19 @@ This page is about: - Database/[PostgreSQL](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/postgresql/index.md); - [SAP ASE](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/sapase/index.md).
-![Package: Directory/Database/Generic SQL](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp)
+![Package: Directory/Database/Generic SQL](/images/identitymanager/packages_sqlgeneric_v603.webp)
-![Package: Directory/Database/Microsoft SQL Server](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp)
+![Package: Directory/Database/Microsoft SQL Server](/images/identitymanager/packages_sqlserver_v603.webp)
-![Package: Directory/Database/MySQL](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp)
+![Package: Directory/Database/MySQL](/images/identitymanager/packages_sqlmy_v603.webp)
-![Package: Directory/Database/ODBC](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp)
+![Package: Directory/Database/ODBC](/images/identitymanager/packages_sqlodbc_v603.webp)
-![Package: Directory/Database/Oracle](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp)
+![Package: Directory/Database/Oracle](/images/identitymanager/packages_sqloracle_v603.webp)
-![Package: Directory/Database/PostgreSQL](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp)
+![Package: Directory/Database/PostgreSQL](/images/identitymanager/packages_sqlpostgre_v603.webp)
-![Package: Directory/Database/SAP ASE](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp)
+![Package: Directory/Database/SAP ASE](/images/identitymanager/packages_sqlsap_v603.webp)
 ## Overview
@@ -127,7 +127,7 @@ Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: 1. Download and extract the package. > For MySQL, download the package from [MySql.Data](https://www.nuget.org/packages/MySql.Data/). >
- > ![MySQL: Download Package](/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp)
+ > ![MySQL: Download Package](/images/identitymanager/sql_downloadpackage.webp)
 2. Copy the DLL file (corresponding to the correct .Net version) to the `Runtime` folder. > For MySQL, the DLL is `MySql.Data.dll`. 3. Get the value required for `ProviderClassFullName` and `ProviderDllName`:
@@ -137,7 +137,7 @@ Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: > For MySQL: >
- > ![Package Characteristics Example](/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp)
+ > ![Package Characteristics Example](/images/identitymanager/sql_packagecharacteristics.webp)
 - for another DBMS, by accessing the DBMS' documentation for .Net and finding a class with **Factory** in its name.
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md
index b30dfc5a8c..8a41f98876 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md
@@ -12,7 +12,7 @@ This connector exports entitlements from This page is about [SQL Server Entitlements](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/sql-server-entitlements/index.md).
-![Package: Database/Microsoft SQL Server Entitlements](/images/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp)
+![Package: Database/Microsoft SQL Server Entitlements](/images/identitymanager/packages_sqlservermanagement_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/topsecret/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/topsecret/index.md
index 8a9c70a84c..6aafbab29f 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/topsecret/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/topsecret/index.md
@@ -11,6 +11,6 @@ This connector exports users and profiles from a This page is about [TSS](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/tss/index.md).
-![Package: Mainframe/Top Secret](/images/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp)
+![Package: Mainframe/Top Secret](/images/identitymanager/packages_tss_v603.webp)
 The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/workday/index.md b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/workday/index.md
index 0af2b12e70..75a81e1412 100644
--- a/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/workday/index.md
+++ b/docs/identitymanager/6.2/integration-guide/connectors/references-connectors/workday/index.md
@@ -11,7 +11,7 @@ This connector exports users and groups from a This page is about [Workday](/docs/identitymanager/6.2/integration-guide/connectors/references-packages/workday/index.md).
-![Package: ERP/Workday](/images/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp)
+![Package: ERP/Workday](/images/identitymanager/packages_workday_v603.webp)
 ## Prerequisites
diff --git a/docs/identitymanager/6.2/integration-guide/entity-model/index.md b/docs/identitymanager/6.2/integration-guide/entity-model/index.md
index aba45755e2..6edc13933d 100644
--- a/docs/identitymanager/6.2/integration-guide/entity-model/index.md
+++ b/docs/identitymanager/6.2/integration-guide/entity-model/index.md
@@ -214,7 +214,7 @@ We need to transform the input data, from the export, into something readable by Manager and, when writing to the external system, transform Identity Manager's data back into something readable by the external system.
-![Export and Fulfill Data transformation](/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp)
+![Export and Fulfill Data transformation](/images/identitymanager/entitypropertymapping-format-flowchart.webp)
 The format used in the external system can be provided through the [Entity Type Mapping](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) using
diff --git a/docs/identitymanager/6.2/integration-guide/executables/references/create-databaseviews/index.md b/docs/identitymanager/6.2/integration-guide/executables/references/create-databaseviews/index.md
index c277c7d8a2..563e7aa6c3 100644
--- a/docs/identitymanager/6.2/integration-guide/executables/references/create-databaseviews/index.md
+++ b/docs/identitymanager/6.2/integration-guide/executables/references/create-databaseviews/index.md
@@ -41,4 +41,4 @@ Identity Manager's database. You can explore created views in the Identity Manager database's Views folder in SQL Server Management Studio
-![SSMS Views](/images/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp)
+![SSMS Views](/images/identitymanager/identitymanager-create-databaseviews_ssms.webp)
diff --git a/docs/identitymanager/6.2/integration-guide/executables/references/export-configuration/index.md b/docs/identitymanager/6.2/integration-guide/executables/references/export-configuration/index.md
index 7e96448dcb..d388a7f5e0 100644
--- a/docs/identitymanager/6.2/integration-guide/executables/references/export-configuration/index.md
+++ b/docs/identitymanager/6.2/integration-guide/executables/references/export-configuration/index.md
@@ -26,7 +26,7 @@ database to generate XML files: - a basic export will export the translation JSON files; - a scaffolding export will export the XML configuration generated by scaffoldings.
-![Schema - Export Process](/images/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp)
+![Schema - Export Process](/images/identitymanager/identitymanager-export-configuration.webp)
 For all export types, Netwrix Identity Manager (formerly Usercube) recommends using as output directory a folder other than the one containing the old XML configuration. This way, the exported
diff --git a/docs/identitymanager/6.2/integration-guide/executables/references/invoke-job/index.md b/docs/identitymanager/6.2/integration-guide/executables/references/invoke-job/index.md
index 623d9c8d12..bd7fa2d34a 100644
--- a/docs/identitymanager/6.2/integration-guide/executables/references/invoke-job/index.md
+++ b/docs/identitymanager/6.2/integration-guide/executables/references/invoke-job/index.md
@@ -12,7 +12,7 @@ This tool launches a job on the agent side. The Usercube-Invoke-Job.exe tool is a state machine.
-![Schematization](/images/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp)
+![Schematization](/images/identitymanager/job_operation.webp)
 When a job is launched, the state machine starts by computing all the tasks that must be launched in the job.
diff --git a/docs/identitymanager/6.2/integration-guide/executables/references/manage-history/index.md b/docs/identitymanager/6.2/integration-guide/executables/references/manage-history/index.md
index e9a99fb29f..60aa9cd983 100644
--- a/docs/identitymanager/6.2/integration-guide/executables/references/manage-history/index.md
+++ b/docs/identitymanager/6.2/integration-guide/executables/references/manage-history/index.md
@@ -55,7 +55,7 @@ interval. Here we keep one version per day (1440 minutes) in the last 7 days, th month (43920 minutes) in the last 6 months before the previously defined period, then one version per year (525960 minutes) in the last 2 years before the previously defined periods.
-![Schema - Optimize](/images/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp)
+![Schema - Optimize](/images/identitymanager/tools_managehistory_schema.webp)
 For each period, if there is more than one version (i.e. `ValidFrom` is inside the interval), the versions are merged in the following way:
diff --git a/docs/identitymanager/6.2/integration-guide/executables/references/prepare-synchronization/index.md b/docs/identitymanager/6.2/integration-guide/executables/references/prepare-synchronization/index.md
index 966719c782..8cd5fcb124 100644
--- a/docs/identitymanager/6.2/integration-guide/executables/references/prepare-synchronization/index.md
+++ b/docs/identitymanager/6.2/integration-guide/executables/references/prepare-synchronization/index.md
@@ -111,7 +111,7 @@ The figure models the complete _Prepare-Synchronization_ steps applied to an Act export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations (_members_ and _manager_).
-![Active Directory Prepare-Synchronization Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp)
+![Active Directory Prepare-Synchronization Example](/images/identitymanager/ad_preparesynchro_example.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/governance/accesscertification/index.md b/docs/identitymanager/6.2/integration-guide/governance/accesscertification/index.md
index 49bae81bba..3daad252d0 100644
--- a/docs/identitymanager/6.2/integration-guide/governance/accesscertification/index.md
+++ b/docs/identitymanager/6.2/integration-guide/governance/accesscertification/index.md
@@ -192,7 +192,7 @@ script in the command line. It automatically appears on the campaign creation screen, and binds itself to the created campaign:
-![Campaign creation screen with policies](/images/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp)
+![Campaign creation screen with policies](/images/identitymanager/creation_5.1.6.webp)
 To use it, modify the access control rules by adding a filter on the campaign policy. See the [Access Control Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md)
diff --git a/docs/identitymanager/6.2/integration-guide/governance/reporting/analyze-powerbi/index.md b/docs/identitymanager/6.2/integration-guide/governance/reporting/analyze-powerbi/index.md
index ca3f61265a..a0f749de22 100644
--- a/docs/identitymanager/6.2/integration-guide/governance/reporting/analyze-powerbi/index.md
+++ b/docs/identitymanager/6.2/integration-guide/governance/reporting/analyze-powerbi/index.md
@@ -29,7 +29,7 @@ Based on this model, Power BI will be able to: - generate customized graphic reports - publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises)
-![Process Schema](/images/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp)
+![Process Schema](/images/identitymanager/powerbi_process.webp)
 ## Prerequisites
diff --git a/docs/identitymanager/6.2/integration-guide/governance/reporting/connect-powerbi/index.md b/docs/identitymanager/6.2/integration-guide/governance/reporting/connect-powerbi/index.md
index 274d086e96..e09341d6dc 100644
--- a/docs/identitymanager/6.2/integration-guide/governance/reporting/connect-powerbi/index.md
+++ b/docs/identitymanager/6.2/integration-guide/governance/reporting/connect-powerbi/index.md
@@ -28,30 +28,30 @@ Connect Power BI to Identity Manager by proceeding as follows: 1. Open Power BI Desktop. 2. Click on **Get data** either in the welcome window or in the home menu.
- ![Get Data](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp)
+ ![Get Data](/images/identitymanager/powerbi_getdata.webp)
 3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and click on **Connect**.
- ![Get Data Window](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp)
+ ![Get Data Window](/images/identitymanager/powerbi_getdatawindow.webp)
 4. Enter Identity Manager's server URL in the opening window.
- ![Server URL](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp)
+ ![Server URL](/images/identitymanager/powerbi_url.webp)
 5. In the opening window, enter the [OpenIdClient](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md)of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of `OpenIdClient` with `@` and Identity Manager's domain name. See the following example.
- ![Client Id / Client Secret](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp)
+ ![Client Id / Client Secret](/images/identitymanager/powerbi_clientid.webp)
 6. You can now access in the left panel the [Universe](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md)from Identity Manager configuration. You can click on the desired universe to expand it, and view and pick the desired tables.
- ![Universe Panel](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp)
+ ![Universe Panel](/images/identitymanager/powerbi_universes.webp)
 **Power BI tip:** to view a table, click on its name. To select a table, check the box next to the table's name.
@@ -69,4 +69,4 @@ Clear the cache by proceeding as follows: 1. In Power BI, click on **File** > **Options and settings** > **Options**. 2. In the **Data Load** tab, click on **Clear Cache**.
- ![Clear Cache](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp)
+ ![Clear Cache](/images/identitymanager/powerbi_clearcache.webp)
diff --git a/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md b/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md
index d16669e830..cba908d143 100644
--- a/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md
+++ b/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md
@@ -23,7 +23,7 @@ Based on this model, Power BI will be able to: - generate customized graphic reports - publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises)
-![Process Schema](/images/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp)
+![Process Schema](/images/identitymanager/powerbi_process.webp)
 ## Prerequisites
diff --git a/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md b/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md
index c661d4af65..5f024b8971 100644
--- a/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md
+++ b/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md 
@@ -22,30 +22,30 @@ Connect Power BI to Identity Manager by proceeding as follows: 1. Open Power BI Desktop. 2. Click on **Get data** either in the welcome window or in the home menu.
- ![Get Data](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp)
+ ![Get Data](/images/identitymanager/powerbi_getdata.webp)
 3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and click on **Connect**.
- ![Get Data Window](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp)
+ ![Get Data Window](/images/identitymanager/powerbi_getdatawindow.webp)
 4. Enter Identity Manager's server URL in the opening window.
- ![Server URL](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp)
+ ![Server URL](/images/identitymanager/powerbi_url.webp)
 5. In the opening window, enter the [OpenIdClient](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md)of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of `OpenIdClient` with `@` and Identity Manager's domain name. See the following example.
- ![Client Id / Client Secret](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp)
+ ![Client Id / Client Secret](/images/identitymanager/powerbi_clientid.webp)
 6. You can now access in the left panel the [Universe](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md)from Identity Manager configuration. You can click on the desired universe to expand it, and view and pick the desired tables.
- ![Universe Panel](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp)
+ ![Universe Panel](/images/identitymanager/powerbi_universes.webp)
 **Power BI tip:** to view a table, click on its name. To select a table, check the box next to the table's name.
@@ -63,4 +63,4 @@ Clear the cache by proceeding as follows: 1. In Power BI, click on **File** > **Options and settings** > **Options**. 2. In the **Data Load** tab, click on **Clear Cache**.
- ![Clear Cache](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp)
+ ![Clear Cache](/images/identitymanager/powerbi_clearcache.webp)
diff --git a/docs/identitymanager/6.2/integration-guide/governance/risks/index.md b/docs/identitymanager/6.2/integration-guide/governance/risks/index.md
index 528b887767..6251014ebf 100644
--- a/docs/identitymanager/6.2/integration-guide/governance/risks/index.md
+++ b/docs/identitymanager/6.2/integration-guide/governance/risks/index.md
@@ -74,7 +74,7 @@ one of the detected risks in the requested entitlement set has the blocking exem Identity Manager does not allow the set to be requested at all. A message is displayed and the request must be cancelled:
-![Exemption Policy - Blocking](/images/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp)
+![Exemption Policy - Blocking](/images/identitymanager/risks_blocking_v522.webp)
 ### Approval Required
@@ -84,14 +84,14 @@ of the detected risks in the requested entitlement set has the approval required then Identity Manager adds a step where this new set must be reviewed by a knowledgeable user like a security officer. A message is displayed and the request can be continued or cancelled:
-![Exemption Policy - Approval Required](/images/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp)
+![Exemption Policy - Approval Required](/images/identitymanager/risks_requiredapproval_v522.webp)
 If the request is performed, then a line appears on the **Role Review** screen. The workflow state of said request is `Manual`, `Pending approval (risks)` and shows the following risk icon.
-![Home Page - Role Review](/images/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg)
+![Home Page - Role Review](/images/identitymanager/risks_riskicon_v522.svg)
 ### Warning
@@ -99,7 +99,7 @@ Risk-triggering permissions can also be allowed with only a warning with the war policy. If all detected risks in the requested entitlement set has the warning exemption policy, then Identity Manager displays a message and the request can be continued or cancelled:
-![Exemption Policy - Warning](/images/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp)
+![Exemption Policy - Warning](/images/identitymanager/risks_warning_v522.webp)
 ### Upon Profile
@@ -177,4 +177,4 @@ examined and then, kept or discarded. The risk score computation is performed by the risk score task.
-![Compute Risk Score Task](/images/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp)
+![Compute Risk Score Task](/images/identitymanager/risks_riskcomputetask_v522.webp)
diff --git a/docs/identitymanager/6.2/integration-guide/identity-management/identity-repository/index.md b/docs/identitymanager/6.2/integration-guide/identity-management/identity-repository/index.md
index eb144a1ad7..41002669e6 100644
--- a/docs/identitymanager/6.2/integration-guide/identity-management/identity-repository/index.md
+++ b/docs/identitymanager/6.2/integration-guide/identity-management/identity-repository/index.md
@@ -19,13 +19,13 @@ entitlement assignments. > For example, a user can be represented by an identifier and linked to their position which > includes the user's employee id, last name and first name, email, user type, organization, etc. >
-> ![Identity Repository Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp)
+> ![Identity Repository Example](/images/identitymanager/identityrepository-example.webp)
 > In Identity Manager, the identity repository can look like the following: >
-> ![Identity Repository Result](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp)
+> ![Identity Repository Result](/images/identitymanager/identityrepository_v602.webp)
 >
-> ![Identity Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp)
+> ![Identity Example](/images/identitymanager/identityrepository-person_v602.webp)
 The identity repository can be created and updated by:
diff --git a/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md b/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md
index ddea3840e7..c42f26a662 100644
--- a/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md
+++ b/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md
@@ -54,7 +54,7 @@ These dates should then be part of entity types' properties (for example as `Sta [Record Section](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) and [Context Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md).
-![Identities - Validity Period](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp)
+![Identities - Validity Period](/images/identitymanager/validityperiod.webp)
 At the start date, the resource is created and a few entitlements are assigned to the identity.
diff --git a/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md b/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md
index 21fb7a83c0..50c307c04b 100644
--- a/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md
+++ b/docs/identitymanager/6.2/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md
@@ -48,7 +48,7 @@ given set of properties simultaneously. It seems natural to model identities by splitting their properties into three entities: one for users' personal data, one for their contract(s) and one for their position(s):
-![Records Origin - Three-Entity Model](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp)
+![Records Origin - Three-Entity Model](/images/identitymanager/recordsorigin_firstmodel.webp)
 A user can have several positions over time, even simultaneously. A user's contract can change over time too. Even personal data is subject to change. This is why we can have several sets of personal
@@ -98,16 +98,16 @@ Identity Manager, where all values in one datasheet are valid on a given time pe > fixed-term to permanent. At day D2, he starts an additional position. The two positions overlap > from day D2 to day D3 when the first position ends. >
-> ![User Example](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp)
+> ![User Example](/images/identitymanager/recordsorigin_userexample.webp)
 > > Over time, the three entities are as follows: >
-> ![Example - Timelines](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp)
+> ![Example - Timelines](/images/identitymanager/recordsorigin_timelines.webp)
 > > From this, Identity Manager is able to combine the start and end dates of all entities at all > times to generate the following datasheets, named contexts: >
-> ![Example - Contexts](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp)
+> ![Example - Contexts](/images/identitymanager/recordsorigin_contexts.webp)
 Contexts are the result of the combination of all entities (personal data, contract and position) so that all values contained in a given context are valid on a given period of time.
@@ -141,7 +141,7 @@ database, in order to be able to perform fast requests. Hence, the final model g (personal data, contracts and positions), including their respective start and end dates, into a single entity named records, where a context is a record instance:
-![Records Origin - Final Model](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp)
+![Records Origin - Final Model](/images/identitymanager/recordsorigin_thirdmodel.webp)
 While there are as many contexts for a user as the number of changes in the user's datasheet, there are only as many records as needed to store each value at least once.
diff --git a/docs/identitymanager/6.2/integration-guide/network-configuration/configure-okta/index.md b/docs/identitymanager/6.2/integration-guide/network-configuration/configure-okta/index.md
index 5361e59de0..660200204b 100644
--- a/docs/identitymanager/6.2/integration-guide/network-configuration/configure-okta/index.md
+++ b/docs/identitymanager/6.2/integration-guide/network-configuration/configure-okta/index.md
@@ -12,15 +12,15 @@ This guide shows how to configure the OIDC to set up the authentication to Ident On the Okta dashboard:
-![Add Application](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp)
+![Add Application](/images/identitymanager/okta_addapplication.webp)
 **Step 1 –** Select the **Applications** section and click on the **Add Application** button.
-![Create New App](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp)
+![Create New App](/images/identitymanager/okta_createnewapp.webp)
 **Step 2 –** Then click on the **Create New App** button.
-![Create Native App](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp)
+![Create Native App](/images/identitymanager/okta_createnativeapp.webp)
 **Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. Click on **Create**.
@@ -39,7 +39,7 @@ Identity Manager. :::
-![Save Application](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp)
+![Save Application](/images/identitymanager/okta_saveapplication.webp)
 ## Configure the Client Credentials
@@ -48,14 +48,14 @@ configure this OIDC connection option in the application. In the Application Das **Edit** in the **Client Credentials** section. Select the option **Use Client Authentication** and save the changes. -![Client Credentials](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp) +![Client Credentials](/images/identitymanager/okta_clientcredentials.webp) ## Configure the Application Settings In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with Identity Manager can operate correctly. **Allow ID Token with implicit grant type** is optional. -![Application Section](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp) +![Application Section](/images/identitymanager/okta_applicationsection.webp) ## Configure the appsettings.json diff --git a/docs/identitymanager/6.2/integration-guide/network-configuration/index.md b/docs/identitymanager/6.2/integration-guide/network-configuration/index.md index 085f94d1dd..ffee164864 100644 --- a/docs/identitymanager/6.2/integration-guide/network-configuration/index.md +++ b/docs/identitymanager/6.2/integration-guide/network-configuration/index.md @@ -58,7 +58,7 @@ containing another subsection for every authentication method such as OpenId or This means that every setting value either belongs to the settings root node or to a section, itself belonging to a parent section. -![tree like structure](/images/identitymanager/integration-guide/network-configuration/tree-like-structure.webp) +![tree like structure](/images/identitymanager/tree-like-structure.webp) ### Configuration files diff --git a/docs/identitymanager/6.2/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md b/docs/identitymanager/6.2/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md index 09dde0ac72..e75baea540 100644 
--- a/docs/identitymanager/6.2/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md +++ b/docs/identitymanager/6.2/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md @@ -47,11 +47,11 @@ authentication. Internal method & test mode form: -![authent_1](/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp) +![authent_1](/images/identitymanager/authent_1.webp) External method prompt: -![authent_2](/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp) +![authent_2](/images/identitymanager/authent_2.webp) ## Identity Server RSA Key Pair diff --git a/docs/identitymanager/6.2/integration-guide/network-configuration/settings/index.md b/docs/identitymanager/6.2/integration-guide/network-configuration/settings/index.md index b86504c08f..0f4fa28871 100644 --- a/docs/identitymanager/6.2/integration-guide/network-configuration/settings/index.md +++ b/docs/identitymanager/6.2/integration-guide/network-configuration/settings/index.md 
@@ -85,14 +85,14 @@ to navigate to the defined URI addresses. ``` -![LCustomLinksUserMenu.webp](/images/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp) +![LCustomLinksUserMenu.webp](/images/identitymanager/customlinksusermenu_v523.webp) ## DashboardItemNumber Some sections on the dashboard contain multiple links. These links are quick links with counters to the review page filtered by entity type. The links are sorted by entity type priority. -![LDashboardItemNumber.webp](/images/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp) +![LDashboardItemNumber.webp](/images/identitymanager/dashboarditemnumber.webp) By default, 3 links are displayed. If more than 3 entity type links exist, a link "Others" is displayed with the concatenation of remaining counters. diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/assignments-of-entitlements/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/assignments-of-entitlements/index.md index c0e63831f7..d5372750bb 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/assignments-of-entitlements/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/assignments-of-entitlements/index.md @@ -81,7 +81,7 @@ only about the assignments that need provisioning. For example, roles exist only in Identity Manager and not in the managed systems, so assigned roles do not have a provisioning state, unlike assigned resource types, scalars and navigation, etc. -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) +![Provisioning State Schema](/images/identitymanager/prov_stateschema_v523.webp) The schema sums up the usual progress of an assignment's provisioning state. 
@@ -117,7 +117,7 @@ entitlements found in the systems. A simple comparison between these two lists defines the non-conforming assignments, i.e. the list of all assignments that do not comply with the policy. -![Non-Conforming Assignments](/images/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) +![Non-Conforming Assignments](/images/identitymanager/governance_nonconforming.webp) A non-conforming assignment must be reviewed in Identity Manager by a knowledgeable user, and is therefore: diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/configureindirectpermissions/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/configureindirectpermissions/index.md index 74289c7f11..742c22f0fd 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/configureindirectpermissions/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/configureindirectpermissions/index.md @@ -41,7 +41,7 @@ After adding this rule to the Configuration, do not forget to deploy the configu The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles. -![Group Membership Schema](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp) +![Group Membership Schema](/images/identitymanager/indirectpermissionsadexample.webp) A running Active Directory instance is required to reproduce these steps yourself. 
@@ -54,19 +54,19 @@ Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB`` Since we have manually edited the Active Directory, we first need to run an AD synchronization job. Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, : -![Single Role Configuration Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp) +![Single Role Configuration Example](/images/identitymanager/srconf_5.2.1.webp) We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```: -![Composite Role Configuration](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp) +![Composite Role Configuration](/images/identitymanager/crconf_5.2.1.webp) Then we will also need to add some rules. We first need to add one Navigation Rule for each group to link them with their respective Single Role: -![Navigation Rule Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp) +![Navigation Rule Example](/images/identitymanager/navrule_5.2.1.webp) And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role: -![Single Role Rule Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp) +![Single Role Rule Example](/images/identitymanager/srrule_5.2.1.webp) Even if two rules of a kind are needed, only one is pictured. Do not forget the other one. 
@@ -78,15 +78,15 @@ The next screenshots were taken after adding the direct assignment directly insi If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```: -![View Permissions Simplified](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp) +![View Permissions Simplified](/images/identitymanager/viewpermissionssimplified_5.2.1.webp) To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear: -![View Permissions Advanced](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp) +![View Permissions Advanced](/images/identitymanager/viewpermissionsadvanced_5.2.1.webp) You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. The ```memberOf``` properties will appear in the list: -![AD Assigned Resource Navigations](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp) +![AD Assigned Resource Navigations](/images/identitymanager/adassignednavigations_5.2.1.webp) ## Configure Indirect Permissions in an Microsoft Entra ID diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md index 10a0e5fe02..d6b6e209c5 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md 
@@ -21,7 +21,7 @@ See the [Risk Management](/docs/identitymanager/6.2/integration-guide/governance ## Overview -![Evaluate Policy Overview](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp) +![Evaluate Policy Overview](/images/identitymanager/evaluate-policy-1.webp) The main responsibility of the Evaluate Policy is to compute, for every fed resource, the set of assignments of entitlements that comply with the assignment policy. @@ -146,7 +146,7 @@ Before starting, a context rule is applied, giving for the input resource: - The dimension values - The time period validity of every assignment computed during this Evaluate Policy iteration -![Computing Context For Input Resource](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp) +![Computing Context For Input Resource](/images/identitymanager/enforce-context.webp) **Computing expected role assignments** @@ -159,7 +159,7 @@ outcome of those rules, as assigned composite roles and assigned single roles, i input resource's context. They are the image of the status of trust and privilege granted to a resource-identity. -![Computing Expected Role Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp) +![Computing Expected Role Assignments](/images/identitymanager/compute-expected-1.webp) **Enforcing composite role rules** @@ -217,7 +217,7 @@ provisioning orders that are to be executed by the agent, after being validated user. See the [Resource Type](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. -![Computing Expected Provisioning Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp) +![Computing Expected Provisioning Assignments](/images/identitymanager/compute-expected-2.webp) **Enforcing resource type rules** 
@@ -269,7 +269,7 @@ scalar assignments are added as well. **Step 3 –** **Match existing assignments with expected assignments** -![Computing Expected Provisioning Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp) +![Computing Expected Provisioning Assignments](/images/identitymanager/compute-find-matching.webp) The expected assignments list is now built. @@ -301,7 +301,7 @@ unwanted ones for any reason. **Step 5 –** **Correlation** -![Computing Expected Provisioning Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp) +![Computing Expected Provisioning Assignments](/images/identitymanager/correlation.webp) Resource correlation rules are enforced: for every expected assigned resource type, the algorithm looks for a target resource that correlates the owner, which is the input resource. 
@@ -346,20 +346,20 @@ The workflow state is also analyzed; assignments with Approved (or Cancellation) | Workflow state | Description | | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | 0—None | Used for Identity Manager's internal computation | -| 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) | +| 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) | | 2—Requested - Missing Parameters | The assignment has been requested via a workflow, but does not specify at least one required parameter for the role. | -| 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | -| 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) | -| 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) | -| 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. 
![Workflow State: Pending Approval](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) | +| 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) | +| 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/4_requested_v603.webp) | +| 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/5_calculatedmissingparameters_v603.webp) | +| 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/8_pendingapproval_v603.webp) | | 9—Pending Approval 1 of 2 | The assignment is pending the first approval on a two-step workflow. | | 10—Pending Approval 2 of 2 | The assignment is pending the second approval on a two-step workflow. | | 11—Pending Approval 1 of 3 | The assignment is pending the first approval on a three-step workflow. | | 12—Pending Approval 2 of 3 | The assignment is pending the second approval on a three-step workflow. | | 13—Pending Approval 3 of 3 | The assignment is pending the third approval on a three-step workflow. | -| 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) | +| 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/16_approved_v603.webp) | | 17—Declined | The assignment is explicitly declined during one of the approval steps. 
| -| 20—Cancellation | The assignment is inferred by a role that was declined. ![Workflow State: Cancellation](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) | +| 20—Cancellation | The assignment is inferred by a role that was declined. ![Workflow State: Cancellation](/images/identitymanager/20_cancellation_v603.webp) | **Step 7 –** **Delta** diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/existingassignmentsdeduction/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/existingassignmentsdeduction/index.md index 9b9877b209..1626238177 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/existingassignmentsdeduction/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/existingassignmentsdeduction/index.md @@ -38,7 +38,7 @@ entitlement, for example an Active Directory group. Let's study this use case with an example: a single role _Internet_ is linked to an Active Directory group _Internet_ through a navigation rule `N`. -![use_case_1_rolemodel](/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp) +![use_case_1_rolemodel](/images/identitymanager/use_case_1_rolemodel.webp) We are going to consider here an identity named John Doe, and his Active Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com). @@ -73,7 +73,7 @@ Directory group. The situation in Identity Manager database at this point is the following. -![use_case_1_sync](/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp) +![use_case_1_sync](/images/identitymanager/use_case_1_sync.webp) Integrators have defined the Internet single role and linked it to the _Internet_ AD group through the navigation rule `N`. 
@@ -85,7 +85,7 @@ rules be consistent with the data found in the Active Directory. The role is now listed under John Doe's assignment list (permissions) in Identity Manager. -![use_case_1_deduction](/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp) +![use_case_1_deduction](/images/identitymanager/use_case_1_deduction.webp) ## Use Case 2: Several Groups, One Role diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/generate-contexts/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/generate-contexts/index.md index fc8c216ca9..5938360ed3 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/generate-contexts/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/generate-contexts/index.md @@ -89,11 +89,11 @@ of the previous or future position. The following image shows the positions of `Mark Barn` in a defined timeline. -![simple-recordsection-identity](/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp) +![simple-recordsection-identity](/images/identitymanager/simple-recordsection-identity.webp) With the given configuration and the identity of `Mark Barn`, the following contexts are generated: -![simple-recordsection-result](/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp) +![simple-recordsection-result](/images/identitymanager/simple-recordsection-result.webp) Each computed context will be used to create a set of dimension-value pairs, thus having 3 sets for the [Evaluate Policy](/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. 
@@ -139,7 +139,7 @@ The `ExtensionKind="None"` was removed for the `Location` property. Using the identity of `Mark Barn` the computed contexts should be as followed: -![recordsection-withvaluecopy-result1](/images/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp) +![recordsection-withvaluecopy-result1](/images/identitymanager/recordsection-withvaluecopy-result1.webp) Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `Cs` to `Ce`. @@ -164,11 +164,11 @@ Position record section: ```` -![positionextension-identity](/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp) +![positionextension-identity](/images/identitymanager/positionextension-identity.webp) Two contexts will be generated. -![positionextension-result](/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp) +![positionextension-result](/images/identitymanager/positionextension-result.webp) By default, the previous position is extended when there is a gap. If there isn't any previous position then the next position will be anticipated. diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/indirectpermissions/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/indirectpermissions/index.md index 9a59f0fb11..e9616378cb 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/indirectpermissions/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/indirectpermissions/index.md 
@@ -103,7 +103,7 @@ Although Indirect Permissions are marked as `Non-conforming`, they can be neithe deleted. They also won't appear in Access certification campaigns. Indirect Permissions are always indicated by the following icon: -![Indirect Permission Icon](/images/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp) +![Indirect Permission Icon](/images/identitymanager/ic_fluent_flow_20_regular.webp) ## Disabling the Indirect Permission Computation diff --git a/docs/identitymanager/6.2/integration-guide/role-assignment/role-model-rules/index.md b/docs/identitymanager/6.2/integration-guide/role-assignment/role-model-rules/index.md index 80e322bf9c..c94c0c1bc9 100644 --- a/docs/identitymanager/6.2/integration-guide/role-assignment/role-model-rules/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-assignment/role-model-rules/index.md @@ -254,7 +254,7 @@ between the assignments of a role and the actual assignment of entitlement. This series of steps is actually a very simplified version of the [Evaluate Policy](/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. -![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp) +![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/enforce-assignment-policy-summary.webp) **---** diff --git a/docs/identitymanager/6.2/integration-guide/role-mining/index.md b/docs/identitymanager/6.2/integration-guide/role-mining/index.md index e7ff179fe1..1bc0239e0c 100644 --- a/docs/identitymanager/6.2/integration-guide/role-mining/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-mining/index.md 
@@ -30,7 +30,7 @@ Now that users received their roles, the role mining tool can analyze these assi [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) which will assign single roles to certain users matching given criteria. -![Schema - Role Mining](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_schema.webp) Role mining is a Machine Learning process. It is a statistic tool used to emphasize the dimensions that constitute the key criteria for existing role assignments. See the @@ -62,7 +62,7 @@ Mining rules can be configured to generate: 2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an entitlement request for a user. - ![Suggested](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + ![Suggested](/images/identitymanager/rolemining_suggested_v602.webp) You can generate both automatic and suggested rules for the same role, with different precision levels and different approval workflows. 
@@ -72,12 +72,12 @@ levels and different approval workflows. > above 95% and a second mining rule to generate suggested assignment rules when the ratio is > between 75% and 95%. > -> ![Rule Types](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) +> ![Rule Types](/images/identitymanager/rolemining_ruletype.webp) You can also differentiate entitlements according to their sensitivity, for example require additional reviews following the request of a sensitive entitlement: -![Rule Types - Sensitivity](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) +![Rule Types - Sensitivity](/images/identitymanager/rolemining_ruletype-sensitivity.webp) The automation of entitlement assignments according to sensitivity brings greater confidence in basic entitlements assignment which won't need to be certified anymore. Thus, automation lets 
@@ -92,25 +92,25 @@ Consider that all users from a given organization have a given role. Then role m single role rule to assign automatically this role to any user of this organization. Then users' entitlements remain unchanged: -![Impact Example - Use Case 1](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp) +![Impact Example - Use Case 1](/images/identitymanager/rolemining_impact_usecase1.webp) Now consider that half of users in the organization have the role. Then role mining will not generate a role assignment rule. Then users' entitlements remain unchanged: -![Impact Example - Use Case 2](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp) +![Impact Example - Use Case 2](/images/identitymanager/rolemining_impact_usecase2.webp) Starting from the previous example, consider now that users progressively request the role. As long as the ratio is below a given threshold, then role mining will not generate a role assignment rule. Then users' entitlements remain unchanged: -![Impact Example - Use Case 3](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp) +![Impact Example - Use Case 3](/images/identitymanager/rolemining_impact_usecase3.webp) Starting from the previous example, consider now that users continue requesting the role. As soon as the ratio is above the threshold, then role mining will create a single role rule to assign automatically this role to any user in the organization. Then a few users are going to get the entitlement: -![Impact Example - Use Case 4](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp) +![Impact Example - Use Case 4](/images/identitymanager/rolemining_impact_usecase4.webp) Starting from the previous example, consider now that, as a result of a reorganization or an access certification for example, some users do not have the role anymore. If the ratio is below the 
@@ -118,7 +118,7 @@ threshold, then role mining will remove the single role rule. If the role (or it configured with a grace period, users who need the role will not lose it. Then users' entitlements remain unchanged: -![Impact Example - Use Case 5](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp) +![Impact Example - Use Case 5](/images/identitymanager/rolemining_impact_usecase5.webp) ## Perform Role Mining @@ -135,10 +135,10 @@ to generate role assignment rules either directly or in a [Simulation](/docs/ide Simulating the results of role mining allows a knowledgeable user to analyze the impact of role mining on the role model, before applying them. -![Schema - Role Mining](/images/identitymanager/integration-guide/role-mining/rolemining_simulation.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_simulation.webp) The simulation tool gives another point of view on the role model as it emphasizes the changes. -![Schema - Role Mining](/images/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_simulationresults.webp) Identity Manager recommends simulating role mining before applying the results. diff --git a/docs/identitymanager/6.2/integration-guide/role-model/role-model-rules/index.md b/docs/identitymanager/6.2/integration-guide/role-model/role-model-rules/index.md index df1569abda..7d10a94009 100644 --- a/docs/identitymanager/6.2/integration-guide/role-model/role-model-rules/index.md +++ b/docs/identitymanager/6.2/integration-guide/role-model/role-model-rules/index.md 
@@ -244,7 +244,7 @@ between the assignments of a role and the actual assignment of entitlement. This series of steps is actually a very simplified version of the [Evaluate Policy](/docs/identitymanager/6.2/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. -![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp) +![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/enforce-assignment-policy-summary.webp) **---** diff --git a/docs/identitymanager/6.2/integration-guide/synchronization/upward-data-sync/index.md b/docs/identitymanager/6.2/integration-guide/synchronization/upward-data-sync/index.md index d9053a01de..1ed9be9e95 100644 --- a/docs/identitymanager/6.2/integration-guide/synchronization/upward-data-sync/index.md +++ b/docs/identitymanager/6.2/integration-guide/synchronization/upward-data-sync/index.md @@ -203,7 +203,7 @@ outputs a set of _CSV source files_, containing raw AD Entries data (`ad_entries about group membership (`ad_members.csv`) and about the hierarchical organization (`ad_managers.csv`). -![Active Directory Export Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp) +![Active Directory Export Example](/images/identitymanager/ad_export_example.webp) `ad_entries.csv` contains raw AD entry data. 
@@ -319,7 +319,7 @@ Of course, any notification of a _complete__Prepare-Synchronization_ would cance The following illustration models the complete _prepare-synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations: _members_ and _manager_.
-![Active Directory Prepare-Synchronization Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp)
+![Active Directory Prepare-Synchronization Example](/images/identitymanager/ad_preparesynchro_example.webp)
 ## Synchro
@@ -380,7 +380,7 @@ Then, changes according to the _command_ column are applied to UR_Resources and This example illustrates the _complete_ loading of Active Directory ```.sorted``` files into Identity Manager database.
-![Active Directory Synchronization Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp)
+![Active Directory Synchronization Example](/images/identitymanager/ad_synchro_example.webp)
 ## Handling Errors
diff --git a/docs/identitymanager/6.2/integration-guide/tasks-jobs/troubleshoot-connector-jobs/index.md b/docs/identitymanager/6.2/integration-guide/tasks-jobs/troubleshoot-connector-jobs/index.md
index ff2f516b38..9352529d1d 100644
--- a/docs/identitymanager/6.2/integration-guide/tasks-jobs/troubleshoot-connector-jobs/index.md
+++ b/docs/identitymanager/6.2/integration-guide/tasks-jobs/troubleshoot-connector-jobs/index.md
@@ -14,7 +14,7 @@ and fix errors. A managed system is synchronized and provisioned to/from Identity Manager with the following task sequence:
-![Synchronization/Provisioning Schema](/images/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp)
+![Synchronization/Provisioning Schema](/images/identitymanager/troubleshoot_synchroprovschema.webp)
 ### Export data
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/deploy-configuration/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/deploy-configuration/index.md
index 9e26a39abf..f626262bd7 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/deploy-configuration/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/deploy-configuration/index.md
@@ -83,7 +83,7 @@ Deploy a SaaS XML configuration by proceeding as follows: 2. Log in to the IDP to be redirected back to this screen:
- ![Usercube-Login.exe Success Screen](/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp)
+ ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp)
 Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes.
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/export-configuration/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/export-configuration/index.md
index 0ea1887c62..83015304fe 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/export-configuration/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/export-configuration/index.md
@@ -87,7 +87,7 @@ Export a SaaS configuration by proceeding as follows: 2. Log in to the IDP to be redirected back to this screen:
- ![Usercube-Login.exe Success Screen](/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp)
+ ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp)
 Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes.
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/expressions/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/expressions/index.md
index 08d682b187..30f7938f8c 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/expressions/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/expressions/index.md
@@ -41,7 +41,7 @@ Expression. For example, the source object of a scalar rule based on user records is displayed:
-![Property Path and Expression](/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp)
+![Property Path and Expression](/images/identitymanager/expression-propertypath_v602.webp)
 The field Property Path is usually filled in with the + button only when the rule involves one single attribute. If the object involves more than one attribute, then the attributes are to be
@@ -51,9 +51,9 @@ written in Expression (C#), with the help of predefined simple transformations. The first example defines the source object as simply the user record's Login property, while the second defines the source object with an expression based on the user record's first and last names:
-![Property Path Example](/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp)
+![Property Path Example](/images/identitymanager/expression-propertypath-example1_v602.webp)
-![Expression Example](/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp)
+![Expression Example](/images/identitymanager/expression-propertypath-example2_v602.webp)
 ### Expressions in XML
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/index.md
index d0cb2a2864..ce171e6e9f 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/index.md
@@ -22,4 +22,4 @@ used to **export** the current configuration (to a XML files set). The Identity Manager project's integration cycle consists in developing a configuration by successive imports in a test instance.
-![Integration cycle](/images/identitymanager/integration-guide/toolkit/configurationcycle.webp)
+![Integration cycle](/images/identitymanager/configurationcycle.webp)
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/recommendations/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/recommendations/index.md
index effe17336f..c2b4c1f16e 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/recommendations/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/recommendations/index.md
@@ -31,7 +31,7 @@ RedHat's XML extension provides auto-completion based on an XSD file. It opens a popup when you start to edit an element or attribute name. You can open the popup by typing `Ctrl-Space`.
-![Auto-complete](/images/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp)
+![Auto-complete](/images/identitymanager/autocomplete.webp)
 Configure auto-completion by proceeding as follows:
@@ -76,4 +76,4 @@ or Application Entity. For each Connector or Application Entity create a folder - **_Jobs.xml_** file containing the jobs configuration. - **_Workflows.xml_** file containing the Workflows configuration for the given connector.
-![Recommendation](/images/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp)
+![Recommendation](/images/identitymanager/recommendation.webp)
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md
index 0c29e494fe..093d59a46f 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md
@@ -83,7 +83,7 @@ This condition is actually a comparison expression between two elements: - The value of a property which is originating from an entity targeted by the rule - A comparison value that can be constant, or originating from the user profile
-![Access Control Filter Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp)
+![Access Control Filter Schema](/images/identitymanager/accesscontrolfilter_schema.webp)
 ### Examples
@@ -152,7 +152,7 @@ Technically speaking, the filter here says that the rule's permissions apply onl For example, Timothy Callahan is here assigned the `Manager` profile with the `Department` dimension set to `Treasury/Chief Economist`.
-![Matching Assigned Profile](/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp)
+![Matching Assigned Profile](/images/identitymanager/assignedprofile_example_v603.webp)
 Thus, with the previous access control rule, Timothy Callahan will get certain permissions on users whose main department is `Treasury/Chief Economist`.
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md
index fff45bfd34..44a9ae3704 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md
@@ -24,13 +24,13 @@ The following example builds a universe called `Universe1`: ```
-![Universe - Basic Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp)
+![Universe - Basic Example](/images/identitymanager/bi_universeexampledisplaynames.webp)
 When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following:
-![Universe (Display Names)](/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnamedisplayname.webp)
+![Universe (Display Names)](/images/identitymanager/universe_columnnamedisplayname.webp)
 ##### Basic universe with identifiers instead of display names
@@ -43,13 +43,13 @@ display names: ```
-![Universe - Basic Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexample.webp)
+![Universe - Basic Example](/images/identitymanager/bi_universeexample.webp)
 When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following:
-![Universe (Identifiers)](/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnameidentifier.webp)
+![Universe (Identifiers)](/images/identitymanager/universe_columnnameidentifier.webp)
 ## Properties
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md
index c405994cd2..dd35395c17 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md
@@ -10,7 +10,7 @@ Scaffolding to generate the rights to administrate campaign creation. Gives access to a shortcut on the dashboard to access this page.
-![Access Certification Campaigns](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp)
+![Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md
index 0ba38c1042..51efa0d2e0 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md
@@ -9,7 +9,7 @@ sidebar_position: 20 Scaffolding to access the job administration page. This page is accessible from the administration part in dashboard of the user interface.
-![Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+![Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md
index d78dbca36c..603ae86671 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md
@@ -9,7 +9,7 @@ sidebar_position: 10 Gives to a given profile the rights to create, update, delete and query any assigned profile, from the **Assigned Profiles** screen.
-![Assigned Profiles](/images/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp)
+![Assigned Profiles](/images/identitymanager/home_assignedprofiles_v602.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md
index 5065ff6877..84d7338b12 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md
@@ -10,9 +10,9 @@ Gives to a given profile the rights to create, update and delete profiles. Profiles are listed on the **Profiles** screen, from **Settings** in the **Configuration** section.
-![Settings](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp)
+![Settings](/images/identitymanager/home_settings_v523.webp)
-![Profiles](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/accesscontrol_profiles_v603.webp)
+![Profiles](/images/identitymanager/AccessControl_Profiles_V603.webp)
 See more details on profiles' APIs.
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md
index 1164701d6a..73ab591e13 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md
@@ -10,7 +10,7 @@ Generates the rights to access the report view. Gives access to a shortcut on the navigation to access this page.
-![Reports](/images/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp)
+![Reports](/images/identitymanager/home_reports_v602.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md
index fc2dd1dafe..dc0b3cd813 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md
@@ -10,7 +10,7 @@ Generates the rights to access the role review pages for a given entity type and Gives access to a shortcut on the dashboard to access this page.
-![Role Review](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp)
+![Role Review](/images/identitymanager/home_rolereview_v523.webp)
 ## Properties
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md
index 047ef89b1e..3b14de0658 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md
@@ -11,7 +11,7 @@ profile. Gives access to a shortcut on the dashboard to access this page.
-![Manual Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp)
+![Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp)
 The connector connected to the entity type must have the manual type as the provisioning type, otherwise the information of the entity type cannot be displayed on this screen.
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md
index 162b8329fa..57bcd631ee 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md
@@ -13,7 +13,7 @@ Gives access to a shortcut on the dashboard to access this page. Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the EntityType to be filled in the Scaffolding.
-![Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp)
+![Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md
index 19a770fb98..b4aba689c7 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md
@@ -10,7 +10,7 @@ Generates the rights to access the access reconcile roles pages for a given enti Gives access to a shortcut on the dashboard to access this page.
-![Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp)
+![Role Reconciliation](/images/identitymanager/home_rolereconciliation_v523.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md
index ab904f7e7b..1bc1ac68c1 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md
@@ -11,7 +11,7 @@ redundant assignments. Gives access to a shortcut on the dashboard to access this page.
-![Redundant Assignments](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp)
+![Redundant Assignments](/images/identitymanager/home_redundantassignments_v602.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md
index ff58a23641..8caf63bc0e 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md
@@ -12,7 +12,7 @@ EntityType to be filled in the Scaffolding. Gives access to a shortcut on the dashboard to access this page.
-![Provisioning Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp)
+![Provisioning Review](/images/identitymanager/home_provisioningreview_v523.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md
index 346e51f3ce..e32de76208 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md
@@ -10,7 +10,7 @@ Generates the rights to access the access roles review pages for a given entity Gives access to a shortcut on the dashboard to access this page.
-![Role Review](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp)
+![Role Review](/images/identitymanager/home_rolereview_v523.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md
index 5bf223a65a..60a11db8c2 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md
@@ -23,7 +23,7 @@ Generates the rights to access the access configuration pages and create, update Gives access to a shortcut on the dashboard to access this page.
-![Configuration Section](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp)
+![Configuration Section](/images/identitymanager/home_configuration_v603.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md
index 0e008b634a..4cd8ab0bf7 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md
@@ -8,7 +8,7 @@ sidebar_position: 10 Gives access to the **Manage Accounts** buttons for the users of a given entity type.
-![ManageAccounts Button](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp)
+![ManageAccounts Button](/images/identitymanager/accesscontrol_manageaccounts_v603.webp)
 The scaffolding gives access to the button, but you need to get the permissions on said accounts in order to see anything once you click on the button.
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md
index 13fe7835e4..14f684d47a 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md
@@ -13,11 +13,11 @@ Gives access to a shortcut on the dashboard and on the top bar to access this pa Top bar shortcut:
-![Tasks in Top Bar](/images/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp)
+![Tasks in Top Bar](/images/identitymanager/home_topbar_v601.webp)
 DashBoard shortcut:
-![Task in Dashboard](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/home_mytasks_v523.webp)
+![Task in Dashboard](/images/identitymanager/home_mytasks_v523.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md
index 2be9e41433..d461e7ca60 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md
@@ -10,7 +10,7 @@ Generates the rights to access the workflow supervision page. Gives access to a shortcut on the dashboard to access this page.
-![Workflow Overview](/images/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp)
+![Workflow Overview](/images/identitymanager/home_workflowoverview_v602.webp)
 ## Examples
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md
index 7d1bf1e7be..1a78fac57e 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md
@@ -66,7 +66,7 @@ When getting Identity Manager [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following:
-![Universe (ExcludedProperty)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp)
+![Universe (ExcludedProperty)](/images/identitymanager/universe_excluded.webp)
 ### Mapping Path
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md
index c2dba594e9..36c6c9fbd8 100644
--- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md
@@ -55,7 +55,7 @@ When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following:
-![Universe (ExcludedProperty)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp)
+![Universe (ExcludedProperty)](/images/identitymanager/universe_excluded.webp)
 ### Root Instance
@@ -74,13 +74,13 @@ The following example generates a universe `U2_UserRecords` based on the entity ``` -![Universe (RootInstance)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) +![Universe (RootInstance)](/images/identitymanager/Universe_rootInstance.webp) When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (RootInstance)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) +![Universe (RootInstance)](/images/identitymanager/Universe_rootInstance.webp) #### RootInstance for several scaffoldings together @@ -99,13 +99,13 @@ the entity instances and follow the existing naming rule explained in the introd ``` -![Universe Schema (Several Scaffoldings with Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplicationschema.webp) +![Universe Schema (Several Scaffoldings with Data Duplication)](/images/identitymanager/Universe_severalDuplicationSchema.webp) When getting Identity Manager [data in Power BI](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Several Scaffoldings with Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp) +![Universe (Several Scaffoldings with Data Duplication)](/images/identitymanager/Universe_severalDuplication.webp) We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity instances. 
@@ -123,13 +123,13 @@ entity types `Directory_User` and `Directory_UserRecord`, renaming `Directory_Us ``` -![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp) +![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/Universe_severalNoDuplicationSchema.webp) When getting Identity Managerdata in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp) +![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/Universe_severalNoDuplication.webp) Thus we removed the duplicated data, and we understand easily the navigations of the model. @@ -177,13 +177,13 @@ It generates: ``` -![Universe (No Template)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp) +![Universe (No Template)](/images/identitymanager/universe_notemplateschema.webp) When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (No Template)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp) +![Universe (No Template)](/images/identitymanager/Universe_noTemplate.webp) We see here identifiers instead of display names due to `ColumnNamesMode` set to identifiers. 
@@ -220,13 +220,13 @@ It generates: ``` -![Universe (Template Schema: Owned Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp) +![Universe (Template Schema: Owned Resource Types)](/images/identitymanager/Universe_OwnedResourceTypesSchema.webp) When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Template: Owned Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypes.webp) +![Universe (Template: Owned Resource Types)](/images/identitymanager/Universe_OwnedResourceTypes.webp) #### ResourceResourceTypes @@ -243,13 +243,13 @@ owners of AD resources: The configuration generated by this snippet is similar to the one for `OwnedResourceTypes`. -![Universe (Template Schema: Resource Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp) +![Universe (Template Schema: Resource Resource Types)](/images/identitymanager/Universe_ResourceResourceTypesSchema.webp) When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Template: Resource Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp) +![Universe (Template: Resource Resource Types)](/images/identitymanager/Universe_ResourceResourceTypes.webp) #### Owned Single Roles 
@@ -281,13 +281,13 @@ It generates: ``` -![Universe (Template Schema: Owned Single Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp) +![Universe (Template Schema: Owned Single Roles)](/images/identitymanager/Universe_OwnedSingleRolesSchema.webp) When getting Identity Managerdata in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Template: Owned Single Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsingleroles.webp) +![Universe (Template: Owned Single Roles)](/images/identitymanager/Universe_OwnedSingleRoles.webp) #### Owned Composite Roles @@ -304,13 +304,13 @@ the composite roles assigned to users: The configuration generated by this snippet is similar to the one for `OwnedSingleRoles`. -![Universe (Template Schema: Owned Composite Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositerolesschema.webp) +![Universe (Template Schema: Owned Composite Roles)](/images/identitymanager/Universe_OwnedCompositeRolesSchema.webp) When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Template: Owned Composite Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp) +![Universe (Template: Owned Composite Roles)](/images/identitymanager/Universe_OwnedCompositeRoles.webp) ## Mixed Example 
@@ -334,4 +334,4 @@ When getting Identity Manager data in [Connect Power BI to Identity Manager](/docs/identitymanager/6.2/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see the following: -![Universe (Mixed Example)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp) +![Universe (Mixed Example)](/images/identitymanager/universe_mixedexample.webp) diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md index ced9863805..34697a72a3 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md @@ -13,7 +13,7 @@ the access rules page and the job execution page. Gives access to shortcuts on the dashboard to access these pages. -![Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) +![Connectors](/images/identitymanager/home_connectors_v602.webp) The scaffolding generates the following scaffoldings: diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md index 09921ba64e..199e562f61 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md 
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md @@ -14,7 +14,7 @@ map the properties in Identity Manager with those in ServiceNow, for provisionin Below is an example of an incident ticket in ServiceNow, where relevant properties (from Identity Manager's perspective) are emphasized: -![ServiceNow Ticket Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenow_example.webp) +![ServiceNow Ticket Example](/images/identitymanager/ServiceNow_example.webp) ## Examples diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md index 625c5b210a..a2405ed60e 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md 
@@ -31,17 +31,17 @@ script in the command line. Colors, logo and name customization: -![AppDisplay - Basic Screen](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen2_v603.webp) +![AppDisplay - Basic Screen](/images/identitymanager/appdisplaysetting_screen2_v603.webp) Display colors customization: -![AppDisplay - Authentication](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp) +![AppDisplay - Authentication](/images/identitymanager/appdisplaysetting_screen1_v603.webp) ### Disable counters The following example disables the counters that are usually visible on the dashboard: -![AppDisplay - Without Counters](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp) +![AppDisplay - Without Counters](/images/identitymanager/appdisplaysetting_counters_v603.webp) Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. @@ -50,7 +50,7 @@ script in the command line. ``` -![AppDisplay - Without Counters](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp) +![AppDisplay - Without Counters](/images/identitymanager/appdisplaysetting_nocounters_v603.webp) ### Features 
@@ -58,7 +58,7 @@ The feature **Only allow approving and refusing on access certifications items** administrator the option to limit the user's option to either **Approve** or **Deny** the Access Certification items while making the **More** button unavailable. -![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) +![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/allowapprovingdenyingaccesscertificationitems.webp) The following example disables the **More** button that is usually visible on certification screen: @@ -72,7 +72,7 @@ script in the command line. If the feature **Only allow approving and denying on access certification items** is set to **Yes**, the **More** button is disabled. -![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) +![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/accesscertificationonlyapprovedeny-disabled.webp) See the [Configure Global Settings](/docs/identitymanager/6.2/user-guide/set-up/configure-global-settings/index.md) diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md index 39d2cdd407..7558cb968b 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md 
@@ -106,4 +106,4 @@ script in the command line. | ResourceType optional | Int64 | Identifier of the resource type targeted by the rule. | | SingleRole optional | Int64 | Identifier of the single role targeted by the rule. | | Type required | AutomationRuleType | Object type targeted by the rule. 0 - CompositeRole. 1 - SingleRole. 2 - ResourceType. 4 - Category. 5 - Policy. | -| WorkflowState default value: 0 | WorkflowState | Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. 
`10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. ![Workflow State: Calculated](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined. See the [Reconcile a Property](/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. ![Workflow State: Cancellation](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. 
![Workflow State: Suggested](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. _Remember,_ the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. See the [Resource Type](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. ![Workflow State: Approved - Questioned](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. ![Workflow State: Pending Approval (Risk)](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. 
See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Prolonged](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp) **Found** - Will match assignments not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) **Historic** - Will match assignments not supported by a rule, which existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | +| WorkflowState default value: 0 | WorkflowState | Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. 
![Workflow State: Pending Approval - Requested](/images/identitymanager/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/images/identitymanager/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. ![Workflow State: Calculated](/images/identitymanager/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined. See the [Reconcile a Property](/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. 
![Workflow State: Cancellation](/images/identitymanager/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Suggested](/images/identitymanager/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. _Remember,_ the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. See the [Resource Type](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. ![Workflow State: Approved - Questioned](/images/identitymanager/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. 
![Workflow State: Pending Approval (Risk)](/images/identitymanager/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. See the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Prolonged](/images/identitymanager/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/images/identitymanager/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/images/identitymanager/118_givenbyarole_v603.webp) **Found** - Will match assignments not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) **Historic** - Will match assignments not supported by a rule, which existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md index 1ddded9305..2ad815f64c 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md 
@@ -107,7 +107,7 @@ we have only 2 dimensions, where for example `1`, `2`, `3`, etc. are users' poss `A`, `B`, `C`, etc. are users' possible departments in the company. When considering one dimension and sorting the dimension values per user percentage, we get the following table (right). -![Role Mining Tables](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp) +![Role Mining Tables](/images/identitymanager/contextrules_rolemining.webp) The tables here represent a simple situation with few dimensions. But the higher the number of dimensions, the more complex are role mining's computations. This is known as the curse of diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md index bba5a8ec5b..82cd3cf842 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md @@ -117,7 +117,7 @@ no contract or vice versa. Identity Manager offers the possibility to choose whe context is to be extended to the period without context. And in case we decide to use another context and extend its values, which context should it be? -![Schema - ExtensionKind](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp) +![Schema - ExtensionKind](/images/identitymanager/recordsection_extensionkind.webp) Here, we decide to extend an existing contract to the gap, for example because users' email addresses are built using the contract type to add `-ext` for external users. And we decide to not 
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md index 1e5901832f..091f742ddf 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md @@ -148,7 +148,7 @@ property based on users' last names. The following scenario is about a user named Cedric Blanc, whose AD's sn property is set by the scalar rule to Blanc. -![Example - State 0](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state0_v602.webp) +![Example - State 0](/images/identitymanager/DiscardManualAssignments_state0_V602.webp) Let's see what happens when the user's name is changed manually directly in the AD. 
@@ -158,15 +158,15 @@ between the value calculated by the rule and the actual value in the AD. This di by the next synchronization, triggering a non-conforming assignment on the Resource Reconciliation page. -![Example - State 1](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp) +![Example - State 1](/images/identitymanager/DiscardManualAssignments_state1_V602.webp) -![Example - Step 1](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp) +![Example - Step 1](/images/identitymanager/DiscardManualAssignments_step1_V602.webp) -![Example - Step 2](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step2_v602.webp) +![Example - Step 2](/images/identitymanager/DiscardManualAssignments_step2_V602.webp) Once this manual new value is confirmed, the property is stated as **Approved**. -![Example - State 2](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp) +![Example - State 2](/images/identitymanager/DiscardManualAssignments_state2_V602.webp) Now suppose that the user's last name is changed to Black via Identity Manager's workflows. As the source data is changed, the scalar rule computes a new value for sn. There are two options: 
@@ -177,7 +177,7 @@ source data is changed, the scalar rule computes a new value for sn. There are t the AD stays as is, no matter the changes in the source data (here the user's last name). Identity Manager only states the property's value as Questioned. - ![Example - State 3](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state3_v602.webp) + ![Example - State 3](/images/identitymanager/DiscardManualAssignments_state3_V602.webp) :::note No change in the source data can affect the property's value. However, any manual @@ -195,11 +195,11 @@ source data is changed, the scalar rule computes a new value for sn. There are t ::: - ![Example - State 4](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp) + ![Example - State 4](/images/identitymanager/DiscardManualAssignments_state4_V602.webp) In this scenario for Cedric Blanc, these behaviors can be summed up like the following: -![Schema for DiscardManualAssignments](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_schema.webp) +![Schema for DiscardManualAssignments](/images/identitymanager/discardmanualassignments_schema.webp) ### Correlate Multiple Resources 
@@ -210,53 +210,53 @@ with the **Suggest all resources** option to fine tune the behavior. Below, we illustrate the different scenarios that are possible, taking into consideration whether a resource type has previously been correlated to the owner or not. -![suggestallcorrelations-nnn](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn.webp) +![suggestallcorrelations-nnn](/images/identitymanager/suggestallcorrelations-nnn.webp) - The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** there is no Resource already correlated so the first match with the highest confidence rate is **Correlated** if it is > 100 or **Suggested** if it is < 100. As for all other matches with lower confidence rate they will be ignored. - ![suggestallcorrelations-nnn2](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn2.webp) + ![suggestallcorrelations-nnn2](/images/identitymanager/suggestallcorrelations-nnn2.webp) If there are no Resources to be correlated with a confidence rate >100, the ones below with confidence rate below 100 are Suggested or Ignored. - ![suggestallcorrelations-nny](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nny.webp) + ![suggestallcorrelations-nny](/images/identitymanager/suggestallcorrelations-nny.webp) - The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** there is one Resource already correlated so due to this all future correlations will be ignored. 
- ![suggestallcorrelations-nyn](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyn.webp) + ![suggestallcorrelations-nyn](/images/identitymanager/suggestallcorrelations-nyn.webp) - The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** is **Yes** there is no Resource already correlated so all Resource Types will be **Suggested**. - ![suggestallcorrelations-nyy](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyy.webp) + ![suggestallcorrelations-nyy](/images/identitymanager/suggestallcorrelations-nyy.webp) - The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** **Yes** there is one Resource already correlated so the Resource Types that have a confidence rate `>100` will be **Suggested**. As for all other matches with lower confidence rate they will be ignored. - ![suggestallcorrelations-ynn](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn.webp) + ![suggestallcorrelations-ynn](/images/identitymanager/suggestallcorrelations-ynn.webp) - The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **No**, and there is no Resource already correlated so Resource Types that have a confidence rate `>100` will be **Correlated** and the ones `<100` will be **Suggested** if there are no higher matches otherwise they will be ignored. - ![suggestallcorrelations-ynn2](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn2.webp) + ![suggestallcorrelations-ynn2](/images/identitymanager/suggestallcorrelations-ynn2.webp) If there are no Resources to be correlated with a confidence rate `>100`, the ones with confidence rate below 100 are Suggested. 
- ![suggestallcorrelations-yny](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yny.webp) + ![suggestallcorrelations-yny](/images/identitymanager/suggestallcorrelations-yny.webp) - The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **No** there is one Resource already correlated so the matches with confidence rate `>100` will be **Correlated** and the ones `<100` will be ignored. - ![suggestallcorrelations-yyny](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yyny.webp) + ![suggestallcorrelations-yyny](/images/identitymanager/suggestallcorrelations-yyny.webp) - The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **Yes** one Resource could be already correlated or not so the matches with confidence rate `>100` will be @@ -563,7 +563,7 @@ matching the rule's criteria, a property is to be computed, by default, from the until their departure day. See the [Record Section](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) and [Context Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) topics for additional information. -![Schema - Default Application Period](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp) +![Schema - Default Application Period](/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp) A time offset adjusts the period for which the rule applies and computes a property's value. 
@@ -583,7 +583,7 @@ script in the command line. ``` -![Schema - Offset Application Period](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetexample.webp) +![Schema - Offset Application Period](/images/identitymanager/datamodel_scalarrule_timeoffsetexample.webp) If the time period of property computation exceeds the limits of the period of resource type assignment, then the period of resource type assignment is extended accordingly. @@ -594,7 +594,7 @@ rules, Default-offset rules overwrite the values of Around-offset rules, which o of Before-offset rules, which overwrite the values of After-offset rules. We could have the following: -![Schema - Overlapping Offsets](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp) +![Schema - Overlapping Offsets](/images/identitymanager/datamodel_scalarrule_timeoffsetoverlap.webp) ### Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md index 6a042e068f..8b555e29b5 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md 
@@ -34,7 +34,7 @@ selection dropdown of the following administration screens: By default, the entity type with the highest priority is selected first. The end user can later change the selection using the top-left dropdown. -![Change Selection](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp) +![Change Selection](/images/identitymanager/ui_displaypriorities_changeselection_v521beta.webp) Priorities are integer values, positive or negative. The most important priority is assigned to the lowest value. diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md index fcbf12425d..9dcb945433 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md @@ -22,7 +22,7 @@ Knowing that we have the following properties: ``` -![Display Property Group - Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp) +![Display Property Group - Example](/images/identitymanager/displaypropertygroup_example_v603.webp) Any property without a value is not displayed. diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md index e186009769..b298d04aab 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md 
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md @@ -26,7 +26,7 @@ script in the command line.              ``` -![Example - DisplayTableDesignElement Set to Table](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_table_v602.webp) +![Example - DisplayTableDesignElement Set to Table](/images/identitymanager/DisplayTableDesignElement_table_V602.webp) **DisplayTableDesignElement list** @@ -39,7 +39,7 @@ script in the command line.              ``` -![Example - DisplayTableDesignElement Set to List](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_list_v602.webp) +![Example - DisplayTableDesignElement Set to List](/images/identitymanager/displaytabledesignelement_list_v602.webp) :::tip Remember, for resources to be displayed as a list, the display table must also be configured with @@ -58,7 +58,7 @@ script in the command line.                  ``` -![Example - DisplayTableDesignElement Set to ResourceTable](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp) +![Example - DisplayTableDesignElement Set to ResourceTable](/images/identitymanager/displaytabledesignelement_resourcetable_v602.webp) ## Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/form/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/form/index.md index 3d1d4a75fe..2bc53a30c0 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/form/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/form/index.md 
@@ -34,64 +34,64 @@ The display settings allow you to adjust the display. When `HideRoles` is set to `true`, then the **Access Permissions** tab is not accessible. -![Access Permissions](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp) +![Access Permissions](/images/identitymanager/Form_hideRoles_V603.webp) **Adjust the request type** When `WorkflowRequestType` is set to `Self`, then the finalization step looks like: -![WorkflowRequestType = Self](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypeself_v603.webp) +![WorkflowRequestType = Self](/images/identitymanager/form_requesttypeself_v603.webp) When `WorkflowRequestType` is set to `Helpdesk`, then the finalization step looks like: -![WorkflowRequestType = Helpdesk](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp) +![WorkflowRequestType = Helpdesk](/images/identitymanager/Form_requestTypeHelpdesk_V603.webp) **Display records in a table** -![RecordTable Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_recordtable_v603.webp) +![RecordTable Example](/images/identitymanager/form_recordtable_v603.webp) **InputType display** The InputType represents the type of research property, attribute which supports only a predefined set of values listed below: -![inputtypeattachment](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeattachment.webp) +![inputtypeattachment](/images/identitymanager/inputtypeattachment.webp) - Attachment — represents a control for adding an attachment - Auto — takes by default the type of the EntityType property - ![inputtypecheckbox](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecheckbox.webp) + 
![inputtypecheckbox](/images/identitymanager/inputtypecheckbox.webp) - Checkbox — a boolean control which supports one of the two states - ![inputtypecombobox](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecombobox.webp) + ![inputtypecombobox](/images/identitymanager/inputtypecombobox.webp) - Combobox — a dropdown which supports single selection - ![inputtypecomboboxmultiselection](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecomboboxmultiselection.webp) + ![inputtypecomboboxmultiselection](/images/identitymanager/inputtypecomboboxmultiselection.webp) - ComboboxMultiSelection — a dropdown which supports multiple selection - ![inputtypedate](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypedate.webp) + ![inputtypedate](/images/identitymanager/inputtypedate.webp) - Date — Date control - Hidden — Hides the input - ![inputtypeimage](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeimage.webp) + ![inputtypeimage](/images/identitymanager/inputtypeimage.webp) - Image - Control to show / upload image - Inherited —Control to get the InputType of the associated display entity property (when nothing is specified in a Control of a Form, it's the default value). 
- ![inputtypepicker](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypepicker.webp) + ![inputtypepicker](/images/identitymanager/inputtypepicker.webp) - Picker — Opens a grid to select a resource - ![inputtypetext](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetext.webp) + ![inputtypetext](/images/identitymanager/inputtypetext.webp) - Text — Displays a single-line of text - ![inputtypetextarea](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetextarea.webp) + ![inputtypetextarea](/images/identitymanager/inputtypetextarea.webp) - TextArea — A textbox which supports carriage return character. diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md index 60b3ed702e..3905414ff6 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md 
@@ -56,7 +56,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Details | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md index 8e6ecb6828..212bbd3b90 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md 
@@ -77,7 +77,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked as The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Type | Description | | ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md index 4017509922..ab56ff8a90 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md 
@@ -38,7 +38,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Details | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md index ba31cc7618..a66aac740f 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md 
@@ -45,7 +45,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Details | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -68,7 +68,7 @@ resource which is the resource whose property we compute via the `BuildUniqueVal The rule compares the return value of the source binding/expression with the existing values of the target binding/expression in the target entity type. -![Schema: Unicity Check](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp) +![Schema: Unicity Check](/images/identitymanager/aspects_unicitycheck.webp) > For example, we need to generate an email address for any new user joining the company. We > configure in a `BuildUniqueValue` aspect that users' emails are computed with diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md index 9f98f3ac34..cbc500769b 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md 
+++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md @@ -44,7 +44,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked as The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Type | Description | | ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md index a030f8e012..2c43b3e31b 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md 
@@ -37,7 +37,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Details | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md index d1fe94d8db..ab8a4ab77d 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md 
@@ -45,7 +45,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) | Property | Details | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md index 84bf8644ed..e59d91cfc9 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md 
@@ -48,7 +48,7 @@ And with the following form for the record data's content and summary, and for t The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Update Position](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp) +![Form Example - Update Position](/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp) The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially @@ -57,7 +57,7 @@ modified, as one. The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: -![Summary Form Example - Update Position](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_summary_v603.webp) +![Summary Form Example - Update Position](/images/identitymanager/formexample_workflowaddandendrecordentityform_summary_v603.webp) ## Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md index 50c88eeb6c..e2af659fa5 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md 
@@ -52,7 +52,7 @@ And with the following form for the data that groups records together: The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Computer Request](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp) +![Form Example - Computer Request](/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp) The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially @@ -61,7 +61,7 @@ modified, as one. The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: -![Summary Form Example - Computer Request](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_summary_v603.webp) +![Summary Form Example - Computer Request](/images/identitymanager/formexample_workflowaddrecordentityform_summary_v603.webp) ## Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md index a2941425b2..0b4a244705 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md 
@@ -59,11 +59,11 @@ And with the following form for the workflow's summary: The content of `MainControl` is visible during the workflow's execution: -![Form Example - Site Creation](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp) +![Form Example - Site Creation](/images/identitymanager/formexample_workflowcreateentityform_v603.webp) The content of `SummaryControl` is visible after the workflow's execution: -![Summary Form Example - Site Creation](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_summary_v603.webp) +![Summary Form Example - Site Creation](/images/identitymanager/formexample_workflowcreateentityform_summary_v603.webp) ## Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md index b653425af2..2219e9ab4f 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md 
@@ -55,7 +55,7 @@ And with the following form for the workflow's summary on record data: The content of `MainControl` is visible during the workflow's execution: -![Form Example - New User from HR](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp) +![Form Example - New User from HR](/images/identitymanager/formexample_workflowcreaterecordentityform_v603.webp) The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution. diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md index 98c9764cf8..557ad886aa 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md @@ -72,7 +72,7 @@ And with the following form for the data specific to each record: The contents of `MainControl`, `RecordControl` and `RecordUniqueItemControl` are visible during the workflow's execution: -![Form Example - New User from Helpdesk](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp) +![Form Example - New User from Helpdesk](/images/identitymanager/formexample_workflowcreateseveralrecordsentityform_v603.webp) ## Properties 
diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md index e6fde96e57..0544ae0da5 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md @@ -30,11 +30,11 @@ With the following form for the workflow's content and summary: The content of `MainControl` is visible during the workflow's execution: -![Form Example - Computer Request](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp) +![Form Example - Computer Request](/images/identitymanager/formexample_workfloweditentityform_v603.webp) The content of `SummaryControl` is visible after the workflow's execution: -![Summary Form Example - Computer Request](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_summary_v603.webp) +![Summary Form Example - Computer Request](/images/identitymanager/formexample_workfloweditentityform_summary_v603.webp) ## Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md index e0e143a654..a253db4fb9 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md 
@@ -50,7 +50,7 @@ And with the following form for the data that groups records together: The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Mass Update](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp) +![Form Example - Mass Update](/images/identitymanager/formexample_workflowupdaterecordentitiesform_v603.webp) The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be modified as one. diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md index 57b0ee9da0..b7649cf8c8 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md @@ -79,7 +79,7 @@ systematically the main resource and all the associated records. The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Update Data](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp) +![Form Example - Update Data](/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp) The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially 
@@ -88,7 +88,7 @@ modified, as one. The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: -![Summary Form Example - Update Data](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp) +![Summary Form Example - Update Data](/images/identitymanager/formexample_workflowupdaterecordentityform_summary_v603.webp) ## Properties diff --git a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md index 0916436fa1..bfeeb74edf 100644 --- a/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md +++ b/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md 
@@ -73,12 +73,12 @@ And with the following form for the data that groups records together: The contents of `MainControl`, `RecordControl`, `RecordSlaveUniqueItemControl` and `RecordSlaveControl` are visible during the workflow's execution: -![Summary Form Example - Update Data](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp) +![Summary Form Example - Update Data](/images/identitymanager/formexample_workflowupdaterecordentityform_summary_v603.webp) When adding a new position, we decide to make `Title` available, in addition to the fields used to update existing records: -![Form Example - Manage a User's Positions - New Record](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp) +![Form Example - Manage a User's Positions - New Record](/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp) The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially diff --git a/docs/identitymanager/6.2/integration-guide/ui/create-menu-items/index.md b/docs/identitymanager/6.2/integration-guide/ui/create-menu-items/index.md index af516ba206..a9fd42163f 100644 --- a/docs/identitymanager/6.2/integration-guide/ui/create-menu-items/index.md +++ b/docs/identitymanager/6.2/integration-guide/ui/create-menu-items/index.md 
@@ -29,7 +29,7 @@ The other MenuItems are displayed from left to right. This XML element gives the following result: -![Add workflow link in resource list entity](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) +![Add workflow link in resource list entity](/images/identitymanager/workflowinentitylist.webp) ### Create menu items for a workflow in a resource view @@ -45,6 +45,6 @@ These workflows will manipulate the selected resource in the view. This XML element gives the following result: -![Workflow in resource view](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) +![Workflow in resource view](/images/identitymanager/workflowinresourceview.webp) -![All workflow in resource view*](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) +![All workflow in resource view*](/images/identitymanager/allworkflowinresourceview.webp) diff --git a/docs/identitymanager/6.2/integration-guide/ui/custom-display-table/index.md b/docs/identitymanager/6.2/integration-guide/ui/custom-display-table/index.md index 7639016af7..8cd00f2f2b 100644 --- a/docs/identitymanager/6.2/integration-guide/ui/custom-display-table/index.md +++ b/docs/identitymanager/6.2/integration-guide/ui/custom-display-table/index.md @@ -22,7 +22,7 @@ script in the command line. Here is the visualization of this display table on the interface: -![DisplayTable(Table)](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) +![DisplayTable(Table)](/images/identitymanager/displaytablestable.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a search bar. This avoids 
@@ -43,7 +43,7 @@ script in the command line. Here is the visualization of this resource table on the interface: -![ResourceTable](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) +![ResourceTable](/images/identitymanager/displaytablesresourcetable.webp) ## Display Table with Tiles @@ -71,7 +71,7 @@ script in the command line. Here is the visualization of this display table on the interface: -![DisplayTable with Tiles](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) +![DisplayTable with Tiles](/images/identitymanager/displaytablestiles.webp) See the [Display Table](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/integration-guide/ui/custom-search-bar/index.md b/docs/identitymanager/6.2/integration-guide/ui/custom-search-bar/index.md index 1b9addcf8c..1cddf2d063 100644 --- a/docs/identitymanager/6.2/integration-guide/ui/custom-search-bar/index.md +++ b/docs/identitymanager/6.2/integration-guide/ui/custom-search-bar/index.md @@ -24,7 +24,7 @@ To search on a resource list for an entity, you must enter a SearchBar tag for t Here is the visualization of this searchbar on the interface: -![SearchBarWithoutFilters](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) +![SearchBarWithoutFilters](/images/identitymanager/searchbarwithoutfilter.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids 
@@ -46,7 +46,7 @@ To add a default filter, you must add both of the following properties to a crit Here is the visualization of this criterion on the interface: -![SearchBarFilter](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) +![SearchBarFilter](/images/identitymanager/searchbarfilters.webp) ## Search Bar Menu diff --git a/docs/identitymanager/6.2/integration-guide/ui/how-tos/create-menu-items/index.md b/docs/identitymanager/6.2/integration-guide/ui/how-tos/create-menu-items/index.md index 59b99b314b..cac363f8c2 100644 --- a/docs/identitymanager/6.2/integration-guide/ui/how-tos/create-menu-items/index.md +++ b/docs/identitymanager/6.2/integration-guide/ui/how-tos/create-menu-items/index.md @@ -23,7 +23,7 @@ The other MenuItems are displayed from left to right. This XML element gives the following result: -![Add workflow link in resource list entity](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) +![Add workflow link in resource list entity](/images/identitymanager/workflowinentitylist.webp) ### Create menu items for a workflow in a resource view @@ -39,6 +39,6 @@ These workflows will manipulate the selected resource in the view. This XML element gives the following result: -![Workflow in resource view](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) +![Workflow in resource view](/images/identitymanager/workflowinresourceview.webp) -![All workflow in resource view*](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) +![All workflow in resource view*](/images/identitymanager/allworkflowinresourceview.webp) diff --git a/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-display-table/index.md b/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-display-table/index.md index 7b8087da8f..2e3cbe9bc6 100644 
--- a/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-display-table/index.md +++ b/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-display-table/index.md @@ -16,7 +16,7 @@ script in the command line. Here is the visualization of this display table on the interface: -![DisplayTable(Table)](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) +![DisplayTable(Table)](/images/identitymanager/displaytablestable.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a search bar. This avoids @@ -37,7 +37,7 @@ script in the command line. Here is the visualization of this resource table on the interface: -![ResourceTable](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) +![ResourceTable](/images/identitymanager/displaytablesresourcetable.webp) ## Display Table with Tiles @@ -65,7 +65,7 @@ script in the command line. Here is the visualization of this display table on the interface: -![DisplayTable with Tiles](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) +![DisplayTable with Tiles](/images/identitymanager/displaytablestiles.webp) See the [Display Table](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-search-bar/index.md b/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-search-bar/index.md index 95e980f6be..1a9cf743a6 100644 --- a/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-search-bar/index.md +++ b/docs/identitymanager/6.2/integration-guide/ui/how-tos/custom-search-bar/index.md 
@@ -18,7 +18,7 @@ To search on a resource list for an entity, you must enter a SearchBar tag for t Here is the visualization of this searchbar on the interface: -![SearchBarWithoutFilters](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) +![SearchBarWithoutFilters](/images/identitymanager/searchbarwithoutfilter.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids @@ -41,7 +41,7 @@ To add a default filter, you must add both of the following properties to a Here is the visualization of this criterion on the interface: -![SearchBarFilter](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) +![SearchBarFilter](/images/identitymanager/searchbarfilters.webp) ## Search Bar Menu diff --git a/docs/identitymanager/6.2/integration-guide/workflows/activity-templates/index.md b/docs/identitymanager/6.2/integration-guide/workflows/activity-templates/index.md index a04181700d..c17d3b2923 100644 --- a/docs/identitymanager/6.2/integration-guide/workflows/activity-templates/index.md +++ b/docs/identitymanager/6.2/integration-guide/workflows/activity-templates/index.md @@ -14,7 +14,7 @@ a template, made of states and transitions. Going through an activity means going through states and transitions. -![Activity Template - Example](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp) +![Activity Template - Example](/images/identitymanager/activitytemplates_example.webp) By default, Identity Manager's workflow engine implements the following activity templates: 
@@ -32,34 +32,34 @@ By default, Identity Manager's workflow engine implements the following activity Awaits user modifications without another user's intervention. -![Activity Template - Action](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp) +![Activity Template - Action](/images/identitymanager/activitytemplates_action.webp) ### ActionWithRefine Awaits user modifications with the possibility to delegate the action to another user. -![Activity Template - ActionWithRefine](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp) +![Activity Template - ActionWithRefine](/images/identitymanager/activitytemplates_actionwithrefine.webp) The `ActionWithRefine` activity can be translated into the following form: -![ActionWithRefine in the UI](/images/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp) +![ActionWithRefine in the UI](/images/identitymanager/activity_actionwithrefine_v602.webp) ### Review Awaits user approval without another user's intervention. -![Activity Template - Review](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp) +![Activity Template - Review](/images/identitymanager/activitytemplates_review.webp) ### ReviewWithFeedback Awaits user approval with the possiblity of getting feedback from another user before taking the action. 
-![Activity Template - ReviewWithFeedback](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp) +![Activity Template - ReviewWithFeedback](/images/identitymanager/activitytemplates_reviewwithfeedback.webp) The `ReviewWithFeedback` activity can be translated into the following form: -![ReviewWithFeedback in the UI](/images/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp) +![ReviewWithFeedback in the UI](/images/identitymanager/activity_reviewwithfeedback_v602.webp) ### Persist diff --git a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-mono/index.md b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-mono/index.md index fbd2f723a1..18df00ba5f 100644 --- a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-mono/index.md +++ b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-mono/index.md @@ -105,7 +105,7 @@ for additional information. ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp) +![UI Form](/images/identitymanager/howto_resourcecreationmono_form_v602.webp) ### Add a summary (Optional) @@ -123,7 +123,7 @@ Summary form: ``` -![UI Summary](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp) +![UI Summary](/images/identitymanager/howto_resourcecreationmono_summary_v602.webp) ## Assign the Right Permissions 
@@ -152,7 +152,7 @@ make the workflow accessible in the UI. Creating a new resource, an interesting location for this workflow could be the users list page. -![Workflow Menu Items - Users List](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) +![Workflow Menu Items - Users List](/images/identitymanager/menuitems_userslist_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: @@ -200,7 +200,7 @@ Partial form for user data: ``` -![UI Homonym Detection](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) +![UI Homonym Detection](/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp) ## Customize the Display Table (Optional) diff --git a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-multi/index.md b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-multi/index.md index 3c188c22fa..bc07c94442 100644 --- a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-multi/index.md +++ b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-create-multi/index.md @@ -126,7 +126,7 @@ topic for additional information. ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourcecreationmulti_form_v603.webp) ## Assign the Right Permissions 
@@ -156,7 +156,7 @@ to make the workflow accessible in the UI. Creating a new resource, an interesting location for this workflow could be the users list page. -![Workflow Menu Items - Users List](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) +![Workflow Menu Items - Users List](/images/identitymanager/menuitems_userslist_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: @@ -205,7 +205,7 @@ Partial form for user data: ``` -![UI Homonym Detection](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) +![UI Homonym Detection](/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp) ## Customize the Display Table (Optional) diff --git a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-mono/index.md b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-mono/index.md index c500d2e96c..ef904debdc 100644 --- a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-mono/index.md +++ b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-mono/index.md @@ -82,7 +82,7 @@ not involved in the changes of this workflow. ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourceupdatemono_form_v603.webp) `End of transition` sets the date for the change of records scheduled by this form. 
@@ -109,7 +109,7 @@ to make the workflow accessible in the UI. Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users. -![Workflow Menu Items - User's Page](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) +![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: diff --git a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-multi/index.md b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-multi/index.md index bbd70b5aab..5f00568bf3 100644 --- a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-multi/index.md +++ b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-multi/index.md @@ -129,7 +129,7 @@ not involved in the changes of this workflow. The `RecordSlaveControl` attribute calls here the same form as `RecordUniqueControl`, because it copies part of the main record to pre-fill the fields of `RecordUniqueControl`. -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourceupdatemulti_form_v603.webp) ## Assign the Right Permissions 
@@ -154,7 +154,7 @@ to make the workflow accessible in the UI. Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users. -![Workflow Menu Items - User's Page](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) +![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: diff --git a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-resource/index.md b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-resource/index.md index d79b46f59d..ee4a7458a9 100644 --- a/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-resource/index.md +++ b/docs/identitymanager/6.2/integration-guide/workflows/create-workflow/workflow-update-resource/index.md @@ -66,7 +66,7 @@ of the workflow's form and calls the form created previously: ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourceupdateno_form_v603.webp) ### Add a summary (Optional) @@ -83,7 +83,7 @@ displays the `IsDraft` attribute that the user just changed: ``` -![UI Summary](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp) +![UI Summary](/images/identitymanager/howto_resourceupdateno_summary_v603.webp) ## Assign the Right Permissions 
@@ -108,7 +108,7 @@ to make the workflow accessible in the UI. Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users. -![Workflow Menu Items - User's Page](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) +![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: diff --git a/docs/identitymanager/6.2/introduction-guide/architecture/index.md b/docs/identitymanager/6.2/introduction-guide/architecture/index.md index 35bd7899a8..2851ecfe8e 100644 --- a/docs/identitymanager/6.2/introduction-guide/architecture/index.md +++ b/docs/identitymanager/6.2/introduction-guide/architecture/index.md @@ -29,11 +29,11 @@ Identity Manager can be installed: - SaaS so that the server dwells in the cloud and is provided as a service; - ![Architecture: SaaS](/images/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + ![Architecture: SaaS](/images/identitymanager/architecture_saas.webp) - on-premises so that the server is installed on an isolated network within the company. - ![Architecture: On-Premises](/images/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + ![Architecture: On-Premises](/images/identitymanager/architecture_onprem.webp) ## Next Steps diff --git a/docs/identitymanager/6.2/introduction-guide/overview/entitlement-management/index.md b/docs/identitymanager/6.2/introduction-guide/overview/entitlement-management/index.md index 3f114466e4..9f8d6729e2 100644 --- a/docs/identitymanager/6.2/introduction-guide/overview/entitlement-management/index.md +++ b/docs/identitymanager/6.2/introduction-guide/overview/entitlement-management/index.md 
@@ -21,7 +21,7 @@ data on a given system, or a physical location. Identity Manager is designed to help establish an exhaustive and reliable catalog of the entitlements available in the managed systems, and assign the right entitlements to the right users. -![Role Catalog and Users](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp) +![Role Catalog and Users](/images/identitymanager/entitlements_rolecatalogusers.webp) Thus, the role model contains: @@ -31,7 +31,7 @@ Thus, the role model contains: accounts and permissions. Some of them are linked to, and thus apply only to, specific resource types. -![Role Model](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp) +![Role Model](/images/identitymanager/entitlements_rolemodel.webp) The role model is a subset of a policy that also includes [Governance](/docs/identitymanager/6.2/introduction-guide/overview/governance/index.md) data such as risk definition. So, at a higher level, distinct policies can be used to implement distinct @@ -47,12 +47,12 @@ Entitlements from the managed systems are modeled by roles. For each entitlement creating a single role, with an easily understandable name, more functional than technical, so that everyone knows what the role is for. -![Single Roles](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) +![Single Roles](/images/identitymanager/singlerolescatalog_schemarole.webp) Each individual entitlement should usually be modeled by a single role, and single roles can be grouped together into composite roles to be closer to real job positions. -![Composite Roles](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp) +![Composite Roles](/images/identitymanager/entitlements_compositeroles.webp) ## A Rule Set 
@@ -77,7 +77,7 @@ roles. > Thus, we should have a rule that, when a user is assigned a specific role, adds the user to the > member list of a specific AD group. -![Provisioning Rules](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp) +![Provisioning Rules](/images/identitymanager/entitlements_provisioningrules.webp) Even when a role is manually assigned, provisioning rules will determine which account (and permission groups) are given as entitlements. @@ -97,7 +97,7 @@ automatically assign roles to identities based on specific criteria. > For example, we can choose to assign the role `Benefits Manager - FR` to any user whose job title > is benefits manager and whose location is in France. -![Assignment Rules](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp) +![Assignment Rules](/images/identitymanager/entitlements_assignmentrules.webp) Once all assignment rules are created, Identity Manager is able to spot existing assignments that are not supported by any rule, marking them as non-conforming. @@ -120,7 +120,7 @@ they own. > steps in the workflows related to privileged accounts, for more security than for standard > accounts. -![Categorization Rules](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp) +![Categorization Rules](/images/identitymanager/entitlements_categorizationrules.webp) Identity Manager's categorization rules are: 
@@ -158,15 +158,15 @@ governed by users' attributes defined as dimensions. Let's schematize users arou - The schema with two dimensions would be a table, a square. - The schema with three dimensions would be a 3D cube. And you can imagine 4D or 5D hypercubes, etc.
-![Dimensions - 1D](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp)
+![Dimensions - 1D](/images/identitymanager/entitlements_dimension1.webp)
 #### 1D
-![Dimensions - 2D](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp)
+![Dimensions - 2D](/images/identitymanager/entitlements_dimension2.webp)
 #### 2D
-![Dimensions - 3D](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp)
+![Dimensions - 3D](/images/identitymanager/entitlements_dimension3.webp)
 ## Next Steps
diff --git a/docs/identitymanager/6.2/introduction-guide/overview/governance/index.md b/docs/identitymanager/6.2/introduction-guide/overview/governance/index.md
index c9dc41c5b7..9e228fb081 100644
--- a/docs/identitymanager/6.2/introduction-guide/overview/governance/index.md
+++ b/docs/identitymanager/6.2/introduction-guide/overview/governance/index.md
@@ -18,7 +18,7 @@ Rules and roles define a policy. By definition, assignments not supported by a r with the policy. These assignments are identified as non-conforming in order to be acted upon by knowledgeable users who can decide whether the assignment is warranted, such as security officers.
-![Non-Conforming Assignments](/images/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp)
+![Non-Conforming Assignments](/images/identitymanager/governance_nonconforming.webp)
 A non-conforming assignment must be reviewed in Identity Manager by a knowledgeable user, and is therefore:
diff --git a/docs/identitymanager/6.2/introduction-guide/overview/identity-management/index.md b/docs/identitymanager/6.2/introduction-guide/overview/identity-management/index.md
index d861937dbd..a93214e578 100644
--- a/docs/identitymanager/6.2/introduction-guide/overview/identity-management/index.md
+++ b/docs/identitymanager/6.2/introduction-guide/overview/identity-management/index.md
@@ -19,7 +19,7 @@ Companies often use about one system for each identity type. Identity Manager ca information from several source systems in order to build a central repository meant to contain all the data necessary to manage all identities throughout their whole lifecycle.
-![Usercube's Repository](/images/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp)
+![Usercube's Repository](/images/identitymanager/identities_repository.webp)
 Identity Manager's central repository acts as an intermediary between the systems that provide data, for example the HR system, and those that receive data, for example the Active Directory. This greatly reduces the complexity in the links between all systems.
@@ -28,7 +28,7 @@ Without an intermediary, adding one system to a set of n systems requires up to Now with the central repository as an intermediary, implementing a new system requires only one more set of rules. The complexity becomes linear.
-![quadratic-linear-complexity](/images/identitymanager/introduction-guide/overview/identity-management/quadratic-linear-complexity.webp)
+![quadratic-linear-complexity](/images/identitymanager/quadratic-linear-complexity.webp)
 ## An Entity Relationship Model
@@ -48,7 +48,7 @@ properties which make links between entities, quite like foreign keys in a datab > Another entity could be `SAB_User` to model SAB accounts owned by users from `Directory_User`. The > accounts from `SAB_User` could be related to groups from another entity `SAB_Group`.
-![Entity Type - Schema](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp)
+![Entity Type - Schema](/images/identitymanager/entitytypecreation_schema.webp)
 These entities' instances are called resources in Identity Manager. A resource can be the digital identity of a user (human or bot), or an AD account or any other account, or an entry from the HR
@@ -70,7 +70,7 @@ Each entity is related to a managed system, for example the Active Directory or etc. The reading/writing data between the system and Identity Manager are ensured by connectors. So Identity Manager can be configured with one connector for each managed system.
-![Connector Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp)
+![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp)
 For a given system, a connector contains:
@@ -82,13 +82,13 @@ For a given system, a connector contains: Thus, a connector enables synchronization, i.e. Identity Manager reading from a managed system via an [extract, transform, load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process.
-![Synchronization](/images/identitymanager/introduction-guide/overview/overview_synchronization.webp)
+![Synchronization](/images/identitymanager/overview_synchronization.webp)
 > A typical example is the synchronization of the HR system's data to retrieve employees' personal > information. It also enables provisioning, i.e. Identity Manager writing to a managed system, but that is something we will dig into later.
-![Provisioning](/images/identitymanager/introduction-guide/overview/overview_provisioning.webp)
+![Provisioning](/images/identitymanager/overview_provisioning.webp)
 ## Repository Updates
diff --git a/docs/identitymanager/6.2/introduction-guide/overview/index.md b/docs/identitymanager/6.2/introduction-guide/overview/index.md
index 6719eab2f0..ab509ba212 100644
--- a/docs/identitymanager/6.2/introduction-guide/overview/index.md
+++ b/docs/identitymanager/6.2/introduction-guide/overview/index.md
@@ -36,7 +36,7 @@ a central repository. This repository should contain all the organizational data management for all users, meaning not only employees but also contractors, bots, or any kind of identity.
-![Synchronization](/images/identitymanager/introduction-guide/overview/overview_synchronization.webp)
+![Synchronization](/images/identitymanager/overview_synchronization.webp)
 **This implies involving external systems.**
@@ -44,7 +44,7 @@ Access management requires reading/writing data to/from varied systems and appli Active Directory. Identity Manager provides an expanded set of connectors which contain the technology required for IGA-related data flows.
-![Connectors](/images/identitymanager/introduction-guide/overview/overview_connectors.webp)
+![Connectors](/images/identitymanager/overview_connectors.webp)
 See more details on [Identity Management](/docs/identitymanager/6.2/introduction-guide/overview/identity-management/index.md) and connection between systems.
@@ -65,7 +65,7 @@ As each working environment has its own particularities, you will be able to ref model by defining dimensions, i.e. criteria from among organizational data that will trigger the rules.
-![Calculation](/images/identitymanager/introduction-guide/overview/overview_calculation.webp)
+![Calculation](/images/identitymanager/overview_calculation.webp)
 **---**
@@ -76,7 +76,7 @@ dictated by the role model. This provisioning can be done either directly, with provisioning, or by notifying system administrators of the needed changes. Thus, identities finally get their entitlements.
-![Provisioning](/images/identitymanager/introduction-guide/overview/overview_provisioning.webp)
+![Provisioning](/images/identitymanager/overview_provisioning.webp)
 Furthermore, Identity Manager provides a few workflows for entitlement request or user data modification, which often include approval from a third party, hence identities get their
diff --git a/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-execution/index.md b/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-execution/index.md
index 069ef07ddc..594785667d 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-execution/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-execution/index.md
@@ -36,15 +36,15 @@ Execute certification by proceeding as follows: 1. Access the ongoing campaigns by clicking on the **Access Certification** section on the home page.
- ![Home - Access Certification](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp)
+ ![Home - Access Certification](/images/identitymanager/home_accesscertification_v523.webp)
 On this page, all assignments to be reviewed are listed.
- ![Access Certification](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp)
+ ![Access Certification](/images/identitymanager/certifcampaign_accesscertification_v602.webp)
 Each assignment can be commented by clicking on the corresponding icon.
- ![Comment Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg)
+ ![Comment Icon](/images/identitymanager/certifcampaign_iconcomment_v522.svg)
 2. Choose one of the three possibilities to verify all assignments one by one:
@@ -62,24 +62,24 @@ Execute certification by proceeding as follows: However, it has been manually granted or denied. Thus there is no recommendation, please review this entitlement carefully.
- ![Recommendation Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg)
+ ![Recommendation Icon](/images/identitymanager/certifcampaign_iconrecommendation_v522.svg)
- ![Discouragement Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg)
+ ![Discouragement Icon](/images/identitymanager/certifcampaign_icondiscouragement_v522.svg)
 - Either click on the approval icon to confirm that this entitlement is necessary for this identity.
- ![Approval Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg)
+ ![Approval Icon](/images/identitymanager/certifcampaign_iconapproval_v522.svg)
 - Or click on the decline icon to confirm that this entitlement is not necessary for this identity.
- ![Decline Icon](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg)
+ ![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg)
 - Or click on the three dots icon to highlight that this entitlement is not part of your scope of responsibility and forward it to the adequate person.
- ![Forward Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg)
+ ![Forward Icon](/images/identitymanager/certifcampaign_iconforward_v522.svg)
 3. Click on **Confirm Decisions** on the left of the page.
@@ -91,16 +91,16 @@ Execute certification by proceeding as follows: Existing certification campaigns are listed on the page accessible via the **Access Certification Campaigns** button on the home page in the **Administration** section.
-![Home - Access Certification Campaigns](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp)
+![Home - Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp)
-![Campaigns Page](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp)
+![Campaigns Page](/images/identitymanager/certifcampaign_campaigns_v602.webp)
 ### Get reports A **Download** button is available for each campaign. It downloads a CSV report that lists all the entitlement assignments to be reviewed, the corresponding reviewers and their decisions.
-![Report Example](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp)
+![Report Example](/images/identitymanager/certifcampaign_decisions_v522.webp)
 ### Send notifications
@@ -116,4 +116,4 @@ campaign. The campaign administrator can then decide to actually apply said deci the appropriate provisioning orders for deprovisioning unjustified entitlements. Said orders will be considered during the next provisioning job.
-![Apply Decisions](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp)
+![Apply Decisions](/images/identitymanager/certifcampaign_applydecisions_v602.webp)
diff --git a/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md b/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md
index 96079d3b20..dd6db5eb66 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md
@@ -35,13 +35,13 @@ Create an access certification campaign by proceeding as follows: 1. Click on **Access Certification Campaigns** in the **Administration** section on the home page.
- ![Home - Access Certification Campaigns](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp)
+ ![Home - Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp)
 2. Click on the addition button at the top right and fill in the fields.
- ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg)
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
- ![New Certification Campaign](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp)
+ ![New Certification Campaign](/images/identitymanager/certifcampaign_newcertificationcampaign_v602.webp)
 - `Identifier`: Must be unique among certification campaigns and must not contain whitespace. - `Name`: Will be displayed in the UI to identify the campaign.
@@ -59,7 +59,7 @@ Create an access certification campaign by proceeding as follows: defines the campaign scope (e.g., by object type, category, approval state). The campaign uses the union of all specificities.
- ![Target Specificities](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp)
+ ![Target Specificities](/images/identitymanager/certifcampaign_targetspecificities_v602.webp)
 The campaign will target permissions that meet the **intersection (AND)** of all criteria.
@@ -68,11 +68,11 @@ Create an access certification campaign by proceeding as follows: - `Target Owners`: Filters based on identity attributes for those whose access is being reviewed. All filters are combined using **intersection (AND)** logic.
- ![Target Owner Filters](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp)
+ ![Target Owner Filters](/images/identitymanager/certifcampaign_targetowners_v602.webp)
 Additional filters may be available depending on the target entity type.
- ![Target Owner Additional Filters](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp)
+ ![Target Owner Additional Filters](/images/identitymanager/certifcampaign_targetownersadditional_v603.webp)
 - `Individual Owner`: A single identity whose access is to be certified. - `Active Target`: Identities with a specific property (from `Directory_UserRecord`)
@@ -83,11 +83,11 @@ Create an access certification campaign by proceeding as follows: > The following campaign targets all assigned single roles for two specific users: >
- > ![Campaign Example](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp)
+ > ![Campaign Example](/images/identitymanager/certifcampaign_example_v602.webp)
 3. Click **Create** to add the campaign to the list.
- ![Campaigns Page](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp)
+ ![Campaigns Page](/images/identitymanager/certifcampaign_newlycreated_v603.webp)
 4. Apply changes by clicking **Launch** to run the access certification job.
@@ -95,7 +95,7 @@ Create an access certification campaign by proceeding as follows: > Example: >
- > ![Execute Access Reviews Job](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp)
+ > ![Execute Access Reviews Job](/images/identitymanager/certifcampaign_job_v522.webp)
 ## Impact of Modifications
diff --git a/docs/identitymanager/6.2/user-guide/administrate/assigned-roles/index.md b/docs/identitymanager/6.2/user-guide/administrate/assigned-roles/index.md
index 1cdcdc5cd8..4415b84f69 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/assigned-roles/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/assigned-roles/index.md
@@ -51,11 +51,11 @@ script in the command line. Review the Assigned Roles by proceeding as follows:
-![assignedroles](/images/identitymanager/user-guide/administrate/assigned-roles/assignedroles.webp)
+![assignedroles](/images/identitymanager/assignedroles.webp)
 **Step 1 –** On the home page, in the Administration section of the UI click on Assigned Roles.
-![assignedrolesscreen](/images/identitymanager/user-guide/administrate/assigned-roles/assignedrolesscreen.webp)
+![assignedrolesscreen](/images/identitymanager/assignedrolesscreen.webp)
 **Step 2 –** View the list of users with different assigned roles and filter them by **Entity Type**, **Workflow State**, **Policy**, **Role**or by using a custom filter.
diff --git a/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md b/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md
index 9540716634..ca997edd86 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md
@@ -36,15 +36,15 @@ View the identity's entitlements by proceeding as follows: 1. Access the user directory from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Click on the user to be checked.
- ![Workflow - User](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp)
+ ![Workflow - User](/images/identitymanager/datamodif_user_v602.webp)
 3. Click on **View Permissions** to access the entitlement list.
- ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
 ## Modify Identity's Entitlements
@@ -52,16 +52,16 @@ Act on an existing identity by proceeding as follows: 1. Access the user directory from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Click on the user to be modified.
- ![Workflow - User](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp)
+ ![Workflow - User](/images/identitymanager/datamodif_user_v602.webp)
 3. Click on **Actions** > **Modify Permissions** to launch the workflow for a manual entitlement request.
- ![Workflow - Modify Permissions](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp)
+ ![Workflow - Modify Permissions](/images/identitymanager/datamodif_changeuser_v602.webp)
 4. Follow the workflow's instructions to select entitlements and the action to be performed. You can:
@@ -88,6 +88,6 @@ Act on an existing identity by proceeding as follows: In order to verify the process, check that the change you made in the user's entitlements is displayed in their **View Permissions** tab in the directory.
-![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
-![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
diff --git a/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md b/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md
index 0379e97504..a145341b17 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md
@@ -51,11 +51,11 @@ As roles and navigation properties are technically bonded together, their review > each role on the **Role Reconciliation** screen, and one item for all changes in the AD account on > the **Resource Reconciliation** screen: >
-> ![Example - Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp)
+> ![Example - Role Reconciliation](/images/identitymanager/reviewrole_examplerole_v602.webp)
 >
-> ![Example - Resource Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp)
+> ![Example - Resource Reconciliation](/images/identitymanager/reviewrole_exampleresource_v602.webp)
 >
-> ![Example - Resource Reconciliation - Properties](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp)
+> ![Example - Resource Reconciliation - Properties](/images/identitymanager/reviewrole_exampleresourceprop_v602.webp)
 ## Participants and Artifacts
@@ -73,20 +73,20 @@ Review an unreconciled property by proceeding as follows: 1. Ensure that the task for the computation of the role model was launched recently, through the complete job on the **Job Execution** page
- ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+ ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 Or through the connector's overview page, **Jobs** > **Compute Role Model**.
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the home page.
- ![Home Page - Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp)
+ ![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp)
 3. Select `Unreconciled properties` as a `Workflow State`.
- ![Unreconciled Property](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp)
+ ![Unreconciled Property](/images/identitymanager/reviewprop_unreconciled_v522.webp)
 4. Choose the default resource view or the property view with the top right toggle. See the Reconcile a Property topic for additional information.
@@ -96,7 +96,7 @@ Review an unreconciled property by proceeding as follows: > nominative SAB account associated with his email address. In the **Resource Properties to be > Verified** frame, there is one unreconciled property that happens to be `Group`. >
- > ![Unreconciled Property Example](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp)
+ > ![Unreconciled Property Example](/images/identitymanager/reviewprop_example_v602.webp)
 - `Name`: unreconciled property name. - `Proposed Value`: value proposed by Identity Manager.
@@ -115,11 +115,11 @@ Review an unreconciled property by proceeding as follows: - Either click on the approval icon to update the property with the proposed value. It discards the whole property history.
- ![Addition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg)
+ ![Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg)
- ![Edition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg)
+ ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg)
- ![Deletion Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg)
+ ![Deletion Icon](/images/identitymanager/reviewrole_icondelete_v602.svg)
 Automatic changes are essential for frequently-changing attributes. However, saving history information can sometimes be important for some attributes such as logins and emails.
@@ -127,7 +127,7 @@ Review an unreconciled property by proceeding as follows: - Or click on the decline icon to not update the property and keep the resource value. In the future, this property will no longer be changed automatically.
- ![Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg)
+ ![Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg)
 Retaining manual control of changes for sensitive data (i.e. `SAMAccountName`) can be of interest. Identity Manager won't be able to change this data and the service account manager
@@ -138,20 +138,20 @@ Review an unreconciled property by proceeding as follows: - Or click on the postponement icon to delay the decision. An unreconciled property is ignored by Identity Manager, and therefore cannot be modified.
- ![Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg)
+ ![Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg)
 7. Click on **Confirm Property Values**. 8. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**.
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 ### Use property view By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource.
-![Resource View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp)
+![Resource View](/images/identitymanager/orphan_resourceview_v523.webp)
 It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view
@@ -161,7 +161,7 @@ Once enabled, select a resource type to display all unreconciled properties link type. In addition, select a property to display only the unreconciled properties linked to said resource type and property.
-![Property View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp)
+![Property View](/images/identitymanager/orphan_propertyview_v603.webp)
 The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line.
@@ -169,7 +169,7 @@ a given line, but choose a decision directly on the left of the property line. In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously.
-![Bulk Reconcile](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp)
+![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp)
 ## Verify Property Reconciliation
diff --git a/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md b/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md
index db0c4a7460..46d62d08bc 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md
@@ -54,11 +54,11 @@ As roles and navigation properties are technically bonded together, their review > each role on the **Role Reconciliation** screen, and one item for all changes in the AD account on > the **Resource Reconciliation** screen: >
-> ![Example - Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp)
+> ![Example - Role Reconciliation](/images/identitymanager/reviewrole_examplerole_v602.webp)
 >
-> ![Example - Resource Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp)
+> ![Example - Resource Reconciliation](/images/identitymanager/reviewrole_exampleresource_v602.webp)
 >
-> ![Example - Resource Reconciliation - Properties](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp)
+> ![Example - Resource Reconciliation - Properties](/images/identitymanager/reviewrole_exampleresourceprop_v602.webp)
 ## Participants and Artifacts
@@ -77,22 +77,22 @@ Review a non-conforming permission by proceeding as follows: [Compute Role Model Task](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) was launched recently, through the complete job on the **Job Execution** page
- ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+ ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 Or through the connector's overview page, **Jobs** > **Compute Role Model**.
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 2. On the home page, click on the entity type that you want to manage in the **Role Reconciliation** section, to get to the non-conforming permissions page.
- ![Home Page - Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp)
+ ![Home Page - Role Reconciliation](/images/identitymanager/home_rolereconciliation_v523.webp)
- ![Role Reconciliation Page](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp)
+ ![Role Reconciliation Page](/images/identitymanager/reviewrole_rolereconciliation_v603.webp)
 Each non-conforming permission can be commented by clicking on the corresponding icon.
- ![Comment Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg)
+ ![Comment Icon](/images/identitymanager/certifcampaign_iconcomment_v522.svg)
 3. Choose one of the two possibilities to verify the permission:
@@ -101,27 +101,27 @@ Review a non-conforming permission by proceeding as follows: - Either click on the approval icon to keep the non-conforming permission. - ![Approval Icon](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg) + ![Approval Icon](/images/identitymanager/orphan_iconapprove_v602.svg) - Or click on the decline icon to delete the non-conforming permission. - ![Decline Icon](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg) + ![Decline Icon](/images/identitymanager/orphan_icondecline_v522.svg) 4. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. See the [Provision](/docs/identitymanager/6.2/user-guide/administrate/provisioning/index.md) topic for additional information. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ### Use bulk provisioning Several roles can be reconciled simultaneously by clicking on **Bulk Reconcile Roles**. -![Bulk Reconcile Roles](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp) +![Bulk Reconcile Roles](/images/identitymanager/reviewrole_rolereconciliationbulk_v603.webp) ## Verify Role Reconciliation In order to verify the process, check that the changes you ordered appear on the corresponding user's **View Permissions** tab. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) 
diff --git a/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md b/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md
index 2b332c2f60..4753e9a421 100644
--- a/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md
+++ b/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md
@@ -31,20 +31,20 @@ Review an unauthorized account by proceeding as follows: [Compute Role Model Task](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) was launched recently, through the complete job on the **Job Execution** page: - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) Or through the connector's overview page, **Jobs** > **Compute Role Model**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) 2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the home page. - ![Home Page - Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + ![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) 3. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts appear with no owner. - ![Resource Reconciliation Page](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + ![Resource Reconciliation Page](/images/identitymanager/unauth_unauthorizedaccounts_v602.webp) 4. Choose the default resource view or the property view with the top right toggle. 5. Click on the line of an account with an owner. 
@@ -53,7 +53,7 @@ Review an unauthorized account by proceeding as follows: `U40897 / Internal Users / acme / com` has the owner `Maxime Guillot` with an 80% confidence rate. - ![Select Decision](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp) + ![Select Decision](/images/identitymanager/unauth_reviewunauthorized_v602.webp) The displayed confidence rate means that a rule actually assigned the account to the identity, but with a confidence rate too low to imply full automatic assignment. Approval will be @@ -64,7 +64,7 @@ Review an unauthorized account by proceeding as follows: by clicking on the edit button. See the [Reconcile a Property](/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. - ![Edit Button](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp) + ![Edit Button](/images/identitymanager/unauth_updateprop_v522.webp) 6. Select the appropriate decision. 
@@ -76,14 +76,14 @@ Review an unauthorized account by proceeding as follows: overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ### Use property view By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource. -![Resource View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view @@ -93,7 +93,7 @@ Once enabled, select a resource type to display all unreconciled properties link type. In addition, select a property to display only the unreconciled properties linked to said resource type and property. -![Property View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. 
@@ -101,7 +101,7 @@ a given line, but choose a decision directly on the left of the property line. In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. -![Bulk Reconcile](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **Approve Current Values**, does not approve their unreconciled properties which will still be displayed on this @@ -112,4 +112,4 @@ screen. In order to verify the process, check that the changes you ordered appear on the corresponding user's **View Permissions** tab. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.2/user-guide/administrate/orphan-unused-account-review/index.md b/docs/identitymanager/6.2/user-guide/administrate/orphan-unused-account-review/index.md index 3a80a70c33..8f60ad9975 100644 --- a/docs/identitymanager/6.2/user-guide/administrate/orphan-unused-account-review/index.md +++ b/docs/identitymanager/6.2/user-guide/administrate/orphan-unused-account-review/index.md 
@@ -19,7 +19,7 @@ activity. A list of all orphaned accounts can be found on some entity type pages. Said pages can be accessed through the menu items on the left of the home page, in the **Connectors** section. -![Home - Entity Types](/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) +![Home - Entity Types](/images/identitymanager/home_entitytypes_v602.webp) These entity type pages can be configured via XML to customize all displayed columns and available filters, especially the **Orphan** filter that spots uncorrelated resources, and the **Owner / @@ -27,7 +27,7 @@ Resource Type** column that shows the owner of each resource. See the[Create Menu Items](/docs/identitymanager/6.2/integration-guide/ui/create-menu-items/index.md) topic for additional information on customization. -![Owner / Resource Type Column](/images/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) +![Owner / Resource Type Column](/images/identitymanager/orphan_entitytype_v523.webp) In the **Orphan** field, select **Yes** to see all existing resources without an owner. @@ -91,7 +91,7 @@ filters in the query module, based on said property. See the The previous example about the AD's **isUnused** property can be complemented in the query module by displaying this property alongside users' **EmployeeId**. -![Query of Unused Accounts](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp) +![Query of Unused Accounts](/images/identitymanager/orphan_unusedquery_v602.webp) ## Participants and Artifacts 
@@ -106,12 +106,12 @@ table below. Review an orphaned account by proceeding as follows: -![Home Page - Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) +![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) **Step 1 –** Go to the **Resource Reconciliation** page, accessible from the corresponding section on the home page. -![Resource Reconciliation Page](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) +![Resource Reconciliation Page](/images/identitymanager/unauth_unauthorizedaccounts_v602.webp) **Step 2 –** Select **Unauthorized account** as the **Workflow State**. Orphaned accounts are those appearing with no owner. @@ -120,14 +120,14 @@ appearing with no owner. **Step 4 –** Click on the line of an account without an owner. -![Select Owner](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp) +![Select Owner](/images/identitymanager/orphan_revieworphans_v602.webp) In the following example, the nominative AD account linked to the email address nathan.smith@acme.com has no owner. You can **Select owner** from the list by clicking on the check box. -![Owners List](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp) +![Owners List](/images/identitymanager/orphan_revieworphans-owners_v602.webp) **Step 5 –** Answer the following questions in order to understand the situation. 
@@ -164,7 +164,7 @@ not deprovisioned. See the schema below this note. -![Schema - Service Accounts](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp) +![Schema - Service Accounts](/images/identitymanager/orphan_serviceaccounts.webp) **Step 6 –** Select the appropriate owner or no owner at all, according to the previous analysis. @@ -189,7 +189,7 @@ By taking the necessary steps the orphan account will be delete or authorized. By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource. -![Resource View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view 
@@ -199,12 +199,12 @@ Once enabled, select a resource type to display all unreconciled properties link type. In addition, select a property to display only the unreconciled properties linked to said resource type and property. -![Property View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. -![Bulk Reconcile](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. @@ -214,7 +214,7 @@ the current values for several resources simultaneously. In order to verify the process, check that the line for your reviewed item has been removed from the **Resource Reconciliation** screen. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) In addition, if you reconciled an orphaned account with an owner, check the user's permissions to see said account. diff --git a/docs/identitymanager/6.2/user-guide/administrate/provisioning/automatic-provisioning/index.md b/docs/identitymanager/6.2/user-guide/administrate/provisioning/automatic-provisioning/index.md index 88a5ee3b9b..6749436f5d 100644 --- a/docs/identitymanager/6.2/user-guide/administrate/provisioning/automatic-provisioning/index.md +++ b/docs/identitymanager/6.2/user-guide/administrate/provisioning/automatic-provisioning/index.md 
@@ -20,7 +20,7 @@ In an assignment request's lifecycle, provisioning automation implies skipping t state as Identity Manager no longer waits for a user to make changes anymore. For this reason, an assignment request goes through the following provisioning states: -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp) +![Provisioning State Schema](/images/identitymanager/provauto_states_v523.webp) ## Participants and Artifacts @@ -45,7 +45,7 @@ Make sure that the task used to compute and generate provisioning orders was lau request (or the provisioning review, if any), through the complete job in the **Job Execution** page. -![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) +![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) ## Verify Automated Provisioning @@ -53,7 +53,7 @@ In order to verify the process: 1. Select a test user in the directory, accessible from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Follow the manual assignment workflow through [Request Entitlement Assignment](/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md) to make a change in diff --git a/docs/identitymanager/6.2/user-guide/administrate/provisioning/index.md b/docs/identitymanager/6.2/user-guide/administrate/provisioning/index.md index dd73eb5b66..79f392cde5 100644 --- a/docs/identitymanager/6.2/user-guide/administrate/provisioning/index.md +++ b/docs/identitymanager/6.2/user-guide/administrate/provisioning/index.md 
@@ -100,19 +100,19 @@ In order to perform the provisioning you have to: In order to verify the process: -![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) +![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) **Step 1 –** Select a test user in the directory, accessible from the home page. **Step 2 –** Follow the manual assignment workflow to make a change in one of their entitlements, which involves the type of provisioning that you want to test. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) **Step 3 –** Check the provisioning state of the requested entitlement at every step, in the user's **View Permissions** tab. -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) +![Provisioning State Schema](/images/identitymanager/prov_stateschema_v523.webp) Whether your provisioning workflows trigger provisioning review, or whether they trigger manual or automated provisioning, below is the global state schema. diff --git a/docs/identitymanager/6.2/user-guide/administrate/provisioning/manual-provisioning/index.md b/docs/identitymanager/6.2/user-guide/administrate/provisioning/manual-provisioning/index.md index 00bfaa8c88..140caf2e87 100644 --- a/docs/identitymanager/6.2/user-guide/administrate/provisioning/manual-provisioning/index.md +++ b/docs/identitymanager/6.2/user-guide/administrate/provisioning/manual-provisioning/index.md 
@@ -18,7 +18,7 @@ Identity Manager. In its lifecycle, an assignment request goes through the following provisioning states: -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp) +![Provisioning State Schema](/images/identitymanager/provmanual_states_v523.webp) ## Participants and Artifacts 
@@ -43,23 +43,23 @@ Perform manual provisioning by proceeding as follows: 1. Ensure that the task to compute or generate provisioning orders was launched after the request (or the provisioning review, if any), through the complete job in the **Job Execution** page. - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) - ![Manual Provisioning Screen](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp) + ![Manual Provisioning Screen](/images/identitymanager/provmanual_page_v603.webp) 2. Access the manual provisioning orders page by clicking on the entity type that you want to manage in the **Manual Provisioning** section. - ![Home Page - Manual Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + ![Home Page - Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp) 3. Choose a line to handle the corresponding provisioning order. 4. Creation, edition and deletion orders follow the same process: read Identity Manager's suggestions and create, edit or delete the appropriate resource directly in the managed system (outside Identity Manager). - ![Creation Provisioning Order](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp) + ![Creation Provisioning Order](/images/identitymanager/provmanual_createresource_v522.webp) - ![Creation Provisioning Order](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp) + ![Creation Provisioning Order](/images/identitymanager/provmanual_editresource_v522.webp) 5. Choose to confirm or report an error. 
@@ -67,7 +67,7 @@ Perform manual provisioning by proceeding as follows: Several orders can be provisioned simultaneously by clicking on **Bulk Provision**. -![Bulk Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp) +![Bulk Provisioning](/images/identitymanager/provmanual_bulk_v603.webp) ## Verify Manual Provisioning @@ -75,7 +75,7 @@ In order to verify the process: 1. Select a test user in the directory, accessible from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Follow the workflow through [Request Entitlement Assignment](/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md) to make a change in @@ -83,6 +83,6 @@ In order to verify the process: 3. Perform manual provisioning and check the provisioning state of the requested entitlement at every step, in the user's **View Permissions** tab. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) 4. Check in your managed system that the change was effectively made. diff --git a/docs/identitymanager/6.2/user-guide/administrate/provisioning/provisioning-review/index.md b/docs/identitymanager/6.2/user-guide/administrate/provisioning/provisioning-review/index.md index c1206fd9db..af7d7e174b 100644 --- a/docs/identitymanager/6.2/user-guide/administrate/provisioning/provisioning-review/index.md +++ b/docs/identitymanager/6.2/user-guide/administrate/provisioning/provisioning-review/index.md 
@@ -22,7 +22,7 @@ additional information. In an assignment request's lifecycle, provisioning review adds a few steps between the moment when the request is issued and when provisioning orders are computed: -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp) +![Provisioning State Schema](/images/identitymanager/provreview_states_v523.webp) ## Participants and Artifacts @@ -55,9 +55,9 @@ Review provisioning orders by proceeding as follows: 1. On the home page, click on the entity type that you want to manage in the **Provisioning Review** section. - ![Home Page - Provisioning Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + ![Home Page - Provisioning Review](/images/identitymanager/home_provisioningreview_v523.webp) - ![Provisioning Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp) + ![Provisioning Review](/images/identitymanager/provmanual_provreview_v602.webp) 2. Click on a line to access details and handle addition, association, update or deletion orders. 
@@ -68,13 +68,13 @@ Review provisioning orders by proceeding as follows: Automatic provisioning orders are directly executed, while manual provisioning orders are listed on the **Manual Provisioning** page. - ![Fulfill Task](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Fulfill Task](/images/identitymanager/synchro_resourcetype_v602.webp) ### Handle an addition order Identity Manager shows all the properties of the new resource to be created: -![Addition Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp) +![Addition Order Review](/images/identitymanager/provmanual_reviewaddition_v602.webp) - `Proposed Value`: value proposed by Identity Manager. - [Entitlement Assignment](/docs/identitymanager/6.2/integration-guide/role-assignment/assignments-of-entitlements/index.md) @@ -94,15 +94,15 @@ Handle an addition order by proceeding as follows: - Either click on the approval icon to order the property creation with the proposed value. - ![Addition - Approval Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + ![Addition - Approval Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) - Or click on the decline icon to refuse the property creation. - ![Addition - Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) - Or click on the postponement icon to delay the decision. - ![Addition - Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) 2. Choose to confirm or ignore the creation. 
@@ -112,7 +112,7 @@ Identity Manager displays a given owner and a given resource to be associated wi [Classify Resources](/docs/identitymanager/6.2/user-guide/set-up/categorization/classification/index.md)and all resource properties to be verified: -![Association Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp) +![Association Order Review](/images/identitymanager/provmanual_reviewassociation_v602.webp) - `Confidence rate of proposed resource`: rate expressing the confidence in this [Correlate Resources](/docs/identitymanager/6.2/user-guide/set-up/categorization/correlation/index.md). 
@@ -135,19 +135,19 @@ Handle an association order by proceeding as follows: - Either click on the approval icon to validate the proposed property value. - ![Addition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + ![Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) - ![Edition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg) - ![Deletion Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + ![Deletion Icon](/images/identitymanager/reviewrole_icondelete_v602.svg) - Or click on the decline icon to refuse the property association. - ![Addition - Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) - Or click on the postponement icon to delay the decision. - ![Addition - Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) 2. Choose to confirm or deny the association. @@ -155,7 +155,7 @@ Handle an association order by proceeding as follows: Identity Manager shows a given resource and all resource properties to be verified: -![Edition Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp) +![Edition Order Review](/images/identitymanager/provmanual_reviewedition_v602.webp) - `Proposed Value`: value proposed by Identity Manager. - `Current Value`: value currently in the managed system. 
@@ -176,17 +176,17 @@ Handle an update order by proceeding as follows: - Either click on the approval icon to order the property update with the proposed value. - ![Edition - Addition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + ![Edition - Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) - ![Edition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg) - Or click on the decline icon to refuse the property update. - ![Addition - Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) - Or click on the postponement icon to delay the decision. - ![Addition - Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) 2. Click on **Confirm Property Values**. @@ -194,7 +194,7 @@ Handle an update order by proceeding as follows: Identity Manager shows a given owner and their resources to be deleted: -![Deletion Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp) +![Deletion Order Review](/images/identitymanager/provmanual_reviewdeletion_v602.webp) Handle a deletion order by choosing either to confirm the deletion or to keep the resource. 
@@ -203,11 +203,11 @@ Handle a deletion order by choosing either to confirm the deletion or to keep th By default, provisioning orders are listed by resource. It is possible to click on a resource and then access the list of all provisioning orders for that resource. -![Resource View](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp) +![Resource View](/images/identitymanager/provreview_resourceview_v603.webp) In addition, using resource view enables bulk unblocking for provisioning orders with errors. -![Bulk Unblock](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp) +![Bulk Unblock](/images/identitymanager/provreview_bulkunblock_v603.webp) It can be helpful to have the provisioning orders regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be @@ -217,7 +217,7 @@ Once enabled, select a resource type to display all provisioning orders linked t type. In addition, select a property to display only the provisioning orders linked to these resource type and property. -![Property View](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp) +![Property View](/images/identitymanager/provreview_propertyview_v603.webp) The review process is similar on both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. 
@@ -228,21 +228,21 @@ In order to verify the process: 1. Select a test user in the directory, accessible from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Follow the [Request Entitlement Assignment](/docs/identitymanager/6.2/user-guide/administrate/manual-assignment-request/index.md) workflow to make a change in one of their permissions, which involves provisioning review. 3. Check that the provisioning state is `Pending` in the user's **View Permissions** tab. - ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) 4. Click on **Jobs** > **Fulfill** on the corresponding connector's overview page, in the **Resource Types** frame, to execute the provisioning orders. - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/synchro_resourcetype_v602.webp) 5. The orders using automated provisioning should be automatically handled with their state switching to `Executed`, while those using manual provisioning should appear on the **Manual Provisioning** page with their state switching to `Transmitted`. -![Home Page - Manual Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) +![Home Page - Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp) diff --git a/docs/identitymanager/6.2/user-guide/administrate/reporting/index.md b/docs/identitymanager/6.2/user-guide/administrate/reporting/index.md index d6edd6ab4a..9e90c5d5b0 100644 --- a/docs/identitymanager/6.2/user-guide/administrate/reporting/index.md 
+++ b/docs/identitymanager/6.2/user-guide/administrate/reporting/index.md @@ -21,16 +21,16 @@ project, for example: - the list of entitlements for a given user in their **View Permissions** tab; - ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) - the list of all requests that you are authorized to see in **Workflow Overview** accessible from the home page in the **Administration** section; - ![Home - Workflow Overview](/images/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + ![Home - Workflow Overview](/images/identitymanager/home_workflowoverview_v602.webp) - the list of [Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/user-guide/administrate/orphan-unused-account-review/index.md). - ![Orphaned Account List](/images/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + ![Orphaned Account List](/images/identitymanager/orphan_entitytype_v523.webp) Identity Manager puts users in control of their reporting. Rich features help produce customizable reports that can be used to check the assignment policy results, or gather information for an audit. @@ -67,9 +67,9 @@ Download predefined reports by proceeding as follows: 1. Click on **Reports** on the left of the home page to access the list of predefined reports. - ![Home Page - Reports](/images/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + ![Home Page - Reports](/images/identitymanager/home_reports_v602.webp) - ![Reports](/images/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp) + ![Reports](/images/identitymanager/reporting_predefinedreports_v602.webp) 2. Choose the appropriate report and click on **Download** to get an Excel report. The downward-pointing arrow provides additional report formats. 
@@ -97,16 +97,16 @@ Create a custom report by proceeding as follows: 1. Click on **Query** in the **Administration** section on the home page. - ![Home Page - Query](/images/identitymanager/user-guide/administrate/reporting/home_query_v602.webp) + ![Home Page - Query](/images/identitymanager/home_query_v602.webp) - ![Query Page](/images/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp) + ![Query Page](/images/identitymanager/reporting_querypage_v602.webp) 2. Choose a query model from among the list. 3. Click on **Fields to Display** and select the appropriate fields from among the database [Universe](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) and click on **Confirm**. - ![Fields to Display](/images/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp) + ![Fields to Display](/images/identitymanager/reporting_fieldstodisplay_v522.webp) In cases where Identity Manager doesn't display correctly the information you need, you must try to understand the entity instances and association instances that constitute the @@ -115,7 +115,7 @@ Create a custom report by proceeding as follows: 4. Click on **Filters**, write the appropriate condition and click on **Confirm**. - ![Filters](/images/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp) + ![Filters](/images/identitymanager/reporting_filters_v602.webp) For example, a report could list user names and identifiers but only those with their `Contract end date` less than today's date, so that we will see all the workers who have left diff --git a/docs/identitymanager/6.2/user-guide/deploy/change-management/index.md b/docs/identitymanager/6.2/user-guide/deploy/change-management/index.md index 80fd7da696..3166e332d0 100644 --- a/docs/identitymanager/6.2/user-guide/deploy/change-management/index.md +++ b/docs/identitymanager/6.2/user-guide/deploy/change-management/index.md 
@@ -30,7 +30,7 @@ A digital project follows two parallel processes: Change management aims to support the teams throughout the human process. -![Process of Change Management](/images/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp) +![Process of Change Management](/images/identitymanager/changemanagement_process.webp) These processes include mandatory steps that all staff members have to go through, but not necessarily at the same pace. For that reason, change managers can benefit from the use of personas, @@ -38,7 +38,7 @@ i.e. creating characters that represent key populations. ## Participants and Artifacts -![Actors of Change Management](/images/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp) +![Actors of Change Management](/images/identitymanager/changemanagement_actors.webp) The aim of a Project Management Officer concerning critical stakeholders is to enable: @@ -79,7 +79,7 @@ Run change management by proceeding as follows: 1. Identify the populations impacted by change. Below is an example of impacted populations that can vary enormously. - ![Usual Populations](/images/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp) + ![Usual Populations](/images/identitymanager/changemanagement_populations.webp) 2. For all listed populations, estimate their size and the expected impact on them, through indicators like the frequency of their future use of the solution. Use personas to represent key diff --git a/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/directory-permissions/index.md b/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/directory-permissions/index.md index 1c36a50bbc..3950a4fed3 100644 --- a/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/directory-permissions/index.md +++ b/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/directory-permissions/index.md 
@@ -23,17 +23,17 @@ Set the working directory's permissions by proceeding as follows: 1. Right-click on the working directory, for example `C:/identitymanager`, to select **Properties**, and in the **Security** tab, click on **Advanced**. - ![Working Directory Properties: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp) + ![Working Directory Properties: Step 1](/images/identitymanager/prodagent_directoryproperties1.webp) 2. In the **Permissions** tab, click on **Add**, and in the pop-up window click on **Select a principal**. - ![Working Directory Properties: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp) + ![Working Directory Properties: Step 2](/images/identitymanager/prodagent_directoryproperties2.webp) 3. Click on **Locations** to choose the current computer, and in the text area enter `iis apppool/identitymanager` (`Usercube` being the name of the previously created pool). - ![Working Directory Properties: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp) + ![Working Directory Properties: Step 3](/images/identitymanager/prodagent_directoryproperties3.webp) An error at this point should come either from a mistake in the pool's name or in the selected location. 
@@ -41,17 +41,17 @@ Set the working directory's permissions by proceeding as follows: 4. Click on **OK** and make sure that only the **Read and execute**, **List folder contents** and **Read** permissions are selected. - ![Working Directory Properties: Step 4](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp) + ![Working Directory Properties: Step 4](/images/identitymanager/prodagent_directoryproperties4.webp) 5. Click on **OK** in the windows until they are all closed. 6. Right-click on the `Temp` folder to select **Properties**, and in the **Security** tab, click on **Edit**. - ![Temp Folder Properties: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp) + ![Temp Folder Properties: Step 1](/images/identitymanager/prodagent_foldersproperties1.webp) 7. Select the user corresponding to the pool and give them `Full control`. - ![Temp Folder Properties: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp) + ![Temp Folder Properties: Step 2](/images/identitymanager/prodagent_foldersproperties2.webp) 8. Click on **OK** in the windows until they are all closed. 9. Repeat the last few steps (those concerning the `Temp` folder) to apply them to the `Work` and diff --git a/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-configuration/index.md b/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-configuration/index.md index 3cdd606d85..ce9dee6210 100644 --- a/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-configuration/index.md +++ b/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-configuration/index.md 
@@ -27,41 +27,41 @@ Configure the application pool and site by proceeding as follows: IIS can usually be found in Windows' search menu, or from Server Manager by accessing the **Tools** menu. - ![IIS: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp) + ![IIS: Step 1](/images/identitymanager/prodagent_iis1.webp) 2. Right-click on **Application Pools** to add a new pool named `Usercube`. - ![IIS: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp) + ![IIS: Step 2](/images/identitymanager/prodagent_iis2.webp) 3. Right-click on **Sites** to add a new site named `Usercube`, make sure that the selected application pool is `Usercube` and set the `path` field to the `Runtime` folder. - ![IIS: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp) + ![IIS: Step 3](/images/identitymanager/prodagent_iis3.webp) 4. Right-click on the application pool to open its advanced settings and make sure that the following parameters are set as such: - ![IIS: Step 4](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp) + ![IIS: Step 4](/images/identitymanager/prodagent_iis4.webp) - ![IIS: Step 5](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp) + ![IIS: Step 5](/images/identitymanager/prodagent_iis5.webp) 5. Make sure that IIS contains an SSL certificate, by accessing the home page of IIS server and double-clicking on **Server Certificates**. If the certificate is not ready yet, generate an auto-signed certificate. 
- ![IIS Server Certificate: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp) + ![IIS Server Certificate: Step 1](/images/identitymanager/prodagent_servercertificate1.webp) If the certificate is not there yet, import it by clicking on **Import** in the right-side menu, and specify the certificate's path and password. - ![IIS Server Certificate: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp) + ![IIS Server Certificate: Step 2](/images/identitymanager/prodagent_servercertificate2.webp) 6. Add the certificate's URL to the site by right-clicking on the site, selecting **Edit Bindings** and clicking on **Add**, then choosing `https` as type, `443` as port, specifying the server's URL (without the `https` part) as host name, and finally selecting the server certificate. - ![IIS Server Certificate: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp) + ![IIS Server Certificate: Step 3](/images/identitymanager/prodagent_servercertificate3.webp) Click on **OK**. diff --git a/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-installation/index.md b/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-installation/index.md index de10a3f1c0..137702908a 100644 --- a/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-installation/index.md +++ b/docs/identitymanager/6.2/user-guide/deploy/production-agent-installation/iis-installation/index.md 
@@ -23,29 +23,29 @@ Install IIS via Server Manager by proceeding as follows: 1. Open the Server Manager program and click on **Add roles and features**. - ![Server Manager: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp) + ![Server Manager: Step 1](/images/identitymanager/prodagent_servermanager1.webp) 2. Click on **Next**, then in **Installation Type** make sure that **Role-based or feature-based installation** is selected and click on **Next**. - ![Server Manager: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp) + ![Server Manager: Step 2](/images/identitymanager/prodagent_servermanager2.webp) 3. In **Server Selection** tick **Select a server from the server pool** and click on **Next**. - ![Server Manager: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp) + ![Server Manager: Step 3](/images/identitymanager/prodagent_servermanager3.webp) 4. In **Server Roles** tick **Web Server (IIS)**. - ![Server Manager: Step 4](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp) + ![Server Manager: Step 4](/images/identitymanager/prodagent_servermanager4.webp) 5. In **Features** select **Remote Server Administration Tools** > **Role Administration Tools** > **AD DA and AD LDS Tools** > **AD DS Tools** > **AD DS Snap-Ins and Command-Line Tools**. - ![Server Manager: Step 5](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp) + ![Server Manager: Step 5](/images/identitymanager/prodagent_servermanager5.webp) 6. In **Confirmation** click on **Install**. 
- ![Server Manager: Step 6](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp) + ![Server Manager: Step 6](/images/identitymanager/prodagent_servermanager6.webp) ## Next Steps diff --git a/docs/identitymanager/6.2/user-guide/global-process/howto-maintaindirectory/index.md b/docs/identitymanager/6.2/user-guide/global-process/howto-maintaindirectory/index.md index 713ea0ba5f..b786efd3ed 100644 --- a/docs/identitymanager/6.2/user-guide/global-process/howto-maintaindirectory/index.md +++ b/docs/identitymanager/6.2/user-guide/global-process/howto-maintaindirectory/index.md @@ -10,7 +10,7 @@ How to keep the workforce directory up to date. ## Overview -![Process Schema - How to Implement a New System](/images/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp) +![Process Schema - How to Implement a New System](/images/identitymanager/globalprocess_schemamaintain.webp) ## Process Details diff --git a/docs/identitymanager/6.2/user-guide/global-process/howto-newsystem/index.md b/docs/identitymanager/6.2/user-guide/global-process/howto-newsystem/index.md index 7af257fed4..88b3c0cda7 100644 --- a/docs/identitymanager/6.2/user-guide/global-process/howto-newsystem/index.md +++ b/docs/identitymanager/6.2/user-guide/global-process/howto-newsystem/index.md @@ -34,7 +34,7 @@ roles. The option B is more complicated and time-consuming than the option A, but leads to more gain. Be aware that you can go through the process options simultaneously. -![Process Schema - How to Implement a New System](/images/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp) +![Process Schema - How to Implement a New System](/images/identitymanager/globalprocess_schemaconnectsyst.webp) ## Process Details 
diff --git a/docs/identitymanager/6.2/user-guide/global-process/howto-start/index.md b/docs/identitymanager/6.2/user-guide/global-process/howto-start/index.md index 35a8d749ac..2ab2b9a1f3 100644 --- a/docs/identitymanager/6.2/user-guide/global-process/howto-start/index.md +++ b/docs/identitymanager/6.2/user-guide/global-process/howto-start/index.md @@ -42,7 +42,7 @@ Netwrix Identity Manager (formerly Usercube) recommends the option 1 to be able waiting for the installation of an agent in your network, and go through the option 2 simultaneously. -![Process Schema - How to Start with Usercube](/images/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp) +![Process Schema - How to Start with Usercube](/images/identitymanager/globalprocess_schemastart.webp) ## Process Details diff --git a/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/individual-update/index.md b/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/individual-update/index.md index 9f5a2547d0..d244156041 100644 --- a/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/individual-update/index.md +++ b/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/individual-update/index.md 
@@ -37,11 +37,11 @@ Declare a new worker by proceeding as follows: 1. Access the user directory from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. According to the type of the user to be declared, click on the corresponding button. - ![Workflow - New User](/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp) + ![Workflow - New User](/images/identitymanager/datamodif_newuser_v602.webp) 3. Follow the workflow's instructions to fill the form with the user's data, choose the user's entitlements from your role catalog and send the request. See the @@ -54,15 +54,15 @@ Act on an existing identity by proceeding as follows: 1. Access the user directory from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Click on the user to be modified. - ![Workflow - User](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + ![Workflow - User](/images/identitymanager/datamodif_user_v602.webp) 3. Click on **Actions** or **Helpdesk** to select the action to perform. - ![Workflow - Modify Permissions](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + ![Workflow - Modify Permissions](/images/identitymanager/datamodif_changeuser_v602.webp) 4. Follow the workflow's instructions. 
@@ -71,11 +71,11 @@ Act on an existing identity by proceeding as follows: for the reviewer, while the state of the request is pending. In this case, the requested updates will be displayed in Identity Manager only after the request has been reviewed. - ![Request - Review Pending](/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + ![Request - Review Pending](/images/identitymanager/datamodif_reviewpending_v523.webp) ## Verify Data Update In order to verify the process, check that the right data is displayed in the directory for the involved user. -![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) +![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) diff --git a/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/mass-update/index.md b/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/mass-update/index.md index 6bacab7958..32dcb4858c 100644 --- a/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/mass-update/index.md +++ b/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/mass-update/index.md 
@@ -40,22 +40,22 @@ Mass update identity data (in complete mode) by proceeding as follows: 1. Access the directory connector from **Connectors** on the home page, in the **Configuration** section. - ![Home - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp) 2. On the connector's page, choose the connection corresponding to identities. 3. In the connection's settings, download the Excel template full of the data from your database. - ![Download Full Template](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp) + ![Download Full Template](/images/identitymanager/datamodif_downloadtemplatedata_v602.webp) 4. Update the data that needs change. 5. Ensure that the field `Path (Complete mode)` is filled with the path of the source file. 6. Click on **Upload** and choose the file you modified with new data. - ![Upload](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + ![Upload](/images/identitymanager/connection_upload_v602.webp) 7. Click on **Check Connection** to verify the path. - ![Check Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp) 8. Click on **Save & Close**. 9. Back on the connector's page, launch synchronization. See the 
@@ -70,12 +70,12 @@ Mass update identity data (in incremental mode) by proceeding as follows: 1. Access the directory connector from **Connectors** on the home page, in the **Configuration** section. - ![Home - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp) 2. On the connector's page, choose the connection corresponding to identities. 3. In the connection's settings, download the empty Excel template. - ![Download Full Template](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp) + ![Download Full Template](/images/identitymanager/datamodif_downloadtemplateempty_v602.webp) 4. Fill only the data to be modified, specify the unique identifier for each entry (for correlation purposes), and fill the column `Command`, which can take a few available inputs: @@ -100,11 +100,11 @@ Mass update identity data (in incremental mode) by proceeding as follows: 5. Ensure that the field `Path (Incremental mode)` is filled with the path of the source file. 6. Click on **Upload** and choose the file you modified with new data. - ![Upload](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + ![Upload](/images/identitymanager/connection_upload_v602.webp) 7. Click on **Check Connection** to verify the path. - ![Check Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp) 8. Click on **Save & Close**. 9. Back on the connector's page, launch synchronization. See the 
@@ -119,14 +119,14 @@ In order to verify the process: - Check manually a sample in the `User` directory accessible from the home page. You should verify at least your own sheet and the sheets for your hierarchy. - ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) - Check that every organization still has a manager. Organizations are accessible in the `Department` directory accessible from the home page. - ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) - ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) If the system contains many organizations, then it is also possible to list them with their managers through the Query module. diff --git a/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/multiple-update/index.md b/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/multiple-update/index.md index 1154d5a63e..61fad51250 100644 --- a/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/multiple-update/index.md +++ b/docs/identitymanager/6.2/user-guide/maintain/identity-data-modification/multiple-update/index.md 
@@ -36,19 +36,19 @@ Perform multiple updates by proceeding as follows: 1. Click on **Multiple Updates**, accessible from the directory on the home page. - ![Home Page - Multiple Updates](/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp) + ![Home Page - Multiple Updates](/images/identitymanager/home_multipleupdates_v523.webp) 2. Follow the workflow's instructions to perform the change, assign new entitlements if needed, and send the request. - ![Multiple Updates Form](/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp) + ![Multiple Updates Form](/images/identitymanager/datamodif_multipleform_v602.webp) If the workflow has been configured in this way, the update request may require a review. In this case, sending the request triggers the display of said request on the **My Tasks** screen for the reviewer, while the state of the request is pending. In this case, the requested updates will be displayed in Identity Manager only after the request has been reviewed. - ![Request - Review Pending](/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + ![Request - Review Pending](/images/identitymanager/datamodif_reviewpending_v523.webp) ## Verify Data Update 
@@ -57,14 +57,14 @@ In order to verify the process: - Check manually a sample in the `User` directory accessible from the home page. You should verify at least your own sheet and the sheets assigned to your hierarchy. - ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) - Check that every organization still has a manager. Organizations are accessible in the `Department` directory on the home page. - ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) - ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) If the system contains numerous organizations, it is also possible to list them with their managers through the Query module. diff --git a/docs/identitymanager/6.2/user-guide/maintain/troubleshooting/index.md b/docs/identitymanager/6.2/user-guide/maintain/troubleshooting/index.md index 55aa5022a6..2e24fdc2d8 100644 --- a/docs/identitymanager/6.2/user-guide/maintain/troubleshooting/index.md +++ b/docs/identitymanager/6.2/user-guide/maintain/troubleshooting/index.md 
@@ -27,17 +27,17 @@ administrator, must have access to: - the connector screens, especially the jobs available there; - ![Connector Jobs](/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp) + ![Connector Jobs](/images/identitymanager/troubleshooting_connectorjobs_v603.webp) - the resource screens (identities, accounts, etc.) with their data, and especially their history and sources; - ![User Data](/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp) + ![User Data](/images/identitymanager/troubleshooting_userdata_v603.webp) - basic workflows, for example the usual helpdesk workflow, that give access to users' entitlements and enable data modification and repair. - ![Helpdesk Workflow](/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp) + ![Helpdesk Workflow](/images/identitymanager/troubleshooting_helpdesk_v603.webp) ## Participants and Artifacts diff --git a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/automate-role-assignment/index.md b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/automate-role-assignment/index.md index c7b687f16f..5f0a4d243a 100644 --- a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/automate-role-assignment/index.md +++ b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/automate-role-assignment/index.md 
@@ -37,20 +37,20 @@ Create a role assignment rule by proceeding as follows: 1. Access the rules page by clicking on **Access Rules** on the home page in the **Configuration** section. - ![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp) 2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. - ![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) 3. Click on the **Composite Roles** or **Single Roles** tab and on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 4. Fill in the fields. - ![Create an Assignment Rule](/images/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp) + ![Create an Assignment Rule](/images/identitymanager/assignmentrules_newsrolerule_v602.webp) - `Single Role`: single role to be automatically assigned in a single role rule. `Composite Role` for a composite role rule. 
@@ -108,15 +108,15 @@ Then, you can: 1. Select a test user in the directory, accessible from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Create a role assignment rule for a role that said user doesn't already have, and based on criteria which the selected user satisfies. 3. Trigger the computation of the role model through the complete job on the **Job Execution** page in the **Administration** section.
- ![Home - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+ ![Home - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 4. See the new permission in the user's **View Permissions** tab.
- ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
diff --git a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/index.md b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/index.md
index a05435fc84..86829d12a6 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/index.md
@@ -29,7 +29,7 @@ decisions, based on several automation levels provided by Identity Manager: 3. Automation of the creation of said assignment rules through [Perform Role Mining](/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/role-mining/index.md), based on existing data analysis.
-![Automation Concept](/images/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp)
+![Automation Concept](/images/identitymanager/automation_schema.webp)
 Assignment rules can sometimes give to users an entitlement that they had already received manually. Hence, new assignment rules can imply redundancies between the entitlements assigned manually and
@@ -64,7 +64,7 @@ The entitlement management cost mainly varies according to the number of managed Manual processing for entitlement requests implies a linear growth of the management cost according to the number of managed entitlements.
-![Optimal Cost Chart - Manual Assignments](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp)
+![Optimal Cost Chart - Manual Assignments](/images/identitymanager/automation_optimalcost_manual.webp)
 ### Automation benefits
@@ -78,7 +78,7 @@ There is a high potential gain coming with the automation of assignment decision - Machine Learning can compute the role model way faster than a person. Consequently, the model can be computed more frequently and thus sticks closer to reality.
-![Optimal Cost Chart - Automation Benefits](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp)
+![Optimal Cost Chart - Automation Benefits](/images/identitymanager/automation_optimalcost_automationbenefits.webp)
 Automation helps integrators find basic assignment rules and face the previous risks, thus reducing cost.
@@ -113,7 +113,7 @@ However, automation implies an increasing number of rules. And a high number of certain complexity in rule model understanding, and consequently hiring expensive expert contractors to write the right rules. It drives up costs considerably and draws you near the automation wall.
-![Optimal Cost Chart - Automation Limits](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp)
+![Optimal Cost Chart - Automation Limits](/images/identitymanager/automation_optimalcost_automationlimits.webp)
 The automation wall represents the automation threshold that cannot be overcome. It mostly comes from the fact that with limited data, automation capabilities are also limited. Everything cannot be
@@ -125,7 +125,7 @@ The idea is to stop automation when the automatic cost curve increases faster th curve. The optimal profitability is represented on the chart and can be achieved via the optimal mix of automatic and manual assignments.
-![Optimal Cost Chart](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp)
+![Optimal Cost Chart](/images/identitymanager/automation_optimalcost.webp)
 Automation strategy consists in using Machine Learning through Role Mining to get closer to the automation wall. And, as Role Mining doesn't enable overcoming said wall, the goal is to move the
@@ -152,7 +152,7 @@ The process of assignment automation is the following: error rate and implies a lower execution cost. And thus, it brings the optimal cost closer to the automation wall.
- ![Optimal Cost Chart - Role Mining](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp)
+ ![Optimal Cost Chart - Role Mining](/images/identitymanager/automation_optimalcost_rolemining.webp)
 **Enlarge the number of managed entitlements by tolerating errors:**
@@ -177,22 +177,22 @@ The process of assignment automation is the following: > except for `SharePoint Projects`. This fact reveals a low level of awareness among the workers > about their respective projects. This is a typical area for improvement in data quality. >
- > ![Data Quality Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp)
+ > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex.webp)
 > For example, if charts show a high number of identities in the category `No Position`, > integrators understand that the data model must be completed for role mining to be efficient. >
- > ![Data Quantity Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp)
+ > ![Data Quantity Example](/images/identitymanager/automation_dataquality_ex2.webp)
 > For example, if charts show a high number of unused roles, integrators understand that the > role model needs further improvement because roles are not adequate. >
- > ![Data Quality Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp)
+ > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex3.webp)
 > For example, if charts show low automation rate per department, integrators will understand > that many identities may have switched departments while keeping their previous entitlements. >
- > ![Data Quality Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp)
+ > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex4.webp)
 3. Improve data quality and quantity to move the automation wall.
@@ -202,7 +202,7 @@ The process of assignment automation is the following: Improvement in existing data quantity and quality entails the possibility of managing a higher number of entitlements.
- ![Optimal Cost Chart - Improved Data](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp)
+ ![Optimal Cost Chart - Improved Data](/images/identitymanager/automation_optimalcost_data.webp)
 A high quantity of data simplifies data analysis and inferences in assignment rules.
diff --git a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md
index 0f0b9bddd5..2ca53a4486 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md
@@ -58,7 +58,7 @@ For example, consider a user who has a given entitlement which was assigned to t several distinct time periods. When creating a rule that assigns the same entitlement to them automatically on a given time period, then we have:
-![Schema - Compute Role Model](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp)
+![Schema - Compute Role Model](/images/identitymanager/redundantassignments_examplewithout.webp)
 The redundant assignment analysis gives priority to the rules inside the role model and the policy. When an entitlement is assigned via a rule, it is stated as calculated, even if it is also assigned
@@ -68,7 +68,7 @@ be truncated or deleted. For example, consider the same situation as before. Using the redundant assignments analysis, then we have:
-![Schema - Redundant Assignment Analysis](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp)
+![Schema - Redundant Assignment Analysis](/images/identitymanager/redundantassignments_examplewith.webp)
 Redundant assignments can be removed by Identity Manager only when the corresponding assigned items are tagged as redundant and displayed in the most recent report. The manual assigned items that are
@@ -92,11 +92,11 @@ See the Remove redundant assignments by proceeding as follows:
-![Home Page - Redundant Assignments](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp)
+![Home Page - Redundant Assignments](/images/identitymanager/home_redundantassignments_v602.webp)
 **Step 1 –** Click on **Redundant Assignments** on the home page in the **Administration** section.
-![Redundant Assignments - Buttons](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp)
+![Redundant Assignments - Buttons](/images/identitymanager/redundantassignments_buttons_v602.webp)
 **Step 2 –** Click on **Analyze** to tag the manual roles and resource types from all policies eligible for conversion to an automatic state.
@@ -109,7 +109,7 @@ Previous tags are cleared at each instance of this tagging process. **Step 3 –** Click on **Download Excel** to download a dedicated XLSX report which contains one tab per entity type representing identities.
-![Redundant Assignments - Report Example](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp)
+![Redundant Assignments - Report Example](/images/identitymanager/redundantassignments_reportexample_v602.webp)
 The example states that in the entity type Directory_User, the user Nicholas Acosta had the single role Banking/Sales/Eunomia/Administrator starting from February 28th 2023 (dateA) until May 16th
@@ -126,18 +126,18 @@ eligible manual roles to calculated. In order to verify the process:
-![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 **Step 1 –** Access the user directory from the home page.
-![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
 **Step 2 –** For one of the users mentioned in the report, access their permissions. **Step 3 –** Check that their roles (mentioned in the report) have actually switched from approved to calculated.
-![Redundant Assignments - Result](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp)
+![Redundant Assignments - Result](/images/identitymanager/redundantassignments_reportexampleverif_v602.webp)
 When removing redundant assignments based on the previous report example the setting will be as above.
diff --git a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/role-mining/index.md b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/role-mining/index.md
index a055a6dd6a..ca4e26df0c 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/role-mining/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/role-mining/index.md
@@ -27,7 +27,7 @@ Now that users received their roles, the role mining tool can analyze these assi [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) which will assign single roles to certain users matching given criteria.
-![Schema - Role Mining](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp)
+![Schema - Role Mining](/images/identitymanager/rolemining_schema.webp)
 Role mining is a Machine Learning process. It is a statistic tool used to emphasize the [Single Role Rule](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md)
@@ -60,7 +60,7 @@ Mining rules can be configured to generate: 2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an entitlement request for a user.
- ![Suggested](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp)
+ ![Suggested](/images/identitymanager/rolemining_suggested_v602.webp)
 You can generate both automatic and suggested rules for the same role, with different precision levels and different approval workflows.
@@ -70,12 +70,12 @@ levels and different approval workflows. > above 95% and a second mining rule to generate suggested assignment rules when the ratio is > between 75% and 95%. >
-> ![Rule Types](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp)
+> ![Rule Types](/images/identitymanager/rolemining_ruletype.webp)
 You can also differentiate entitlements according to their sensitivity, for example require additional reviews following the request of a sensitive entitlement:
-![Rule Types - Sensitivity](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp)
+![Rule Types - Sensitivity](/images/identitymanager/rolemining_ruletype-sensitivity.webp)
 The automation of entitlement assignments according to sensitivity brings greater confidence in basic entitlements assignment which won't need to be certified anymore. Thus, automation lets
@@ -103,15 +103,15 @@ Create a mining rule by proceeding as follows: 1. On the home page in the **Configuration** section, click on the **Role Mining** button.
- ![Home page - Connectors](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp)
+ ![Home page - Connectors](/images/identitymanager/home_rolemining_v60.webp)
 You will see all existing mining rules. 2. Click on the addition button at the top right and fill in the fields.
- ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg)
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
- ![New Mining Rule](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp)
+ ![New Mining Rule](/images/identitymanager/rolemining_miningrule_v602.webp)
 - `Policy`: [Create a Policy](/docs/identitymanager/6.2/user-guide/optimize/policy-creation/index.md) in which the mining rule exists. - `Entity Type`:
@@ -164,7 +164,7 @@ Create a mining rule by proceeding as follows: 4. Click on **Simulate** to perfom role mining in a simulation. See the[Perform a Simulation](/docs/identitymanager/6.2/user-guide/optimize/simulation/index.md) topic for additional information.
- ![Role Mining Jobs](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp)
+ ![Role Mining Jobs](/images/identitymanager/rolemining_launchjob_v602.webp)
 If you need to bypass the simulation process, clicking on **Launch** will perform role mining and apply its results directly. NETWRIX recommends always performing role mining in simulation.
@@ -183,6 +183,6 @@ is created or updated. In order to verify the process, access the rule list from the home page.
-![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
 Select **Single Roles** and check that the single role rules are created with the right parameters.
diff --git a/docs/identitymanager/6.2/user-guide/optimize/composite-role-creation/index.md b/docs/identitymanager/6.2/user-guide/optimize/composite-role-creation/index.md
index 9e40102b1e..60f68dbcca 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/composite-role-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/composite-role-creation/index.md
@@ -19,7 +19,7 @@ they can help organize the role catalog. See the [Composite Role](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) topic for additional information.
-![Schema](/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp)
+![Schema](/images/identitymanager/compositeroles_applicativeroles.webp)
 A composite role is a business role comprehensible by managers. It provides an additional layer of abstraction above existing entitlements and single roles. We can say that if a single role allows a
@@ -38,7 +38,7 @@ composite roles. Here, we clearly have one role for R&D-developer, one for R&D-w Project-contractor and Project-project manager. Thus, it is clear here that composite roles add an abstraction layer.
-![Example](/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp)
+![Example](/images/identitymanager/compositeroles_schema.webp)
 Single role rules link composite roles to single roles: a single role rule states that specific single roles are assigned according to specific criteria, particularly composite roles. See the
@@ -66,14 +66,14 @@ Create a composite role by proceeding as follows: **Step 1 –** On the home page in the **Configuration** section, click on **Access Roles** to access the roles page.
-![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 **Step 2 –** On the roles page, click on the adequate category and create a role by clicking on **+ New** at the top right corner. **Step 3 –** Fill in the fields.
-![singlerolescatalog_createcompositerole_v62](/images/identitymanager/user-guide/optimize/composite-role-creation/singlerolescatalog_createcompositerole_v62.webp)
+![singlerolescatalog_createcompositerole_v62](/images/identitymanager/singlerolescatalog_createcompositerole_v62.webp)
 - **Identifier**: must be unique among roles and without any whitespace. - **Name**: will be displayed in the UI to identify the single role.
@@ -124,12 +124,12 @@ In order to verify the process, check that the role and rule are created with th For roles, click on **Access Roles** on the home page in the **Configuration** section.
-![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 Select composite roles and find the role you created inside the right category and with the right parameters.
-![Access Composite Roles](/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp)
+![Access Composite Roles](/images/identitymanager/compositeroles_testroles_v602.webp)
 For rules, follow the instructions about assignment rules. See the [Automate Role Assignments](/docs/identitymanager/6.2/user-guide/optimize/assignment-automation/automate-role-assignment/index.md)
diff --git a/docs/identitymanager/6.2/user-guide/optimize/hr-connector-creation/index.md b/docs/identitymanager/6.2/user-guide/optimize/hr-connector-creation/index.md
index 8192faeb09..694120721d 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/hr-connector-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/hr-connector-creation/index.md
@@ -49,7 +49,7 @@ data, through a certification-like process. An HR connector is considered an inbound connector, as it writes to the central identity repository inside Identity Manager.
-![Inbound System=](/images/identitymanager/user-guide/optimize/hr-connector-creation/connectorcreation_inbound.webp)
+![Inbound System=](/images/identitymanager/connectorcreation_inbound.webp)
 As Identity Manager is able to feed all managed systems, it can also feed itself thanks to specific connections such as the
@@ -81,27 +81,27 @@ Create an HR connector by proceeding as follows: [Create the Connector](/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-declaration/index.md) topic for additional information.
- ![HR Connector Declaration](/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_connectordeclaration_v602.webp)
+ ![HR Connector Declaration](/images/identitymanager/hr_connectordeclaration_v602.webp)
 3. Create an Export CSV connection for each HR file to connect. See the [Create a Connection](/docs/identitymanager/6.2/user-guide/set-up/connect-system/connection-creation/index.md) topic for additional information.
- ![HR Connection](/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_connection_v602.webp)
+ ![HR Connection](/images/identitymanager/hr_connection_v602.webp)
 4. [Create an Entity Type](/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/index.md) corresponding to your model. For example:
- ![HR Entity Type - Scalar Properties](/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypes_v602.webp)
+ ![HR Entity Type - Scalar Properties](/images/identitymanager/hr_entitytypes_v602.webp)
- ![HR Entity Type - Navigation Properties](/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypen_v602.webp)
+ ![HR Entity Type - Navigation Properties](/images/identitymanager/hr_entitytypen_v602.webp)
 5. Don't forget to reload and [Synchronize Data](/docs/identitymanager/6.2/user-guide/set-up/synchronization/index.md) to access HR data within Identity Manager.
- ![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp)
+ ![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
- ![Synchronize Job](/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp)
+ ![Synchronize Job](/images/identitymanager/synchro_executionjobs_v602.webp)
 ## Verify HR Connector Creation
@@ -111,16 +111,16 @@ In order to verify the process: 2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that synchronization completed successfully.
- ![Jobs Results](/images/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp)
+ ![Jobs Results](/images/identitymanager/synchro_results_v603.webp)
 3. Check that the entity types have been added to the left menu of the home page.
- ![Test Entity Type](/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_validatemenu_v600.webp)
+ ![Test Entity Type](/images/identitymanager/hr_validatemenu_v600.webp)
 4. Access the relevant entity types (from the menu items on the left of the home page) to check synchronized resources, by navigating in the UI from the accounts through a sample of associations, via the Eye icon:
- ![Eye Icon](/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg)
+ ![Eye Icon](/images/identitymanager/iconeye_v600.svg)
 You should seek configuration validation, not validation of the actual data being synchronized.
diff --git a/docs/identitymanager/6.2/user-guide/optimize/identity-datamodel-modification/index.md b/docs/identitymanager/6.2/user-guide/optimize/identity-datamodel-modification/index.md
index a910c01872..60153b55f6 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/identity-datamodel-modification/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/identity-datamodel-modification/index.md
@@ -75,20 +75,20 @@ Add or modify properties within the identity data model by proceeding as follows 1. On the home page, click on **Settings** in the **Configuration** section.
- ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp)
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
 2. Access the data model on the **Workforce** > **Data Model** page. 3. Change the display option to show or hide properties in the identity repository.
- ![Scan Data Model - Display Option](/images/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp)
+ ![Scan Data Model - Display Option](/images/identitymanager/datamodelmodif_scan_v600.webp)
 4. After your changes are complete, click on the Save icon at the top.
- ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg)
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
 5. Click on the **Reload** button to apply the recent changes to the application.
- ![Reload Button](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp)
+ ![Reload Button](/images/identitymanager/reload_v603.webp)
 ## Delete Properties
@@ -105,14 +105,14 @@ In order to verify the process: - Check manually a sample in the user directory accessible from the home page. You should verify at least your own sheet and the sheets assigned to your hierarchy.
- ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 - Check that every organization still has a manager. Organizations are accessible in the department directory accessible from the home page.
- ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp)
+ ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp)
- ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp)
+ ![List of Departments](/images/identitymanager/initialload_departments_v602.webp)
 If the system contains numerous organizations, it is also possible to list them with their managers through the Query module. See
diff --git a/docs/identitymanager/6.2/user-guide/optimize/non-conforming-assignment-review-automation/index.md b/docs/identitymanager/6.2/user-guide/optimize/non-conforming-assignment-review-automation/index.md
index db15f2020d..cd53b0e6ae 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/non-conforming-assignment-review-automation/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/non-conforming-assignment-review-automation/index.md
@@ -49,20 +49,20 @@ information. Create an automation rule by proceeding as follows:
-![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 1 –** On the home page in the **Configuration** section, click on **Access Rules**.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 2 –** In the dropdown menu at the top left, choose the entity type to which the future rule will be applied.
-![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
 **Step 3 –** Click on the **Automations** tab and on the addition button at the top right corner.
-![New Automation Rule](/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp)
+![New Automation Rule](/images/identitymanager/reviewautomation_newrulefields_v602.webp)
 **Step 4 –** Fill in the fields.
@@ -100,13 +100,13 @@ assignment. **Step 2 –** Create an automation rule matching said assignment.
-![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 **Step 3 –** Compute the role model through the complete job on the **Job Execution** page. **Step 4 –** Check on the **Role Review** page that the assignment's workflow state changed according to the rule's settings.
-![New Automation Rule](/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp)
+![New Automation Rule](/images/identitymanager/reviewautomation_rulemessage_v522.webp)
 Any role affected by an automation rule shows a specific message on the **Role Review** page.
diff --git a/docs/identitymanager/6.2/user-guide/optimize/parameterized-role/index.md b/docs/identitymanager/6.2/user-guide/optimize/parameterized-role/index.md
index 0f2905518d..89b2ceb127 100644
--- a/docs/identitymanager/6.2/user-guide/optimize/parameterized-role/index.md
+++ b/docs/identitymanager/6.2/user-guide/optimize/parameterized-role/index.md
@@ -15,20 +15,20 @@ a navigation rule. See the [Create Roles in the Role Catalog](/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/index.md) topic for additional information.
-![Simple Role](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp)
+![Simple Role](/images/identitymanager/parameterizedroles_simplerole.webp)
 To enable the assignment of all existing entitlements, the role model usually contains numerous roles. For example, the SAP role can be given with slight differences according to the users' subsidiaries:
-**> ![Role Matrix](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp)**
+**> ![Role Matrix](/images/identitymanager/parameterizedroles_numerousroles.webp)**
 In order to reduce the number of roles, we can configure roles with parameters by inserting a criterion in the navigation rules. Thus, instead of having as many roles as entitlements (left on the schema), we can have way fewer roles (right on the schema).
-![With/Without Parameters](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp)
+![With/Without Parameters](/images/identitymanager/parameterizedroles_parameters.webp)
 In the previous example, with a parameter on the subsidiary, the number of roles would be divided by three.
@@ -59,7 +59,7 @@ script in the command line. ```
-![Example - Role](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp)
+![Example - Role](/images/identitymanager/parameterizedrole_examplerole_v603.webp)
 **Step 2 –** Create a single role. See the [Create a Role Manually](/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md)
@@ -72,7 +72,7 @@ topic for additional information. Here we have three navigation rules, one for each distinct time slot (dimension A). For example: -![Example - Rule](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp) +![Example - Rule](/images/identitymanager/parameterizedrole_examplerule_v603.webp) :::note Make sure that the corresponding dimension is specified in the right `DisplayEntityType` @@ -96,7 +96,7 @@ value Y, then that user would get the role B. ::: -![Example - Role Parameter Required](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp) +![Example - Role Parameter Required](/images/identitymanager/parameterizedrole_exampleroleparameter_v603.webp) **Step 4 –** Go back to the roles page to edit the single role from step 2, if needing to set the parameter required. @@ -126,13 +126,13 @@ additional information. In our example: -![Example - Step 1](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp) +![Example - Step 1](/images/identitymanager/parameterizedroles_parameterexamplestep1_v603.webp) -![Example - Step 2](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp) +![Example - Step 2](/images/identitymanager/parameterizedroles_parameterexamplestep2_v603.webp) If the dimension is specified in the users' context rule, then Identity Manager will provide suggestions. -![Example - Suggestion](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp) +![Example - Suggestion](/images/identitymanager/parameterizedrole_examplerolesuggestion_v603.webp) For example, concerning the `Title` dimension mentioned above. 
diff --git a/docs/identitymanager/6.2/user-guide/optimize/policy-creation/index.md b/docs/identitymanager/6.2/user-guide/optimize/policy-creation/index.md index 7ed6f0d3e6..824c7d0292 100644 --- a/docs/identitymanager/6.2/user-guide/optimize/policy-creation/index.md +++ b/docs/identitymanager/6.2/user-guide/optimize/policy-creation/index.md @@ -47,16 +47,16 @@ topic for additional information. Create a policy by proceeding as follows: -![Home - Access Policies](/images/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp) +![Home - Access Policies](/images/identitymanager/home_accesspolicies_v602.webp) **Step 1 –** Access the policies screen by clicking on **Access Policies** on the home page in the **Configuration** section. -![New Policy](/images/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp) +![New Policy](/images/identitymanager/policycreation_policies_v602.webp) **Step 2 –** Click on **+ New policy** at the top right corner. -![createpolicy](/images/identitymanager/user-guide/optimize/policy-creation/createpolicy.webp) +![createpolicy](/images/identitymanager/createpolicy.webp) **Step 3 –** Fill in the information fields. diff --git a/docs/identitymanager/6.2/user-guide/optimize/risk-management/index.md b/docs/identitymanager/6.2/user-guide/optimize/risk-management/index.md index feb2dcefa8..eff8dd6b24 100644 --- a/docs/identitymanager/6.2/user-guide/optimize/risk-management/index.md +++ b/docs/identitymanager/6.2/user-guide/optimize/risk-management/index.md 
@@ -54,15 +54,15 @@ Create a risk by proceeding as follows: 1. On the home page in the **Configuration** section, click on **Risks**. - ![Home Page - Risks](/images/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp) + ![Home Page - Risks](/images/identitymanager/home_risks_v602.webp) 2. On the risks page, click on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 3. Fill in the fields. - ![New Risk](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp) + ![New Risk](/images/identitymanager/riskmanagement_newrisk_v602.webp) - `Identifier`: must be unique among risks and without any whitespace. - `Name`: will be displayed in the UI to identify the risk. @@ -90,7 +90,7 @@ Create a risk by proceeding as follows: [Reconcile a Role](/docs/identitymanager/6.2/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) topic for additional information. - ![Risk Icon](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp) + ![Risk Icon](/images/identitymanager/riskmanagement_workflowstate_v523.webp) ### Write risk rules @@ -125,7 +125,7 @@ Create a risk by proceeding as follows: > The group `DL-INTERNET-Restricted` in our example. - ![Risk Item Example](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp) + ![Risk Item Example](/images/identitymanager/riskmanagement_newriskitem_v602.webp) This final value is an entitlement, linked to the owner identity through the navigation property and the ownership relationship. 
@@ -149,9 +149,9 @@ Create a risk by proceeding as follows: After creating at least one risk and computing risk scores, identified risks are listed on the **Identified Risks** screen, accessible from the home page in the **Administration** section. -![Home Page - Identified Risks](/images/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp) +![Home Page - Identified Risks](/images/identitymanager/home_identifiedrisks_v602.webp) -![Identified Risks](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp) +![Identified Risks](/images/identitymanager/riskmanagement_identifiedrisks_v522.webp) For a given identity in the list, user information can be viewed and accessed by clicking respectively on the eye and arrow buttons on the right-hand side. diff --git a/docs/identitymanager/6.2/user-guide/optimize/simulation/index.md b/docs/identitymanager/6.2/user-guide/optimize/simulation/index.md index 9f2affe340..cef27bf49b 100644 --- a/docs/identitymanager/6.2/user-guide/optimize/simulation/index.md +++ b/docs/identitymanager/6.2/user-guide/optimize/simulation/index.md 
@@ -71,47 +71,47 @@ Launch a simulation by proceeding as follows: 1. Access the simulation list by clicking on **Simulations** on the home page, in the **Configuration** section. - ![Home - Simulations](/images/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp) + ![Home - Simulations](/images/identitymanager/home_simulations_v600.webp) - ![Simulation List](/images/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp) + ![Simulation List](/images/identitymanager/simulation_list_v602.webp) 2. Create a new simulation by clicking on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 3. Fill in the fields. - ![Simulation List](/images/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp) + ![Simulation List](/images/identitymanager/simulation_new_v602.webp) 4. Click on **+ Create**. 5. Perform changes through the **Roles Changes** and **Rules Changes** tabs and the following icons, respectively for addition, modification and deletion: - ![Edition - Approval Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Edition - Approval Icon](/images/identitymanager/iconadd_v602.svg) - ![Recommendation Icon](/images/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg) + ![Recommendation Icon](/images/identitymanager/simulation_iconedit_v600.svg) - ![Discouragement Icon](/images/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg) + ![Discouragement Icon](/images/identitymanager/simulation_icondelete_v600.svg) At any time, you can click on the line of a previously made change to access its description, even click on **Cancel** to erase it. 
- ![Cancel Change](/images/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp) + ![Cancel Change](/images/identitymanager/simulation_cancel_v602.webp) 6. Click on **Start** to launch the simulation. - ![Start Simulation](/images/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp) + ![Start Simulation](/images/identitymanager/simulation_start_v602.webp) 7. After a few seconds, click on **Refresh** to display the simulation results. 8. Observe the results in the overview and in the Excel report available via the Download button. - ![Download Icon](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + ![Download Icon](/images/identitymanager/icondownload_v602.svg) ## Shift from Simulation to Production After all needed changes have been simulated, you can decide to apply or cancel them. -![Apply or Cancel Changes](/images/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp) +![Apply or Cancel Changes](/images/identitymanager/simulation_decision_v600.webp) Then, the simulation is no longer active. 
@@ -134,16 +134,16 @@ parameters. For roles, click on **Access Roles** on the home page in the **Configuration** section. -![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) +![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp) Select the type of role that you want to check, and find the roles you created inside the right category and with the right parameters. -![Select Roles](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) +![Select Roles](/images/identitymanager/categorycreation_test_v602.webp) For rules, click on **Access Rules** on the home page in the **Configuration** section. -![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) +![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp) Select the type of rule that you want to check, and find the rules you created with the right parameters. diff --git a/docs/identitymanager/6.2/user-guide/set-up/categorization/classification/index.md b/docs/identitymanager/6.2/user-guide/set-up/categorization/classification/index.md index 01f44103a0..b469f391fc 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/categorization/classification/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/categorization/classification/index.md 
@@ -64,14 +64,14 @@ When the confidence rate is below 100%, correlation and classification reviews a - on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. requested manually or assigned automatically by a resource type rule; - ![Correlation Review - Provisioning Review Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + ![Correlation Review - Provisioning Review Screen](/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp) - on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a correlation rule without a resource type rule triggers unauthorized accounts on the **Resource Reconciliation** page. - ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp) Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values (gaps), i.e. resources and property values from the managed systems that are not allowed by a rule 
@@ -114,32 +114,32 @@ Fill a resource type with a classification rule by proceeding as follows: 1. On the relevant resource type's page, click on **Classification Rules** and the addition icon. - ![New Classification Rule](/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp) + ![New Classification Rule](/images/identitymanager/resourcetype_newclassifrule_v602.webp) Classification rules can also be created through the **Access Rules** screen (accessible from the home page, in the **Configuration** section), clicking on the **Classifications** tab and the addition button at the top right corner. - ![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 2. Fill in the fields. - ![New Classification Rule Fields](/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp) + ![New Classification Rule Fields](/images/identitymanager/resourcetype_newclassifrulefields_v602.webp) - **Target Object** > `Expression`: C# expression based on the resource that needs to be classified. - `Confidence Rate`: rate expressing the rule's reliability, and its priority order.. > Our overview example would look like: > - > ![Classification Rule Example](/images/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp) + > ![Classification Rule Example](/images/identitymanager/classification_example_v602.webp) 3. Click on **Create** and see a line added on the rules page. 4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource Types** to apply the new classification rules. 
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Impact of Modifications @@ -166,7 +166,7 @@ Any modification in classification rules is taken into account via the classific connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource Types**. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Verify Classification @@ -174,13 +174,13 @@ In order to verify the process, analyze samples and check that all objects are c classified. To do so, click on the target entity type(s) affected by your rule(s) in the left menu of the home page. -![Test Entity Type](/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) +![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp) The entity type's page can be configured via XML to customize all displayed columns and available filters, especially the **Uncategorized** filter that spots unclassified resources, and the **Owner / Resource Type** column that shows the resource type assigned to each resource. -![Owner / Resource Type Column](/images/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp) +![Owner / Resource Type Column](/images/identitymanager/classification_test_v522.webp) Therefore, check that all resources show here a resource type. Moreover, a knowledgeable person must analyze a few samples to ensure that resources are classified in the right resource type. 
@@ -189,7 +189,7 @@ analyze a few samples to ensure that resources are classified in the right resou If a resource is not classified (or not correctly), then: -![Unclassified Resource](/images/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp) +![Unclassified Resource](/images/identitymanager/classification_unclassified_v600.webp) - If the resource is correlated, check whether the corresponding correlation rule is in the right resource type. diff --git a/docs/identitymanager/6.2/user-guide/set-up/categorization/correlation/index.md b/docs/identitymanager/6.2/user-guide/set-up/categorization/correlation/index.md index 5f286ae7a7..47d2517959 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/categorization/correlation/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/categorization/correlation/index.md 
@@ -74,14 +74,14 @@ When the confidence rate is below 100%, correlation and classification reviews a - on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. requested manually or assigned automatically by a resource type rule; - ![Correlation Review - Provisioning Review Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + ![Correlation Review - Provisioning Review Screen](/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp) - on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a correlation rule without a resource type rule triggers unauthorized accounts on the **Resource Reconciliation** page. - ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp) Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values (gaps), i.e. resources and property values from the managed systems that are not allowed by a rule 
@@ -132,19 +132,19 @@ Fill a resource type with a correlation rule by proceeding as follows: 1. On the relevant resource type's page, click on **Correlation Rules** and **+ New**. - ![New Correlation Rule](/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp) + ![New Correlation Rule](/images/identitymanager/resourcetype_newcorrelrule_v602.webp) Correlation rules can also be created through the **Access Rules** screen (accessible from the home page, in the **Configuration** section), clicking on the **Correlations** tab and the addition button at the top right corner. - ![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 2. Fill in the fields. - ![New Correlation Rule Fields](/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp) + ![New Correlation Rule Fields](/images/identitymanager/resourcetype_newcorrelrulefields_v602.webp) - **Source Object**: at least one property from the source system that is going to be linked to a given target object. Can be defined by a property path and/or an 
@@ -156,14 +156,14 @@ Fill a resource type with a correlation rule by proceeding as follows: > In this example, a person via their login and name, is the owner of a nominative AD > account via its `sAMAccountName` attribute and display name: > - > ![Correlation Rule Example](/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp) + > ![Correlation Rule Example](/images/identitymanager/correlation_example_v602.webp) 3. Click on **Create** and see a line added on the rules page. 4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys** to compute the expressions used in the new correlation rule(s), and click on **Jobs** > **Compute Role Model** to apply all correlation rules. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Impact of Modifications @@ -186,7 +186,7 @@ Any modification in correlation rules is taken into account via the following jo dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys**, and then on **Jobs** > **Compute Role Model**. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Verify Correlation 
@@ -195,13 +195,13 @@ In order to verify the process, check the list of and analyze them to look for patterns revealing correlation issues. To do so, click on the target entity type(s) affected by your rule(s) in the left menu of the home page. -![Test Entity Type](/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) +![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp) The entity type's page can be configured via XML to customize all displayed columns and available filters, especially the **Orphan** filter that spots resources without an owner, and the **Owner / Resource Type** column that shows the owner assigned to each resource. -![Owner / Resource Type Column](/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp) +![Owner / Resource Type Column](/images/identitymanager/correlation_test_v522.webp) A knowledgeable person must analyze a few samples to ensure that resources' owners can all be justified, meaning that orphaned accounts are supposed to be so, and that correlated resources are @@ -214,7 +214,7 @@ of users. However, keep in mind that several accounts are sometimes assigned to If a resource is not correlated (or not correctly), then: -![Uncorrelated Resource](/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp) +![Uncorrelated Resource](/images/identitymanager/correlation_uncorrelated_v600.webp) - Check the validity of correlation rules. - Check the resource's data quality. diff --git a/docs/identitymanager/6.2/user-guide/set-up/categorization/index.md b/docs/identitymanager/6.2/user-guide/set-up/categorization/index.md index 806c02345a..75f1c2c426 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/categorization/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/categorization/index.md 
@@ -50,7 +50,7 @@ specific resource can only be assigned a single resource type. See the [Entitlement Management](/docs/identitymanager/6.2/introduction-guide/overview/entitlement-management/index.md) topic for additional information. -![Classification Schema](/images/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp) +![Classification Schema](/images/identitymanager/categorization_classifschema.webp) Any resource that is unclassified will not be available for review. @@ -59,7 +59,7 @@ In most cases, an identity resource that becomes the owner of an account resourc [Entitlement Management](/docs/identitymanager/6.2/introduction-guide/overview/entitlement-management/index.md) topic for additional information. -![Correlation Schema](/images/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp) +![Correlation Schema](/images/identitymanager/categorization_correlschema.webp) While an owner can possess several resources, a resource can have only one owner. @@ -71,11 +71,11 @@ As stated previously, both classification and correlation work through sets of r > For basic users, we have in Identity Manager: > -> ![Example - Basic Users in Usercube](/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp) +> ![Example - Basic Users in Usercube](/images/identitymanager/categorization_examplebasicuser.webp) > > For basic users, we have in the AD: > -> ![Example - Basic Users in AD](/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp) +> ![Example - Basic Users in AD](/images/identitymanager/categorization_examplebasicad.webp) > > Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | > --- | --- | | all accounts from OU=Users | 1. mail (from AD) = user's email 
@@ -84,11 +84,11 @@ As stated previously, both classification and correlation work through sets of r > For administrators, we have in Identity Manager: > -> ![Example - Basic Users in Usercube](/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp) +> ![Example - Basic Users in Usercube](/images/identitymanager/categorization_exampleadminuser.webp) > > For administrators, we have in the AD: > -> ![Example - Admin Users in AD](/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp) +> ![Example - Admin Users in AD](/images/identitymanager/categorization_exampleadminad.webp) > > Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | > --- | --- | | all accounts from OU=Administrators | 1. sAMAccountName = "A" + user's employee id @@ -115,7 +115,7 @@ remaining uncorrelated resources. In the same way, Identity Manager will apply correlation rules before classification rules. -![Categorization Schema](/images/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp) +![Categorization Schema](/images/identitymanager/categorization_categschema.webp) Now that you have created resource types and their correlation/classification rules, you have created the first elements for your role model. See the diff --git a/docs/identitymanager/6.2/user-guide/set-up/categorization/resource-type-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/categorization/resource-type-creation/index.md index 5c3ef1c95f..794f09bce5 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/categorization/resource-type-creation/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/categorization/resource-type-creation/index.md 
@@ -73,17 +73,17 @@ Create a resource type by proceeding as follows: 1. On the relevant connector page, click on the addition button in the **Resource Types** frame. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) Resource types can also be created through the **Access Roles** screen (accessible from the home page, in the **Configuration** section), using the **+ New** button and selecting `Resource Type` in the first field called `Type`. - ![Home - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + ![Home - Access Roles](/images/identitymanager/home_roles_v602.webp) 2. Fill in the fields. - ![New Resource Type](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp) + ![New Resource Type](/images/identitymanager/resourcetype_newresourcet_v603.webp) - `Identifier`: must be unique among resource types, without any whitespace, and be C#-compatible. @@ -224,6 +224,6 @@ In order to verify the process, check that the resource type has been added with to the list on the **Access Roles** page, accessible from the home page in the **Administration** section. -![Home - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) +![Home - Access Roles](/images/identitymanager/home_roles_v602.webp) -![Test Connector](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp) +![Test Connector](/images/identitymanager/resourcetype_test_v602.webp) diff --git a/docs/identitymanager/6.2/user-guide/set-up/configure-global-settings/index.md b/docs/identitymanager/6.2/user-guide/set-up/configure-global-settings/index.md index cf83d7ead7..5df428f199 100644 
--- a/docs/identitymanager/6.2/user-guide/set-up/configure-global-settings/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/configure-global-settings/index.md @@ -12,7 +12,7 @@ This topic covers the customization in the application **Settings**. The Settings interface provides information and management options for the application. -![accesscertificationonlyapprovedenysettings](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedenysettings.webp) +![accesscertificationonlyapprovedenysettings](/images/identitymanager/accesscertificationonlyapprovedenysettings.webp) ### Look and Feel 
@@ -39,16 +39,16 @@ The feature **Only allow approving and refusing on access certifications items** administrator the option to limit the user's option to either **Approve** or **Deny** the Access Certification items while making the **More** button unavailable. -![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) +![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/allowapprovingdenyingaccesscertificationitems.webp) If the feature **Only allow approving and denying on access certification items** is set to **No** the following will be visible on the certification screen: -![accesscertificationonlyapprovedeny](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny.webp) +![accesscertificationonlyapprovedeny](/images/identitymanager/accesscertificationonlyapprovedeny.webp) If the feature **Only allow approving and denying on access certification items** is set to **Yes** the following will be visible on the certification screen: -![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) +![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/accesscertificationonlyapprovedeny-disabled.webp) This is how the user's experience can be customized directly from the UI. diff --git a/docs/identitymanager/6.2/user-guide/set-up/configure-workflows/index.md b/docs/identitymanager/6.2/user-guide/set-up/configure-workflows/index.md index 9e3d374898..dd142a7bde 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/configure-workflows/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/configure-workflows/index.md 
@@ -33,11 +33,11 @@ Identity Manager provides the review step as optional, for its necessity depends To perform the review of a user creation, one should have the right permissions. -![Review Permissions](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp) +![Review Permissions](/images/identitymanager/workflows_reviewpermissions_v601.webp) When a review is needed, a notification appears on the **MY TASKS** tab at the top. -![My Tasks Tab](/images/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) +![My Tasks Tab](/images/identitymanager/home_topbar_v601.webp) The reviewer can then complete the creation request and finally approve it. @@ -69,11 +69,11 @@ Configure onboarding workflows by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section, then on **Workforce** > **Onboarding Workflows** in the left menu. - ![Home - Settings](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home - Settings](/images/identitymanager/home_settings_v523.webp) 2. For each workflow, choose whether a review step is required. - ![Workflows Review Steps](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp) + ![Workflows Review Steps](/images/identitymanager/workflows_reviewsteps_v601.webp) Netwrix Identity Manager (formerly Usercube) recommends enabling the review for the onboarding of employees, and disabling the review for contractors. 
@@ -84,7 +84,7 @@ Configure onboarding workflows by proceeding as follows: 3. Configure the homonym detection. - ![Workflows Homonym Detection](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp) + ![Workflows Homonym Detection](/images/identitymanager/workflows_homonyms_v601.webp) Netwrix Identity Manager (formerly Usercube) recommends enabling the birth name comparison to detect user duplicates due to name changes, when the GDPR supports it. @@ -93,7 +93,7 @@ Configure onboarding workflows by proceeding as follows: 4. Click on **Save** at the top of the page. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) ## Verify Workflow Configuration @@ -101,14 +101,14 @@ Validate the process by proceeding as follows: 1. Access the user directory from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Execute the workflows for a new employee and a new contractor. 3. Make sure that the homonym detection works in accordance with the specified options. > For example, if the inversion comparison is enabled between the first and last names: > - > ![Workflows Homonym Detection](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp) + > ![Workflows Homonym Detection](/images/identitymanager/workflows_verifyhomonyms_v601.webp) 4. Make sure that the potential validation steps are in accordance with the specified options. diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/connection-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/connection-creation/index.md index 6734217564..fd4e524a92 100644 
--- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/connection-creation/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/connection-creation/index.md @@ -41,12 +41,12 @@ Create a connection by proceeding as follows: 1. Click on the addition button in the **Connections** frame on the connector's summary page. - ![Add a New Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp) + ![Add a New Connection](/images/identitymanager/connection_newconnection_v602.webp) 2. Fill in the connection information fields on the left, then select a package (AD, CSV, etc.) and fill the associated agent settings on the right. - ![Connection Creation](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp) + ![Connection Creation](/images/identitymanager/connectioncreation_connectioncreation_v602.webp) - `Identifier`: must be unique among connections, without any whitespace, start with a letter, and contain only letters, numbers, `.` and/or `-`. 
@@ -105,23 +105,23 @@ Identity Manager refreshes a connection's schema: - when clicking on **Refresh Schema** on the connection's page: only the schema of the current connection is refreshed; - ![Refresh Schema of One Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + ![Refresh Schema of One Connection](/images/identitymanager/connectioncreation_refreshschema_v522.webp) - when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are refreshed. - ![Refresh all Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + ![Refresh all Schemas](/images/identitymanager/connectioncreation_refreshall_v602.webp) In the **Connections** frame, either the last successful schema update is indicated or an icon is shown if the refresh schema failed. -![Failed Refresh Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) +![Failed Refresh Schemas](/images/identitymanager/connectioncreation_failedindicator_v602.webp) Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't displayed on the connection's page. On the connector's page, a connection without schema is indicated by the sentence "_There is no schema for this connection_". -![No Schema](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) +![No Schema](/images/identitymanager/connectioncreation_noschema_v522.webp) The connections' schemas must be refreshed before editing the connector's entity types via the UI, whether the connections were created via the UI or XML configuration. Otherwise, there will be no 
@@ -139,7 +139,7 @@ In order to verify the process: 1. click on **Check Connection** to ensure that Identity Manager can reach the managed system; - ![Check Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp) Some connectors have both incremental and complete setting modes. See the [Jobs](/docs/identitymanager/6.2/integration-guide/tasks-jobs/jobs/index.md)topic for additional @@ -148,19 +148,19 @@ In order to verify the process: 2. check that the connection appears in the **Connections** frame with the right options, and without the Failed icon. -![Decline Icon](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) +![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg) ## Troubleshooting If the Failed icon appears, then: -![Decline Icon](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) +![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg) Ensure that the schema of the connection is refreshed. If the schema couldn't be recovered, then: -![Schema Not Recovered](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp) +![Schema Not Recovered](/images/identitymanager/connection_notrecovered_v523.webp) - Ensure that the managed system is properly connected. - Check the connection's settings. diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-declaration/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-declaration/index.md index 45ceaede15..9f80bc9ed5 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-declaration/index.md 
+++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-declaration/index.md @@ -36,15 +36,15 @@ Create a connector container by proceeding as follows: 1. On the home page in the **Configuration** section, click on the **Connectors** button. - ![Home page - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + ![Home page - Connectors](/images/identitymanager/home_connectors_v602.webp) You will see all existing connectors. 2. Click on the addition icon and fill in the information fields. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) - ![Connector creation](/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp) + ![Connector creation](/images/identitymanager/connectorcreation_declaration_v602.webp) - `Identifier`: must be unique among connectors, without any whitespace, start with a letter, and contain only letters, numbers, `.` and/or `-`. @@ -62,11 +62,11 @@ Create a connector container by proceeding as follows: 3. Click on **+ Create** to get on the connector's overview page: - ![Connector page](/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp) + ![Connector page](/images/identitymanager/connectorcreation_connectorpage_v602.webp) ## Verify the Connector Declaration In order to verify the process, check that the connector has been added to the connectors list with the right name and identifier. -![Test Connector](/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp) +![Test Connector](/images/identitymanager/connectorcreation_test_v602.webp) 
diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-modeling/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-modeling/index.md index be06a7d939..13d78d0f74 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-modeling/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-modeling/index.md @@ -143,7 +143,7 @@ Find at the bottom a procedure example about modeling the Active Directory. All templates are detailed with examples and schemas with the following key: -![Schemas' Key](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp) +![Schemas' Key](/images/identitymanager/connectormodel_key.webp) During the technical modeling inside Identity Manager, these objects will become entity types, their attributes will become scalar properties, the links between them will become navigation properties. @@ -164,7 +164,7 @@ Permissions can be managed: #### Model -![User Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp) +![User Model](/images/identitymanager/connectormodel_user.webp) Thus you need to create one entity type to represent either accounts or other resources. @@ -200,7 +200,7 @@ creating an entity type for users, we can create an entity type for the badges. their attributes their respective access location and time, and an attribute listing authorized users. -![User Model - Canteen Badges Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp) +![User Model - Canteen Badges Example](/images/identitymanager/connectormodel_user-canteen.webp) #### Example - Mailboxes 
@@ -208,7 +208,7 @@ Mailboxes constitute a complex system, but IGA purposes require little informati so this system can too be handled with the User model, either through users and their entitlement lists, or through mailbox entitlements and their lists of authorized users. -![User Model - Mailboxes Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp) +![User Model - Mailboxes Example](/images/identitymanager/connectormodel_user-mailbox.webp) ### User-Group @@ -227,7 +227,7 @@ Users are represented by the accounts they own. #### Model -![User-Group Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) +![User-Group Model](/images/identitymanager/connectormodel_usergroup.webp) Thus you need to create one entity type to represent groups (or roles or profiles) and one for accounts. @@ -255,7 +255,7 @@ We define two entity types `SAB - User` and `SAB - Group`. We fill them with a f to manage entitlements in the SAB application. Finally, we add a navigation property in both entity types in order to link `User` with `Group` with an "n-to-n" relationship. -![User-Group Example - SAB](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp) +![User-Group Example - SAB](/images/identitymanager/connectormodel_sab.webp) #### Example - RACF 
@@ -264,7 +264,7 @@ manage critical entitlements on the mainframe. RACF is a complex system, but IGA require information about accounts and groups, as entitlements are given by group membership. Thus the system can be simplified to be managed by Identity Manager following the User-Group model. -![User-Group Example - RACF](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp) +![User-Group Example - RACF](/images/identitymanager/connectormodel_racf.webp) For RACF, Identity Manager provisions only the link between accounts and groups. @@ -278,7 +278,7 @@ Identity Manager manages users (with their accounts) and groups called here pro profiles are grouped into departments, themselves grouped into partitions. Entitlements are called authorizations, and are linked to users through group (profile) membership. -![User-Group Example - TSS](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp) +![User-Group Example - TSS](/images/identitymanager/connectormodel_tss.webp) For TSS, Identity Manager provisions only the link between users and profiles. @@ -312,7 +312,7 @@ The object `Group` from the template is called here `Position` (grouped into org themselves grouped into organization types). It contains the way an entitlement is given, here through a given position and wallet. -![User-Group Example - SDGE](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp) +![User-Group Example - SDGE](/images/identitymanager/connectormodel_sdge.webp) For SDGE, Identity Manager provisions only workers and the link between workers and positions. 
@@ -336,7 +336,7 @@ basic characteristics: #### Model -![Account-Profile-Transaction Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp) +![Account-Profile-Transaction Model](/images/identitymanager/connectormodel_profiletransaction.webp) Thus you need to create one entity type to represent accounts, one for profiles, and one for transactions. @@ -362,7 +362,7 @@ sticks to the real capacity of the technical tool and all use-cases are consider See the schema below this note. -![Profiles Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp) +![Profiles Example](/images/identitymanager/connectormodel_profiles.webp) Transactions are not mandatory in a model. Most of the time, the profile packages are predefined once and for all, or are the responsibility of the application owner. Then Identity Manager doesn't @@ -376,7 +376,7 @@ must take them into account. The TSS connector is actually a mix of the User-Group and Account-Profile-Transaction models. The User-Group part is explained above. -![User-Group Example - TSS](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp) +![User-Group Example - TSS](/images/identitymanager/connectormodel_tss-prof-trans.webp) Transactions are called here authorizations. @@ -405,7 +405,7 @@ criteria altogether (i.e. the right profile and other user parameters). #### Model -![Star Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp) +![Star Model](/images/identitymanager/connectormodel_star.webp) Thus you need to create one entity type to represent accounts, one for each criterion, and another one to represent the object linking acounts to criteria. 
@@ -436,7 +436,7 @@ Consider an application which manages entitlement assignment with different rule users' profiles, attachment areas and sites. Our example shows 4 profiles, 4 attachment areas and 3 sites. So a user may be assigned a given entitlement for a given profile, attachment area and site. -![Star Model Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp) +![Star Model Example](/images/identitymanager/connectormodel_starmodel.webp) For this connector, Identity Manager provisions only the links between accounts and linking objects, and the links between linking objects and each criterion. @@ -457,19 +457,19 @@ memberships of accounts. In other words, to assign an entitlement to an identity account of said identity member of the corresponding AD group. That is exactly what the User-Group template is designed to handle. See the Model the Data topic for additional information. -![User-Group Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) +![User-Group Model](/images/identitymanager/connectormodel_usergroup.webp) **Step 2: adapt the model to your reality.** We start by renaming the `Account` object as `AD_User` and the `Group` object as `AD_Group`. -![AD Example - Step 1](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp) +![AD Example - Step 1](/images/identitymanager/connectormodel_ad-step1.webp) **Step 3: define useful data close to your reality.** We shape these objects with the following attributes: -![AD Example - Step 2](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp) +![AD Example - Step 2](/images/identitymanager/connectormodel_ad.webp) **Step 4: ensure that all objects have unique keys.** 
@@ -496,4 +496,4 @@ Beyond avoiding repetition, this makes the model easily adaptable if new element > `AD_Computer` and `AD_OU` without merging groups with entries, designing `AD_Entry` with all these > attributes provides the means to add objects without creating new entity types. > -> ![AD_Entry Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp) +> ![AD_Entry Example](/images/identitymanager/connectormodel_adentry.webp) diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md index 80fea3ce7d..4e85a72a0d 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md @@ -19,7 +19,7 @@ in alphabetic order. > For example, for an HR user without any display groups: > -> ![Without Display Groups](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp) +> ![Without Display Groups](/images/identitymanager/entitytypecreation_displaygroups_without_v603.webp) ## Organize Resources' Datasheets 
@@ -32,19 +32,19 @@ Organize resources' datasheets by proceeding as follows: top right corner. 3. On the entity type's definition page, click on the **Display** tab. - ![Display Groups](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp) + ![Display Groups](/images/identitymanager/entitytypecreation_displaygroups_v603.webp) 4. Click on the arrow to see the entity type's properties listed in the alphabetical order, and drag and drop the properties to customize the order. > For example: > - > ![Display Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp) + > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example1_v603.webp) 5. When needing to group properties together, click on **Add Display Group**, fill in the fields and select from the pop-up window the properties to be grouped. - ![Display Group Fields](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp) + ![Display Group Fields](/images/identitymanager/entitytypecreation_displaygroups_fields_v603.webp) - `Identifier`: must be unique among display groups, without any whitespace, and be C#-compatible. 
@@ -52,11 +52,11 @@ Organize resources' datasheets by proceeding as follows: - `Name`: will be displayed in the UI to indicate the property group. > For example: > - > ![Display Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp) + > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example2_v603.webp) > > The entity type's resources would look like: > - > ![Display Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp) + > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example2results_v603.webp) 6. Click on **Save & Close**. @@ -70,7 +70,7 @@ Every time an entity type mapping is modified and saved, a green pop-up appears should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md index 1693c76c49..fdd89861d7 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md 
@@ -16,7 +16,7 @@ identify a resource of an entity type. Its value is computed from existing prope for the entity type `HR - User`, integrators may set the display name to: ` - `. -![Display Name - Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp) +![Display Name - Example](/images/identitymanager/entitytypecreation_displaynameexample_v600.webp) If you do not set your own display name, Identity Manager provides a default value based on the first scalar property after alphabetizing all the properties whose name contains `name`. @@ -32,7 +32,7 @@ Set the resource's display name by proceeding as follows: top right corner. 3. On the entity type's definition page, click on the **Settings** tab. - ![Display Name - Property Path](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp) + ![Display Name - Property Path](/images/identitymanager/entitytypecreation_displayname_v603.webp) 4. Set the display name. As a display name, you can use either the value of an existing property, or compute [Expressions](/docs/identitymanager/6.2/integration-guide/toolkit/expressions/index.md) based on 
@@ -41,15 +41,15 @@ Set the resource's display name by proceeding as follows: > A resource from `AD - Entry` can be displayed using its `userPrincipalName` with predefined > functions. > - > ![AD Entity Type - Display Name](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp) + > ![AD Entity Type - Display Name](/images/identitymanager/entitytypecreation_examplead4_v602.webp) > - > ![AD Entity Type - Display Name Result](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp) + > ![AD Entity Type - Display Name Result](/images/identitymanager/entitytypecreation_examplead4-result_v602.webp) > Another example from the HR connector (User entity type): > - > ![HR User Entity Type - Display Name](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp) + > ![HR User Entity Type - Display Name](/images/identitymanager/entitytypecreation_examplehr_v602.webp) > - > ![HR User Entity Type - Display Name Result](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp) + > ![HR User Entity Type - Display Name Result](/images/identitymanager/entitytypecreation_examplehr-result_v602.webp) 5. Click on **Save & Close**. 
@@ -65,7 +65,7 @@ Every time an entity type mapping is modified and saved, a green pop-up appears should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. @@ -76,7 +76,7 @@ You can find the **Reload** button either on the green warning, or on the connec If no property appears in the display name auto-completion, then: -![No Property](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp) +![No Property](/images/identitymanager/entitytypecreation_troubleprop_v602.webp) Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top right corner of the screen. diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md index a11325d24c..8387ed60f5 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md 
@@ -23,15 +23,15 @@ Create the entity type by proceeding as follows: 1. Access the connector's page by clicking on the **Connectors** button on the home page in the **Configuration** section, then on the relevant connector. - ![Home page - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + ![Home page - Connectors](/images/identitymanager/home_connectors_v602.webp) 2. On the connector's page, in the **Entity Types** frame, click on the addition button. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 3. Fill in the information fields. - ![Entity type creation](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp) + ![Entity type creation](/images/identitymanager/entitytypecreation_entitytypecreation_v602.webp) - `Identifier`: must be unique among entity types, without any whitespace, and be C#-compatible. [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). @@ -45,7 +45,7 @@ Create the entity type by proceeding as follows: 4. In the entity type's **Properties** section, choose a source so that the connection provides the source's data structure. - ![Properties' source](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + ![Properties' source](/images/identitymanager/entitytypecreation_propertiessource_v522.webp) > Let's use the example of an AD connector. We create an entity type `AD - Entry` to gather the > valuable information from the AD, i.e. all the AD entries (groups and accounts) which we want 
@@ -65,7 +65,7 @@ type. If there are no connection tables available in the **Source** dropdown list of an entity type, then: -![Properties' source](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) +![Properties' source](/images/identitymanager/entitytypecreation_propertiessource_v522.webp) Ensure that there are existing connections: @@ -76,7 +76,7 @@ Ensure that there are existing connections: If there is a message stating to refresh the connection's schema, then: -![No Connection Table Error](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp) +![No Connection Table Error](/images/identitymanager/entitytypecreation_troubleshootingschema_v603.webp) Start by making sure that the connection's schema is refreshed by clicking on **Refresh all schemas** on the connector page, and verify that there is no error. diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/index.md index 6635eb014b..a10cbd97c0 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/index.md 
@@ -23,7 +23,7 @@ resources inside Identity Manager. It is a relational model, made of properties ([Define Scalar Properties](/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)) and links between entity types ([Define Navigation Properties](/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md)), both described later. -![Entity Type - Schema](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) +![Entity Type - Schema](/images/identitymanager/entitytypecreation_schema.webp) The configuration of entity types depends entirely on the previously established by[Model the Data](/docs/identitymanager/6.2/user-guide/set-up/connect-system/connector-modeling/index.md). @@ -64,7 +64,7 @@ configuration. See below this note. > resource types for a standard AD connector. The template is available for a connector with an AD > connection but no entity types. > -> ![Entity Type - AD Template](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp) +> ![Entity Type - AD Template](/images/identitymanager/entitytype_template_v602.webp) ## Verify the Entity Type diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md index d17c61ff8e..1f38311a41 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md 
@@ -97,7 +97,7 @@ Create an entity type by proceeding as follows: [Define Scalar Properties](/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) topic for additional information. - ![Keys](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp) + ![Keys](/images/identitymanager/entitytypecreation_keys_v522.webp) 2. In the entity type's **Properties** section, choose the key properties. 3. Choose the mapping key. @@ -109,7 +109,7 @@ Every time an entity type mapping is modified and saved, a green pop-up appears should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md index 69d795c372..ecc4431adc 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md 
@@ -22,25 +22,25 @@ information. > to other groups. In the UI, `memberOf` is displayed just like scalar properties, but you can click > its values to access each group in the list. Here for the AD entry `ADM Vidal Pierre`: >
-> ![Navigation Property - memberOf](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp)
+> ![Navigation Property - memberOf](/images/identitymanager/entitytypecreation_memberof_v600.webp)
 > > Clicking on one of these groups will display the group’s properties, including the other side of > the `memberOf` property—called `member`—which contains the list of users and groups who are > members. Example: `SG_APP_RAY_0_LDAP_READLDSFEDE`: >
-> ![Navigation Property - member](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp)
+> ![Navigation Property - member](/images/identitymanager/entitytypecreation_member_v600.webp)
 > As another example, a department is linked to a manager who is an existing user. The user > identifier is used in the `Manager` property to create the link between department and manager.
In > the UI, `Manager` is displayed like scalar properties, but you can click it to access the > manager’s page: >
-> ![Navigation Property - Manager](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp)
+> ![Navigation Property - Manager](/images/identitymanager/entitytypecreation_manager_v600.webp)
 > > Clicking the manager displays their properties, including the `Department` property, which points > back to the managed department: >
-> ![Navigation Property - Managed Department](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp)
+> ![Navigation Property - Managed Department](/images/identitymanager/entitytypecreation_managerof_v600.webp)
 Navigation properties can create a link:
@@ -80,7 +80,7 @@ Define navigation properties by following these steps: select the ones to use. 4. Fill in the information fields:
- ![Navigation Properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp)
+ ![Navigation Properties](/images/identitymanager/entitytypecreation_navigationproperties_v602.webp)
 If you map a column from the source, the first line is for the source column, and the second is the new navigation property in Identity Manager (always in the entity type).
@@ -126,11 +126,11 @@ Define navigation properties by following these steps: > `Entries`, `assistant`, `assistantOf`, `manager`, `directReports`, `memberOf`, `member`, > `parentdn`, `children`
-**> ![AD Entity Type - Navigation Properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp)**
+**> ![AD Entity Type - Navigation Properties](/images/identitymanager/entitytypecreation_examplead3_v603.webp)**
 5. Click the gear icon to access advanced settings:
- ![Advanced Settings](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp)
+ ![Advanced Settings](/images/identitymanager/entitytypecreation_propertiessettings_v602.webp)
 - `Icon`: Choose from [Microsoft icon set](https://uifabricicons.azurewebsites.net/) - **Source Expression**: Define using a property path or
@@ -138,7 +138,7 @@ Define navigation properties by following these steps: > Example: Scalar `isUnused` created by combining `accountExpires` and `lastLogonTimestamp` >
- > ![Source Expression Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp)
+ > ![Source Expression Example](/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp)
 - `Flexible Comparison Expression`: Adds advanced search matching - `History Precision`: Set how often property history is recorded
@@ -156,7 +156,7 @@ Clicking **Continue** closes the window but **does not save** the configuration. After saving, a green banner reminds you to reload the schema. It’s not necessary after every step—but is **required after the final step** to apply changes.
-![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp)
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
 The **Reload** button ensures updates appear in the menu links on the UI home page. You’ll find it either in the banner or on the connector dashboard.
diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md
index de0d0ff5ae..c50ea0b2fa 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md
@@ -17,7 +17,7 @@ the properties from the corresponding managed system. > For example: `DisplayName`; `Email`; `Identifier`; `StartDate`; etc. >
-> ![Scalar Properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp)
+> ![Scalar Properties](/images/identitymanager/entitytypecreation_scalarex_v600.webp)
 Most often, properties inside Identity Manager are each linked to a property from the managed system. This way, data from the managed system can be imported into Identity Manager and stored in
@@ -47,14 +47,14 @@ Define the entity type's scalar properties by proceeding as follows: existing columns from the external source, and select the properties to be used in the entity type.
- ![Map from source](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp)
+ ![Map from source](/images/identitymanager/entitytypecreation_scalarpropertiesmap_v602.webp)
 You need to configure at least one property to be able to define primary keys later, and thus create an entity type. 3. Fill in the information fields.
- ![Scalar properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp)
+ ![Scalar properties](/images/identitymanager/entitytypecreation_scalarproperties_v603.webp)
 - **APPLICATION METADATA**: fields about the future display of the properties inside Identity Manager.
@@ -102,11 +102,11 @@ Define the entity type's scalar properties by proceeding as follows: > `thumbnailPhoto` of format `Binary` or `objectCategory` as `RDN` or `pwdLastSet` as > `1601 Date`. >
- > ![AD Entity Type - Scalar Properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp)
+ > ![AD Entity Type - Scalar Properties](/images/identitymanager/entitytypecreation_examplead2_v602.webp)
 4. Click on the Gear symbol to add advanced settings if needed.
- ![Advanced Settings](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp)
+ ![Advanced Settings](/images/identitymanager/entitytypecreation_propertiessettings_v602.webp)
 - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and will be displayed with the property among users' data.
@@ -117,7 +117,7 @@ Define the entity type's scalar properties by proceeding as follows: > For example, `isUnused` is created to spot unused accounts via a combination of > `accountExpires` and `lastLogonTimestamp`: >
- > ![Advanced Settings](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp)
+ > ![Advanced Settings](/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp)
 - `Flexible Comparison Expression`: expression that inserts adaptable comparison flexibility when using a searchbar for the property.
@@ -142,7 +142,7 @@ Every time an entity type mapping is modified and saved, a green pop-up appears should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made.
-![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp)
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
 The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page.
@@ -157,6 +157,6 @@ Before saving, you must first[Select Primary Keys](/docs/identitymanager/6.2/use If the Format column is not displayed in the External System part, then:
-![Scalar properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp)
+![Scalar properties](/images/identitymanager/entitytypecreation_scalarpropertieswithoutformat_v522.webp)
 Refresh the connections' schemas.
diff --git a/docs/identitymanager/6.2/user-guide/set-up/connect-system/index.md b/docs/identitymanager/6.2/user-guide/set-up/connect-system/index.md
index d70f7d4b0e..c46d92d989 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/connect-system/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/connect-system/index.md
@@ -28,7 +28,7 @@ ServiceNow, EasyVista, SAP, SharePoint, etc. A connector, therefore, acts as an interface between Identity Manager and a managed system.
-![Connector Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp)
+![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp)
 NETWRIX strongly recommends the creation of one connector for one application.
@@ -44,7 +44,7 @@ NETWRIX strongly recommends the creation of one connector for one application. In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity Manager will feed data into connected managed systems.
-![Outbound System=](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp)
+![Outbound System=](/images/identitymanager/connectorcreation_outbound.webp)
 In this case, data flows between Identity Manager and the managed system are also called:
@@ -118,7 +118,7 @@ Identity Manager's connectors all operate on the same basic principles. Technica > `AD User (administration)` for sensitive administration accounts, which we want to provision > manually through Identity Manager.
-![Connector Technical Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp)
+![Connector Technical Schema](/images/identitymanager/connectorcreation_connectortechnicalschema.webp)
 A connector requires at least one connection and one entity type.
@@ -161,7 +161,7 @@ the connector's synchronization- and provisioning-related tasks from any jobs. S You can activate the connector again at any time using the same button.
-![Jobs Results Dashboard](/images/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp)
+![Jobs Results Dashboard](/images/identitymanager/synchro_dashboard_v522.webp)
 ## Next Steps
diff --git a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md
index af13eb815d..72b81d31bf 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md
@@ -48,14 +48,14 @@ Adjust the data model by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section.
- ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp)
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
 2. On the **Workforce** > **Data Model** page, click on the following icon to adjust the data model to your specific situation.
- ![Scan Data Model](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg)
+ ![Scan Data Model](/images/identitymanager/iconscandatamodel_v602.svg)
- ![Scan Data Model](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp)
+ ![Scan Data Model](/images/identitymanager/initialload_scandatamodel_v60.webp)
 Identity Manager counts the entries for each attribute and suggests a quantification:
@@ -63,7 +63,7 @@ Adjust the data model by proceeding as follows: - Non-empty attributes are quantified (e.g. small, large, etc.) to be displayed in the UI's forms optimally (e.g. dropdown list, search tool, etc.).
- ![Scan Data Model - Result](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp)
+ ![Scan Data Model - Result](/images/identitymanager/initialload_scandatamodel-result_v523.webp)
 3. Observe the result and adjust manually the data model if needed, by clicking on the properties.
@@ -84,11 +84,11 @@ Adjust the data model by proceeding as follows: 4. Click on the Save icon at the top.
- ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg)
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
 5. Click on the **Reload** button to apply the recent changes to the application.
- ![Reload Button](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp)
+ ![Reload Button](/images/identitymanager/reload_v603.webp)
 ## Verify Identities Loading
@@ -98,7 +98,7 @@ In order to validate the process: > For example, our `Region` field in `Site` is sized as `large`. >
- > ![Scan Data Model - Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp)
+ > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example_v523.webp)
 2. Navigate within Identity Manager to find a workflow using the test field. Observe the displaying mode in the UI.
@@ -106,9 +106,9 @@ In order to validate the process: > Our `State` field must be filled in during the creation of a new site. It can be filled by > opening a pop-up and choosing the region in the list. >
- > ![Scan Data Model - Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp)
+ > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example2_v523.webp)
 >
- > ![Scan Data Model - Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp)
+ > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example3_v523.webp)
 3. Back on the scanning feature, change the displaying mode of your test field and save.
diff --git a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md
index 25f999b539..5006146b7d 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md
@@ -48,13 +48,13 @@ Configure the generation of unique properties by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section.
- ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp)
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
 2. On the **Workforce** > **Identifiers, Mails & Logins** page, you can follow Identity Manager's instructions to configure the generation of a unique identifier for new workers (if needed), based on one of the available options.
- ![Unique Identifier Generation](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp)
+ ![Unique Identifier Generation](/images/identitymanager/initialload_uniqueidentifier_v602.webp)
 - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all special characters; can add a separator between the first name and the last name if needed
@@ -75,7 +75,7 @@ Configure the generation of unique properties by proceeding as follows: 3. Follow Identity Manager's instructions to configure the generation of a unique email address for all users (who do not have one), based on one of the available options.
- ![Unique Email Generation](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp)
+ ![Unique Email Generation](/images/identitymanager/initialload_uniqueemail_v602.webp)
 - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all special characters; can add a separator between the first name and the last name if needed
@@ -96,7 +96,7 @@ Configure the generation of unique properties by proceeding as follows: 4. Follow Identity Manager's instructions to configure the generation of a unique login for new workers (who do not have one), based on one of the available options.
- ![Unique Login Generation](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp)
+ ![Unique Login Generation](/images/identitymanager/initialload_uniquelogin_v602.webp)
 - `Based on Email`: uses the local part of the email, i.e. before `@`. - `Based on Full Email`: uses the full email.
@@ -105,19 +105,19 @@ Configure the generation of unique properties by proceeding as follows: 5. Click on the Save icon at the top.
- ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg)
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
 6. Click on the **Reload** button to apply the recent changes to the application.
- ![Reload Button](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp)
+ ![Reload Button](/images/identitymanager/reload_v603.webp)
 ## Verify Property Generation In order to verify the process, add a fictitious employee through the workflows from the UI.
-![Home - New Employee](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp)
+![Home - New Employee](/images/identitymanager/home_newemployee_v600.webp)
 Verify in the directory that the employee's sheet displays the expected values for the configured unique properties.
-![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
diff --git a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/index.md b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/index.md
index 98a5884b40..bfdbf631ed 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/index.md
@@ -18,13 +18,13 @@ Each identity will be represented by a set of properties that are to be used in > For example, a user can be represented by an identifier and linked to their position which > includes the user's employee id, last name and first name, email, user type, organization, etc. >
-> ![Identity Repository Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp)
+> ![Identity Repository Example](/images/identitymanager/identityrepository-example.webp)
 > In Identity Manager, the identity repository can look like the following: >
-> ![Identity Repository Result](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp)
+> ![Identity Repository Result](/images/identitymanager/identityrepository_v602.webp)
 >
-> ![Identity Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp)
+> ![Identity Example](/images/identitymanager/identityrepository-person_v602.webp)
 See the [Identity Repository](/docs/identitymanager/6.2/integration-guide/identity-management/identity-repository/index.md)
diff --git a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/load-identities/index.md b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/load-identities/index.md
index 5a63d09b20..cb593c66ff 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/load-identities/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/load-identities/index.md
@@ -21,7 +21,7 @@ lifecycle management features and managing assignments of entitlements. Identity Manager contains a template model, downloadable as an Excel file. Below is an example of a part of the `UserRecord` tab, used in Identity Manager's demo:
-![Template Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp)
+![Template Example](/images/identitymanager/initialload_templateexample_v602.webp)
 ### Useful data
@@ -66,11 +66,11 @@ Load identities for the first time by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section.
- ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp)
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
 2. On the **Workforce** > **Data Upload** page, download the empty Excel template.
- ![Upload Icon](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg)
+ ![Upload Icon](/images/identitymanager/icondownload_v602.svg)
 3. Collect identity and organizational data.
@@ -110,7 +110,7 @@ Load identities for the first time by proceeding as follows: [Template Description](/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/template-description/index.md)**. Below are the minimum recommended attributes (mandatory in orange):
- ![Template Recommendations](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp)
+ ![Template Recommendations](/images/identitymanager/initialload_templatereco_v600.webp)
 [**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx).
@@ -152,18 +152,18 @@ Load identities for the first time by proceeding as follows: 5. Back on the **Workforce** > **Data Upload** page, upload the filled Excel file to the server in order to feed the data back to Identity Manager.
- ![Upload Icon](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg)
+ ![Upload Icon](/images/identitymanager/iconupload_v602.svg)
 The latest uploaded file overwrites the previous one. 6. Click on **Verify and Synchronize** to check the file's consistency and import its data into Identity Manager.
- ![Verify and Synchronize](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp)
+ ![Verify and Synchronize](/images/identitymanager/initialload_dataupload-synchronize_v602.webp)
 Now you are able to view users' pages in the directory.
- ![Directory - Users](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp)
+ ![Directory - Users](/images/identitymanager/initialload_directoryusers_v602.webp)
 ## Verify Identities Loading
@@ -172,14 +172,14 @@ In order to validate the process: - Check manually a sample in the user directory accessible from the home page. You should verify at least your own sheet and the sheets for your hierarchy.
- ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 - Check that every organization includes a manager. Organizations are accessible from the department directory on the home page.
- ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp)
+ ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp)
- ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp)
+ ![List of Departments](/images/identitymanager/initialload_departments_v602.webp)
 If the system contains many organizations, then it is also possible to list each organization with its manager through the Query module.
diff --git a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/template-description/index.md b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/template-description/index.md
index b41f17f69f..c91ecfa195 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/template-description/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/initial-identities-loading/template-description/index.md
@@ -10,7 +10,7 @@ Description of the MS Excel template for the creation of the identities reposito [**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx).
-![Template Model](/images/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp)
+![Template Model](/images/identitymanager/initialload_templatemodel_v603.webp)
 All tabs contain a column `Command` only used at a later stage to modify (massively) identity data. See the
diff --git a/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md b/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md
index 9ff076c9ac..bc191013b4 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md
@@ -38,7 +38,7 @@ entity type itself). Let's call this entity type the "other" one. rule when there is the need to use variables from among users' attributes to select the resource to assign.
-![Schema - Scalar Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp)
+![Schema - Scalar Rule](/images/identitymanager/provrules_schemanavigation.webp)
 > A navigation rule could add the AD group `SG_APP_SQL` to the `memberOf` navigation property to all > AD nominative accounts provided that the user has the single role `SQL Server Administration`.
@@ -156,20 +156,20 @@ Fill an entity type with a navigation rule by proceeding as follows: **Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section.
-![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future navigation rule.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner.
-![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
 **Step 4 –** Fill in the fields.
-![Create a Navigation Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp)
+![Create a Navigation Rule](/images/identitymanager/singlerolescatalog_createnavrule_v602.webp)
 - `Join`: navigation property from the target entity type, whose value is to be impacted. - `Resource`: resource from the entity type pointed by the `Join`, which is to be added to the
@@ -185,7 +185,7 @@ navigation rule. > Our example would look like: >
-> ![Scalar Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp)
+> ![Scalar Rule Example](/images/identitymanager/provrules_examplenav_v602.webp)
 **Step 5 –** Click on **Create** and see a line added on the rules page.
@@ -197,24 +197,24 @@ Fill an entity type with a query rule by proceeding as follows: **Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section.
-![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future query rule.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 3 –** Click on the **Queries** tab and on the addition button at the top right corner.
-![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
 Fill in the fields.
-![Create Query Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp)
+![Create Query Rule](/images/identitymanager/provrules_queryrule_v522.webp)
 Once the `Resource Type` is provided, more fields appear.
-![Query Rule Fields](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp)
+![Query Rule Fields](/images/identitymanager/provrules_queryrulefields_v602.webp)
 - **Target Object** > `Property to fill`: navigation property from the target entity type, whose value is to be impacted.
@@ -237,9 +237,9 @@ Once the `Resource Type` is provided, more fields appear. > Our examples would look like: >
-> ![Query Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp)
+> ![Query Rule Example](/images/identitymanager/provrules_examplequery_v602.webp)
 >
-> ![Query Rule Example 2](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp)
+> ![Query Rule Example 2](/images/identitymanager/provrules_examplequerybis_v602.webp)
 Click on **Create** and see a line added on the rules page.
@@ -249,7 +249,7 @@ Any modification in a navigation or query rule is taken into account when launch computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**.
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 This task applies the rules and computes new properties. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created
@@ -272,7 +272,7 @@ In order to verify the process: **Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules.
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on the **Role Reconciliation** screen) to help check query rules: if there are numerous properties to be
diff --git a/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md
index bf44b993ce..d43b9493da 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md
@@ -44,19 +44,19 @@ Create a resource type rule by proceeding as follows: 1. Click on **Access Rules** on the home page in the **Configuration** section.
- ![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+ ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
 2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule.
- ![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+ ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 3. Click on the **Resource Types** tab and on the addition button at the top right corner.
- ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg)
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
 4. Fill in the fields.
- ![Create a Resource Type Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp)
+ ![Create a Resource Type Rule](/images/identitymanager/provrules_typerule_v602.webp)
 - `Resource Type`: resource type to be automatically assigned. - `Type`: assignment type that can be: `Suggested` so that the resource type is listed among
@@ -71,7 +71,7 @@ Create a resource type rule by proceeding as follows: - **Criteria**: conditions that, if met, trigger the resource creation. > Our example would look like: >
- > ![Resource Type Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp)
+ > ![Resource Type Rule Example](/images/identitymanager/provrules_exampletype_v602.webp)
 5. Click on **Create** and see a line added on the rules page.
@@ -81,7 +81,7 @@ Any modification in a resource type rule is taken into account when launching th computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**.
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 This task applies the rules and computes new assignments. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created
@@ -107,18 +107,18 @@ Then, you can: 1. Select a test user in the directory, accessible from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Create a resource type rule involving an account that said user doesn't already have, based on criteria which the selected user satisfies. 3. Trigger the computation of the role model by clicking, on the corresponding connector's overview page, in the **Resource Types** frame, on **Jobs** > **Compute Role Model** to apply all rules.
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 4. See the new account in the user's **View Permissions** tab.
- ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
 If the type rule uses a single role as a criterion, and the user has said role, then both the resource type and the role will be displayed in the user's permissions, but only if the role is
diff --git a/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md b/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md
index 62b29c59bd..864ef60dd4 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md
@@ -26,7 +26,7 @@ The right tools for the job are scalar rules. A scalar property's value can be computed by a scalar rule, based on at least one scalar property from the source entity type, possibly writing a C# expression.
-![Schema - Scalar Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp)
+![Schema - Scalar Rule](/images/identitymanager/provrules_schemascalar.webp)
 A scalar rule could define the scalar property displayName of nominative AD accounts based on its owner's name with the expression:
@@ -110,24 +110,24 @@ See the [Categorize Resources](/docs/identitymanager/6.2/user-guide/set-up/categ Fill an entity type with a scalar rule by proceeding as follows:
-![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future scalar rule.
-![iconadd_v602](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![iconadd_v602](/images/identitymanager/iconadd_v602.webp)
 **Step 3 –** Click on the **Scalars** tab and on the addition button at the top right corner.
-![Create Scalar Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp)
+![Create Scalar Rule](/images/identitymanager/provrules_scalarrule_v522.webp)
 **Step 4 –** Fill in the fields.
-![Scalar Rule Fields](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp)
+![Scalar Rule Fields](/images/identitymanager/provrules_scalarrulefields_v602.webp)
 Once the Resource Type is provided, more fields appear.
@@ -166,7 +166,7 @@ Once the Resource Type is provided, more fields appear. Our example would look like:
-![Scalar Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp)
+![Scalar Rule Example](/images/identitymanager/provrules_examplescalar_v522.webp)
 **Step 5 –** Click on **Create** and see a line added on the rules page.
@@ -176,7 +176,7 @@ Any modification in a scalar rule is taken into account when launching the role task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**.
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 This task applies the rules and computes new properties. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created
@@ -196,7 +196,7 @@ creation/modification/deletion in scalar rules. See the In order to verify the process:
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 **Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules.
diff --git a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md
index c664032151..2f0cde537f 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md
@@ -49,16 +49,16 @@ Create a category by proceeding as follows: 1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles page.
- ![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+ ![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 2. All existing categories are shown in the menus on the left. To create a new category, click on **+**.
- ![Add a New Category](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp)
+ ![Add a New Category](/images/identitymanager/singlerolescatalog_newcategory_v602.webp)
 3. Fill in the fields.
- ![Create a Category](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp)
+ ![Create a Category](/images/identitymanager/singlerolescatalog_createcategory_v602.webp)
 - `Identifier`: must be unique among categories and without any whitespace. - `Name`: will be displayed in the UI to identify the created category.
@@ -77,4 +77,4 @@ Create a category by proceeding as follows: In order to verify the process, check on the **Access Roles** screen that the category is created with the right parameters.
-![Verify Category](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp)
+![Verify Category](/images/identitymanager/categorycreation_test_v602.webp)
diff --git a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/index.md
index 4ff639fa14..9520ea820b 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/index.md
@@ -23,7 +23,7 @@ The aim here is to establish and create the exhaustive list of a way to represent entitlements which are assigned to identities, so that said identities are able to work with the managed systems.
-![Schema - Single Role](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp)
+![Schema - Single Role](/images/identitymanager/singlerolescatalog_schemarole.webp)
 In other words, establishing the role catalog aims to list exhaustively and explicitly all the roles in the organization, hiding the technical complexity of entitlements behind the business vision of
@@ -69,7 +69,7 @@ Identity Manager's roles are all built the same way. Technically speaking: - a role is created with a given approval workflow according to the entitlement's sensitivity;
- ![Schema - Approval Workflow](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp)
+ ![Schema - Approval Workflow](/images/identitymanager/singlerolescatalog_schemaapprovals.webp)
 > We choose to require one manual validation from a knowledgeable user before the Internet role > is assigned to a user.
@@ -80,7 +80,7 @@ Identity Manager's roles are all built the same way. Technically speaking: type. See the [Categorize Resources](/docs/identitymanager/6.2/user-guide/set-up/categorization/index.md) topic for additional information.
- ![Schema - Single Role with Navigation Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp)
+ ![Schema - Single Role with Navigation Rule](/images/identitymanager/singlerolescatalog_schemarolerule.webp)
 > We link the role to the entitlement named `SG_APP_DL-INTERNET-ALL` in the AD, via a navigation > rule that assigns this entitlement to the `memberOf` property of AD nominative accounts, for
@@ -89,7 +89,7 @@ Identity Manager's roles are all built the same way. Technically speaking: This part is about single roles, dealing with entitlements one-to-one. The idea is to associate one single role with one fine-grained entitlement.
- ![Schema - Roles and Identities](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp)
+ ![Schema - Roles and Identities](/images/identitymanager/singlerolescatalog_schemarolesidentities.webp)
 > For example, an accountant needs read access to the accounting software, a project manager to > their billable hours for their projects on SAP, etc.
@@ -123,7 +123,7 @@ one role per entitlement in said application, and one category for the applicati > The SAP application is about entitlements only for itself. Then, we create a single role per > entitlement in SAP inside a category called `SAP`: >
-> ![Roles Example](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp)
+> ![Roles Example](/images/identitymanager/singlerolescatalog_strategymono_v602.webp)
 One system hosting several applications with existing naming conventions
@@ -133,7 +133,7 @@ becomes more complicated. > For example, the Active Directory usually hosts many groups used to manage entitlements in several > distinct applications. >
-> ![AD Groups](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp)
+> ![AD Groups](/images/identitymanager/singlerolescatalog_strategymulti_v522.webp)
 The goal here is to find a way to clarify the link between each entitlement and the corresponding application.
@@ -160,7 +160,7 @@ filling an empty field. > For example in the Active Directory, integrators can modify the field called `description` to > specify the application name (such as Outlook in this example). >
-> ![Appropriated Field](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp)
+> ![Appropriated Field](/images/identitymanager/singlerolescatalog_strategymultinoname_v522.webp)
 Thus, the needed information is added to the managed system. After the execution of synchronization, said data is accessible inside Identity Manager database and can be used as a naming convention.
@@ -176,7 +176,7 @@ to the technical aspects (navigation rule and technical entitlement). Most proje single roles, which makes role creation a long, tedious and repetitive process. See the [Create a Role Manually](/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) topic for additional information.
-![Schema - Role Creation Top-Down](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp)
+![Schema - Role Creation Top-Down](/images/identitymanager/singlerolescatalog_schematopdown.webp)
 Roles can also be created bottom-up via role naming rules. Instead of the previous process, you can use the name of said entitlement in your managed system to create automatically the corresponding
@@ -184,7 +184,7 @@ single role and rule (and category if it does not already exist). In other words naming rules are to be based on your existing naming conventions for entitlements. See the [Create Roles in Bulk](/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) topic for additional information.
-![Schema - Role Creation Top-Down](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp)
+![Schema - Role Creation Top-Down](/images/identitymanager/singlerolescatalog_schemabottomup.webp)
 One naming rule can generate many roles, so a few automatic rules can easily and faster create the single role catalog. Naming rules prove particularly useful when you need to add multiple new
diff --git a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md
index 3252eaca5d..0ae2672b18 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md
@@ -49,12 +49,12 @@ information. Create a single role by proceeding as follows:
-![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 **Step 1 –** On the home page in the **Configuration** section, click on **Access Roles** to access the roles page.
-![createsinglerole](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/createsinglerole.webp)
+![createsinglerole](/images/identitymanager/createsinglerole.webp)
 **Step 2 –** On the roles page, click on the adequate category and create a role by clicking on **+ New** at the top right corner.
@@ -142,21 +142,21 @@ creates one navigation. Create a navigation rule by proceeding as follows:
-![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 1 –** On the home page in the **Configuration** section, click on **Access Rules** to access the rules page.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 2 –** In the drop down menu at the top left, choose the entity type to which the future navigation rule will be applied.
-![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
 **Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner.
-![Create a Navigation Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp)
+![Create a Navigation Rule](/images/identitymanager/singlerolescatalog_createnavrule_v602.webp)
 **Step 4 –** Fill in the fields.
@@ -182,29 +182,29 @@ Indeed, these rules thus lose their criteria and may be applied to far too many In order to verify the process, check that the role and rule are created with the right parameters.
-![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 **Step 1 –** For roles, click on **Access Roles** on the home page in the **Configuration** section.
-![Access Single Roles](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp)
+![Access Single Roles](/images/identitymanager/namingrulecreation_testroles_v602.webp)
 **Step 2 –** Select single roles and find the role you created inside the right category and with the right parameters. Our example would look like:
-![Example - Generated Role](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp)
+![Example - Generated Role](/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp)
-![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 3 –** For rules, click on **Access Rules** on the home page in the **Configuration** section.
-![Access Navigation Rules](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp)
+![Access Navigation Rules](/images/identitymanager/namingrulecreation_testrules_v602.webp)
 **Step 4 –** Select navigation rules and find the rule(s) you created with the right parameters.
Our example would look like:
-![Example - Generated Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp)
+![Example - Generated Rule](/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp)
 The verification of role creation has been completed.
diff --git a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md
index dac403d271..16f12c2d75 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md
@@ -53,20 +53,20 @@ Create a role naming rule by proceeding as follows: 1. On the home page, click on **Access Rules** in the **Configuration** section.
- ![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+ ![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp)
 2. In the dropdown menu at the top left, choose the entity type to which the future naming rule will be applied.
- ![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+ ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 3. Click on the **Role Naming Conventions** tab and on the addition button at the top right corner.
- ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg)
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
 4. Fill in the fields.
- ![Create a Naming Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp)
+ ![Create a Naming Rule](/images/identitymanager/namingrulecreation_newrule_v602.webp)
 - `Policy`: [Policy](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md)
@@ -124,7 +124,7 @@ Create a role naming rule by proceeding as follows: - `Comment Management on Permission Review`: to change if different from the role policy. > Our example would look like: >
- > ![Example - Naming Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp)
+ > ![Example - Naming Rule](/images/identitymanager/namingrulecreation_example_v602.webp)
 5. Click on **Create** and see a line added on the rules page.
@@ -141,31 +141,31 @@ In order to verify the process: 1. to take the changes into account, on the appropriate connector's overview page click on **Jobs** > **Apply Naming Conventions**;
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 2. check that the correct roles and rules were created. For roles, click on **Access Roles** on the home page in the **Configuration** section.
-![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 Select single roles and find the role(s) you created inside the right category and with the right parameters.
-![Access Single Roles](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp)
+![Access Single Roles](/images/identitymanager/namingrulecreation_testroles_v602.webp)
 > Our example would look like: >
-> ![Example - Generated Role](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp)
+> ![Example - Generated Role](/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp)
 For rules, click on **Access Rules** on the home page in the **Configuration** section.
-![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp)
 Select navigation rules and find the rule(s) you created with the right parameters.
-![Access Navigation Rules](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp)
+![Access Navigation Rules](/images/identitymanager/namingrulecreation_testrules_v602.webp)
 > Our example would look like: >
-> ![Example - Generated Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp)
+> ![Example - Generated Rule](/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp)
diff --git a/docs/identitymanager/6.2/user-guide/set-up/synchronization/index.md b/docs/identitymanager/6.2/user-guide/set-up/synchronization/index.md
index 2a8cf52cfb..41458e5149 100644
--- a/docs/identitymanager/6.2/user-guide/set-up/synchronization/index.md
+++ b/docs/identitymanager/6.2/user-guide/set-up/synchronization/index.md
@@ -22,7 +22,7 @@ in the form of CSV/XLSX files. These files are cleansed and loaded into Identity Synchronization is a three-step ETL process going through export, synchronization preparation and the synchronization itself.
-![Synchronization Schema](/images/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp)
+![Synchronization Schema](/images/identitymanager/synchro_schema.webp)
 #### Export
@@ -114,7 +114,7 @@ Launch synchronization for a given managed system by proceeding as follows: 1. Access the list of connectors by clicking on **Connectors** on the home page in the **Configuration** section.
- ![Home - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp)
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
 2. On the relevant connector page, in the **Entity Types** frame, click on **Jobs**.
@@ -124,7 +124,7 @@ Launch synchronization for a given managed system by proceeding as follows: connection(s) and package(s), all these tasks can be launched either in incremental or complete mode.
- ![Synchronize Job](/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp)
+ ![Synchronize Job](/images/identitymanager/synchro_executionjobs_v602.webp)
 - `Update Expressions`: computes the expressions used in the entity type mapping. - `All Tasks`: launches all previous tasks in a row.
@@ -133,7 +133,7 @@ Launch synchronization for a given managed system by proceeding as follows: in incremental mode. As a consequence, when clicking on the **Jobs** button, you wouldn't have a choice between `Complete` and `Incremental`. See below this note.
- ![Synchronize Job (Only Complete)](/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp)
+ ![Synchronize Job (Only Complete)](/images/identitymanager/synchro_executionjobs-complete_v602.webp)
 ## Manage Synchronization Automation
@@ -157,18 +157,18 @@ clicking on **Deactivate** on the connector's dashboard. This is particularly us a connector. You can also re-insert it at any time with the same button which is now named **Activate**.
-![Jobs Results Dashboard](/images/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp)
+![Jobs Results Dashboard](/images/identitymanager/synchro_dashboard_v522.webp)
 You can fine-tune the synchronization and/or provisioning of the connector by clicking on the **Edit** button.
-![Edit button](/images/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp)
+![Edit button](/images/identitymanager/synchro_edit_v600.webp)
 Click on **Job Results** to access the progress of this connector's jobs. All jobs are accessible on the **Job Execution** page in the **Administration** section.
-![Home - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+![Home - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 ## Verify an Entity Type's Synchronization
@@ -179,17 +179,17 @@ In order to verify both the synchronization configuration and 2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that synchronization completed successfully.
- ![Jobs Results](/images/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp)
+ ![Jobs Results](/images/identitymanager/synchro_results_v603.webp)
 3. Check that the entity types have been added to the left menu of the home page.
- ![Test Entity Type](/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp)
+ ![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp)
 4. Access the relevant entity types (from the menu items on the left of the home page) to check synchronized resources, by navigating in the UI from the accounts through a sample of associations, via the eye icon:
- ![Eye Icon](/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg)
+ ![Eye Icon](/images/identitymanager/iconeye_v600.svg)
 You should first look for configuration validation, and only later validation of the actual data being synchronized.
@@ -197,15 +197,15 @@ In order to verify both the synchronization configuration and > For example, let's say we created a connector for SAB that contains two entity types called > `SAB - Users` and `SAB - Groups`. Then, the home page shows them on the left. > - > ![SAB Example - Home Page](/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp) + > ![SAB Example - Home Page](/images/identitymanager/synchro_examplesab_v522.webp) > > Clicking on `SAB - Users` displays the list of all synchronized resources. > - > ![SAB Example - Data List](/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp) + > ![SAB Example - Data List](/images/identitymanager/synchro_examplesab2_v602.webp) > > Clicking on any resource displays its detailed attributes, for example `Abbott Mark`: > - > ![SAB Example - Resource Attributes](/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp) + > ![SAB Example - Resource Attributes](/images/identitymanager/synchro_examplesab3_v602.webp) > > Clicking on any eye icon displays the corresponding resource. SAB was created here with a > simple user-group schema that links n users to n groups. So here, we can check these links by @@ -225,7 +225,7 @@ logs in order to debug a situation. If the connector and/or entity type doesn't appear in the menu items, then: -![Test Entity Type](/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) +![Test Entity Type](/images/identitymanager/home_entitytypes_v602.webp) Access the relevant connector's page and click on the **Reload** button to take into account the last changes in the entity type mappings. 
@@ -237,7 +237,7 @@ recent changes in the entity type mappings. If a synchronization is blocked by an exceeded threshold, then: -![Threshold warning](/images/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp) +![Threshold warning](/images/identitymanager/synchro_threshold_v603.webp) Find out the reasons to decide whether or not to bypass the threshold. Proceed as follows: @@ -246,7 +246,7 @@ Find out the reasons to decide whether or not to bypass the threshold. Proceed a 2. Study synchronization counters and the list of all synchronization changes. These tools help you make a decision about whether to bypass synchronization thresholds. - ![Job progress](/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp) + ![Job progress](/images/identitymanager/synchro_thresholdlog_v603.webp) In most cases, the first synchronization exceeds thresholds because no data exists in Identity Manager yet. Thus, a high quantity of modifications is expected and the synchronization is to be @@ -263,7 +263,7 @@ Find out the reasons to decide whether or not to bypass the threshold. Proceed a Be cautious, check twice for mistakes before resuming. - ![Resumed Job](/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp) + ![Resumed Job](/images/identitymanager/synchro_thresholdresumed_v602.webp) If an export doesn't complete, then: 
@@ -271,13 +271,13 @@ If an export doesn't complete, then: - If you manually typed the source column of a property in the entity types, then make sure that the source column exists in the corresponding managed system. - ![Source Column](/images/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp) + ![Source Column](/images/identitymanager/entitytype_sourcecolumn_v602.webp) If a given property from users' data is displayed in an unexpected way, then: Check the format of both the application metadata and the external system. -![Property Format](/images/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp) +![Property Format](/images/identitymanager/entitytype_format_v523.webp) > For example, if you find that a given date doesn't comply with what you set, then maybe the format > in the External System section wasn't correctly selected, thus inducing a conversion error during diff --git a/docs/identitymanager/6.2/user-guide/set-up/user-profile-assignment/index.md b/docs/identitymanager/6.2/user-guide/set-up/user-profile-assignment/index.md index 5399fb2d79..df1c7fea1e 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/user-profile-assignment/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/user-profile-assignment/index.md @@ -16,7 +16,7 @@ by assigning profiles to users and permissions to profiles. See the and [References: Permissions](/docs/identitymanager/6.2/integration-guide/profiles-permissions/permissions/index.md) topics for additional information. -![Schema - Profile Assignment](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) +![Schema - Profile Assignment](/images/identitymanager/profiles_schema.webp) For example, the access to the list of users with their personal data is usually restricted to HR people, and the possibility to modify personal data restricted to HR managers. 
@@ -57,16 +57,16 @@ In the following section you will read about how to assign a profile to an accou Assign manually a profile to a user by proceeding as follows: -![Home Page - Assigned Profiles](/images/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) +![Home Page - Assigned Profiles](/images/identitymanager/home_assignedprofiles_v602.webp) **Step 1 –** Access the **Assigned Profiles** screen from the home page in the **Administration** section. -![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) +![Addition Icon](/images/identitymanager/iconadd_v602.webp) **Step 2 –** Click on the addition button at the top right corner. -![New Profile](/images/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp) +![New Profile](/images/identitymanager/roleofficers_newprofile_v602.webp) **Step 3 –** Fill in the fields. @@ -98,7 +98,7 @@ type and potentially specific criteria. See the [Profile Rule Context](/docs/identitymanager/6.2/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) topic for additional information. -![Launch Button](/images/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp) +![Launch Button](/images/identitymanager/launch_v603.webp) Click on **Launch** to apply these profile rules. diff --git a/docs/identitymanager/6.2/user-guide/set-up/user-profile-configuration/index.md b/docs/identitymanager/6.2/user-guide/set-up/user-profile-configuration/index.md index f89c9b707b..3ef40bee18 100644 --- a/docs/identitymanager/6.2/user-guide/set-up/user-profile-configuration/index.md +++ b/docs/identitymanager/6.2/user-guide/set-up/user-profile-configuration/index.md 
@@ -16,7 +16,7 @@ actions within Identity Manager, for a set of basic All the permissions for accessing items and performing actions in Identity Manager are managed by assigning profiles to users and permissions to profiles. -![Schema - Profile Assignment](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) +![Schema - Profile Assignment](/images/identitymanager/profiles_schema.webp) > For example, access to user lists with personal data is usually restricted to HR staff, and the > modification of personal data would be restricted to HR managers. @@ -81,14 +81,14 @@ Configure a user profile by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section, then on **General** > **Profiles** in the left menu. - ![Home - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home - Configuration](/images/identitymanager/home_settings_v523.webp) 2. Check whether the profile to configure is part of the provided list. If not, create it by clicking on the addition button at the top right and fill in the fields. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) - ![New Profile](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp) + ![New Profile](/images/identitymanager/profiles_creation_v602.webp) - `Identifier`: must be unique among profiles and without any whitespace. - `Name`: will be displayed in the UI to identify the profile. 
@@ -100,11 +100,11 @@ Configure a user profile by proceeding as follows: 4. Follow Identity Manager's instructions for assigning permissions to the profile by clicking on the appropriate permissions, one by one, selecting if needed their responsibility scope. - ![Profile Configuration Example](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp) + ![Profile Configuration Example](/images/identitymanager/profiles_example_v603.webp) 5. Click on **Save** at the top of the page. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) ## Verify Profile Configuration diff --git a/docs/identitymanager/6.3/_partials/README.md b/docs/identitymanager/6.3/_partials/README.md new file mode 100644 index 0000000000..0c49f7ebd2 --- /dev/null +++ b/docs/identitymanager/6.3/_partials/README.md 
@@ -0,0 +1,43 @@
+# Reusable Content Partials
+
+This directory contains reusable MDX content that can be imported into multiple documentation pages to avoid duplication.
+
+## How to Use
+
+### 1. Import the partial at the top of your MDX file
+
+```mdx
+import ContextruleCertification from '@site/docs/identitymanager/current/_partials/contextrule-certification.mdx';
+```
+
+### 2. Use the component in your content
+
+```mdx
+
+```
+
+## Available Partials
+
+| Partial File | Component Name | Description |
+|--------------|----------------|-------------|
+| `contextrule-certification.mdx` | `ContextruleCertification` | Information about context rule certification properties |
+| `parameterized-role.mdx` | `ParameterizedRole` | Information about parameterized roles |
+| `resourcetypemapping-identifier.mdx` | `ResourcetypemappingIdentifier` | Resource type mapping identifier conventions |
+| `argumentsexpression.mdx` | `Argumentsexpression` | Arguments expression usage |
+| `ignoreHistorization-intro.mdx` | `IgnoreHistorizationIntro` | Ignore historization warning |
+
+## Creating New Partials
+
+1. Create a new `.mdx` file in this directory
+2. Use PascalCase for the component name (e.g., `MyNewPartial`)
+3. Import it using the `@site` alias:
+ ```mdx
+ import MyNewPartial from '@site/docs/identitymanager/current/_partials/my-new-partial.mdx';
+ ```
+
+## Notes
+
+- Files in `_partials` directory (prefixed with underscore) are not generated as standalone pages
+- Always use `.mdx` extension for partials to enable MDX features
+- The `@site` alias resolves to the Docusaurus root directory
+- Partials can include any valid MDX content: markdown, React components, admonitions, etc.
diff --git a/docs/identitymanager/6.3/_partials/argumentsexpression.mdx b/docs/identitymanager/6.3/_partials/argumentsexpression.mdx
new file mode 100644
index 0000000000..6da9688364
--- /dev/null
+++ b/docs/identitymanager/6.3/_partials/argumentsexpression.mdx
@@ -0,0 +1,5 @@
+:::info Arguments Expression
+The `ArgumentsExpression` allows you to compute provisioning arguments dynamically based on the provisioning order and resource properties.
+:::
+
+For detailed examples, see [Compute a Resource Type's Provisioning Arguments](/docs/identitymanager/current/integration-guide/provisioning/argumentsexpression).
diff --git a/docs/identitymanager/6.3/_partials/contextrule-certification.mdx b/docs/identitymanager/6.3/_partials/contextrule-certification.mdx
new file mode 100644
index 0000000000..e115028671
--- /dev/null
+++ b/docs/identitymanager/6.3/_partials/contextrule-certification.mdx
@@ -0,0 +1,5 @@
+:::info Note
+These properties are used to configure access certification campaigns for resources. The comparison filters which resources should be included in certification campaigns based on the specified property values.
+:::
+
+For more information, see [Access Certification](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification).
diff --git a/docs/identitymanager/6.3/_partials/ignoreHistorization-intro.mdx b/docs/identitymanager/6.3/_partials/ignoreHistorization-intro.mdx
new file mode 100644
index 0000000000..58b37aae83
--- /dev/null
+++ b/docs/identitymanager/6.3/_partials/ignoreHistorization-intro.mdx
@@ -0,0 +1,3 @@
+:::warning Ignore Historization
+When `IgnoreHistorization` is set to `true`, the task will not create historical records of changes. This can improve performance but reduces audit trail capabilities.
+:::
diff --git a/docs/identitymanager/6.3/_partials/parameterized-role.mdx b/docs/identitymanager/6.3/_partials/parameterized-role.mdx
new file mode 100644
index 0000000000..478754cca9
--- /dev/null
+++ b/docs/identitymanager/6.3/_partials/parameterized-role.mdx
@@ -0,0 +1,5 @@
+:::tip Parameterized Roles
+This configuration supports parameterized roles, which allow dynamic role assignments based on context properties and expressions.
+:::
+
+For more details, see [Parameterized Roles](/docs/identitymanager/current/user-guide/optimize/parameterized-role).
diff --git a/docs/identitymanager/6.3/_partials/resourcetypemapping-identifier.mdx b/docs/identitymanager/6.3/_partials/resourcetypemapping-identifier.mdx
new file mode 100644
index 0000000000..a6c07d1226
--- /dev/null
+++ b/docs/identitymanager/6.3/_partials/resourcetypemapping-identifier.mdx
@@ -0,0 +1,3 @@
+:::note Resource Type Mapping Identifier
+The identifier must be unique across all resource type mappings and should follow the naming convention: `_`.
+:::
diff --git a/docs/identitymanager/6.3/index.md b/docs/identitymanager/6.3/index.md
new file mode 100644
index 0000000000..a44fe79348
--- /dev/null
+++ b/docs/identitymanager/6.3/index.md
@@ -0,0 +1,22 @@
+---
+title: "Netwrix Identity Manager 6.3"
+description: "Netwrix Identity Manager 6.3"
+sidebar_position: 10
+---
+
+# A software solution to match your IGA needs
+
+To learn about Netwrix Identity Manager (formerly Usercube) and build the solution you need, explore our guides.
+
+The present documentation mentions the Netwrix Identity Manager (formerly Usercube) application as simply Identity Manager.
+
+Identity Manager's guides include:
+
+- An [Introduction Guide](introduction-guide) if you are new to Identity Manager.
+- A [User Guide](user-guide) to configure Identity Manager from scratch via the UI.
+- An [Integration Guide](integration-guide) to complete Identity Manager's configuration in
+XML according to your needs.
+- An [Installation Guide](installation-guide) to install Identity Manager in a production
+environment.
+- A [Migration Guide](migration-guide) to upgrade to a new version of Identity Manager.
+
diff --git a/docs/identitymanager/6.3/installation-guide/index.md b/docs/identitymanager/6.3/installation-guide/index.md
new file mode 100644
index 0000000000..130545949e
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/index.md
@@ -0,0 +1,24 @@
+---
+title: "Installation Guide"
+description: "Installation Guide"
+sidebar_position: 40
+---
+
+# Installation Guide
+
+This guide is designed to help you install Identity Manager in a production environment.
+
+## Target Audience
+
+This guide is intended for **system administrators** and **system architects**.
+
+Required knowledge includes:
+
+- Windows Server administration
+- Internet Information Services (IIS) administration
+- SQL Server administration
+
+## Overview
+
+The installation of Identity Manager requires architectural decisions to be made. An [Overview](../installation-guide/overview) of the architecture and available configurations will help you make informed decisions.
+
diff --git a/docs/identitymanager/6.3/installation-guide/overview.md b/docs/identitymanager/6.3/installation-guide/overview.md
new file mode 100644
index 0000000000..580619c92c
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/overview.md
@@ -0,0 +1,99 @@
+---
+title: "Overview"
+description: "Overview"
+sidebar_position: 10
+---
+
+# Overview
+
+This section will give you an overview of Identity Manager's components, their requirements and constraints, and possible interconnection schemes. At the end of this section, you should be able to choose the installation setup that fits best your organization's needs.
+
+## Components and Data Flow
+
+![Components & Data Flow](/images/identitymanager/components_data_flow.webp)
+
+### Components
+
+Identity Manager's solution includes **at least** three components.
+
+#### **1.** Server
+
+**One** server handles all of Identity Manager's computing needs, internal database management and serves the UI as a web application accessible through a browser.
+
+The SaaS offering hosts the Identity Manager Server in the **Cloud**. This means that the server needs not be installed within a Identity Manager SaaS installation.
+
+#### **2.** Database
+
+**One** database stores Identity Manager's data.
+
+With the SaaS offering, the Identity Manager Database is hosted in the **Cloud** and needs not be installed.
+
+The port used to access the database depends on the [database configuration](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-network-configuration?view=sql-server-ver15#database-configuration) and the [connectionString](https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-8.0) set in the technical configuration. See the [Network Configuration](../integration-guide/network-configuration) topic for additional information.
+
+#### **3.** Agents
+
+**One** or several agents perform synchronization and provisioning to/from the managed systems.
+
+### Data flow
+
+Identity Manager needs the following data flows to be enabled:
+
+- The **Server** requires opening connections to the **Database**.
+- The **Agents** require opening HTTPS connections to the **Server**.
+- The **Agents** require accessing **managed systems**.
+- All end-users' **browsers** require opening HTTPS connections to the **Server**.
+- All end-users' **browsers** require accessing the authentication providers. See the
+[Install the Server](../installation-guide/production-ready/server) topic for additional information.
+- Some end-users' **browsers** require opening HTTPS connections to the **Agents**.
+
+These connections are used to launch `Jobs` or use the `Reset Password` capabilities of some connectors. This requirement only applies to a few specific **administrator type profiles**.
+
+- The **Server** and the **Agent** both need to access an **SMTP server** to
+[Send Notifications](../installation-guide/production-ready/email-server).
+
+## SaaS vs. On-Premise
+
+Identity Manager comes in two flavors: SaaS and On-Premise.
+
+- The **SaaS** offering only requires the Agent to be installed on your organization network.
+- The **On-Premise** offering requires the Agent, the
+[Install the Server](../installation-guide/production-ready/server), and the [Install the Database](../installation-guide/production-ready/database) to be installed.
+
+See the [ Install the Agents](../installation-guide/production-ready/agent) topics for additional information.
+
+## Hosting Hardware
+
+Depending on the existing network infrastructure and constraints, Identity Manager's components can be organized in several ways.
+
+### Database and Servers
+
+The Identity Manager Database can be installed on the same workstation as the Identity Manager Server or run on a separate machine. The second approach is **recommended**.
+
+### Server and Agents
+
+The Identity Manager Server and the Agents can be spread between several workstations. See the [ Install the Agents](../installation-guide/production-ready/agent) topics for additional information.
+
+Two scenarios unfold:
+
+**1.** The server and agents are installed on separate workstations
+
+This approach is useful when managed systems need to run on separate and isolated networks.
+
+![Server & Agents isolated](/images/identitymanager/distribution_1.webp)
+
+**2.** The Server and **One** Agent are installed on the same workstation
+
+In that case, the Identity Manager Agent can run directly within the Identity Manager Server process. The hosting workstation would **only host a Identity Manager Server process** (**with the integrated agent**) and no separate agent needs to be installed. The database could be installed on the same workstation or on a separate **One**.
+
+![Server & Agent together](/images/identitymanager/distribution_2.webp)
+
+## Authentication
+
+End-users will be able to access Identity Manager after authentication. Several authentication methods are available. See the [Install the Server](../installation-guide/production-ready/server) topic for additional information.
+
+## Email Server
+
+Identity Manager sends notifications to users by email. An email server will have to be set up for the Agent and the Server. See the [Send Notifications](../installation-guide/production-ready/email-server) topic for additional information.
+
+Before you check out the installation steps, make sure that all the [Requirements](../installation-guide/requirements) are met.
+
diff --git a/docs/identitymanager/6.3/installation-guide/production-ready/agent.md b/docs/identitymanager/6.3/installation-guide/production-ready/agent.md
new file mode 100644
index 0000000000..9a8e29e05e
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/production-ready/agent.md
@@ -0,0 +1,427 @@
+---
+title: "Install the Agents"
+description: "Install the Agents"
+sidebar_position: 40
+---
+
+# Install the Agents
+
+Most on-premises installations use an agent **integrated** with Identity Manager's server. If this is your case, **and** the server is **Already** installed, no need to go further. If, on the other hand, you need **separate** agents, or if you are installing Identity Manager's agents within Identity Manager's **SaaS** offering, this is the way to go.
+
+:::note
+Please make sure that Identity Manager's agent requirements are met before going further. See the [Agent](../../installation-guide/requirements/agent-requirements) topic for additional information.
+:::
+
+
+## Agent Working Directory
+
+The agent runtime content should be extracted from the runtime archive following the instructions provided in the [Create a Working Directory](../../installation-guide/production-ready/working-directory) topic.
+
+In the **separate** agent setup, the agent is usually installed on a different workstation from the server.
+
+The agent is configured thanks to the *appsettings.agent.json* file. See the [appsettings.agent](../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information.
+
+## Create an IIS Website
+
+It is **recommended** to run the Identity Manager's agent as an IIS website.
+
+:::tip
+Remember, to install Identity Manager's agent as a Windows service, see the [Agent](../../installation-guide/requirements/agent-requirements) topic for additional information.
+:::
+
+
+Adding Identity Manager's agent as an IIS website can be achieved with the [Internet Information Services (IIS) Manager](https://www.iis.net/) which can be launched with the `INETMGR.MSC` command. You need to have an IIS 10.0 or greater.
+
+The Microsoft Documentation provides the [prerequisites](https://docs.microsoft.com/en-us/aspnet/core/host-**and**-deploy/iis/?view=aspnetcore-8.0) **and** the procedure to [create a new IIS site](https://docs.microsoft.com/en-us/aspnet/core/host-**and**-deploy/iis/?view=aspnetcore-8.0#create-a-new-iis-site).
+
+The information needed to go through the creation process are the following:
+
+- Identity Manager's agent uses an in-process hosting model
+- Identity Manager's agent uses .NET
+- Identity Manager's agent's web.config dwells in the runtime directory
+
+It might require a few modifications to target the agent instead of the server:
+
+**Step 1 –** Open web.config with a text editor.
+
+**Step 2 –** Change the arguments **and** stdoutLogFile attributes of the `` element as indicated below:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```xml
+
+```
+
+- When creating the website, enter the following data:
+
+**Step 1 –** Site name: Identity Manager's agent`` is the **recommended** naming convention
+
+**Step 2 –** Physical path: /``/Runtime
+
+**Step 3 –** Type: http
+
+**Step 4 –** IP address: All unassigned
+
+**Step 5 –** Port & Hostname: To access Identity Manager's agent. Use the hostname **and** port that has been reserved for Identity Manager.
+
+After creation, the following settings are **recommended**:
+
+- **Application Pool** > **Identity Manager ``** > **Advanced Settings** >
+**General** > **Start Mode** set to AlwaysRunning;
+- **Application Pool** > `Identity Manager ` > **Advanced Settings** > **Process
+Model** > **Idle Time-out** (minutes) set to 0 **and** Load User Profile set to True;
+- **Application Pool** > **Identity Manager ``** > **Recycling** > Regular time
+intervals set to 0.
+
+Recycling the application pool creates a discontinuation in the connection between server **and** agent, which can disrupt some of Identity Manager's features such as the job scheduler. IIS **Already** recycles the application pool at each setting change, thus Netwrix recommends not using periodic recycling.
+
+The following is [mandatory](https://docs.microsoft.com/en-us/aspnet/core/host-**and**-deploy/iis/?view=aspnetcore-8.0#mandatory):
+
+- **Application Pool** > **Identity Manager ``** > **Advanced Settings** >
+**General** > **.NET CLR Version** > **No Managed Code**
+
+![IIS Settings](/images/identitymanager/iis_settings.webp)
+
+This sums up IIS settings.
+
+## Hosting Bundle
+
+You need to install the [dotnet hosting bundle](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) (version 8.0 or higher) to be able to run dotnet application.
+
+## Select an Agent Identity
+
+The agent, through Identity Manager's server IIS Website, should be assigned a service account with the relevant permissions. See the [Agent](../../installation-guide/requirements/agent-requirements) topic for additional information.
+
+You can either:
+
+- Use the built-in application pool identity **and** grant this identity the right permissions. See the
+Install the Agents topic for additional information.
+- Use a custom Windows service account with the right permissions **and** use it as an IIS identity for
+Identity Manager's agent IIS Website
+
+### Check default behavior
+
+Usually, creating an IIS application pool, such as the one within which Identity Manager's server website runs, triggers the creation of a service account `IIS APPPOOL/` (where `` is the application pool name) known as an application pool identity. It is associated with the IIS website. This account is granted basic group membership that should enable it to access what it needs.
+
+For more information about IIS identities, visit the [Microsoft Documentation](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis).
+
+Building on this default behavior, the default Application Pool Identity is usually granted the necessary permissions for Identity Manager's server to operate.
+
+Before going further, you should check the following points:
+
+**Step 1 –** Find the group membership of `IIS APPPOOL\`.
+
+**Step 2 –** Check the permissions on the working directory. Right-click the working directory **and** select Security. The group section should contain one of the `IIS APPPOOL/` groups, namely Users. **and**,
+
+**Step 3 –** If the built-in application pool identity has been created but does not have the right permissions, you can follow the steps outlined in Install the Agents section to fix it. Go back to the section to make sure that the built-in application pool identity is effectively used by Identity Manager's server IIS Website.
+
+**Step 4 –** If you would rather use a custom service account instead of the built-in application pool identity, start with Install the Agents.
+
+**Step 5 –** If you're not sure what to do, follow the procedure below, starting with Install the Agents.
+
+Once the steps indicated above are completed you can carry on with setting an IIS Identity.
+
+### Set an IIS Identity
+
+If you want to use the built-in application pool identity created with the application pool, you can use the[ Microsoft documentation](https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities).
+
+If you would rather use a custom service account created for Identity Manager's agent, follow the procedure below.
+
+The following implies that a [custom service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) has **Already** been created for Identity Manager's agent.
See the[Install the Server](../../installation-guide/production-ready/server) topic for additional information.
+
+Follow the steps below to set an IIS identity **and** note that these are the same for the server:
+
+**Step 1 –** Open the IIS Manager (`INETMGR.MSC`).
+
+**Step 2 –** Open the **Application Pools** node underneath the machine node.
+
+**Step 3 –** Select the Identity ManagerAgent/`` application pool.
+
+**Step 4 –** Right-click **and** select **Advanced Settings**.
+
+**Step 5 –** In the **Process Model** section, on the **Identity** list item, click on the three dots to open the **Application Pool Identity** dialog.
+
+**Step 6 –** Select the **Custom Account** radio button **and** click on **Set**.
+
+**Step 7 –** Enter the Service Account credentials.
+
+**Step 8 –** Click **OK**. You're all set.
+
+Identity Manager's server IIS site will now use this identity to access the database **and** the working directory.
+
+## Set the Agent Permissions
+
+Identity Manager's agent needs specific permissions on its working directory to run, write synchronization output **and** read provisioning orders. See the [Server](../../installation-guide/requirements/server-requirements) topic for additional information.
+
+Up to **four** folders have to be considered:
+
+- the working directory
+- the runtime directory, usually `C:/identitymanager/Runtime`
+- the data collection directory, usually `C:/identitymanager/Temp`
+- the provisioning orders directory, usually `C:/identitymanager/Temp` (same as for the data
+collection directory).
+
+See the[Create a Working Directory](../../installation-guide/production-ready/working-directory) **and** [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topics for additional information.
+
+Further check the permissions of the service account **and** perform the steps for each of the relevant directories:
+
+**Step 1 –** Go to the working directory parent folder.
+
+**Step 2 –** Right-click the working directory.
+
+**Step 3 –** Select **Properties**.
+
+**Step 4 –** Select **Security**.
+
+The agent service account selected in the previous step can **either**:
+
+- have the necessary permissions or it belongs to a group that does, so no further action is
+required
+- is **missing** one of the permissions
+
+To fix the **missing** permissions follow the steps:
+
+**Step 1 –** Click on **Edit**.
+
+**Step 2 –** Click on **Add**.
+
+**Step 3 –** In the **Enter the object names to select** textbox, enter the service account name in the down-level logon format. For example, if you chose the built-in application pool identity, this would be `IIS APPPOOL/UsercubeAgent`.
+
+**Step 4 –** Click on **OK**.
+
+**Step 5 –** Select the newly added user name in the Group or user names panel at the top of the window.
+
+![Object Names](/images/identitymanager/enter-the-object-names-to-select.webp)
+
+**Step 6 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column for the others. See the[Server](../../installation-guide/requirements/server-requirements) topic for additional information.
+
+**Step 7 –** Click **OK**.
+
+The working directory permissions are all set.
+
+The same steps have to be performed on the runtime, the data collection **and** the provisioning orders directories. See the[Create a Working Directory](../../installation-guide/production-ready/working-directory) **and** [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topics for additional information.
+
+## Name the Agent
+
+Every agent is assigned a name. This name will be used in the UI to differentiate agents for the end-user, **and** in the XML configuration to assign connectors to specific agents.
+
+In the *appsettings.agent.json* file, the **OpenId** > **AgentIdentifier** can be set to **any string** except for Local which is **Already** taken by Identity Manager's inner workings.
Then the agent set in the XML configuration must have the same string as identifier. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +": { +  "AgentIdentifier": "" +  } +``` + +With the following configuration: + +```xml + +``` + +## Connect the Agent to the Managed Systems + +The Runtime/*appsettings.agent.json* file is a technical configuration file that will enable you set up the connection between the agent **and** the target managed systems. See the [appsettings.agent](../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information. + +Every agent is associated with an *appsettings.agent.json* file. + +The integration team should communicate the list of the managed systems to be connected to the agent, together with their configuration. + +Here is an example of *appsettings.agent.json* connecting an agent to an Active Directory **and** an SAP server. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +  ... +  "Connections": { +    "ADExport": { +        "Servers": [{ +           "Server": "", +           "BaseDN": "" +          }], +        "AuthType": "", +        "Login": "", +        "Password": "", +        "Filter": "<(objectclass=*)>", +        "EnableSSL": "" +    } +    "": { +        "Server": "", +        "Login": "", +        "Password": "" +    } +  } +} +``` + +:::tip +Remember, storing sensitive managed system data in configuration files, such as login/password pairs, is **strongly discouraged**. Sensitive data should be protected by one of the credentials protection methods. See the[Connectors](../../integration-guide/connectors) topic for additional information. 
+::: + + +## Encryption Key Pair + +Identity Manager's agent needs an [RSA key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) to perform various encryption operations, such as source, configuration, or log file encryptions. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate **and** a private key, can be stored one of **two** ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called +[Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or .pfx file) stored in the server's host file system. The file contains both the public key certificate **and** the private key. +- As a certificate from a Windows' +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate **and** the private key. This is the **recommended** method. + +The key pair can be generated with tools such as [OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's [New-SelfSignedCertificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps) **and** [pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). 
+ +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (``) bundling a public key certificate (``) **and** a private key (``) with OpenSSL, with a 50-year expiration date: + +**Step 1 –** Enter the following command: + +```shell +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +``` + +**Step 2 –** Enter the following command: + +```shell +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +``` + +Public key certificates can also be bought from trusted certificate providers **and** bundled with a private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step 2 in the frame above. + +The certificate has to be linked to Identity Manager via EncryptionCertificate in the *appsettings.agent.json* file. + +See the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topic for additional information about configuration parameters. + +### Certificate as a plain file + +The following parameters are used to link the file to Identity Manager in EncryptionCertificate. + +:::note +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be [password protected](https://www.openssl.org/docs/man1.1.0/man1/openssl.html#password-protected), hence the X509KeyFilePassword attribute. +::: + +:::info +Storing a `.pfx` file password in plain text in a production environment is **strongly discouraged**. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the [Usercube-Protect-CertificatePassword](../../integration-guide/executables/references/protect-certificatepassword) topic for additional information. +::: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +  ... 
+  "": { +      "": "<./UsercubeContoso.pfx>", +      "": "" +  } +  ... +} +``` + +### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the **recommended** method. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +  ... +  "": { +      "":"", +      "": "", +      "": "" +  } +  ... +} +``` + +## Connect the Agent to Server + +The connection to Identity Manager's server can be configured through: + +- The applicationUri attribute in the Runtime/*appsettings.agent.json* file has to be set to Identity +Manager's server URL + +- OpenIdClients **and** DefaultOpenIdClient must be used to set the agent's credentials to connect to +the server; See the [appsettings.agent](../../integration-guide/network-configuration/agent-configuration/appsettings-agent) **and**[OpenIdClient](../../integration-guide/toolkit/xml-configuration/access-control/openidclient) topics for additional information. + +Their content should be provided by the integration team, in relation to the OpenIdClient tag in the applicative configuration. See the[OpenIdClient](../../integration-guide/toolkit/xml-configuration/access-control/openidclient) topic for additional information. + +The following example shows an *appsettings.agent.json* file that sets an agent to connect to Identity Manager's server (`https://identitymanagerserver.contoso.com`) with the OpenId client identifier `` **and** the password ``, stored in the OpenIdClients list which also contains the "admin/secret" login/password pair. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +{ +    .... 
+    "ApplicationUri": "", +    "OpenIdClients": { +        "Job": "", +        "Admin": "" +     }, +    "DefaultOpenIdClient": "" +} +``` + +:::tip +Remember, storing plain text passwords in configuration files is **strongly discouraged**. Sensitive passwords should be encrypted. +::: + + +## Install the Agent as a Windows Service + +Installing Identity Manager's agent as a Windows service instead of an IIS website is mostly useful when using IIS is rendered moot by another system. For example, using a reverse proxy in front of Identity Manager's agent. + +To install Identity Manager's agent as a service in Windows server, use the following command: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```bat +sc.exe create Identity Manager binpath= "" displayname= "" start= auto obj= "" password= "" +``` + +:::tip +Remember, make sure to include a space between each parameter's equal sign (=) **and** the parameter value. +::: + + +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts Identity Manager's agent only if an incoming http request is made on the server **and** the scheduler is not launched until Identity Manager's agent is started. Because of that, you need to carefully set up the starting mode of IIS to force the starting of Identity Manager's agent. + +Identity Manager's agent warm up is done using the `` element in the web.config file, the configuration is described [here.](https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) + +You need to: + +**Step 1 –** Enable the Application Initialization feature + +**Step 2 –** Modify the applicationHost.config file to set the startMode of the application pool as AlwaysRunning. You also need to set the preloadEnabled of your application set to true. 
It is advised to backup the applicationHost.config file when doing this step to prevent mistakes. + +**Step 3 –** Double check that the following section is set in your web.config file, in the section system.webServer: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +   + + +``` + +Once done, you need to check that the configured jobs are launched via the Identity Manager's scheduler without having to manually issue a request on Identity Manager's agent. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs from being launched. + +## What's Next? + +The last step in the installation process is setting up an Email server. See the [Send Notifications](../../installation-guide/production-ready/email-server) topic for additional information. + diff --git a/docs/identitymanager/6.3/installation-guide/production-ready/database.md b/docs/identitymanager/6.3/installation-guide/production-ready/database.md new file mode 100644 index 0000000000..47c7ca885a --- /dev/null +++ b/docs/identitymanager/6.3/installation-guide/production-ready/database.md 
@@ -0,0 +1,64 @@
+---
+title: "Install the Database"
+description: "Install the Database"
+sidebar_position: 20
+---
+
+# Install the Database
+
+The Identity Manager Database can be installed on the Server workstation or on a separate machine.
+
+Please make sure that the [Database](../../installation-guide/requirements/database-requirements) requirements are met before going further.
+
+## Steps
+
+### 1. Install SQL server
+
+Microsoft's extensive documentation can be used to get help [installing a SQL Server 2016 or later](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server).
+
+### 2. Create the database
+
+The **recommended** naming convention is `Usercube`, where `` is the name of the organization targeted by this installation.
+
+> **FAQ**:
+> [How to create a database in SQL Server?](https://docs.microsoft.com/en-us/sql/relational-databases/databases/create-a-database?view=sql-server-ver15)
+
+The database name is of no technical importance, but following the naming convention will make it easier to read the guide.
+
+### 3. Initialize the database
+
+The database scheme can be initialized by running the `Usercube.sql` script (found in the `SQL_.zip` archive) on the newly created database.
+
+Preferred methods include [SQL Server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) and [command line](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15).
+
+#### Example of procedure for SQL Server Management Studio 2019
+
+- Open SQL Server Management Studio.
+- Connect to your SQL Server instance.
+- In the top left corner, select **File** > **Open** > **File**.
+- Select the `Usercube.sql` file.
+- Open the file. The file is now open in the main SQL Server Management Studio window.
+- Locate the database name dropdown, next to the **Execute** button in the top left section of the
+screen.
+
+![Execute Query](/images/identitymanager/execute_query.webp)
+
+- From the dropdown, select the newly created database.
+- Click **Execute**.
+
+#### Example using the sqlcmd CLI
+
+```shell
+sqlcmd -S \ -d Usercube -i
+```
+
+## What's Next?
+
+The next step will consist in:
+
+- Setting up the Identity Manager Server as an IIS website.
+- Creating a custom service account.
+- Granting the necessary database permissions for this account.
+
+It will also show how to test the Identity Manager Database connection. See the [Install the Server](../../installation-guide/production-ready/server) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/production-ready/email-server.md b/docs/identitymanager/6.3/installation-guide/production-ready/email-server.md
new file mode 100644
index 0000000000..e481541dbf
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/production-ready/email-server.md
@@ -0,0 +1,84 @@
+---
+title: "Send Notifications"
+description: "Send Notifications"
+sidebar_position: 50
+---
+
+# Send Notifications
+
+An SMTP server is used by the Identity Manager Server to send notification emails to its users, and by the Identity Manager Agent to send Reset Password emails.
+
+## Email Delivery
+
+### Via a local SMTP server and the pickup directory
+
+Both the Agent and the Server can send emails using a **local SMTP server** with Microsoft's **Pickup Directory** feature.
+
+**Pickup Directory** is a feature offered by most of Microsoft's SMTP services, such as IIS SMTP service or Microsoft Exchange Server.
+
+The pickup directory helps reducing network overhead by eliminating SMTP traffic between applications, such as the Identity Manager Server or Identity Manager Agent, and SMTP servers. It is particularly useful when using emails as notifications.
+
+To send an email, an application usually communicates with an SMTP server via the SMTP protocol. In the real world, email notifications generate a lot of traffic on the organization network. This extra traffic can be avoided by having applications (such as the Identity Manager Server or Identity Manager Agent) write emails as local files in a local directory instead of sending SMTP packets.
+
+The SMTP server will then periodically check the directory and send any email found in it. The SMTP exchange between the applications and the SMTP server is replaced by file writing and reading.
+
+The directory where clients write emails as files is called the **pickup directory**.
+
+### Via an external SMTP server
+
+Both the Agent and the Server can get their emails delivered through an **external** SMTP server.
+
+## Server Emails
+
+The SMTP server used by the Identity Manager Server is configured in the [Application Settings](../../integration-guide/network-configuration/server-configuration/general-purpose).
+
+Here is an example with an external SMTP server.
+
+```json
+***appsettings.json***
+
+{
+ ...
+ "MailSettings": {
+ "Host": "smtp.contoso.com",
+ "FromAddress": "no-reply@contoso.com"
+ }
+}
+```
+
+The **Host** attribute is the hostname or IP address of an external SMTP server. You can also specify a directory path instead, that would be the **pickup directory** of your **local** SMTP server.
+
+You can also input a **UserName** and **Password** if the SMTP server requires Identity Manager to authenticate to send emails.
+
+## Agent Emails
+
+From the agent side, the email settings dwell in the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) file.
+
+Here is a classic example that enables Identity Manager to send emails through the _smtp.contoso.com_ server using _[no-reply@contoso.com](mailto:no-reply@contoso.com)_ as the sender address. The Identity Manager Agent will authenticate to the SMTP server with the _contosoIdentity Manager_ login.
+
+```json
+"MailSettings": {
+ "FromAddress": "no-reply@contoso.com",
+ "Host":"smtp.contoso.com",
+ "Port":993,
+ "Username": "contosousercube",
+ "Password": "secret"
+ }
+```
+
+If you'd rather use a **local** SMTP server with **pickup directory**, _Host_, _Port_, _Username_ and _Password_ won't be needed.
+
+```json
+"MailSettings": {
+ "FromAddress": "no-reply@contoso.com",
+ "UseSpecifiedPickupDirectory": true,
+ "PickupDirectory": "C:/Temp/identitymanagerContosoPickup",
+ }
+```
+
+## That's It!
+
+Now, you're all set to start using Identity Manager.
+
+Enjoy the benefits of your new Identity and Access Management solution.
+
diff --git a/docs/identitymanager/6.3/installation-guide/production-ready/index.md b/docs/identitymanager/6.3/installation-guide/production-ready/index.md
new file mode 100644
index 0000000000..992bb868a6
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/production-ready/index.md
@@ -0,0 +1,36 @@
+---
+title: "Production-Ready Installation Guide"
+description: "Production-Ready Installation Guide"
+sidebar_position: 40
+---
+
+# Production-Ready Installation
+
+This guide leads the reader through the steps to install Identity Manager for production purposes.
+
+**1.\_\_**Before proceeding\_\_, you should go through the [Overview](../../installation-guide/overview) and [Requirements](../../installation-guide/requirements) sections to make fundamental decisions about Identity Manager setup, including:
+
+- Whether to install the database within the Identity Manager Server or on a separated workstation.
+- How many Agents will be installed?
+- If only one Agent is installed, whether to install it as an integrated agent or a separate agent.
+- What end-user authentication methods are to be used?
+- What hosting environment is used for the Agent and the Server?
+
+**2.** You should **get the following archives ready**:
+
+- Identity Manager runtime: `runtime_.zip`
+- Identity Manager database scheme: `Usercube.sql` from the `SQL_.zip`
+
+**3.** This guide is **based on the following choices**:
+
+- Identity Manager Server running with IIS
+- Identity Manager Database connection with Windows authentication
+
+This guide will allow you to **extrapolate** less common configurations and will provide links to the relevant [Network Configuration](../../integration-guide/network-configuration) sections.
+
+Our examples use the fabled [Contoso Corporation](https://docs.microsoft.com/en-us/microsoft-365/enterprise/contoso-overview?view=o365-worldwide) as target organization.
+
+## What's Next?
+
+The first step consists in [Create a Working Directory](../../installation-guide/production-ready/working-directory).
+
diff --git a/docs/identitymanager/6.3/installation-guide/production-ready/server.md b/docs/identitymanager/6.3/installation-guide/production-ready/server.md
new file mode 100644
index 0000000000..2526b1a587
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/production-ready/server.md 
@@ -0,0 +1,400 @@
+---
+title: "Install the Server"
+description: "Install the Server"
+sidebar_position: 30
+---
+
+# Install the Server
+
+:::note
+ If you are a SaaS client this topic does not apply. You can skip directly to end user authentication. See the Set up End-User Authentication topic for additional information.
+:::
+Identity Manager Server can be installed on the same workstation as the database **or** on a separate workstation. If Identity Manager is installed on a separate workstation, it requires the SQL PowerShell components to function properly.
+
+Please make sure that the server requirements are met before going further. See the [Server](../../installation-guide/requirements/server-requirements) topic for additional information.
+
+## Server Working Directory
+
+The server executable is beeing been extracted to the working directory as `Usercube-Server.exe` **and** `Usercube-Server.dll` **and** will enable a user **or** IIS to run the Identity Manager Server. See the [Create a Working Directory](../../installation-guide/production-ready/working-directory) topic for additional information.
+
+## Set up the License Key
+
+The license key provided by Identity Manager must be set up in the **appsetting.json** > **License attribute**. See the [Application Settings](../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information.
+
+## Create an IIS Website
+
+It is **recommended** to run the Identity Manager Server as an IIS website.
+
+To install the Identity Manager Server as a Windows service, please jump to Install the Server as a Windows Service. See the Install the Server topic for additional information.
+
+Adding the Identity Manager Server as an IIS website can be achieved with the [Internet Information Services (IIS) Manager](https://www.iis.net) which can be launched with the `INETMGR.MSC` command. You need to have an IIS 10.0 **or** greater.
+
+An IIS website must be created using the [Microsoft guide](https://docs.microsoft.com/en-us/aspnet/core/host-**and**-deploy/iis/?view=aspnetcore-8.0) **and** the following parameters:
+
+- Site name: `Usercube` is the **recommended** naming convention
+- Physical path — `//Runtime`
+- Type — `http`
+- IP address — `All unassigned`
+- Port & Hostname — To access the Identity Manager Server **and** the UI. Use the hostname **and** port that
+has been reserved for Identity Manager.
+
+During installation, the following information guides some of your choices:
+
+- The Identity Manager Server uses an in-process hosting model
+- Identity Manager Server's `web.config` can be found in the `Runtime` folder
+- The Identity Manager Server uses .NET
+
+After creation, the following settings are **recommended**:
+
+- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > Start Mode
+set to `AlwaysRunning`;
+- **Application Pool** > `Usercube` > **Advanced Settings** > **Process Model** > Idle
+Time-out (minutes) set to `0` **and** Load User Profile set to `True`;
+- **Application Pool** > `Usercube` > **Recycling** > Regular time intervals set to
+`0`.
+
+Recycling the application pool creates a discontinuation in the connection between server **and** agent, which can disrupt some of Identity Manager's features such as the job scheduler. IIS **Already** recycles the application pool at each setting change, thus Netwrix Identity Manager (formerly Usercube) recommends not using periodic recycling.
+
+The following is mandatory:
+
+- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR
+Version > `No Managed Code`
+
+![IIS Settings](/images/identitymanager/iis_settings.webp)
+
+An SSL Certificate should also be set to the IIS Server to perform HTTPS communication with end-users.
+
+## Hosting Bundle
+
+You need to install the dotnet hosting bundle (version 8.0 **or** higher) to be able to run dotnet application.
+
+## Select a Server Identity
+
+The Identity Manager Server, through the IIS Website, should be assigned a service account with the relevant permissions.
+
+### Create the service account
+
+This section requires using an Active Directory account with sufficient privileges to create service accounts on the domain.
+
+To create a service account you need to perform the following steps:
+
+**Step 1 –** Log on to a Windows server in the target domain environment. You should use an account with the necessary permissions to create new domain accounts.
+
+:::note
+ The target domain is the domain where SQL Server is installed.
+:::
+**Step 2 –** Access the _Active Directory User **and** Computers_ tool with the command `dsa.mc`.
+
+**Step 3 –** Select the target domain **and** Click on **Users**. From the users list, right-click to select **New** > **User**.
+
+**Step 4 –** Choose a mnemonic _First Name_ for the Identity Manager Server, as for **Example** `UsercubeContosoServer`, **and** click **Next**.
+
+:::tip
+ Remember, the down-level log on name in the format `DOMAIN/userName`,.as for **Example** `CONTOSO/identitymanagerContosoServer`.
+:::
+**Step 5 –** Set a password **and** remember it for later, check the boxes **User cannot change password** **and** **Password never expires**.
+
+This newly created service account is a domain account **and** will be used as an IIS identity.
+
+:::note
+ You can go further **and** use Managed Service Account to avoid dealing with the service account password update yourself **and** let Windows worry about it. This feature requires installing Identity Manager on Windows Server 2016 **or** later, **and** using an Active Directory with a forest level set to Windows Server 2016 **or** later.
+:::
+### Set an IIS identity
+
+The following implies that a custom service account has **Already** been created for the Identity Manager Server.
+
+To set an IIS identity you need to perform the following steps:
+
+**Step 1 –** Open the IIS Manager (`INETMGR.MSC`) **and** then the **Application Pools** node underneath the machine node.
+
+**Step 2 –** Select the `Usercube/` application pool **and** right-click **and** select **Advanced Settings**.
+
+**Step 3 –** In the **Process Model** section, on the **Identity** list item, click on the three dots to open the **Application Pool Identity** dialog.
+
+**Step 4 –** Select the **Custom Account** radio button **and** click on **Set** **and** enter the previously created Service Account credentials:
+
+- User name in the format `DOMAIN/userName` that you have previously written down
+- Password, previously remembered
+
+**Step 5 –** Click **OK**. You're all set.
+
+The Identity Manager Server IIS site will now use this identity to access the database **and** the working directory.
+
+## Set-up Permissions
+
+The Server permissions include the database **and** working directory.
+
+### Set- up the database permissions
+
+The service account used by the Server to access the database needs the following database-level roles in SQL Server:
+
+- `Public`
+- `Dbowner`
+
+**and** the `Administer bulk operations` server-level role.
+
+This guide will show you how to perform these operations using SQL Server Management Studio:
+
+**Step 1 –** Open SQL Server Management Studio (SSMS) **and** log in to access the server on which runs the Identity Manager Database with an account member of the **sysadmin** **or** **securityadmin** server-level role.
+
+![New Login](/images/identitymanager/newlogin.webp)
+
+**Step 2 –** Expand the **Security** **and** **Login** nodes, **and** look for the Identity Manager service account in the list.
+
+If you cannot find the service account click on the **Login** node, right-click **and** select **New** > **Login**.
+
+**Step 3 –** On the **General** page, enter the service account login name in the down-level logon format, such as `CONTOSO/identitymanagerContosoServer`. If you're not sure about the correct spelling of your service account **or** domain, you can search for it using the search window. From the **Login** node, right-click **and** select **New login** > **Login name** > **Search**.
+
+**Step 4 –** Choose **either****Windows authentication** if you chose to connect the server to the database with a Windows service account (Integrated Security=SSPI in the connection string) **or** a **SQL Server authentication** for a SQL Server account (if you set up the connection string with a login/password). In the SQL case, fill in the same password in the form as in the connection string. You should now see the newly created login in the Login list.
+
+**Step 5 –** From the **Login** node, right-click the newly created login **and** select **Properties** then go to the **Server Roles** page on the left **and** make sure **public** is checked.
+
+**Step 6 –** Go to **User Mapping****and** make sure `Usercube/` is checked (top panel), as well as **db_owner** **and** **public** (bottom panel).
+
+![Bulk](/images/identitymanager/bulk.webp)
+
+**Step 7 –** Right-click the **Server** root node **and** select **Properties**, **and** in the **Permissions** tab, select the service account **or** group name.
+
+**Step 8 –** Grant the **Administer bulk operations** permission. **and** confirm with **OK**.
+
+Identity Manager Server now has the required permissions to access the database.
+
+### Set the working directory permissions
+
+The Identity Manager Server needs specific permissions on the working directory to run, read synchronization output, **and** write provisioning orders. See the [Server](../../installation-guide/requirements/server-requirements) topic for additional information.
+
+Up to four folders have to be considered:
+
+- The working directory
+- The runtime directory, usually `C:/identitymanager/Runtime`
+- The data collection directory, usually `C:/identitymanager/Temp`
+- The provisioning orders directory, usually `C:/identitymanager/Temp` (same as for the data
+collection directory).
+
+See the [Create a Working Directory](../../installation-guide/production-ready/working-directory) **and** [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topics for additional information.
+
+The following steps can be performed for each of the relevant directories.
+
+First, let's check what permissions the service account **Already** has.
+
+To do so go to the working directory parent folder, right-click the working directory, select **Properties** **and** then select **Security**.
+
+From there, you have **two** choices.
+
+The Identity Manager Server service account that was chosen previously:
+
+- **Already** has **or** belongs to a group that **Already** has the needed permissions. There is nothing more
+to do
+- Is **missing** one of the needed permissions **and** you need to perform the steps underlined below:
+
+**Step 1 –** Click on **Edit** **and** then on **Add**.
+
+ ![Object Names](/images/identitymanager/enter-the-object-names-to-select.webp)
+
+**Step 2 –** In the **Enter the object names to select** textbox, enter the service account name in the down-level log on format, such as `CONTOSO/identitymanagerContosoServer`, then click **OK**.
+
+**Step 3 –** Select the newly added user name in the **Group **or** user names** panel at the top of the window.
+
+**Step 4 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column for the others, **and** then **OK**.
+
+The working directory permissions are all set.
+
+The same steps have to be performed on the runtime, the data collection **and** the provisioning orders directories.
See the [Create a Working Directory](../../installation-guide/production-ready/working-directory) **and** [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topics for additional information.
+
+## Encryption **and** Authentication Key Pairs
+
+The Identity Manager Server requires an RSA-2048 encryption key pair to perform various encryption operations, such as source, configuration, **or** log file encryptions. Identity Manager's Identity Server also needs an RSA-2048 authentication key pair for end-user authentication purposes.
+
+These certificates don't need to be integrated into the target organization's Public Key Infrastructure (PKI) **and** don't require an expiration date. They're only relevant to specific Identity Manager temporary data **and** can be changed at any time.
+
+Each RSA key pair, as in an [X.509](https://en.wikipedia.org/wiki/X.509) public key certificate **and** a private key, can be stored one of **two** ways:
+
+- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called Personal Information
+Exchange file **or** `.pfx` file) stored in the Server's host file system. The file contains both the public key certificate **and** the private key.
+- As a certificate from a Windows' certificate store identified by SubjectDistinguishedName **or** by
+Thumbprint. The Windows certificate also contains both the public key certificate **and** the private key. This is the **recommended** method.
+
+The key pairs can be generated with tools such as [OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) **or** Microsoft's [New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps), **and** [pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN).
+
+Here's an **Example** showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (`UsercubeContoso.pfx`) bundling a public key certificate (`UsercubeContoso.cert`) **and** an RSA-2048 private key (`UsercubeContoso.key`) with OpenSSL, with a 50-year expiration date:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```text
+1.
+openssl req -x509 -newkey rsa:2048 -keyout UsercubeContoso.key -out UsercubeContoso.cert -days 18250
+2. 
+openssl pkcs12 -export -out UsercubeContoso.pfx -inkey UsercubeContoso.key -in UsercubeContoso.cert
+```
+
+Public key certificates can also be bought from trusted certificate providers **and** bundled with a private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step **2** in the frame above.
+
+### Generate **and** use an encryption key pair
+
+This is the key pair used to perform various encryption operations, such as source, configuration, **or** log file encryptions.
+
+**Step 1 –** Generate a key pair using the OpenSSL method.
+
+**Step 2 –** Store the key pair as a `.pfx` file **or** use the Windows [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) (**recommended**).
+
+**Step 3 –** Link the generated certificate to Identity Manager.
+
+### Generate **and** use an identity server key pair
+
+This is the key pair used by the Identity Server for end-user authentication purposes.
+
+**Step 1 –** Generate a key pair using the OpenSSL method.
+
+**Step 2 –** Store the key pair as a .`pfx` file **or** use the Windows [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) (**recommended**).
+
+**Step 3 –** Link the generated certificate to Identity Manager.
+
+#### Certificate as a plain file
+
+The following parameters are used to link the file to Identity Manager in the `IdentityServer` section.
+
+[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be password protected, hence the `X509KeyFilePassword` attribute.
+
+Storing a `.pfx` file password in plain text in a production environment is **strongly discouraged**. The password should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the [Usercube-Protect-CertificatePassword](../../integration-guide/executables/references/protect-certificatepassword) topic for additional information.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.json*
+{
+  ...
+  "IdentityServer": {
+      "X509KeyFilePath": "./identitymanagerContoso.pfx",
+      "X509KeyFilePassword": "eff@%fmel/"
+  }
+  ...
+}
+```
+
+#### Certificate in the certificate store
+
+The certificate can be stored in the certificate store instead of the file system. This is the **recommended** method.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.json*
+{
+  ...
+  "IdentityServer": {
+      "X509SubjectDistinguishedName":"UsercubeContoso",
+      "X509StoreLocation": "LocalMachine",
+      "X509StoreName": "AuthRoot"
+    }
+  ...
+}
+```
+
+## Connect the Server to the Database
+
+Now that the Identity Manager Server has been provided with a service account with the right permissions, let's finalize the setup.
+
+The connection between the Server **and** the Database requires choosing an authentication method: [Windows Authentication](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15#windows-authentication) **or** SQL Server authentication.
See the [Connection to the Database](../../integration-guide/network-configuration/server-configuration/database-connection) **and** [Usercube-Protect-CertificatePassword](../../integration-guide/executables/references/protect-certificatepassword) topics for additional information. Windows authentication will require the IIS identity to be set to the custom Windows service account used to log in to the Identity Manager's Windows Server session. SQL authentication will work with both the _built-in_ app pool identity **and** a custom service account. This authentication method will write the login **and** password directly in the connection string.
+
+`Runtime/*appsettings.json*` is a technical configuration file that enables you to set up the connection between the Server **and** the Database through the ConnectionString attribute. See the [Network Configuration](../../integration-guide/network-configuration) topic for additional information.
+
+The connection string is set up in the `Runtime/*appsettings.json*` configuration file which can be edited with any text editor, such as [Notepad++](https://notepad-plus-plus.org/downloads/).
+
+If the SQL Server is hosted on Azure, you should use the AzureCredentials setting before going further.
+
+In the`Runtime/*appsettings.json*` file, find **or** write the `ConnectionString` attributes following the examples shown below:
+
+The first **Example** sets a connection string using the Windows authentication (`Integrated Security=SSPI`) to connect, on a local SQL Server system (`source=.`), to the `UsercubeContoso` database. See the
+
+The service account used by the Server to access the Database is **either**:
+
+- A Windows account if the connection string was set up using `Integrated Security=SSPI`.
+- A SQL Server account if the connection string was set up with a login/password.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.json*
+{
+...
+"ConnectionString": "data source=.;Database=UsercubeContoso;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"
+...
+}
+```
+
+The second **Example** sets a connection string using the SQL Server authentication. `CONTOSO/identitymanagerContosoServer` has been set as the Identity Manager Server IIS website identity.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.json*
+{
+...
+"ConnectionString": "data source=.;Database=Usercube;User Id=CONTOSO/identitymanagerContosoServer;Password=myPassword;Min Pool Size=10;encrypt=false;"
+...
+}
+```
+
+:::info
+ SQL Server authentication stores plain text credentials in the configuration file. This is **strongly discouraged**. To avoid storing plain text credentials, you should always strive to use Windows authentication **or** encrypt sensitive setting values such as the connection string.
+:::
+## SSL Certificate
+
+The Identity ManagerServer requires the use of an SSL Certificate trusted by all the target end-users' browsers. The standard setup is to use a certificate signed by the target organization's PKI root Certificate Authority **and** import the certificate into the end-user's Windows Store.
+
+This can be achieved using the [Microsoft Management Console (MMC)](https://en.wikipedia.org/wiki/Microsoft_Management_Console). See the [View certificates with the MMC](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in) for additional information.
+
+## DNS
+
+Your organization's DNS needs to be updated according to the requirements indicated in Hostname **and** DNS. See the [Server](../../installation-guide/requirements/server-requirements) topic for additional information.
+
+## Test Your Installation
+
+In order to test your installation you must:
+
+**Step 1 –** Make sure the IIS site is running.
+
+**Step 2 –** Go to the following URL with a browser: `:/hc` with the hostname **and** port set up in Create an IIS website. See the Install the Server topic for additional information.
+
+**Step 3 –** The Identity Manager Server is trying to access the Database. If it succeeds, the message **Healthy** should be displayed in the browser.
+
+## Configure the Starting Mode in IIS (optional)
+
+This step is important if the scheduler is enabled. IIS starts the Identity Manager Server only if an incoming http request is made on the server **and** the scheduler is not launched until the Identity Manager Server is started. Because of that, you need to carefully set up the starting mode of IIS to force the starting of the Identity Manager Server.
+
+The Identity Manager Server warm up is done using the `` element in the web.config file, the configuration is described in the [Microsoft documentation](https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization).
+
+You need to:
+
+- Enable the **Application Initialization** feature
+- Modify the **applicationHost.config** file to set the **startMode** of the application pool as
+**AlwaysRunning**. You also need to set the preloadEnabled of your application set to true. It is advised to backup the **applicationHost.config** file when doing this step to prevent mistakes.
+- Double check that the following section is set in your web.config file, in the section
+system.webServer:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```xml
+  
+```
+
+Once done, you need to check that the configured jobs are launched via the Identity Manager's scheduler without having to manually issue a request on the Identity Manager Server.
+
+If this is not correctly configured, any restart of your IIS **or** application pool could prevent jobs from being launched.
+
+## Set up End-User Authentication
+
+The next step consists in setting up one **or** more authentication methods for end-users. You may choose one **or** several external authentication providers among the following:
+
+- [OpenId Connect](https://openid.net/connect/)
+- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html)
+- [OAuth](https://tools.ietf.org/html/rfc6749)
+- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
+- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication)
+
+Everything you need to know about setting up authentication is provided in the Technical Configuration Guide. See the [ End-User Authentication](../../integration-guide/network-configuration/server-configuration/end-users-authentication) topic for additional information.
+
+## What's Next?
+
+Install the Agent is the next step of the process. See the [ Install the Agents](../../installation-guide/production-ready/agent) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/production-ready/working-directory.md b/docs/identitymanager/6.3/installation-guide/production-ready/working-directory.md
new file mode 100644
index 0000000000..8aa9ff4e4d
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/production-ready/working-directory.md
@@ -0,0 +1,55 @@
+---
+title: "Create a Working Directory"
+description: "Create a Working Directory"
+sidebar_position: 10
+---
+
+# Create a Working Directory
+
+The working directory is a simple Windows directory where Identity Manager's Server and/or Agent executable(s) and dependencies are stored on the workstation. This section shows how to set up the directory for the rest of the installation and Identity Manager's lifespan.
+
+The following steps are to be performed on the Server workstation. They will also have to be executed on the Agent workstation if a separate Agent setup has been chosen.
+
+## Steps
+
+### 1. Create the working directory
+
+The recommended naming convention is `C:/identitymanager`, where `` is the name of the organization targeted by this installation.
+
+### 2. Extract the content of the runtime archive
+
+Extract the content of the `Runtime` archive into a `Runtime` folder in the newly created working directory.
+
+### 3. Create a new empty folder in the working directory
+
+The folder will be used by the Server and Agent to write and read synchronization files and provisioning orders. Job logs are usually found here. It is usually named `Temp` and is referenced in the technical configuration files.
+
+The working directory structure should now resemble the following:
+
+```text
+📦 UsercubeXXX
+ ├─ 📁 Temp
+ └─ 📁 Runtime
+ ├─ 📁 wwwroot
+ ├─ ...
+ ├─ 📄 Usercube-Server.exe
+ ├─ 📄 Usercube-Agent.exe
+ ├─ ...
+ ├─ 📄 appsettings.agent.json
+ ├─ 📄 appsettings.cyberArk.agent.json
+ ├─ 📄 appsettings.encrypted.agent.json
+ └─ 📄 appsettings.json
+```
+
+`Runtime` contains Identity Manager executables and configuration files, including:
+
+- `Usercube-Server.exe`: the Identity Manager Server executable, which also contains an Agent.
+- `Usercube-Agent.exe`: the separate Identity Manager Agent executable, that will be used only if
+you choose to install a separate agent.
+- `appsettings.*.json`:
+[Network Configuration](../../integration-guide/network-configuration).
+
+## What's Next?
+
+Next section shows how to install the Identity Manager Database. See the [Install the Database](../../installation-guide/production-ready/database)topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/quick-start.md b/docs/identitymanager/6.3/installation-guide/quick-start.md
new file mode 100644
index 0000000000..b3ce470109
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/quick-start.md
@@ -0,0 +1,81 @@
+---
+title: "Quick Start Guide"
+description: "Quick Start Guide"
+sidebar_position: 30
+---
+
+# Quick Start Guide
+
+This guide leads the reader through the steps to quickly install Identity Manager's bootstrap version.
+
+## Prerequisites
+
+The installation of Identity Manager requires:
+
+- A certificate named Usercube.pfx
+([see the Microsoft tool to create a self-signed certificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps))
+
+If the certificate is named something other than Usercube.pfx, remember to change the name in the Runtime/appsettings.json file too.
+
+- [Database](../installation-guide/requirements/database-requirements)-related specifications
+
+## Install the Bootstrap Version
+
+**Step 1 –** Go on the Netwrix Identity Manager (formerly Usercube) [portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) and download the artifacts of the expected version.
+
+![Extranet Artifacts](/images/identitymanager/extranet_v601.webp)
+
+**Step 2 –** Extract from SDK the folder Usercube Bootstrap anywhere on the computer.
+
+**Step 3 –** Extract the content of Runtime to Usercube Bootstrap.
+
+When extracting Usercube Bootstrap to the root of the computer, it looks like:
+
+![Project Directory](/images/identitymanager/directory_v602.webp)
+
+**Step 4 –** Move or copy your certificate inside the Runtime folder.
+
+**Step 5 –** Create a Sources folder in Usercube Bootstrap.
+
+:::tip
+ Remember, if you don't have the Usercube Bootstrap folder or if you don't create the Sources folder, the Path in the Directory connection in the Runtime/appsettings.agent.json must be adapted. Note that you don't need to have a Directory.xlsx file at the location described by this Path for now.
+:::
+**Step 6 –** Create a database named Usercube, using the default options.
+
+:::note
+ When using a database server other than Microsoft SQL Server or a different database name, remember to change the connection string accordingly, in the Runtime/appsettings.json file and in the future command lines.
+:::
+**Step 7 –** Execute the Runtime/Usercube.sql file in the database.
+
+**Step 8 –** Open a command prompt and deploy the configuration. See the[ Usercube-Deploy Configuration](../integration-guide/executables/references/deploy-configuration) topic for additional information.
+
+In our example, the command would be, in the Runtime folder:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+./Usercube-Deploy-Configuration.exe -s "" -d ""
+```
+
+**Step 9 –** Launch the server. See the [Usercube-Server ](../integration-guide/executables/references/server) topic for additional information.
+
+In our example, the command would be, still in the Runtime folder:
+
+```shell
+./Usercube-Server.exe
+```
+
+**Step 10 –** Open a browser and navigate to http://localhost:5000. Authenticate with administrator as a username and the password specified in the Runtime/appsettings.json file, in the Authentication section.
+
+![Authentication Dialog](/images/identitymanager/authentication_v601.webp)
+
+Now you can start using the application.
+
+## Next Steps
+
+From there, you can start setting up Identity Manager via the **Settings** page which is accessible from the **Configuration** section of the home page.
+
+![Home Page - Settings](/images/identitymanager/home_settings_v523.webp)
+
+Then, Netwrix recommends following the user guide to start the configuration of your IGA project from scratch. See the [User Guide](../user-guide) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/requirements/agent-requirements.md b/docs/identitymanager/6.3/installation-guide/requirements/agent-requirements.md
new file mode 100644
index 0000000000..74d4935382
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/requirements/agent-requirements.md
@@ -0,0 +1,113 @@
+---
+title: "Agent"
+description: "Agent"
+sidebar_position: 40
+---
+
+# Agent
+
+This section identifies the requirements for an Identity Manager agent.
+
+## Software
+
+The agent is a .NET application.
+
+Running an agent requires installing the [Windows hosting bundle for ASP**.NET** Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0).
+
+## Hosting
+
+When used separated from the server, the agent can be run as:
+
+- An [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version IIS 10.0 (recommended)
+- A [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications)
+- A stand-alone executable for tests or debugging purposes
+
+### Integrated agent
+
+Some installations require multiple **separate agents**, but most of them use a single **integrated agent** that runs **within** the Identity Manager server process. In that case, the server executable contains the agents and no agent executable needs to be executed. It means that if a Identity Manager server is already installed, no further installation is required.
+
+In this case, the agent working directory is the same as the server working directory, and both the agent's and server's `appsettings` share the same configuration. The `appsettings.agent` configuration set is still configured through environment variables or via a separate `appsettings.agent.json` file stored next to the `Usercube-Server.exe` executable, in the common working directory. See the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) and [appsettings.agent](../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topics for additional information.
+
+## Service Accounts
+
+The agent should be assigned a [Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts).
+
+The installation of the server as part of an Active Directory domain requires the use of an account with sufficient privileges to create a service account on the domain.
+
+It can be either the IIS built-in [application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis), or a custom [Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts).
+
+### Working directory permissions
+
+The agent's service account needs specific permissions presented in the [Create a Working Directory](../../installation-guide/production-ready/working-directory) topic as:
+
+- _Read_, _Modify_, and _List folder contents_ on the working directory;
+- _Read & Execute_ and _List folder contents_ on the `Runtime` directory, usually
+`C:/identitymanager/Runtime`, in order to run the agent executable;
+- _Read_, _Modify_, and _List folder contents_ on the directory for provisioning orders, whose path
+depends on the `Work` folder's path;
+- _Read_, _Modify_, _List folder contents_, and _Write_ on the directory for data collection, whose
+path depends on the `Work` folder's path.
+
+See the [Create a Working Directory](../../installation-guide/production-ready/working-directory) and [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topics for additional information.
+
+Other permissions should be denied.
+
+> **FAQ**: How to set up directory permissions in Windows Server? See the
+> [Install the Server](../../installation-guide/production-ready/server) topic for additional information.
+
+### Managed systems' permissions
+
+Every Identity Manager agent needs one or several service accounts on the target managed systems, able to read and write to said managed systems.
+
+> For example, using Identity Manager with an Active Directory instance requires the agent to be
+> assigned an Active Directory service account that can read, write, change users' passwords, update
+> group memberships, and synchronize the whole Active Directory.
+
+Before going further, make sure the integration team has provided:
+
+- The list of all managed systems
+- Service accounts with the necessary permissions for the agent to perform _Read_ and/or _Write_
+operations on the systems associated with a connector allowing respectively synchronization and/or provisioning; See the [Connectors](../../integration-guide/connectors) topic for additional information.
+- service accounts' credentials
+
+Managed systems credentials are stored in the `appsettings.agent` configuration set and can be protected. See the [appsettings.agent](../../integration-guide/network-configuration/agent-configuration/appsettings-agent) and [Modules](../../integration-guide/modules) topics for additional information.
+
+### Database permissions
+
+The agent needs a service account that can authenticate to SQL Server.
+
+## Hostname and DNS
+
+The agent needs to be assigned a hostname **within** the organization's domain. End-user browsers must be able to resolve the agent's hostname.
+
+The associated DNS zone needs to be [updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1).
+
+The DNS alias should be written in lowercase in order to comply with as many security rules as possible.
+
+## SSL Certificate
+
+The agent requires the use of HTTPS ports and an SSL certificate in order to perform HTTPS communication with the server.
+
+## Emails
+
+The agent needs access to an **SMTP server** to [Send Notifications](../../installation-guide/production-ready/email-server).
+
+## Encryption Key Pair
+
+An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required for the agent in order to perform various encryption operations, such as source, configuration, or log file encryptions;
+
+Such a certificate does not need to be integrated into the target organization's Public Key Infrastructure and does not require an expiration date. They are only relevant to internal and temporary Identity Manager data and can be changed at any time.
+
+An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a private key, can be stored either:
+
+- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called
+[Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public key certificate and the private key.
+- As a certificate from a Windows'
+[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains both the public key certificate and the private key. This is the recommended method.
+
+The key pair can be generated with tools such as [OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's [New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps) and [pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN).
+
+## What's Next?
+
+To start the installation, follow either the [ Quick Start Guide](../../installation-guide/quick-start) or the [Production-Ready Installation](../../installation-guide/production-ready).
+
diff --git a/docs/identitymanager/6.3/installation-guide/requirements/database-requirements.md b/docs/identitymanager/6.3/installation-guide/requirements/database-requirements.md
new file mode 100644
index 0000000000..a731af40c7
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/requirements/database-requirements.md
@@ -0,0 +1,101 @@
+---
+title: "Database"
+description: "Database"
+sidebar_position: 20
+---
+
+# Database
+
+This section identifies hardware and software requirements for Identity Manager's database.
+
+## Hardware
+
+The database disk storage requirements depend on multiple factors as the database lifespan and the number of entries, for example 100,000 users can take up appropriately **10 GB** of storage
+
+:::note
+ The maximum SQL Express database is **10 GB**.
+:::
+## Software
+
+Identity Manager uses a [SQL Server database](https://www.microsoft.com/en-us/sql-server/sql-server-2019) and supports SQL Server 2016 or later.
+
+The [database requirements](https://docs.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server?view=sql-server-ver15) may depend on the chosen SQL Server edition and version.
+
+### Recommended features
+
+The following features are also highly recommended:
+
+- [Always On availability groups](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server):
+only available in the Enterprise edition of SQL Server 2016 or later
+
+ > **FAQ**:
+ > [How to enable Always On availability groups in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server?view=sql-server-ver15)
+
+- [Database Mirroring](https://docs.microsoft.com/en-us//sql/database-engine/database-mirroring/database-mirroring-sql-server?view=sqlallproducts-allversions):
+available in all editions of SQL Server 2016 or later
+
+ > **FAQ**:
+ > [How to enable database mirroring in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/setting-up-database-mirroring-sql-server?view=sql-server-ver15)
+
+- [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15)
+
+The data history feature introduced in Identity Manager v5.1.0, might cause some tables to grow significantly.
+
+Database performance is greatly improved by enabling the [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) feature for the `UR_Resource` and `UP_Assigned*` tables:
+
+ | `UP_Assigned*` Tables |
+ | --- |
+ | UP_AssignedResourceTypes |
+ | UP_AssignedSingleRoles |
+ | UP_AssignedCompositeRoles |
+ | UP_AssignedNavigationRules |
+ | UP_AssignedScalarRules |
+
+This feature is available and enabled by default in SQL Server 2016 or later.
+
+ > **FAQ**:
+ > [How to create partitioned tables and indexes?](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/create-partitioned-tables-and-indexes?view=sql-server-ver15)
+
+### Additional tools
+
+The installation and setup of the database require using either [SQL server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) or the [`sqlcmd` command line tool](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15).
+
+## SQL Server Authentication
+
+Identity Manager can authenticate to SQL Server using either a SQL Server authentication login or a Windows authentication login.
+
+Netwrix recommends using the [Windows authentication login](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) to avoid storing a plain text password in the technical configuration files.
+
+## SQL Server Roles
+
+The database administrator must be able to assign the following roles to the service account used by Identity Manager to access the SQL Server database:
+
+- `db_owner` which is a
+[**database-level** role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15). This role grants its owner the authorization to perform all configuration and maintenance activities on the database, and to drop the database in SQL Server.
+- `bulkadmin` which is a
+[server-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-ver15). This role grants its owner the authorization to perform bulk operations on the database.
+
+Although `bulkadmin` is a server-level role, it still requires Identity Manager to have **database-level** permissions granted by the `db_owner` role. It means that bulk operations can be performed on the database only if Identity Manager has been granted the `db_owner` role.
+
+Granting `bulkadmin` role to the server's service account requires access to an account member of the `sysadmin` or `securityadmin` server-level role on the target SQL Server. See the [Install the Server](../../installation-guide/production-ready/server) topic for additional information.
+
+For more information about identity and permission management in SQL Server, see [Microsoft's documentation](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?view=sql-server-ver15).
+
+## Shared SQL Server and Dedicated Database
+
+Identity Manager's SQL Server installation can be used to host other database applications.
+
+Identity Manager's database itself must be used exclusively for Identity Manager.
+
+## Connection to the Server
+
+SQL feed must be open from Identity Manager's server to SQL Server.
+
+## Optimization
+
+The [max degree of parallelism (MAXDOP)](https://learn.microsoft.com/en-us/azure/azure-sql/database/configure-max-degree-of-parallelism?view=azuresql-db) must be set to 1 in the SQL database.
+
+## What's Next?
+
+Let's move on to the requirements for Identity Manager's server. See the [Server](../../installation-guide/requirements/server-requirements) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/requirements/device-requirements.md b/docs/identitymanager/6.3/installation-guide/requirements/device-requirements.md
new file mode 100644
index 0000000000..06f74ae6a3
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/requirements/device-requirements.md
@@ -0,0 +1,42 @@
+---
+title: "Integration Device"
+description: "Integration Device"
+sidebar_position: 10
+---
+
+# Integration Device
+
+This section identifies the requirements for the Saas installation of Identity Manager. For the requirements of on premise installation see the Integration Device topic in the Identity Manager 6.0 or 6.1 [Netwrix Identity Manager (formerly Usercube) Help Center](https://helpcenter.netwrix.com/category/identitymanager) for additional information.
+
+## Hardware
+
+No matter whether the machine is virtual or physical, running a Identity Manager server or agent requires at least **8 GB** of RAM, **20 GB** of disk storage, and a **dual-core CPU**.
+
+:::note
+ Netwrix Identity Manager (formerly Usercube) recommends a 4-core CPU if SQL server is installed on this device.
+:::
+## Software
+
+[.NET version 8.0](https://dotnet.microsoft.com/en-us/download/dotnet/8.0/runtime) or higher must be installed.
+
+**Microsoft Excel** must be installed.
+
+A **web browser** must be accessible to test the future installation. Identity Manager's UI supports all popular browsers:
+
+- Google Chrome (latest 2 versions)
+- Mozilla Firefox (latest 2 versions)
+- Apple Safari (latest 2 versions)
+- Microsoft Edge Chromium
+
+## Administrator Account
+
+A **Windows local administrator account** is required to install the server and agent on the target Windows Server workstation.
+
+## Additional Recommendations
+
+A not-so-minimalist text editor such as [Notepad++](https://notepad-plus-plus.org/downloads/) can be useful to comfortably edit network configuration files. See the [Network Configuration](../../integration-guide/network-configuration)topic for additional information.
+
+## What's Next?
+
+Let's move on to the requirements for Identity Manager's database. See the[Database](../../installation-guide/requirements/database-requirements)topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/requirements/index.md b/docs/identitymanager/6.3/installation-guide/requirements/index.md
new file mode 100644
index 0000000000..e39cf7e0d2
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/requirements/index.md
@@ -0,0 +1,15 @@
+---
+title: "Requirements"
+description: "Requirements"
+sidebar_position: 20
+---
+
+# Requirements
+
+This section identifies hardware and software requirements for each Identity Manager component:
+
+- [Integration Device](../../installation-guide/requirements/device-requirements)
+- [Database](../../installation-guide/requirements/database-requirements)
+- [Server](../../installation-guide/requirements/server-requirements)
+- [Agent](../../installation-guide/requirements/agent-requirements)
+
diff --git a/docs/identitymanager/6.3/installation-guide/requirements/server-requirements.md b/docs/identitymanager/6.3/installation-guide/requirements/server-requirements.md
new file mode 100644
index 0000000000..027895c7c6
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/requirements/server-requirements.md
@@ -0,0 +1,109 @@
+---
+title: "Server"
+description: "Server"
+sidebar_position: 30
+---
+
+# Server
+
+This section identifies software requirements for Identity Manager's server.
+
+## License Key
+
+The server requires a license key provided by Netwrix Identity Manager (formerly Usercube). See the [Application Settings](../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information.
+
+## Software
+
+The server is a .NET application.
+
+Running the server requires installing the [Windows hosting bundle for ASP**.NET** Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0).
+
+## Hosting
+
+The server can be run as:
+
+- An [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version IIS 10.0 (**recommended**)
+- A [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications);
+- a stand-alone executable for tests or debugging purposes.
+
+It is **recommended** to enable the following [Internet Information Services (IIS)](https://www.iis.net/) features to host Identity Manager:
+
+- [Windows Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#windows-authentication)
+- [Anonymous Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication#anonymous-authentication)
+
+## Service Accounts
+
+The installation of the server as part of an Active Directory domain requires the use of an account with sufficient privileges to create a service account on the domain.
+
+The server should be assigned a [custom Windows service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts).
+
+The IIS built-in [application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis) should not be used, because it will prevent the custom account from connecting to a distant SQL Server. Hence Netwrix Identity Manager (formerly Usercube) recommends using a domain account.
+
+### Working directory permissions
+
+The agent's service account needs specific permissions presented in the[Create a Working Directory](../../installation-guide/production-ready/working-directory) topic as:
+
+- _Read_ and _List folder contents_ on the working directory;
+- _Read & Execute_ and _List folder contents_ on the `Runtime` directory, usually
+`C:/identitymanager/Runtime`, in order to run the agent executable;
+- _Read_ and _List folder contents_ on the directory for provisioning orders, whose path depends on
+the `Work` folder's path;
+- _Read_, _List folder contents_, and _Write_ on the directory for data collection, whose path
+depends on the `Work` folder's path.
+
+See the [Create a Working Directory](../../installation-guide/production-ready/working-directory) and [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topics for additional information.
+
+Other permissions should be denied.
+
+> **FAQ**: How to set up directory permissions in Windows Server? See the
+> [Install the Server](../../installation-guide/production-ready/server) topic for additional information.
+
+### Database permissions
+
+If Windows' authentication is used for SQL Server, then the server should be able to authenticate to SQL Server with its assigned service account. It means that the server's service account needs to be assigned an **SQL Server login** with the relevant roles, including necessarily either `sysadmin` or `securityadmin`.
+
+See the [Database](../../installation-guide/requirements/database-requirements) and [Install the Server](../../installation-guide/production-ready/server) topics for additional information.
+
+## Hostname and DNS
+
+In the case of an **on-premises** installation, the server needs to be assigned a hostname **within** the organization's domain. Agents must be able to resolve the server's hostname.
+
+The associated DNS zone needs to be [updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1).
+
+The DNS alias should be written in lowercase in order to comply with as many security rules as possible.
+
+## SSL Certificate
+
+The server requires the use of an SSL certificate in order to perform HTTPS communication with end-users' browsers.
+
+Identity Manager **SaaS** offering comes with an SSL certificate signed by a trusted certificate authority for the `*.usercube.com` domains. This certificate allows end-users to access the server through the Internet without any further configuration. Using another domain name for the **SaaS** installation requires providing Netwrix Identity Manager (formerly Usercube) with the corresponding SSL certificate signed by a trusted certificate Authority.
+
+Identity Manager **on-premises** offering requires the use of an SSL certificate trusted by all the target end-users' browsers. Standard practices use a certificate signed by the target organization's Public Key Infrastructure (PKI) root certificate authority. The on-premise SSL certificate must be set up in IIS.
+
+## Emails
+
+The server needs access to an **SMTP server** to [Send Notifications](../../installation-guide/production-ready/email-server).
+
+## Encryption and Identity Server Key Pairs
+
+An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required for:
+
+- Identity Manager's server in order to perform various encryption operations, such as source,
+configuration, or log file encryptions;
+- Identity Manager's Identity Server for end-user authentication purposes.
+
+Such a certificate does not need to be integrated into the target organization's Public Key Infrastructure and does not require an expiration date. They are only relevant to internal and temporary Identity Manager data and can be changed at any time.
+
+An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a private key, can be stored either:
+
+- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called
+[Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public key certificate and the private key.
+- As a certificate from a Windows'
+[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains both the public key certificate and the private key. This is the **recommended** method.
+
+The key pair can be generated with tools such as [OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's [New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps) and[ pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN).
+
+## What's Next?
+
+Let's move on to Identity Manager's agent requirements. See the [Agent](../../installation-guide/requirements/agent-requirements) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/installation-guide/reverse-proxy.md b/docs/identitymanager/6.3/installation-guide/reverse-proxy.md
new file mode 100644
index 0000000000..f1ca9fc4c1
--- /dev/null
+++ b/docs/identitymanager/6.3/installation-guide/reverse-proxy.md
@@ -0,0 +1,172 @@
+---
+title: "Reverse Proxy"
+description: "Reverse Proxy"
+sidebar_position: 50
+---
+
+# Reverse Proxy
+
+Identity Manager can be installed behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) that acts as an intermediate server between users and Identity Manager's server, in order to process users' requests and redirect them to the right server(s), for performance and security purposes.
+
+## Overview
+
+A reverse proxy is usually used when:
+
+- needing to encrypt the requests from/to end-users on the one hand, and on the other hand to be
+able to monitor plain text requests from/to Identity Manager's server;
+
+ ![Proxy Purposes: Encryption](/images/identitymanager/proxy_purpose_encryption.webp)
+
+- installing Identity Manager with an integrated agent on a network isolated from the users'
+browsers, in order to be able to access sensitive systems which are protected by being set up on a network isolated from the Internet;
+
+ ![Proxy Installation Example](/images/identitymanager/proxy_example.webp)
+
+This installation will be used for the configuration examples below.
+
+- using several Identity Manager's server instances for load-balancing purposes.
+
+ ![Proxy Purposes: Load Balancing](/images/identitymanager/proxy_purpose_loadbalancing.webp)
+
+As Identity Manager is **session-less**, working with several servers does not imply the need to synchronize sessions between servers, nor the need to guarantee that a particular IP will be processed by a particular server.
+
+### Nginx
+
+For these tasks, [nginx](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/#nginx) is a relevant choice of reverse proxy. There are several versions of nginx available, suitable for several Linux-based environments. [Installation instructions](https://docs.nginx.com/nginx/admin-guide/installing-nginx/) can be found directly on the nginx website.
+
+At its core, Identity Manager is an ASP.NET application with a Kestrel server. We can configure a nginx reverse proxy accordingly by following [Microsoft's guidelines](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-8.0&tabs=linux-ubuntu#microsofts-guidelines).
+
+Nginx [configuration files](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/) are usually located in `/etc/nginx`.
+
+### Load balancing
+
+Nginx offers several [load balancing methods](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#load-balancing-methods) which are all compatible with Identity Manager.
+
+Then, in order for servers to be able to properly schedule and coordinate synchronization and provisioning, the following file locations **must** be shared by all Identity Manager servers:
+
+- TempFolderPath
+- WorkFolderPath
+
+All Identity Manager servers also share a database. See the [Application Settings](../integration-guide/network-configuration/agent-configuration/appsettings) topic for additional information.
+
+## Basic Configuration
+
+The following is a basic configuration, in the `*nginx.conf*` file, with one virtual host, that directs incoming requests on `` from network 1 to a Identity Manager server instance at `` on network 2.
+
+```text
+***nginx.conf***
+
+worker_processes auto;
+
+**http {**
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /nginx-1.19.7/logs/access.log;
+ error_log /nginx-1.19.7/logs/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ server {
+ listen default_server;
+ server_name ;
+
+ location / {
+ proxy_pass http://;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection keep-alive;
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+ }
+}
+```
+
+Where:
+
+- `` is the port that nginx listens to on network 1 for incoming HTTP requests. It
+should be set to `80`, except if you have another web server listening for port 80 requests and passing them to your nginx server.
+- `` is the URL used by end-users to request Identity Manager's server, such as
+`contoso.usercube.com`. It is the content of the host header in the incoming HTTP request.
+- `` is Identity Manager's server URL on network 2.
+
+With this configuration, SSL is enabled between the nginx proxy and the client, but not between the proxy and Identity Manager's server. `gzip` is used to compress files to be sent over the network.
+
+### Static files
+
+Performance can be enhanced for static file serving. This requires extracting static files such as the UI JavaScript application and the logo and pictures, and storing them on the nginx server directly.See more information about [static file serving with nginx](https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/).
+
+## Load Balancing Configuration
+
+Load balancing involves at least two Identity Manager servers to which [nginx, acting as a load balancer](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/), distributes the load of incoming requests.
+
+Then, in addition to the configuration from the previous example, a group of servers **must** be declared, using the `upstream` directive in the `http` section.
+
+The following configuration defines a group named `usercubegroup` which contains two server configurations, each one resolving to an actual Identity Manager's server instance:
+
+```text
+...
+http {
+ upstream usercubegroup {
+ server usercube1.contoso.com;
+ server usercube2.contoso.com;
+ }
+ ...
+}
+...
+```
+
+Then, the name of the group takes the place of `` in the virtual host definition:
+
+```json
+server {
+ listen default_server;
+ server_name ;
+
+ location / {
+ proxy_pass http://IdentityManagergroup;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection keep-alive;
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+**}**
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/authentication.md b/docs/identitymanager/6.3/integration-guide/api/authentication.md
new file mode 100644
index 0000000000..7b302ba263
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/authentication.md
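Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the basic `nginx.conf` listing of reverse-proxy.md still enables TLS 1.0 and 1.1, both deprecated by RFC 8996, and readers tend to copy this listing as-is; it should read `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 needs an nginx built against OpenSSL 1.1.1 or later). The same listing shows no `ssl_certificate`/`ssl_certificate_key` directives and the text recommends port `80`, so the sentence stating that SSL is enabled between the proxy and the client is not backed by the configuration as printed; the placeholders look stripped, so this is inferred. In the load-balancing block, `proxy_pass http://IdentityManagergroup;` does not match the `upstream usercubegroup` declared just above and should be `proxy_pass http://usercubegroup;`. That block is also fenced as `json` although it is nginx configuration.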
@@ -0,0 +1,24 @@
+---
+title: "Authentication"
+description: "Authentication"
+sidebar_position: 10
+---
+
+# Authentication
+
+Identity Manager API authentication is based on the [OpenIdConnect protocol](https://openid.net/connect/). Configuration informations are accessible on: `[Usercube application URL]/.well-known/openid-configuration`.
+
+An OpenId client must be previously defined using an [OpenIdClient](../../integration-guide/toolkit/xml-configuration/access-control/openidclient) configuration element.
+
+The `client_id` parameter to use in calls to the OpenIdConnect protocol endpoints must be the concatenation of `clientId`, `@` and the domain of the application.
+
+**For example, client defined by**
+
+```xml
+****
+```
+
+for the Identity Manager application hosted on `usercube.mycompany.com` must use `MyApplication@usercube.mycompany.com` as `client_id` parameter in any call to the OpenIdConnect endpoints.
+
+The scope to access to the Identity Manager API is `usercube_api`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/index.md b/docs/identitymanager/6.3/integration-guide/api/index.md
new file mode 100644
index 0000000000..0f75deadc6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/index.md
@@ -0,0 +1,26 @@
+---
+title: "API"
+description: "API"
+sidebar_position: 170
+---
+
+# API
+
+Agent and server expose a REST API.
+
+## OpenAPI Definition
+
+This feature is optional and must be activated by the Swagger settings section. See the [Application Settings](../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information.
+
+The page `[Usercube application's URL]/swagger` can be used to explore and test the API.
+
+This page is built by the [Swagger UI tool](https://swagger.io/tools/swagger-ui/) from the Identity Manager [OpenAPI](https://swagger.io/specification/) definition.
+
+![Usercube server swagger page](/images/identitymanager/swagger.webp)
+
+A function can have several versions. This is why the API description is split into several OpenAPI definition files.
+
+Each definition file is accessible in JSON format on URL `[Usercube application's URL]/swagger/{version}/swagger.json`.
+
+The Swagger UI page is accessible anonymously but each call from this page to the API must have an authenticated context. To do so, you only need to be logged to the application from the same browser instance (Authentication is carried by a cookie).
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/pagination.md b/docs/identitymanager/6.3/integration-guide/api/pagination.md
new file mode 100644
index 0000000000..ea3e7240d2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/pagination.md
@@ -0,0 +1,19 @@
+---
+title: "Pagination"
+description: "Pagination"
+sidebar_position: 30
+---
+
+# Pagination
+
+Each function returning a list of items supports pagination. This pagination is based on the PageSize and ContinuationToken parameters.
+
+The principle is to call the function with the ContinuationToken obtained from the previous call.
+
+![Pagination sequence diagram](/images/identitymanager/pagination.webp)
+
+:::note
+ Pagination is optional. If PageSize is not specified, the function will return all items or use the limit specified in the squery parameter. If PageSize is specified, no limit must be specified in the squery parameter.
+:::
+A DefaultPageSize as well as a MaxPageSize can be defined in the Applicative configuration settings. If the given PageSize or squery limit is above the MaxPageSize, the limit of the MaxPageSize` is used. See the [Application Settings](../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/request-postman.md b/docs/identitymanager/6.3/integration-guide/api/request-postman.md
new file mode 100644
index 0000000000..9ad4fffeee
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/request-postman.md
@@ -0,0 +1,95 @@
+---
+title: "Request APIs via Postman"
+description: "Request APIs via Postman"
+sidebar_position: 40
+---
+
+# Request APIs via Postman
+
+This guide shows how to configure Postman to be able to request Identity Manager's API.
+
+## Get an Access Token
+
+Get an access token by proceeding as follows:
+
+1. Launch Postman.
+2. Create a new request by clicking on **+ New** then **Request**.
+
+ ![Postman: New Request](/images/identitymanager/postman_newrequest.webp)
+
+3. Fill in the fields and click on **Save to Identity Manager**.
+
+ ![Postman: New Request Fields](/images/identitymanager/postman_requestfields.webp)
+
+4. Fill in the authentication information as follows:
+
+ ![Postman: Authentication](/images/identitymanager/postman_authentication.webp)
+
+ - **Method**: POST
+ - **URL**: ``/connect/token
+ - **Body**:
+ - **client_id**: ``@``
+ - **client_secret**: ``
+ - **scope**: usercube_api
+ - **grant_type**: client_credentials
+
+5. Click on **Send** and get the access token from the response body.
+
+ ![Postman: Access Token](/images/identitymanager/postman_accesstoken.webp)
+
+## Use an Access Token
+
+Use an access token by proceeding as follows:
+
+1. Create a new request in Postman.
+2. Fill in the authorization information as follows:
+
+ ![Postman: Authorization](/images/identitymanager/postman_authorization.webp)
+
+ - **Method**: GET
+ - **URL**: ``/``?api-version=1.0
+ - **Authorization**:
+ - **TYPE**: Bearer Token
+ - **Token**: ``
+
+3. Click on **Send** and get the result from the response body.
+
+ ![Postman: Access Token Result](/images/identitymanager/postman_accesstokenresult.webp)
+
+## Create a Combined Request
+
+Create a combined request by proceeding as follows:
+
+1. Create a new request in Postman.
+2. Fill in the authorization information as follows:
+
+ ![Postman: Authorization (Combined Request)](/images/identitymanager/postman_authorizationcombined.webp)
+
+ - **Method**: GET
+ - **URL**: ``/``?api-version=1.0
+ - **Authorization**:
+ - **TYPE**: OAuth 2.0
+ - **Header Prefix**: Bearer
+
+3. Click on **Get New Access Token** and fill in the fields as follows:
+
+ ![Postman: New Access Token Fields (Combined Request)](/images/identitymanager/postman_newaccesstokencombined.webp)
+
+ - **Token Name**: ``
+ - **Grant Type**: Client Credentials
+ - **Access Token URL**: ``/connect/token
+ - **Client ID**: ``@``
+
+Do not replace `@` with its encoding.
+
+ - **Client Secret**: ``
+ - **Scope**: usercube_api
+ - **Client Authentication**: Send client credentials in body
+
+4. Click on **Request Token** to get the token.
+
+ ![Postman: Get Token (Combined Request)](/images/identitymanager/postman_gettokencombined.webp)
+
+5. Click on **Use Token** and **Send** and get the result from the response body.
+
+ ![Postman: Access Token Result (Combined Request)](/images/identitymanager/postman_accesstokenresult.webp)
diff --git a/docs/identitymanager/6.3/integration-guide/api/server/accesscertification.md b/docs/identitymanager/6.3/integration-guide/api/server/accesscertification.md
new file mode 100644
index 0000000000..6b8d118812
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/server/accesscertification.md
@@ -0,0 +1,162 @@ +--- +title: "AccessCertification" +sidebar_position: 1 +--- + +### /api/AccessCertification/AccessCertificationCampaign + +#### Get +##### Summary: + +Returns all the access certification campaigns according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The access certification campaign list. | List of AccessCertificationCampaign | + +#### Post +##### Summary: + +Creates an access certification campaign. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the access certification campaign creation. | AccessCertificationCampaignCreatedResult | + +### /api/AccessCertification/AccessCertificationCampaign/\{id\} + +#### Get +##### Summary: + +Returns an access certification campaign corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the access certification campaign. | True | | | +| squery | Query compliant to the API query grammar. 
| False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The access certification campaign. | AccessCertificationCampaign | + +#### Put +##### Summary: + +Updates an access certification campaign. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the access certification campaign to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the access certification campaign update. | AccessCertificationCampaignUpdatedResult | + +#### Delete +##### Summary: + +Deletes an access certification campaign. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the access certification campaign to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the access certification campaign delete. | AccessCertificationCampaignDeletedResult | + +### /api/AccessCertification/AccessCertificationCampaignPolicy + +#### Get +##### Summary: + +Returns all the policies according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. 
| False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The policy list. | List of AccessCertificationCampaignPolicy | +| 400 | No access certification policy can be found in database. | | + +### /api/AccessCertification/AccessCertificationItem + +#### Get +##### Summary: + +Returns all the access certification items of the campaignId campaign according to the provided squery. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| campaignId | Recertification campaign Id. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The access certification item list. | List of AccessCertificationItem | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/accesscontrol.md b/docs/identitymanager/6.3/integration-guide/api/server/accesscontrol.md new file mode 100644 index 0000000000..59567c0a5f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/accesscontrol.md 
@@ -0,0 +1,717 @@
+---
+title: "AccessControl"
+sidebar_position: 2
+---
+
+### /api/AccessControl/AccessControlEntry
+
+#### Get
+##### Summary:
+
+Returns all the accessControlEntrys according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlEntry list. | List of AccessControlEntry |
+
+#### Post
+##### Summary:
+
+Creates a accessControlEntry.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlEntry creation. | AccessControlEntryCreatedResult |
+
+### /api/AccessControl/AccessControlEntry/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a accessControlEntry corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlEntry. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path.
| False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlEntry. | AccessControlEntry |
+
+#### Put
+##### Summary:
+
+Updates a accessControlEntry.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlEntry to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlEntry update. | AccessControlEntryUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a accessControlEntry.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlEntry to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlEntry delete. | AccessControlEntryDeletedResult |
+
+### /api/AccessControl/AccessControlFilter
+
+#### Get
+##### Summary:
+
+Returns all the accessControlFilters according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules.
| False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlFilter list. | List of AccessControlFilter |
+
+#### Post
+##### Summary:
+
+Creates a accessControlFilter.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlFilter creation. | AccessControlFilterCreatedResult |
+
+### /api/AccessControl/AccessControlFilter/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a accessControlFilter corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlFilter. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlFilter. | AccessControlFilter |
+
+#### Put
+##### Summary:
+
+Updates a accessControlFilter.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlFilter to update.
| True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlFilter update. | AccessControlFilterUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a accessControlFilter.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlFilter to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlFilter delete. | AccessControlFilterDeletedResult |
+
+### /api/AccessControl/AccessControlPermission
+
+#### Get
+##### Summary:
+
+Returns all the accessControlPermissions according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlPermission list. | List of AccessControlPermission |
+
+### /api/AccessControl/AccessControlPermission/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a accessControlPermission corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlPermission. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlPermission. | AccessControlPermission |
+
+### /api/AccessControl/AccessControlRule
+
+#### Get
+##### Summary:
+
+Returns all the accessControlRules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlRule list. | List of AccessControlRule |
+
+#### Post
+##### Summary:
+
+Creates a accessControlRule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlRule creation. | AccessControlRuleCreatedResult |
+
+### /api/AccessControl/AccessControlRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a accessControlRule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlRule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The accessControlRule. | AccessControlRule |
+
+#### Put
+##### Summary:
+
+Updates a accessControlRule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlRule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlRule update. | AccessControlRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a accessControlRule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the accessControlRule to delete.
| True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the accessControlRule delete. | AccessControlRuleDeletedResult |
+
+### /api/AccessControl/AssignedProfile
+
+#### Get
+##### Summary:
+
+Returns all the assigned profiles according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The assigned profile list. | List of AssignedProfile |
+
+#### Post
+##### Summary:
+
+Creates an assigned profile.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the assigned profile creation. | AssignedProfileCreatedResult |
+
+### /api/AccessControl/AssignedProfile/\{id\}
+
+#### Get
+##### Summary:
+
+Returns an assigned profile corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the assigned profile.
| True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The assigned profile. | AssignedProfile |
+
+#### Put
+##### Summary:
+
+Updates an assigned profile with support for both full and incremental profile context updates.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the assigned profile to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the assigned profile update. | AssignedProfileUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes an assigned profile.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the assigned profile to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the assigned profile delete. | AssignedProfileDeletedResult |
+
+### /api/AccessControl/OpenIdClient
+
+#### Get
+##### Summary:
+
+Returns all the openId clients according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type.
| False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The clients list. | List of OpenIdClient |
+
+#### Post
+##### Summary:
+
+Creates an openId client.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the openId client creation. | OpenIdClientCreatedResult |
+
+### /api/AccessControl/OpenIdClient/\{id\}
+
+#### Get
+##### Summary:
+
+Returns an openId client corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the openId client. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The open id client. | OpenIdClient |
+
+#### Put
+##### Summary:
+
+Updates an openId client.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the openId client to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the openId client update. | OpenIdClientUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes an openId client.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the openId client to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the openId client delete. | OpenIdClientDeletedResult |
+
+### /api/AccessControl/Profile
+
+#### Get
+##### Summary:
+
+Returns all the profiles according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The profile list. | List of Profile |
+
+#### Post
+##### Summary:
+
+Creates a profile.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the profile creation. | ProfileCreatedResult |
+
+### /api/AccessControl/Profile/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a profile corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the profile. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The profile. | Profile |
+
+#### Put
+##### Summary:
+
+Updates a profile.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the profile to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the profile update. | ProfileUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a profile.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the profile to delete.
| True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the profile delete. | ProfileDeletedResult |
+
+### /api/AccessControl/ProfileRuleContext
+
+#### Get
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | OK | List of ProfileRuleContext |
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/server/connectors.md b/docs/identitymanager/6.3/integration-guide/api/server/connectors.md
new file mode 100644
index 0000000000..9b413b1f81
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/server/connectors.md
@@ -0,0 +1,671 @@
+---
+title: "Connectors"
+sidebar_position: 3
+---
+
+### /api/Connectors/Agent
+
+#### Get
+##### Summary:
+
+Returns all the agents according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The agent list. | List of Agent |
+
+#### Post
+##### Summary:
+
+Creates a agent.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the agent creation. | AgentCreatedResult |
+
+### /api/Connectors/Agent/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a agent corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the agent. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding.
| False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The agent. | Agent |
+
+#### Put
+##### Summary:
+
+Updates a agent.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the agent to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the agent update. | AgentUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a agent.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the agent to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the agent delete. | AgentDeletedResult |
+
+### /api/Connectors/Connection
+
+#### Get
+##### Summary:
+
+Returns all the connection packages according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request.
| False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The connector list. | List of Connection |
+
+#### Post
+##### Summary:
+
+Creates a connection.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the connector creation. | ConnectionCreatedResult |
+
+### /api/Connectors/Connection/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a connection package corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the connector. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The connector. | Connection |
+
+#### Put
+##### Summary:
+
+Updates a connector.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the connector to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the connector update. | ConnectionUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a connector.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the connector to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the connector delete. | ConnectionDeletedResult |
+
+### /api/Connectors/ConnectionColumn
+
+#### Get
+##### Summary:
+
+Returns all the connection columns according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The connection column list. | List of ConnectionColumn |
+
+### /api/Connectors/ConnectionPackage
+
+#### Get
+##### Summary:
+
+Returns all the connection packages according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size.
| False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The connector list. | List of ConnectionPackage |
+
+### /api/Connectors/ConnectionPackage/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a connection package corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the connector. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The connector. | ConnectionPackage |
+
+### /api/Connectors/ConnectionTable
+
+#### Get
+##### Summary:
+
+Returns all the connection tables according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request.
| False | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The connection table list. | List of ConnectionTable | + +### /api/Connectors/Connector + +#### Get +##### Summary: + +Returns all the connectors according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The connector list. | List of Connector | + +#### Post +##### Summary: + +Creates a connector. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the connector creation. | ConnectorCreatedResult | + +### /api/Connectors/Connector/\{id\} + +#### Get +##### Summary: + +Returns a connector corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the connector. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. 
| False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The connector. | Connector | + +#### Put +##### Summary: + +Updates a connector. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the connector to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the connector update. | ConnectorUpdatedResult | + +#### Delete +##### Summary: + +Deletes a connector. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the connector to delete. | True | | | +| force | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the connector delete. | ConnectorDeletedResult | + +### /api/Connectors/Connector/ResourceTypes/\{id\} + +#### Get +##### Summary: + +Returns the resource type ids corresponding to the provided connector identifier. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the connector. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | OK | | + +### /api/Connectors/EntityAssociationMapping + +#### Get +##### Summary: + +Returns all the entity types mappings according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity type list. | List of EntityAssociationMapping | + +### /api/Connectors/EntityPropertyMapping + +#### Get +##### Summary: + +Returns all the entity property mappings according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity property mapping list. | List of EntityPropertyMapping | + +### /api/Connectors/EntityTypeMapping + +#### Get +##### Summary: + +Returns all the entity types mappings according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity type list. | List of EntityTypeMapping | + +### /api/Connectors/EntityTypeMapping/\{id\} + +#### Get +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | OK | EntityTypeMapping | + +### /api/Connectors/Mapping/PasswordResetSetting + +#### Get +##### Summary: + +Returns all the password reset settings according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. 
| False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The password reset setting list. | List of PasswordResetSetting | + +### /api/Connectors/Provisioning/ProvisioningData/\{id\} + +#### Get +##### Summary: + +Get provisioning orders from server for a connector. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Id of the connector. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | OK | | + +### /api/Connectors/Provisioning/ProvisioningResults + +#### Put +##### Summary: + +Update the status of the provisioned resources. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | OK | ProvisioningResultsReceivedResult | + +### /api/Connectors/Mapping/ResourceTypeMapping + +#### Get +##### Summary: + +Returns all the resource types mappings according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource type mapping list. | List of ResourceTypeMapping | + +### /api/Connectors/Mapping/ResourceTypeMapping/\{id\} + +#### Get +##### Summary: + +Returns all the resource types mappings according to its id and the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource type mapping. | ResourceTypeMapping | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/files.md b/docs/identitymanager/6.3/integration-guide/api/server/files.md new file mode 100644 index 0000000000..62d47e4904 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/files.md 
@@ -0,0 +1,106 @@
+---
+title: "Files"
+sidebar_position: 4
+---
+
+### /files/Report/FromQuery/\{rootEntityType\}
+
+#### Get
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| rootEntityType | | True | | |
+| squery | | False | | |
+| format | | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | OK | |
+
+### /files/Report/FromQueryId/\{reportQueryId\}
+
+#### Get
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| reportQueryId | | True | | |
+| format | | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | OK | |
+
+### /files/ResourceFile/\{type\}/\{property\}/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a resource file.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| type | Entity type identifier. | True | | |
+| property | Entity type property. | True | | |
+| tag | Defines a tag. | False | | |
+| id | Identifier of the resource. | True | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource. | |
+
+### /api/files/ResourceFile/filename/\{type\}/\{property\}/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a resource file name.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| type | Entity type identifier. | True | | |
+| property | Entity type property. | True | | |
+| tag | Defines a tag. | False | | |
+| id | Identifier of the resource. | True | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource. | |
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/server/index.md b/docs/identitymanager/6.3/integration-guide/api/server/index.md
new file mode 100644
index 0000000000..eb46c4cf7a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/server/index.md
@@ -0,0 +1,24 @@
+---
+title: "Server API"
+sidebar_position: 3
+---
+
+## API Resources
+
+- [AccessCertification](./accesscertification)
+- [AccessControl](./accesscontrol)
+- [Connectors](./connectors)
+- [Files](./files)
+- [Job](./job)
+- [Metadata](./metadata)
+- [ProvisioningEntityInstance](./provisioningentityinstance)
+- [ProvisioningPolicy](./provisioningpolicy)
+- [Report](./report)
+- [Resource](./resource)
+- [ResourceChange](./resourcechange)
+- [ResourceFileChange](./resourcefilechange)
+- [ResourceLinkChange](./resourcelinkchange)
+- [Robots.Txt](./robots.txt)
+- [Universes](./universes)
+- [Workflows](./workflows)
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/server/job.md b/docs/identitymanager/6.3/integration-guide/api/server/job.md
new file mode 100644
index 0000000000..ff6f7b4573
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/server/job.md
@@ -0,0 +1,978 @@ +--- +title: "Job" +sidebar_position: 5 +--- + +### /api/Job/Job + +#### Get +##### Summary: + +Returns all the Job according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The JobGroup list. | List of Job | + +#### Post +##### Summary: + +Creates a Job. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the JobGroup creation. | JobCreatedResult | + +### /api/Job/Job/\{id\} + +#### Get +##### Summary: + +Returns a Job corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Job. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. 
| False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The JobGroup. | Job | + +#### Put +##### Summary: + +Updates a Job. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Job to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Job update. | JobUpdatedResult | + +#### Delete +##### Summary: + +Deletes a Job. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Job to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Job delete. | JobDeletedResult | + +### /api/Job/Job/Notification + +#### Put +##### Summary: + +Send Job Notification. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the job notification. | SendJobNotificationResult | + +### /api/Job/JobInstance + +#### Get +##### Summary: + +Returns all the job instance according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The job instance list. | List of JobInstance | + +#### Post +##### Summary: + +Creates a job instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the job instance creation. | JobInstanceCreatedResult | + +### /api/Job/JobInstance/\{id\} + +#### Get +##### Summary: + +Returns a job instance corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the job instance. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The job instance. | JobInstance | + +#### Put +##### Summary: + +Updates a job instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the job instance to update. 
| True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the job instance update. | JobInstanceUpdatedResult | + +#### Delete +##### Summary: + +Deletes a job instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the job instance to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the job instance delete. | JobInstanceDeletedResult | + +### /api/Job/JobStep + +#### Get +##### Summary: + +Returns all the JobSteps according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The JobStep list. | List of JobStep | + +#### Post +##### Summary: + +Creates a JobStep. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the JobStep creation. 
| JobStepCreatedResult | + +### /api/Job/JobStep/\{id\} + +#### Get +##### Summary: + +Returns a JobStep corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the JobStep. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The JobStep. | JobStep | + +#### Put +##### Summary: + +Updates a JobStep. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of JobStep to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the JobStep update. | JobStepUpdatedResult | + +#### Delete +##### Summary: + +Deletes a JobStep. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the JobStep to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the JobStep delete. | JobStepDeletedResult | + +### /api/Job/Task + +#### Get +##### Summary: + +Returns all the Tasks according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The job list. | List of JTask | + +#### Post +##### Summary: + +Creates a Task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Task creation. | TaskCreatedResult | + +### /api/Job/Task/\{id\} + +#### Get +##### Summary: + +Returns a Task corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Task. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. 
| False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The Task. | JTask | + +#### Put +##### Summary: + +Updates a Task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Task to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Task update. | TaskUpdatedResult | + +#### Delete +##### Summary: + +Deletes a Task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Task to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Task delete. | TaskDeletedResult | + +### /api/Job/TaskDependOnTask + +#### Get +##### Summary: + +Returns all the DependOnTask's task according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The DependOnTask's task list. 
| List of TaskDependOnTask | + +#### Post +##### Summary: + +Creates a DependOnTask's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the DependOnTask's task creation. | TaskDependOnTaskCreatedResult | + +### /api/Job/TaskDependOnTask/\{id\} + +#### Get +##### Summary: + +Returns a DependOnTask's task corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the DependOnTask's task. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The DependOnTask's task. | TaskDependOnTask | + +#### Put +##### Summary: + +Updates a DependOnTask's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the DependOnTask's task to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the DependOnTask's task update. | TaskDependOnTaskUpdatedResult | + +#### Delete +##### Summary: + +Deletes a DependOnTask's task. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the DependOnTask's task to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the DependOnTask's task delete. | TaskDependOnTaskDeletedResult | + +### /api/Job/TaskDimension + +#### Get +##### Summary: + +Returns all the Dimension's task according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role list. | List of TaskDimension | + +#### Post +##### Summary: + +Creates a Dimension's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Dimension's task creation. | TaskDimensionCreatedResult | + +### /api/Job/TaskDimension/\{id\} + +#### Get +##### Summary: + +Returns a Dimension's task corresponding to the provided identifier and its information according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Dimension's task. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The Dimension's task. | TaskDimension | + +#### Put +##### Summary: + +Updates a Dimension's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Dimension's task to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Dimension's task update. | TaskDimensionUpdatedResult | + +#### Delete +##### Summary: + +Deletes a Dimension's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the Dimension's task to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the Dimension's task delete. | TaskDimensionDeletedResult | + +### /api/Job/TaskEntityType + +#### Get +##### Summary: + +Returns all the EntityType's task according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. 
| False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The EntityType's task list. | List of TaskEntityType | + +#### Post +##### Summary: + +Creates a EntityType's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the EntityType's task creation. | TaskEntityTypeCreatedResult | + +### /api/Job/TaskEntityType/\{id\} + +#### Get +##### Summary: + +Returns a EntityType's task corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the EntityType's task. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The EntityType's task. | TaskEntityType | + +#### Put +##### Summary: + +Updates a EntityType's task. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the EntityType's task to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the EntityType's task update. | TaskEntityTypeUpdatedResult | + +#### Delete +##### Summary: + +Deletes a EntityType's task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the EntityType's task to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the EntityType's task delete. | TaskEntityTypeDeletedResult | + +### /api/Job/TaskInstance + +#### Get +##### Summary: + +Returns all the task instance according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The task instance list. | List of TaskInstance | + +#### Post +##### Summary: + +Creates a task instance. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the task instance creation. | TaskInstanceCreatedResult | + +### /api/Job/TaskInstance/\{id\} + +#### Get +##### Summary: + +Returns a task instance corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the task instance. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The task instance. | TaskInstance | + +#### Put +##### Summary: + +Updates a task instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the task instance to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the task instance update. | TaskInstanceUpdatedResult | + +#### Delete +##### Summary: + +Deletes a task instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the task instance to delete. 
| True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the task instance delete. | TaskInstanceDeletedResult | + +### /api/Job/TaskResourceType + +#### Get +##### Summary: + +Returns all the ResourceType's Task according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The ResourceType's Task list. | List of TaskResourceType | + +#### Post +##### Summary: + +Creates a ResourceType's Task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the ResourceType's Task creation. | TaskResourceTypeCreatedResult | + +### /api/Job/TaskResourceType/\{id\} + +#### Get +##### Summary: + +Returns a ResourceType's Task corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the ResourceType's Task. 
| True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The ResourceType's Task. | TaskResourceType | + +#### Put +##### Summary: + +Updates a ResourceType's Task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the ResourceType's Task to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the ResourceType's Task update. | TaskResourceTypeUpdatedResult | + +#### Delete +##### Summary: + +Deletes a ResourceType's Task. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the ResourceType's Task to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the ResourceType's Task delete. | TaskResourceTypeDeletedResult | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/metadata.md b/docs/identitymanager/6.3/integration-guide/api/server/metadata.md new file mode 100644 index 0000000000..00513773f6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/metadata.md 
@@ -0,0 +1,755 @@ +--- +title: "Metadata" +sidebar_position: 6 +--- + +### /api/Metadata/Binding + +#### Get +##### Summary: + +Returns all the bindings according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The binding list. | List of Binding | + +#### Post +##### Summary: + +Creates a Binding. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the binding creation. | BindingCreatedResult | + +### /api/Metadata/Binding/\{id\} + +#### Get +##### Summary: + +Returns a binding corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the binding. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The binding. | Binding | + +#### Put +##### Summary: + +Updates a binding. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the binding to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the binding update. | BindingUpdatedResult | + +#### Delete +##### Summary: + +Deletes a binding. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the binding to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the binding delete. | BindingDeletedResult | + +### /api/Metadata/BindingItem + +#### Get +##### Summary: + +Returns all the binding items according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The binding item list. | List of BindingItem | + +### /api/Metadata/BindingItem/\{id\} + +#### Get +##### Summary: + +Returns a binding item corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the binding item. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The binding item. | BindingItem | + +### /api/Metadata/Dimension + +#### Get +##### Summary: + +Returns all the dimensions according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The dimension list. | List of Dimension | + +#### Post +##### Summary: + +Creates a dimension. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the dimension creation. | DimensionCreatedResult | + +### /api/Metadata/Dimension/\{id\} + +#### Get +##### Summary: + +Returns a dimension corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the dimension. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The dimension. | Dimension | + +#### Put +##### Summary: + +Updates a dimension. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the dimension to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the dimension update. | DimensionUpdatedResult | + +#### Delete +##### Summary: + +Deletes a dimension. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the dimension to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the dimension delete. | DimensionDeletedResult | + +### /api/Metadata/EntityAssociation + +#### Get +##### Summary: + +Returns all the entity associations according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity association list. | List of EntityAssociation | + +#### Post +##### Summary: + +Creates a entity association. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity association creation. | EntityAssociationCreatedResult | + +### /api/Metadata/EntityAssociation/\{id\} + +#### Get +##### Summary: + +Returns a entity association corresponding to the provided identifier and its information according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity association. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity association. | EntityAssociation | + +#### Put +##### Summary: + +Updates a entity association. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity association to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity association update. | EntityAssociationUpdatedResult | + +#### Delete +##### Summary: + +Deletes a entity association. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity association to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity association delete. | EntityAssociationDeletedResult | + +### /api/Metadata/EntityProperty + +#### Get +##### Summary: + +Returns all the entity properties according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. 
| False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity property list. | List of EntityProperty | + +#### Post +##### Summary: + +Creates a entity property. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity property creation. | EntityPropertyCreatedResult | + +### /api/Metadata/EntityProperty/\{id\} + +#### Get +##### Summary: + +Returns a entity property corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity property. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity property. 
| EntityProperty | + +#### Put +##### Summary: + +Updates a entity property. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity property to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity property update. | EntityPropertyUpdatedResult | + +#### Delete +##### Summary: + +Deletes a entity property. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity property to delete. | True | | | +| force | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity property delete. | EntityPropertyDeletedResult | + +### /api/Metadata/EntityType + +#### Get +##### Summary: + +Returns all the entity types according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity type list. | List of EntityType | + +#### Post +##### Summary: + +Creates a entity type. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity type creation. | EntityTypeCreatedResult | + +### /api/Metadata/EntityType/\{id\} + +#### Get +##### Summary: + +Returns a entity type corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity type. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The entity type. | EntityType | + +#### Put +##### Summary: + +Updates a entity type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity type to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity type update. | EntityTypeUpdatedResult | + +#### Delete +##### Summary: + +Deletes a entity type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the entity type to delete. 
| True | | | +| force | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the entity type delete. | EntityTypeDeletedResult | + +### /api/Metadata/Language + +#### Get +##### Summary: + +Returns all the languages. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role list. | List of Language_ | + +### /api/Metadata/Setting + +#### Get +##### Summary: + +Returns all the settings according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role list. | List of Setting | + +#### Post +##### Summary: + +Creates a setting. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role creation. 
| SettingCreatedResult | + +### /api/Metadata/Setting/\{id\} + +#### Get +##### Summary: + +Returns a setting corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the setting. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role. | Setting | + +#### Put +##### Summary: + +Updates a setting. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the setting to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the setting update. | SettingUpdatedResult | + +#### Delete +##### Summary: + +Deletes a setting. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the setting to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the setting delete. | SettingDeletedResult | + +### /api/Metadata/Setting/CustomLink/\{url\} + +#### Get +##### Summary: + +Returns the html data corresponding to the requested custom link url. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| url | Url of the custom link. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The html data. | | + +### /api/Metadata/Setting/GetFeatureFlags + +#### Get +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | OK | | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/provisioningentityinstance.md b/docs/identitymanager/6.3/integration-guide/api/server/provisioningentityinstance.md new file mode 100644 index 0000000000..4d9bc1b171 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/provisioningentityinstance.md 
@@ -0,0 +1,58 @@
+---
+title: "ProvisioningEntityInstance"
+sidebar_position: 7
+---
+
+### /api/ProvisioningEntityInstance/EntityInstance
+
+#### Get
+##### Summary:
+
+Returns all the policies according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The policy list. | List of EntityInstance |
+
+### /api/ProvisioningEntityInstance/EntityInstance/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a policy corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the policy. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The policy. | EntityInstance |
+
diff --git a/docs/identitymanager/6.3/integration-guide/api/server/provisioningpolicy.md b/docs/identitymanager/6.3/integration-guide/api/server/provisioningpolicy.md
new file mode 100644
index 0000000000..5155423223
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/server/provisioningpolicy.md
@@ -0,0 +1,2860 @@ +--- +title: "ProvisioningPolicy" +sidebar_position: 8 +--- + +### /api/ProvisioningPolicy/AssignedCompositeRole + +#### Get +##### Summary: + +Returns all the assigned composite roles according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| forExecution | If true, return only the items for which the user has the right to do the action. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned composite role list. | List of AssignedCompositeRole | + +#### Post +##### Summary: + +Creates an assigned composite role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned composite role creation. | AssignedCompositeRoleCreatedResult | + +### /api/ProvisioningPolicy/AssignedCompositeRole/\{id\} + +#### Get +##### Summary: + +Returns an assigned composite role corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned composite role. 
| True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned composite role. | AssignedCompositeRole | + +#### Put +##### Summary: + +Updates an assigned composite role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned composite role to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned composite role update. | AssignedCompositeRoleUpdatedResult | + +#### Delete +##### Summary: + +Deletes an assigned composite role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned composite role to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned composite role delete. | AssignedCompositeRoleDeletedResult | + +### /api/ProvisioningPolicy/AssignedResourceBinary + +#### Get +##### Summary: + +Returns all the assigned resource binarys according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| getCurrentValues | | False | | | +| Path | Represents the permission path. 
| False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource binary list. | List of AssignedResourceBinary | + +#### Post +##### Summary: + +Creates an assigned resource binary. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource binary creation. | AssignedResourceBinaryCreatedResult | + +### /api/ProvisioningPolicy/AssignedResourceBinary/\{id\} + +#### Get +##### Summary: + +Returns an assigned resource binary corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource binary. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource binary. 
| AssignedResourceBinary | + +#### Put +##### Summary: + +Updates an assigned resource binary. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource binary to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource binary update. | AssignedResourceBinaryUpdatedResult | + +#### Delete +##### Summary: + +Deletes an assigned resource binary. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource binary to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource binary delete. | AssignedResourceBinaryDeletedResult | + +### /api/ProvisioningPolicy/AssignedResourceNavigation + +#### Get +##### Summary: + +Returns all the assigned resource navigations according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| getCurrentValues | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource navigation list. | List of AssignedResourceNavigation | + +#### Post +##### Summary: + +Creates an assigned resource navigation. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource navigation creation. | AssignedResourceNavigationCreatedResult | + +### /api/ProvisioningPolicy/AssignedResourceNavigation/\{id\} + +#### Get +##### Summary: + +Returns an assigned resource navigation corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource navigation. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource navigation. | AssignedResourceNavigation | + +#### Put +##### Summary: + +Updates an assigned resource navigation. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource navigation to update. 
| True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource navigation update. | AssignedResourceNavigationUpdatedResult | + +#### Delete +##### Summary: + +Deletes an assigned resource navigation. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource navigation to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource navigation delete. | AssignedResourceNavigationDeletedResult | + +### /api/ProvisioningPolicy/AssignedResourceScalar + +#### Get +##### Summary: + +Returns all the assigned resource scalars according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| getCurrentValues | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource scalar list. | List of AssignedResourceScalar | + +#### Post +##### Summary: + +Creates an assigned resource scalar. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource scalar creation. | AssignedResourceScalarCreatedResult | + +### /api/ProvisioningPolicy/AssignedResourceScalar/\{id\} + +#### Get +##### Summary: + +Returns an assigned resource scalar corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource scalar. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource scalar. | AssignedResourceScalar | + +#### Put +##### Summary: + +Updates an assigned resource scalar. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource scalar to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource scalar update. | AssignedResourceScalarUpdatedResult | + +#### Delete +##### Summary: + +Deletes an assigned resource scalar. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource scalar to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource scalar delete. | AssignedResourceScalarDeletedResult | + +### /api/ProvisioningPolicy/AssignedResourceType + +#### Get +##### Summary: + +Returns all the assigned resource types according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource type list. | List of AssignedResourceType | + +#### Post +##### Summary: + +Creates an assigned resource type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource type creation. 
| AssignedResourceTypeCreatedResult | + +### /api/ProvisioningPolicy/AssignedResourceType/\{id\} + +#### Get +##### Summary: + +Returns an assigned resource type corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource type. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned resource type. | AssignedResourceType | + +#### Put +##### Summary: + +Updates an assigned resource type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource type to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource type update. | AssignedResourceTypeUpdatedResult | + +#### Delete +##### Summary: + +Deletes an assigned resource type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned resource type to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned resource type delete. 
| AssignedResourceTypeDeletedResult | + +### /api/ProvisioningPolicy/AssignedSingleRole + +#### Get +##### Summary: + +Returns all the assigned single roles according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| forExecution | If true, return only the items for which the user has the right to do the action. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned single role list. | List of AssignedSingleRole | + +#### Post +##### Summary: + +Creates an assigned single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned single role creation. | AssignedSingleRoleCreatedResult | + +### /api/ProvisioningPolicy/AssignedSingleRole/\{id\} + +#### Get +##### Summary: + +Returns an assigned single role corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned single role. | True | | | +| squery | Query compliant to the API query grammar. 
| False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned single role. | AssignedSingleRole | + +#### Put +##### Summary: + +Updates an assigned single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned single role to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned single role update. | AssignedSingleRoleUpdatedResult | + +#### Delete +##### Summary: + +Deletes an assigned single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the assigned single role to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the assigned single role delete. | AssignedSingleRoleDeletedResult | + +### /api/ProvisioningPolicy/AutomationRule + +#### Get +##### Summary: + +Returns all the automation rules according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | Automation rules list. | List of AutomationRule | + +#### Post +##### Summary: + +Creates an automation rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the automation rule creation. | AutomationRuleCreatedResult | + +### /api/ProvisioningPolicy/AutomationRule/\{id\} + +#### Get +##### Summary: + +Returns a automation rule corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the automation rule. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | Automation rule. | AutomationRule | + +#### Put +##### Summary: + +Updates an automation rule. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the automation rule to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the automation rule update. | AutomationRuleUpdatedResult | + +#### Delete +##### Summary: + +Deletes an automation rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the automation rule to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the automation rule delete. | AutomationRuleDeletedResult | + +### /api/ProvisioningPolicy/Category + +#### Get +##### Summary: + +Returns all the categories according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The category list. | List of Category | + +#### Post +##### Summary: + +Creates a category. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the category creation. | CategoryCreatedResult | + +### /api/ProvisioningPolicy/Category/\{id\} + +#### Get +##### Summary: + +Returns a category corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the category. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The category. | Category | + +#### Put +##### Summary: + +Updates a category. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the category to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the category update. | CategoryUpdatedResult | + +#### Delete +##### Summary: + +Deletes a category. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the category to delete. 
| True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the category delete. | CategoryDeletedResult | + +### /api/ProvisioningPolicy/CompositeRole + +#### Get +##### Summary: + +Returns all the composite roles according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The composite role list. | List of CompositeRole | + +#### Post +##### Summary: + +Creates a composite role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the composite role creation. | CompositeRoleCreatedResult | + +### /api/ProvisioningPolicy/CompositeRole/\{id\} + +#### Get +##### Summary: + +Returns a composite role corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the composite role. | True | | | +| squery | Query compliant to the API query grammar. 
| False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The composite role. | CompositeRole | + +#### Put +##### Summary: + +Updates a composite role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the composite role to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the composite role update. | CompositeRoleUpdatedResult | + +#### Delete +##### Summary: + +Deletes a composite role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the composite role to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the composite role delete. | CompositeRoleDeletedResult | + +### /api/ProvisioningPolicy/CompositeRoleRule + +#### Get +##### Summary: + +Returns all the composite role rules according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The composite role rule list. | List of CompositeRoleRule |
+
+#### Post
+##### Summary:
+
+Creates a composite role rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the composite role rule creation. | CompositeRoleRuleCreatedResult |
+
+### /api/ProvisioningPolicy/CompositeRoleRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a composite role rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the composite role rule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The composite role rule. | CompositeRoleRule |
+
+#### Put
+##### Summary:
+
+Updates a composite role rule. 
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the composite role rule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the composite role rule update. | CompositeRoleRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a composite role rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the composite role rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the composite role rule delete. | CompositeRoleRuleDeletedResult |
+
+### /api/ProvisioningPolicy/ContextRule
+
+#### Get
+##### Summary:
+
+Returns all the context rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The context rule list. | List of ContextRule |
+
+#### Post
+##### Summary:
+
+Creates a context rule. 
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the context rule creation. | ContextRuleCreatedResult |
+
+### /api/ProvisioningPolicy/ContextRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a context rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the context rule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The context rule. | ContextRule |
+
+#### Put
+##### Summary:
+
+Updates a context rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the context rule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the context rule update. | ContextRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a context rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the context rule to delete. 
| True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the context rule delete. | ContextRuleDeletedResult |
+
+### /api/ProvisioningPolicy/IdentifiedRisk
+
+#### Get
+##### Summary:
+
+Returns all the identified risks according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The identified risks list. | List of IdentifiedRisk |
+
+### /api/ProvisioningPolicy/IdentifiedRisk/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a IdentifiedRisk corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the IdentifiedRisk. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. 
| False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The risk. | IdentifiedRisk |
+
+### /api/ProvisioningPolicy/MiningRule
+
+#### Get
+##### Summary:
+
+Returns all the mining rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The mining rule list. | List of MiningRule |
+
+#### Post
+##### Summary:
+
+Creates a mining rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the mining rule creation. | MiningRuleCreatedResult |
+
+### /api/ProvisioningPolicy/MiningRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a mining rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the mining rule. | True | | |
+| squery | Query compliant to the API query grammar. 
| False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The mining rule. | MiningRule |
+
+#### Delete
+##### Summary:
+
+Deletes a mining rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the mining rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the mining rule delete. | MiningRuleDeletedResult |
+
+#### Put
+##### Summary:
+
+Updates a mining rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the mining rule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the mining rule update. | MiningRuleUpdatedResult |
+
+### /api/ProvisioningPolicy/Policy
+
+#### Get
+##### Summary:
+
+Returns all the policies according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. 
| False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The policy list. | List of Policy |
+
+#### Post
+##### Summary:
+
+Creates a policy.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the policy creation. | PolicyCreatedResult |
+
+### /api/ProvisioningPolicy/Policy/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a policy corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the policy. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The policy. | Policy |
+
+#### Put
+##### Summary:
+
+Updates a policy.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the policy to update. 
| True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the policy update. | PolicyUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a policy.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the policy to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the policy delete. | PolicyDeletedResult |
+
+### /api/ProvisioningPolicy/Policy/ApproveSimulation/\{id\}
+
+#### Put
+##### Summary:
+
+Approves the simulation policies and applies modifications to all elements related to the policy.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the base policy to which the simulation is applied. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the policy simulation approval. | ApproveSimulationPoliciesResult |
+
+### /api/ProvisioningPolicy/Policy/CancelSimulation/\{id\}
+
+#### Put
+##### Summary:
+
+Cancels the simulation policies and reverts modifications to all elements related to the policy.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the base policy to which the simulation is applied. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the policy simulation cancellation. 
| CancelSimulationPoliciesResult |
+
+### /api/ProvisioningPolicy/PolicySimulation
+
+#### Get
+##### Summary:
+
+Returns all the simulations according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The simulations list. | List of PolicySimulation |
+
+#### Post
+##### Summary:
+
+Creates a simulation with status "new".
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of simulation creation. | PolicySimulationCreatedResult |
+
+### /api/ProvisioningPolicy/PolicySimulation/\{id\}
+
+#### Get
+##### Summary:
+
+Returns the simulation matching the provided identifier and squery.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the relevant simulation. | True | | |
+| squery | Squery compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. 
| False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The simulation. | PolicySimulation |
+
+#### Put
+##### Summary:
+
+Starts a simulation, the status becomes "Running".
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of simulation start. | PolicySimulationStartedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a context rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the context rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the context rule delete. | PolicySimulationDeletedResult |
+
+### /api/ProvisioningPolicy/ResourceBinaryRule
+
+#### Get
+##### Summary:
+
+Returns all the resource binary rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource binary rule list. | List of ResourceBinaryRule |
+
+#### Post
+##### Summary:
+
+Creates a resource binary rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource binary rule creation. | ResourceBinaryRuleCreatedResult |
+
+### /api/ProvisioningPolicy/ResourceBinaryRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a resource binary rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource binary rule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource binary rule. | ResourceBinaryRule |
+
+#### Put
+##### Summary:
+
+Updates a resource binary rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource binary rule to update. 
| True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource binary rule update. | ResourceBinaryRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a resource binary rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource binary rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource binary rule delete. | ResourceBinaryRuleDeletedResult |
+
+### /api/ProvisioningPolicy/ResourceClassificationRule
+
+#### Get
+##### Summary:
+
+Returns all the resource classification rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource classification rule list. | List of ResourceClassificationRule |
+
+#### Post
+##### Summary:
+
+Creates a resource classification rule. 
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource classification rule creation. | ResourceClassificationRuleCreatedResult |
+
+### /api/ProvisioningPolicy/ResourceClassificationRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a resource classification rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource classification rule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource classification rule. | ResourceClassificationRule |
+
+#### Put
+##### Summary:
+
+Updates a resource classification rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource classification rule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource classification rule update. | ResourceClassificationRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a resource classification rule. 
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource classification rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource classification rule delete. | ResourceClassificationRuleDeletedResult |
+
+### /api/ProvisioningPolicy/ResourceCorrelationRule
+
+#### Get
+##### Summary:
+
+Returns all the resource correlation rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource correlation rule list. | List of ResourceCorrelationRule |
+
+#### Post
+##### Summary:
+
+Creates a resource correlation rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource correlation rule creation. 
| ResourceCorrelationRuleCreatedResult |
+
+### /api/ProvisioningPolicy/ResourceCorrelationRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a resource correlation rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource correlation rule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource correlation rule. | ResourceCorrelationRule |
+
+#### Put
+##### Summary:
+
+Updates a resource correlation rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource correlation rule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource correlation rule update. | ResourceCorrelationRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a resource correlation rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource correlation rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource correlation rule delete. 
| ResourceCorrelationRuleDeletedResult |
+
+### /api/ProvisioningPolicy/ResourceNavigationRule
+
+#### Get
+##### Summary:
+
+Returns all the resource navigation rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| PageSize | Page size. | False | | |
+| ContinuationToken | ContinuationToken returned by previous page request. | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource navigation rule list. | List of ResourceNavigationRule |
+
+#### Post
+##### Summary:
+
+Creates a resource navigation rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource navigation rule creation. | ResourceNavigationRuleCreatedResult |
+
+### /api/ProvisioningPolicy/ResourceNavigationRule/\{id\}
+
+#### Get
+##### Summary:
+
+Returns a resource navigation rule corresponding to the provided identifier and its information according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource navigation rule. | True | | |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. 
| False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. | False | | |
+| ApplyPostCondition | If true, use PostCondition access control rules. | False | | |
+| AllowedAllJoinQuery | | False | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The resource navigation rule. | ResourceNavigationRule |
+
+#### Put
+##### Summary:
+
+Updates a resource navigation rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource navigation rule to update. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource navigation rule update. | ResourceNavigationRuleUpdatedResult |
+
+#### Delete
+##### Summary:
+
+Deletes a resource navigation rule.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| id | Identifier of the resource navigation rule to delete. | True | | |
+| api-version | The requested API version | True | | |
+
+##### Responses:
+
+| Code | Description | Reference |
+| --- | --- | --- |
+| 200 | The result of the resource navigation rule delete. | ResourceNavigationRuleDeletedResult |
+
+### /api/ProvisioningPolicy/ResourceQueryRule
+
+#### Get
+##### Summary:
+
+Returns all the resource query rules according to the provided query.
+
+##### Parameters:
+
+| Name | Description | Required | Type | Reference |
+| --- | --- | --- | --- | --- |
+| squery | Query compliant to the API query grammar. | False | | |
+| Path | Represents the permission path. | False | | |
+| QueryRootEntityType | Defines the query root entity type. | False | | |
+| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource query rule list. | List of ResourceQueryRule | + +#### Post +##### Summary: + +Creates a resource query rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource query rule creation. | ResourceQueryRuleCreatedResult | + +### /api/ProvisioningPolicy/ResourceQueryRule/\{id\} + +#### Get +##### Summary: + +Returns a resource query rule corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource query rule. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource query rule. | ResourceQueryRule | + +#### Put +##### Summary: + +Updates a resource query rule. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource query rule to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource query rule update. | ResourceQueryRuleUpdatedResult | + +#### Delete +##### Summary: + +Deletes a resource query rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource query rule to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource query rule delete. | ResourceQueryRuleDeletedResult | + +### /api/ProvisioningPolicy/ResourceScalarRule + +#### Get +##### Summary: + +Returns all the resource scalar rules according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource scalar rule list. | List of ResourceScalarRule | + +#### Post +##### Summary: + +Creates a resource scalar rule. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource scalar rule creation. | ResourceScalarRuleCreatedResult | + +### /api/ProvisioningPolicy/ResourceScalarRule/\{id\} + +#### Get +##### Summary: + +Returns a resource scalar rule corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource scalar rule. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource scalar rule. | ResourceScalarRule | + +#### Put +##### Summary: + +Updates a resource scalar rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource scalar rule to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource scalar rule update. | ResourceScalarRuleUpdatedResult | + +#### Delete +##### Summary: + +Deletes a resource scalar rule. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource scalar rule to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource scalar rule delete. | ResourceScalarRuleDeletedResult | + +### /api/ProvisioningPolicy/ResourceType + +#### Get +##### Summary: + +Returns all the resource types according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource type list. | List of ResourceType | + +#### Post +##### Summary: + +Creates a resource type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource type creation. | ResourceTypeCreatedResult | + +### /api/ProvisioningPolicy/ResourceType/\{id\} + +#### Get +##### Summary: + +Returns a resource type corresponding to the provided identifier and its information according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource type. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource type. | ResourceType | + +#### Put +##### Summary: + +Updates a resource type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource type to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource type update. | ResourceTypeUpdatedResult | + +#### Delete +##### Summary: + +Deletes a resource type. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource type to delete. | True | | | +| force | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource type delete. | ResourceTypeDeletedResult | + +### /api/ProvisioningPolicy/ResourceTypeRule + +#### Get +##### Summary: + +Returns all the resource type rules according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. 
| False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource type rule list. | List of ResourceTypeRule | + +#### Post +##### Summary: + +Creates a resource type rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource type rule creation. | ResourceTypeRuleCreatedResult | + +### /api/ProvisioningPolicy/ResourceTypeRule/\{id\} + +#### Get +##### Summary: + +Returns a resource type rule corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource type rule. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource type rule. 
| ResourceTypeRule | + +#### Put +##### Summary: + +Updates a resource type rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource type rule to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource type rule update. | ResourceTypeRuleUpdatedResult | + +#### Delete +##### Summary: + +Deletes a resource type rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the resource type rule to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource type rule delete. | ResourceTypeRuleDeletedResult | + +### /api/ProvisioningPolicy/Risk + +#### Get +##### Summary: + +Returns all the risks according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The risk list. | List of Risk | + +#### Post +##### Summary: + +Creates a risk. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the risk creation. | RiskCreatedResult | + +### /api/ProvisioningPolicy/Risk/\{id\} + +#### Get +##### Summary: + +Returns a risk corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the risk. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The risk. | Risk | + +#### Put +##### Summary: + +Updates a risk. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the risk to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the risk update. | RiskUpdatedResult | + +#### Delete +##### Summary: + +Deletes a risk. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the risk to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the risk delete. 
| RiskDeletedResult | + +### /api/ProvisioningPolicy/RoleMapping + +#### Get +##### Summary: + +Returns all the risks according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The risk list. | List of RoleMapping | + +#### Post +##### Summary: + +Creates a risk. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the risk creation. | RoleMappingCreatedResult | + +### /api/ProvisioningPolicy/RoleMapping/\{id\} + +#### Get +##### Summary: + +Returns a risk corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the risk. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. 
| False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The risk. | RoleMapping | + +#### Put +##### Summary: + +Updates a risk. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the risk to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the risk update. | RoleMappingUpdatedResult | + +#### Delete +##### Summary: + +Deletes a risk. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the risk to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the risk delete. | RoleMappingDeletedResult | + +### /api/ProvisioningPolicy/SingleRole + +#### Get +##### Summary: + +Returns all the single roles according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role list. 
| List of SingleRole | + +#### Post +##### Summary: + +Creates a single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role creation. | SingleRoleCreatedResult | + +### /api/ProvisioningPolicy/SingleRole/\{id\} + +#### Get +##### Summary: + +Returns a single role corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role. | SingleRole | + +#### Put +##### Summary: + +Updates a single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role update. | SingleRoleUpdatedResult | + +#### Delete +##### Summary: + +Deletes a single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role to delete. 
| True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role delete. | SingleRoleDeletedResult | + +### /api/ProvisioningPolicy/SingleRoleRule + +#### Get +##### Summary: + +Returns all the single role rules according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role rule list. | List of SingleRoleRule | + +#### Post +##### Summary: + +Creates a single role rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role rule creation. | SingleRoleRuleCreatedResult | + +### /api/ProvisioningPolicy/SingleRoleRule/\{id\} + +#### Get +##### Summary: + +Returns a single role rule corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role rule. 
| True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role rule. | SingleRoleRule | + +#### Put +##### Summary: + +Updates a single role rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role rule to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role rule update. | SingleRoleRuleUpdatedResult | + +#### Delete +##### Summary: + +Deletes a single role rule. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role rule to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role rule delete. | SingleRoleRuleDeletedResult | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/report.md b/docs/identitymanager/6.3/integration-guide/api/server/report.md new file mode 100644 index 0000000000..76dee57271 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/report.md 
@@ -0,0 +1,111 @@ +--- +title: "Report" +sidebar_position: 9 +--- + +### /api/Report/ReportQuery + +#### Get +##### Summary: + +Returns all the single roles according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role list. | List of ReportQuery | + +#### Post +##### Summary: + +Creates a single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role creation. | ReportQueryCreatedResult | + +### /api/Report/ReportQuery/\{id\} + +#### Get +##### Summary: + +Returns a single role corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The single role. | ReportQuery | + +#### Put +##### Summary: + +Updates a single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role update. | ReportQueryUpdatedResult | + +#### Delete +##### Summary: + +Deletes a single role. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the single role to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the single role delete. | ReportQueryDeletedResult | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/resource.md b/docs/identitymanager/6.3/integration-guide/api/server/resource.md new file mode 100644 index 0000000000..3fc60f4e92 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/resource.md 
@@ -0,0 +1,116 @@ +--- +title: "Resource" +sidebar_position: 10 +--- + +### /api/Resource/\{type\} + +#### Get +##### Summary: + +Returns all the resources according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The assigned composite role list. | List of UntypedResource | + +#### Post +##### Summary: + +Creates a resource. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource creation. | ResourceCreatedResult | + +### /api/Resource/\{type\}/\{id\} + +#### Get +##### Summary: + +Returns a resource corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| id | Identifier of the resource role. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. 
| False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource. | | + +#### Put +##### Summary: + +Updates a resource. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| id | Identifier of the resource to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource update. | ResourceUpdatedResult | + +#### Delete +##### Summary: + +Deletes a resource. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| id | Identifier of the resource to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the resource delete. | ResourceDeletedResult | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/resourcechange.md b/docs/identitymanager/6.3/integration-guide/api/server/resourcechange.md new file mode 100644 index 0000000000..667cfac488 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/resourcechange.md 
@@ -0,0 +1,35 @@ +--- +title: "ResourceChange" +sidebar_position: 11 +--- + +### /api/ResourceChange/\{type\}/\{id\} + +#### Get +##### Summary: + +Returns all the resource changes according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| id | Identifier of the job instance. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| primaryKeyFilter | Filter on primary key value. | False | | | +| changeOperationType | Filter on change operation type. | False | | ChangeOperation | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource changes list. | List of ResourceChange | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/resourcefilechange.md b/docs/identitymanager/6.3/integration-guide/api/server/resourcefilechange.md new file mode 100644 index 0000000000..edd785f739 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/resourcefilechange.md 
@@ -0,0 +1,34 @@ +--- +title: "ResourceFileChange" +sidebar_position: 12 +--- + +### /api/ResourceFileChange/\{type\}/\{id\} + +#### Get +##### Summary: + +Returns all the resource file changes according to the provided job instance id. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| id | Identifier of the job instance. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| changeOperationType | Filter on change operation type. | False | | ChangeOperation | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource file change. | List of ResourceFileChange | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/resourcelinkchange.md b/docs/identitymanager/6.3/integration-guide/api/server/resourcelinkchange.md new file mode 100644 index 0000000000..5927708a8b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/resourcelinkchange.md 
@@ -0,0 +1,35 @@ +--- +title: "ResourceLinkChange" +sidebar_position: 13 +--- + +### /api/ResourceLinkChange/\{type\}/\{property\}/\{id\} + +#### Get +##### Summary: + +Returns all the resource link changes according to the provided job instance id. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| type | Entity type identifier. | True | | | +| property | Navigation property identifier. | True | | | +| id | Identifier of the job instance. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| changeOperationType | Filter on change operation type. | False | | ChangeOperation | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The resource link changes. | List of ResourceLinkChange | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/robots.txt.md b/docs/identitymanager/6.3/integration-guide/api/server/robots.txt.md new file mode 100644 index 0000000000..97e5455d27 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/robots.txt.md @@ -0,0 +1,14 @@ +--- +title: "Robots.Txt" +sidebar_position: 14 +--- + +### /robots.txt + +#### Get +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | OK | | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/universes.md b/docs/identitymanager/6.3/integration-guide/api/server/universes.md new file mode 100644 index 0000000000..d61997810c --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/api/server/universes.md 
@@ -0,0 +1,100 @@ +--- +title: "Universes" +sidebar_position: 15 +--- + +### /api/Universes/PowerBI/Model + +#### Get +##### Summary: + +PowerBI model. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | Model. | | + +### /api/Universes/PowerBI/Data/\{universeIdentifier\}/\{tableIdentifier\} + +#### Get +##### Summary: + +PowerBI table data. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| universeIdentifier | | True | | | +| tableIdentifier | | True | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | Data. | List of Object__ | + +### /api/Universes/Universe + +#### Get +##### Summary: + +Returns all the policies according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The policy list. 
| List of Universe | + +### /api/Universes/Universe/\{id\} + +#### Get +##### Summary: + +Returns a policy corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the policy. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The policy. | Universe | + diff --git a/docs/identitymanager/6.3/integration-guide/api/server/workflows.md b/docs/identitymanager/6.3/integration-guide/api/server/workflows.md new file mode 100644 index 0000000000..9002808060 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/api/server/workflows.md 
@@ -0,0 +1,550 @@ +--- +title: "Workflows" +sidebar_position: 16 +--- + +### /api/Workflows/Activity + +#### Get +##### Summary: + +Returns all the activities according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activity list. | List of Activity | + +#### Post +##### Summary: + +Creates an activity. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the activity creation. | ActivityCreatedResult | + +### /api/Workflows/Activity/\{id\} + +#### Get +##### Summary: + +Returns an activity corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the activity. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activity. | Activity | + +#### Put +##### Summary: + +Updates an activity. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the activity to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the activity update. | ActivityUpdatedResult | + +#### Delete +##### Summary: + +Deletes a activity. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the activity to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the activity delete. | ActivityDeletedResult | + +### /api/Workflows/ActivityInstance + +#### Get +##### Summary: + +Returns all the activity instances according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activity instance list. | List of ActivityInstance | + +### /api/Workflows/ActivityInstance/\{id\} + +#### Get +##### Summary: + +Returns the activity instances corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the ActivityInstance. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activity instances. | ActivityInstance | + +### /api/Workflows/ActivityTemplate + +#### Get +##### Summary: + +Returns all the activityTemplates according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activityTemplate list. | List of ActivityTemplate | + +### /api/Workflows/ActivityTemplate/\{id\} + +#### Get +##### Summary: + +Returns a activityTemplate corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the activityTemplate. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activityTemplate. | ActivityTemplate | + +### /api/Workflows/ActivityTemplateState + +#### Get +##### Summary: + +Returns all the activityTemplateStates according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activityTemplateState list. | List of ActivityTemplateState | + +### /api/Workflows/ActivityTemplateState/\{id\} + +#### Get +##### Summary: + +Returns a activityTemplateState corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the activityTemplateState. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activityTemplateState. | ActivityTemplateState | + +### /api/Workflows/ActivityTemplateTransition + +#### Get +##### Summary: + +Returns all the activityTemplateTransitions according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activityTemplateTransition list. | List of ActivityTemplateTransition | + +### /api/Workflows/ActivityTemplateTransition/\{id\} + +#### Get +##### Summary: + +Returns a activityTemplateTransition corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the activityTemplateTransition. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The activityTemplateTransition. | ActivityTemplateTransition | + +### /api/Workflows/Workflow + +#### Get +##### Summary: + +Returns all the workflows according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The workflow list. | List of Workflow | + +#### Post +##### Summary: + +Creates a workflow. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the workflow creation. | WorkflowCreatedResult | + +### /api/Workflows/Workflow/\{id\} + +#### Get +##### Summary: + +Returns a workflow corresponding to the provided identifier and its information according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the workflow. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The workflow. | Workflow | + +#### Put +##### Summary: + +Updates a workflow. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the workflow to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the workflow update. | WorkflowUpdatedResult | + +#### Delete +##### Summary: + +Deletes a workflow. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the workflow to delete. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the workflow delete. | WorkflowDeletedResult | + +### /api/Workflows/WorkflowInstance + +#### Get +##### Summary: + +Returns all the activities according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The workflowInstance list. | List of WorkflowInstance | + +#### Post +##### Summary: + +Starts a new workflow instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the workflowInstance creation. | WorkflowInstanceStartedResult | + +### /api/Workflows/WorkflowInstance/\{id\} + +#### Get +##### Summary: + +Returns a workflowInstance corresponding to the provided identifier and its information according to the provided query. 
+ +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the workflowInstance. | True | | | +| squery | Query compliant to the API query grammar. | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| ApplyPostCondition | If true, use PostCondition access control rules. | False | | | +| AllowedAllJoinQuery | | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The workflowInstance. | WorkflowInstance | + +#### Put +##### Summary: + +Resume an running workflow instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the workflowInstance to update. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the workflowInstance update. | WorkflowInstanceResumedResult | + +#### Delete +##### Summary: + +Purges an aborted workflow instance. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| id | Identifier of the workflowInstance to purge. | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 200 | The result of the workflowInstance purge. | WorkflowInstancePurgedResult | + +### /api/Workflows/WorkflowInstance/Bulk + +#### Post +##### Parameters: + +| Name | Description | Required | Type | Reference | +| --- | --- | --- | --- | --- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| --- | --- | --- | +| 202 | Accepted | | + 
diff --git a/docs/identitymanager/6.3/integration-guide/api/squery.md b/docs/identitymanager/6.3/integration-guide/api/squery.md
new file mode 100644
index 0000000000..b50213aab4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/api/squery.md
@@ -0,0 +1,202 @@
+---
+title: "API query grammar"
+description: "API query grammar"
+sidebar_position: 20
+---
+
+# API query grammar
+
+Identity Manager's API query language allows to express exactly needed data in an API's GET call. Query is optionally specified by the squery parameter.
+
+### Grammar
+
+Here's the query language's formal description. See the [EBNF syntax ](https://en.wikipedia.org/wiki/Extended_Backus–Naur_form)for additional information.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```ebnf
+    [query] = [historizationFilter] , [joins] , [limit] , [select] , [where] , [orderby] ;
+    historizationFilter = asof | between | contained ;
+    asof = "as of" , '"' , date , '"' ;
+    between = "between" , '"' , date , '"', "and", '"' , date , '"' ;
+    contained = "contained in" , "(" , '"' , date , '"' , "," , '"' , date , '"' , ")" ;
+    joins = join , { join } ;
+    join = "join" , binding ( "of type" identifier ) , alias ;
+    binding = [alias , "."] , property ;
+    property = identifier ;
+    alias = identifier ;
+    identifier = letter , { letter | digit | "_" } ;
+    limit = "pagesize" , integer
+    select = projections ;
+    projections = "select" , binding , { "," , binding } ;
+    where = "where" , filter ;
+    filter = comparison  | combinatorFilter ;
+    combinatorFilter = "(" , filter , (andCombinatorFilter | orCombinatorFilter) , ")" ;
+    andCombinatorFilter = "and" , filter , { "and , filter } ;
+    orCombinatorFilter = "or" , filter , { "or , filter } ;
+    comparison = binding , operator , rightOperand ;
+    rightOperand = value | binding ;
+    operator = "=" | "!=" | "<" | ">" | "<=" | ">=" | "%=" | "=%" | "%=%" | "!%=" | "!=%" | "!%=%" | "&=" ;
+    value = integer | boolean | '"' , string , '"' | "null" | '"' , date , '";
+    boolean = "false" | "true"
+    date = yyyy-mm-ddThh:mm:ssZ
+    orderby = "order by" , binding , sortdirection , { "," ,  binding , sortdirection }
+    sortdirection = "asc" | "desc".
+```
+
+### Operators' semantic
+
+- **=** : Equal.
+- **!=** : Not Equal.
+- **`<`** : Less than.
+- **`>`** : Greater than.
+- **`<=`** : Less than or equal.
+- **`>=`** : Greater than or equal.
+- **%=** : Start with.
+- **=%** : End with.
+- **%=%** : Contain.
+- **!%=** : Doesn't start with.
+- **!=%** : Doesn't end with.
+- **!%=%** : Doesn't contain.
+- **&=** : Has flag
+
+### Query without select section
+
+If select is not specified, API will just return queried elements' Ids.
+
+### Examples
+
+Last 100 started job's instances' Ids.
+
+:::tip
+ Remember, The `Top` in the API queries had been deprecated and `PageSize`should be used instead.
+:::
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```text
+/api/Job/JobInstance?squery=order  by StartDate desc&PageSize=100
+```
+
+A Complete query would be like:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```text
+join Properties p join p.Association1 ea1  PageSize 2 select Id,Identifier,p.Id,p.Identifier,ea1.Id,ea1.Identifier where Id > 45 order by DisplayName_L1 asc
+```
+
+This query when executed on `/api/Metadata/EntityType` route will return the first 2 EntityTypes with their properties ordered by DisplayName:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+  "Result": [{
+      "Id": "2147483653",
+      "Properties": [
+        {
+          "Id": "-9223372015379939327",
+          "Association1": {
+            "Id": "-9223372015379939327",
+            "Identifier": "AssignedCompositeRole.Role-CompositeRole.AssignedCompositeRoles"
+          },
+          "Identifier": "Role"
+        },
+        {
+          "Id": "-9223372015379939326",
+          "Association1": {
+            "Id": "-9223372015379939326",
+            "Identifier": "AssignedCompositeRole.Owner-Resource.AssignedCompositeRoles"
+          },
+          "Identifier": "Owner"
+        },
+        ...
+        {
+          "Id": "-9223372015379939324",
+          "Identifier": "WorkflowState"
+        },
+        {
+          "Id": "-9223372015379939312",
+          "Identifier": "WorkflowInstanceId"
+        }],
+      "Identifier": "AssignedCompositeRole"
+    },
+    {
+      "Id": "2147483654",
+      "Properties": [{
+          "Id": "-9223372011084972031",
+          "Association1": {
+            "Id": "-9223372011084972031",
+            "Identifier": "AssignedResourceNavigation.AssignedResourceType-AssignedResourceType.AssignedResourceNavigations"
+          },
+          "Identifier": "AssignedResourceType"
+        },
+        {
+          "Id": "-9223372011084972030",
+          "Association1": {
+            "Id": "-9223372011084972030",
+            "Identifier": "AssignedResourceNavigation.Property-EntityProperty.AssignedResourceNavigations"
+          },
+          "Identifier": "Property"
+        },
+        ...
+        {
+          "Id": "-9223372011084972012",
+          "Identifier": "PerformerId"
+        },
+        {
+          "Id": "-9223372011084972025",
+          "Identifier": "StartDate"
+        }],
+      "Identifier": "AssignedResourceNavigation"
+    }
+  ]
+}
+```
+
+### HasFlag operator
+
+Determines whether one or more bit fields are set in the property.
+
+#### Example
+
+How to determine whether the DisplayFilter property has its first and third bits are set to 1.
+
+- Comparison expression in the squery (101 in binary = 5 in decimal):
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```text
+DisplayFilter &= 5
+```
+
+- SQL equivalent (see
+[Microsoft Documentation](https://docs.microsoft.com/en-us/sql/t-sql/language-elements/bitwise-operators-transact-sql?view=sql-server-ver15) about the bitwise operators):
+
+```text
+DisplayFilter & 5 = 5
+```
+
+### Historization filter
+
+Provides information about data stored in Identity Manager at any point in time, rather than only the data that is correct at the current moment in time.
+
+The **historizationfilter** expression can take the following values:
+
+- **As of**: Returns the rows that are active at the time specified by the date parameter.
+- **Between**: Returns the values for all row versions that are active within the specified time
+range, regardless of whether they activated before the start date parameter value or deactivated after the end date parameter value.
+- **Contained in**: Returns the values for all row versions that were opened and closed within the
+specified time range defined by the two **datetime** values.
+
+For now, the **between** and **contained in** historization filters can be used only in ReportQuery.
+
+#### Example
+
+The following squery returns the active users at "01/01/2022".
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```sql
+as of "2022-01-01T23:00:00Z" select Id, MainFirstName, MainLastName, Op_MainTitle_DisplayName, Op_MainOrganization_DisplayName, Op_MainLocation_DisplayName, MainPhoneNumber, MainMobileNumber, MainEmployeeCategory.Id, MainLeave, MainVIP
+```
diff --git a/docs/identitymanager/6.3/integration-guide/architecture/index.md b/docs/identitymanager/6.3/integration-guide/architecture/index.md new file mode 100644 index 0000000000..10003b38e9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/architecture/index.md 
@@ -0,0 +1,55 @@
+---
+title: "Architecture"
+description: "Architecture"
+sidebar_position: 220
+---
+
+# Architecture
+
+This article dives deeper into Identity Manager's design principles. Security and flexibility are the main concerns of the architecture.
+
+## A Two-Tier Architecture
+
+Identity Manager is made of two parts:
+
+- The Identity Manager server operates the main process. It uses a dedicated database, serves the
+client side part of the web application and exposes its API.
+- The Identity Manager agent operates data exchange with the information system. It implements a
+specific API called by the web client application.
+
+Agent and server are [ASP.Net](https://docs.microsoft.com/en-us/aspnet/core/) applications running on Windows. Identity Manager's database is a [Microsoft SQLServer](https://www.microsoft.com/en-us/sql-server) relational database.
+
+![Architecture](/images/identitymanager/architecture.webp)
+
+See the [SaaS Environment](../../integration-guide/architecture/saas) topic for additional information on Netwrix Identity Manager (formerly Usercube) recommended architecture when working in a SaaS environment.
+
+See the [On-Premises Environment](../../integration-guide/architecture/on-prem) topic for additional information on Netwrix Identity Manager (formerly Usercube)' recommended architecture when working in an on-premises environment.
+
+See how to [Protect Agent/Server Communication](../../integration-guide/architecture/protect-agent-server-communication).
+
+See the [Software Bill of Materials](../../integration-guide/architecture/sbom) topic for information about the dependency inventory included in releases.
+
+## Isolation Principle
+
+Identity Manager server has no direct access to the information system of the organization. It can be installed on an isolated network (typically in the cloud). Only the agent can read or write the information system. All exchanges between agent and server are operated through the HTTP protocol (HTTPS recommended in production).
+
+## Unidirectional Command Flow
+
+All reading or writing actions in the information system are initiated by the agent. Identity Manager server will never call the agent. The Agent periodically polls the server to gather the actions to process.
+
+Tasks can run on the Server side or on the Agent side.
+
+Tasks that run on the Server side are still executed by an Agent. This is the application of the one-way data flow principle. Agents can send commands to the Server to execute a Task through an HTTP request but the Server cannot command an Agent, hence isolating the sensitive Agents from the exposed Server.
+
+As a result, each set of planned Tasks is assigned to a specific Agent, depending on the managed systems its Tasks relate to.
+
+Agents also receive HTTP/HTTPS requests from the browser to allow authenticated end-users to launch jobs from the UI.
+
+## Authentication
+
+Identity Manager can authenticate users within an Active Directory domain or using an OpenID identity server. For development mode, Identity Manager implements a form-based authentication using a unique password for all users See the [ End-User Authentication](../../integration-guide/network-configuration/server-configuration/end-users-authentication) topic for additional information.
+
+## Multi-Agent Capability
+
+Multiple agents can be installed. This allows Identity Manager to operate in a context where the information system is partitioned over several networks.
+
diff --git a/docs/identitymanager/6.3/integration-guide/architecture/on-prem.md b/docs/identitymanager/6.3/integration-guide/architecture/on-prem.md
new file mode 100644
index 0000000000..0ba78ac219
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/architecture/on-prem.md
@@ -0,0 +1,31 @@
+---
+title: "On-Premises Environment"
+description: "On-Premises Environment"
+sidebar_position: 20
+---
+
+# On-Premises Environment
+
+When working in an on-premises environment, Identity Manager needs a specific architecture.
+
+## Overview
+
+Identity Manager recommends the following architecture:
+
+![On-Premises Recommended Architecture](/images/identitymanager/architecture_onprem.webp)
+
+Most situations do not need Identity Manager so much that they need a fail-over system, i.e. installing several Identity Manager instances in order to prevent breakdowns. In most situations, a single Identity Manager instance is enough.
+
+### Server
+
+The server should be stateless, i.e. it should store only temporary files.
+
+### Agent(s)
+
+One or several additional agents can be needed only when using a sensitive network, for example an administration network separated from the main network.
+
+### Database
+
+The database is a critical item, and thus should be set up with a mirror. The database mirror can have lower CPU and RAM and be on a different location.
+
+Identity Manager recommends using an incremental backup.
diff --git a/docs/identitymanager/6.3/integration-guide/architecture/protect-agent-server-communication.md b/docs/identitymanager/6.3/integration-guide/architecture/protect-agent-server-communication.md
new file mode 100644
index 0000000000..a000dbd3c5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/architecture/protect-agent-server-communication.md
@@ -0,0 +1,121 @@
+---
+title: "Protect Agent/Server Communication"
+description: "Protect Agent/Server Communication"
+sidebar_position: 30
+---
+
+# Protect Agent/Server Communication
+
+This guide shows how to set up a secured authentication system between Identity Manager's agent and server.
+
+## Overview
+
+Identity Manager provides a simple way to protect the communication between agent and server, using OpenID Connect.
+
+First, make sure to understand the OpenID protocol. For example, [see Microsoft's documentation on the matter](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
+
+The idea, when sending data from the agent to the server, is the following:
+
+1. the agent decrypts its own data which was encrypted with the agent-side certificate;
+2. the agent calls the server, and sends its HTTPS-encrypted message;
+3. the server receives and decrypts the message, before encrypting it again with its own encryption
+certificate configured by Identity Manager.
+
+![Schema: Agent/Server Communication](/images/identitymanager/agent-server-communication.webp)
+
+### Configuration details
+
+The server must be configured, in its `appsettings.json`, with:
+
+- an encryption certificate with the private and public keys, in order to be able to send signed
+tokens.
+
+The agent must be configured, in its `appsettings.json`, with:
+
+- an encryption certificate with at least the server's public key, in order to be able to verify the
+tokens sent by the server;
+- another encryption certificate meant to encrypt specific files such as logs or temporary files;
+- an SSL encryption certificate for the HTTPS connection.
+
+The SSL certificate is required when working in an on-premises environment. In a SaaS environment, Identity Manager provides it.
+
+In order to give to the agent the right permissions, the XML configuration must specify an [OpenIdClient](../../integration-guide/toolkit/xml-configuration/access-control/openidclient) linked to its hashed secret, and to a Identity Manager profile.
+
+## Protect Agent/Server Communication
+
+Protect agent/server communication by proceeding as follows:
+
+1. Make sure that both the agent and server configurations specify an encryption certificate. See
+the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) for additional information.
+
+ > For example:
+>
+ > ```
+>
+ > appsettings.json
+>
+ > {
+ > "IdentityServer": {
+ > "X509KeyFilePath": "./identitymanager.pfx",
+ > "X509KeyFilePassword": "secret"
+ > },
+ > ...
+ > }
+>
+ > ```
+
+2. Make sure that the agent is also configured with its own encryption certificate. See the
+[Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) for additional information.
+
+ > For example:
+>
+ > ```
+>
+ > appsettings.json
+>
+ > {
+ > "EncryptionCertificate": {
+ > "File": "./Usercube-Files.pfx",
+ > "Password": "secret",
+ > "EncryptFile": true
+ > },
+ > ...
+ > }
+>
+ > ```
+
+3. Configure an OpenIdClient, both on agent side in `appsettings.agent.json` with the non-hashed
+secret and on server side in the XML configuration with the secret hashed by the [Usercube-New-OpenIDSecret](../../integration-guide/executables/references/new-openidsecret) executable. See the [OpenIdClient](../../integration-guide/toolkit/xml-configuration/access-control/openidclient) for additional information.
+
+ > For example on agent side:
+>
+ > ```
+>
+ > appsettings.agent.json
+>
+ > {
+ > "OpenId": {
+ > "OpenIdClients": {
+ > "Job": "newSecret"
+ > },
+ > ...
+ > }
+ > ...
+ > }
+>
+ > ```
+>
+ > And on server side:
+>
+ > ```
+>
+ > ./Usercube-New-OpenIDSecret.exe --client-secret secret
+>
+ > ```
+>
+ > ``
+>
+ > ```
+>
+ > ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/architecture/saas.md b/docs/identitymanager/6.3/integration-guide/architecture/saas.md
new file mode 100644
index 0000000000..917973c5f3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/architecture/saas.md
@@ -0,0 +1,19 @@
+---
+title: "SaaS Environment"
+description: "SaaS Environment"
+sidebar_position: 10
+---
+
+# SaaS Environment
+
+When working in a SaaS environment, Identity Manager needs a specific architecture.
+
+## Overview
+
+Identity Manager recommends the following architecture:
+
+![SaaS Recommended Architecture](/images/identitymanager/architecture_saas.webp)
+
+### Agent(s)
+
+One or several additional agents can be needed only when using a sensitive network, for example an administration network separated from the main network.
diff --git a/docs/identitymanager/6.3/integration-guide/architecture/sbom.md b/docs/identitymanager/6.3/integration-guide/architecture/sbom.md
new file mode 100644
index 0000000000..e83fe93295
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/architecture/sbom.md
@@ -0,0 +1,47 @@
+---
+title: "Software Bill of Materials"
+description: "Understanding the SBOM included with releases"
+sidebar_position: 50
+---
+
+# Software Bill of Materials
+
+## Overview
+
+Starting in version 6.1, Identity Manager includes a Software Bill of Materials (SBOM) file in every release. The SBOM is a complete inventory of all software components and dependencies included in the product.
+
+**File location**: `Runtime/nim-bom.json`
+
+## What's Included
+
+The SBOM contains:
+- All backend (.NET) dependencies
+- All frontend (npm) dependencies
+- Component versions
+- License information
+- Cryptographic hashes for verification
+
+## SBOM Format
+
+The SBOM uses the **CycloneDX JSON format (version 1.6)**, which is a widely-adopted standard that can be consumed by most security scanning and compliance tools.
+
+## Common Use Cases
+
+### Security Scanning
+Import the SBOM into vulnerability scanning tools (such as Dependency-Track or OWASP Dependency-Check) to identify known vulnerabilities in dependencies.
+
+### Compliance Documentation
+The SBOM provides evidence of software composition for security audits and compliance requirements.
+
+### License Review
+Extract license information for all components included in the product.
+
+## Migration from LICENSES.txt
+
+**Previous versions**: Included a `LICENSES.txt` file listing license information.
+
+**Version 6.3+**: The `LICENSES.txt` file has been replaced by `nim-bom.json`, which provides more comprehensive information in a machine-readable format.
+
+## Additional Resources
+
+For more information about the CycloneDX format: https://cyclonedx.org
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaign_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaign_class_diagram.plantuml
new file mode 100644
index 0000000000..9771fe3b49
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaign_class_diagram.plantuml @@ -0,0 +1,47 @@ +@startuml component +package "AccessCertificationCampaign" { + class AccessCertificationCampaign { + CertificationEndDate : DateTime + CompletedItemsCount : Int32 + DisplayName_L1 : String + Identifier : String + ItemsCount : Int32 + LastNotificationDate : DateTime + NotificationNeeded : Boolean + StartDate : DateTime + State : Byte + -- + DataFilters : AccessCertificationDataFilter[] + Items : AccessCertificationItem[] + OwnerEntityType : EntityType + OwnerFilters : AccessCertificationOwnerFilter[] + Policy : AccessCertificationCampaignPolicy + } +} +package "AccessCertificationDataFilter" { + class AccessCertificationDataFilter { + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +package "EntityType" { + class EntityType { + } +} +package "AccessCertificationOwnerFilter" { + class AccessCertificationOwnerFilter { + } +} +package "AccessCertificationCampaignPolicy" { + class AccessCertificationCampaignPolicy { + } +} +AccessCertificationCampaign "1" -- "0..*"AccessCertificationDataFilter +AccessCertificationCampaign "1" -- "0..*"AccessCertificationItem +AccessCertificationCampaign "0..*" -- "1"EntityType +AccessCertificationCampaign "1" -- "0..*"AccessCertificationOwnerFilter +AccessCertificationCampaign "0..*" -- "1"AccessCertificationCampaignPolicy +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaignpolicy_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaignpolicy_class_diagram.plantuml new file mode 100644 index 0000000000..b713367c37 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationcampaignpolicy_class_diagram.plantuml 
@@ -0,0 +1,16 @@ +@startuml component +package "AccessCertificationCampaignPolicy" { + class AccessCertificationCampaignPolicy { + DisplayName_L1 : String + Identifier : String + -- + Campaigns : AccessCertificationCampaign[] + } +} +package "AccessCertificationCampaign" { + class AccessCertificationCampaign { + } +} +AccessCertificationCampaignPolicy "1" -- "0..*"AccessCertificationCampaign +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationdatafilter_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationdatafilter_class_diagram.plantuml new file mode 100644 index 0000000000..a79163fa72 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationdatafilter_class_diagram.plantuml 
@@ -0,0 +1,45 @@ +@startuml component +package "AccessCertificationDataFilter" { + class AccessCertificationDataFilter { + IncludeCompositeRoles : Boolean + IncludeDeniedPermissions : Boolean + IncludeDoubleValidation : Boolean + IncludeManualAssignmentNotAllowed : Boolean + IncludeNestedCategories : Boolean + IncludeNoValidation : Boolean + IncludeResourceNavigations : Boolean + IncludeResourceScalars : Boolean + IncludeResourceTypes : Boolean + IncludeSimpleValidation : Boolean + IncludeSingleRoles : Boolean + IncludeTripleValidation : Boolean + IncludeWorkflowStateApproved : Boolean + IncludeWorkflowStateFound : Boolean + IncludeWorkflowStateHistory : Boolean + IncludeWorkflowStatePolicyApproved : Boolean + LatestCertifiedLimitDate : DateTime + Tags : String + TargetedRisk : Int64 + -- + Campaign : AccessCertificationCampaign + Category : Category + ResourceType : ResourceType + } +} +package "AccessCertificationCampaign" { + class AccessCertificationCampaign { + } +} +package "Category" { + class Category { + } +} +package "ResourceType" { + class ResourceType { + } +} +AccessCertificationDataFilter "0..*" -- "1"AccessCertificationCampaign +AccessCertificationDataFilter "0..*" -- "0..1"Category +AccessCertificationDataFilter "0..*" -- "0..1"ResourceType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationitem_class_diagram.plantuml new file mode 100644 index 0000000000..5978a8e798 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationitem_class_diagram.plantuml 
@@ -0,0 +1,72 @@ +@startuml component +package "AccessCertificationItem" { + class AccessCertificationItem { + AdministratorComment : String + AdministratorDate : DateTime + AdministratorDecision : Byte + CertificationState : Byte + IsDenied : Boolean + IsTransferred : Boolean + OwnerType : Int64 + ReviewComment : String + ReviewDate : DateTime + ReviewDecision : Byte + SetReviewerDate : DateTime + WorkflowState : Byte + -- + Administrator : Resource + AssignedCompositeRole : AssignedCompositeRole + AssignedResourceNavigation : AssignedResourceNavigation + AssignedResourceScalar : AssignedResourceScalar + AssignedResourceType : AssignedResourceType + AssignedSingleRole : AssignedSingleRole + Campaign : AccessCertificationCampaign + ItemForwardedAccessCertificationItems : ForwardedAccessCertificationItem[] + Owner : Resource + Reviewer : Resource + } +} +package "Resource" { + class Resource { + } +} +package "AssignedCompositeRole" { + class AssignedCompositeRole { + } +} +package "AssignedResourceNavigation" { + class AssignedResourceNavigation { + } +} +package "AssignedResourceScalar" { + class AssignedResourceScalar { + } +} +package "AssignedResourceType" { + class AssignedResourceType { + } +} +package "AssignedSingleRole" { + class AssignedSingleRole { + } +} +package "AccessCertificationCampaign" { + class AccessCertificationCampaign { + } +} +package "ForwardedAccessCertificationItem" { + class ForwardedAccessCertificationItem { + } +} +AccessCertificationItem "0..*" -- "0..1"Resource +AccessCertificationItem "0..*" -- "0..1"AssignedCompositeRole +AccessCertificationItem "0..*" -- "0..1"AssignedResourceNavigation +AccessCertificationItem "0..*" -- "0..1"AssignedResourceScalar +AccessCertificationItem "0..*" -- "0..1"AssignedResourceType +AccessCertificationItem "0..*" -- "0..1"AssignedSingleRole +AccessCertificationItem "0..*" -- "1"AccessCertificationCampaign +AccessCertificationItem "1" -- "0..*"ForwardedAccessCertificationItem +AccessCertificationItem 
"0..*" -- "1"Resource +AccessCertificationItem "0..*" -- "0..1"Resource +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationownerfilter_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationownerfilter_class_diagram.plantuml new file mode 100644 index 0000000000..23090cf82e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscertificationownerfilter_class_diagram.plantuml @@ -0,0 +1,26 @@ +@startuml component +package "AccessCertificationOwnerFilter" { + class AccessCertificationOwnerFilter { + D0 : Int64 + IndividualOwner : Int64 + L0 : Boolean + MinimalRiskScore : Int32 + OwnerLastModificationDate : DateTime + TargetedRisk : Int64 + -- + Campaign : AccessCertificationCampaign + OwnerLastModificationDateBinding : Binding + } +} +package "AccessCertificationCampaign" { + class AccessCertificationCampaign { + } +} +package "Binding" { + class Binding { + } +} +AccessCertificationOwnerFilter "0..*" -- "1"AccessCertificationCampaign +AccessCertificationOwnerFilter "0..*" -- "0..1"Binding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentityproperty_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentityproperty_class_diagram.plantuml new file mode 100644 index 0000000000..ec5c3ed681 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentityproperty_class_diagram.plantuml 
@@ -0,0 +1,20 @@ +@startuml component +package "AccessControlEntityProperty" { + class AccessControlEntityProperty { + -- + AccessControlEntityType : AccessControlEntityType + VisibilityGroup : AccessControlPropertyGroup + } +} +package "AccessControlEntityType" { + class AccessControlEntityType { + } +} +package "AccessControlPropertyGroup" { + class AccessControlPropertyGroup { + } +} +AccessControlEntityProperty "0..*" -- "1"AccessControlEntityType +AccessControlEntityProperty "0..*" -- "0..1"AccessControlPropertyGroup +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentitytype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentitytype_class_diagram.plantuml new file mode 100644 index 0000000000..3802be83e3 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentitytype_class_diagram.plantuml @@ -0,0 +1,15 @@ +@startuml component +package "AccessControlEntityType" { + class AccessControlEntityType { + Identifier : String + -- + Properties : AccessControlEntityProperty[] + } +} +package "AccessControlEntityProperty" { + class AccessControlEntityProperty { + } +} +AccessControlEntityType "1" -- "0..*"AccessControlEntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentry_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentry_class_diagram.plantuml new file mode 100644 index 0000000000..dc7eff80a0 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolentry_class_diagram.plantuml 
@@ -0,0 +1,32 @@ +@startuml component +package "AccessControlEntry" { + class AccessControlEntry { + CanExecute : Boolean + FullAccessProperties : Boolean + IsPostCondition : Boolean + IsPreCondition : Boolean + Notify : Boolean + Priority : Int32 + -- + Permission : AccessControlPermission + PropertyGroup : AccessControlPropertyGroup + Rule : AccessControlRule + } +} +package "AccessControlPermission" { + class AccessControlPermission { + } +} +package "AccessControlPropertyGroup" { + class AccessControlPropertyGroup { + } +} +package "AccessControlRule" { + class AccessControlRule { + } +} +AccessControlEntry "0..*" -- "1"AccessControlPermission +AccessControlEntry "0..*" -- "0..1"AccessControlPropertyGroup +AccessControlEntry "0..*" -- "1"AccessControlRule +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolfilter_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolfilter_class_diagram.plantuml new file mode 100644 index 0000000000..0248ed5497 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolfilter_class_diagram.plantuml @@ -0,0 +1,34 @@ +@startuml component +package "AccessControlFilter" { + class AccessControlFilter { + Category : Boolean + CompositeRole : Boolean + CurrentUser : Boolean + Group : String + Operator : Byte + ResourceType : Boolean + SingleRole : Boolean + Value : String + -- + Binding : Binding + Dimension : Dimension + Rule : AccessControlRule + } +} +package "Binding" { + class Binding { + } +} +package "Dimension" { + class Dimension { + } +} +package "AccessControlRule" { + class AccessControlRule { + } +} +AccessControlFilter "0..*" -- "1"Binding +AccessControlFilter "0..*" -- "0..1"Dimension +AccessControlFilter "0..*" -- "1"AccessControlRule +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpermission_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpermission_class_diagram.plantuml new file mode 100644 index 0000000000..c25a5015ff --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpermission_class_diagram.plantuml @@ -0,0 +1,22 @@ +@startuml component +package "AccessControlPermission" { + class AccessControlPermission { + BlockInheritance : Boolean + Identifier : String + -- + AllowedNavigationBindings : AllowedNavigationBinding[] + Entries : AccessControlEntry[] + } +} +package "AllowedNavigationBinding" { + class AllowedNavigationBinding { + } +} +package "AccessControlEntry" { + class AccessControlEntry { + } +} +AccessControlPermission "1" -- "0..*"AllowedNavigationBinding +AccessControlPermission "1" -- "0..*"AccessControlEntry +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpropertygroup_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpropertygroup_class_diagram.plantuml new file mode 100644 index 0000000000..58657634e9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolpropertygroup_class_diagram.plantuml 
@@ -0,0 +1,22 @@ +@startuml component +package "AccessControlPropertyGroup" { + class AccessControlPropertyGroup { + DisplayName_L1 : String + Identifier : String + -- + PropertyGroupAccessControlEntries : AccessControlEntry[] + VisibilityGroupAccessControlEntityProperties : AccessControlEntityProperty[] + } +} +package "AccessControlEntry" { + class AccessControlEntry { + } +} +package "AccessControlEntityProperty" { + class AccessControlEntityProperty { + } +} +AccessControlPropertyGroup "0..1" -- "0..*"AccessControlEntry +AccessControlPropertyGroup "0..1" -- "0..*"AccessControlEntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolrule_class_diagram.plantuml new file mode 100644 index 0000000000..9fbcfefa21 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/accesscontrolrule_class_diagram.plantuml @@ -0,0 +1,34 @@ +@startuml component +package "AccessControlRule" { + class AccessControlRule { + DisplayName_L1 : String + Identifier : String + -- + EntityType : EntityType + Entries : AccessControlEntry[] + Filters : AccessControlFilter[] + Profile : Profile + } +} +package "EntityType" { + class EntityType { + } +} +package "AccessControlEntry" { + class AccessControlEntry { + } +} +package "AccessControlFilter" { + class AccessControlFilter { + } +} +package "Profile" { + class Profile { + } +} +AccessControlRule "0..*" -- "1"EntityType +AccessControlRule "1" -- "0..*"AccessControlEntry +AccessControlRule "1" -- "0..*"AccessControlFilter +AccessControlRule "0..*" -- "1"Profile +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activity_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activity_class_diagram.plantuml new file mode 100644 index 0000000000..0fbb51a08a --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activity_class_diagram.plantuml @@ -0,0 +1,57 @@ +@startuml component +package "Activity" { + class Activity { + ArgumentBlockProvisioning : Boolean + DisplayName_L1 : String + Identifier : String + Order : Int32 + WorkflowOverviewDisable : Boolean + -- + ActivityRecipients : Recipient[] + ArgumentCalledWorkflow : Workflow + CurrentWorkflowInstances : WorkflowInstance[] + Forms : Form[] + Instances : ActivityInstance[] + PointCuts : PointCut[] + Template : ActivityTemplate + Workflow : Workflow + } +} +package "Recipient" { + class Recipient { + } +} +package "Workflow" { + class Workflow { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +package "Form" { + class Form { + } +} +package "ActivityInstance" { + class ActivityInstance { + } +} +package "PointCut" { + class PointCut { + } +} +package "ActivityTemplate" { + class ActivityTemplate { + } +} +Activity "0..1" -- "0..*"Recipient +Activity "0..*" -- "0..1"Workflow +Activity "1" -- "0..*"WorkflowInstance +Activity "0..1" -- "0..*"Form +Activity "1" -- "0..*"ActivityInstance +Activity "1" -- "0..*"PointCut +Activity "0..*" -- "1"ActivityTemplate +Activity "0..*" -- "1"Workflow +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstance_class_diagram.plantuml new file mode 100644 index 0000000000..fdacad5a61 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstance_class_diagram.plantuml 
@@ -0,0 +1,67 @@ +@startuml component +package "ActivityInstance" { + class ActivityInstance { + AssignedTo : Int64 + Body : String + CC : String + ChangeSetSummary : String + CreationDate : DateTime + ExpectedDate : DateTime + PrivateBody : String + Subject : String + TriggerMode : Int32 + -- + Activity : Activity + ActivityInstanceActivityInstanceCCs : ActivityInstanceCC[] + ActivityInstanceActivityInstancesActors : ActivityInstancesActor[] + ActivityInstanceChanges : Change[] + ActivityInstance_WorkflowInstanceForWhichItIsCurrent : WorkflowInstance[] + ActivityState : ActivityTemplateState + OpenIdClient : OpenIdClient + Performer : Resource + WorkflowInstance : WorkflowInstance + } +} +package "Activity" { + class Activity { + } +} +package "ActivityInstanceCC" { + class ActivityInstanceCC { + } +} +package "ActivityInstancesActor" { + class ActivityInstancesActor { + } +} +package "Change" { + class Change { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +package "ActivityTemplateState" { + class ActivityTemplateState { + } +} +package "OpenIdClient" { + class OpenIdClient { + } +} +package "Resource" { + class Resource { + } +} +ActivityInstance "0..*" -- "1"Activity +ActivityInstance "1" -- "0..*"ActivityInstanceCC +ActivityInstance "1" -- "0..*"ActivityInstancesActor +ActivityInstance "1" -- "0..*"Change +ActivityInstance "0..1" -- "0..*"WorkflowInstance +ActivityInstance "0..*" -- "1"ActivityTemplateState +ActivityInstance "0..*" -- "0..1"OpenIdClient +ActivityInstance "0..*" -- "0..1"Resource +ActivityInstance "0..*" -- "1"WorkflowInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancecc_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancecc_class_diagram.plantuml new file mode 100644 index 0000000000..8b9d0eb201 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancecc_class_diagram.plantuml @@ -0,0 +1,20 @@ +@startuml component +package "ActivityInstanceCC" { + class ActivityInstanceCC { + -- + ActivityInstance : ActivityInstance + Resource : Resource + } +} +package "ActivityInstance" { + class ActivityInstance { + } +} +package "Resource" { + class Resource { + } +} +ActivityInstanceCC "0..*" -- "1"ActivityInstance +ActivityInstanceCC "0..*" -- "1"Resource +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancesactor_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancesactor_class_diagram.plantuml new file mode 100644 index 0000000000..25bc9f6c05 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activityinstancesactor_class_diagram.plantuml @@ -0,0 +1,15 @@ +@startuml component +package "ActivityInstancesActor" { + class ActivityInstancesActor { + Actor : Int64 + -- + ActivityInstance : ActivityInstance + } +} +package "ActivityInstance" { + class ActivityInstance { + } +} +ActivityInstancesActor "0..*" -- "1"ActivityInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplate_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplate_class_diagram.plantuml new file mode 100644 index 0000000000..d3935b8156 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplate_class_diagram.plantuml 
@@ -0,0 +1,24 @@ +@startuml component +package "ActivityTemplate" { + class ActivityTemplate { + DisplayName_L1 : String + Identifier : String + -- + ActivityTemplateActivityTemplateStates : ActivityTemplateState[] + FirstState : ActivityTemplateState + TemplateActivities : Activity[] + } +} +package "ActivityTemplateState" { + class ActivityTemplateState { + } +} +package "Activity" { + class Activity { + } +} +ActivityTemplate "1" -- "0..*"ActivityTemplateState +ActivityTemplate "0..*" -- "0..1"ActivityTemplateState +ActivityTemplate "1" -- "0..*"Activity +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatestate_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatestate_class_diagram.plantuml new file mode 100644 index 0000000000..2eb9cdd1b3 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatestate_class_diagram.plantuml 
@@ -0,0 +1,58 @@ +@startuml component +package "ActivityTemplateState" { + class ActivityTemplateState { + DisplayName_L1 : String + Identifier : String + Interactive : Boolean + ShortIdentifier : String + -- + ActivityStateActivityInstances : ActivityInstance[] + ActivityStateForms : Form[] + ActivityStateRecipients : Recipient[] + ActivityTemplate : ActivityTemplate + CurrentStateWorkflowInstances : WorkflowInstance[] + FirstStateActivityTemplates : ActivityTemplate[] + FromStateActivityTemplateTransitions : ActivityTemplateTransition[] + PointCuts : PointCut[] + ToStateActivityTemplateTransitions : ActivityTemplateTransition[] + } +} +package "ActivityInstance" { + class ActivityInstance { + } +} +package "Form" { + class Form { + } +} +package "Recipient" { + class Recipient { + } +} +package "ActivityTemplate" { + class ActivityTemplate { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +package "ActivityTemplateTransition" { + class ActivityTemplateTransition { + } +} +package "PointCut" { + class PointCut { + } +} +ActivityTemplateState "1" -- "0..*"ActivityInstance +ActivityTemplateState "0..1" -- "0..*"Form +ActivityTemplateState "0..1" -- "0..*"Recipient +ActivityTemplateState "0..*" -- "1"ActivityTemplate +ActivityTemplateState "1" -- "0..*"WorkflowInstance +ActivityTemplateState "0..1" -- "0..*"ActivityTemplate +ActivityTemplateState "1" -- "0..*"ActivityTemplateTransition +ActivityTemplateState "1" -- "0..*"PointCut +ActivityTemplateState "1" -- "0..*"ActivityTemplateTransition +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatetransition_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatetransition_class_diagram.plantuml new file mode 100644 index 0000000000..7f83c60dc5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/activitytemplatetransition_class_diagram.plantuml 
@@ -0,0 +1,25 @@ +@startuml component +package "ActivityTemplateTransition" { + class ActivityTemplateTransition { + DisplayName_L1 : String + Identifier : String + IsBatchActor : Boolean + -- + CurrentWorkflowInstances : WorkflowInstance[] + FromState : ActivityTemplateState + ToState : ActivityTemplateState + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +package "ActivityTemplateState" { + class ActivityTemplateState { + } +} +ActivityTemplateTransition "1" -- "0..*"WorkflowInstance +ActivityTemplateTransition "0..*" -- "1"ActivityTemplateState +ActivityTemplateTransition "0..*" -- "1"ActivityTemplateState +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/agent_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/agent_class_diagram.plantuml new file mode 100644 index 0000000000..5e8bd1bc92 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/agent_class_diagram.plantuml @@ -0,0 +1,42 @@ +@startuml component +package "Agent" { + class Agent { + DisplayName_L1 : String + Identifier : String + State : Int32 + URI : String + -- + AgentScaffoldings : Scaffolding[] + Connectors : Connector[] + Jobs : Job[] + TaskInstances : TaskInstance[] + Tasks : Task[] + } +} +package "Scaffolding" { + class Scaffolding { + } +} +package "Connector" { + class Connector { + } +} +package "Job" { + class Job { + } +} +package "TaskInstance" { + class TaskInstance { + } +} +package "Task" { + class Task { + } +} +Agent "0..1" -- "0..*"Scaffolding +Agent "0..1" -- "0..*"Connector +Agent "0..1" -- "0..*"Job +Agent "0..1" -- "0..*"TaskInstance +Agent "0..1" -- "0..*"Task +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/allowednavigationbinding_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/allowednavigationbinding_class_diagram.plantuml new file mode 100644 index 0000000000..80012a1166 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/allowednavigationbinding_class_diagram.plantuml @@ -0,0 +1,32 @@ +@startuml component +package "AllowedNavigationBinding" { + class AllowedNavigationBinding { + -- + Binding : Binding + EntityType : EntityType + OpenIdClient : OpenIdClient + Permission : AccessControlPermission + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +package "OpenIdClient" { + class OpenIdClient { + } +} +package "AccessControlPermission" { + class AccessControlPermission { + } +} +AllowedNavigationBinding "0..*" -- "1"Binding +AllowedNavigationBinding "0..*" -- "1"EntityType +AllowedNavigationBinding "0..*" -- "1"OpenIdClient +AllowedNavigationBinding "0..*" -- "1"AccessControlPermission +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/aspect_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/aspect_class_diagram.plantuml new file mode 100644 index 0000000000..31d35ec11b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/aspect_class_diagram.plantuml 
@@ -0,0 +1,41 @@ +@startuml component +package "Aspect" { + class Aspect { + Identifier : String + IfExpression : String + P0 : String + Priority : Int32 + Type : Int32 + -- + AspectRecipients : Recipient[] + AspectUnicityCheckRules : UnicityCheckRule[] + Binding : Binding + ExpressionBinding : Binding + HistorizeBinding : Binding + PointCuts : PointCut[] + } +} +package "Recipient" { + class Recipient { + } +} +package "UnicityCheckRule" { + class UnicityCheckRule { + } +} +package "Binding" { + class Binding { + } +} +package "PointCut" { + class PointCut { + } +} +Aspect "1" -- "0..*"Recipient +Aspect "1" -- "0..*"UnicityCheckRule +Aspect "0..*" -- "0..1"Binding +Aspect "0..*" -- "0..1"Binding +Aspect "0..*" -- "0..1"Binding +Aspect "1" -- "0..*"PointCut +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedcompositerole_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedcompositerole_class_diagram.plantuml new file mode 100644 index 0000000000..e46e43779c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedcompositerole_class_diagram.plantuml 
@@ -0,0 +1,72 @@ +@startuml component +package "AssignedCompositeRole" { + class AssignedCompositeRole { + EndDate : DateTime + IsDenied : Boolean + IsIndirect : Boolean + IsInferred : Boolean + ManualAssignmentEndDateLockedToContext : Boolean + OwnerType : Int64 + Performer : Int64 + ReconciliationComment : String + RedundantAssignment : Boolean + RequestComment : String + Requester : Int64 + ReviewComment1 : String + ReviewComment2 : String + ReviewComment3 : String + Reviewer1 : Int64 + Reviewer2 : Int64 + Reviewer3 : Int64 + RiskReviewComment : String + RiskReviewer : Int64 + StartDate : DateTime + WhenPerformed : DateTime + WhenReviewed1 : DateTime + WhenReviewed2 : DateTime + WhenReviewed3 : DateTime + WhenRiskReviewed : DateTime + WorkflowState : Byte + -- + AccessCertificationItems : AccessCertificationItem[] + AssignedCompositeRole1IdentifiedRisks : IdentifiedRisk[] + AssignedCompositeRole2IdentifiedRisks : IdentifiedRisk[] + Owner : Resource + ParametersContext : Context + Role : CompositeRole + WorkflowInstance : WorkflowInstance + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +package "IdentifiedRisk" { + class IdentifiedRisk { + } +} +package "Resource" { + class Resource { + } +} +package "Context" { + class Context { + } +} +package "CompositeRole" { + class CompositeRole { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +AssignedCompositeRole "0..1" -- "0..*"AccessCertificationItem +AssignedCompositeRole "0..1" -- "0..*"IdentifiedRisk +AssignedCompositeRole "0..1" -- "0..*"IdentifiedRisk +AssignedCompositeRole "0..*" -- "1"Resource +AssignedCompositeRole "0..*" -- "1"Context +AssignedCompositeRole "0..*" -- "1"CompositeRole +AssignedCompositeRole "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedprofile_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedprofile_class_diagram.plantuml new file mode 100644 index 0000000000..53d8913b00 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedprofile_class_diagram.plantuml @@ -0,0 +1,31 @@ +@startuml component +package "AssignedProfile" { + class AssignedProfile { + AccessState : Int32 + Email : String + EndDate : DateTime + IsDenied : Boolean + StartDate : DateTime + -- + Context : ProfileContext + Profile : Profile + User : Resource + } +} +package "ProfileContext" { + class ProfileContext { + } +} +package "Profile" { + class Profile { + } +} +package "Resource" { + class Resource { + } +} +AssignedProfile "0..*" -- "1"ProfileContext +AssignedProfile "0..*" -- "1"Profile +AssignedProfile "0..*" -- "1"Resource +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcebinary_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcebinary_class_diagram.plantuml new file mode 100644 index 0000000000..0a087adc14 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcebinary_class_diagram.plantuml 
@@ -0,0 +1,35 @@ +@startuml component +package "AssignedResourceBinary" { + class AssignedResourceBinary { + AssignedResourceType : Int64 + EndDate : DateTime + IsDenied : Boolean + IsPending : Boolean + Owner : Int64 + OwnerType : Int64 + Performer : Int64 + PolicyResourceFile : Int64 + ProvisioningState : Byte + ResourceFile : Int64 + ResourceFileHash : Int32 + StartDate : DateTime + WhenPerformed : DateTime + WhenTransmitted : DateTime + WorkflowState : Byte + -- + Property : EntityProperty + WorkflowInstance : WorkflowInstance + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +AssignedResourceBinary "0..*" -- "1"EntityProperty +AssignedResourceBinary "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourceerror_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourceerror_class_diagram.plantuml new file mode 100644 index 0000000000..7c3629b1d7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourceerror_class_diagram.plantuml @@ -0,0 +1,17 @@ +@startuml component +package "AssignedResourceError" { + class AssignedResourceError { + AssignedResourceType : Int64 + ErrorCode : Int32 + Message : String + -- + JobInstance : TaskInstance + } +} +package "TaskInstance" { + class TaskInstance { + } +} +AssignedResourceError "0..*" -- "1"TaskInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcenavigation_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcenavigation_class_diagram.plantuml new file mode 100644 index 0000000000..1b52e48cf4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcenavigation_class_diagram.plantuml 
@@ -0,0 +1,54 @@ +@startuml component +package "AssignedResourceNavigation" { + class AssignedResourceNavigation { + ConfidenceLevel : Byte + EndDate : DateTime + IsDenied : Boolean + IsIndirect : Boolean + IsInferred : Boolean + IsPending : Boolean + Owner : Int64 + OwnerType : Int64 + Performer : Int64 + ProvisioningState : Byte + StartDate : DateTime + WhenPerformed : DateTime + WhenTransmitted : DateTime + WorkflowState : Byte + -- + AccessCertificationItems : AccessCertificationItem[] + AssignedResourceType : AssignedResourceType + PolicyResource : Resource + Property : EntityProperty + Resource : Resource + WorkflowInstance : WorkflowInstance + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +package "AssignedResourceType" { + class AssignedResourceType { + } +} +package "Resource" { + class Resource { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +AssignedResourceNavigation "0..1" -- "0..*"AccessCertificationItem +AssignedResourceNavigation "0..*" -- "1"AssignedResourceType +AssignedResourceNavigation "0..*" -- "0..1"Resource +AssignedResourceNavigation "0..*" -- "1"EntityProperty +AssignedResourceNavigation "0..*" -- "1"Resource +AssignedResourceNavigation "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcescalar_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcescalar_class_diagram.plantuml new file mode 100644 index 0000000000..278f317af0 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcescalar_class_diagram.plantuml 
@@ -0,0 +1,44 @@ +@startuml component +package "AssignedResourceScalar" { + class AssignedResourceScalar { + EndDate : DateTime + IsPending : Boolean + Owner : Int64 + OwnerType : Int64 + Performer : Int64 + PolicyValue : String + ProvisioningState : Byte + StartDate : DateTime + Value : String + WhenPerformed : DateTime + WhenTransmitted : DateTime + WorkflowState : Byte + -- + AccessCertificationItems : AccessCertificationItem[] + AssignedResourceType : AssignedResourceType + Property : EntityProperty + WorkflowInstance : WorkflowInstance + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +package "AssignedResourceType" { + class AssignedResourceType { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +AssignedResourceScalar "0..1" -- "0..*"AccessCertificationItem +AssignedResourceScalar "0..*" -- "1"AssignedResourceType +AssignedResourceScalar "0..*" -- "1"EntityProperty +AssignedResourceScalar "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcetype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcetype_class_diagram.plantuml new file mode 100644 index 0000000000..5b5480a31d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedresourcetype_class_diagram.plantuml 
@@ -0,0 +1,91 @@ +@startuml component +package "AssignedResourceType" { + class AssignedResourceType { + Arguments : String + ConsolidatedAssignedResourceTypeCountError : Int16 + ConsolidatedProvisioningState : Byte + ConsolidatedWorkflowBlockedCount : Int16 + ConsolidatedWorkflowBlockedState : Byte + ConsolidatedWorkflowFoundCount : Int16 + ConsolidatedWorkflowFoundState : Byte + ConsolidatedWorkflowReviewCount : Int16 + ConsolidatedWorkflowReviewState : Byte + EndDate : DateTime + HasPendingOrders : Boolean + IsDenied : Boolean + IsInferred : Boolean + ManualAssignmentEndDateLockedToContext : Boolean + ManualProvisioningState : Byte + NeedsPolicyApplication : Boolean + OwnerType : Int64 + Performer : Int64 + ProvisioningReviewFilter : Byte + ProvisioningState : Byte + ReconciliationComment : String + RedundantAssignment : Boolean + RequestComment : String + Requester : Int64 + ResourceTypeIdentificationConfidenceLevel : Byte + ReviewComment1 : String + ReviewComment2 : String + ReviewComment3 : String + Reviewer1 : Int64 + Reviewer2 : Int64 + Reviewer3 : Int64 + SourceMatchedConfidenceLevel : Byte + StartDate : DateTime + WhenPerformed : DateTime + WhenReviewed1 : DateTime + WhenReviewed2 : DateTime + WhenReviewed3 : DateTime + WhenTransmitted : DateTime + WorkflowState : Byte + -- + AccessCertificationItems : AccessCertificationItem[] + AssignedResourceNavigations : AssignedResourceNavigation[] + AssignedResourceScalars : AssignedResourceScalar[] + Owner : Resource + ParametersContext : Context + Resource : Resource + ResourceType : ResourceType + WorkflowInstance : WorkflowInstance + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +package "AssignedResourceNavigation" { + class AssignedResourceNavigation { + } +} +package "AssignedResourceScalar" { + class AssignedResourceScalar { + } +} +package "Resource" { + class Resource { + } +} +package "Context" { + class Context { + } +} +package "ResourceType" { + class ResourceType 
{ + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +AssignedResourceType "0..1" -- "0..*"AccessCertificationItem +AssignedResourceType "1" -- "0..*"AssignedResourceNavigation +AssignedResourceType "1" -- "0..*"AssignedResourceScalar +AssignedResourceType "0..*" -- "0..1"Resource +AssignedResourceType "0..*" -- "1"Context +AssignedResourceType "0..*" -- "0..1"Resource +AssignedResourceType "0..*" -- "1"ResourceType +AssignedResourceType "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedsinglerole_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedsinglerole_class_diagram.plantuml new file mode 100644 index 0000000000..fecb229c68 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/assignedsinglerole_class_diagram.plantuml 
@@ -0,0 +1,72 @@ +@startuml component +package "AssignedSingleRole" { + class AssignedSingleRole { + EndDate : DateTime + IsDenied : Boolean + IsIndirect : Boolean + IsInferred : Boolean + ManualAssignmentEndDateLockedToContext : Boolean + OwnerType : Int64 + Performer : Int64 + ReconciliationComment : String + RedundantAssignment : Boolean + RequestComment : String + Requester : Int64 + ReviewComment1 : String + ReviewComment2 : String + ReviewComment3 : String + Reviewer1 : Int64 + Reviewer2 : Int64 + Reviewer3 : Int64 + RiskReviewComment : String + RiskReviewer : Int64 + StartDate : DateTime + WhenPerformed : DateTime + WhenReviewed1 : DateTime + WhenReviewed2 : DateTime + WhenReviewed3 : DateTime + WhenRiskReviewed : DateTime + WorkflowState : Byte + -- + AccessCertificationItems : AccessCertificationItem[] + AssignedSingleRole1IdentifiedRisks : IdentifiedRisk[] + AssignedSingleRole2IdentifiedRisks : IdentifiedRisk[] + Owner : Resource + ParametersContext : Context + Role : SingleRole + WorkflowInstance : WorkflowInstance + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +package "IdentifiedRisk" { + class IdentifiedRisk { + } +} +package "Resource" { + class Resource { + } +} +package "Context" { + class Context { + } +} +package "SingleRole" { + class SingleRole { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +AssignedSingleRole "0..1" -- "0..*"AccessCertificationItem +AssignedSingleRole "0..1" -- "0..*"IdentifiedRisk +AssignedSingleRole "0..1" -- "0..*"IdentifiedRisk +AssignedSingleRole "0..*" -- "1"Resource +AssignedSingleRole "0..*" -- "1"Context +AssignedSingleRole "0..*" -- "1"SingleRole +AssignedSingleRole "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/associationinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/associationinstance_class_diagram.plantuml new file mode 100644 index 0000000000..4da8e2c02c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/associationinstance_class_diagram.plantuml @@ -0,0 +1,29 @@ +@startuml component +package "AssociationInstance" { + class AssociationInstance { + Direction : Byte + -- + Association : EntityAssociation + Instance1 : EntityInstance + Instance2 : EntityInstance + Universe : Universe + } +} +package "EntityAssociation" { + class EntityAssociation { + } +} +package "EntityInstance" { + class EntityInstance { + } +} +package "Universe" { + class Universe { + } +} +AssociationInstance "0..*" -- "1"EntityAssociation +AssociationInstance "0..*" -- "1"EntityInstance +AssociationInstance "0..*" -- "1"EntityInstance +AssociationInstance "0..*" -- "1"Universe +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/automationrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/automationrule_class_diagram.plantuml new file mode 100644 index 0000000000..a0f404bd48 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/automationrule_class_diagram.plantuml 
@@ -0,0 +1,55 @@ +@startuml component +package "AutomationRule" { + class AutomationRule { + Decision : Byte + HoursToWait : Int32 + L0 : Boolean + Type : Byte + WorkflowState : Byte + -- + Category : Category + CompositeRole : CompositeRole + D0 : Resource + EntityType : EntityType + Policy : Policy + ResourceType : ResourceType + SingleRole : SingleRole + } +} +package "Category" { + class Category { + } +} +package "CompositeRole" { + class CompositeRole { + } +} +package "Resource" { + class Resource { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "SingleRole" { + class SingleRole { + } +} +AutomationRule "0..*" -- "0..1"Category +AutomationRule "0..*" -- "0..1"CompositeRole +AutomationRule "0..*" -- "0..1"Resource +AutomationRule "0..*" -- "1"EntityType +AutomationRule "0..*" -- "0..1"Policy +AutomationRule "0..*" -- "0..1"ResourceType +AutomationRule "0..*" -- "0..1"SingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/binding_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/binding_class_diagram.plantuml new file mode 100644 index 0000000000..84f5dc1222 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/binding_class_diagram.plantuml 
@@ -0,0 +1,221 @@ +@startuml component +package "Binding" { + class Binding { + Path : String + -- + AccessCertificationOwnerFilter : AccessCertificationOwnerFilter[] + AccessControlFilters : AccessControlFilter[] + AllowedNavigationBindings : AllowedNavigationBinding[] + Aspects : Aspect[] + AutocompleteBindingDisplayEntityProperties : DisplayEntityProperty[] + AutocompleteBindingDisplayEntityTypes : DisplayEntityType[] + B0ContextRules : ContextRule[] + B0ProfileRules : ProfileRule[] + BeneficiaryEmailBindingPasswordResetSettings : PasswordResetSettings[] + BeneficiaryFullNameBindingPasswordResetSettings : PasswordResetSettings[] + BindingBindingExpressions : BindingExpression[] + BindingRecipients : Recipient[] + Controls : FormControl[] + Controls2 : FormControl[] + Controls3 : FormControl[] + DefaultValueFormControls : FormControl[] + DisplayedDisplayTableColumns : DisplayTableColumn[] + EntityPropertyExpressions : EntityPropertyExpression[] + ExpressionAspects : Aspect[] + FilterFormControls1 : FormControl[] + FilterFormControls2 : FormControl[] + HistorizeBindingAspects : Aspect[] + Indicators : Indicator[] + LinkedFormControls1 : FormControl[] + LinkedFormControls2 : FormControl[] + NavigationDisplayEntityProperties : DisplayEntityProperty[] + NavigationFormControls : FormControl[] + NotifiedEmailBindingPasswordResetSettings : PasswordResetSettings[] + NotifiedFullNameBindingPasswordResetSettings : PasswordResetSettings[] + OptimizedDisplayedDisplayTableColumns : DisplayTableColumn[] + OptimizedIndicators : Indicator[] + OptimizedSearchCriteria1 : SearchBarCriterion[] + OptimizedSortedDisplayTableColumns : DisplayTableColumn[] + OptimizedTileItems : TileItem[] + RecipientMailBindingNotifications : Notification[] + ResourceBinaryRules : ResourceBinaryRule[] + ResourceCertificationComparisonBindingContextRules : ContextRule[] + ResourceCorrelationRules : ResourceCorrelationRule[] + ResourceQueryRules : ResourceQueryRule[] + ResourceScalarRules : 
ResourceScalarRule[] + ResourcesContextRules : ContextRule[] + ResourcesEndContextRules : ContextRule[] + ResourcesStartContextRules : ContextRule[] + RoleMappingDisplayNames : RoleMapping[] + RoleMappingIdentifiers : RoleMapping[] + RootBindingProfileRuleContexts : ProfileRuleContext[] + SearchBarsFromSearchedBinding : SearchBar[] + SortedDisplayTableColumns : DisplayTableColumn[] + SourceBindingUnicityCheckRules : UnicityCheckRule[] + SubBindingProfileRuleContexts : ProfileRuleContext[] + TargetBindingUnicityCheckRules : UnicityCheckRule[] + TargetResourceCorrelationRules : ResourceCorrelationRule[] + TargetResourceQueryRules : ResourceQueryRule[] + TileItems : TileItem[] + } +} +package "AccessCertificationOwnerFilter" { + class AccessCertificationOwnerFilter { + } +} +package "AccessControlFilter" { + class AccessControlFilter { + } +} +package "AllowedNavigationBinding" { + class AllowedNavigationBinding { + } +} +package "Aspect" { + class Aspect { + } +} +package "DisplayEntityProperty" { + class DisplayEntityProperty { + } +} +package "DisplayEntityType" { + class DisplayEntityType { + } +} +package "ContextRule" { + class ContextRule { + } +} +package "ProfileRule" { + class ProfileRule { + } +} +package "PasswordResetSettings" { + class PasswordResetSettings { + } +} +package "BindingExpression" { + class BindingExpression { + } +} +package "Recipient" { + class Recipient { + } +} +package "FormControl" { + class FormControl { + } +} +package "DisplayTableColumn" { + class DisplayTableColumn { + } +} +package "EntityPropertyExpression" { + class EntityPropertyExpression { + } +} +package "Indicator" { + class Indicator { + } +} +package "SearchBarCriterion" { + class SearchBarCriterion { + } +} +package "TileItem" { + class TileItem { + } +} +package "Notification" { + class Notification { + } +} +package "ResourceBinaryRule" { + class ResourceBinaryRule { + } +} +package "ResourceCorrelationRule" { + class ResourceCorrelationRule { + } +} +package 
"ResourceQueryRule" { + class ResourceQueryRule { + } +} +package "ResourceScalarRule" { + class ResourceScalarRule { + } +} +package "RoleMapping" { + class RoleMapping { + } +} +package "ProfileRuleContext" { + class ProfileRuleContext { + } +} +package "SearchBar" { + class SearchBar { + } +} +package "UnicityCheckRule" { + class UnicityCheckRule { + } +} +Binding "0..1" -- "0..*"AccessCertificationOwnerFilter +Binding "1" -- "0..*"AccessControlFilter +Binding "1" -- "0..*"AllowedNavigationBinding +Binding "0..1" -- "0..*"Aspect +Binding "0..1" -- "0..*"DisplayEntityProperty +Binding "0..1" -- "0..*"DisplayEntityType +Binding "0..1" -- "0..*"ContextRule +Binding "0..1" -- "0..*"ProfileRule +Binding "0..1" -- "0..*"PasswordResetSettings +Binding "0..1" -- "0..*"PasswordResetSettings +Binding "0..1" -- "0..*"BindingExpression +Binding "0..1" -- "0..*"Recipient +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"DisplayTableColumn +Binding "0..1" -- "0..*"EntityPropertyExpression +Binding "0..1" -- "0..*"Aspect +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"Aspect +Binding "0..1" -- "0..*"Indicator +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"DisplayEntityProperty +Binding "0..1" -- "0..*"FormControl +Binding "0..1" -- "0..*"PasswordResetSettings +Binding "0..1" -- "0..*"PasswordResetSettings +Binding "0..1" -- "0..*"DisplayTableColumn +Binding "0..1" -- "0..*"Indicator +Binding "0..1" -- "0..*"SearchBarCriterion +Binding "0..1" -- "0..*"DisplayTableColumn +Binding "0..1" -- "0..*"TileItem +Binding "0..1" -- "0..*"Notification +Binding "0..1" -- "0..*"ResourceBinaryRule +Binding "0..1" -- "0..*"ContextRule +Binding "0..1" -- "0..*"ResourceCorrelationRule +Binding "0..1" -- "0..*"ResourceQueryRule +Binding "0..1" -- "0..*"ResourceScalarRule 
+Binding "0..1" -- "0..*"ContextRule +Binding "0..1" -- "0..*"ContextRule +Binding "0..1" -- "0..*"ContextRule +Binding "0..1" -- "0..*"RoleMapping +Binding "0..1" -- "0..*"RoleMapping +Binding "0..1" -- "0..*"ProfileRuleContext +Binding "0..1" -- "0..*"SearchBar +Binding "0..1" -- "0..*"DisplayTableColumn +Binding "0..1" -- "0..*"UnicityCheckRule +Binding "0..1" -- "0..*"ProfileRuleContext +Binding "0..1" -- "0..*"UnicityCheckRule +Binding "0..1" -- "0..*"ResourceCorrelationRule +Binding "0..1" -- "0..*"ResourceQueryRule +Binding "1" -- "0..*"TileItem +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/bindingexpression_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/bindingexpression_class_diagram.plantuml new file mode 100644 index 0000000000..a03b4d4c48 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/bindingexpression_class_diagram.plantuml @@ -0,0 +1,22 @@ +@startuml component +package "BindingExpression" { + class BindingExpression { + Expression : String + Hash : Int32 + -- + Binding : Binding + EntityType : EntityType + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +BindingExpression "0..*" -- "0..1"Binding +BindingExpression "0..*" -- "1"EntityType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/category_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/category_class_diagram.plantuml new file mode 100644 index 0000000000..2ca3ba0f47 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/category_class_diagram.plantuml 
@@ -0,0 +1,93 @@ +@startuml component +package "Category" { + class Category { + CompositeRoleCounter : Int32 + CurrentNodeIndex : Guid + Description_L1 : String + DisplayName_L1 : String + FullName_L1 : String + Identifier : String + IsCollapsed : Boolean + NextNodeIndex : Guid + ResourceTypeCounter : Int32 + SingleRoleCounter : Int32 + -- + AccessCertificationDataFilters : AccessCertificationDataFilter[] + AutomationRules : AutomationRule[] + Categories : Category[] + CategoryCompositeRolesCategories : CompositeRolesCategory[] + CategoryResourceTypesCategories : ResourceTypesCategory[] + CategorySingleRolesCategories : SingleRolesCategory[] + CompositeRoles : CompositeRole[] + MiningRules : MiningRule[] + Parent : Category + Policy : Policy + ProfileContexts : ProfileContext[] + ResourceTypes : ResourceType[] + RoleMappings : RoleMapping[] + SingleRoles : SingleRole[] + } +} +package "AccessCertificationDataFilter" { + class AccessCertificationDataFilter { + } +} +package "AutomationRule" { + class AutomationRule { + } +} +package "CompositeRolesCategory" { + class CompositeRolesCategory { + } +} +package "ResourceTypesCategory" { + class ResourceTypesCategory { + } +} +package "SingleRolesCategory" { + class SingleRolesCategory { + } +} +package "CompositeRole" { + class CompositeRole { + } +} +package "MiningRule" { + class MiningRule { + } +} +package "Policy" { + class Policy { + } +} +package "ProfileContext" { + class ProfileContext { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "RoleMapping" { + class RoleMapping { + } +} +package "SingleRole" { + class SingleRole { + } +} +Category "0..1" -- "0..*"AccessCertificationDataFilter +Category "0..1" -- "0..*"AutomationRule +Category "0..1" -- "0..*"Category +Category "1" -- "0..*"CompositeRolesCategory +Category "1" -- "0..*"ResourceTypesCategory +Category "1" -- "0..*"SingleRolesCategory +Category "0..1" -- "0..*"CompositeRole +Category "0..1" -- "0..*"MiningRule +Category "0..*" -- 
"1"Policy +Category "0..1" -- "0..*"ProfileContext +Category "0..1" -- "0..*"ResourceType +Category "0..1" -- "0..*"RoleMapping +Category "0..1" -- "0..*"SingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/change_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/change_class_diagram.plantuml new file mode 100644 index 0000000000..f5c05b39a6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/change_class_diagram.plantuml @@ -0,0 +1,24 @@ +@startuml component +package "Change" { + class Change { + Linked : Int64 + Object : Int64 + Operation : Int32 + Value : String + -- + ActivityInstance : ActivityInstance + Property : EntityProperty + } +} +package "ActivityInstance" { + class ActivityInstance { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +Change "0..*" -- "1"ActivityInstance +Change "0..*" -- "1"EntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerole_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerole_class_diagram.plantuml new file mode 100644 index 0000000000..063cb858e8 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerole_class_diagram.plantuml 
@@ -0,0 +1,84 @@ +@startuml component +package "CompositeRole" { + class CompositeRole { + ApprovalWorkflowType : Int32 + BaseRole : Int64 + CommentActivationOnApproveInReview : Byte + CommentActivationOnDeclineInReview : Byte + CommentActivationOnDeleteGapInReconciliation : Byte + CommentActivationOnKeepGapInReconciliation : Byte + CommentActivationOnRequest : Byte + Description_L1 : String + DisplayName_L1 : String + FullName_L1 : String + GracePeriod : Int32 + HideOnSimplifiedView : Boolean + Identifier : String + ImplicitApproval : Byte + ManualAssignmentEndDateLockedToContextMode : Byte + MaxDuration : Int32 + P0 : Boolean + ProlongationWithoutApproval : Byte + R0 : Boolean + Tags : String + -- + AssignedCompositeRoles : AssignedCompositeRole[] + AutomationRules : AutomationRule[] + Category : Category + CompositeRoleCompositeRolesCategories : CompositeRolesCategory[] + CompositeRoleParentRules : CompositeRoleRule[] + CompositeRoleRules : CompositeRoleRule[] + EntityType : EntityType + Policy : Policy + ProfileContexts : ProfileContext[] + SingleRoleRules : SingleRoleRule[] + } +} +package "AssignedCompositeRole" { + class AssignedCompositeRole { + } +} +package "AutomationRule" { + class AutomationRule { + } +} +package "Category" { + class Category { + } +} +package "CompositeRolesCategory" { + class CompositeRolesCategory { + } +} +package "CompositeRoleRule" { + class CompositeRoleRule { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "ProfileContext" { + class ProfileContext { + } +} +package "SingleRoleRule" { + class SingleRoleRule { + } +} +CompositeRole "1" -- "0..*"AssignedCompositeRole +CompositeRole "0..1" -- "0..*"AutomationRule +CompositeRole "0..*" -- "0..1"Category +CompositeRole "1" -- "0..*"CompositeRolesCategory +CompositeRole "0..1" -- "0..*"CompositeRoleRule +CompositeRole "1" -- "0..*"CompositeRoleRule +CompositeRole "0..*" -- "1"EntityType +CompositeRole "0..*" -- "1"Policy 
+CompositeRole "0..1" -- "0..*"ProfileContext +CompositeRole "0..1" -- "0..*"SingleRoleRule +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolerule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolerule_class_diagram.plantuml new file mode 100644 index 0000000000..20c14718df --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolerule_class_diagram.plantuml @@ -0,0 +1,39 @@ +@startuml component +package "CompositeRoleRule" { + class CompositeRoleRule { + BaseRule : Int64 + IsDenied : Boolean + L0 : Boolean + Priority : Int32 + Type : Int32 + -- + D0 : Resource + EntityType : EntityType + ParentRole : CompositeRole + Policy : Policy + Role : CompositeRole + } +} +package "Resource" { + class Resource { + } +} +package "EntityType" { + class EntityType { + } +} +package "CompositeRole" { + class CompositeRole { + } +} +package "Policy" { + class Policy { + } +} +CompositeRoleRule "0..*" -- "0..1"Resource +CompositeRoleRule "0..*" -- "1"EntityType +CompositeRoleRule "0..*" -- "0..1"CompositeRole +CompositeRoleRule "0..*" -- "1"Policy +CompositeRoleRule "0..*" -- "1"CompositeRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolescategory_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolescategory_class_diagram.plantuml new file mode 100644 index 0000000000..7878f195b3 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/compositerolescategory_class_diagram.plantuml 
@@ -0,0 +1,20 @@ +@startuml component +package "CompositeRolesCategory" { + class CompositeRolesCategory { + -- + Category : Category + CompositeRole : CompositeRole + } +} +package "Category" { + class Category { + } +} +package "CompositeRole" { + class CompositeRole { + } +} +CompositeRolesCategory "0..*" -- "1"Category +CompositeRolesCategory "0..*" -- "1"CompositeRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationdll_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationdll_class_diagram.plantuml new file mode 100644 index 0000000000..673fc66c85 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationdll_class_diagram.plantuml @@ -0,0 +1,10 @@ +@startuml component +package "ConfigurationDLL" { + class ConfigurationDLL { + Data : Bytes + Identifier : String + Type : Int32 + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfile_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfile_class_diagram.plantuml new file mode 100644 index 0000000000..e8f09431c4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfile_class_diagram.plantuml @@ -0,0 +1,15 @@ +@startuml component +package "ConfigurationFile" { + class ConfigurationFile { + FilePath : String + -- + FileConfigurationFileItems : ConfigurationFileItem[] + } +} +package "ConfigurationFileItem" { + class ConfigurationFileItem { + } +} +ConfigurationFile "1" -- "0..*"ConfigurationFileItem +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfileitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfileitem_class_diagram.plantuml new file mode 100644 index 0000000000..79e0ef28ad --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/configurationfileitem_class_diagram.plantuml @@ -0,0 +1,18 @@ +@startuml component +package "ConfigurationFileItem" { + class ConfigurationFileItem { + Item : Int64 + LineNumber : Int32 + Scaffolding : Int64 + TableName : String + -- + File : ConfigurationFile + } +} +package "ConfigurationFile" { + class ConfigurationFile { + } +} +ConfigurationFileItem "0..*" -- "1"ConfigurationFile +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/connection_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connection_class_diagram.plantuml new file mode 100644 index 0000000000..9c36ec4dd7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connection_class_diagram.plantuml @@ -0,0 +1,44 @@ +@startuml component +package "Connection" { + class Connection { + DeactivationExportFulfill : Int32 + DisplayName_L1 : String + HasRefreshSchemaFailed : Boolean + Identifier : String + Package521 : Int64 + RefreshSchemaDate : DateTime + -- + Connection : ResourceTypeMapping[] + Connector : Connector + Package : ConnectionPackage + Tables : ConnectionTable[] + Transformations : ConnectionTransformation[] + } +} +package "ResourceTypeMapping" { + class ResourceTypeMapping { + } +} +package "Connector" { + class Connector { + } +} +package "ConnectionPackage" { + class ConnectionPackage { + } +} +package "ConnectionTable" { + class ConnectionTable { + } +} +package "ConnectionTransformation" { + class ConnectionTransformation { + } +} +Connection "1" -- "0..*"ResourceTypeMapping +Connection "0..*" -- "1"Connector +Connection "0..*" -- "1"ConnectionPackage +Connection "1" -- "0..*"ConnectionTable +Connection "1" -- "0..*"ConnectionTransformation +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectioncolumn_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectioncolumn_class_diagram.plantuml new file mode 100644 index 0000000000..bd8b1f43e7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectioncolumn_class_diagram.plantuml @@ -0,0 +1,25 @@ +@startuml component +package "ConnectionColumn" { + class ConnectionColumn { + DisplayName : String + Identifier : String + IsMultivalued : Boolean + KeyType : Byte + Path : String + UpdateDate : DateTime + ValueLength : Int32 + ValueType : Byte + -- + ForeignColumn : ConnectionColumn + ForeignColumnConnectionColumns : ConnectionColumn[] + Table : ConnectionTable + } +} +package "ConnectionTable" { + class ConnectionTable { + } +} +ConnectionColumn "0..*" -- "0..1"ConnectionColumn +ConnectionColumn "0..*" -- "1"ConnectionTable +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectionpackage_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectionpackage_class_diagram.plantuml new file mode 100644 index 0000000000..dca1e9dd68 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectionpackage_class_diagram.plantuml 
@@ -0,0 +1,36 @@ +@startuml component +package "ConnectionPackage" { + class ConnectionPackage { + Description_L1 : String + DisplayName_L1 : String + DocumentationUrl : String + ExportType : Int32 + FulfillmentType : Int32 + HasIncrementalMode : Boolean + Identifier : String + ImplementsConfiguration : Boolean + ImplementsEntityTypeMapping : Boolean + ImplementsResourceTypeMapping : Boolean + InducedFulfillment : Int32 + Keywords : String + License : String + LogoUrl : String + Publisher : String + WebsiteUrl : String + -- + Connections : Connection[] + PackageScaffoldings : Scaffolding[] + } +} +package "Connection" { + class Connection { + } +} +package "Scaffolding" { + class Scaffolding { + } +} +ConnectionPackage "1" -- "0..*"Connection +ConnectionPackage "0..1" -- "0..*"Scaffolding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontable_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontable_class_diagram.plantuml new file mode 100644 index 0000000000..d7e51b0ce5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontable_class_diagram.plantuml @@ -0,0 +1,24 @@ +@startuml component +package "ConnectionTable" { + class ConnectionTable { + DisplayName : String + Identifier : String + Path : String + UpdateDate : DateTime + -- + Columns : ConnectionColumn[] + Connection : Connection + } +} +package "ConnectionColumn" { + class ConnectionColumn { + } +} +package "Connection" { + class Connection { + } +} +ConnectionTable "1" -- "0..*"ConnectionColumn +ConnectionTable "0..*" -- "1"Connection +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontransformation_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontransformation_class_diagram.plantuml new file mode 100644 index 0000000000..933e8a733d --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connectiontransformation_class_diagram.plantuml @@ -0,0 +1,30 @@ +@startuml component +package "ConnectionTransformation" { + class ConnectionTransformation { + AddedDays : Float + Column : String + ConcatSeparator : String + DatePattern : String + InputColumn : String + InputColumn2 : String + MaxYear : Int32 + MinYear : Int32 + RemoveDuplicates : Boolean + RemoveEmpty : Boolean + SortValues : Boolean + Table : String + TransformationOrder : Int32 + Type : Int32 + WhereOperator : Int32 + WhereValue : String + -- + Connection : Connection + } +} +package "Connection" { + class Connection { + } +} +ConnectionTransformation "0..*" -- "1"Connection +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/connector_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connector_class_diagram.plantuml new file mode 100644 index 0000000000..7e8187d398 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/connector_class_diagram.plantuml 
@@ -0,0 +1,66 @@ +@startuml component +package "Connector" { + class Connector { + CompleteJob : Byte + DisplayName_L1 : String + Identifier : String + IncrementalJob : Byte + IsDeactivated : Boolean + IsSynchronizationBlocked : Boolean + MaxLinkPercentageDeletedLines : Int32 + MaxLinkPercentageInsertedLines : Int32 + MaxPercentageDeletedLines : Int32 + MaxPercentageInsertedLines : Int32 + MaxPercentageUpdatedLines : Int32 + MaximumDeletedLines : Int32 + MaximumInsertedLines : Int32 + MaximumLinkDeletedLines : Int32 + MaximumLinkInsertedLines : Int32 + MaximumUpdatedLines : Int32 + -- + Agent : Agent + Connections : Connection[] + ConnectorScaffoldings : Scaffolding[] + ConnectorSynchronizationHistories : SynchronizationHistory[] + EntityAssociationMappings : EntityAssociationMapping[] + EntityTypeMappings : EntityTypeMapping[] + Tasks : Task[] + } +} +package "Agent" { + class Agent { + } +} +package "Connection" { + class Connection { + } +} +package "Scaffolding" { + class Scaffolding { + } +} +package "SynchronizationHistory" { + class SynchronizationHistory { + } +} +package "EntityAssociationMapping" { + class EntityAssociationMapping { + } +} +package "EntityTypeMapping" { + class EntityTypeMapping { + } +} +package "Task" { + class Task { + } +} +Connector "0..*" -- "0..1"Agent +Connector "1" -- "0..*"Connection +Connector "0..1" -- "0..*"Scaffolding +Connector "1" -- "0..*"SynchronizationHistory +Connector "1" -- "0..*"EntityAssociationMapping +Connector "0..1" -- "0..*"EntityTypeMapping +Connector "0..1" -- "0..*"Task +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/context_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/context_class_diagram.plantuml new file mode 100644 index 0000000000..580484f185 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/context_class_diagram.plantuml 
@@ -0,0 +1,34 @@ +@startuml component +package "Context" { + class Context { + Automatic : Boolean + DisplayName_L1 : String + -- + D0 : Resource + ParametersAssignedCompositeRoles : AssignedCompositeRole[] + ParametersAssignedResourceTypes : AssignedResourceType[] + ParametersAssignedSingleRoles : AssignedSingleRole[] + } +} +package "Resource" { + class Resource { + } +} +package "AssignedCompositeRole" { + class AssignedCompositeRole { + } +} +package "AssignedResourceType" { + class AssignedResourceType { + } +} +package "AssignedSingleRole" { + class AssignedSingleRole { + } +} +Context "0..*" -- "0..1"Resource +Context "1" -- "0..*"AssignedCompositeRole +Context "1" -- "0..*"AssignedResourceType +Context "1" -- "0..*"AssignedSingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/contextrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/contextrule_class_diagram.plantuml new file mode 100644 index 0000000000..4ce5058b14 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/contextrule_class_diagram.plantuml 
@@ -0,0 +1,45 @@ +@startuml component +package "ContextRule" { + class ContextRule { + DisplayName_L1 : String + ExcludeExpression : String + Identifier : String + MinIdentitiesCount : Int32 + ReductionOutlierPercentage : Float + ResourceCertificationComparisonOperator : Byte + ResourceCertificationComparisonValue : String + ResourcesEndExpression : String + ResourcesExpression : String + ResourcesStartExpression : String + RiskFactorType : Byte + -- + B0 : Binding + Policy : Policy + ResourceCertificationComparisonBinding : Binding + ResourcesBinding : Binding + ResourcesEndBinding : Binding + ResourcesStartBinding : Binding + SourceEntityType : EntityType + } +} +package "Binding" { + class Binding { + } +} +package "Policy" { + class Policy { + } +} +package "EntityType" { + class EntityType { + } +} +ContextRule "0..*" -- "0..1"Binding +ContextRule "0..*" -- "1"Policy +ContextRule "0..*" -- "0..1"Binding +ContextRule "0..*" -- "0..1"Binding +ContextRule "0..*" -- "0..1"Binding +ContextRule "0..*" -- "0..1"Binding +ContextRule "0..*" -- "1"EntityType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/dimension_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/dimension_class_diagram.plantuml new file mode 100644 index 0000000000..c7fa55c85c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/dimension_class_diagram.plantuml 
@@ -0,0 +1,43 @@ +@startuml component +package "Dimension" { + class Dimension { + ColumnMapping : Int32 + DisplayName_L1 : String + Identifier : String + IsExcludedFromRoleMining : Boolean + IsHierarchical : Boolean + -- + AccessControlFilters : AccessControlFilter[] + EntityType : EntityType + ParentProperty : EntityProperty + TaskDimension : TaskDimension[] + ToResourceNavigationRules : ResourceNavigationRule[] + } +} +package "AccessControlFilter" { + class AccessControlFilter { + } +} +package "EntityType" { + class EntityType { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "TaskDimension" { + class TaskDimension { + } +} +package "ResourceNavigationRule" { + class ResourceNavigationRule { + } +} +Dimension "0..1" -- "0..*"AccessControlFilter +Dimension "0..*" -- "1"EntityType +Dimension "0..*" -- "0..1"EntityProperty +Dimension "1" -- "0..*"TaskDimension +Dimension "0..1" -- "0..*"ResourceNavigationRule +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityassociation_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityassociation_class_diagram.plantuml new file mode 100644 index 0000000000..54f2d95f1d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityassociation_class_diagram.plantuml @@ -0,0 +1,8 @@ +@startuml component +package "DisplayEntityAssociation" { + class DisplayEntityAssociation { + IsHierarchical : Boolean + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityproperty_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityproperty_class_diagram.plantuml new file mode 100644 index 0000000000..3dff25cc68 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentityproperty_class_diagram.plantuml 
@@ -0,0 +1,62 @@ +@startuml component +package "DisplayEntityProperty" { + class DisplayEntityProperty { + AddedMinutes : Int32 + DisplayOrder : Int32 + Format : String + IconCode : String + IsHidden : Boolean + IsReadOnly : Boolean + IsRequired : Boolean + MinSearchLength : Int32 + PlaceHolderText_L1 : String + ToolTipText_L1 : String + -- + AutocompleteBinding : Binding + DisplayEntityType : DisplayEntityType + DisplayTable : DisplayTable + Group : DisplayPropertyGroup + InputType : InputType + NavigationBinding : Binding + OutputType : OutputType + Tile : Tile + } +} +package "Binding" { + class Binding { + } +} +package "DisplayEntityType" { + class DisplayEntityType { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +package "DisplayPropertyGroup" { + class DisplayPropertyGroup { + } +} +package "InputType" { + class InputType { + } +} +package "OutputType" { + class OutputType { + } +} +package "Tile" { + class Tile { + } +} +DisplayEntityProperty "0..*" -- "0..1"Binding +DisplayEntityProperty "0..*" -- "1"DisplayEntityType +DisplayEntityProperty "0..*" -- "0..1"DisplayTable +DisplayEntityProperty "0..*" -- "0..1"DisplayPropertyGroup +DisplayEntityProperty "0..*" -- "1"InputType +DisplayEntityProperty "0..*" -- "0..1"Binding +DisplayEntityProperty "0..*" -- "1"OutputType +DisplayEntityProperty "0..*" -- "0..1"Tile +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentitytype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentitytype_class_diagram.plantuml new file mode 100644 index 0000000000..7d1c2449bc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displayentitytype_class_diagram.plantuml 
@@ -0,0 +1,28 @@ +@startuml component +package "DisplayEntityType" { + class DisplayEntityType { + Color : String + D0IsActive : Boolean + HideRoles : Boolean + IconCode : String + IsHierarchical : Boolean + MinSearchLength : Int32 + PluralDisplayName_L1 : String + Priority : Int32 + -- + AutocompleteBinding : Binding + Properties : DisplayEntityProperty[] + } +} +package "Binding" { + class Binding { + } +} +package "DisplayEntityProperty" { + class DisplayEntityProperty { + } +} +DisplayEntityType "0..*" -- "0..1"Binding +DisplayEntityType "1" -- "0..*"DisplayEntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaypropertygroup_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaypropertygroup_class_diagram.plantuml new file mode 100644 index 0000000000..a3307a3ca0 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaypropertygroup_class_diagram.plantuml @@ -0,0 +1,16 @@ +@startuml component +package "DisplayPropertyGroup" { + class DisplayPropertyGroup { + DisplayName_L1 : String + Identifier : String + -- + Properties : DisplayEntityProperty[] + } +} +package "DisplayEntityProperty" { + class DisplayEntityProperty { + } +} +DisplayPropertyGroup "0..1" -- "0..*"DisplayEntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytable_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytable_class_diagram.plantuml new file mode 100644 index 0000000000..e6c3d85095 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytable_class_diagram.plantuml 
@@ -0,0 +1,59 @@ +@startuml component +package "DisplayTable" { + class DisplayTable { + Identifier : String + IsEntityTypeDefault : Boolean + LinesPerPage : Int32 + -- + Columns : DisplayTableColumn[] + Controls : FormControl[] + DisplayEntityProperties : DisplayEntityProperty[] + DisplayTableDesignElement : DisplayTableDesignElement + EntityType : EntityType + HomonymEntityLink : HomonymEntityLink + ParentProperty : EntityProperty + RecordTableForms : Form[] + } +} +package "DisplayTableColumn" { + class DisplayTableColumn { + } +} +package "FormControl" { + class FormControl { + } +} +package "DisplayEntityProperty" { + class DisplayEntityProperty { + } +} +package "DisplayTableDesignElement" { + class DisplayTableDesignElement { + } +} +package "EntityType" { + class EntityType { + } +} +package "HomonymEntityLink" { + class HomonymEntityLink { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "Form" { + class Form { + } +} +DisplayTable "1" -- "0..*"DisplayTableColumn +DisplayTable "0..1" -- "0..*"FormControl +DisplayTable "0..1" -- "0..*"DisplayEntityProperty +DisplayTable "0..*" -- "1"DisplayTableDesignElement +DisplayTable "0..*" -- "1"EntityType +DisplayTable "0..*" -- "0..1"HomonymEntityLink +DisplayTable "0..*" -- "0..1"EntityProperty +DisplayTable "0..1" -- "0..*"Form +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytablecolumn_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytablecolumn_class_diagram.plantuml new file mode 100644 index 0000000000..53d3cb9c21 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytablecolumn_class_diagram.plantuml 
@@ -0,0 +1,43 @@ +@startuml component +package "DisplayTableColumn" { + class DisplayTableColumn { + AddedMinutes : Int32 + CanBeFiltered : Boolean + ColumnSize : Int32 + DefaultSortPriority : Int32 + DisplayName_L1 : String + DisplayOrder : Int32 + IsDisplayInDropDownList : Boolean + IsDisplayInSummaryView : Boolean + IsResizable : Boolean + IsSortable : Boolean + SearchOperator : Byte + -- + DisplayBinding : Binding + DisplayTable : DisplayTable + OptimizedDisplayBinding : Binding + OptimizedSortBinding : Binding + SortBinding : Binding + Tile : Tile + } +} +package "Binding" { + class Binding { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +package "Tile" { + class Tile { + } +} +DisplayTableColumn "0..*" -- "0..1"Binding +DisplayTableColumn "0..*" -- "1"DisplayTable +DisplayTableColumn "0..*" -- "0..1"Binding +DisplayTableColumn "0..*" -- "0..1"Binding +DisplayTableColumn "0..*" -- "0..1"Binding +DisplayTableColumn "0..*" -- "0..1"Tile +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytabledesignelement_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytabledesignelement_class_diagram.plantuml new file mode 100644 index 0000000000..a319745847 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/displaytabledesignelement_class_diagram.plantuml @@ -0,0 +1,16 @@ +@startuml component +package "DisplayTableDesignElement" { + class DisplayTableDesignElement { + DisplayName_L1 : String + Identifier : String + -- + DisplayTables : DisplayTable[] + } +} +package "DisplayTable" { + class DisplayTable { + } +} +DisplayTableDesignElement "1" -- "0..*"DisplayTable +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociation_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociation_class_diagram.plantuml new file mode 100644 index 0000000000..327b857fea --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociation_class_diagram.plantuml @@ -0,0 +1,32 @@ +@startuml component +package "EntityAssociation" { + class EntityAssociation { + DisplayName_L1 : String + Identifier : String + IsProperty1Collection : Boolean + IsProperty2Collection : Boolean + -- + AssociationInstances : AssociationInstance[] + Property1 : EntityProperty + Property2 : EntityProperty + TypeResourceLinks : ResourceLink[] + } +} +package "AssociationInstance" { + class AssociationInstance { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ResourceLink" { + class ResourceLink { + } +} +EntityAssociation "1" -- "0..*"AssociationInstance +EntityAssociation "0..*" -- "1"EntityProperty +EntityAssociation "0..*" -- "1"EntityProperty +EntityAssociation "1" -- "0..*"ResourceLink +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociationmapping_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociationmapping_class_diagram.plantuml new file mode 100644 index 0000000000..51bfc77e72 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityassociationmapping_class_diagram.plantuml 
@@ -0,0 +1,30 @@ +@startuml component +package "EntityAssociationMapping" { + class EntityAssociationMapping { + C0 : String + Column1 : String + Column2 : String + ConnectionTable : String + MaxPercentageDeletedLines : Int32 + MaxPercentageInsertedLines : Int32 + MaximumDeletedLines : Int32 + MaximumInsertedLines : Int32 + -- + Connector : Connector + EntityPropertyMapping1 : EntityProperty + EntityPropertyMapping2 : EntityProperty + } +} +package "Connector" { + class Connector { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +EntityAssociationMapping "0..*" -- "1"Connector +EntityAssociationMapping "0..*" -- "1"EntityProperty +EntityAssociationMapping "0..*" -- "1"EntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityinstance_class_diagram.plantuml new file mode 100644 index 0000000000..96453864dc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityinstance_class_diagram.plantuml 
@@ -0,0 +1,48 @@ +@startuml component +package "EntityInstance" { + class EntityInstance { + DisplayName_L1 : String + FilterValue : String + Identifier : String + IsHidden : Boolean + -- + Associations1 : AssociationInstance[] + Associations2 : AssociationInstance[] + EntityType : EntityType + FilterEntityProperty : EntityProperty + FilterEntityType : EntityType + FilterProperty : EntityProperty + FilterResourceType : ResourceType + Universe : Universe + } +} +package "AssociationInstance" { + class AssociationInstance { + } +} +package "EntityType" { + class EntityType { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "Universe" { + class Universe { + } +} +EntityInstance "1" -- "0..*"AssociationInstance +EntityInstance "1" -- "0..*"AssociationInstance +EntityInstance "0..*" -- "1"EntityType +EntityInstance "0..*" -- "0..1"EntityProperty +EntityInstance "0..*" -- "0..1"EntityType +EntityInstance "0..*" -- "0..1"EntityProperty +EntityInstance "0..*" -- "0..1"ResourceType +EntityInstance "0..*" -- "1"Universe +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityproperty_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityproperty_class_diagram.plantuml new file mode 100644 index 0000000000..cd197a5686 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entityproperty_class_diagram.plantuml 
@@ -0,0 +1,216 @@ +@startuml component +package "EntityProperty" { + class EntityProperty { + DisplayName_L1 : String + FlexibleComparisonExpression : String + HistoryPrecision : Int32 + Identifier : String + IsKey : Boolean + TargetColumnIndex : Int32 + TargetEntityType : Int64 + Type : Int32 + -- + AssignedResourceBinaries : AssignedResourceBinary[] + AssignedResourceNavigations : AssignedResourceNavigation[] + AssignedResourceScalars : AssignedResourceScalar[] + AssociatedLocalizedProperties : EntityProperty[] + Association1 : EntityAssociation[] + Association2 : EntityAssociation[] + CorrespondenceIndirectResourceRules : IndirectResourceRule[] + CorrespondenceMembershipPropertyIndirectResourceRules : IndirectResourceRule[] + EndPropertyRecordSections : RecordSection[] + EntitlementIndirectResourceRules : IndirectResourceRule[] + EntityAssociationMappings1 : EntityAssociationMapping[] + EntityAssociationMappings2 : EntityAssociationMapping[] + EntityType : EntityType + Expression : EntityPropertyExpression[] + FilterEntityPropertyEntityInstances : EntityInstance[] + FilterPropertyEntityInstances : EntityInstance[] + GroupByProperty : EntityProperty + GroupByPropertyEntityProperties : EntityProperty[] + HomonymEntityLinkFiltersComparisonProperty1 : HomonymEntityLinkFilter[] + HomonymEntityLinkFiltersProperty1 : HomonymEntityLinkFilter[] + Language : Language + MainPropertyForms : Form[] + NeutralProperty : EntityProperty + ParentDisplayTables : DisplayTable[] + ParentPropertyDimensions : Dimension[] + PropertyChanges : Change[] + PropertyCriteriaEntityPropertyExpressions : EntityPropertyExpression[] + PropertyIndirectResourceRules : IndirectResourceRule[] + PropertyRecordProperties : RecordProperty[] + PropertyResourceFiles : ResourceFile[] + PropertyScaffoldings : Scaffolding[] + RecordEndPropertyForms : Form[] + RecordPropertyForms : Form[] + RecordSortPropertyForms : Form[] + RecordStartPropertyForms : Form[] + ResourceBinaryRules : ResourceBinaryRule[] + 
ResourceNavigationRules : ResourceNavigationRule[] + ResourcePropertyMappings : ResourcePropertyMapping[] + ResourceQueryRules : ResourceQueryRule[] + ResourceScalarRules : ResourceScalarRule[] + ResourceTypeDependsOn : ResourceType[] + RiskRuleItems : RiskRuleItem[] + RoleMappingRuleItems : RoleMappingRuleItem[] + RoleMappings : RoleMapping[] + StartPropertyRecordSections : RecordSection[] + } +} +package "AssignedResourceBinary" { + class AssignedResourceBinary { + } +} +package "AssignedResourceNavigation" { + class AssignedResourceNavigation { + } +} +package "AssignedResourceScalar" { + class AssignedResourceScalar { + } +} +package "EntityAssociation" { + class EntityAssociation { + } +} +package "IndirectResourceRule" { + class IndirectResourceRule { + } +} +package "RecordSection" { + class RecordSection { + } +} +package "EntityAssociationMapping" { + class EntityAssociationMapping { + } +} +package "EntityType" { + class EntityType { + } +} +package "EntityPropertyExpression" { + class EntityPropertyExpression { + } +} +package "EntityInstance" { + class EntityInstance { + } +} +package "HomonymEntityLinkFilter" { + class HomonymEntityLinkFilter { + } +} +package "Language" { + class Language { + } +} +package "Form" { + class Form { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +package "Dimension" { + class Dimension { + } +} +package "Change" { + class Change { + } +} +package "RecordProperty" { + class RecordProperty { + } +} +package "ResourceFile" { + class ResourceFile { + } +} +package "Scaffolding" { + class Scaffolding { + } +} +package "ResourceBinaryRule" { + class ResourceBinaryRule { + } +} +package "ResourceNavigationRule" { + class ResourceNavigationRule { + } +} +package "ResourcePropertyMapping" { + class ResourcePropertyMapping { + } +} +package "ResourceQueryRule" { + class ResourceQueryRule { + } +} +package "ResourceScalarRule" { + class ResourceScalarRule { + } +} +package "ResourceType" { + class ResourceType { + } 
+} +package "RiskRuleItem" { + class RiskRuleItem { + } +} +package "RoleMappingRuleItem" { + class RoleMappingRuleItem { + } +} +package "RoleMapping" { + class RoleMapping { + } +} +EntityProperty "1" -- "0..*"AssignedResourceBinary +EntityProperty "1" -- "0..*"AssignedResourceNavigation +EntityProperty "1" -- "0..*"AssignedResourceScalar +EntityProperty "0..1" -- "0..*"EntityProperty +EntityProperty "1" -- "0..*"EntityAssociation +EntityProperty "1" -- "0..*"EntityAssociation +EntityProperty "0..1" -- "0..*"IndirectResourceRule +EntityProperty "0..1" -- "0..*"IndirectResourceRule +EntityProperty "0..1" -- "0..*"RecordSection +EntityProperty "0..1" -- "0..*"IndirectResourceRule +EntityProperty "1" -- "0..*"EntityAssociationMapping +EntityProperty "1" -- "0..*"EntityAssociationMapping +EntityProperty "0..*" -- "1"EntityType +EntityProperty "1" -- "0..*"EntityPropertyExpression +EntityProperty "0..1" -- "0..*"EntityInstance +EntityProperty "0..1" -- "0..*"EntityInstance +EntityProperty "0..*" -- "0..1"EntityProperty +EntityProperty "0..1" -- "0..*"HomonymEntityLinkFilter +EntityProperty "0..1" -- "0..*"HomonymEntityLinkFilter +EntityProperty "0..*" -- "0..1"Language +EntityProperty "0..1" -- "0..*"Form +EntityProperty "0..1" -- "0..*"DisplayTable +EntityProperty "0..1" -- "0..*"Dimension +EntityProperty "1" -- "0..*"Change +EntityProperty "0..1" -- "0..*"EntityPropertyExpression +EntityProperty "1" -- "0..*"IndirectResourceRule +EntityProperty "1" -- "0..*"RecordProperty +EntityProperty "1" -- "0..*"ResourceFile +EntityProperty "0..1" -- "0..*"Scaffolding +EntityProperty "0..1" -- "0..*"Form +EntityProperty "0..1" -- "0..*"Form +EntityProperty "0..1" -- "0..*"Form +EntityProperty "0..1" -- "0..*"Form +EntityProperty "1" -- "0..*"ResourceBinaryRule +EntityProperty "1" -- "0..*"ResourceNavigationRule +EntityProperty "1" -- "0..*"ResourcePropertyMapping +EntityProperty "1" -- "0..*"ResourceQueryRule +EntityProperty "1" -- "0..*"ResourceScalarRule +EntityProperty 
"0..1" -- "0..*"ResourceType +EntityProperty "1" -- "0..*"RiskRuleItem +EntityProperty "1" -- "0..*"RoleMappingRuleItem +EntityProperty "1" -- "0..*"RoleMapping +EntityProperty "0..1" -- "0..*"RecordSection +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertyexpression_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertyexpression_class_diagram.plantuml new file mode 100644 index 0000000000..44bf9e928e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertyexpression_class_diagram.plantuml @@ -0,0 +1,31 @@ +@startuml component +package "EntityPropertyExpression" { + class EntityPropertyExpression { + Expression : String + Identifier : String + Priority : Int32 + -- + Binding : Binding + EntityType : EntityType + Property : EntityProperty + PropertyCriteria : EntityProperty + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +EntityPropertyExpression "0..*" -- "0..1"Binding +EntityPropertyExpression "0..*" -- "1"EntityType +EntityPropertyExpression "0..*" -- "1"EntityProperty +EntityPropertyExpression "0..*" -- "0..1"EntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertymapping_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertymapping_class_diagram.plantuml new file mode 100644 index 0000000000..55ef14c60a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitypropertymapping_class_diagram.plantuml 
@@ -0,0 +1,19 @@ +@startuml component +package "EntityPropertyMapping" { + class EntityPropertyMapping { + ConnectionColumn : String + Format : String + IsPrimaryKey : Boolean + IsUniqueKey : Boolean + UniqueKeyOrder : Int32 + -- + EntityTypeMapping : EntityTypeMapping + } +} +package "EntityTypeMapping" { + class EntityTypeMapping { + } +} +EntityPropertyMapping "0..*" -- "1"EntityTypeMapping +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytype_class_diagram.plantuml new file mode 100644 index 0000000000..37b4bf3e38 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytype_class_diagram.plantuml 
@@ -0,0 +1,314 @@ +@startuml component +package "EntityType" { + class EntityType { + DisplayName_L1 : String + Identifier : String + IsRelatedToAccessCertificationCampaign : Boolean + IsRelatedToAssignedRoles : Boolean + IsRelatedToIdentifiedRisks : Boolean + IsRelatedToManualProvisioning : Boolean + IsRelatedToResourceReconciliation : Boolean + IsRelatedToResourceReview : Boolean + IsRelatedToRoleReconciliation : Boolean + IsRelatedToRoleReview : Boolean + IsRelatedToRules : Boolean + IsRelatedToWorkflowReview : Boolean + IsRelatedToWorkflowSupervision : Boolean + LicenseTag : String + TableName : String + UnclassifiedCount : Int32 + -- + AccessControlRules : AccessControlRule[] + AllowedNavigationBindings : AllowedNavigationBinding[] + CompositeRoles : CompositeRole[] + ContextRules : ContextRule[] + Dimensions : Dimension[] + DisplayTables : DisplayTable[] + EntityInstances : EntityInstance[] + EntityPropertyExpressions : EntityPropertyExpression[] + EntityTypeAutomationRules : AutomationRule[] + EntityTypeBindingExpressions : BindingExpression[] + EntityTypeCompositeRoleRules : CompositeRoleRule[] + EntityTypeFormControls : FormControl[] + EntityTypeIndirectResourceRules : IndirectResourceRule[] + EntityTypeMenuItems : MenuItem[] + EntityTypeResourceBinaryRules : ResourceBinaryRule[] + EntityTypeResourceClassificationRules : ResourceClassificationRule[] + EntityTypeResourceCorrelationRules : ResourceCorrelationRule[] + EntityTypeResourceNavigationRules : ResourceNavigationRule[] + EntityTypeResourceQueryRules : ResourceQueryRule[] + EntityTypeResourceScalarRules : ResourceScalarRule[] + EntityTypeResourceTypeRules : ResourceTypeRule[] + EntityTypeRiskRuleItems : RiskRuleItem[] + EntityTypeScaffoldings : Scaffolding[] + EntityTypeSingleRoleRules : SingleRoleRule[] + FilterEntityTypeEntityInstances : EntityInstance[] + FormEntityTypeHomonymEntityLinks : HomonymEntityLink[] + Forms : Form[] + Indicators : Indicator[] + MiningRules : MiningRule[] + 
OwnerAccessCertificationCampaigns : AccessCertificationCampaign[] + OwnerEntityTypeNotifications : Notification[] + PolicySimulations : PolicySimulation[] + ProfileRuleContexts : ProfileRuleContext[] + Properties : EntityProperty[] + ResourceEntityTypeRecordSections : RecordSection[] + ResourceTypes : ResourceType[] + ReturnedEntityTypeReportQueries : ReportQuery[] + Risks : Risk[] + RoleMappings : RoleMapping[] + SearchBars : SearchBar[] + SearchBarsFromSearchedEntityType : SearchBar[] + SingleRoles : SingleRole[] + SourceEntityTypeRecordSections : RecordSection[] + TargetEntityTypeUnicityCheckRules : UnicityCheckRule[] + TargetResourceTypes : ResourceType[] + TaskEntityType : TaskEntityType[] + Tiles : Tile[] + TypeResourceChanges : ResourceChange[] + TypeResources : Resource[] + TypeWorkflowInstances : WorkflowInstance[] + Workflows : Workflow[] + } +} +package "AccessControlRule" { + class AccessControlRule { + } +} +package "AllowedNavigationBinding" { + class AllowedNavigationBinding { + } +} +package "CompositeRole" { + class CompositeRole { + } +} +package "ContextRule" { + class ContextRule { + } +} +package "Dimension" { + class Dimension { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +package "EntityInstance" { + class EntityInstance { + } +} +package "EntityPropertyExpression" { + class EntityPropertyExpression { + } +} +package "AutomationRule" { + class AutomationRule { + } +} +package "BindingExpression" { + class BindingExpression { + } +} +package "CompositeRoleRule" { + class CompositeRoleRule { + } +} +package "FormControl" { + class FormControl { + } +} +package "IndirectResourceRule" { + class IndirectResourceRule { + } +} +package "MenuItem" { + class MenuItem { + } +} +package "ResourceBinaryRule" { + class ResourceBinaryRule { + } +} +package "ResourceClassificationRule" { + class ResourceClassificationRule { + } +} +package "ResourceCorrelationRule" { + class ResourceCorrelationRule { + } +} +package 
"ResourceNavigationRule" { + class ResourceNavigationRule { + } +} +package "ResourceQueryRule" { + class ResourceQueryRule { + } +} +package "ResourceScalarRule" { + class ResourceScalarRule { + } +} +package "ResourceTypeRule" { + class ResourceTypeRule { + } +} +package "RiskRuleItem" { + class RiskRuleItem { + } +} +package "Scaffolding" { + class Scaffolding { + } +} +package "SingleRoleRule" { + class SingleRoleRule { + } +} +package "HomonymEntityLink" { + class HomonymEntityLink { + } +} +package "Form" { + class Form { + } +} +package "Indicator" { + class Indicator { + } +} +package "MiningRule" { + class MiningRule { + } +} +package "AccessCertificationCampaign" { + class AccessCertificationCampaign { + } +} +package "Notification" { + class Notification { + } +} +package "PolicySimulation" { + class PolicySimulation { + } +} +package "ProfileRuleContext" { + class ProfileRuleContext { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "RecordSection" { + class RecordSection { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "ReportQuery" { + class ReportQuery { + } +} +package "Risk" { + class Risk { + } +} +package "RoleMapping" { + class RoleMapping { + } +} +package "SearchBar" { + class SearchBar { + } +} +package "SingleRole" { + class SingleRole { + } +} +package "UnicityCheckRule" { + class UnicityCheckRule { + } +} +package "TaskEntityType" { + class TaskEntityType { + } +} +package "Tile" { + class Tile { + } +} +package "ResourceChange" { + class ResourceChange { + } +} +package "Resource" { + class Resource { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +package "Workflow" { + class Workflow { + } +} +EntityType "1" -- "0..*"AccessControlRule +EntityType "1" -- "0..*"AllowedNavigationBinding +EntityType "1" -- "0..*"CompositeRole +EntityType "1" -- "0..*"ContextRule +EntityType "1" -- "0..*"Dimension +EntityType "1" -- "0..*"DisplayTable +EntityType "1" -- 
"0..*"EntityInstance +EntityType "1" -- "0..*"EntityPropertyExpression +EntityType "1" -- "0..*"AutomationRule +EntityType "1" -- "0..*"BindingExpression +EntityType "1" -- "0..*"CompositeRoleRule +EntityType "0..1" -- "0..*"FormControl +EntityType "1" -- "0..*"IndirectResourceRule +EntityType "0..1" -- "0..*"MenuItem +EntityType "1" -- "0..*"ResourceBinaryRule +EntityType "1" -- "0..*"ResourceClassificationRule +EntityType "1" -- "0..*"ResourceCorrelationRule +EntityType "1" -- "0..*"ResourceNavigationRule +EntityType "1" -- "0..*"ResourceQueryRule +EntityType "1" -- "0..*"ResourceScalarRule +EntityType "1" -- "0..*"ResourceTypeRule +EntityType "1" -- "0..*"RiskRuleItem +EntityType "0..1" -- "0..*"Scaffolding +EntityType "1" -- "0..*"SingleRoleRule +EntityType "0..1" -- "0..*"EntityInstance +EntityType "1" -- "0..*"HomonymEntityLink +EntityType "1" -- "0..*"Form +EntityType "1" -- "0..*"Indicator +EntityType "1" -- "0..*"MiningRule +EntityType "1" -- "0..*"AccessCertificationCampaign +EntityType "1" -- "0..*"Notification +EntityType "1" -- "0..*"PolicySimulation +EntityType "0..1" -- "0..*"ProfileRuleContext +EntityType "1" -- "0..*"EntityProperty +EntityType "1" -- "0..*"RecordSection +EntityType "1" -- "0..*"ResourceType +EntityType "1" -- "0..*"ReportQuery +EntityType "1" -- "0..*"Risk +EntityType "1" -- "0..*"RoleMapping +EntityType "1" -- "0..*"SearchBar +EntityType "1" -- "0..*"SearchBar +EntityType "1" -- "0..*"SingleRole +EntityType "1" -- "0..*"RecordSection +EntityType "1" -- "0..*"UnicityCheckRule +EntityType "1" -- "0..*"ResourceType +EntityType "1" -- "0..*"TaskEntityType +EntityType "1" -- "0..*"Tile +EntityType "1" -- "0..*"ResourceChange +EntityType "1" -- "0..*"Resource +EntityType "1" -- "0..*"WorkflowInstance +EntityType "1" -- "0..*"Workflow +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytypemapping_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytypemapping_class_diagram.plantuml new file mode 100644 index 0000000000..941e73fc9b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/entitytypemapping_class_diagram.plantuml @@ -0,0 +1,29 @@ +@startuml component +package "EntityTypeMapping" { + class EntityTypeMapping { + C0 : String + ConnectionTable : String + MaxPercentageDeletedLines : Int32 + MaxPercentageInsertedLines : Int32 + MaxPercentageUpdatedLines : Int32 + MaximumDeletedLines : Int32 + MaximumInsertedLines : Int32 + MaximumUpdatedLines : Int32 + ResourceCount : Int32 + -- + Connector : Connector + Properties : EntityPropertyMapping[] + } +} +package "Connector" { + class Connector { + } +} +package "EntityPropertyMapping" { + class EntityPropertyMapping { + } +} +EntityTypeMapping "0..*" -- "0..1"Connector +EntityTypeMapping "1" -- "0..*"EntityPropertyMapping +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/form_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/form_class_diagram.plantuml new file mode 100644 index 0000000000..99977947e2 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/form_class_diagram.plantuml 
@@ -0,0 +1,80 @@ +@startuml component +package "Form" { + class Form { + AddRowLabel_L1 : String + FormTitle_L1 : String + HideRecordAddButton : Boolean + HideRecordRemoveButton : Boolean + HideRoles : Boolean + Identifier : String + IsDefaultSelfForm : Boolean + IsDefaultViewForm : Boolean + IsDeleteForm : Boolean + MainPropertyLabel_L1 : String + RecordFilter : Int32 + RemoveRowLabel_L1 : String + TableTitle_L1 : String + WorkflowRequestType : Int32 + -- + Activity : Activity + ActivityState : ActivityTemplateState + Controls : FormControl[] + EmbeddedFormFormControls : FormControl[] + EntityType : EntityType + FormType : FormType + MainProperty : EntityProperty + Menu : MenuItem + RecordEndProperty : EntityProperty + RecordProperty : EntityProperty + RecordSortProperty : EntityProperty + RecordStartProperty : EntityProperty + RecordTable : DisplayTable + } +} +package "Activity" { + class Activity { + } +} +package "ActivityTemplateState" { + class ActivityTemplateState { + } +} +package "FormControl" { + class FormControl { + } +} +package "EntityType" { + class EntityType { + } +} +package "FormType" { + class FormType { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "MenuItem" { + class MenuItem { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +Form "0..*" -- "0..1"Activity +Form "0..*" -- "0..1"ActivityTemplateState +Form "1" -- "0..*"FormControl +Form "0..1" -- "0..*"FormControl +Form "0..*" -- "1"EntityType +Form "0..*" -- "1"FormType +Form "0..*" -- "0..1"EntityProperty +Form "0..*" -- "0..1"MenuItem +Form "0..*" -- "0..1"EntityProperty +Form "0..*" -- "0..1"EntityProperty +Form "0..*" -- "0..1"EntityProperty +Form "0..*" -- "0..1"EntityProperty +Form "0..*" -- "0..1"DisplayTable +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/formcontrol_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/formcontrol_class_diagram.plantuml new file mode 100644 index 0000000000..af89277c7c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/formcontrol_class_diagram.plantuml 
@@ -0,0 +1,86 @@ +@startuml component +package "FormControl" { + class FormControl { + AddedMinutes : Int32 + ColumnSize : Int32 + DisplayName_L1 : String + DisplayOrder : Int32 + ExtensionIdentifier : String + IsReadOnly : Boolean + IsRequired : Boolean + Name : String + PlaceHolderText_L1 : String + -- + Binding : Binding + Binding2 : Binding + Binding3 : Binding + DefaultValueBinding : Binding + DisplayTable : DisplayTable + EmbeddedForm : Form + EntityType : EntityType + FilterBinding1 : Binding + FilterBinding2 : Binding + Form : Form + HomonymEntityLink : HomonymEntityLink + InputType : InputType + LinkedBinding1 : Binding + LinkedBinding2 : Binding + NavigationBinding : Binding + OutputType : OutputType + ParentControl : FormControl + ParentControlFormControls : FormControl[] + Tile : Tile + } +} +package "Binding" { + class Binding { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +package "Form" { + class Form { + } +} +package "EntityType" { + class EntityType { + } +} +package "HomonymEntityLink" { + class HomonymEntityLink { + } +} +package "InputType" { + class InputType { + } +} +package "OutputType" { + class OutputType { + } +} +package "Tile" { + class Tile { + } +} +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"DisplayTable +FormControl "0..*" -- "0..1"Form +FormControl "0..*" -- "0..1"EntityType +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "1"Form +FormControl "0..*" -- "0..1"HomonymEntityLink +FormControl "0..*" -- "1"InputType +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "0..1"Binding +FormControl "0..*" -- "1"OutputType +FormControl "0..*" -- "0..1"FormControl +FormControl "0..*" -- "0..1"Tile +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/formtype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/formtype_class_diagram.plantuml new file mode 100644 index 0000000000..0874b00afa --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/formtype_class_diagram.plantuml @@ -0,0 +1,15 @@ +@startuml component +package "FormType" { + class FormType { + Identifier : String + -- + FormTypeForms : Form[] + } +} +package "Form" { + class Form { + } +} +FormType "1" -- "0..*"Form +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/forwardedaccesscertificationitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/forwardedaccesscertificationitem_class_diagram.plantuml new file mode 100644 index 0000000000..eb7a37f32d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/forwardedaccesscertificationitem_class_diagram.plantuml @@ -0,0 +1,18 @@ +@startuml component +package "ForwardedAccessCertificationItem" { + class ForwardedAccessCertificationItem { + Comment : String + Date : DateTime + From : Int64 + To : Int64 + -- + Item : AccessCertificationItem + } +} +package "AccessCertificationItem" { + class AccessCertificationItem { + } +} +ForwardedAccessCertificationItem "0..*" -- "1"AccessCertificationItem +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylink_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylink_class_diagram.plantuml new file mode 100644 index 0000000000..662e12879f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylink_class_diagram.plantuml 
@@ -0,0 +1,33 @@ +@startuml component +package "HomonymEntityLink" { + class HomonymEntityLink { + Identifier : String + -- + Controls : FormControl[] + Filters : HomonymEntityLinkFilter[] + FormEntityType : EntityType + HomonymEntityLinkDisplayTables : DisplayTable[] + } +} +package "FormControl" { + class FormControl { + } +} +package "HomonymEntityLinkFilter" { + class HomonymEntityLinkFilter { + } +} +package "EntityType" { + class EntityType { + } +} +package "DisplayTable" { + class DisplayTable { + } +} +HomonymEntityLink "0..1" -- "0..*"FormControl +HomonymEntityLink "1" -- "0..*"HomonymEntityLinkFilter +HomonymEntityLink "0..*" -- "1"EntityType +HomonymEntityLink "0..1" -- "0..*"DisplayTable +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylinkfilter_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylinkfilter_class_diagram.plantuml new file mode 100644 index 0000000000..c0c3764afc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/homonymentitylinkfilter_class_diagram.plantuml @@ -0,0 +1,24 @@ +@startuml component +package "HomonymEntityLinkFilter" { + class HomonymEntityLinkFilter { + Expression1 : String + Operator1 : Byte + -- + ComparisonProperty1 : EntityProperty + HomonymEntityLink : HomonymEntityLink + Property1 : EntityProperty + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "HomonymEntityLink" { + class HomonymEntityLink { + } +} +HomonymEntityLinkFilter "0..*" -- "0..1"EntityProperty +HomonymEntityLinkFilter "0..*" -- "1"HomonymEntityLink +HomonymEntityLinkFilter "0..*" -- "0..1"EntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/identifiedrisk_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/identifiedrisk_class_diagram.plantuml new file mode 100644 index 0000000000..927285fbd1 
--- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/identifiedrisk_class_diagram.plantuml @@ -0,0 +1,45 @@ +@startuml component +package "IdentifiedRisk" { + class IdentifiedRisk { + EndDate : DateTime + OwnerType : Int64 + StartDate : DateTime + -- + AssignedCompositeRole1 : AssignedCompositeRole + AssignedCompositeRole2 : AssignedCompositeRole + AssignedSingleRole1 : AssignedSingleRole + AssignedSingleRole2 : AssignedSingleRole + Owner : Resource + Risk : Risk + WorkflowInstance : WorkflowInstance + } +} +package "AssignedCompositeRole" { + class AssignedCompositeRole { + } +} +package "AssignedSingleRole" { + class AssignedSingleRole { + } +} +package "Resource" { + class Resource { + } +} +package "Risk" { + class Risk { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +IdentifiedRisk "0..*" -- "0..1"AssignedCompositeRole +IdentifiedRisk "0..*" -- "0..1"AssignedCompositeRole +IdentifiedRisk "0..*" -- "0..1"AssignedSingleRole +IdentifiedRisk "0..*" -- "0..1"AssignedSingleRole +IdentifiedRisk "0..*" -- "1"Resource +IdentifiedRisk "0..*" -- "1"Risk +IdentifiedRisk "0..*" -- "0..1"WorkflowInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/indicator_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/indicator_class_diagram.plantuml new file mode 100644 index 0000000000..c568bb34bf --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/indicator_class_diagram.plantuml 
@@ -0,0 +1,30 @@ +@startuml component +package "Indicator" { + class Indicator { + ComparisonOperator : Byte + Order : Int32 + -- + Binding : Binding + EntityType : EntityType + Items : IndicatorItem[] + OptimizedBinding : Binding + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +package "IndicatorItem" { + class IndicatorItem { + } +} +Indicator "0..*" -- "0..1"Binding +Indicator "0..*" -- "1"EntityType +Indicator "0..1" -- "0..*"IndicatorItem +Indicator "0..*" -- "0..1"Binding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/indicatoritem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/indicatoritem_class_diagram.plantuml new file mode 100644 index 0000000000..351fb97bd7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/indicatoritem_class_diagram.plantuml @@ -0,0 +1,18 @@ +@startuml component +package "IndicatorItem" { + class IndicatorItem { + Color : String + DisplayName_L1 : String + Priority : Int32 + Value : String + -- + Indicator : Indicator + } +} +package "Indicator" { + class Indicator { + } +} +IndicatorItem "0..*" -- "0..1"Indicator +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/indirectresourcerule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/indirectresourcerule_class_diagram.plantuml new file mode 100644 index 0000000000..d321554189 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/indirectresourcerule_class_diagram.plantuml 
@@ -0,0 +1,32 @@ +@startuml component +package "IndirectResourceRule" { + class IndirectResourceRule { + -- + Correspondence : EntityProperty + CorrespondenceMembershipProperty : EntityProperty + Entitlement : EntityProperty + EntityType : EntityType + Property : EntityProperty + ResourceType : ResourceType + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "EntityType" { + class EntityType { + } +} +package "ResourceType" { + class ResourceType { + } +} +IndirectResourceRule "0..*" -- "0..1"EntityProperty +IndirectResourceRule "0..*" -- "0..1"EntityProperty +IndirectResourceRule "0..*" -- "0..1"EntityProperty +IndirectResourceRule "0..*" -- "1"EntityType +IndirectResourceRule "0..*" -- "1"EntityProperty +IndirectResourceRule "0..*" -- "1"ResourceType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/inputtype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/inputtype_class_diagram.plantuml new file mode 100644 index 0000000000..90898ef7d3 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/inputtype_class_diagram.plantuml @@ -0,0 +1,27 @@ +@startuml component +package "InputType" { + class InputType { + Identifier : String + -- + InputTypeDisplayEntityProperties : DisplayEntityProperty[] + InputTypeFormControls : FormControl[] + InputTypeSearchBarCriteria : SearchBarCriterion[] + } +} +package "DisplayEntityProperty" { + class DisplayEntityProperty { + } +} +package "FormControl" { + class FormControl { + } +} +package "SearchBarCriterion" { + class SearchBarCriterion { + } +} +InputType "1" -- "0..*"DisplayEntityProperty +InputType "1" -- "0..*"FormControl +InputType "1" -- "0..*"SearchBarCriterion +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/job_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/job_class_diagram.plantuml new file mode 100644 index 0000000000..1756224f61 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/job_class_diagram.plantuml @@ -0,0 +1,36 @@ +@startuml component +package "Job" { + class Job { + CronTabExpression : String + CronTimeZone : Int32 + DisplayName_L1 : String + Identifier : String + IsConnectorJob : Boolean + IsIncremental : Boolean + IsInitializationJob : Boolean + LastJobInstance : Int64 + LogLevel : Int32 + UserStartDenied : Boolean + -- + Agent : Agent + JobInstance : JobInstance[] + JobStep : JobStep[] + } +} +package "Agent" { + class Agent { + } +} +package "JobInstance" { + class JobInstance { + } +} +package "JobStep" { + class JobStep { + } +} +Job "0..*" -- "0..1"Agent +Job "1" -- "0..*"JobInstance +Job "1" -- "0..*"JobStep +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/jobinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/jobinstance_class_diagram.plantuml new file mode 100644 index 0000000000..8dd2235931 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/jobinstance_class_diagram.plantuml @@ -0,0 +1,34 @@ +@startuml component +package "JobInstance" { + class JobInstance { + CancelRequested : Boolean + CurrentLaunch : Int32 + EndDate : DateTime + LastProgressUpdate : DateTime + Retry : Boolean + StartDate : DateTime + State : Int16 + TotalLaunch : Int32 + -- + Job : Job + TaskInstance : TaskInstance[] + User : Resource + } +} +package "Job" { + class Job { + } +} +package "TaskInstance" { + class TaskInstance { + } +} +package "Resource" { + class Resource { + } +} +JobInstance "0..*" -- "1"Job +JobInstance "0..1" -- "0..*"TaskInstance +JobInstance "0..*" -- "0..1"Resource +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/jobstep_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/jobstep_class_diagram.plantuml new file mode 100644 index 0000000000..3b3463baa5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/jobstep_class_diagram.plantuml @@ -0,0 +1,22 @@ +@startuml component +package "JobStep" { + class JobStep { + LaunchOrder : Int32 + Level : Int32 + -- + Job : Job + Task : Task + } +} +package "Job" { + class Job { + } +} +package "Task" { + class Task { + } +} +JobStep "0..*" -- "1"Job +JobStep "0..*" -- "1"Task +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/language_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/language_class_diagram.plantuml new file mode 100644 index 0000000000..55404e7fb3 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/language_class_diagram.plantuml @@ -0,0 +1,18 @@ +@startuml component +package "Language" { + class Language { + Code : String + IndicatorNumber : Int32 + JsonPath : String + Translations : String + -- + Properties : EntityProperty[] + } +} +package "EntityProperty" { + class EntityProperty { + } +} +Language "0..1" -- "0..*"EntityProperty +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/menuitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/menuitem_class_diagram.plantuml new file mode 100644 index 0000000000..5505904b04 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/menuitem_class_diagram.plantuml 
@@ -0,0 +1,48 @@
+@startuml component
+package "MenuItem" {
+ class MenuItem {
+ DisplayName_L1 : String
+ DisplayOrder : Int32
+ IconCode : String
+ Identifier : String
+ IsExpandedByDefault : Boolean
+ IsSelfForm : Boolean
+ URI : String
+ --
+ EntityType : EntityType
+ MenuForms : Form[]
+ MenuSearchBars : SearchBar[]
+ ParentMenuItem : MenuItem
+ ParentMenuItemMenuItems : MenuItem[]
+ ReportQuery : ReportQuery
+ Workflow : Workflow
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "Form" {
+ class Form {
+ }
+}
+package "SearchBar" {
+ class SearchBar {
+ }
+}
+package "ReportQuery" {
+ class ReportQuery {
+ }
+}
+package "Workflow" {
+ class Workflow {
+ }
+}
+MenuItem "0..*" -- "0..1"EntityType
+MenuItem "0..1" -- "0..*"Form
+MenuItem "0..1" -- "0..*"SearchBar
+MenuItem "0..*" -- "0..1"MenuItem
+MenuItem "0..*" -- "0..1"ReportQuery
+MenuItem "0..*" -- "0..1"Workflow
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/miningrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/miningrule_class_diagram.plantuml
new file mode 100644
index 0000000000..848e75bd94
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/miningrule_class_diagram.plantuml
@@ -0,0 +1,37 @@
+@startuml component
+package "MiningRule" {
+ class MiningRule {
+ ExcludeRole : Boolean
+ FalsePositiveMaxPercentage : Float
+ IncludeDoubleValidation : Boolean
+ IncludeNoValidation : Boolean
+ IncludeSimpleValidation : Boolean
+ IncludeTripleValidation : Boolean
+ PrecisionMinPercentage : Float
+ Priority : Int32
+ RuleType : Int32
+ --
+ Category : Category
+ EntityType : EntityType
+ Policy : Policy
+ RulePolicy : Policy
+ }
+}
+package "Category" {
+ class Category {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "Policy" {
+ class Policy {
+ }
+}
+MiningRule "0..*" -- "0..1"Category
+MiningRule "0..*" -- "1"EntityType
+MiningRule "0..*" -- "1"Policy
+MiningRule "0..*" -- "0..1"Policy
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/notification_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/notification_class_diagram.plantuml
new file mode 100644
index 0000000000..2ba4dcca74
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/notification_class_diagram.plantuml
@@ -0,0 +1,33 @@
+@startuml component
+package "Notification" {
+ class Notification {
+ CssTemplate : String
+ Identifier : String
+ QueryFilterExpression : String
+ RazorTemplate : String
+ ReminderInterval : Int32
+ TitleExpression : String
+ Type : Byte
+ --
+ NotificationNotificationInstances : NotificationInstance[]
+ OwnerEntityType : EntityType
+ RecipientMailBinding : Binding
+ }
+}
+package "NotificationInstance" {
+ class NotificationInstance {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "Binding" {
+ class Binding {
+ }
+}
+Notification "1" -- "0..*"NotificationInstance
+Notification "0..*" -- "1"EntityType
+Notification "0..*" -- "0..1"Binding
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationinstance_class_diagram.plantuml
new file mode 100644
index 0000000000..d6cc55e928
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationinstance_class_diagram.plantuml
@@ -0,0 +1,21 @@
+@startuml component
+package "NotificationInstance" {
+ class NotificationInstance {
+ LastExecutionDate : DateTime
+ --
+ Notification : Notification
+ OwnerResource : Resource
+ }
+}
+package "Notification" {
+ class Notification {
+ }
+}
+package "Resource" {
+ class Resource {
+ }
+}
+NotificationInstance "0..*" -- "1"Notification
+NotificationInstance "0..*" -- "1"Resource
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationtemplate_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationtemplate_class_diagram.plantuml
new file mode 100644
index 0000000000..4cab14e804
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/notificationtemplate_class_diagram.plantuml
@@ -0,0 +1,10 @@
+@startuml component
+package "NotificationTemplate" {
+ class NotificationTemplate {
+ BodyTemplate_L1 : String
+ Identifier : String
+ SubjectTemplate_L1 : String
+ }
+}
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/openidclient_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/openidclient_class_diagram.plantuml
new file mode 100644
index 0000000000..c0b23cedaf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/openidclient_class_diagram.plantuml
@@ -0,0 +1,42 @@
+@startuml component
+package "OpenIdClient" {
+ class OpenIdClient {
+ DisplayName_L1 : String
+ ExpirationDate : DateTime
+ HashedSecret : String
+ Identifier : String
+ --
+ AllowedNavigationBindings : AllowedNavigationBinding[]
+ ContextId : ProfileContext
+ OpenIdClient : ActivityInstance[]
+ Profile : Profile
+ Tasks : Task[]
+ }
+}
+package "AllowedNavigationBinding" {
+ class AllowedNavigationBinding {
+ }
+}
+package "ProfileContext" {
+ class ProfileContext {
+ }
+}
+package "ActivityInstance" {
+ class ActivityInstance {
+ }
+}
+package "Profile" {
+ class Profile {
+ }
+}
+package "Task" {
+ class Task {
+ }
+}
+OpenIdClient "1" -- "0..*"AllowedNavigationBinding
+OpenIdClient "0..*" -- "0..1"ProfileContext
+OpenIdClient "0..1" -- "0..*"ActivityInstance
+OpenIdClient "0..*" -- "1"Profile
+OpenIdClient "0..1" -- "0..*"Task
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/outputtype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/outputtype_class_diagram.plantuml
new file mode 100644
index 0000000000..1cb44938df
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/outputtype_class_diagram.plantuml
@@ -0,0 +1,21 @@
+@startuml component
+package "OutputType" {
+ class OutputType {
+ Identifier : String
+ --
+ OutputTypeDisplayEntityProperties : DisplayEntityProperty[]
+ OutputTypeFormControls : FormControl[]
+ }
+}
+package "DisplayEntityProperty" {
+ class DisplayEntityProperty {
+ }
+}
+package "FormControl" {
+ class FormControl {
+ }
+}
+OutputType "1" -- "0..*"DisplayEntityProperty
+OutputType "1" -- "0..*"FormControl
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/passwordresetsettings_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/passwordresetsettings_class_diagram.plantuml
new file mode 100644
index 0000000000..344aa8bcc9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/passwordresetsettings_class_diagram.plantuml
@@ -0,0 +1,39 @@
+@startuml component
+package "PasswordResetSettings" {
+ class PasswordResetSettings {
+ AutoGenerate : Boolean
+ DefaultPassword : String
+ DisableNotifications : Boolean
+ GeneratedDigitCharsCount : Int32
+ GeneratedLength : Int32
+ GeneratedLowerCaseCharsCount : Int32
+ GeneratedSymbolCharsCount : Int32
+ GeneratedUpperCaseCharsCount : Int32
+ Identifier : String
+ Mode : Int64
+ MustChange : Boolean
+ NotificationCC : String
+ StrengthCheck : String
+ --
+ BeneficiaryEmailBinding : Binding
+ BeneficiaryFullNameBinding : Binding
+ NotifiedEmailBinding : Binding
+ NotifiedFullNameBinding : Binding
+ PasswordResetSetting : ResourceTypeMapping[]
+ }
+}
+package "Binding" {
+ class Binding {
+ }
+}
+package "ResourceTypeMapping" {
+ class ResourceTypeMapping {
+ }
+}
+PasswordResetSettings "0..*" -- "0..1"Binding
+PasswordResetSettings "0..*" -- "0..1"Binding
+PasswordResetSettings "0..*" -- "0..1"Binding
+PasswordResetSettings "0..*" -- "0..1"Binding
+PasswordResetSettings "0..1" -- "0..*"ResourceTypeMapping
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/pendingwork_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/pendingwork_class_diagram.plantuml
new file mode 100644
index 0000000000..7ec329a4c1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/pendingwork_class_diagram.plantuml
@@ -0,0 +1,13 @@
+@startuml component
+package "PendingWork" {
+ class PendingWork {
+ ActualCompletionDate : DateTime
+ CompletionRedirectUri : String
+ EstimatedCompletionDate : DateTime
+ LaunchDate : DateTime
+ Payload : String
+ State : Int16
+ }
+}
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/pointcut_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/pointcut_class_diagram.plantuml
new file mode 100644
index 0000000000..6a3c4743ba
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/pointcut_class_diagram.plantuml
@@ -0,0 +1,27 @@
+@startuml component
+package "PointCut" {
+ class PointCut {
+ Mode : Int32
+ --
+ Activity : Activity
+ ActivityState : ActivityTemplateState
+ Aspect : Aspect
+ }
+}
+package "Activity" {
+ class Activity {
+ }
+}
+package "ActivityTemplateState" {
+ class ActivityTemplateState {
+ }
+}
+package "Aspect" {
+ class Aspect {
+ }
+}
+PointCut "0..*" -- "1"Activity
+PointCut "0..*" -- "1"ActivityTemplateState
+PointCut "0..*" -- "1"Aspect
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/policy_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/policy_class_diagram.plantuml
new file mode 100644
index 0000000000..4ec59d5ea1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/policy_class_diagram.plantuml
@@ -0,0 +1,155 @@
+@startuml component
+package "Policy" {
+ class Policy {
+ CommentActivationOnApproveInReview : Byte
+ CommentActivationOnDeclineInReview : Byte
+ CommentActivationOnDeleteGapInReconciliation : Byte
+ CommentActivationOnKeepGapInReconciliation : Byte
+ CommentActivationOnRequest : Byte
+ DisplayName_L1 : String
+ GracePeriod : Int32
+ HasImplicitApproval : Boolean
+ Identifier : String
+ IsExternal : Boolean
+ IsProvisioningEnabled : Boolean
+ IsSimulationEnabled : Boolean
+ ManualAssignmentEndDateLockedToContextMode : Byte
+ MaxDuration : Int32
+ PolicyProvisioning : Int64
+ PolicySimulation : Int64
+ ProlongationWithoutApproval : Boolean
+ --
+ AutomationRules : AutomationRule[]
+ Categories : Category[]
+ CompositeRoleRules : CompositeRoleRule[]
+ CompositeRoles : CompositeRole[]
+ ContextRules : ContextRule[]
+ D0 : Resource
+ MiningRuleRules : MiningRule[]
+ MiningRules : MiningRule[]
+ PolicyPolicySimulations : PolicySimulation[]
+ ResourceBinaryRules : ResourceBinaryRule[]
+ ResourceClassificationRules : ResourceClassificationRule[]
+ ResourceCorrelationRules : ResourceCorrelationRule[]
+ ResourceNavigationRules : ResourceNavigationRule[]
+ ResourceQueryRules : ResourceQueryRule[]
+ ResourceScalarRules : ResourceScalarRule[]
+ ResourceTypeRules : ResourceTypeRule[]
+ ResourceTypes : ResourceType[]
+ RiskRules : RiskRule[]
+ Risks : Risk[]
+ RoleMappings : RoleMapping[]
+ RoleRoleMappings : RoleMapping[]
+ SingleRoleRules : SingleRoleRule[]
+ SingleRoles : SingleRole[]
+ }
+}
+package "AutomationRule" {
+ class AutomationRule {
+ }
+}
+package "Category" {
+ class Category {
+ }
+}
+package "CompositeRoleRule" {
+ class CompositeRoleRule {
+ }
+}
+package "CompositeRole" {
+ class CompositeRole {
+ }
+}
+package "ContextRule" {
+ class ContextRule {
+ }
+}
+package "Resource" {
+ class Resource {
+ }
+}
+package "MiningRule" {
+ class MiningRule {
+ }
+}
+package "PolicySimulation" {
+ class PolicySimulation {
+ }
+}
+package "ResourceBinaryRule" {
+ class ResourceBinaryRule {
+ }
+}
+package "ResourceClassificationRule" {
+ class ResourceClassificationRule {
+ }
+}
+package "ResourceCorrelationRule" {
+ class ResourceCorrelationRule {
+ }
+}
+package "ResourceNavigationRule" {
+ class ResourceNavigationRule {
+ }
+}
+package "ResourceQueryRule" {
+ class ResourceQueryRule {
+ }
+}
+package "ResourceScalarRule" {
+ class ResourceScalarRule {
+ }
+}
+package "ResourceTypeRule" {
+ class ResourceTypeRule {
+ }
+}
+package "ResourceType" {
+ class ResourceType {
+ }
+}
+package "RiskRule" {
+ class RiskRule {
+ }
+}
+package "Risk" {
+ class Risk {
+ }
+}
+package "RoleMapping" {
+ class RoleMapping {
+ }
+}
+package "SingleRoleRule" {
+ class SingleRoleRule {
+ }
+}
+package "SingleRole" {
+ class SingleRole {
+ }
+}
+Policy "0..1" -- "0..*"AutomationRule
+Policy "1" -- "0..*"Category
+Policy "1" -- "0..*"CompositeRoleRule
+Policy "1" -- "0..*"CompositeRole
+Policy "1" -- "0..*"ContextRule
+Policy "0..*" -- "0..1"Resource
+Policy "0..1" -- "0..*"MiningRule
+Policy "1" -- "0..*"MiningRule
+Policy "0..1" -- "0..*"PolicySimulation
+Policy "1" -- "0..*"ResourceBinaryRule
+Policy "1" -- "0..*"ResourceClassificationRule
+Policy "1" -- "0..*"ResourceCorrelationRule
+Policy "1" -- "0..*"ResourceNavigationRule
+Policy "1" -- "0..*"ResourceQueryRule
+Policy "1" -- "0..*"ResourceScalarRule
+Policy "1" -- "0..*"ResourceTypeRule
+Policy "1" -- "0..*"ResourceType
+Policy "1" -- "0..*"RiskRule
+Policy "1" -- "0..*"Risk
+Policy "1" -- "0..*"RoleMapping
+Policy "0..1" -- "0..*"RoleMapping
+Policy "1" -- "0..*"SingleRoleRule
+Policy "1" -- "0..*"SingleRole
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/policysimulation_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/policysimulation_class_diagram.plantuml
new file mode 100644
index 0000000000..032e2314fd
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/policysimulation_class_diagram.plantuml
@@ -0,0 +1,53 @@
+@startuml component
+package "PolicySimulation" {
+ class PolicySimulation {
+ BlockProvisioning : Boolean
+ CompositeRoleAddedAutomaticCount : Int32
+ CompositeRoleAddedBlockedCount : Int32
+ CompositeRoleAddedFoundOrHistoryCount : Int32
+ CompositeRoleDeletedCount : Int32
+ CompositeRoleUpdatedCount : Int32
+ Identifier : String
+ ResourceNavigationAddedAutomaticCount : Int32
+ ResourceNavigationAddedBlockedCount : Int32
+ ResourceNavigationAddedFoundOrHistoryCount : Int32
+ ResourceNavigationDeletedCount : Int32
+ ResourceNavigationUpdatedCount : Int32
+ ResourceScalarAddedAutomaticCount : Int32
+ ResourceScalarAddedBlockedCount : Int32
+ ResourceScalarAddedFoundOrHistoryCount : Int32
+ ResourceScalarDeletedCount : Int32
+ ResourceScalarUpdatedCount : Int32
+ ResourceTypeAddedAutomaticCount : Int32
+ ResourceTypeAddedBlockedCount : Int32
+ ResourceTypeAddedFoundOrHistoryCount : Int32
+ ResourceTypeDeletedCount : Int32
+ ResourceTypeUpdatedCount : Int32
+ RiskAddedCount : Int32
+ RiskDeletedCount : Int32
+ SingleRoleAddedAutomaticCount : Int32
+ SingleRoleAddedBlockedCount : Int32
+ SingleRoleAddedFoundOrHistoryCount : Int32
+ SingleRoleDeletedCount : Int32
+ SingleRoleUpdatedCount : Int32
+ StartedBy : Int64
+ State : Byte
+ WhenCompleted : DateTime
+ WhenStarted : DateTime
+ --
+ EntityType : EntityType
+ Policy : Policy
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "Policy" {
+ class Policy {
+ }
+}
+PolicySimulation "0..*" -- "1"EntityType
+PolicySimulation "0..*" -- "0..1"Policy
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/profile_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profile_class_diagram.plantuml
new file mode 100644
index 0000000000..db7fbebd30
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profile_class_diagram.plantuml
@@ -0,0 +1,41 @@
+@startuml component
+package "Profile" {
+ class Profile {
+ DisplayName_L1 : String
+ Identifier : String
+ IsComponent : Boolean
+ --
+ AssignedProfiles : AssignedProfile[]
+ ProfileOpenIdClients : OpenIdClient[]
+ ProfileProfileRules : ProfileRule[]
+ ProfileScaffoldings : Scaffolding[]
+ Rules : AccessControlRule[]
+ }
+}
+package "AssignedProfile" {
+ class AssignedProfile {
+ }
+}
+package "OpenIdClient" {
+ class OpenIdClient {
+ }
+}
+package "ProfileRule" {
+ class ProfileRule {
+ }
+}
+package "Scaffolding" {
+ class Scaffolding {
+ }
+}
+package "AccessControlRule" {
+ class AccessControlRule {
+ }
+}
+Profile "1" -- "0..*"AssignedProfile
+Profile "1" -- "0..*"OpenIdClient
+Profile "1" -- "0..*"ProfileRule
+Profile "0..1" -- "0..*"Scaffolding
+Profile "1" -- "0..*"AccessControlRule
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilecontext_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilecontext_class_diagram.plantuml
new file mode 100644
index 0000000000..ba362499c1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilecontext_class_diagram.plantuml
@@ -0,0 +1,51 @@
+@startuml component
+package "ProfileContext" {
+ class ProfileContext {
+ IsAutomatic : Boolean
+ --
+ AssignedProfiles : AssignedProfile[]
+ Category : Category
+ CompositeRole : CompositeRole
+ ContextOpenIdClients : OpenIdClient[]
+ D0 : Resource
+ ResourceType : ResourceType
+ SingleRole : SingleRole
+ }
+}
+package "AssignedProfile" {
+ class AssignedProfile {
+ }
+}
+package "Category" {
+ class Category {
+ }
+}
+package "CompositeRole" {
+ class CompositeRole {
+ }
+}
+package "OpenIdClient" {
+ class OpenIdClient {
+ }
+}
+package "Resource" {
+ class Resource {
+ }
+}
+package "ResourceType" {
+ class ResourceType {
+ }
+}
+package "SingleRole" {
+ class SingleRole {
+ }
+}
+ProfileContext "1" -- "0..*"AssignedProfile
+ProfileContext "0..*" -- "0..1"Category
+ProfileContext "0..*" -- "0..1"CompositeRole
+ProfileContext "0..1" -- "0..*"OpenIdClient
+ProfileContext "0..*" -- "0..1"Resource
+ProfileContext "0..*" -- "0..1"ResourceType
+ProfileContext "0..*" -- "0..1"SingleRole
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerule_class_diagram.plantuml
new file mode 100644
index 0000000000..e8e161f5bf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerule_class_diagram.plantuml
@@ -0,0 +1,29 @@
+@startuml component
+package "ProfileRule" {
+ class ProfileRule {
+ IsDenied : Boolean
+ RootExpression : String
+ SubExpression : String
+ --
+ B0 : Binding
+ Context : ProfileRuleContext
+ Profile : Profile
+ }
+}
+package "Binding" {
+ class Binding {
+ }
+}
+package "ProfileRuleContext" {
+ class ProfileRuleContext {
+ }
+}
+package "Profile" {
+ class Profile {
+ }
+}
+ProfileRule "0..*" -- "0..1"Binding
+ProfileRule "0..*" -- "1"ProfileRuleContext
+ProfileRule "0..*" -- "1"Profile
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerulecontext_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerulecontext_class_diagram.plantuml
new file mode 100644
index 0000000000..32b2c9cbcb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/profilerulecontext_class_diagram.plantuml
@@ -0,0 +1,35 @@
+@startuml component
+package "ProfileRuleContext" {
+ class ProfileRuleContext {
+ IsAppliedToRoot : Boolean
+ --
+ ContextProfileRules : ProfileRule[]
+ EntityType : EntityType
+ ResourceType : ResourceType
+ RootBinding : Binding
+ SubBinding : Binding
+ }
+}
+package "ProfileRule" {
+ class ProfileRule {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "ResourceType" {
+ class ResourceType {
+ }
+}
+package "Binding" {
+ class Binding {
+ }
+}
+ProfileRuleContext "1" -- "0..*"ProfileRule
+ProfileRuleContext "0..*" -- "0..1"EntityType
+ProfileRuleContext "0..*" -- "0..1"ResourceType
+ProfileRuleContext "0..*" -- "0..1"Binding
+ProfileRuleContext "0..*" -- "0..1"Binding
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/recipient_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/recipient_class_diagram.plantuml
new file mode 100644
index 0000000000..812e44ab17
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/recipient_class_diagram.plantuml
@@ -0,0 +1,36 @@
+@startuml component
+package "Recipient" {
+ class Recipient {
+ EmailAddresses : String
+ Expression : String
+ IsCC : Boolean
+ Type : Int32
+ --
+ Activity : Activity
+ ActivityState : ActivityTemplateState
+ Aspect : Aspect
+ Binding : Binding
+ }
+}
+package "Activity" {
+ class Activity {
+ }
+}
+package "ActivityTemplateState" {
+ class ActivityTemplateState {
+ }
+}
+package "Aspect" {
+ class Aspect {
+ }
+}
+package "Binding" {
+ class Binding {
+ }
+}
+Recipient "0..*" -- "0..1"Activity
+Recipient "0..*" -- "0..1"ActivityTemplateState
+Recipient "0..*" -- "1"Aspect
+Recipient "0..*" -- "0..1"Binding
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/recordproperty_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/recordproperty_class_diagram.plantuml
new file mode 100644
index 0000000000..77e5fdf519
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/recordproperty_class_diagram.plantuml
@@ -0,0 +1,22 @@
+@startuml component
+package "RecordProperty" {
+ class RecordProperty {
+ ExtensionKind : Int32
+ IsExcluded : Boolean
+ --
+ Property : EntityProperty
+ Section : RecordSection
+ }
+}
+package "EntityProperty" {
+ class EntityProperty {
+ }
+}
+package "RecordSection" {
+ class RecordSection {
+ }
+}
+RecordProperty "0..*" -- "1"EntityProperty
+RecordProperty "0..*" -- "1"RecordSection
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/recordsection_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/recordsection_class_diagram.plantuml
new file mode 100644
index 0000000000..736222e472
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/recordsection_class_diagram.plantuml
@@ -0,0 +1,38 @@
+@startuml component
+package "RecordSection" {
+ class RecordSection {
+ BoundaryKind : Int32
+ DisplayName_L1 : String
+ ExtendedSortKey : String
+ ExtensionKind : Int32
+ Identifier : String
+ InstanceKeyExpression : String
+ IsDefaultBoundariesSection : Boolean
+ SortKeyExpression : String
+ --
+ EndProperty : EntityProperty
+ ResourceEntityType : EntityType
+ SectionRecordProperties : RecordProperty[]
+ SourceEntityType : EntityType
+ StartProperty : EntityProperty
+ }
+}
+package "EntityProperty" {
+ class EntityProperty {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "RecordProperty" {
+ class RecordProperty {
+ }
+}
+RecordSection "0..*" -- "0..1"EntityProperty
+RecordSection "0..*" -- "1"EntityType
+RecordSection "1" -- "0..*"RecordProperty
+RecordSection "0..*" -- "1"EntityType
+RecordSection "0..*" -- "0..1"EntityProperty
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/reportquery_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/reportquery_class_diagram.plantuml
new file mode 100644
index 0000000000..e850986b31
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/reportquery_class_diagram.plantuml
@@ -0,0 +1,23 @@
+@startuml component
+package "ReportQuery" {
+ class ReportQuery {
+ DisplayName_L1 : String
+ Identifier : String
+ Query : String
+ --
+ ReportQueryMenuItems : MenuItem[]
+ ReturnedEntityType : EntityType
+ }
+}
+package "MenuItem" {
+ class MenuItem {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+ReportQuery "0..1" -- "0..*"MenuItem
+ReportQuery "0..*" -- "1"EntityType
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resource_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resource_class_diagram.plantuml
new file mode 100644
index 0000000000..fce3630e70
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resource_class_diagram.plantuml 
@@ -0,0 +1,176 @@
+@startuml component
+package "Resource" {
+ class Resource {
+ C0 : String
+ Dirty : Boolean
+ DisplayName_L1 : String
+ I40 : Int64
+ PrimaryKey : String
+ U0 : String
+ --
+ AdministratedAccessCertificationItems : AccessCertificationItem[]
+ AssignedCompositeRoles : AssignedCompositeRole[]
+ AssignedProfiles : AssignedProfile[]
+ AssignedResourceNavigations : AssignedResourceNavigation[]
+ AssignedSingleRoles : AssignedSingleRole[]
+ D0AutomationRules : AutomationRule[]
+ D0CompositeRoleRules : CompositeRoleRule[]
+ D0Contexts : Context[]
+ D0Policies : Policy[]
+ D0ProfileContexts : ProfileContext[]
+ D0ResourceNavigationRules : ResourceNavigationRule[]
+ D0ResourceTypeRules : ResourceTypeRule[]
+ D0SingleRoleRules : SingleRoleRule[]
+ D0SingleRoles : SingleRole[]
+ IdentifiedRisks : IdentifiedRisk[]
+ JobGroupInstance : JobInstance[]
+ OwnedAccessCertificationItems : AccessCertificationItem[]
+ OwnerAssignedResourceTypes : AssignedResourceType[]
+ OwnerResourceNotificationInstances : NotificationInstance[]
+ PerformedActivityInstances : ActivityInstance[]
+ PolicyAssignedResourceNavigations : AssignedResourceNavigation[]
+ R1ResourceLinks : ResourceLink[]
+ R2ResourceLinks : ResourceLink[]
+ ResourceActivityInstanceCCs : ActivityInstanceCC[]
+ ResourceAssignedResourceTypes : AssignedResourceType[]
+ ResourceNavigationRules : ResourceNavigationRule[]
+ ResourceResourceCorrelationKeies : ResourceCorrelationKey[]
+ ResourceResourceFiles : ResourceFile[]
+ ReviewedAccessCertificationItems : AccessCertificationItem[]
+ RiskRuleItems : RiskRuleItem[]
+ Type : EntityType
+ }
+}
+package "AccessCertificationItem" {
+ class AccessCertificationItem {
+ }
+}
+package "AssignedCompositeRole" {
+ class AssignedCompositeRole {
+ }
+}
+package "AssignedProfile" {
+ class AssignedProfile {
+ }
+}
+package "AssignedResourceNavigation" {
+ class AssignedResourceNavigation {
+ }
+}
+package "AssignedSingleRole" {
+ class AssignedSingleRole {
+ }
+}
+package "AutomationRule" {
+ class AutomationRule {
+ }
+}
+package "CompositeRoleRule" {
+ class CompositeRoleRule {
+ }
+}
+package "Context" {
+ class Context {
+ }
+}
+package "Policy" {
+ class Policy {
+ }
+}
+package "ProfileContext" {
+ class ProfileContext {
+ }
+}
+package "ResourceNavigationRule" {
+ class ResourceNavigationRule {
+ }
+}
+package "ResourceTypeRule" {
+ class ResourceTypeRule {
+ }
+}
+package "SingleRoleRule" {
+ class SingleRoleRule {
+ }
+}
+package "SingleRole" {
+ class SingleRole {
+ }
+}
+package "IdentifiedRisk" {
+ class IdentifiedRisk {
+ }
+}
+package "JobInstance" {
+ class JobInstance {
+ }
+}
+package "AssignedResourceType" {
+ class AssignedResourceType {
+ }
+}
+package "NotificationInstance" {
+ class NotificationInstance {
+ }
+}
+package "ActivityInstance" {
+ class ActivityInstance {
+ }
+}
+package "ResourceLink" {
+ class ResourceLink {
+ }
+}
+package "ActivityInstanceCC" {
+ class ActivityInstanceCC {
+ }
+}
+package "ResourceCorrelationKey" {
+ class ResourceCorrelationKey {
+ }
+}
+package "ResourceFile" {
+ class ResourceFile {
+ }
+}
+package "RiskRuleItem" {
+ class RiskRuleItem {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+Resource "0..1" -- "0..*"AccessCertificationItem
+Resource "1" -- "0..*"AssignedCompositeRole
+Resource "1" -- "0..*"AssignedProfile
+Resource "1" -- "0..*"AssignedResourceNavigation
+Resource "1" -- "0..*"AssignedSingleRole
+Resource "0..1" -- "0..*"AutomationRule
+Resource "0..1" -- "0..*"CompositeRoleRule
+Resource "0..1" -- "0..*"Context
+Resource "0..1" -- "0..*"Policy
+Resource "0..1" -- "0..*"ProfileContext
+Resource "0..1" -- "0..*"ResourceNavigationRule
+Resource "0..1" -- "0..*"ResourceTypeRule
+Resource "0..1" -- "0..*"SingleRoleRule
+Resource "0..1" -- "0..*"SingleRole
+Resource "1" -- "0..*"IdentifiedRisk
+Resource "0..1" -- "0..*"JobInstance
+Resource "1" -- "0..*"AccessCertificationItem
+Resource "0..1" -- "0..*"AssignedResourceType
+Resource "1" -- "0..*"NotificationInstance
+Resource "0..1" -- "0..*"ActivityInstance
+Resource "0..1" -- "0..*"AssignedResourceNavigation
+Resource "1" -- "0..*"ResourceLink
+Resource "1" -- "0..*"ResourceLink
+Resource "1" -- "0..*"ActivityInstanceCC
+Resource "0..1" -- "0..*"AssignedResourceType
+Resource "0..1" -- "0..*"ResourceNavigationRule
+Resource "1" -- "0..*"ResourceCorrelationKey
+Resource "1" -- "0..*"ResourceFile
+Resource "0..1" -- "0..*"AccessCertificationItem
+Resource "0..1" -- "0..*"RiskRuleItem
+Resource "0..*" -- "1"EntityType
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcebinaryrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcebinaryrule_class_diagram.plantuml
new file mode 100644
index 0000000000..d0e9730898
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcebinaryrule_class_diagram.plantuml
@@ -0,0 +1,47 @@
+@startuml component
+package "ResourceBinaryRule" {
+ class ResourceBinaryRule {
+ TimeOffsetAfterReference : Int32
+ TimeOffsetBeforeReference : Int32
+ TimeOffsetReference : Int32
+ --
+ Binding : Binding
+ EntityType : EntityType
+ Policy : Policy
+ Property : EntityProperty
+ ResourceType : ResourceType
+ SingleRole : SingleRole
+ }
+}
+package "Binding" {
+ class Binding {
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "Policy" {
+ class Policy {
+ }
+}
+package "EntityProperty" {
+ class EntityProperty {
+ }
+}
+package "ResourceType" {
+ class ResourceType {
+ }
+}
+package "SingleRole" {
+ class SingleRole {
+ }
+}
+ResourceBinaryRule "0..*" -- "0..1"Binding
+ResourceBinaryRule "0..*" -- "1"EntityType
+ResourceBinaryRule "0..*" -- "1"Policy
+ResourceBinaryRule "0..*" -- "1"EntityProperty
+ResourceBinaryRule "0..*" -- "1"ResourceType
+ResourceBinaryRule "0..*" -- "0..1"SingleRole
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcechange_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcechange_class_diagram.plantuml
new file mode 100644
index 0000000000..6faa77d2be
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcechange_class_diagram.plantuml
@@ -0,0 +1,18 @@
+@startuml component
+package "ResourceChange" {
+ class ResourceChange {
+ C0 : String
+ ChangeOperation : Int32
+ JobInstance : Int64
+ Resource : Int64
+ --
+ Type : EntityType
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+ResourceChange "0..*" -- "1"EntityType
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceclassificationrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceclassificationrule_class_diagram.plantuml
new file mode 100644
index 0000000000..d4c3d339e9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceclassificationrule_class_diagram.plantuml
@@ -0,0 +1,30 @@
+@startuml component
+package "ResourceClassificationRule" {
+ class ResourceClassificationRule {
+ BaseRule : Int64
+ ResourceTypeIdentificationConfidenceLevel : Int32
+ SourceMatchedConfidenceLevel : Boolean
+ TargetExpression : String
+ --
+ EntityType : EntityType
+ Policy : Policy
+ ResourceType : ResourceType
+ }
+}
+package "EntityType" {
+ class EntityType {
+ }
+}
+package "Policy" {
+ class Policy {
+ }
+}
+package "ResourceType" {
+ class ResourceType {
+ }
+}
+ResourceClassificationRule "0..*" -- "1"EntityType
+ResourceClassificationRule "0..*" -- "1"Policy
+ResourceClassificationRule "0..*" -- "1"ResourceType
+hide empty members
+@enduml
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationkey_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationkey_class_diagram.plantuml new file mode 100644 index 0000000000..f082141929 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationkey_class_diagram.plantuml @@ -0,0 +1,17 @@ +@startuml component +package "ResourceCorrelationKey" { + class ResourceCorrelationKey { + BindingExpressionHash : Int32 + EntityType : Int64 + Value : String + -- + Resource : Resource + } +} +package "Resource" { + class Resource { + } +} +ResourceCorrelationKey "0..*" -- "1"Resource +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationrule_class_diagram.plantuml new file mode 100644 index 0000000000..efcf305f55 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcecorrelationrule_class_diagram.plantuml @@ -0,0 +1,38 @@ +@startuml component +package "ResourceCorrelationRule" { + class ResourceCorrelationRule { + BaseRule : Int64 + SourceExpression : String + SourceMatchedConfidenceLevel : Int32 + TargetExpression : String + -- + EntityType : EntityType + Policy : Policy + ResourceType : ResourceType + SourceBinding : Binding + TargetBinding : Binding + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "Binding" { + class Binding { + } +} +ResourceCorrelationRule "0..*" -- "1"EntityType +ResourceCorrelationRule "0..*" -- "1"Policy +ResourceCorrelationRule "0..*" -- "1"ResourceType +ResourceCorrelationRule "0..*" -- "0..1"Binding +ResourceCorrelationRule "0..*" -- "0..1"Binding +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefile_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefile_class_diagram.plantuml new file mode 100644 index 0000000000..dcb601b4e8 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefile_class_diagram.plantuml @@ -0,0 +1,24 @@ +@startuml component +package "ResourceFile" { + class ResourceFile { + Data : Bytes + DataHash : Int32 + FileName : String + MimeType : String + -- + Property : EntityProperty + Resource : Resource + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "Resource" { + class Resource { + } +} +ResourceFile "0..*" -- "1"EntityProperty +ResourceFile "0..*" -- "1"Resource +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefilechange_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefilechange_class_diagram.plantuml new file mode 100644 index 0000000000..73b1ab953e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcefilechange_class_diagram.plantuml @@ -0,0 +1,13 @@ +@startuml component +package "ResourceFileChange" { + class ResourceFileChange { + ChangeOperation : Int32 + Data : Bytes + JobInstance : Int64 + Property : Int64 + Resource : Int64 + ResourceFile : Int64 + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelink_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelink_class_diagram.plantuml new file mode 100644 index 0000000000..574c38c9de --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelink_class_diagram.plantuml 
@@ -0,0 +1,22 @@ +@startuml component +package "ResourceLink" { + class ResourceLink { + -- + R1 : Resource + R2 : Resource + Type : EntityAssociation + } +} +package "Resource" { + class Resource { + } +} +package "EntityAssociation" { + class EntityAssociation { + } +} +ResourceLink "0..*" -- "1"Resource +ResourceLink "0..*" -- "1"Resource +ResourceLink "0..*" -- "1"EntityAssociation +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelinkchange_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelinkchange_class_diagram.plantuml new file mode 100644 index 0000000000..424b8858ba --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcelinkchange_class_diagram.plantuml @@ -0,0 +1,10 @@ +@startuml component +package "ResourceLinkChange" { + class ResourceLinkChange { + ChangeOperation : Int32 + JobInstance : Int64 + Type : Int64 + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcenavigationrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcenavigationrule_class_diagram.plantuml new file mode 100644 index 0000000000..1591bd12a9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcenavigationrule_class_diagram.plantuml 
@@ -0,0 +1,59 @@ +@startuml component +package "ResourceNavigationRule" { + class ResourceNavigationRule { + BaseRule : Int64 + IsDenied : Boolean + L0 : Boolean + TimeOffsetAfterReference : Int32 + TimeOffsetBeforeReference : Int32 + TimeOffsetReference : Int32 + Type : Int32 + -- + D0 : Resource + EntityType : EntityType + Policy : Policy + Property : EntityProperty + Resource : Resource + ResourceFromDimension : Dimension + ResourceType : ResourceType + SingleRole : SingleRole + } +} +package "Resource" { + class Resource { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "Dimension" { + class Dimension { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "SingleRole" { + class SingleRole { + } +} +ResourceNavigationRule "0..*" -- "0..1"Resource +ResourceNavigationRule "0..*" -- "1"EntityType +ResourceNavigationRule "0..*" -- "1"Policy +ResourceNavigationRule "0..*" -- "1"EntityProperty +ResourceNavigationRule "0..*" -- "0..1"Resource +ResourceNavigationRule "0..*" -- "0..1"Dimension +ResourceNavigationRule "0..*" -- "1"ResourceType +ResourceNavigationRule "0..*" -- "0..1"SingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcepropertymapping_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcepropertymapping_class_diagram.plantuml new file mode 100644 index 0000000000..1c8ddcee2d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcepropertymapping_class_diagram.plantuml 
@@ -0,0 +1,31 @@ +@startuml component +package "ResourcePropertyMapping" { + class ResourcePropertyMapping { + C0 : String + C1 : String + C10 : String + C2 : String + C3 : String + C4 : String + C5 : String + C6 : String + C7 : String + C8 : String + C9 : String + -- + Property : EntityProperty + ResourceTypeMapping : ResourceTypeMapping + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ResourceTypeMapping" { + class ResourceTypeMapping { + } +} +ResourcePropertyMapping "0..*" -- "1"EntityProperty +ResourcePropertyMapping "0..*" -- "1"ResourceTypeMapping +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcequeryrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcequeryrule_class_diagram.plantuml new file mode 100644 index 0000000000..4afcc0a90f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcequeryrule_class_diagram.plantuml 
@@ -0,0 +1,46 @@ +@startuml component +package "ResourceQueryRule" { + class ResourceQueryRule { + SourceExpression : String + TargetExpression : String + TargetMatchedConfidenceLevel : Int32 + TimeOffsetAfterReference : Int32 + TimeOffsetBeforeReference : Int32 + TimeOffsetReference : Int32 + -- + EntityType : EntityType + Policy : Policy + Property : EntityProperty + ResourceType : ResourceType + SourceBinding : Binding + TargetBinding : Binding + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "Binding" { + class Binding { + } +} +ResourceQueryRule "0..*" -- "1"EntityType +ResourceQueryRule "0..*" -- "1"Policy +ResourceQueryRule "0..*" -- "1"EntityProperty +ResourceQueryRule "0..*" -- "1"ResourceType +ResourceQueryRule "0..*" -- "0..1"Binding +ResourceQueryRule "0..*" -- "0..1"Binding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceriskscore_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceriskscore_class_diagram.plantuml new file mode 100644 index 0000000000..2147d19fef --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourceriskscore_class_diagram.plantuml @@ -0,0 +1,11 @@ +@startuml component +package "ResourceRiskScore" { + class ResourceRiskScore { + Owner : Int64 + OwnerType : Int64 + Rating : Int32 + Score : Int32 + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcescalarrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcescalarrule_class_diagram.plantuml new file mode 100644 index 0000000000..311ffaa4d9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcescalarrule_class_diagram.plantuml 
@@ -0,0 +1,51 @@ +@startuml component +package "ResourceScalarRule" { + class ResourceScalarRule { + BaseRule : Int64 + ComparisonType : Int32 + Expression : String + IsMapped : Boolean + TimeOffsetAfterReference : Int32 + TimeOffsetBeforeReference : Int32 + TimeOffsetReference : Int32 + -- + Binding : Binding + EntityType : EntityType + Policy : Policy + Property : EntityProperty + ResourceType : ResourceType + SingleRole : SingleRole + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "SingleRole" { + class SingleRole { + } +} +ResourceScalarRule "0..*" -- "0..1"Binding +ResourceScalarRule "0..*" -- "1"EntityType +ResourceScalarRule "0..*" -- "1"Policy +ResourceScalarRule "0..*" -- "1"EntityProperty +ResourceScalarRule "0..*" -- "1"ResourceType +ResourceScalarRule "0..*" -- "0..1"SingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetype_class_diagram.plantuml new file mode 100644 index 0000000000..20ea6b3766 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetype_class_diagram.plantuml 
@@ -0,0 +1,175 @@ +@startuml component +package "ResourceType" { + class ResourceType { + AllowAdd : Boolean + AllowRemove : Boolean + ApprovalWorkflowType : Int32 + ArgumentsExpression : String + AssignmentCount : Int32 + BaseRole : Int64 + BlockProvisioning : Boolean + CorrelateMultipleResources : Boolean + Description_L1 : String + DiscardManualAssignments : Boolean + DisplayName_L1 : String + FulfillHoursAheadOfTime : Int32 + FullName_L1 : String + HideOnSimplifiedView : Boolean + Identifier : String + ImplicitApproval : Byte + ManualAssignmentEndDateLockedToContextMode : Byte + MaximumDelete : Int32 + MaximumDeletePercent : Int32 + MaximumInsert : Int32 + MaximumInsertPercent : Int32 + MaximumUpdate : Int32 + MaximumUpdatePercent : Int32 + OrphanCount : Int32 + P0 : Boolean + ProlongationWithoutApproval : Byte + R0 : Boolean + RemoveOrphans : Boolean + SuggestAllCorrelations : Boolean + TransmittedStateValidityPeriod : Int32 + -- + AccessCertificationDataFilters : AccessCertificationDataFilter[] + AutomationRules : AutomationRule[] + Category : Category + DependsOn : ResourceType + DependsOnChildren : ResourceType[] + DependsOnOwnerProperty : EntityProperty + FilterResourceTypeEntityInstances : EntityInstance[] + Policy : Policy + ProfileContexts : ProfileContext[] + ProfileRuleContexts : ProfileRuleContext[] + ResourceBinaryRules : ResourceBinaryRule[] + ResourceClassificationRules : ResourceClassificationRule[] + ResourceCorrelationRules : ResourceCorrelationRule[] + ResourceNavigationRules : ResourceNavigationRule[] + ResourceQueryRules : ResourceQueryRule[] + ResourceScalarRules : ResourceScalarRule[] + ResourceTypeAssignedResourceTypes : AssignedResourceType[] + ResourceTypeIndirectResourceRules : IndirectResourceRule[] + ResourceTypeResourceTypeRules : ResourceTypeRule[] + ResourceTypeResourceTypesCategories : ResourceTypesCategory[] + RiskRuleItems : RiskRuleItem[] + RoleMappings : RoleMapping[] + SourceEntityType : EntityType + TargetEntityType : 
EntityType + TaskResourceType : TaskResourceType[] + } +} +package "AccessCertificationDataFilter" { + class AccessCertificationDataFilter { + } +} +package "AutomationRule" { + class AutomationRule { + } +} +package "Category" { + class Category { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "EntityInstance" { + class EntityInstance { + } +} +package "Policy" { + class Policy { + } +} +package "ProfileContext" { + class ProfileContext { + } +} +package "ProfileRuleContext" { + class ProfileRuleContext { + } +} +package "ResourceBinaryRule" { + class ResourceBinaryRule { + } +} +package "ResourceClassificationRule" { + class ResourceClassificationRule { + } +} +package "ResourceCorrelationRule" { + class ResourceCorrelationRule { + } +} +package "ResourceNavigationRule" { + class ResourceNavigationRule { + } +} +package "ResourceQueryRule" { + class ResourceQueryRule { + } +} +package "ResourceScalarRule" { + class ResourceScalarRule { + } +} +package "AssignedResourceType" { + class AssignedResourceType { + } +} +package "IndirectResourceRule" { + class IndirectResourceRule { + } +} +package "ResourceTypeRule" { + class ResourceTypeRule { + } +} +package "ResourceTypesCategory" { + class ResourceTypesCategory { + } +} +package "RiskRuleItem" { + class RiskRuleItem { + } +} +package "RoleMapping" { + class RoleMapping { + } +} +package "EntityType" { + class EntityType { + } +} +package "TaskResourceType" { + class TaskResourceType { + } +} +ResourceType "0..1" -- "0..*"AccessCertificationDataFilter +ResourceType "0..1" -- "0..*"AutomationRule +ResourceType "0..*" -- "0..1"Category +ResourceType "0..*" -- "0..1"ResourceType +ResourceType "0..*" -- "0..1"EntityProperty +ResourceType "0..1" -- "0..*"EntityInstance +ResourceType "0..*" -- "1"Policy +ResourceType "0..1" -- "0..*"ProfileContext +ResourceType "0..1" -- "0..*"ProfileRuleContext +ResourceType "1" -- "0..*"ResourceBinaryRule +ResourceType "1" -- 
"0..*"ResourceClassificationRule +ResourceType "1" -- "0..*"ResourceCorrelationRule +ResourceType "1" -- "0..*"ResourceNavigationRule +ResourceType "1" -- "0..*"ResourceQueryRule +ResourceType "1" -- "0..*"ResourceScalarRule +ResourceType "1" -- "0..*"AssignedResourceType +ResourceType "1" -- "0..*"IndirectResourceRule +ResourceType "1" -- "0..*"ResourceTypeRule +ResourceType "1" -- "0..*"ResourceTypesCategory +ResourceType "1" -- "0..*"RiskRuleItem +ResourceType "1" -- "0..*"RoleMapping +ResourceType "0..*" -- "1"EntityType +ResourceType "0..*" -- "1"EntityType +ResourceType "1" -- "0..*"TaskResourceType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypemapping_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypemapping_class_diagram.plantuml new file mode 100644 index 0000000000..be2d2c04ca --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypemapping_class_diagram.plantuml @@ -0,0 +1,38 @@ +@startuml component +package "ResourceTypeMapping" { + class ResourceTypeMapping { + C0 : String + C1 : String + C10 : String + C2 : String + C3 : String + C4 : String + C5 : String + C6 : String + C7 : String + C8 : String + C9 : String + Type : Int32 + -- + Connection : Connection + PasswordResetSetting : PasswordResetSettings + ResourcePropertyMappings : ResourcePropertyMapping[] + } +} +package "Connection" { + class Connection { + } +} +package "PasswordResetSettings" { + class PasswordResetSettings { + } +} +package "ResourcePropertyMapping" { + class ResourcePropertyMapping { + } +} +ResourceTypeMapping "0..*" -- "1"Connection +ResourceTypeMapping "0..*" -- "0..1"PasswordResetSettings +ResourceTypeMapping "1" -- "0..*"ResourcePropertyMapping +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetyperule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetyperule_class_diagram.plantuml new file mode 100644 index 0000000000..257790c3f5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetyperule_class_diagram.plantuml @@ -0,0 +1,45 @@ +@startuml component +package "ResourceTypeRule" { + class ResourceTypeRule { + BaseRule : Int64 + IsDenied : Boolean + L0 : Boolean + TimeOffsetAfterReference : Int32 + TimeOffsetBeforeReference : Int32 + TimeOffsetReference : Int32 + Type : Int32 + -- + D0 : Resource + EntityType : EntityType + Policy : Policy + ResourceType : ResourceType + SingleRole : SingleRole + } +} +package "Resource" { + class Resource { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "SingleRole" { + class SingleRole { + } +} +ResourceTypeRule "0..*" -- "0..1"Resource +ResourceTypeRule "0..*" -- "1"EntityType +ResourceTypeRule "0..*" -- "1"Policy +ResourceTypeRule "0..*" -- "1"ResourceType +ResourceTypeRule "0..*" -- "0..1"SingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypescategory_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypescategory_class_diagram.plantuml new file mode 100644 index 0000000000..04d18cbdf5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/resourcetypescategory_class_diagram.plantuml 
@@ -0,0 +1,20 @@ +@startuml component +package "ResourceTypesCategory" { + class ResourceTypesCategory { + -- + Category : Category + ResourceType : ResourceType + } +} +package "Category" { + class Category { + } +} +package "ResourceType" { + class ResourceType { + } +} +ResourceTypesCategory "0..*" -- "1"Category +ResourceTypesCategory "0..*" -- "1"ResourceType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/risk_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/risk_class_diagram.plantuml new file mode 100644 index 0000000000..0df489566f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/risk_class_diagram.plantuml @@ -0,0 +1,45 @@ +@startuml component +package "Risk" { + class Risk { + Description_L1 : String + DisplayName_L1 : String + ExemptionPolicy : Byte + Identifier : String + Level : Byte + Remediation_L1 : String + RiskType : Byte + -- + EntityType : EntityType + IdentifiedRisks : IdentifiedRisk[] + Policy : Policy + RuleItems : RiskRuleItem[] + Rules : RiskRule[] + } +} +package "EntityType" { + class EntityType { + } +} +package "IdentifiedRisk" { + class IdentifiedRisk { + } +} +package "Policy" { + class Policy { + } +} +package "RiskRuleItem" { + class RiskRuleItem { + } +} +package "RiskRule" { + class RiskRule { + } +} +Risk "0..*" -- "1"EntityType +Risk "1" -- "0..*"IdentifiedRisk +Risk "0..*" -- "1"Policy +Risk "1" -- "0..*"RiskRuleItem +Risk "1" -- "0..*"RiskRule +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/riskrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/riskrule_class_diagram.plantuml new file mode 100644 index 0000000000..c096c85681 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/riskrule_class_diagram.plantuml 
@@ -0,0 +1,27 @@ +@startuml component +package "RiskRule" { + class RiskRule { + Order : Int32 + -- + Items : RiskRuleItem[] + Policy : Policy + Risk : Risk + } +} +package "RiskRuleItem" { + class RiskRuleItem { + } +} +package "Policy" { + class Policy { + } +} +package "Risk" { + class Risk { + } +} +RiskRule "1" -- "0..*"RiskRuleItem +RiskRule "0..*" -- "1"Policy +RiskRule "0..*" -- "1"Risk +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/riskruleitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/riskruleitem_class_diagram.plantuml new file mode 100644 index 0000000000..cbf07de687 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/riskruleitem_class_diagram.plantuml @@ -0,0 +1,45 @@ +@startuml component +package "RiskRuleItem" { + class RiskRuleItem { + Value : String + -- + EntityType : EntityType + Property : EntityProperty + Resource : Resource + ResourceType : ResourceType + Risk : Risk + Rule : RiskRule + } +} +package "EntityType" { + class EntityType { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "Resource" { + class Resource { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "Risk" { + class Risk { + } +} +package "RiskRule" { + class RiskRule { + } +} +RiskRuleItem "0..*" -- "1"EntityType +RiskRuleItem "0..*" -- "1"EntityProperty +RiskRuleItem "0..*" -- "0..1"Resource +RiskRuleItem "0..*" -- "1"ResourceType +RiskRuleItem "0..*" -- "1"Risk +RiskRuleItem "0..*" -- "1"RiskRule +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemapping_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemapping_class_diagram.plantuml new file mode 100644 index 0000000000..a13f704cc2 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemapping_class_diagram.plantuml 
@@ -0,0 +1,73 @@ +@startuml component +package "RoleMapping" { + class RoleMapping { + ApprovalRequired : Boolean + ApprovalWorkflowType : Int32 + CategoryDisplayNameBinding : Int64 + CategoryDisplayNameExpression : String + CategoryIdentifierBinding : Int64 + CategoryIdentifierExpression : String + CommentActivationOnApproveInReview : Byte + CommentActivationOnDeclineInReview : Byte + CommentActivationOnDeleteGapInReconciliation : Byte + CommentActivationOnKeepGapInReconciliation : Byte + CommentActivationOnRequest : Byte + DisplayNameExpression : String + HideOnSimplifiedView : Boolean + Identifier : String + IdentifierExpression : String + ImplicitApproval : Byte + ParentCategoryIdentifierBinding : Int64 + ParentCategoryIdentifierExpression : String + WhereExpression : String + -- + Category : Category + DisplayNameBinding : Binding + EntityType : EntityType + IdentifierBinding : Binding + Policy : Policy + Property : EntityProperty + ResourceType : ResourceType + RolePolicy : Policy + Rules : RoleMappingRule[] + } +} +package "Category" { + class Category { + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ResourceType" { + class ResourceType { + } +} +package "RoleMappingRule" { + class RoleMappingRule { + } +} +RoleMapping "0..*" -- "0..1"Category +RoleMapping "0..*" -- "0..1"Binding +RoleMapping "0..*" -- "1"EntityType +RoleMapping "0..*" -- "0..1"Binding +RoleMapping "0..*" -- "1"Policy +RoleMapping "0..*" -- "1"EntityProperty +RoleMapping "0..*" -- "1"ResourceType +RoleMapping "0..*" -- "0..1"Policy +RoleMapping "1" -- "0..*"RoleMappingRule +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingrule_class_diagram.plantuml new file mode 100644 index 0000000000..1618e8f2ce --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingrule_class_diagram.plantuml @@ -0,0 +1,21 @@ +@startuml component +package "RoleMappingRule" { + class RoleMappingRule { + Order : Int32 + -- + RoleMapping : RoleMapping + RoleMappingRuleRoleMappingRuleItems : RoleMappingRuleItem[] + } +} +package "RoleMapping" { + class RoleMapping { + } +} +package "RoleMappingRuleItem" { + class RoleMappingRuleItem { + } +} +RoleMappingRule "0..*" -- "1"RoleMapping +RoleMappingRule "1" -- "0..*"RoleMappingRuleItem +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingruleitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingruleitem_class_diagram.plantuml new file mode 100644 index 0000000000..d112535ff1 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/rolemappingruleitem_class_diagram.plantuml @@ -0,0 +1,22 @@ +@startuml component +package "RoleMappingRuleItem" { + class RoleMappingRuleItem { + Operator : Byte + Value : String + -- + Property : EntityProperty + RoleMappingRule : RoleMappingRule + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "RoleMappingRule" { + class RoleMappingRule { + } +} +RoleMappingRuleItem "0..*" -- "1"EntityProperty +RoleMappingRuleItem "0..*" -- "1"RoleMappingRule +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffolding_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffolding_class_diagram.plantuml new file mode 100644 index 0000000000..0583a6014c --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffolding_class_diagram.plantuml @@ -0,0 +1,69 @@ +@startuml component +package "Scaffolding" { + class Scaffolding { + DisplayName_L1 : String + Generator : Int32 + Identifier : String + IsEnabled : Boolean + IsIncremental : Boolean + JobIdentifier : String + OldAlgorithm : Boolean + -- + Agent : Agent + Connector : Connector + EntityType : EntityType + Package : ConnectionPackage + Profile : Profile + Property : EntityProperty + ScaffoldingScaffoldingArguments : ScaffoldingArgument[] + Universe : Universe + Workflow : Workflow + } +} +package "Agent" { + class Agent { + } +} +package "Connector" { + class Connector { + } +} +package "EntityType" { + class EntityType { + } +} +package "ConnectionPackage" { + class ConnectionPackage { + } +} +package "Profile" { + class Profile { + } +} +package "EntityProperty" { + class EntityProperty { + } +} +package "ScaffoldingArgument" { + class ScaffoldingArgument { + } +} +package "Universe" { + class Universe { + } +} +package "Workflow" { + class Workflow { + } +} +Scaffolding "0..*" -- "0..1"Agent +Scaffolding "0..*" -- "0..1"Connector +Scaffolding "0..*" -- "0..1"EntityType +Scaffolding "0..*" -- "0..1"ConnectionPackage +Scaffolding "0..*" -- "0..1"Profile +Scaffolding "0..*" -- "0..1"EntityProperty +Scaffolding "1" -- "0..*"ScaffoldingArgument +Scaffolding "0..*" -- "0..1"Universe +Scaffolding "0..*" -- "0..1"Workflow +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffoldingargument_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffoldingargument_class_diagram.plantuml new file mode 100644 index 0000000000..ab6a8ace5b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/scaffoldingargument_class_diagram.plantuml 
@@ -0,0 +1,34 @@ +@startuml component +package "ScaffoldingArgument" { + class ScaffoldingArgument { + After : Boolean + Before : Boolean + Binding : String + ConnectorIdentifier : String + CopyOccurence : Int32 + Count : Int32 + EmailDomain : String + ForcedCount : Int32 + Identifier : String + IsIncremental : Boolean + LoginPrefix : String + NameSeparator : String + Order : Int32 + ScaffoldingArgumentType : Int32 + SearchBarPage : Int32 + TaskIdentifier : String + UniqueIdentifierMax : Int32 + UniqueIdentifierMin : Int32 + UniqueIdentifierPrefix : String + Value : String + -- + Scaffolding : Scaffolding + } +} +package "Scaffolding" { + class Scaffolding { + } +} +ScaffoldingArgument "0..*" -- "1"Scaffolding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbar_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbar_class_diagram.plantuml new file mode 100644 index 0000000000..6ea5c9dc89 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbar_class_diagram.plantuml @@ -0,0 +1,40 @@ +@startuml component +package "SearchBar" { + class SearchBar { + -- + EntityType : EntityType + Menu : MenuItem + SearchBarCriteria : SearchBarCriterion[] + SearchBarDesignElement : SearchBarDesignElement + SearchedBinding : Binding + SearchedEntityType : EntityType + } +} +package "EntityType" { + class EntityType { + } +} +package "MenuItem" { + class MenuItem { + } +} +package "SearchBarCriterion" { + class SearchBarCriterion { + } +} +package "SearchBarDesignElement" { + class SearchBarDesignElement { + } +} +package "Binding" { + class Binding { + } +} +SearchBar "0..*" -- "1"EntityType +SearchBar "0..*" -- "0..1"MenuItem +SearchBar "1" -- "0..*"SearchBarCriterion +SearchBar "0..*" -- "1"SearchBarDesignElement +SearchBar "0..*" -- "0..1"Binding +SearchBar "0..*" -- "1"EntityType +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbarcriterion_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbarcriterion_class_diagram.plantuml new file mode 100644 index 0000000000..c552fae853 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbarcriterion_class_diagram.plantuml @@ -0,0 +1,34 @@ +@startuml component +package "SearchBarCriterion" { + class SearchBarCriterion { + ColumnSize : Int32 + DefaultValue : String + DisplayName_L1 : String + DisplayOrder : Int32 + IsVisibleInAdvancedView : Boolean + Operator : Byte + PlaceHolderText_L1 : String + ToolTipText_L1 : String + -- + InputType : InputType + OptimizedBinding1 : Binding + SearchBar : SearchBar + } +} +package "InputType" { + class InputType { + } +} +package "Binding" { + class Binding { + } +} +package "SearchBar" { + class SearchBar { + } +} +SearchBarCriterion "0..*" -- "1"InputType +SearchBarCriterion "0..*" -- "0..1"Binding +SearchBarCriterion "0..*" -- "1"SearchBar +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbardesignelement_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbardesignelement_class_diagram.plantuml new file mode 100644 index 0000000000..2526bc26fc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/searchbardesignelement_class_diagram.plantuml @@ -0,0 +1,16 @@ +@startuml component +package "SearchBarDesignElement" { + class SearchBarDesignElement { + DisplayName_L1 : String + Identifier : String + -- + SearchBarDesignElementSearchBars : SearchBar[] + } +} +package "SearchBar" { + class SearchBar { + } +} +SearchBarDesignElement "1" -- "0..*"SearchBar +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/sequence_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/sequence_class_diagram.plantuml new file mode 100644 index 0000000000..4b2579e53c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/sequence_class_diagram.plantuml @@ -0,0 +1,8 @@ +@startuml component +package "Sequence" { + class Sequence { + Value : Int64 + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/setting_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/setting_class_diagram.plantuml new file mode 100644 index 0000000000..10101c1477 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/setting_class_diagram.plantuml @@ -0,0 +1,11 @@ +@startuml component +package "Setting" { + class Setting { + B0 : Bytes + C0 : String + Identifier : String + Type : Int32 + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerole_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerole_class_diagram.plantuml new file mode 100644 index 0000000000..8369f5d195 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerole_class_diagram.plantuml 
@@ -0,0 +1,107 @@ +@startuml component +package "SingleRole" { + class SingleRole { + ApprovalWorkflowType : Int32 + BaseRole : Int64 + CommentActivationOnApproveInReview : Byte + CommentActivationOnDeclineInReview : Byte + CommentActivationOnDeleteGapInReconciliation : Byte + CommentActivationOnKeepGapInReconciliation : Byte + CommentActivationOnRequest : Byte + Description_L1 : String + DisplayName_L1 : String + FullName_L1 : String + GracePeriod : Int32 + HideOnSimplifiedView : Boolean + Identifier : String + ImplicitApproval : Byte + ManualAssignmentEndDateLockedToContextMode : Byte + MaxDuration : Int32 + P0 : Boolean + ProlongationWithoutApproval : Byte + R0 : Boolean + State : Byte + Tags : String + -- + AssignedSingleRoles : AssignedSingleRole[] + AutomationRules : AutomationRule[] + Category : Category + D0 : Resource + EntityType : EntityType + Policy : Policy + ProfileContexts : ProfileContext[] + ResourceBinaryRules : ResourceBinaryRule[] + ResourceNavigationRules : ResourceNavigationRule[] + ResourceScalarRules : ResourceScalarRule[] + ResourceTypeRules : ResourceTypeRule[] + SingleRoleRules : SingleRoleRule[] + SingleRoleSingleRolesCategories : SingleRolesCategory[] + } +} +package "AssignedSingleRole" { + class AssignedSingleRole { + } +} +package "AutomationRule" { + class AutomationRule { + } +} +package "Category" { + class Category { + } +} +package "Resource" { + class Resource { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "ProfileContext" { + class ProfileContext { + } +} +package "ResourceBinaryRule" { + class ResourceBinaryRule { + } +} +package "ResourceNavigationRule" { + class ResourceNavigationRule { + } +} +package "ResourceScalarRule" { + class ResourceScalarRule { + } +} +package "ResourceTypeRule" { + class ResourceTypeRule { + } +} +package "SingleRoleRule" { + class SingleRoleRule { + } +} +package "SingleRolesCategory" { + class SingleRolesCategory { + } +} 
+SingleRole "1" -- "0..*"AssignedSingleRole +SingleRole "0..1" -- "0..*"AutomationRule +SingleRole "0..*" -- "0..1"Category +SingleRole "0..*" -- "0..1"Resource +SingleRole "0..*" -- "1"EntityType +SingleRole "0..*" -- "1"Policy +SingleRole "0..1" -- "0..*"ProfileContext +SingleRole "0..1" -- "0..*"ResourceBinaryRule +SingleRole "0..1" -- "0..*"ResourceNavigationRule +SingleRole "0..1" -- "0..*"ResourceScalarRule +SingleRole "0..1" -- "0..*"ResourceTypeRule +SingleRole "1" -- "0..*"SingleRoleRule +SingleRole "1" -- "0..*"SingleRolesCategory +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolerule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolerule_class_diagram.plantuml new file mode 100644 index 0000000000..ea52dfebdc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolerule_class_diagram.plantuml @@ -0,0 +1,43 @@ +@startuml component +package "SingleRoleRule" { + class SingleRoleRule { + BaseRule : Int64 + IsDenied : Boolean + L0 : Boolean + Priority : Int32 + Type : Int32 + -- + CompositeRole : CompositeRole + D0 : Resource + EntityType : EntityType + Policy : Policy + Role : SingleRole + } +} +package "CompositeRole" { + class CompositeRole { + } +} +package "Resource" { + class Resource { + } +} +package "EntityType" { + class EntityType { + } +} +package "Policy" { + class Policy { + } +} +package "SingleRole" { + class SingleRole { + } +} +SingleRoleRule "0..*" -- "0..1"CompositeRole +SingleRoleRule "0..*" -- "0..1"Resource +SingleRoleRule "0..*" -- "1"EntityType +SingleRoleRule "0..*" -- "1"Policy +SingleRoleRule "0..*" -- "1"SingleRole +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolescategory_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolescategory_class_diagram.plantuml new file mode 100644 index 0000000000..1409fd8d7a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/singlerolescategory_class_diagram.plantuml @@ -0,0 +1,20 @@ +@startuml component +package "SingleRolesCategory" { + class SingleRolesCategory { + -- + Category : Category + SingleRole : SingleRole + } +} +package "Category" { + class Category { + } +} +package "SingleRole" { + class SingleRole { + } +} +SingleRolesCategory "0..*" -- "1"Category +SingleRolesCategory "0..*" -- "1"SingleRole +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/synchronizationhistory_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/synchronizationhistory_class_diagram.plantuml new file mode 100644 index 0000000000..38475f5064 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/synchronizationhistory_class_diagram.plantuml @@ -0,0 +1,23 @@ +@startuml component +package "SynchronizationHistory" { + class SynchronizationHistory { + ExecutionDate : DateTime + HistorizationDate : DateTime + State : Byte + -- + Connector : Connector + TaskInstance : TaskInstance + } +} +package "Connector" { + class Connector { + } +} +package "TaskInstance" { + class TaskInstance { + } +} +SynchronizationHistory "0..*" -- "1"Connector +SynchronizationHistory "0..*" -- "1"TaskInstance +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/task_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/task_class_diagram.plantuml new file mode 100644 index 0000000000..823ac0bcc6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/task_class_diagram.plantuml 
@@ -0,0 +1,99 @@ +@startuml component +package "Task" { + class Task { + AllEntityType : Boolean + ApiUrl : String + AssignedResourceNavigationSQL : String + AssignedResourceScalarSQL : String + AssignedResourceTypeSQL : String + BatchInsertSize : Int32 + BatchSelectSize : Int32 + BatchSize : Int32 + BatchUpdateSize : Int32 + BlockProvisioning : Boolean + Check : Boolean + ConnectionIdentifier : String + ContinueOnError : Boolean + Dirty : Boolean + DisplayName_L1 : String + DoNotDeleteChanges : Boolean + GeneratedCodeNamespace : String + GeneratedCodePath : String + GeneratedFile : String + HttpCommand : Int16 + Identifier : String + IgnoreCookieFile : Boolean + IgnoreHistorization : Boolean + InformationSystemIdentifier : String + InputPath : String + Level : Int32 + LogLevel : Int32 + Mode : Int32 + OutputPath : String + ProvisioningJobIdentifier : String + SessionOff : Boolean + SplitSize : Int32 + State : Int32 + SynchronizationJobIdentifier : String + TaskType : Int32 + -- + Agent : Agent + Connector : Connector + DependOnChildTask : TaskDependOnTask[] + DependOnParentTask : TaskDependOnTask[] + JobStep : JobStep[] + OpenIdClient : OpenIdClient + TaskDimension : TaskDimension[] + TaskEntityType : TaskEntityType[] + TaskInstance : TaskInstance[] + TaskResourceType : TaskResourceType[] + } +} +package "Agent" { + class Agent { + } +} +package "Connector" { + class Connector { + } +} +package "TaskDependOnTask" { + class TaskDependOnTask { + } +} +package "JobStep" { + class JobStep { + } +} +package "OpenIdClient" { + class OpenIdClient { + } +} +package "TaskDimension" { + class TaskDimension { + } +} +package "TaskEntityType" { + class TaskEntityType { + } +} +package "TaskInstance" { + class TaskInstance { + } +} +package "TaskResourceType" { + class TaskResourceType { + } +} +Task "0..*" -- "0..1"Agent +Task "0..*" -- "0..1"Connector +Task "1" -- "0..*"TaskDependOnTask +Task "1" -- "0..*"TaskDependOnTask +Task "1" -- "0..*"JobStep +Task "0..*" -- 
"0..1"OpenIdClient +Task "1" -- "0..*"TaskDimension +Task "1" -- "0..*"TaskEntityType +Task "1" -- "0..*"TaskInstance +Task "1" -- "0..*"TaskResourceType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdependontask_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdependontask_class_diagram.plantuml new file mode 100644 index 0000000000..1f31755841 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdependontask_class_diagram.plantuml @@ -0,0 +1,16 @@ +@startuml component +package "TaskDependOnTask" { + class TaskDependOnTask { + -- + ChildTask : Task + ParentTask : Task + } +} +package "Task" { + class Task { + } +} +TaskDependOnTask "0..*" -- "1"Task +TaskDependOnTask "0..*" -- "1"Task +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdimension_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdimension_class_diagram.plantuml new file mode 100644 index 0000000000..1b9726cccd --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskdimension_class_diagram.plantuml @@ -0,0 +1,20 @@ +@startuml component +package "TaskDimension" { + class TaskDimension { + -- + Dimension : Dimension + Task : Task + } +} +package "Dimension" { + class Dimension { + } +} +package "Task" { + class Task { + } +} +TaskDimension "0..*" -- "1"Dimension +TaskDimension "0..*" -- "1"Task +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskentitytype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskentitytype_class_diagram.plantuml new file mode 100644 index 0000000000..f02613f923 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskentitytype_class_diagram.plantuml 
@@ -0,0 +1,20 @@ +@startuml component +package "TaskEntityType" { + class TaskEntityType { + -- + EntityType : EntityType + Task : Task + } +} +package "EntityType" { + class EntityType { + } +} +package "Task" { + class Task { + } +} +TaskEntityType "0..*" -- "1"EntityType +TaskEntityType "0..*" -- "1"Task +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskinstance_class_diagram.plantuml new file mode 100644 index 0000000000..9d3eae3137 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskinstance_class_diagram.plantuml @@ -0,0 +1,47 @@ +@startuml component +package "TaskInstance" { + class TaskInstance { + C0 : Int32 + DisplayName_L1 : String + EndDate : DateTime + IsChild : Boolean + IsValidation : Boolean + LastProgressUpdate : DateTime + StartDate : DateTime + State : Int16 + WrappedProgress : String + -- + Agent : Agent + AssignedResourceErrors : AssignedResourceError[] + JobInstance : JobInstance + Task : Task + TaskInstanceSynchronizationHistories : SynchronizationHistory[] + } +} +package "Agent" { + class Agent { + } +} +package "AssignedResourceError" { + class AssignedResourceError { + } +} +package "JobInstance" { + class JobInstance { + } +} +package "Task" { + class Task { + } +} +package "SynchronizationHistory" { + class SynchronizationHistory { + } +} +TaskInstance "0..*" -- "0..1"Agent +TaskInstance "1" -- "0..*"AssignedResourceError +TaskInstance "0..*" -- "0..1"JobInstance +TaskInstance "0..*" -- "1"Task +TaskInstance "1" -- "0..*"SynchronizationHistory +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskresourcetype_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskresourcetype_class_diagram.plantuml new file mode 100644 index 0000000000..1e364c8e6d --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/taskresourcetype_class_diagram.plantuml @@ -0,0 +1,20 @@ +@startuml component +package "TaskResourceType" { + class TaskResourceType { + -- + ResourceType : ResourceType + Task : Task + } +} +package "ResourceType" { + class ResourceType { + } +} +package "Task" { + class Task { + } +} +TaskResourceType "0..*" -- "1"ResourceType +TaskResourceType "0..*" -- "1"Task +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/tile_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/tile_class_diagram.plantuml new file mode 100644 index 0000000000..f27ebe82b6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/tile_class_diagram.plantuml @@ -0,0 +1,46 @@ +@startuml component +package "Tile" { + class Tile { + DisplayName_L1 : String + Identifier : String + -- + Columns : DisplayTableColumn[] + Controls : FormControl[] + DisplayEntityProperties : DisplayEntityProperty[] + EntityType : EntityType + Items : TileItem[] + TileDesignElement : TileDesignElement + } +} +package "DisplayTableColumn" { + class DisplayTableColumn { + } +} +package "FormControl" { + class FormControl { + } +} +package "DisplayEntityProperty" { + class DisplayEntityProperty { + } +} +package "EntityType" { + class EntityType { + } +} +package "TileItem" { + class TileItem { + } +} +package "TileDesignElement" { + class TileDesignElement { + } +} +Tile "0..1" -- "0..*"DisplayTableColumn +Tile "0..1" -- "0..*"FormControl +Tile "0..1" -- "0..*"DisplayEntityProperty +Tile "0..*" -- "1"EntityType +Tile "1" -- "0..*"TileItem +Tile "0..*" -- "1"TileDesignElement +hide empty members +@enduml 
diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/tiledesignelement_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/tiledesignelement_class_diagram.plantuml new file mode 100644 index 0000000000..f3722cdc9c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/tiledesignelement_class_diagram.plantuml @@ -0,0 +1,16 @@ +@startuml component +package "TileDesignElement" { + class TileDesignElement { + DisplayName_L1 : String + Identifier : String + -- + Tiles : Tile[] + } +} +package "Tile" { + class Tile { + } +} +TileDesignElement "1" -- "0..*"Tile +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/tileitem_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/tileitem_class_diagram.plantuml new file mode 100644 index 0000000000..ce8426f0fb --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/tileitem_class_diagram.plantuml @@ -0,0 +1,25 @@ +@startuml component +package "TileItem" { + class TileItem { + AddedMinutes : Int32 + LineDisplayOrderIndicator : Int32 + LineNumber : Int32 + -- + Binding : Binding + OptimizedBinding : Binding + Tile : Tile + } +} +package "Binding" { + class Binding { + } +} +package "Tile" { + class Tile { + } +} +TileItem "0..*" -- "1"Binding +TileItem "0..*" -- "0..1"Binding +TileItem "0..*" -- "1"Tile +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/unicitycheckrule_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/unicitycheckrule_class_diagram.plantuml new file mode 100644 index 0000000000..4cba1893b6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/unicitycheckrule_class_diagram.plantuml 
@@ -0,0 +1,30 @@ +@startuml component +package "UnicityCheckRule" { + class UnicityCheckRule { + SourceExpression : String + TargetExpression : String + -- + Aspect : Aspect + SourceBinding : Binding + TargetBinding : Binding + TargetEntityType : EntityType + } +} +package "Aspect" { + class Aspect { + } +} +package "Binding" { + class Binding { + } +} +package "EntityType" { + class EntityType { + } +} +UnicityCheckRule "0..*" -- "1"Aspect +UnicityCheckRule "0..*" -- "0..1"Binding +UnicityCheckRule "0..*" -- "0..1"Binding +UnicityCheckRule "0..*" -- "1"EntityType +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/universe_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/universe_class_diagram.plantuml new file mode 100644 index 0000000000..bbe11dde1f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/universe_class_diagram.plantuml @@ -0,0 +1,29 @@ +@startuml component +package "Universe" { + class Universe { + ColumnNamesMode : Byte + DisplayName_L1 : String + Identifier : String + -- + AssociationInstances : AssociationInstance[] + EntityInstances : EntityInstance[] + UniverseScaffoldings : Scaffolding[] + } +} +package "AssociationInstance" { + class AssociationInstance { + } +} +package "EntityInstance" { + class EntityInstance { + } +} +package "Scaffolding" { + class Scaffolding { + } +} +Universe "1" -- "0..*"AssociationInstance +Universe "1" -- "0..*"EntityInstance +Universe "0..1" -- "0..*"Scaffolding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflow_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflow_class_diagram.plantuml new file mode 100644 index 0000000000..ee8c3981a2 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflow_class_diagram.plantuml 
@@ -0,0 +1,43 @@ +@startuml component +package "Workflow" { + class Workflow { + DisplayName_L1 : String + Identifier : String + IdentifierPrefix : String + -- + Activities : Activity[] + ArgumentCalledWorkflowActivities : Activity[] + Instances : WorkflowInstance[] + VariablesType : EntityType + WorkflowMenuItems : MenuItem[] + WorkflowScaffoldings : Scaffolding[] + } +} +package "Activity" { + class Activity { + } +} +package "WorkflowInstance" { + class WorkflowInstance { + } +} +package "EntityType" { + class EntityType { + } +} +package "MenuItem" { + class MenuItem { + } +} +package "Scaffolding" { + class Scaffolding { + } +} +Workflow "1" -- "0..*"Activity +Workflow "0..1" -- "0..*"Activity +Workflow "1" -- "0..*"WorkflowInstance +Workflow "0..*" -- "1"EntityType +Workflow "0..1" -- "0..*"MenuItem +Workflow "0..1" -- "0..*"Scaffolding +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowinstance_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowinstance_class_diagram.plantuml new file mode 100644 index 0000000000..34c9e61db4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowinstance_class_diagram.plantuml 
@@ -0,0 +1,95 @@ +@startuml component +package "WorkflowInstance" { + class WorkflowInstance { + C0 : String + C1 : String + I40 : Int64 + I41 : Int64 + Identifier : String + IsCompleted : Boolean + WhenCompleted : DateTime + -- + ActivityInstances : ActivityInstance[] + AssignedCompositeRoles : AssignedCompositeRole[] + AssignedResourceTypes : AssignedResourceType[] + AssignedSingleRoles : AssignedSingleRole[] + CurrentActivity : Activity + CurrentActivityInstance : ActivityInstance + CurrentState : ActivityTemplateState + CurrentTransition : ActivityTemplateTransition + IdentifiedRisks : IdentifiedRisk[] + Type : EntityType + Workflow : Workflow + WorkflowInstanceAssignedResourceBinaries : AssignedResourceBinary[] + WorkflowInstanceAssignedResourceNavigations : AssignedResourceNavigation[] + WorkflowInstanceAssignedResourceScalars : AssignedResourceScalar[] + } +} +package "ActivityInstance" { + class ActivityInstance { + } +} +package "AssignedCompositeRole" { + class AssignedCompositeRole { + } +} +package "AssignedResourceType" { + class AssignedResourceType { + } +} +package "AssignedSingleRole" { + class AssignedSingleRole { + } +} +package "Activity" { + class Activity { + } +} +package "ActivityTemplateState" { + class ActivityTemplateState { + } +} +package "ActivityTemplateTransition" { + class ActivityTemplateTransition { + } +} +package "IdentifiedRisk" { + class IdentifiedRisk { + } +} +package "EntityType" { + class EntityType { + } +} +package "Workflow" { + class Workflow { + } +} +package "AssignedResourceBinary" { + class AssignedResourceBinary { + } +} +package "AssignedResourceNavigation" { + class AssignedResourceNavigation { + } +} +package "AssignedResourceScalar" { + class AssignedResourceScalar { + } +} +WorkflowInstance "1" -- "0..*"ActivityInstance +WorkflowInstance "0..1" -- "0..*"AssignedCompositeRole +WorkflowInstance "0..1" -- "0..*"AssignedResourceType +WorkflowInstance "0..1" -- "0..*"AssignedSingleRole +WorkflowInstance "0..*" -- 
"1"Activity +WorkflowInstance "0..*" -- "0..1"ActivityInstance +WorkflowInstance "0..*" -- "1"ActivityTemplateState +WorkflowInstance "0..*" -- "1"ActivityTemplateTransition +WorkflowInstance "0..1" -- "0..*"IdentifiedRisk +WorkflowInstance "0..*" -- "1"EntityType +WorkflowInstance "0..*" -- "1"Workflow +WorkflowInstance "0..1" -- "0..*"AssignedResourceBinary +WorkflowInstance "0..1" -- "0..*"AssignedResourceNavigation +WorkflowInstance "0..1" -- "0..*"AssignedResourceScalar +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowstate_class_diagram.plantuml b/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowstate_class_diagram.plantuml new file mode 100644 index 0000000000..899e1b5fd6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/assets/diagrams/workflowstate_class_diagram.plantuml @@ -0,0 +1,9 @@ +@startuml component +package "WorkflowState" { + class WorkflowState { + DisplayName_L1 : String + Identifier : String + } +} +hide empty members +@enduml diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/azuread-register.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/azuread-register.md new file mode 100644 index 0000000000..77dd067088 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/azuread-register.md 
@@ -0,0 +1,105 @@
+---
+title: "Register for Microsoft Entra ID"
+description: "Register for Microsoft Entra ID"
+sidebar_position: 60
+---
+
+# Register for Microsoft Entra ID
+
+This guide shows how to [register](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) Identity Manager as an application, i.e. grant Identity Manager a service account, with Microsoft Identity Platform to authenticate to a Microsoft Entra ID (formerly Azure Active Directory), and how to grant Identity Manager the [directory permissions](https://docs.microsoft.com/en-us/graph/permissions-reference) for reading the data to be exported via the [Microsoft Graph API](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api).
+
+## Create a New Registration
+
+Create a new registration for Identity Manager with Microsoft Identity Platform by proceeding as follows:
+
+1. Go to [the Microsoft portal](https://portal.azure.com/).
+2. Log in using the organization's credentials.
+3. Find the **Microsoft Entra ID** menu on the left panel.
+4. Go to **App Registrations** in the left panel.
+5. Click the **+ New Registration** button in the top menu.
+
+ ![Azure AD Export - Add New Registration](/images/identitymanager/howtos_azuread_exportregistration.webp)
+
+A new registration form is displayed:
+
+ - Name: display name of your application for the currently created registration. It is used to
+identify this registration within Microsoft Entra ID. In the case at hand, it won't be displayed to the end-user since Identity Manager doesn't access the Microsoft Entra ID using end-user identity but [its own](https://docs.microsoft.com/en-us/graph/auth-v2-service).
+
+Netwrix Identity Manager (formerly Usercube)  recommends using a mnemonic name resembling Identity Manager Organization in order to remember it as the registration of Identity Manager within the target Microsoft Entra ID, for example Identity Manager Contoso.
+
+ - [Supported account types](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-supported-account-types):
+select **Accounts in this organizational directory only (... - Single tenant)**.
+
+Identity Manager uses its own identity to access the API. It doesn't access the data on behalf of a user. To authenticate, it uses credentials of a service account granted by this registration, in the form of an **ApplicationId** and a secret Client Secret.
+
+See how to get **ApplicationId** and **ApplicationKey**.
+
+This service account is stored in the organizational directory, and hence using the [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), only **Accounts in this organizational directory** are supported for authentication within this registration scope.
+
+ - Redirect URI:
+
+ - The left combo box represents the type of application. It influences the authorization
+protocol exchanges. Identity Manager is of type Web.
+ - The right line edit isn't applicable to our case and should be left blank. It is used for
+end-user authentication, but doesn't apply to Identity Manager.
+
+6. Confirm the registration with the **Register** button at the bottom of the page.
+
+### Get the application's identifier
+
+**ApplicationId** is available in the registration overview. Get it by proceeding as follows:
+
+1. Go to **App Registrations** in the left panel.
+2. Select **Owned applications** > **Identity Manager**.
+3. Go to **Overview** in the left panel.
+
+The **Essentials** top panel displays the **Application (client) ID** required by the Identity Manager Agent. The same page also displays the **Directory (tenant) ID** that will also be needed by the Identity Manager Agent.
+
+ ![Azure AD Export - New ApplicationId](/images/identitymanager/howtos_azuread_exportapplicationid.webp)
+
+### Get the application's secret key
+
+A **Client Secret** key needs to be generated. Get it by proceeding as follows:
+
+1. Go to **App Registrations** in the left panel.
+2. Select **Owned applications** > **Identity Manager**.
+3. Go to **Certificate & Secrets** in the left panel.
+4. Click the **+ New client secret** button in the bottom panel **Client Secrets**.
+5. Input a mnemonic name such as Identity Manager Organization Secret.
+6. It is recommended to use a short **expiration period** such as 1 year.
+7. Confirm the creation with the **Add** button.
+
+The Client Secret is now listed in the bottom panel **Client Secrets**. The Client Secret value is needed by the Identity Manager Agent settings file.
+
+ ![Azure AD Export - New Client Secret](/images/identitymanager/howtos_azuread_exportsecret.webp)
+
+The **Client Secret** value is only displayed in the UI in plain text at first. After a while, it is only displayed as `**************`. It should hence be stored in the appsettings.agent.json file or an environment variable as soon as it is created, to be used subsequently by Identity Manager. If the key is lost, a new key can be created to replace the lost one.
+
+## Grant Directory Permissions
+
+Grant Identity Manager directory permissions by proceeding as follows:
+
+1. Go to **App Registrations** in the left panel.
+2. Select **Owned applications** > **Identity Manager**.
+3. Go to **API Permissions** in the left panel.
+4. Click on the **+ Add a permission** button.
+
+ ![Azure AD Export - Add Permission](/images/identitymanager/howtos_azuread_exportpermissions.webp)
+
+5. Go to **Microsoft graph** > **Application permissions**.
+6. Search and open the **Directory** category.
+7. Check the **Directory.Read.All** permission.
+
+If you plan on configuring fulfillment too, you must only check the **Directory.ReadWrite.All** permission.
+
+ ![Azure AD Export - Directory Permission](/images/identitymanager/howtos_azuread_exportdirectorypermission.webp)
+
+8. Confirm with the **Add permissions** button at the bottom of the page.
+
+You now see the Directory.Read.All or Directory.ReadWrite.All permission in the **Configured permissions** list with a **⚠ Not granted for ...** status.
+
+9. Grant admin consent by clicking on **√ Grant admin consent for** name of the organization.
+
+ ![Azure AD Export - Grant Admin Consent](/images/identitymanager/howtos_azuread_exportadminconsent.webp)
+
+You should now see the status displayed as **√ Granted for** name of the organization.
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/configure-secured-options.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/configure-secured-options.md
new file mode 100644
index 0000000000..c0e17d5394
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/configure-secured-options.md
@@ -0,0 +1,60 @@
+---
+title: "Configure Secured Options"
+description: "Configure Secured Options"
+sidebar_position: 30
+---
+
+# Configure Secured Options
+
+This guide shows how to configure secured options to ensure data security in a connection's parameters.
+
+## Overview
+
+A connection's parameters fall into two categories: regular or secured options.
+
+The particularity of secured options is that, once set, they will never again be shown to users. Hence, extra care should be taken while specifying them.
+
+There are several types of secured options: a simple field or multiple key-value fields.
+
+## Configure a Secured Option
+
+Configure a secured option by proceeding as follows:
+
+1. Among a connection's parameters, identify the secured option:
+
+ - for a simple field:
+
+ ![AD creation](/images/identitymanager/securedoptions_adlogin_v603.webp)
+
+ - for multiple key-value fields:
+
+ ![SQL connection string](/images/identitymanager/securedoptions_keyvalue_v603.webp)
+
+Contrary to simple fields, multiple-key-value secured options are not restricted to a given property. They are arbitrary and can be set to anything.
+
+2. Fill the field(s) and, if needed, click on the eye icon to make the content visible.
+
+ ![Eye Icon](/images/identitymanager/iconeye_v600.svg)
+
+ > For example, for a simple field in an AD connection, the **Login** and **Password** are by
+ > default hidden with ??????:
+>
+ > ![Login Secured Options Hidden](/images/identitymanager/securedoptions_adexample_v603.webp)
+>
+ > ![Login Secured Options Revealed](/images/identitymanager/securedoptions_adexamplevisible_v603.webp)
+
+ > For example, for multiple key-value fields in an SQL connection, some elements of the
+ > connection string might be sensitive and need to be hidden:
+>
+ > ![SQL connection string](/images/identitymanager/securedoptions_sqlexample1_v603.webp)
+>
+ > In this example, the database name and the minimal pool size are secured options:
+>
+ > ![SQL Secured option filled](/images/identitymanager/securedoptions_sqlexample2_v603.webp)
+
+ > Another example of multiple key-value fields in a Powershell connection:
+>
+ > ![Powershell Secured option hidden](/images/identitymanager/securedoptions_powershellexample_v603.webp)
+
+3. Once saved, any secured option's value can no longer be seen. However, it can still be modified
+by deleting the value and re-specifying it.
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/connections.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/connections.md
new file mode 100644
index 0000000000..b48f1d768c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/connections.md
@@ -0,0 +1,75 @@
+---
+title: "Connections"
+description: "Connections"
+sidebar_position: 10
+---
+
+# Connections
+
+This page gathers useful information concerning the possible uses of connections, used by connectors in order to extract and/or fulfill data from/to external systems.
+
+## Connection Configuration
+
+A connector needs at least one [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) which needs to be declared both in the XML configuration and in the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) file to be used. The connection settings must be set in appsettings.agent.json > Connections > **connectionIdentifier**, where **connectionIdentifier** is the identifier specified for the connection in the XML configuration.
+
+See the [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) topic for additional information.
+
+The information stored in the connection depends on the export and/or fulfill technologies used by the connection's package.
+
+See the [References: Connectors](../../../integration-guide/connectors/references-connectors) topic for additional information.
+
+## Connection Tables
+
+A [Connection Table](../../../integration-guide/toolkit/xml-configuration/connectors/connectiontable) represents the potential output of the connection's [Export Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask), when the connection's package allows export. The export process generates CSV files (our connection tables) whose names start with the connection's identifier. The files' suffixes depend on the connector. See the [References: Connectors](../../../integration-guide/connectors/references-connectors) topic for additional information.
+
+The name of these files are used to specify the connection tables of the [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) in order to link the connectors' properties to the source files and columns from the managed systems.
+
+A connection table is used in the definition of an entity type as `Source`, while the available columns of the selected table are used for the mapping as `Source Columns`.
+
+![connectiontables_ui_v60](/images/identitymanager/connectiontables_ui_v60.webp)
+
+## Refresh Schema
+
+A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be refreshed to enable the configuration of entity types and resource types.
+
+Identity Manager refreshes a connection's schema:
+
+- after the connection creation;
+- when clicking on **Refresh Schema** on the connection's page: only the schema of the current
+connection is refreshed;
+
+ ![Refresh Schema of One Connection](/images/identitymanager/connectioncreation_refreshschema_v522.webp)
+
+- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are
+refreshed.
+
+ ![Refresh all Schemas](/images/identitymanager/connectioncreation_refreshall_v602.webp)
+
+In the **Connections** frame, either the last successful schema update is indicated or an icon is shown if the refresh schema failed.
+
+![Failed Refresh Schemas](/images/identitymanager/connectioncreation_failedindicator_v602.webp)
+
+Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't displayed on the connection's page. On the connector's page, a connection without schema is indicated by the sentence "There is no schema for this connection".
+
+![No Schema](/images/identitymanager/connectioncreation_noschema_v522.webp)
+
+The connections' schemas must be refreshed before editing the connector's entity types via the UI, whether the connections were created via the UI or XML configuration. Otherwise, there will be no connection table available in the `Source` dropdown, so you will not be able to save anything.
+
+## Export/Fulfill Tasks and Resource Type Mappings
+
+Connections are given to `ExportTasks` through the `Connection` attribute, which is mandatory as the `ExportTask` needs this information to use the right technology and search the information in the `appsettings.agent.json`.
+
+It can also be given to `FulfillTasks` the same way but must not be if the `FulfillTask` has `TaskResourceTypes`.
+
+`ResourceTypeMappings` have the `Connection` attribute as well, which is mandatory. If a `FulfillTask` has `TaskResourceTypes`, it will use the given connections to provision the different `ResourceTypes`.
+
+## Secured Options
+
+A connection's parameters fall into two categories: regular or secured options.
+
+The particularity of secured options is that, once set, they will never again be shown to users. Hence, extra care should be taken while specifying them.
+
+There are several types of secured options: a simple field or multiple key-value fields.
+
+See the [Configure Secured Options](../../../integration-guide/connectors/configuration-details/configure-secured-options) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/entra-ID.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/entra-ID.md
new file mode 100644
index 0000000000..c41a6eece3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/entra-ID.md
@@ -0,0 +1,322 @@ +--- +title: "For Microsoft Entra ID" +description: "For Microsoft Entra ID" +sidebar_position: 10 +--- + +# For Microsoft Entra ID + +See the[ Microsoft Entra ID](../../../../integration-guide/connectors/references-connectors/microsoftentraid) topic for additional information about creating a connector. + +## Prerequisites + +The following are prerequisites for the connector creation. + +**Configure the external system** + +See the [Register for Microsoft Entra ID](../../../../integration-guide/connectors/configuration-details/azuread-register) topic for additional information on how to register Identity Manager. + +**Configure Identity Manager** + +See the [ Microsoft Entra ID](../../../../integration-guide/connectors/references-connectors/microsoftentraid) topic for additional information  on the connection. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +appsettings.agent.json +{ +    ... +    "Connections": { +        ... +        "MicrosoftEntraIDContosoNYExport": { +            "ApplicationId": "", +            "ApplicationKey": "<25d408a1925d4c081925b\d40819>", +            "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", +            "MicrosoftGraphPathApi": "", +        } +    } +} +``` + +## Build the Connector + +See the [Connect to a Managed System](../../../../user-guide/set-up/connect-system) topic for additional information on how to build a connector via the UI, with its connections, entity types and mappings. + +This example declares the MicrosoftEntraID connector on the Local agent: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml + + +        ... +         +        ... 
+ +``` + +### Entity model + +The entity model should match as closely as possible the structure of the relevant Microsoft Entra ID data, and be aligned with Identity Manager's repository. See the [Entity Model](../../../../integration-guide/entity-model) topic for additional information. + +For example, Microsoft Entra ID's Users and Groups can be described by entity types, and group memberships by entity associations. + +The following example defines an entity type named MicrosoftEntraID_DirectoryObject to match the attributes selected for extraction from the Microsoft Entra ID instance: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + +         +         +         +         +         +         +         +         +         +         +         +         +         quot;true" /> +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         + +... +``` + +Notice the omitted TargetColumnIndex attribute for the members and memberOf properties. This means that these properties are navigation properties. + +The following example declares an n-n association between two MicrosoftEntraID_DirectoryObjects, where: + +- memberOf is a collection of Groups IDs of which this MicrosoftEntraID_DirectoryObject is a member; +- members from a Group is a collection of MicrosoftEntraID_DirectoryObjects IDs which are members of +this Group. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + +... 
+``` + +Notice the format of the Property1 and Property2 XML attributes: the name of the entity type is followed by a colon (:) and the name of an entity property. It is a binding describing in one expression, the target entity type and property. See the[Binding](../../../../integration-guide/toolkit/xml-configuration/metadata/binding) topic for additional information. + +**Entity mapping** + +Each property of the entity type must be mapped to an attribute among those exported from Microsoft Entra ID. + +So each element of an entity type mapping is meant to link a property from the CSV file containing the exported Microsoft Entra ID attributes to a property from the entity type. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +         +     +... +``` + +As a result, synchronization updates Identity Manager's UR_Resource table based on the data of the exported CSV files. Considering that AzureAD_DirectoryObject has never been synchronized, the UR_Resource table receives a new line for which the 47th column (City) is filled in with the city column from the `C:/identitymanagerDemo/Temp/ExportOutput/AzureADContosoNYExport_directoryobjects.csv` file. + +An association mapping is the equivalent of an entity type mapping, but for the properties of an entity association instead of an entity type. 
+ +The following example describes the "actual group/member" associations between MicrosoftEntraID_DirectoryObjects. + +These associations are exported from the Microsoft Entra ID system into the `C:/identitymanagerDemo/Temp/ExportOutput/MicrosoftEntraIDContosoNYExport_members_group.csv` file, containing, for each group, a list of members in the following format, with id being the id of an Microsoft Entra ID object and groupId the matching Group's id to which the object belongs: + + | Id | GroupId | + | --- | --- | + | 12 | 454 | + | 3 | 454 | + | 4 | 454 | + | 5 | 333 | + | 2 | 333 | + +The following entity association mapping maps the properties from the MicrosoftEntraID_DirectoryObject_members entity association: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + + +... +``` + +Here the members property of the MicrosoftEntraID_DirectoryObject entity (written to the Property1 attribute of the MicrosoftEntraID_DirectoryObject_members entity association) is filled in by values from the groupId column (written to the Column1 attribute of the MicrosoftEntraID_DirectoryObject_members entity association mapping) of the CSV file. + +And the membersOf property of the MicrosoftEntraID_DirectoryObject entity (written to the Property2 attribute of the MicrosoftEntraID_DirectoryObject_members entity association) is filled in by values from the Id column (written to the Column2 attribute of the MicrosoftEntraID_DirectoryObject_members entity association mapping) of the CSV file. + +## Display the Connector in the UI + +This is how the connectors are displayed on the UI. + +**Menu items** + +Each connector should be configured with a menu item, which is created automatically when working via the UI. 
+ +![Menu Item - Azure AD Connector](/images/identitymanager/howtos_azure_menuitem_v603.webp) + +In XML, it should look like this: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Nav.xml + +``` + +**Displayed resources** + +See the [Organize Resources' Datasheets](../../../../user-guide/set-up/connect-system/entity-type-creation/datasheet-organization) topic for additional information on how to set the display properties via the UI. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml + +         +         + +``` + +![Navigation Properties - Azure AD Connector](/images/identitymanager/howtos_azure_navproperties_v603.webp) + +Microsoft Entra ID's resources are listed in a table. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml + +         +         +         + +``` + +![Display Table - Azure AD Connector](/images/identitymanager/howtos_azure_table_v603.webp) + +This is how the resources are displayed on the UI. + +**Resources' display names** + +See the [Set Resources' Display Names](../../../../user-guide/set-up/connect-system/entity-type-creation/display-name-setting) topic for additional information on how to set resources' display names via the UI. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml + +``` + +**Permissions** + +In order to access the connector, any user must have the right permissions. 
+ +The following example sets the permissions to access the Microsoft Entra ID connector and resources for the Administrator profile. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Profile Administrator.xml + +         +         + + +         + +``` + diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/index.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/index.md new file mode 100644 index 0000000000..f63095188e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/create-connector/index.md 
@@ -0,0 +1,124 @@ +--- +title: "Create a Connector" +description: "Create a Connector" +sidebar_position: 70 +--- + +# Create a Connector + +How to implement a [Connector](../../../../integration-guide/toolkit/xml-configuration/connectors/connector) via XML to connect Identity Manager to an external system. + +See an example on how to register [For Microsoft Entra ID](../../../../integration-guide/connectors/configuration-details/create-connector/entra-ID). + +Netwrix Identity Manager (formerly Usercube) strongly recommends configuring as much as possible via the UI instead of XML files. See the [Connect to a Managed System](../../../../user-guide/set-up/connect-system) topic to learn how to create a connector via the UI. + +## Prerequisites + +### Configure the external system + +Some systems need additional configuration for Identity Manager to connect. + +### Configure Identity Manager + +Identity Manager's agent must be set up to access the system's data via the related connector. + +Netwrix Identity Manager (formerly Usercube)  recommends performing the configuration via Identity Manager's configuration files like `appsettings.json` and `appsettings.agent.json`. However, these settings can also be input through environment variables. See the [Network Configuration](../../../../integration-guide/network-configuration) topic for additional information. + +This process is configured through a [Connection](../../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +```json +**appsettings.agent.json** + +{ ... "Connections": { ... "": { ... } } } +```` + + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. + +- Not begin with a digit. + +- Not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. 
+
+Netwrix Identity Manager (formerly Usercube) recommends completing this guide without credential protection, and once the configuration works switch to a more secure way of storing credentials.
+
+See the [
+Microsoft Entra ID](../../../../integration-guide/connectors/references-connectors/microsoftentraid) topic to learn how to protect Microsoft Entra ID's credentials.
+
+## Build the Connector
+
+See the [Connect to a Managed System](../../../../user-guide/set-up/connect-system) topic to learn how to build a connector via the UI, with its connections, entity types and mappings.
+
+When exporting the configuration, a `````` connector should be found in the ```Conf// Connector.xml``` file.
+
+All XML files must start with the `````` and `````` elements.
+
+### Entity model
+
+The [Entity Model](../../../../integration-guide/entity-model) of the connector defines how the exported data will be written to Identity Manager's repository. It should match as closely as possible the structure of the relevant data from the external system, and be aligned with Identity Manager's repository.
+
+The entity model is configured by entity type and entity association containing scalar and navigation properties. See the [Entity Model](../../../../integration-guide/entity-model)[Entity Association](../../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation), and [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype) topics for additional information.
+
+The entity model can be refined later in the project.
+
+### Entity mapping
+
+Each property of the entity type must be mapped to an attribute from among those exported from the system.
+
+Entity mapping is configured through [Entity Type Mapping](../../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and [Entity Association Mapping](../../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping).
+
+So each element of an entity type mapping is meant to link a property from the result of the CSV export file containing the exported attributes to a property from the entity type.
+
+In the mapping, the CSV file is identified by the ```ConnectionTable``` and the entity type by the ```Identifier```.
+
+An association mapping is the equivalent of an entity type mapping, but for the properties of an entity association instead of an entity type.
+
+## Display the Connector in the UI
+
+### Menu items
+
+Identity Manager provides a menu item to list all connectors in the dashboard's left menu.
+
+![Menu Item - Connectors](/images/identitymanager/home_entitytypes_v602.webp)
+
+> It is usually written like this:
+>
+> ```
+>
+> Runtime/Bootstrap/Nav.xml
+>
+>
+>
+> ```
+
+Then each connector should be configured with a menu item, which is created automatically when working via the UI.
+
+### Displayed resources
+
+See the [Organize Resources' Datasheets](../../../../user-guide/set-up/connect-system/entity-type-creation/datasheet-organization) to learn more on how to set the display properties via the UI.
+
+In the XML configuration, scalar properties are automatically displayed in the datasheets of the connector's resources. But navigation properties must be declared explicitly.
+
+The properties to be displayed are configured through [Display Entity Type](../../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype).
+
+Microsoft Entra ID's resources are listed in a table.
+
+The resources are displayed in a table configurable through a [Display Table](../../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable).
+
+### Resources' display names
+
+See the [Set Resources' Display Names](../../../../user-guide/set-up/connect-system/entity-type-creation/display-name-setting) to learn how to set resources' display names via the UI.
+
+Each resource is displayed in the UI with a display name.
+
+Resources' display names are customizable through [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype)
+property expression.
+
+### Permissions
+
+In order to access the connector, a user must have the right permissions.
+
+Permissions within Identity Manager are configured through [Access Control Rule](../../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule).
+````
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/credential-protection.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/credential-protection.md
new file mode 100644
index 0000000000..b21d16e95c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/credential-protection.md
@@ -0,0 +1,10 @@
+---
+title: "Credential Protection"
+description: "Credential Protection"
+sidebar_position: 20
+---
+
+# Credential Protection
+
+The credentials of any managed system can be protected using an [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption), a [CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) vault or an [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) safe.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-banking.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-banking.md
new file mode 100644
index 0000000000..23dc376ed9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-banking.md
@@ -0,0 +1,82 @@
+---
+title: "Run the Banking Demo Application"
+description: "Run the Banking Demo Application"
+sidebar_position: 40
+---
+
+# Run the Banking Demo Application
+
+This guide shows how to set up and run the Banking demo application.
+
+## Banking Application Description
+
+The Banking application is a demo application that represents a web based external system. The Banking application contains:
+
+- A main page
+- A list of users, accessible by clicking on **Users** at the top of the page. It is possible to add
+a user by clicking on **Create New User**
+
+ ![Users list](/images/identitymanager/demoapps_banking_userslist.webp)
+
+- A list of groups, accessible by clicking on **Groups** at the top of the page. Clicking on
+**Details** on a group shows the users belonging to that group
+- A user's details page for each user, accessible by clicking on **Details** on a user in the users
+list
+
+ ![User details](/images/identitymanager/demoapps_banking_userdetails.webp)
+
+The most interesting part of the Banking application is a user's page. On a user's page, it is possible to:
+
+- Edit the user's information
+- Delete the user
+- Add the user to a group
+- Remove the user from a group
+- Set the user's password
+
+The Banking application uses a database named BankingSystem as a data source. The changes made to a user are applied to the database, and will be saved.
+
+The Banking application exposes an API that complies with SCIM 2.0 (RFC 7643 & RFC 7644) standards. This API provides:
+
+- Token retrieval in two different ways — Login/Password and Client Credentials. This is not real
+authentication so you can input any values, as the system only verifies if the fields are empty.
+- A schema endpoint (/Schemas) that returns metadata describing SCIM resource types. This includes
+attributes, types, mutability, and required fields for Users and Groups, following SCIM 2.0 specifications.
+- Operations on users, including: Get list, Get by ID, Create, Update, and Delete (CRUD)
+- Operations on groups, limited to Get list only
+
+:::note
+ In the Banking Demo Application appsettings two parameters are available:
+:::
+- `RequireAuthorization` (default: true) — When enabled, the system checks whether a token is
+present in the request headers
+- `RequireSecureHeader` (default: false) — When enabled, the system verifies that the
+SecureHeaderparameter is included in the request headers
+
+:::tip
+ Remember, a Postman collection is provided in the same folder as the executable (.exe) to facilitate API testing.
+:::
+## Running the Banking Application
+
+The Banking Application is part of the Netwrix Identity Manager (formerly Usercube) SDK, and comes with prefilled sources. To run the Banking application:
+
+**Step 1 –** Download the SDK.
+
+**Step 2 –** Download the Runtime.
+
+**Step 3 –** Create a database named BankingSystem.
+
+**Step 4 –** Go to the Runtime folder.
+
+**Step 5 –** Run `./Usercube-FillBankingDatabase.exe --connection-string {connection string} --sources-path {sources path} --banking-sql-path {banking sql path}`, replacing `{connection string}` with the BankingSystem database connection string, `{sources path}` with the path to SDK/DemoApps/Sources, and `{banking sql path}` with the path to SDK/DemoApps/Banking.
+
+**Step 6 –** Go to the **SDK/DemoApps/Banking** folder.
+
+**Step 7 –** Run **./Banking.exe** in a command prompt
+
+**Step 8 –** In a web browser, enter the URL `localhost:5000`.
+
+The Banking application is running, and the web browser is on the Banking home page.
+
+To set the Banking application to another port, run `/Banking.exe --urls http://localhost:{port number}`. To access the application, enter the URL `localhost:{port number}` in a web browser.
+
+Some ports are not recognized by web browsers, or may already be used. Choose a port wisely.
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-hr.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-hr.md
new file mode 100644
index 0000000000..88e1db1f9d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/demoapp-hr.md
@@ -0,0 +1,37 @@
+---
+title: "Run the HR Demo Application"
+description: "Run the HR Demo Application"
+sidebar_position: 50
+---
+
+# Run the HR Demo Application
+
+This guide shows how to set up and run the HR demo application.
+
+## HR Application Description
+
+The HR application is a demo application that represents a web based external system. The HR application contains an employee list.
+
+![Users list](/images/identitymanager/demoapps_hr_userslist.webp)
+
+Each employee also has their own page, with the possibility to edit their profile or delete them. It is also possible to add a new employee.
+
+![User details](/images/identitymanager/demoapps_hr_userdetails.webp)
+
+The HR application uses csv files as data sources. When a user is added, deleted, or edited, the csv file will be modified, and the changes will be saved.
+
+## Running the HR Application
+
+The HR Application is part of the Identity Manager SDK, and comes with prefilled sources. To run the HR application:
+
+- Download the Identity Manager SDK.
+- Go to SDK/DemoApps/HR.
+- Modify **appsettings.json** > **CSVPath** to "..\\Sources".
+- Run **./HR.exe** in a command prompt.
+- In a web browser, enter the URL **localhost:5000**.
+
+The HR application is running, and the web browser is on the HR application employee list.
+
+To set the HR application to another port, run `./HR.exe --urls http://localhost:{port number}`. To access the application, enter the URL `localhost:{port number}` in a web browser.
+
+Some ports are not recognized by web browsers, or may already be used. Choose a port wisely.
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/index.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/index.md
new file mode 100644
index 0000000000..a6e15d55e7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/index.md
@@ -0,0 +1,15 @@
+---
+title: "Configuration Details"
+description: "Configuration Details"
+sidebar_position: 10
+---
+
+# Configuration Details
+
+This part gathers information about connector configuration.
+
+Netwrix Identity Manager (formerly Usercube) recommends creating and configuring a connector via the UI. See the [Connect to a Managed System](../../../user-guide/set-up/connect-system) topic for additional information.
+
+- [Connections](../../../integration-guide/connectors/configuration-details/connections)
+- [Credential Protection](../../../integration-guide/connectors/configuration-details/credential-protection)
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-gui-robotframework.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-gui-robotframework.md
new file mode 100644
index 0000000000..cb3def4ca8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-gui-robotframework.md
@@ -0,0 +1,220 @@
+---
+title: "Interact with a GUI Application via Robot Framework"
+description: "Interact with a GUI Application via Robot Framework"
+sidebar_position: 150
+---
+
+# Interact with a GUI Application via Robot Framework
+
+This guide shows how to write a Robot Framework script which interacts with an external application.
+
+## Example: Interacting with an application via a GUI
+
+Consider an external system that is accessible through a GUI program, and that does not offer an API. In this situation, we can either interact manually with the external system , or with a Robot Framework connection.
+
+## Prerequisites
+
+This guide will focus only on how to interact with a GUI application. The guide on how to write a Robot Framework script explains the basics of Robot Framework. The basic prerequisites can be found on the Robot Framework connector page. See the [Write a Robot Framework Script](../../../integration-guide/connectors/configuration-details/write-fulfill-robotframework-script) and [Robot Framework](../../../integration-guide/connectors/references-connectors/robotframework) topics for additional information.
+
+The requirements specific to the Robot Framework FlaUI library are as follows:
+
+- Python 3.7 or 3.8. For Python 3.9, using `pip install wheel` in the command prompt may solve
+installation errors.
+- Robot Framework FlaUI library: use `pip install --upgrade robotframework-flaui` in the command
+prompt.
+- The application with the GUI.
+
+Other Robot Framework libraries can interact with applications. The [desktop part of the zoomba library] can also interact with a program, but requires an appium server.
+
+While not strictly required, it is highly recommended that the [Robot Framework FlaUI library documentation](https://gdatasoftwareag.github.io/robotframework-flaui/keywords/1.6.6.html) be consulted.
+
+## Inspecting tools
+
+Most FlaUI keywords require an XPath locator. These XPaths can be found using the FlaUI inspection tool.
Download the [FlaUI inspection tool zip archive](https://github.com/FlaUI/FlaUInspect/releases), then extract the files to a folder. The inspection tool can be launched simply by running `FlaUIInspect.exe`.
+
+This tool lets you choose the UIA (UI Automation) version. Picking UIA3 should work in most use cases.
+
+The FlaUI inspection tool shows each window that is open on the computer. To find the element the script is supposed to interact with, it is possible to manually search through the windows, and through the elements. However, the easiest way is to use the Hover Mode, which is accessible in the tool bar by clicking on **Mode** > **Hover Mode (use Ctrl)**. To see the XPath, click on **Mode** > **Show XPath**.
+
+![Show XPath](/images/identitymanager/robotframeworkflaui_flauishowxpath.webp)
+
+To see the XPath of an element, hover over the element, and press control. A red box should appear around the element, and the FlaUI inspection tool should show the element's information. The XPath should be at the bottom left of the FlaUI element.
+
+![Highlight Element](/images/identitymanager/robotframeworkflaui_flauixpathexample.webp)
+
+As an example, imagine an application showing a list of files and folders. Targeting a specific file would produce an XPath in the shape of `/Window/Pane[3]/Pane/Pane[2]/List/Group[1]/ListItem[1]`. The important parts of this path are the beginning and the end. The beginning of the XPath specifies the window. The middle part of the XPath, in most cases, is irrelevant.
+
+The last part of the XPath however, `/Group[1]/ListItem[1]`, is what should be modified to find the right file. `Group[1]` means the element is in the first file group. `ListItem[1]` means the element is the first file of the group. Depending on the file explorer view mode, the XPath may end with `Edit[1]`, which means the targeted element is the name section of the file.
+
+As the Window's number may change, it should be specified by name.
For the Downloads folder, `Window[@Name='Downloads']` specifies the window. The file may not always be at the same position, so it should also be specified. If the file is `FlaUInspect.exe`, it can be specified with `ListItem[@Name='FlaUInspect.exe']`. The Group may also change. It is not easy to find the right group, so the best method is to remove the groups, by right clicking, then selecting **Group by** > **(None)**.
+
+## Use Case: Set a file to read-only
+
+Consider an HR system that creates a file for each employee. When an employee retires, it may be interesting to set the file to read-only, so that it is not modified by accident. It is possible to set the file to read-only by provisioning it with the Robot Framework.
+
+### Define settings
+
+As with every other Robot Framework script, the Identity Manager Robot Framework resource needs to be imported to launch the provisioning. The FlaUI library also needs to be imported to use its keywords.
+
+```text
+*** Settings ***
+Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource
+Library FlaUILibrary
+```
+
+### Define variables
+
+The `Variables` section contains variables that are used in the rest of the script. As the section is at the start of the script, the variables are easy to update. In this case, the folder's name and path are important variables that may be changed.
+
+```text
+*** Variables ***
+${FOLDERNAME} RobotFrameworkIdentity
+${FOLDERPATH} C:/identitymanagerDemo/${FOLDERNAME}
+```
+
+### Define custom keywords
+
+To modify a file's properties, the script needs custom keywords that allow the desired actions to be accomplished. In this case, to navigate through the explorer program. These keywords were written with the Windows 10 File Explorer in mind.
+
+ | Keyword | Details |
+ | --- | --- |
+ | Open Explorer | Opens and attaches the explorer program to FlaUI. A program can be attached to FlaUI by its name or by its `Pid`, which stands for process identifier.
The `Launch Application` keyword returns a `Pid`, however the program may launch multiple processes. In the case of the explorer, it is almost always running, even if no explorer windows are open. The `Pid` returned may not be the correct one. Attaching by the program name seems to work in this case. |
+ | Open Folder | Opens the folder specified in the `Variables` section. Accessing the address bar is not trivial, as it is not a text field until it is clicked. However, clicking on most elements of the address bar does not open the text field. In this keyword, the icon in the address bar is clicked, which opens the text field. |
+ | Get File Name | Returns the file's name. This allows the computation of the file's name through a keyword instead of an expression, which can make syntax easier. |
+ | Set File To Read Only | Sets the file corresponding to the user to read only. This keyword calls the other keywords in the right order, and is used to simplify the readability of the script. |
+ | Open File Properties | Right clicks on a file, then opens the file's properties. The right click is on the file's image, but it could be changed to any of the file's fields. Note that changing the folder's view mode or ordering may alter the file's XPath. |
+ | Select Read Only | Selects the read only option. This keyword simply clicks on the radio button, then clicks on the `Ok` button. If the radio button is already ticked, the file will no longer be in read only mode. The script clicks on the `Ok` button as it automatically closes the properties window, unlike the `Apply` button. |
+ | Close Explorer | Clicks on the cross to close the explorer window. It is also possible to close the program with the `Close Application` keyword, however that also closes the background explorer process, so closing only the window is better.
|
+
+```text
+Open Explorer
+ Launch Application explorer
+ Attach Application By Name explorer
+ Open Folder
+
+Open Folder
+ Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton
+ Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH}
+ Press Key s'ENTER'
+
+Get File Name
+ [Arguments] ${order}
+ [return] ${order['Changes']['Identifier']}.txt
+
+Set File To Read Only
+ [Arguments] ${order}
+ ${FileName}= Get File Name ${order}
+ Open File Properties ${FileName}
+ Select ReadOnly ${FileName}
+
+Open File Properties
+ [Arguments] ${filename}
+ Right Click /Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image
+ Click /Menu[@Name='Context']/MenuItem[@Name='Properties']
+
+Select Read Only
+ [Arguments] ${filename}
+ Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only']
+ Click /Window[@Name='${filename} Properties']/Button[@Name='OK']
+
+Close Explorer
+ Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close']
+```
+
+### Define mandatory keywords
+
+To provision the system, the script must contain the three mandatory keywords: `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify`. In this case, only ExecuteDelete is implemented. (It is considered, perhaps foolishly, that employees will not come out of retirement!)
+
+```text
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ Log To Console ExecuteAdd is not implemented
+
+ExecuteDelete
+ [Arguments] ${order}
+ Set File To Read Only ${order}
+
+ExecuteModify
+ [Arguments] ${order}
+ Log To Console ExecuteModify is not implemented
+```
+
+### Define test cases
+
+Although the Robot Framework is used for provisioning in Identity Manager, it is most often used for testing, which is why the `Test Cases` section defines what should happen when Identity Manager starts the Robot Framework task.
The `Launch Provisioning` keyword is the one that will fetch the provisioning orders.
+
+```text
+*** Test Cases ***
+Run Provisioning
+ Open Explorer
+ Launch Provisioning
+ Close Explorer
+```
+
+### Read the full script
+
+The full script is as follows:
+
+```text
+*** Settings ***
+Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource
+Library FlaUILibrary
+
+*** Variables ***
+${FOLDERNAME} RobotFrameworkIdentity
+${FOLDERPATH} C:/identitymanagerDemo/${FOLDERNAME}
+
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ Log To Console ExecuteAdd is not implemented
+
+ExecuteDelete
+ [Arguments] ${order}
+ Set File To Read Only ${order}
+
+ExecuteModify
+ [Arguments] ${order}
+ Log To Console ExecuteModify is not implemented
+
+Open Explorer
+ Launch Application explorer
+ Attach Application By Name explorer
+ Open Folder
+
+Open Folder
+ Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton
+ Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH}
+ Press Key s'ENTER'
+
+Get File Name
+ [Arguments] ${order}
+ [return] ${order['Changes']['Identifier']}.txt
+
+Set File To Read Only
+ [Arguments] ${order}
+ ${FileName}= Get File Name ${order}
+ Open File Properties ${FileName}
+ Select ReadOnly ${FileName}
+
+Open File Properties
+ [Arguments] ${filename}
+ Right Click /Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image
+ Click /Menu[@Name='Context']/MenuItem[@Name='Properties']
+
+Select Read Only
+ [Arguments] ${filename}
+ Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only']
+ Click /Window[@Name='${filename} Properties']/Button[@Name='OK']
+
+Close Explorer
+ Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close']
+
+*** Test Cases ***
+Run Provisioning
+ Open Explorer
+ Launch Provisioning
+ Close Explorer
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md
new file mode 100644
index 0000000000..619d0d7569
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md
@@ -0,0 +1,339 @@
+---
+title: "Interact with a Web Page via Robot Framework"
+description: "Interact with a Web Page via Robot Framework"
+sidebar_position: 140
+---
+
+# Interact with a Web Page via Robot Framework
+
+This guide explains how to write a Robot Framework script that interacts with a web based external system.
+
+## Example: Interacting with a web-based application
+
+Consider an external system that is accessible through a web interface, and that does not offer an API. In this situation, we can either interact manually with the external system , or with a Robot Framework connection.
+
+## Prerequisites
+
+This guide will focus only on how to interact with a web-based application. The guide on how to write a Robot Framework script explains the basics of Robot Framework. The basic prerequisites can be found on the Robot Framework connector page. See the [Write a Robot Framework Script](../../../integration-guide/connectors/configuration-details/write-fulfill-robotframework-script) and [Robot Framework](../../../integration-guide/connectors/references-connectors/robotframework) topics for additional information.
+
+The prerequisites are explained in detail at the [Robot Framework selenium pypi](https://pypi.org/project/robotframework-seleniumlibrary/) page.
+
+The requirements specific to the Robot Framework Selenium library are as follows:
+
+- Robot Framework selenium library: use `pip install --upgrade robotframework-seleniumlibrary` in
+the command prompt.
+- A web browser.
+- A web driver that corresponds to the web browser and its version. Webdrivers can be found in the [Selenium website](https://www.selenium.dev/selenium/docs/api/py/index.html#selenium-website).
+This web driver should be in your path. To check that the web driver is in your path, use `gcm {webdriver_name}`. As an example for Edge, use `gcm MicrosoftWebDriver`.
+
+The web driver for Edge is called `msedgedriver.exe`, but the Robot Framework may expect it to be called `MicrosoftWebDriver.exe` depending on the python version. Renaming the web driver from `msedgedriver.exe` to `MicrosoftWebDriver.exe` should fix this issue.
+
+If the browser is updated, the web driver should also be updated.
+
+While not strictly required, it is highly reccomended to look at the [Robot Framework selenium library documentation](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html).
+
+## Selenium basics
+
+Selenium is a web browser automation tool. Selenium can automatically perform scripted actions in a web browser. Selenium is not easy to use on its own, and it is easier to use Selenium via the Robot Framework. However, the basics are still the same.
+
+The basic structure of a web page is defined with HTML. It is accessible with the inspect tool, which can be opened by pressing the F12 key on most browsers. For Selenium, we want to find information on specific parts of the page. Inspecting an element can be done by right clicking the element, and clicking **Inspect**.
+
+![Inspect Tool](/images/identitymanager/robotframeworkselenium_inspecttool.webp)
+
+Suppose the goal of the script is to copy the content of the code block, and paste it to a file, to ensure that the file is up to date with the documentation. To do this, the Robot Framework has to click on the **copy to clipboard** button with the keyword [`Click Element`](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html#click-element).
+
+## Locating elements
+
+As stated in the Robot Framework SeleniumLibrary documentation, the keyword `Click Element` requires an element locator. The element locator identifies which element the Robot Framework should click. To ensure the right element is clicked, the element locator should only match the one element which should be clicked.
+
+In the HTML, the button has a class `class="copy-to-clipboard"`.
The element locator `class:copy-to-clipboard` matches the button. However, there are other buttons with the same class on the page. The easiest way to click the right button is with an XPath element locator.
+
+### XPath element locators
+
+Each element on the web page has an XPath, and each XPath uniquely identifies an element. This means that we can always use an XPath locator. To get the XPath of an element, inspect the element, then right click it in the HTML, and click on **Copy** > **Full XPath**.
+
+![Copy Full XPath](/images/identitymanager/robotframeworkselenium_copyfullxpath.webp)
+
+For the `copy to clipboard` button, the XPath is `/html/body/section/div[2]/div[3]/div[1]/pre[4]/span`.
+
+XPaths change as the page is updated. Using a location strategy other than the XPath strategy should reduce the maintenance needs of the script.
+
+### Hypertext references and API calls
+
+Some elements have links to other websites or pages of the same website. In the HTML inspection, these elements are likely to have a `href` attribute containing the link. `Href` stands for hypertext reference. By going directly to the linked URL instead of clicking the link, the script does not need to specify an element locator for the link.
+
+In some cases, an API can be called simply by going to the right URL. This URL may be used as a shortcut to avoid having to fill in text fields. The `href` attributes may show the format of the API calls.
+
+## Use Case: Fulfill groups in a Banking system
+
+The Banking system is a Identity Manager demo application that represents an external system. The Banking system stores basic information on its users such as their names, mail addresses� The most interesting part of the Banking system is the groups functionality, as users can belong to multiple groups, and groups can have multiple users.
+ +The goal of this use case is to extract the existing associations between groups and users from the Banking system into Identity Manager, then provide a way to add users to a group and remove users from a group. To showcase the password generation, the script will generate a password for the provisioned users' accounts. + +### Connector configuration + +As stated in the previous part, the Banking connector is supposed to link the users and their groups. This means that the connector has a user entity type, and a group entity type, with an entity association between them. + +The Banking connector has to be able to extract the data, and fulfill the Banking system. The fulfillment of the Banking system can only be done through its web application, which means the Robot Framework Selenium library will be used. The extraction of the data will be performed through an SQL connection. + +For simplicity's sake, only the user's `Login` is kept. + +```xml + + +``` + +The notion of groups in the Banking system is replaced by the notion of single roles in Identity Manager. A user belonging to the accountant group in the Banking system has the accountant single role in Identity Manager. To automate the correspondance, the connector's configuration requires a rule between the group resource and the single role. This can be done with a navigation rule for each single role and corresponding group. + +For simplicity's sake, only three roles are kept. + +```xml + +``` + +### Define settings + +As with every other Robot Framework script, the resource needs to be imported to launch the provisioning. The SeleniumLibrary also needs to be imported to use its keywords. + +```text +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library SeleniumLibrary +``` + +### Define variables + +The variables in the `Variables` section can serve two purposes. 
+
+- Values that should be modified easily: The browser and the Banking web application URL change with
+the provisioning environment.
+- Values that are used multiple times: The Banking web application URL is used three times in the
+script. This avoids editing mistakes that happen when only one of the instances is modified.
+
+```text
+*** Variables ***
+${BROWSER} edge
+${BANKINGURL} http://localhost:5011
+```
+
+### Define custom keywords
+
+The script defines several custom keywords. As the element locators may not be easily understandable, it is important that the keywords are not long, and have descriptive names.
+
+ | Keyword | Details |
+ | --- | --- |
+ | Modify User | Sets a password for the user, then applies the provisioning order. This keyword does everything the `Execute Modify` keyword should do, so that it can be used for error handling. As the provisioned resource type may not have password reset settings, the password generation could fail, which is why it is called by the `Try Keyword` keyword. |
+ | Restart Banking And Fail | Restarts the Banking Application, then fails the keyword execution. This keyword should be used when the Banking application is in an unknown state. |
+ | Launch Banking App | Launches the Banking web application. To check that the web browser is on the right page, the title of the page is verified with the `Title Should Be` keyword. |
+ | Set Password | Generates a password for the provisioned user, sets their Banking password to that password, then sends a notification. This keyword attempts to send the notification as soon as the password is set. First, this ensures that the notification is sent even if the rest of the script would crash. Second, this keeps the password in memory for the least amount of time possible, which reduces security risks. |
+ | Add Group To User | Selects the group that should be added, and clicks the **Save** button. This keyword also verifies that the web browser has the expected title.
The `Click Element At Coordinates` keyword is used to reset the state of the page, as selecting the group hides the **Save** button. |
+ | Search User And Add Group | Goes to the page to add groups to the right user, and calls `Add Group To User`. This keyword also verifies that the web page has the expected title. |
+ | Add Groups | Calls `Search User And Add Group` for each group in the provisioning order. |
+ | Add All Groups | Computes the number of groups to add, and if there is at least one, calls `Add Groups`. The only way to find the number of groups to add is in the **Changes** > **groups_add** section of the provisioning order. This section does not exist if there are no groups to add, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. |
+ | Remove Group From User | Goes to the URL corresponding to the API call to remove the group from the user. |
+ | Remove Groups | Calls `Remove Group From User` for each group in the provisioning order. |
+ | Remove All Groups | Computes the number of groups to remove, and if there is at least one, calls `Remove Groups`. The only way to find the number of groups to remove is in the **Changes** > **groups_remove** section of the provisioning order. This section does not exist if there are no groups to remove, so the `Run Keyword And Ignore Error` is called to avoid propagating the error.
|
+
+```text
+*** Keywords ***
+Modify User
+ [Arguments] ${order}
+ Try Keyword Set Password ${order}
+ Catch Keyword Go To ${BANKINGURL}/User
+ Title Should Be All Users - Banking System
+ Add All Groups ${order}
+ Remove All Groups ${order}
+
+Restart Banking And Fail
+ Close Browser
+ Launch Banking App
+ Fail ${Provisioning failed, restarting the browser}
+
+Launch Banking App
+ Open Browser ${BANKINGURL} ${BROWSER}
+ Title Should Be Home Page - Banking System
+
+Set Password
+ [Arguments] ${order}
+ Go To ${BANKINGURL}/User/SetPassword/${login}
+ Title Should Be Edit ${login} - Banking System
+ ${password}= Generate Password
+ Input Text id:Password ${password}
+ Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input
+ Send Password Notification
+
+Add Group To User
+ [Arguments] ${groupName}
+ Select From List By Value name:group ${groupName}
+ Click Element at Coordinates name:group 250 0
+ Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input
+ Title Should Be All Users - Banking System
+
+Search User And Add Group
+ [Arguments] ${login} ${groupName}
+ Go To ${BANKINGURL}/User/AddGroup/${login}
+ Title Should Be Add Group to ${login} - Banking System
+ Add Group To User ${groupName}
+
+Add Groups
+ [Arguments] ${order} ${length}
+ FOR ${i} IN RANGE ${length}
+ Search User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']}
+ END
+
+Add All Groups
+ [Arguments] ${order}
+ ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']}
+ Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length}
+
+Remove Group From User
+ [Arguments] ${login} ${groupName}
+ Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName}
+
+Remove Groups
+ [Arguments] ${order} ${length}
+ FOR ${i} IN RANGE ${length}
+ Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']}
+ END
+
+Remove All Groups
+ [Arguments]
${order}
+ ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']}
+ Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length}
+```
+
+### Define mandatory keywords
+
+To be able to provision the system, the script must contain the `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify` keyword. As the Banking system is only able to modify existing accounts, only the `Execute Modify` keyword is implemented.
+
+To simplify error handling, the `Execute Modify` keyword only calls the `Modify User` keyword. As only a single keyword is needed, it can be called within the `Try Keyword` keyword. This means that the error handling can be handled with the `Catch Keyword` keyword.
+
+```text
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ Log To Console ExecuteAdd is not implemented
+
+ExecuteDelete
+ [Arguments] ${order}
+ Log To Console ExecuteDelete is not implemented
+
+ExecuteModify
+ [Arguments] ${order}
+ Try Keyword Modify User ${order}
+ Catch Keyword Restart Banking And Fail
+```
+
+### Define test cases
+
+Although the Robot Framework is used for provisioning in Identity Manager, it is most often used for testing, which is why the `Test Cases` section defines what should happen when Identity Manager starts the Robot Framework task. Note that the `Launch Provisioning` keyword is mandatory for the provisioning to happen.
+
+As the browser should always be closed after the tests, a teardown is used to ensure that regardless of the script's execution state, the browser is closed.
+
+```text
+*** Test Cases ***
+Run Provisioning
+ Launch Banking App
+ Launch Provisioning
+ [Teardown] Close Browser
+```
+
+### Read the full script
+
+The full script is as follows:
+
+```text
+*** Settings ***
+Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource
+Library SeleniumLibrary
+
+*** Variables ***
+${BROWSER} edge
+${BANKINGURL} http://localhost:5011
+
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ Log To Console ExecuteAdd is not implemented
+
+ExecuteDelete
+ [Arguments] ${order}
+ Log To Console ExecuteDelete is not implemented
+
+ExecuteModify
+ [Arguments] ${order}
+ Try Keyword Modify User ${order}
+ Catch Keyword Restart Banking And Fail
+
+Modify User
+ [Arguments] ${order}
+ Try Keyword Set Password ${order}
+ Catch Keyword Go To ${BANKINGURL}/User
+ Title Should Be All Users - Banking System
+ Add All Groups ${order}
+ Remove All Groups ${order}
+
+Restart Banking And Fail
+ Close Browser
+ Launch Banking App
+ Fail ${Provisioning failed, restarting the browser}
+
+Launch Banking App
+ Open Browser ${BANKINGURL} ${BROWSER}
+ Title Should Be Home Page - Banking System
+
+Set Password
+ [Arguments] ${order}
+ Go To ${BANKINGURL}/User/SetPassword/${login}
+ Title Should Be Edit ${login} - Banking System
+ ${password}= Generate Password
+ Input Text id:Password ${password}
+ Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input
+ Send Password Notification
+
+Add Group To User
+ [Arguments] ${groupName}
+ Select From List By Value name:group ${groupName}
+ Click Element at Coordinates name:group 250 0
+ Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input
+ Title Should Be All Users - Banking System
+
+Search User And Add Group
+ [Arguments] ${login} ${groupName}
+ Go To ${BANKINGURL}/User/AddGroup/${login}
+ Title Should Be Add Group to ${login} - Banking System
+ Add Group To User ${groupName}
+
+Add Groups
+ [Arguments] ${order} ${length}
+ FOR ${i} IN RANGE ${length}
+ Search
User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']}
+ END
+
+Add All Groups
+ [Arguments] ${order}
+ ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']}
+ Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length}
+
+Remove Group From User
+ [Arguments] ${login} ${groupName}
+ Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName}
+
+Remove Groups
+ [Arguments] ${order} ${length}
+ FOR ${i} IN RANGE ${length}
+ Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']}
+ END
+
+Remove All Groups
+ [Arguments] ${order}
+ ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']}
+ Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length}
+
+*** Test Cases ***
+Run Provisioning
+ Launch Banking App
+ Launch Provisioning
+ [Teardown] Close Browser
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/powershell-fulfill.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/powershell-fulfill.md
new file mode 100644
index 0000000000..b2cb362907
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/powershell-fulfill.md
@@ -0,0 +1,504 @@
+---
+title: "Fulfill Microsoft Exchange via PowerShell"
+description: "Fulfill Microsoft Exchange via PowerShell"
+sidebar_position: 100
+---
+
+# Fulfill Microsoft Exchange via PowerShell
+
+This guide shows how to set up a PowerShell connector to fulfill data in Microsoft Exchange Server. It will focus on registering Identity Manager within the target Microsoft Exchange instance, configuring the connector, and building the job to perform a regularly scheduled fulfillment. Of course, any other system compatible with PowerShell can be chosen.
+
+## Prerequisites
+
+### External System Configuration
+
+Check the following prerequisites:
+
+- [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov)
+- [Microsoft Exchange](../../../integration-guide/connectors/references-connectors/microsoftexchange)
+- [Active Directory](../../../integration-guide/connectors/references-connectors/activedirectory)
+
+Let's consider a simplified system, including three parts:
+
+1. Identity Manager
+2. Microsoft Exchange Server
+3. Active Directory
+
+For more details on the complete system, see [Exchange architecture](https://docs.microsoft.com/en-us/exchange/network-configuration/architecture?view=exchserver-2016).
+
+Identity Manager can:
+
+- export and fulfill AD entries independently of Microsoft Exchange.
+- export mailboxes from Microsoft Exchange independently of AD.
+- fulfill a mailbox but Identity Manager needs first to fulfill an AD entry and then, launch the
+Microsoft Exchange Fulfill.
+
+### Identity Manager Configuration
+
+This step sets up the Identity Manager Agent to use the Active Directory and PowerShell connectors in order to fulfill the Microsoft Exchange mailboxes.
+
+The settings must be entered in `appsettings.agent.json > Connections`.
For more details, see the [Active Directory](../../../integration-guide/connectors/references-connectors/activedirectory) and [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov) sections.
+
+#### Add Sections
+
+As explained previously, the simplified system consists of Identity Manager and two other systems. It means that settings are required in `appsettings.agent.json` to connect with the systems. See the [Microsoft Exchange](../../../integration-guide/connectors/references-connectors/microsoftexchange), [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov), and [Active Directory](../../../integration-guide/connectors/references-connectors/activedirectory) topics for additional information.
+
+> This example contains export and fulfillment settings for the Active Directory and for Microsoft
+> Exchange:
+>
+> ```
+> appsettings.agent.json
+> {
+> "Connections": {
+> ...
+> "ADFulfillment": {
+> "Servers": [> {
+> "Server": "...",
+> "BaseDN": "..."
+> },
+> {
+> "Server": "paris.contoso.com",
+> "BaseDN": "DC=defense,DC=paris,DC=com"
+> }
+>],
+> "AuthType": "Basic",
+> "Login": "...",
+> "Password": "...",
+> "Filter": "(objectclass=*)",
+> "EnableSSL": true,
+> }
+> "MicrosoftExchangeExportFulfillment": {
+> // Export Microsoft Exchange settings
+> ...
+> // Fulfillment Microsoft Exchange settings
+> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Fulfill-Exchange.ps1",
+> "Options": {
+> "AuthType": "Basic",
+> "Server": "http://ex-server1/powershell",
+> "Login": "PIXELABS\\Administrateur",
+> "Password": "Secret123"
+> }
+> },
+> }
+> }
+> ```
+
+As this guide focuses on the fulfillment of an external system, export settings will be omitted.
+
+The Fulfill-PowerShell needs a script whose path is defined by the attribute **PowerShellScriptPath**.
Identity Manager provides a script in the SDK in `Usercube.Demo/Scripts/Fulfill-Exchange.ps1`.See the [Write a PowerShell Script for Provisioning](../../../integration-guide/connectors/configuration-details/write-fulfill-powershell-script) topic for additional information on how to write a customized script.
+
+To define and apply additional settings when authenticating to an external system, we can set the attribute Options and add required parameters for authentication.
+
+In the example above, the `Basic` AuthType was chosen to show how to fill the credentials, but it isn't mandatory to use this. See the [Microsoft Exchange](../../../integration-guide/connectors/references-connectors/microsoftexchange) topic for additional information.
+
+For pedagogical reasons, this guide focuses on the simplest way to set up the fulfillment, but it's not the most secure. Hence, it is strongly recommended to use Kerberos AuthType or credentials protection via Azure Key Vault or CyberArk in a production environment. See the [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov) topic for additional information. Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the configuration, and only then, switching to a more secure way of storing credentials.
+
+## Build the Connector
+
+To be used for export tasks, a connector must be declared in the applicative configuration and linked to an Agent. See the [Toolkit for XML Configuration](../../../integration-guide/toolkit) topic for additional information.
+
+It is strongly recommended that the applicative configuration be stored in the working directory Conf folder as a set of xml files organized by connector. To follow this structure, create a MicrosoftExchange directory in the Conf folder.
+
+### Declare a Connector
+
+In the `MicrosoftExchange` directory, create a `MicrosoftExchange Connector.xml` file.
This file contains the declaration of the connector and the associated [Entity Model](../../../integration-guide/entity-model).
+
+> This example declares the
+> `MicrosoftExchange`[Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector)
+> on the `Local` agent, and the
+> [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) linked to the
+> previously defined `MicrosoftExchangeExportFulfillment` JSON section (see the example above):
+>
+> ```
+> Conf/MicrosoftExchange/MicrosoftExchange Connector.xml
+> ...
+> ...
+>
+>
+> ```
+
+### Write Entity Types
+
+The [Entity Model](../../../integration-guide/entity-model) should match as closely as possible the structure of the Microsoft Exchange data relevant for Identity Manager. It is designed by analyzing the Microsoft Exchange data structure, and describing said data with Entity Types and [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation).
+
+Eventually, it is up to the integration team to design the [Entity Model](../../../integration-guide/entity-model) that best serves the Role Model needs. It will most likely be refined iteratively throughout the project integration. See the [Assignment Policy](../../../integration-guide/role-assignment/role-model-rules) topic for additional information.
+
+A good starting point for the Entity Model is to mirror the shape of the Microsoft Exchange mailboxes and databases.
+
+##### Example
+
+This example defines the entity types named MicrosoftExchange_Database and MicrosoftExchange_Mailbox.
+
+Notice the omitted **TargetColumnIndex** attribute and the presence of Type="ForeignKey" for the Mailboxes and Database properties. If omitted, this attribute indicates that the properties are navigation properties.
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Connector.xml
+...
+ ...
+```
+
+### Write the Entity Type Mapping
+
+The entity type must be mapped, on a property by property basis, to the exported attributes of Microsoft Exchange mailboxes and databases (namely, the columns of the CSV source files generated by the export). The [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) element maps scalar properties from a CSV source file to an EntityType.
+
+##### Example
+
+In this example, the CSV source files are microsoftexchange_databases.csv and microsoftexchange_mailboxes.csv located in the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) folder.
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Connector.xml
+...
+ ...
+```
+
+### Write Entity Associations
+
+Entity types are associated through their navigation properties with [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) elements.
+
+##### Example
+
+The following example declares a `1:n` (`'one-to-many'`) association. One `MicrosoftExchange_Database` may be referenced by any number of `MicrosoftExchange_Mailbox`_(es)_, but each `MicrosoftExchange_Mailbox` can only reference one `MicrosoftExchange_Database`.
+
+The properties used for the association must be `Primary` or `Unique` keys.
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Connector.xml
+...
+...
+```
+
+### Write the Entity Association Mapping
+
+The [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) element maps column values from a CSV source file to an EntityType navigation property.
+
+##### Example
+
+This example describes the mailbox/database associations between MicrosoftExchange_Mailbox and MicrosoftExchange_Database. Thanks to the **Export** Microsoft Exchange job, the file microsoftexchange_mailboxes.csv is generated.
This file looks like:
+
+```text
+Command;Property_1;Property_2;...;Property_N
+Add;value1;value2;...;valueN
+```
+
+Each line of the CSV file corresponds to a `MicrosoftExchange_Mailbox`. The properties used in the association are:
+
+- `Guid`: the Guid of the `MicrosoftExchange_Mailbox`.
+- `Name`: the name of the `MicrosoftExchange_Database` referencing the `MicrosoftExchange_Mailbox`
+(name is unique among the databases).
+
+The following table can be extracted from the CSV file:
+
+ | Guid | Name |
+ | --- | --- |
+ | 4ecbdba7-e984-409a-a9ac-6027ac81fa42 | Mailbox Database 1882404652 |
+ | 1d3e67a2-7d44-46f1-a300-afa73ae120f4 | DB1 |
+ | aab57e15-847b-4e16-96f1-82ebc54c01e2 | DB1 |
+ | ea513604-3758-463f-9b72-6c42ea949260 | DB2 |
+
+It means that the MicrosoftExchange_Mailbox with Guid ? 4ecbdba7-e984-409a-a9ac-6027ac81fa42 is contained in the MicrosoftExchange_Database with Name ? Mailbox Database 1882404652. This association is created for every line in the CSV file, and therefore also for every line in the table above.
+
+This can be enabled with an **EntityAssociationMapping** like in the following XML:
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Connector.xml
+...
+...
+```
+
+The CSV file `microsoftexchange_mailboxes.csv` must be exported to the export output folder. See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) topic for additional information.
+
+## Build the Role Model
+
+An [Entitlement Management](../../../introduction-guide/overview/entitlement-management) must be created with the following elements:
+
+- `ResourceType`
+- `ResourceTypeMapping`
+- `ResourceCorrelationRule`
+- `SingleRole` (optional)
+
+### Resource Type
+
+A [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) is a conceptual model of an information system object, here a mailbox.
+
+The resource type contains several rules:
+
+- Type Rule which assigns a resource to a user
+- which specifies the value to be set to an assigned resource scalar property
+- Resource Type which specifies a value to be set to an assigned resource multi-valued navigation
+property
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml
+...
+ ...
+```
+
+The TargetEntityType is MicrosoftExchange_Mailbox and the SourceEntityType is Directory_User.
+
+This Resource Type allows Identity Manager to compute the values used when fulfilling the external system.
+
+Finally, the Navigation Rule sets the property Database of the entity MicrosoftExchange_Mailbox. See the Fulfill Microsoft Exchange via PowerShell topic for additional information.
+
+### Resource Type Mapping
+
+A [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings) element contains all the resource types (sharing the same Identifier) that can be provisioned into targeted platforms, applications, and systems.
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml
+...
+...
+```
+
+In this example, `Fulfill-PowerShell` requires only a simple `ResourceTypeMapping` (including only one `Identifier` and one `Connection`):
+
+- The **Identifier** attribute is `MicrosoftExchange_Mailbox_NominativeUser` which corresponds to
+the identifier of the resource type defined earlier.
+- The **Connection** attribute is `MicrosoftExchangeExportFulfillment` which corresponds to the
+section in `appsettings.agent.json` containing the parameters used to provision the external system.
+
+### Resource Correlation Rule
+
+A [Resource Correlation Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule) is used to correlate the resource `MicrosoftExchange_Mailbox_NominativeUser` with the `Directory_User`.
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/NotImplementInAutoTest/Directory User Role Model MicrosoftExchange.xml
+...
+...
+```
+
+This rule means if the `SamAccountName` (`MicrosoftExchange_Mailbox`) is equal to the `Login` (`Directory_User`) then, the `ResourceType` can be linked to the `User` with a confidence rate of 100%.
+
+### Single Role (optional)
+
+A [Single Role](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) encapsulates system entitlements.
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml
+...
+...
+```
+
+This single role was previously used in one of the navigation rules defined in the `ResourceType`.
+
+```xml
+Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml
+...
+...
+```
+
+If a `Directory_User` is assigned the SingleRole `DB1` then, the `NavigationRule` indicates that the property `Database` (in `MicrosoftExchange_Mailbox`) will have the value `9c512155-d912-4fcb-9448-0755fbaf1b96` (unique id of a `MicrosoftExchange_Database`).
+
+## Display
+
+This step focuses on configuring a nice display for the synchronized list of resources in the UI.
+
+### Navigation
+
+A [Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) can be added to include a link to the resources list in the left menu on the UI home screen.
+
+It is strongly recommended that you gather synchronized resources menu items under parent menu items. This is usually declared in the `Nav.xml` file in the configuration root folder.
+
+NETWRIX also advises to use a new `MicrosoftExchange Nav.xml` file in the `MicrosoftExchange` connector's folder to add a `mailboxes` and `databases` menu item.
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Nav.xml
+...
+ ...
+```
+
+This example adds a new menu item under the `Nav_Connectors` menu item declared in the root `Conf/Nav.xml` file.
This new menu item gives access to the list of synchronized Microsoft Exchange entities.
+
+![Microsoft Exchange Menu Items](/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp)
+
+### Configuration
+
+It is strongly recommended that the display configuration be written to a new `MicrosoftExchange UI.xml` file in the `MicrosoftExchange` connector's folder.
+
+#### All-in-One Scaffolding
+
+The [View Target Resource Template](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate) generates all the required elements to be seen by the user.
+
+##### Example
+
+The documentation explains what is generated by the following scaffolding:
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange UI.xml
+...
+...
+```
+
+The following sections show how to override the elements generated by this scaffolding in order to provide a more precise display.
+
+#### Display Entity Type
+
+The [Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) describes how a single resource should be displayed.
+
+##### Example
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange UI.xml
+...
+ ...
+```
+
+This example configures the following display for [wolfgang.abendroth@acme.com](mailto:wolfgang.abendroth@acme.com).
+
+![Microsoft Exchange Display Entity Type](/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp)
+
+The scalar properties require no configuration: they are automatically displayed. The only information that the [Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) adds here, is that the property `BasicCollection` is a navigation property. An eye icon will be displayed to take you directly to the matching page.
+
+#### Display Table
+
+The [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) elements describe how a list of resources should be displayed.
+
+The [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) contains a list of [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) columns elements that identify which properties should be included in the list display.
+
+##### Example
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange UI.xml
+...
+ ...
+```
+
+This example configures the following list display:
+
+![Microsoft Exchange Display Table](/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp)
+
+#### Internal Display Name
+
+An `InternalDisplayName` can also be declared as an [Entity Type](../../../integration-guide/toolkit/xml-configuration/metadata/entitytype) property expression. The `InternalDisplayName` is used in several UI screens to identify a resource for the user.
+
+With no custom `InternalDisplayName`, a default value is used (instead of the first property of the identity) containing the string **name**. If no such property is found, the first declared property of the entity type is used.
+
+##### Example
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange UI.xml
+...
+...
+```
+
+This example adds the `InternalDisplayName` to the `MicrosoftExchange_Mailbox` entity type to be used by the UI.
+
+### Permissions
+
+This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector.
+
+The [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) and Access Control Entry elements define [AccessControlPermission](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It is used by the UI when displaying data such as resources and available roles.
+
+It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the `MicrosoftExchange Profile Administrator.xml` file.
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Profile Administrator.xml
+...
+...
+```
+
+This example sets permissions for the `Administrator` profile.
+
+It entitles an administrator to display Microsoft Exchange resources (`mailboxes` and `databases`) and role categories from the UI.
+
+## Jobs
+
+### Construction
+
+This step focuses on writing a Complete Synchronization Job.
+
+Netwrix Identity Manager (formerly Usercube) recommends writing Jobs associated with the MicrosoftExchange connector to the Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml file.
+
+#### Example
+
+```xml
+Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml
+...
+ ...
+```
+
+This job will be executed on Microsoft Exchange's connector agent.
+
+Notice the **Identifier** attribute with the value `Job` in the `OpenIdIdentifier` tag. It refers to the `ClientId` written to the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) technical configuration. The Tasks will authenticate with the profile associated with this `ClientId` in the `` xml configuration element.
+
+There is also the tag `` which means that the export will not be executed. Removing the tag will launch export-related tasks before fulfillment-related tasks.
Export tasks need the same XML configuration and additional settings in Fulfill Microsoft Exchange via PowerShell.
+
+All the job steps generated by the scaffolding can be found in the [Create Connector Synchro Complete](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete) scaffolding.
+
+Check [Create Connector Synchro Incremental](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental) for incremental synchronization.
+
+### Permissions
+
+The execution of a Job entails the execution of Tasks, reading/writing to the Database and sending files over to the Server. These operations are protected by an authorization mechanism.
+
+A [Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile) is required and must have the proper permissions for the associated Job or Task to perform.
+
+Here, jobs use the default `OpenId`.
+
+### Job Launch
+
+Scheduling the job execution can rely either on Identity Manager's scheduler or an external scheduler.
+
+#### With Scheduler
+
+Use the [Job](../../../integration-guide/toolkit/xml-configuration/jobs/job) Cron Tab Expression attribute.
+
+#### With an external scheduler
+
+An external scheduler would rely on the [Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job) tool.
+
+## Validation
+
+### Deploy Configuration
+
+The configuration is written to the database using the [Deploy Configuration Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask) tool.
+
+### Test
+
+#### ADMicrosoftExchange Prerequisites
+
+An Active Directory configuration is required for Microsoft Exchange to work. Fill the AD Microsoft Exchange Export Fulfillment settings in accordance with the configuration.
+
+To reset the password, if **AuthType** is `Basic`, then **EnableSSL** must be `true`.
Otherwise, if **AuthType** is `Kerberos`, then **EnableSSL** is not required.
+
+#### Mailbox Creation
+
+To create a new mailbox, apply the following procedure:
+
+1. Select a user and validate both resource types `ADMicrosoftExchange_Entry_NominativeUser` and
+`MicrosoftExchange_Mailbox_NominativeUser`.
+2. In the Provisioning Review, confirm both resource types.
+3. First, launch the job AD Microsoft Exchange Synchronization.
+4. Then, launch the job Microsoft Exchange Synchronization.
+
+In fact, an `ADMicrosoftExchange_Entry` is required to create a mailbox. To update or delete an existing mailbox, the Active Directory part can be skipped.
+
+#### Interface display
+
+The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name input in the Job's **DisplayName_Li** attribute.
+
+![Microsoft Exchange Jobs](/images/identitymanager/microsoftexchange_jobs_5.1.7.webp)
+
+From there, the Synchronization job can be launched and debugged (if needed).
+
+After execution, Microsoft Exchange resources and databases should be in the `UR_Resources` table of the SQL Server database.
+
+The results can also be viewed on the UI:
+
+![Microsoft Exchange Menu Items](/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp)
+
+![Microsoft Exchange Display Entity Type](/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp)
+
+![Microsoft Exchange Display Table](/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-cyberark-export.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-cyberark-export.md
new file mode 100644
index 0000000000..cdee6e672f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-cyberark-export.md
@@ -0,0 +1,790 @@
+---
+title: "Export CyberArk Data via SCIM"
+description: "Export CyberArk Data via SCIM"
+sidebar_position: 160
+---
+
+# Export CyberArk Data via SCIM
+
+This guide shows how to set up a [SCIM](../../../integration-guide/connectors/references-connectors/scim) connector to extract data from your CyberArk instance into CSV source files that will in turn be fed to the [Upward Data Synchronization](../../../integration-guide/synchronization/upward-data-sync) task and to your Identity Manager resource repository. It will focus on registering Identity Manager within the target CyberArk instance, configuring the connector, and building the job to perform regularly scheduled synchronization.
+
+## Prerequisites
+
+### External system configuration
+
+Usually CyberArk provides the environment to use AAM (_Application Access Manager_) and SCIM (_System for Cross-domain Identity Management_). For example, PrivateArk Server, PrivateArk and other tools can be found on a VM-based environment.
+
+It is strongly recommended that you follow the official **CyberArk SCIM Server Implementation Guide** (the CyberArk team can provide this document) in order to set up the environment. When you've completed the installation or if CyberArk has already installed it, you can verify the installation:
+
+1. Log into **PrivateArk Client**, locate and open the **SCIM Config** safe.
+2. Check the presence of the following objects:
+
+ - `Encryption-key`: The SCIM Server uses a local cache to store objects retrieved from the
+Vault. Although no credentials (other than the ones in the SCIM Config safe, which are not stored on the cache) are retrieved, we encrypt the cache with this encryption key. The key is randomly generated, and not exposed by the installer, but can be changed if desired.
+ - `GlobalConfig.yml`: This is the configuration file for the overall SCIM server settings. It is
+responsible for the setting of performance parameters and additional added features.
+ - `Usercube-account`: This is a privileged account to allow Identity Manager to authenticate its
+REST API requests to the SCIM Server. The password for this account must be the same as the Identity Manager-user (Identity Manager can be replaced by any other name like Client).
+ - `SCIM-account`: This is a privileged account, managed by the Central Policy Manager (CPM is
+the module of the PAM tool that is responsible for managing the passwords and any policies/exceptions configured), which allows the SCIM server to retrieve the password for SCIM-user through an Application Identity Manager (AIM) Credential Provider call.
+
+3. Verify that the following **Users** were created in the PrivateArk Client:
+
+ - Go to **Tools** > **Administrative Tools**.
+ - Select **Users and Groups**.
+ - Ensure the following users have been created:
+
+ - `SCIM-user`: This is a CyberArk user with full privileges for creating and managing Safes,
+Accounts, Permissions, and Users. This user is required by the CyberArk's Command Line Interface (PACLI, used to perform quick Vault-level functions without logging in to the PrivateArk client) on the SCIM server for logging into the Vault and managing objects on behalf of client applications such as Identity Manager.
+ - `Client-user`: This is a CyberArk user for authenticating requests made to the SCIM server
+using the REST API. (The name Client-user' can change and be replaced by Identity Manager-user' for example.)
+
+Now we can consider that the installation is correct, the login is `Usercube-user` and the password `CyberArk1`.
+
+### Identity Manager configuration
+
+This step sets up the Identity Manager Agent to use the SCIM connector and access the CyberArk data.
+
+The settings must be entered in the appsettings.agent > Connections section. See the [SCIM](../../../integration-guide/connectors/references-connectors/scim) topic for additional information.
+
+#### Connect to the target CyberArk instance
+
+In the `Connections` section, add one new subsection that will contain the credentials for the target CyberArk. Use a meaningful name to remember which CyberArk is accessed via this section.
+
+> This example connects via the `SCIMCyberArkExport` connection to the CyberArk system:
+>
+> ```
+>
+> appsettings.agent.json
+>
+> { ... "Connections": { ... "SCIMCyberArkExport": { ... } } }
+>
+> ```
+>
+> ```
+
+#### Input credentials
+
+In the newly created subsection, fill in:
+
+- The **Server** attribute with the CyberArk's address. It has the form:
+`https://host:port/CyberArk/scim`.
+- The **Login** attribute with the User's login value (in our example, `Usercube-user`).
+- The **Password** attribute with the User's login value (in our example, `Cyberark1`).
+
+> For example:
+>
+> ```
+>
+> appsettings.agent.json
+>
+> { ... "Connections": { ... "SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim",
+> "Login": "Usercube-user", "Password": "Cyberark1" } } }
+>
+> ```
+>
+> ```
+
+For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not the most secure. Hence it is strongly recommended that you protect credentials using Azure Key Vault or CyberArk in a production environment. Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the configuration, and only then, switching to a more secure way of storing credentials.
+
+#### Set exported objects, exported attributes and export files
+
+This step focuses on choosing and setting up the list of SCIM objects and attributes to be exported.
+
+The **Filter** attribute defines what is exported. It is located in the `appsettings.agent > Connections > SCIMCyberArkExport` subsection previously created.
+
+##### Choose objects to export
+
+The list of objects to export depends on the Role Model requirements. The list will evolve iteratively as the project's needs become clearer.
+
+The SCIM entities available in a CyberArk implementation are:
+
+- **Users**: CyberArk Users.
+- **Containers**: Containers/CyberArk Safes.
+- **ContainerPermissions**: Permissions on CyberArk Safes.
+- **Privileged Data**: Privileged Data/CyberArk Accounts.
+- **Groups**: CyberArk Groups.
+
+Filters are defined in the next part.
+
+##### Filtering
+
+An exhaustive list of entities and attributes provided by CyberArk is available in their [technical documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/Applications/AppsOvw/SCIM-Provisioning.htm) or the SCIM `Swagger UI`.
+
+The `Filter` and `FilterGroup` setting syntax is detailed in the [SCIM](../../../integration-guide/connectors/references-connectors/scim) optional attributes.
+
+`SCIMSyntax` must also be set to `CyberArk` because the CyberArk system doesn't strictly follow all the SCIM rules at the moment.
+
+##### Example
+
+The following example sets up the **Users**, **ContainerPermissions**, **Containers** and **Groups** for export.
+
+For **Users**, we give an example for each type of attribute:
+
+- **userName** is an attribute of the base schema.
+- **ldapFullDN** is an attribute of the `urn:ietf:params:scim:schemas:cyberark:1.0:User` schema
+because it is separated by `�`.
+- **givenName** is a sub-attribute of the attribute `name` because it is separated by `:`.
+
+Notice the `*` that separates the entities.
+
+```json
+**appsettings.agent.json**
+
+{ ... "Connections": { ...
"SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim", "Login": "Usercube-user", "Password": "Cyberark1", "Filter": "Users;urn:ietf:params:scim:schemas:cyberark:1.0:User�ldapFullDN|ldapDirectory id userName active name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id displayName type name", "FilterGroup": "Groups;id displayName", "SCIMSyntax": "CyberArk" } } } +```` + + +##### Set up export files + +The export generates CSV source files that will be fed to the [Upward Data Synchronization](../../../integration-guide/synchronization/upward-data-sync) task. + +The SCIM connector generates one file per entity, the name is generated as: ```EntryFile``` + ```'_'``` + ```FilterEntity``` or ```MembersFile``` + ```'_'``` + ```FilterGroupEntity```. + +Moreover, ```SyncCookiesFile``` can be specified to indicate the location of the cookie file for an incremental export. + +See the [SCIM](../../../integration-guide/connectors/references-connectors/scim)topic for additional information. + +The target directory and file name are chosen freely. However, Netwrix Identity Manager (formerly Usercube) strongly recommends using the Working Directory ```Temp/ExportOutput``` folder and choosing file names that start with the ```CyberArk_``` prefix. See the [Create a Working Directory](../../../installation-guide/production-ready/working-directory) topic for additional information. + +##### Example + +With the following example, the resulting files are: + +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Users.csv``` +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_ContainerPermissions.csv``` +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Containers.csv``` +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` + +```json +// appsettings.agent.json { // ... "Connections": { // ... 
"SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim", "Login": "Usercube-user", "Password": "Cyberark1", "Filter": "Users;urn:ietf:params:scim:schemas:cyberark:1.0:User�ldapFullDN|ldapDirectory id userName active name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id displayName type name", "FilterGroup": "Groups;id displayName", "EntryFile": "C:/identitymanagerDemo/Temp/ExportOutput/CyberArk", "MembersFile": "C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members", "SCIMSyntax": "CyberArk" } } } +```` + +Every file contains the data as CSV, with one column per attribute. + +## Build the Connector + +### Declare a connector + +To be used for export tasks, a connector must be declared in the applicative configuration and +linked to an Agent. See the [Toolkit for XML Configuration](../../../integration-guide/toolkit) topic for +additional information. + +It is strongly recommended that the applicative configuration be stored the +[Create a Working Directory](../../../installation-guide/production-ready/working-directory) +`Conf` folder as a set of `xml` files organized by connector. + +- In the `Conf` folder, create a `SCIMCyberArk` directory. +- In the `SCIMCyberArk` directory create a `CyberArk Connector.xml` file. + + This file contains the declaration of the connector and the associated Entity Model. + +- Use the [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector) element to + declare the connector with the following attributes: + + - **Identifier** identifies this connector in the applicative configuration. We recommend using + a meaningful name such as `CyberArk`. If several connections to several CyberArk targets are + possible, only one CyberArk Connector per Agent is used. 
See the + [Create a Working Directory](../../../installation-guide/production-ready/working-directory) + topic for additional information. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that will run this connector's export task. The + Agent's identifier can be found in the agent's + [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) > + OpenId > AgentIdentifier. + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `CyberArk` connector on the `Local` agent: +> +> ``` +> +> Conf/SCIMCyberArk/CyberArk Connector.xml +> +> ... +> +> ... +> +> +> +> ``` +> +> ``` + +### Build the entity model + +The exported data to be written to the resource repository must be aligned with the +[Entity Model](../../../integration-guide/entity-model). See the +[Identity Management](../../../introduction-guide/overview/identity-management) topic +for additional information. + +The [Entity Model](../../../integration-guide/entity-model) should match as closely as possible the structure +of the CyberArk data relevant for Identity Manager. It is designed by analyzing the CyberArk data +structure, and describing said data with the Entity Types and +[Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation). +Eventually, it is up to the integration team to design the +[Entity Model](../../../integration-guide/entity-model) that best serves the Role Model needs. It will most +likely be refined iteratively throughout the project integration. See the +[Assignment Policy](../../../integration-guide/role-model/role-model-rules) topic for additional +information. + +A good starting point for the Entity Model is to mirror the shape of the exported CyberArk SCIM +objects. This guide provides a few examples that can serve this purpose. 
Thus, CyberArk SCIM objects +such as **Users** and **Groups** can be described by Entity Types, and group membership by +[Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation). See +the [Assignment Policy](../../../integration-guide/role-model/role-model-rules) topic for additional +information. + +The [Entity Model](../../../integration-guide/entity-model) for the CyberArk connector is written in the +applicative configuration. It is strongly recommended to write the entity model to the newly created +`Conf/SCIMCyberArk/CyberArk Connector.xml` file. See the +[Toolkit for XML Configuration](../../../integration-guide/toolkit) topic for additional information. + +#### Write entity types + +Declaring an Entity Type is achieved with the `` tag and the following attributes: + +- **Identifier** is the entity type's name. It must be unique among the entity types. It is strongly + recommended to prefix this name with the connector's name. An example for CyberArk is + `CyberArk_User`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this Entity Type for the end-user. + **DisplayName_L1** is the name of the entity type in _language number one_. If this language is + _English_, a good example value would be `CyberArk - User`. See the + [Assignment Policy](../../../integration-guide/role-model/role-model-rules) topic for additional + information. + +##### Example + + ``` + +**Conf/SCIMCyberArk/CyberArk Connector.xml** + +... ... ... + +```` +The CyberArk SCIM objects attributes are modeled by Entity properties, with the `````` tags declared as children of the ``````. + +Remember that there are several kinds of by (determined by the ```TargetColumnIndex```): scalar and navigation. + +- Scalar properties can be defined to represent scalar attributes such as ```userName```, ```active``` or ```givenName```. +- Navigation properties represent associations such as group memberships. 
+ +Finally, the main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of property. A scalar property type can be: ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, or ```Option```. The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. See the [Entity Type](../../../integration-guide/toolkit/xml-configuration/metadata/entitytype)topic for additional information. + +##### Example + +This example defines an entity type named ```CyberArk_User``` to match the attributes selected for extraction from CyberArk in the previous example. + +Notice the omitted __TargetColumnIndex__ attribute and the presence of ```Type="ForeignKey"``` for the ```groups``` and ```containers``` properties. If omitted, this attribute indicates that the properties are navigation properties. +``` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... ... + +```` +#### Write entity associations + +[Assignment Policy](../../../integration-guide/role-model/role-model-rules) are associated through their +navigation properties with +[Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) +elements. + +##### Example + +The following example declares an `n-n` association between a `CyberArk_User` and `CyberArk_Group`. + +The `groups` property of a `CyberArk_User` is a collection of **Group** IDs (modeled as an +`CyberArk_Group` EntityType) of which this `CyberArk_User` is a member. + +The `Users` property of a `CyberArk_Group` is a collection of `CyberArk_User`IDs which are members +of this **Group**. + + ``` + +**Conf/SCIMCyberArk/CyberArk Connector.xml** + +... 
+... +```` + + +The exact nature of the IDs are described by the associated [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type followed by ```:``` and the name of an entity property. It is a [Binding](../../../integration-guide/toolkit/xml-configuration/metadata/binding) that describes in one expression both the target entity type and property. + +### Create mapping + +The entity type must be mapped property by property to the exported attributes of CyberArk SCIM objects (namely, the columns of the CSV source files generated by the export). + +The [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping), [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping), and Entity Property Mapping elements serve this purpose. + +#### Write the entity type mapping + +The [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) element maps scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the __ConnectionTable__ xml attribute. The target entity type name is written to the __Identifier__ xml attribute. + +```xml +Conf/SCIMCyberArk/CyberArk Connector.xml ... ... ... +```` + +To do so, the entity type mapping uses the +[Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) +element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target +EntityType property which is written to the **Identifier** attribute. + +##### Example + + ``` + +**Conf/SCIMCyberArk/CyberArk Connector.xml** + +... + + + + + + + + + + + + + + + +... 
+ +```` +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source files data. + +Let's take the example of a new ```CyberArk_User``` which has never been synchronized. The ```UR_Resource``` table receives a new line for which the _6th_ column (```userName```) is filled in with the ```userName``` column from the ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Users.csv``` file. + +#### Write the entity association mapping + +The [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) element maps navigation properties, used in [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation). + +An [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) element refers to an [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) written to the __Identifier__ xml attribute. Then, just as the [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) element, it maps columns values from a CSV source file to an EntityType property. + +##### Example + +The following example describes the actual user/group associations between ```CyberArk_User``` and ```CyberArk_Group```. These associations are exported from the CyberArk system into the ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` file. Each line of the file associates a value (property ```CyberArk_id``` from ```CyberArk_Group```) and a MemberId (property ```CyberArk_id``` from ```CyberArk_User```). 
+ + | value | MemberId | + | --- | --- | + | 1 | 100 | + | 1 | 101 | + | 2 | 102 | + | 2 | 103 | + | 3 | 104 | + +The following [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) describes the mapping for the ```CyberArk_Group_Members``` EntityAssociation: +``` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... ... + +```` +Here are a few explanations: + +###### Users/_CyberArk_Group_ + +The `Users` property in the `CyberArk_Group` entity: + +- is written to the **Property1** attribute of the `CyberArk_Group_Members` + [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) + element. +- is filled in by values from the `MemberId` column (written to the **Column2** attribute of the + `CyberArk_Group_Members` + [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) + element) in the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. + +These values identify resources of type `CyberArk_User` by their `CyberArk_id` property (written to +the **EntityPropertyMapping2** attribute of the +[Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) +element. + +###### Groups/_CyberArk_User_ + +The `Groups` property in the `CyberArk_User` entity: + +- is written to the **Property2** attribute of the `CyberArk_Group_Members` + [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) + element). +- is filled in by values from the _value_ column (written to the **Column1** attribute of the + `CyberArk_Group_Members` + [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) + element) in the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. 
+ +These values identify resources of type `CyberArk_Group` by their `CyberArk_id` property (written to +the **EntityPropertyMapping1** attribute of the +[Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) +element). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A [Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) can be added to +include a link to the resources list in the left menu in the UI home screen. + +#### Parent menu item + +It strongly recommended to gather synchronized resources menu items under parent menu items. This is +usually declared in the configuration root folder `Nav.xml` file. + +##### Example + + ``` + +**Conf/Nav.xml** + +... + +... +```` + + +#### Child menu item + +It is strongly recommended to use a new ```CyberArk Nav.xml``` file in the ```SCIMCyberArk``` connector's folder in order to add the CyberArk SCIM objects menu item. + +##### Example + +```xml +Conf/SCIMCyberArk/CyberArk Nav.xml ... ... +```` + +Adds a new menu item under the `Nav_Connectors` menu item declared in the root `Nav.xml` file. This +new menu item gives access to the list of synchronized CyberArk SCIM objects. + +![SCIM CyberArk Menu Items](/images/identitymanager/scim_cyberark_export_menu_item_5.1.6.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new `CyberArk UI.xml` file +in the `SCIMCyberArk` connector's folder. + +#### Display entity type + +The +[Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) +describes how a single resource should be displayed. + +##### Example + + ``` + +**Conf/SCIMCyberArk/CyberArk UI.xml** + +... + +... 
+ +```` +This configuration configures that display for [christian.adam@acme.com](mailto:christian.adam@acme.com): + +![SCIM CyberArk Display Entity Type](/images/identitymanager/scim_cyberark_export_display_entity_type_5.1.6.webp) + +The scalar properties don't need to be configured: they are automatically displayed. The only information that the [Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +The [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) elements describe how a list of resources should be displayed. + +The [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) contains a list of [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) column elements that identify which properties should be included in the list display. + +##### Example +``` + +Conf/SCIMCyberArk/CyberArk UI.xml ... ... + +```` +configures the following list display: + +![SCIM CyberArk Display Table](/images/identitymanager/scim_cyberark_export_display_table_5.1.6.webp) + +#### Internal display name + +An `InternalDisplayName` can also be declared as an +[Entity Type](../../../integration-guide/toolkit/xml-configuration/metadata/entitytype) property +expression. The `InternalDisplayName` is used in several UI screens to identify a resource for the +user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + + ``` + +**Conf/SCIMCyberArk/CyberArk UI.xml** + +... +... 
+```` + + +adds the ```InternalDisplayName``` to the CyberArk_User entity type to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector. + +The [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) and [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) elements define the [AccessControlPermission](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```CyberArk Profile Administrator.xml``` file. + +#### Example + +The following example sets permissions for the ```Administrator``` profile. + +It entitles an administrator to display ```CyberArk SCIM``` resource and role categories from the UI. + +```xml +Conf/MicrosoftEntraID/MicrosoftEntraID Profile Administrator.xml ... ... +```` + +## Jobs + +### Construction + +This step focuses on writing a `Complete` Synchronization job. + +It is strongly recommended to write Jobs associated with the `CyberArk` connector to the +`Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml` file. + +### Components + +All the job steps can be found in the +[Create Connector Synchro Complete](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete) +scaffolding. + +#### Example + + ``` + +**Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml** + +... + +... + +```` +This job will be executed on CyberArk's connector agent. + +Notice the __Identifier__ attribute with the value ```Job``` in the ```OpenIdIdentifier``` tag. 
It refers to the ```ClientId``` written to the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) technical configuration. The Tasks will authenticate with the profile associated with this ```ClientId``` in the `````` xml configuration element. + +Incremental synchronization can be configured with the following scaffolding. See the [Create Connector Synchro Incremental](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental) topic for additional information. + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files over to the Server. These operations are protected by an authorization mechanism. + +To complete a Job, the Agent, via the [Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job) uses: + +- A [Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile) associated with the Job itself to read/write: + - ```UJ_Jobs``` and ```UJ_Tasks``` tables in a list of tasks + - ```UJ_JobInstances``` tables in the progress report +- a Profile for each Task, to read/write ```UJ_TaskInstances``` tables (Progress Report) and perform other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect /Secret pair, linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. +``` + +Conf/Profile AgentJob.xml ... ... 
+ +```` +As the Principle of Least Privilege states, Netwrix Identity Manager (formerly Usercube)strongly +recommends that you create a +[Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile) to be used during +the Synchronization jobs which will be different from the one used during the Provisioning job. This +contributes to separating access rights. +The same principle applied even more rigorously would make Identity Manager create one profile per +Task. It isn't necessary as most Synchronization tasks require the same permissions. + +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the +[Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job), the profile linked to +these tasks and used by the tool should be authorized to execute said tasks. + +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +**View Tasks** + +- `/Jobs/Task/Query` + +**Progress Report** + +- `/Jobs/JobInstance/Query` +- `/Jobs/JobInstance/Update` +- `/Jobs/TaskInstance/Query` +- `/Jobs/TaskInstance/update` + +**Synchronization and Prepare-Synchronization** + +- `/Connectors/Connector/Query` +- `/Connectors/SynchronizeSession` + +Granting access can be done via the +[SynchronizationAccessControlRules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules) +scaffolding and +the[Job View Access Control Rules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules) +scaffolding. + +The following examples (or similar) should be written to `Conf/Profile AgentSychro.xml`. + +> This example entitles the administrator profile to run any synchronization job: +> +> ``` +> +> Conf/Profile AgentSychro.xml +> +> ... +> ... 
+> +> ``` +> +> ``` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile +with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via the +[Job Execution Access Control Rules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules) +scaffolding. + +##### Example + + ``` + +**Conf/Profile AgentSychro.xml** + +... ... +```` + + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's [Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile) is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. + +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) xml element. + +It is strongly recommended that you write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the [Usercube-New-OpenIDSecret](../../../integration-guide/executables/references/new-openidsecret) tool. + +```xml +Conf/OpenIdClients.xml ... ... +```` + +#### Set up the Agent to use ClientId/Secret pairs + +The `ClientId/Secret` pairs that the Agent may use are written to the Agent's +[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) +technical configuration set. 
+ +The `ClientId` of such `ClientId/Secret` pairs can then be used as a value in a Task +**OpenIdClient** attribute. + +Pairs written in the `OpenIdClient` section may be used by Tasks. + +The Job itself uses the `DefaultOpenIdClient` value. + +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> +> { ... "OpenId":{ "OpenIdClients": { "Job": "secret" }, "DefaultOpenIdClient": "Job" } } +> +> ``` +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external +scheduler. + +#### With Identity Manager's scheduler + +Use the [Job](../../../integration-guide/toolkit/xml-configuration/jobs/job) CronTab Expression attribute. + +> This example uses Identity Manager's scheduler to execute the +> `CyberArk_Synchronize_Complete_Manually` job every fifteen minutes: +> +> ``` +> +> Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml +> +> +> ... +> +> ``` +> +> ``` + +For more details about checking Crontab expressions, see the +[crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the +[Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job) tool. + +##### Example + +The following command can be scheduled. It executes the `CyberArk_Synchronize_Complete_Manually` +using the "Job/secret" authentication pair to connect to the Identity Manager Server at +`http://identitymanager.contoso.com`. + + ``` + +./Usercube-Invoke-Job.exe -j "CyberArk_Synchronize_Complete_Manually" --api-secret secret +--api-client-id Job --api-url "http://identitymanager.contoso.com" + +```` +## Validation + +### Deploy configuration + +The configuration is written to the database using the [Deploy Configuration Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask) tool. 
+
+### Test
+
+The Synchronization job should be found in the UI, under the __Job Execution__ menu, with the name input in the Job's __DisplayName_Li__ attribute.
+
+From there, it can be launched and debugged (if needed).
+
+After execution, CyberArk SCIM Objects resources should be in the ```UR_Resources``` table of the SQL Server database.
+````
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-salesforce-provisioning-entitlements.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-salesforce-provisioning-entitlements.md
new file mode 100644
index 0000000000..9dee68cf4f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/scim-salesforce-provisioning-entitlements.md
@@ -0,0 +1,37 @@
+---
+title: "Provision Salesforce Users' Profiles via SCIM"
+description: "Provision Salesforce Users' Profiles via SCIM"
+sidebar_position: 170
+---
+
+# Provision Salesforce Users' Profiles via SCIM
+
+This guide shows how to provision a user's account profile in a Salesforce system with the SCIM connector.
+
+## Prerequisites
+
+This guide supposes that you already have a working synchronization for Salesforce users' accounts, entitlements and links between accounts and entitlements.
+
+## Context
+
+In Salesforce, both `profiles` and `permission sets` are in the `Entitlements` entity, whereas they are not managed the same way: a user account must have a profile and only one, while it can have zero to several permission sets.
+
+This implies a difference of treatment based on the entitlement's `type`.
+
+## Configuration
+
+In order to handle this special case, Identity Manager expects, for now, a very precise configuration. A generic configuration element will come soon to be able to customize and apply this special treatment in other cases.
+
+For now, for your `EntityType` representing Salesforce's `Entitlements` entity type, you need to have an entity property with exactly `type` as identifier:
+
+```text
+****
+```
+
+And to map it in the `Entitlements` entity type mapping:
+
+```
+****
+```
+
+That is all you need to do. With the next synchronization, all the entitlements will have their `type` and then the special treatment can be done for those with the `Profile` type when provisioning users' entitlements.
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/entra-ID.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/entra-ID.md
new file mode 100644
index 0000000000..4b5569960c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/entra-ID.md
@@ -0,0 +1,108 @@
+---
+title: "For Microsoft Entra ID"
+description: "For Microsoft Entra ID"
+sidebar_position: 10
+---
+
+# For Microsoft Entra ID
+
+This example is about implementing incremental synchronization for a [Microsoft Entra ID](../../../../integration-guide/connectors/references-connectors/microsoftentraid) connector (formerly Microsoft Azure AD).
+
+## Build the Incremental Synchronization Job
+
+Identity Manager provides a full-written job to perform incremental synchronization through the UI.
+
+See how to launch incremental [Synchronize Data](../../../../user-guide/set-up/synchronization)via the UI.
+
+> For example:
+>
+> ```
+>
+> Conf/MicrosoftEntraID/MicrosoftEntraID Jobs.xml
+>
+>
+> ...
+>
+> ```
+>
+> ```
+
+### Components
+
+Identity Manager provides a [Create Connector Synchro Incremental](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental) scaffolding that generates the configuration for these steps.
+
+For example:
+
+```text
+>
+> Conf/MicrosoftEntraID/MicrosoftEntraID Jobs.xml
+>
+>
+>
+>
+```
+
+
+Note that the `Job` value in `OpenIdIdentifier` refers to the `ClientId` written to the [appsettings.agent](../../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) file. Each task will authenticate with the profile associated with this ClientId.
+
+
+### Permissions for the agent
+
+This part is not specific to a connector type, see the [Set Up Incremental Synchronization](../../../../integration-guide/connectors/configuration-details/setup-incremental-sync) topic for additional information.
+
+### Agent's authentication to the server
+
+This part is not specific to a connector type, see the [Set Up Incremental Synchronization](../../../../integration-guide/connectors/configuration-details/setup-incremental-sync) topic for additional information.
+
+### Permissions for users
+
+This part is not specific to a connector type, see the [Set Up Incremental Synchronization](../../../../integration-guide/connectors/configuration-details/setup-incremental-sync) topic for additional information.
+
+## Schedule the Job
+
+Scheduling the job execution can rely either on Identity Manager's scheduler or on an external scheduler.
+
+### Using scheduler
+
+> The following example uses Identity Manager's scheduler to execute the
+> `AzureAD_Synchronization_Delta` job every fifteen minutes:
+>
+> ```
+>
+> Conf/MicrosoftEntraID/MicrosoftEntraID Jobs.xml
+>
+>
+> ...
+>
+> ```
+>
+> ```
+
+### Using an external scheduler
+
+An external scheduler relies on the [Usercube-Invoke-Job](../../../../integration-guide/executables/references/invoke-job).exe.
+
+> The following command can be scheduled. It executes the `AzureAD_Synchronization_Delta` job using
+> the `Job/secret` authentication pair to connect to the Identity Manager Server at
+> `http://identitymanager.contoso.com`:
+>
+> ```
+>
+> ./Usercube-Invoke-Job.exe -j "MicrosoftEntraID_Synchronization_Delta" --api-secret secret
+> --api-client-id Job --api-url "http://identitymanager.contoso.com"
+>
+> ```
+>
+> ```
+
+## Validate the Job
+
+Validate the job's execution by proceeding as follows:
+
+1. Deploy the XML configuration to the database, by using the
+[Deploy Configuration Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask).
+2. In the UI, access the **Job Execution** page from the dashboard's **Administration** section.
+3. Find the job named with the string input in the job's `DisplayName_Li` property, and launch it.
+4. Once the job is completed, Microsoft Entra ID objects should be synchronized to the database's
+`UR_Resources` table.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/index.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/index.md
new file mode 100644
index 0000000000..98e5566441
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/setup-incremental-sync/index.md
@@ -0,0 +1,170 @@
+---
+title: "Set Up Incremental Synchronization"
+description: "Set Up Incremental Synchronization"
+sidebar_position: 80
+---
+
+# Set Up Incremental Synchronization
+
+How to implement an incremental synchronization [Job](../../../../integration-guide/toolkit/xml-configuration/jobs/job) for a given [Connector](../../../../integration-guide/toolkit/xml-configuration/connectors/connector) via XML, to upload the related system's resources to Identity Manager.
+
+See an example on [For Microsoft Entra ID](../../../../integration-guide/connectors/configuration-details/setup-incremental-sync) (formerly Microsoft Azure AD).
+
+Netwrix Identity Manager (formerly Usercube) strongly recommends configuring as much as possible via the UI instead of XML files. See how to [Synchronize Data](../../../../user-guide/set-up/synchronization) via the UI.
+
+## Prerequisites
+
+First read how to [Create a Connector](../../../../integration-guide/connectors/configuration-details/create-connector).
+
+## Build the Incremental Synchronization Job
+
+Identity Manager provides a fully-written standardized job to perform incremental synchronization through the UI. See here:
+
+See how to launch incremental [Synchronize Data](../../../../user-guide/set-up/synchronization) via the UI.
+
+Any IGA action is configured through [Job](../../../../integration-guide/toolkit/xml-configuration/jobs/job).
+
+Synchronization jobs contain tasks that are to be executed on agent side.
+
+### Components
+
+Any synchronization job should include:
+
+1. export;
+2. synchronization preparation;
+3. synchronization.
+
+The export is configured and performed by the [Export Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask), the synchronization preparation by the [Prepare Synchronization Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) and the synchronization by the [Synchronize Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask).
+
+See the [Upward Data Synchronization](../../../../integration-guide/synchronization/upward-data-sync) topic for additional information.
+
+Identity Manager provides a scaffolding that generates the configuration for these steps, named [Create Connector Synchro Incremental](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental).
+
+This guide is about incremental synchronization, but complete synchronization can be configured with the [Create Connector Synchro Complete](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete) scaffolding.
+
+### Permissions for the agent
+
+In order to launch a job via the [Usercube-Invoke-Job](../../../../integration-guide/executables/references/invoke-job) tool, the agent must use a profile with the right permissions for each task.
+
+Permissions within Identity Manager are configured through [Access Control Rule](../../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule).
+
+> For example:
+>
+> ```
+>
+> Conf/Profile AgentJob.xml
+>
+>
+>
+> ```
+>
+> ```
+
+Netwrix Identity Manager (formerly Usercube) recommends the creation of a profile for synchronization jobs, and another for provisioning jobs, in order to comply with the principle of least privilege.
+
+In order to run a synchronization job, the agent requires the permissions to:
+
+- view the tasks via `/Jobs/Task/Query`;
+- access progress reports via `/Jobs/JobInstance/Query`, `/Jobs/JobInstance/Update`,
+`/Jobs/TaskInstance/Query` and `/Jobs/TaskInstance/Update`;
+- prepare the synchronization and synchronize via `/Connectors/Connector/Query` and
+`/Connectors/SynchronizeSession`.
+
+Identity Manager provides scaffoldings that generate the configuration for granting these permissions: [SynchronizationAccessControlRules](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules) and [Job View Access Control Rules](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules).
+
+> The following example permits the `AgentSynchro` profile to run any synchronization job:
+>
+> ```
+>
+> Conf/Profile AgentSynchro.xml
+>
+>
+>
+> ```
+>
+> ``
+
+### Agent's authentication to the server
+
+Every request from agent to server within the execution of a job needs to be authenticated with an [OpenIdClient](../../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair.
+
+So first, the configuration must contain a `ClientId/Secret` pair.
+
+Usable `ClientId/Secret` pairs are configured through an [OpenIdClient](../../../../integration-guide/toolkit/xml-configuration/access-control/openidclient).
+
+> The following example uses a secret hashed
+> by [Usercube-New-OpenIDSecret](../../../../integration-guide/executables/references/new-openidsecret):
+>
+> ```
+>
+> Conf/OpenIdClients.xml
+>
+>
+>
+> ```
+>
+> ``
+
+Then, the agent's profile must be linked to one of the `ClientId/Secret` pairs.
+
+Agents' settings are configured in their [appsettings.agent](../../../../integration-guide/network-configuration/agent-configuration/appsettings-agent).json file.
+
+> The following example sets the `Job/secret` pair to be used by tasks and jobs:
+>
+> ```
+>
+> appsettings.agent.json
+>
+> { ... "OpenId":{ "OpenIdClients": { "Job": "secret" }, "DefaultOpenIdClient": "Job" } }
+>
+> ```
+>
+> ``
+
+### Permissions for users
+
+In order to launch the job, a user must have the right permissions.
+
+Permissions within Identity Manager are configured through [Access Control Rule](../../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule).
+
+In order to launch a synchronization job, a user requires the appropriate permission: `/Jobs/RunJob/Launch`.
+
+Identity Manager provides a [Job Execution Access Control Rules](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules) that generates the configuration for granting this permission.
+
+> For example:
+>
+> ```
+>
+> Conf/Profile AgentSynchro.xml
+>
+>
+>
+> ```
+>
+> ``
+
+## Schedule the Job
+
+Scheduling the job execution can rely either on Identity Manager's scheduler or on an external scheduler.
+
+### Using scheduler
+
+Identity Manager's scheduler is configured through the [Job](../../../../integration-guide/toolkit/xml-configuration/jobs/job)'s `CronTabExpression` property.
+
+[See Crontab documentation for more details](https://crontab.guru/every-15-minutes).
+
+### Using an external scheduler
+
+An external scheduler relies on using an external mechanism to schedule the [Usercube-Invoke-Job](../../../../integration-guide/executables/references/invoke-job).exe.
+
+## Validate the Job
+
+Validate the job's execution by proceeding as follows:
+
+1. Deploy the XML configuration to the database, by using the
+[Deploy Configuration Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask).
+2. In the UI, access the **Job Execution** page from the dashboard's **Administration** section.
+3. Find the job named with the string specified in the XML configuration in the job's `DisplayName`
+property, and launch it.
+4. Once the job is completed, the system's objects should be synchronized to the database's `UR_Resources` table.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/sharepoint-export.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/sharepoint-export.md
new file mode 100644
index 0000000000..1d6d03bea8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/sharepoint-export.md
@@ -0,0 +1,618 @@ +--- +title: "Set up SharePoint's Export and Synchronization" +description: "Set up SharePoint's Export and Synchronization" +sidebar_position: 180 +--- + +# Set up SharePoint's Export and Synchronization + +This guide shows how to set up a [SharePoint](../../../integration-guide/connectors/references-connectors/sharepoint) connector to extract data from your SharePoint instance into CSV source files that will be fed to the Synchronization task and to your Identity Manager resource repository. It will focus on registering Identity Manager within the target SharePoint, configuring the connector, and building the job to perform a regularly scheduled synchronization. + +## Prerequisites + +### External system configuration + +This step is designed to grant Identity Manager a service account to authenticate with the target SharePoint sites. It includes the following substeps: + +- Create a service account for Identity Manager in your Microsoft Entra ID (formerly Microsoft Azure +AD). +- Go the SharePoint sites which need to be scanned. +- Log in using the organization credentials. +- Go to the **Members List** in the right corner. +- Click on the **Add members** button. +- Enter the name of the Identity Manager service account or its email address. + +![SharePoint Export Add Member](/images/identitymanager/sharepoint_export_add_member.webp) + +The service account is now a member of the site. However, to scan the site, the service account needs to be owner of the site. + +- Go to the **Members List** in the right corner. +- Under the name of the Identity Manager service account, click on the arrow. +- Choose **Owner**. + +![SharePoint Export Role Owner](/images/identitymanager/sharepoint_export_role_owner.webp) + +### Configuration + +This step sets up the Identity Manager Agent in order to use the SharePoint connector and access the SharePoint data. + +This guide focuses on the [Architecture](../../../integration-guide/architecture) method. 
Remember that settings can also be input through architecture. + +#### Connect to the SharePoint instance + +In this `Connections` section, add one new subsection that will contain the credentials for the target SharePoint. + +> This example connects via the `SharePointExportContoso` connection to the Contoso SharePoint site: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { ... } } } +> +> ``` +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the address of the root SharePoint site to scan. +- The **Login** attribute with the login of the service account created. +- The **Password** attribute with the password of the service account created. + +> For example: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { "Server": +> "https://contoso.sharepoint.com/", "Login": "usercube.service@contoso.com", "Password": +> "19f23f48379d50a9a50b8c" } } } +> +> ``` +> +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not the most secure. Hence it is strongly recommended that you protect credentials using Azure Key Vault or Cyber Ark in a production environment. Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the configuration, and only then, switching to a more secure way of storing credentials. + +##### Set up export files + +The export generates CSV source files that will be fed to the [Upward Data Synchronization](../../../integration-guide/synchronization/upward-data-sync) task. + +The target path for these files can be set up using the following settings: + +- `appsetings.agent > Connections > SharePointExportContoso > OutputDir` +- `appsetings.agent > Connections > SharePointExportContoso > FileNamePrefix` + +###### Example + +```json +**appsettings.agent.json** + +{ ... "Connections": { ... 
"SharePointExportContoso": { "Server": "https://contoso.sharepoint.com/", "Login": "usercube.service@contoso.com", "Password": "19f23f48379d50a9a50b8c" } } } +```` + + +### SharePoint sites + +Different kinds of SharePoint sites exist. We will describe here the different cases that the integration team might encounter and how to handle them. + +#### Root site with subsites + +A root site has a URL like ```https://contoso.sharepoint.com``` and can have subsites. For example, the subsite ```Finance``` has a URL like ```https://contoso.sharepoint.com/Finance```. Subsites can also have subsites. +To scan the root site and the subsite tree, the root site must be specified in the __Server__ attribute. +Retrieved users can be assigned to/removed from all groups found, but cannot be created. To create a user account, you need to create it in the associated Microsoft Entra ID: it will automatically create a SharePoint user account. + +#### Multiple sites + +A SharePoint can also have other sites which are not subsites of the root site. For example, the site ProjectTeam has a URL like ```https://contoso.sharepoint.com/sites/ProjectTeam```. +These sites can't be scanned from the root site by using the __Server__ attribute. + +To scan these sites, you have to export their URL from SharePoint in a CSV file and use the __CsvUrls__ attribute in the settings. + +###### Example + + ``` + + appsettings.agent.json +{ + ... + "Connections": { + ... + "SharePointExportContoso": { + "Server": "https://contoso.sharepoint.com/", + "Login": "usercube.service@contoso.com", + "Password": "19f23f48379d50a9a50b8c" + "CsvUrls": "C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv�URL�," + } + } +} +```` +In this example, `C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv` is the path of the exported CSV file, `URL` is the column name of the URLs, and `,` is the separator used in the file. The character `�` is used to separate the three data items. 
+ +The CSV file containing the URLS can be generated with two methods: + +- Go to `https://contoso-admin.sharepoint.com` of your SharePoint site, in the menu **Sites** > +**Active sites** and click on the **Export** button above the table. +- Use a script with the +[SharePointOnlinePowerShell commands](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/?view=sharepoint-ps), specifically [Get-SPO Site](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/get-sposite?view=sharepoint-ps). + +These sites are not synchronized with the root site. Users present in a site are not necessarily present in the others. You can only assign users to a SharePoint group, on condition that they are already members of this site. You can't use the SharePoint connector to make a user a member of this kind of site. Depending on the system you are working on, you could achieve this by using the associated Microsoft Entra ID or the system generating these SharePoint sites (for example, Microsoft Teams can create an associated SharePoint site for each Teams Group). + +## Build the Connector + +### Declare a connector + +To be used for export and fulfill tasks, a connector has to be declared in the applicative configuration and linked to an Agent. See the [Toolkit for XML Configuration](../../../integration-guide/toolkit) topic for additional information. + +It is strongly recommended that the applicative configuration be stored in the working directory `Conf` folder as a set of `xml` files organized by connector. See the[Create a Working Directory](../../../installation-guide/production-ready/working-directory) topic for additional information. + +- In the `Conf` folder, create a `SharePoint` directory. +- In the `SharePoint` directory, create a `SharePoint Connector.xml` file. + +This file should contain the declaration of the connector and the associated [Entity Model](../../../integration-guide/entity-model). 
+ +- Use the [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector)element to +declare the connector with the following attributes: + + - **Identifier** identifies this connector in the applicative configuration. See the +[Toolkit for XML Configuration](../../../integration-guide/toolkit) topic for additional information. It is strongly recommended to use a meaningful name such as `SharePoint`. If several connections to several SharePoint targets are possible, only one SharePoint Connector per Agent is used. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that runs this connector's export task. The Agent's +identifier can be found in the agent's [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) configuration set > OpenId > AgentIdentifier setting attribute. + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `SharePoint` connector on the `Local` agent: +> +> ``` +> +> Conf/SharePoint/SharePoint Connector.xml +> +> ... +> +> ... +> +> +> +> ``` +> +> ``` + +### Build the entity model + +The exported data to be written to the resource repository must be aligned with the [Entity Model](../../../integration-guide/entity-model). See the[Identity Management](../../../introduction-guide/overview/identity-management)topic for additional information. + +The [Entity Model](../../../integration-guide/entity-model) should match as closely as possible the structure of the SharePoint data relevant for Identity Manager. It is designed by analyzing the SharePoint data structure, and describing said data with [Entity Model](../../../integration-guide/entity-model) and an [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation). 
+ +Eventually, it is up to the integration team to design the [Entity Model](../../../integration-guide/entity-model) that best serves the [Assignment Policy](../../../integration-guide/role-model/role-model-rules) needs. It will be refined iteratively throughout the project phase. + +A good starting point for the Entity Model is to mirror the shape of the exported SharePoint objects. This guide provides a few examples that can serve this purpose. + +#### Write the entity model + +The [Entity Model](../../../integration-guide/entity-model) for the SharePoint connector is written in the applicative configuration. See the [Toolkit for XML Configuration](../../../integration-guide/toolkit) topic for additional information. It is strongly recommended to write the connector to the newly created `Conf/SharePoint/SharePoint Connector.xml` file. + +#### Write entity types + +Declaring an [Entity Model](../../../integration-guide/entity-model) is achieved with the `` tag and the following attributes: + +- **Identifier** is the entity type's name. It must be unique among the entity types. It is strongly +recommended to prefix this name with the connector's name. An example for SharePoint is `SharePoint_directoryObject`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this +[Entity Model](../../../integration-guide/entity-model) for the end-user. **DisplayName_L1** is the name of the entity type in _language number one_. If this language is _English_, a good example of value is `SharePoint - Object`. + +##### Example +``` + +**Conf/SharePoint/SharePoint Connector.xml** + +... ... + +```` +The SharePoint object attributes are modeled by [Entity Model](../../../integration-guide/entity-model), with the `````` tags declared as children of the ``````. + +Remember that there are several kinds of properties: scalar and navigation. Scalar properties can be defined to represent scalar attributes such as ```city```, ```country``` or ```companyName```. 
represent associations such as group memberships. See the [Entity Model](../../../integration-guide/entity-model) topic for additional information. + +The main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of the property. A scalar property type is chosen among ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, and ```Option```. The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. See more details about Target Column Index. See the [Entity Model](../../../integration-guide/entity-model) topic for additional information. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml +... + ... +```` + +In this example, we have created four entity types, each one corresponding to a notion in SharePoint. + +#### Write entity associations + +[Entity Model](../../../integration-guide/entity-model) types are associated through their navigation properties with [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) elements. + +##### Example + +```xml +**Conf/SharePoint/SharePoint Connector.xml** + +... ... +```` + + +The exact nature of the IDs are described by the associated [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type is followed by ```:``` and the name of an entity property. It is a [Binding](../../../integration-guide/toolkit/xml-configuration/metadata/binding) describing in one expression, the target entity type and property. 
+ +### Create mapping + +The entity type must be mapped property by property to the exported attributes of SharePoint objects (namely, the columns of the CSV source files generated by the export). + +The [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping), [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping), and Entity Type Mapping elements serve this purpose. + +#### Entity type mapping + +The [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) element maps the scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the ```ConnectionTable``` xml attribute. The target entity type name is written to the ```Identifier``` xml attribute. + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + ... + +```` +To do so, the entity type mapping element uses the [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target EntityType property which is written to the **Identifier** attribute. + +##### Example +``` + +**Conf/SharePoint/SharePoint Connector.xml** + +... ... + +```` +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source file data. + +#### Entity association mapping + +The [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) element maps the navigation properties used in [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation). 
+ +An [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) element refers to an [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) written to the ```Identifier``` xml attribute. Then, like [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping), it maps column values from a CSV source file to an EntityType property. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... +```` + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Nav + +A [Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) can be added to include a link to the resources list in the left menu on the UI home screen. + +#### Parent menu item + +It is strongly recommended that you gather synchronized resources menu items under parent menu items. This is usually declared in the `Nav.xml` file in the configuration root folder. + +##### Example + +```xml +**Conf/Nav.xml** + +... + +... +```` + + +#### Child menu item + +It is strongly recommended to use a new ```SharePoint Nav.xml``` file in the ```SharePoint``` connector's folder to add the SharePoint objects menu item. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Nav.xml +... +... + +```` +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root `Nav.xml` file. This new menu item gives access to the list of synchronized SharePoint entities. + +### Display + +It is strongly recommended that the display configuration be written to a new `SharePoint UI.xml` file in the `SharePoint` connector's folder. + +#### Display entity type + +The [Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) describes how a single resource should be displayed. 
+ +##### Example +``` + +**Conf/SharePoint/SharePoint UI.xml** + +... ... + +```` +The scalar properties require no configuration: they are automatically displayed. The only information that the [Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +[Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) elements describe how a list of resources should be displayed. + +The [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) contains a list of display table column elements that identify which properties should be included in the list display. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml +... + ... +```` + +#### Internal display name + +An `InternalDisplayName` can also be declared as an [Entity Model](../../../integration-guide/entity-model). The `InternalDisplayName` is used in several UI screens to identify a resource for the user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the identity) containing the string _"name"_. If no such property is found, the first declared property of the entity type is used. + +##### Example + +```xml +**Conf/SharePoint/SharePoint Connector.xml** + +... ... +```` + + +This example adds the ```InternalDisplayName``` to the ```SharePoint_Entity```, ```SharePoint_Role```, ```SharePoint_Object``` and ```SharePoint_RoleAssignment``` entity types to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector. 
+ +The [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) and [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) elements define [AccessControlPermission](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```SharePoint Profile Administrator.xml``` file. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Profile Administrator.xml +... + ... + +```` +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display `SharePoint_Entity` resource and role categories from the UI. + +## Jobs + +### Construction + +It is strongly recommended to write Jobs associated with the `SharePoint` connector to the `Conf/SharePoint/SharePoint Jobs.xml` file. + +A job is declared with the `` xml element. It contains Tasks that perform the main steps and other related operations. + +#### Example +``` + +**Conf/SharePoint/SharePoint Jobs.xml** + +... ... ... + +```` +Notice the __Agent__ attribute that contains the name of the Agent which executes the Job. This attribute is mandatory for a Job containing Tasks executed agent-side, even if a unique local Agent exists. See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information. 
+ +### Components + +The[Upward Data Synchronization](../../../integration-guide/synchronization/upward-data-sync)job includes three steps: + +- Export +- Prepare-Synchro +- Synchro + +These three steps are all contained in a which allows the generation of the Incremental Synchronization configuration. See the [Create Connector Synchro Incremental](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental) topic for additional information. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml +... + ... +```` + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files over to the Server. These operations are protected by an authorization mechanism. + +To complete a Job, the Agent, via the[Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job) uses: + +- a [Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile) associated with +the Job itself, to read/write: + - `UJ_Jobs` and `UJ_Tasks` tables in a list of tasks + - `UJ_JobInstances` tables in the progress report +- a Profile for each Task, to read/write `UJ_TaskInstances` tables (Progress Report) and perform +other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + +```xml +**Conf/Profile AgentJob.xml** + +... ... 
+```` + + +As the Principle of Least Privilege states, Netwrix Identity Manager (formerly Usercube) strongly recommends that you create a[Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile) to be used during the Synchronization jobs which will be different from the one used during the Provisioning job. This contributes to separating access rights. +The same principle applied even more rigorously would make Identity Manager create one profile per Task. It isn't necessary as most Synchronization tasks require the same permissions. + +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the [Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job) tool, the profile linked to these tasks and used by the tool should be authorized to execute said tasks. + +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +__View Tasks__ + +- ```/Jobs/Task/Query``` + +__Progress Report__ + +- ```/Jobs/JobInstance/Query``` +- ```/Jobs/JobInstance/Update``` +- ```/Jobs/TaskInstance/Query``` +- ```/Jobs/TaskInstance/Update``` + +__Synchronization and Prepare-Synchronization__ + +- ```/Connectors/Connector/Query``` +- ```/Connectors/SynchronizeSession``` + +Granting access can be done via the [SynchronizationAccessControlRules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules) and the [Job View Access Control Rules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules). + +The following examples should be written to ```Conf/Profile AgentSychro.xml```. 
+ +##### Example + +The following example entitles the administrator to run any Synchronization job: + + ``` + +```` +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via the[Job Execution Access Control Rules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules) scaffolding. + +##### Example +``` + +```` +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's a[Profile](../../../integration-guide/toolkit/xml-configuration/access-control/profile)is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. + +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) xml element. + +It is strongly recommended to write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the[Usercube-New-OpenIDSecret](../../../integration-guide/executables/references/new-openidsecret) tool. + + ``` + + Conf/OpenIdClients.xml +... + +... +```` + +```xml +**Conf/OpenIdClients.xml** + +... ... 
+```` + + +#### Set up the Agent to use ClientId/Secret pairs + +The ```ClientId/Secret``` pairs that the Agent may use are written to the Agent's [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) technical configuration set. + +The ```ClientId``` of such ```ClientId/Secret``` pairs can then be used as a value in a Task __OpenIdClient__ attribute. + +Pairs written in the ```OpenIdClient``` section may be used by Tasks. + +The Job itself uses the ```DefaultOpenIdClient``` value. + +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "OpenId":{ +> "OpenIdClients": { +> "Job": "secret" +> }, +> "DefaultOpenIdClient": "Job" +> } +> } +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external scheduler. + +#### With Scheduler + +Use the [Job](../../../integration-guide/toolkit/xml-configuration/jobs/job) attribute. + +> This example uses Identity Manager's scheduler to execute the ```SharePoint_Synchronization_Delta``` job every fifteen minutes: +> +> ``` +> +> Conf/SharePoint/SharePoint Jobs.xml +> ... +> +> +> ``` + +For more details about checking Crontab expressions, see the [crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the [Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job) tool. + +##### Example + +The following command can be scheduled. It executes the ```SharePoint_Synchronization_Delta``` job using the "Job/Secret" authentication pair to connect to the Identity Manager Server at ```http://identitymanager.contoso.com```. + + ``` + +./Usercube-Invoke-Job.exe -j "SharePoint_Synchronization_Delta" --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" + +```` + 
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-powershell-script.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-powershell-script.md
new file mode 100644
index 0000000000..1abdb1cb52
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-powershell-script.md
@@ -0,0 +1,309 @@
+---
+title: "Write a PowerShell Script for Provisioning"
+description: "Write a PowerShell Script for Provisioning"
+sidebar_position: 100
+---
+
+# Write a PowerShell Script for Provisioning
+
+This guide shows how to write a PowerShell script used by the [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov) connector.
+
+## Structure of a PowerShell Script
+
+The goal of the script is to append, for each provisioning order, a line in a CSV file.
+
+Let's consider the following `ResourceType`:
+
+```text
+...
+ ...
+```
+
+The end of the CSV file must look like:
+
+```text
+command;identifier;firstName;lastName
+...
+insert;007;James;Bond
+...
+```
+
+### Define the common part of every script
+
+The goal of the common part is to get all required variables needed by the script.
+
+Two parameters are required at the top of the script:
+
+```text
+param(
+ [Parameter(Mandatory = $true)][string]$resultsFilePath,
+ [Parameter(Mandatory = $true)][string]$ordersPath
+)
+```
+
+- `resultsFilePath` is the agent-side path of the result file containing the summary of the executed
+and errored orders.
+- `ordersPath` is the agent-side folder path containing the JSON provisioning orders.
+
+It is important for these settings to be defined at the top of the script and keep these names because they are filled by the `Fulfill-PowerShell` connector.
+
+The `Fulfill-CSV.ps1` script must be placed in the script folder of Identity Manager containing the `Environment.ps1` script. Thanks to this, environment variables (such as `$runtimePath`) are loaded and can be used in the script:
+
+```powershell
+. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1")
+. (Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1")
+```
+
+### Define the specific function
+
+A function which is called for each provisioning order must be defined.
+
+#### Define the header
+
+The header is always the same. Only the name of the function can change:
+
+```json
+function Fulfill-CSV {
+ param ([parameter(Mandatory = $true)] $order)
+```
+
+The previous parameter `$order` is an object corresponding to the following provisioning order (JSON):
+
+```json
+{
+ "ProvisioningOrdersList": [{
+ "AssignedResourceTypeId": "3930001",
+ "ChangeType": "Added",
+ "WorkflowInstanceId": "81",
+ "Owner": {
+ "Id": "21511",
+ "InternalDisplayName": "007 - Bond James",
+ "Identifier": "007",
+ "EmployeeId": "007",
+ "PhotoTag": -3065,
+ "MainFirstName": "James",
+ "MainLastName": "Bond",
+ ...
+ },
+ "ResourceType": {
+ "Id": "-41",
+ "SourceEntityType": {
+ "Id": "51",
+ "Identifier": "Directory_User"
+ },
+ "TargetEntityType": {
+ "Id": "70",
+ "Identifier": "PowerShellCsv_User"
+ },
+ "Identifier": "PowerShellCsv_User_NominativeUser"
+ },
+ "Changes": {
+ "identifier": "007",
+ "firstName": "James",
+ "lastName": "Bond"
+ }
+ }]
+}
+```
+
+There can be more sections and attributes.
+
+#### Define mandatory parameters
+
+The `ChangeType` parameter (`Added`, `Deleted` or `Modified`) is always mandatory and must be checked.
+
+Depending on the function requirements, other parameters should be checked. For example, the function below always needs an identifier to work properly, therefore you should check its presence.
+
+```text
+ $changeType = $order.ChangeType
+ # if the change type is not recognized, we throw an error
+ if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') {
+ $artId = $order.AssignedResourceTypeId
+ throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'"
+ }
+
+ # if the section is Changes, we want to create/update the identifier
+ $identifier = $order.Changes.identifier
+ if(!$identifier){
+ # if the section is Resources, we want to keep the same identifier
+ $identifier = $order.Resource.identifier
+ if(!$identifier){
+ throw "identifier is the primary key and must not be null."
+ }
+ }
+```
+
+#### Define order processing
+
+This is the last part of the function:
+
+- Parameters from the provisioning order are stored in variables.
+- A specific treatment is applied if `ChangeType` is `Added`, `Deleted` or `Modified`.
+
+```text
+ # firstName and lastName are the two other properties of the ResourceType
+ $firstName = $order.Changes.firstName
+ $lastName = $order.Changes.lastName
+
+ # change type defines what is written in the 'command' column
+ if ($changeType -eq 'Added') {
+ $command = "Insert"
+ }
+ elseif ($changeType -eq 'Deleted') {
+ $command = "Delete"
+ }
+ elseif ($changeType -eq 'Modified') {
+ $command = "Update"
+ }
+
+ # CSV columns are command, identifier, firstName and lastName
+ $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" }
+}
+```
+
+**Define how to send logs to Identity Manager**
+
+The three methods to log in Identity Manager are:
+
+- **Write-Host**: writes Information in the log.
+- **Throw**: raises an exception (which stops the script), and writes the Error in the log (the
+provisioning order will be errored too).
+- **Write-Error**: writes Error in the log (the provisioning order will be errored too). It is not
+recommended because the script continues its execution.
+
+Now that the function has been defined, the main code of the script can be written.
+
+### Write the main code of the script
+
+**Read the options parameter from the standard input**
+
+The options parameter isn't mandatory in the JSON file. If it isn't provided, don't perform this step.
+
+```text
+# Just to show how to read the options in the script
+$options = [System.Console]::ReadLine()
+$options = ConvertFrom-Json $options
+$options.Message # -> Hello
+```
+
+**Rest of the main script**
+
+In general, this part contains the code to connect to the external system and executes the `Usercube-Visit-Orders` script.
+
+```shell
+# The goal of the script is to write the users in the following CSV file
+$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv"
+
+# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function
+$powershellResults = @()
+
+# Usercube-Visit-Orders is provided by Usercube, it must not be modified
+# It loops on the provisioning orders and calls Fulfill-CSV on each of them
+Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV
+
+# We write the results in $powershellResultFilePath
+if ($powershellResults.Length -gt 0){
+ $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath
+}
+```
+
+Never modify `Usercube-Visit-Orders.ps1`.
+
+## Synthesis
+
+### Skeleton
+
+To sum up the previous part, the script can be written as follows:
+
+```text
+# Common part
+
+# Specific function
+ # Header of the function
+ # Check mandatory parameters
+ # Order processing (treatment for Added, Deleted or Modified)
+
+# Main script
+ # Read standard input (Optional)
+ # Rest of the main script (Connection, Usercube-Visit-Order...)
+```
+
+### Full script
+
+The full script is as follows:
+
+```shell
+# Common part
+
+param(
+ [Parameter(Mandatory = $true)][string]$resultsFilePath,
+ [Parameter(Mandatory = $true)][string]$ordersPath
+)
+
+. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1")
+. (Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1")
+
+# Specific function
+
+function Fulfill-CSV {
+ param ([parameter(Mandatory = $true)] $order)
+
+ $changeType = $order.ChangeType
+ # if the change type is not recognized, we throw an error
+ if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') {
+ $artId = $order.AssignedResourceTypeId
+ throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'"
+ }
+
+ # if the section is Changes, we want to create/update the identifier
+ $identifier = $order.Changes.identifier
+ if(!$identifier){
+ # if the section is Resources, we want to keep the same identifier
+ $identifier = $order.Resource.identifier
+ if(!$identifier){
+ throw "identifier is the primary key and must not be null."
+ }
+ }
+
+ # firstName and lastName are the two other properties of the ResourceType
+ $firstName = $order.Changes.firstName
+ $lastName = $order.Changes.lastName
+
+ # change type defines what is written in the 'command' column
+ if ($changeType -eq 'Added') {
+ $command = "Insert"
+ }
+ elseif ($changeType -eq 'Deleted') {
+ $command = "Delete"
+ }
+ elseif ($changeType -eq 'Modified') {
+ $command = "Update"
+ }
+
+ # CSV columns are command, identifier, firstName and lastName
+ $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" }
+}
+
+# Main script
+
+# Just to show how to read the options in the script
+$options = [System.Console]::ReadLine()
+$options = ConvertFrom-Json $options
+$options.Message # -> Hello
+
+# The goal of the script is to write the users in the following CSV file
+$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv"
+
+# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function
+$powershellResults = @()
+
+# Usercube-Visit-Orders is provided by Usercube, it must not be modified
+# It loops on the provisioning orders and calls Fulfill-CSV on each of them
+Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV
+
+# We write the results in $powershellResultFilePath
+if ($powershellResults.Length -gt 0){
+ $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath
+}
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-robotframework-script.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-robotframework-script.md
new file mode 100644
index 0000000000..0d2ac28f6d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-fulfill-robotframework-script.md
@@ -0,0 +1,433 @@
+---
+title: "Write a Robot Framework Script"
+description: "Write a Robot Framework Script"
+sidebar_position: 130
+---
+
+# Write a Robot Framework Script
+
+This guide shows how to write a Robot Framework script that will be used by [Robot Framework](../../../integration-guide/connectors/references-connectors/robotframework).
+
+## Structure of a Robot Framework Script
+
+### Build the skeleton
+
+A Robot Framework script is divided into four main parts:
+
+1. **Settings**: contains the instructions to import library or external resource files.
+2. **Variables**: contains the global variables shared by all the functions in the script.
+3. **Keywords**: contains all the functions defined by the user.
+4. **Test Cases**: contains the functions which will be run when the script is launched.
+
+#### Example
+
+```text
+*** Settings ***
+Library Telnet
+
+*** Variables ***
+${IPADDRESS} 192.168.1.22
+
+*** Keywords ***
+Open Telnet Connection
+ Open Connection ${IPADDRESS} prompt=$
+
+*** Test Cases ***
+Run Provisioning
+ Open Telnet Connection
+```
+
+Let's analyze the four parts of this example:
+
+- **Settings**: we import here the Telnet library to use the functions defined in it.
+- **Variables**: we define the variable `IPADDRESS` to use it later.
+- **Keywords**: we define a custom function called `Open Telnet Connection`. It will use a function
+defined in the Telnet library (called `Open Connection`) and the variable `IPADDRESS` which has been defined before in the `Variables` section.
+- **Test Cases**: we define here the main function which we choose to call `Run Provisioning` (it
+can be named anything), and which will be run when launching the script. It will use the function `Open Telnet Connection`.
+
+Robot Framework needs two spaces between two different instructions to parse them correctly. For example, `Open Connection` consists of only one instruction. Only one space is thus needed between the two words.
But, `Open Connection ${IPADDRESS}` consists of two instructions, the function and the parameter. Two spaces are then required to separate `Connection` from `${IPADDRESS}`. To read your script more easily, you could also use the pipe character (`|`) between instructions, like this: `Open Connection | ${IPADDRESS}`.
+
+See the [Robot Framework Libraries](https://robotframework.org/#robot-framework-libraries) for additional information.
+
+### Define specific functions
+
+To use a Robot Framework script for provisioning external systems with Identity Manager, the following elements are required in the script:
+
+- The import of a resource file written by Identity Manager called
+`UsercubeRobotFramework.resource`.
+- The definition of three functions which will be called by Identity Manager to perform three
+required actions: `ExecuteAdd`, `ExecuteDelete` and `ExecuteModify`. These functions are where you will write the actions to perform on the external system.
+- The use of one function to start the provisioning called `Launch Provisioning`.
+
+Never modify the resource file `UsercubeRobotFramework.resource`.
+
+#### Example
+
+The resource file defined at the beginning of the script is located in Identity Manager's `Runtime` folder. Therefore, you will have to change the path accordingly.
+
+```text
+*** Settings ***
+Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource
+
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ ...
+
+ExecuteDelete
+ [Arguments] ${order}
+ ...
+
+ExecuteModify
+ [Arguments] ${order}
+ ...
+
+...
+
+*** Test Cases ***
+Run Provisioning
+ ...
+ Launch Provisioning
+ ...
+```
+
+The parameter `${order}` is mandatory only for the three functions: `ExecuteAdd`, `ExecuteDelete` and `ExecuteModify`.
It is an object corresponding to the following sample provisioning order (JSON):
+
+```json
+{
+ "AssignedResourceTypeId": "3930001",
+ "ChangeType": "Added",
+ "WorkflowInstanceId": "81",
+ "Owner": {
+ "Id": "21511",
+ "InternalDisplayName": "007 - Bond James",
+ "Identifier": "007",
+ "EmployeeId": "007",
+ "PhotoTag": -3065,
+ "MainFirstName": "James",
+ "MainLastName": "Bond",
+ ...
+ },
+ "ResourceType": {
+ "Id": "-41",
+ "SourceEntityType": {
+ "Id": "51",
+ "Identifier": "Directory_User"
+ },
+ "TargetEntityType": {
+ "Id": "70",
+ "Identifier": "RobotFramework_User"
+ },
+ "Identifier": "RobotFramework_User_NominativeUser"
+ },
+ "Changes": {
+ "identifier": "007",
+ "firstName": "James",
+ "lastName": "Bond"
+ }
+}
+```
+
+The elements of `${order}`can be accessed like this: `${order['Changes']['identifier']}`.
+
+See the [Robot Framework User Guide](https://robotframework.org/robotframework/latest/RobotFrameworkUserGuide.html) for additional information.
+
+## Keywords
+
+ | Keyword | Details |
+ | --- | --- |
+ | Catch Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args` if the keyword launched by `Try Keyword` failed. If `Try Keyword` was not called, this keyword will not do anything. `Catch Keyword` should always be called right after `Try Keyword`. **Example** Try to connect to `Usercube.com`. If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` |
+ | Generate Password | **Description** Generates a password based on the [Password Reset Settings](../../../integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings) associated to the [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings) being provisioned.
`Send Password Notification` should always be called after `Generate Password`, preferably right after the password is used. If `Send Password Notification` is not called before the provisioning of the resource is over, it will automatically be called. If multiple passwords should be generated, `Send Password Notification` should be called after each password generation. **Returns** `Password`: string |
+ | Get Secure Data | **Arguments** `Attribute`: string `Erase Data`: boolean **Description** Retrieves the secured option `Attribute` from the connector configuration. If `Erase Data` is set to true, the secured option is deleted once it is read. **Example** Get Login option and erase it: ```Get Secure Data | Login | True``` |
+ | Launch Provisioning | **Description** Launches the provisioning defined by the provisioning orders. This keyword is required for any provisioning to happen. |
+ | Log Debug | **Arguments** `Message`: string **Description** Logs `Message` at the `Debug` log level. **Example** Log a keyword failure message: `Log Debug The keyword has failed` |
+ | Log Error | **Arguments** `Message`: string **Description** Logs `Message` at the `Error` log level. **Example** Log a keyword failure message: `Log Error The keyword has failed` |
+ | Send Password Notification | **Description** Sends a notification containing the last password generated. If `Generate Password` is called and `Send Password Notification` is not called before the provisioning of the resource is over, `Send Password Notification` will automatically be called. |
+ | Try Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args`, and ignores its errors. If `Keyword` fails, the keyword sent to `Catch Keyword` will run. `Try Keyword` should always be called right before `Catch Keyword`. **Example** Try to connect to `Usercube.com`.
If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` |
+
+## Error handling
+
+Consider a web application that contains user information. Suppose a user is missing from the web application. When the script attempts to reach the user's information page, it will reach an error page, and fail. The next user's provisioning starts, but the web browser is still on the error page, so the script keeps failing.
+
+In this example, if a user's provisioning fails, each subsequent provisioning will fail. This failure issue can be solved with the error handling custom keywords.
+
+Consider the following example using the Robot Framework Selenium library:
+
+```text
+Open Identity Manager Website
+ Open Browser
+ Connect To Usercube
+ [Teardown] Close Browser
+
+Restart Browser
+ [Arguments] ${url}
+ Log Debug An error has occured, restarting the browser
+ Close Browser
+ Open Browser ${url}
+
+Connect To Usercube
+ Try Keyword Go To Usercube.com
+ Catch Keyword Restart Browser Usercube.com
+ Page Should Contain Usercube
+```
+
+In this example, the keyword `Open Identity Manager Website` opens a browser, then calls `Connect To Usercube`. To ensure that the browser is closed regardless of the script's success, the `Close Browser` keyword is used in a teardown. A keyword in a teardown is always executed regardless of what happens in the script or in the teardown.
+
+The `Restart Browser` keyword logs a debug message before restarting the browser to help debug the script. The `Connect To Usercube` tries to use the `Go To` keyword to connect to the `Usercube.com` web page. As `Go To` is used with `Try Keyword`, if the execution fails, `Restart Browser` is called by `Catch Keyword`. This means that if the browser fails to load `Usercube.com`, the browser restarts. Last, `Connect To Usercube` verifies that the page contains the word `Usercube`.
+
+### Error Handling for ExecuteAdd, ExecuteDelete, and ExecuteModify
+
+The `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify` methods are harder to interact with. First, it is not possible to get their execution status within the script. Second, if the execution failed, it should be kept as a failure in order to log the failure.
+
+To simplify error handling, consider the following structure:
+
+```text
+Execute Add
+ [Arguments] ${order}
+ Try Keyword Add User ${order}
+ Catch Keyword Restart Program And Fail Add User failed.
+
+Add User
+ [Arguments] ${order}
+ Click New User
+ Fill In Information ${order}
+ Click Add User
+
+Restart Program And Fail
+ [Arguments] ${failmessage}
+ Close Program
+ Start Program
+ Fail ${failmessage}
+```
+
+In this example, `ExecuteAdd` does not call the custom keywords to add a new user directly, and only calls `Add User` instead. This means that it is possible to call `Add User` from the `Try Keyword` keyword. If `Add User` fails, then `Execute Add` fails. Therefore it is possible to catch a failure with this structure.
+
+Note that `Restart Program And Fail` fails. This failure is necessary as the provisioning order would be counted as a success otherwise.
+
+## Testing a RobotFramework script
+
+In order to write a RobotFramework script, we need to test that it works. It is possible to test the script by running a fulfillment job from the Identity Manager interface. While this kind of test proves that everything works as expected, it can take a long time. There is a faster method to check that the script runs.
+
+Suppose the RobotFramework script's path is `RobotFramework/script.robot`.
+
+We need the following elements :
+
+- A provisioning order, in folder `RobotFrameworkScript/Order`. The provisioning order can be
+encrypted or unencrypted. The script will write the encrypted results to `RobotFrameworkScript/Order/results.csv`.
+- The path to the `Runtime` folder.
In our example, we will consider this path as
+`C:/identitymanagerDemo/Runtime`.
+
+The `RobotFramework/script.robot` script may be run from the command prompt.
+
+```text
+cd RobotFramework
+
+robot --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/identitymanagerDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot
+```
+
+This command will generate an output file, a log file, and a report file in the `RobotFramework` folder. This command will also write information to the command prompt.
+
+For most testing cases, we only care about the command prompt information and the log file, written at `RobotFramework/log.html`. The other outputs can be removed.
+
+```text
+cd RobotFramework
+
+robot --loglevel NONE --report NONE --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/identitymanagerDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot
+```
+
+### `Get Secure Data` and `Generate Password`
+
+Most keywords are not different when a script is launched manually. The keywords `Get Secure Data` and `Generate Password` are exceptions.
+
+- `Get Secure Data`: This keyword expects the Robot Framework process to receive a json list of
+attributes in the stdin stream. This can be provided manually by writing the data in the command prompt. As an example, if the script requires a `Login` and `Password` attribute : `{"Login":"login","Password":"password"}`
+- `Generate Password`: This keyword expects a file that contains the
+[Password Reset Settings](../../../integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings) associated to the provisioned [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings). The easiest way to enable the `Generate Password` keyword is as follow:
+ - Launch the Robot Framework fulfillment through the Identity Manager web application with a
+blank script.
+ - Copy the `PasswordResetSettings` folder generated in the most recent subfolder of
+`Work/FulfillRobotFramework`.
+ - Paste the folder in the same folder as the provisioning order.
+
+## Use Case: Write a Script to Fulfill a CSV File
+
+The goal of the script is to append, for each provisioning order, a line in a CSV file located on an external system which we will access through a Telnet connection.
+
+Let's consider the following `ResourceType`:
+
+```text
+...
+ ...
+```
+
+The end of the CSV file must look like:
+
+```text
+command;identifier;firstName;lastName
+...
+Insert;007;James;Bond
+...
+```
+
+### Define settings
+
+In every Robot Framework script, we need to import the resource file `UsercubeRobotFramework.resource`. In this example, we also need to import the Telnet library to use its functions.
+
+```text
+*** Settings ***
+Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource
+Library Telnet
+```
+
+### Define variables
+
+To connect to the external system through Telnet, we need an IP address corresponding to the external system. We will store the IP address in the global variable `${IPADDRESS}`. We also use the global variable `${CSVFILEPATH}` to define the CSV file where the data will be written in the external system.
+
+```text
+*** Variables ***
+${CSVFILEPATH} /home/contoso/robotframework_users.csv
+${IPADDRESS} 192.168.1.22
+```
+
+### Define custom keywords
+
+We define all the custom functions which we will use to provision the external system:
+
+- `Delete CSV File`: removes a possible pre-existing CSV file.
+- `Write In CSV`: executes a command to write the line in the CSV file in the external system.
+- `Write Data`: formats the line to write in the CSV and calls `Write In CSV` to write it.
+- `Write Header`: defines the header to write in the CSV and calls `Write Data` to write it.
+- `Open Telnet Connection`: opens the Telnet connection to the external system using the login and
+the password defined in the [Robot Framework](../../../integration-guide/connectors/references-connectors/robotframework) attribute in `appsettings.agent.json`, as well as the IP address defined in the `Variables` section.
+
+```text
+*** Keywords ***
+Delete CSV File
+ Execute Command rm ${CSVFILEPATH}
+
+Write In CSV
+ [Arguments] ${line}
+ Execute Command echo ${line} >> ${CSVFILEPATH}
+
+Write Data
+ [Arguments] ${command} ${identifier} ${firstName} ${lastName}
+ Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"'
+
+Write Header
+ Write Data Command identifier firstName lastName
+
+Open Telnet Connection
+ Open Connection ${IPADDRESS} prompt=$
+ Read Until login
+ ${LOGIN}= Get Secure Data Login False
+ Write ${LOGIN}
+ Read Until Password
+ ${PASSWORD}= Get Secure Data Password True
+ Write ${PASSWORD}
+```
+
+The method `Get Secure Data` will retrieve the value of the attributes filled in the options in `appsettings.agent.json`. This is the method strongly recommended by Identity Manager. However, you could also enter the value directly into the script (example: `${LOGIN}= UserName`). This may be easier for initial testing purposes.
+
+### Define mandatory keywords
+
+To be able to provision the external system, we need the three required functions: `ExecuteAdd`, `ExecuteDelete` and `ExecuteModify`. These methods are called by the connector depending on the action to perform on the external system.
+
+```text
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']}
+
+ExecuteDelete
+ [Arguments] ${order}
+ Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']}
+
+ExecuteModify
+ [Arguments] ${order}
+ Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']}
+```
+
+Here, for each action, we use the function `Write Data` defined in the previous section to write the changes to the CSV file with a corresponding word `Insert`, `Delete` or `Update`.
+
+### Define test cases
+
+The function launched by the Robot Framework script will be written in the section `Test Cases` and will be called `Run Provisioning`.
+
+```text
+*** Test Cases ***
+Run Provisioning
+ Open Telnet Connection
+ Delete CSV File
+ Write Header
+ Launch Provisioning
+ Close All Connections
+```
+
+In our test case, we will perform the following operations in `Run Provisioning`:
+
+- Open the Telnet connection with the external system.
+- Remove a possible pre-existing CSV file.
+- Write the header to the new CSV file.
+- Launch the Identity Manager provisioning. The method `Launch Provisioning` is mandatory when using
+the Robot Framework connector.
+- Close the Telnet connection with the external system.
+
+### Read the full script
+
+The full script is as follows:
+
+```text
+*** Settings ***
+Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource
+Library Telnet
+
+*** Variables ***
+${CSVFILEPATH} /home/contoso/robotframework_users.csv
+${IPADDRESS} 192.168.1.22
+
+*** Keywords ***
+ExecuteAdd
+ [Arguments] ${order}
+ Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']}
+
+ExecuteDelete
+ [Arguments] ${order}
+ Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']}
+
+ExecuteModify
+ [Arguments] ${order}
+ Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']}
+
+Delete CSV File
+ Execute Command rm ${CSVFILEPATH}
+
+Write In CSV
+ [Arguments] ${line}
+ Execute Command echo ${line} >> ${CSVFILEPATH}
+
+Write Data
+ [Arguments] ${command} ${identifier} ${firstName} ${lastName}
+ Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"'
+
+Write Header
+ Write Data Command identifier firstName lastName
+
+Open Telnet Connection
+ Open Connection ${IPADDRESS} prompt=$
+ Read Until login
+ ${LOGIN}= Get Secure Data Login False
+ Write ${LOGIN}
+ Read Until Password
+ ${PASSWORD}= Get Secure Data Password True
+ Write ${PASSWORD}
+
+*** Test Cases ***
+Run Provisioning
+ Open Telnet Connection
+ Delete CSV File
+ Write Header
+ Launch Provisioning
+ Close All Connections
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-sync-powershell-script.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-sync-powershell-script.md
new file mode 100644
index 0000000000..fafe42f887
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-sync-powershell-script.md
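Review bot: `Write In CSV` in the "Define custom keywords" example (and its copy under "Read the full script") passes provisioning-order values to the remote shell through `Execute Command echo ${line} >> ${CSVFILEPATH}`, and `Write Data` only wraps the line in single quotes, so an `identifier`, `firstName` or `lastName` that contains a quote or a shell metacharacter would presumably alter the command executed on the external system. I would add a sentence after that code block, for example `Values taken from ${order} are identity data and must be validated or escaped before they are passed to Execute Command.` The same section sends the `Get Secure Data` login and password over Telnet, which is not encrypted, so the guide should state that assumption; and the sentence allowing `${LOGIN}= UserName` in the script should add that hard-coded credentials are for local testing only and must be removed before the script is deployed.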
@@ -0,0 +1,12 @@
+---
+title: "Write a PowerShell Script for Synchronization"
+description: "Write a PowerShell Script for Synchronization"
+sidebar_position: 110
+---
+
+# Write a PowerShell Script for Synchronization
+
+This guide shows how to write a PowerShell script used by the [PowerShellSync](../../../integration-guide/connectors/references-connectors/powershellsync) connector.
+
+The documentation is not yet available for this page and will be completed in the near future.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-ticket-template.md b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-ticket-template.md
new file mode 100644
index 0000000000..48830ab4df
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/configuration-details/write-ticket-template.md
@@ -0,0 +1,82 @@
+---
+title: "Write a Template for a Ticket Connector"
+description: "Write a Template for a Ticket Connector"
+sidebar_position: 90
+---
+
+# Write a Template for a Ticket Connector
+
+This guide shows how to write a template that will be used by a Ticket connector to complete the title and the description of the ticket. The information which will be written in the ticket will come from the generated provisioning order and from literal strings written in the template.
+
+## Attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Username | **Type** String **Description** Is the name of the user for which the ticket is created. |
+ | ResourceType | **Type** String **Description** Is the identifier or the resource type. |
+ | UsercubeProfileLink | **Type** String **Description** Is the link allowing to access the user profile. |
+ | AddedLinkedEntities | **Type** List **Description** Is the list of links to add in the system. |
+ | RemovedLinkedEntities | **Type** List **Description** Is the list of links to remove in the system. |
+ | DisplayAdd | **Type** Boolean **Description** True if there are any links to add. |
+ | DisplayRemove | **Type** Boolean **Description** True if there are any links to remove. |
+ | Entity | **Type** Dictionary **Description** Is the list of values to assign to the resource. |
+ | ProvisioningOrder.ChangeType | **Type** String **Description** Corresponds to the action of the provisioning order (Added, Deleted, Modified). |
+ | ProvisioningOrder.Changes | **Type** Dictionary **Description** Is the list of changes. |
+ | ProvisioningOrder.Resource | **Type** Dictionary **Description** Is the current state of the resource. |
+ | ProvisioningOrder.Owner | **Type** Dictionary **Description** Is the owner of the resource. |
+
+## Operations
+
+The template uses the [Mustache](https://mustache.github.io/mustache.5.html) syntax.
Several operations are already provided, but you can find more on this [page](https://handlebarsjs.com/guide/builtin-helpers.html).
+
+Identity Manager also provides a way of using conditions with Mustache for the following operations:
+
+- `>`: superior to
+- `<`: inferior to
+- `==`: equal to
+- `!=`: different from
+
+### Example
+
+```json
+{{#each ProvisioningOrder.Changes}}
+ {{#ifCond this '==' 'INTERNAL'}}
+ This account is for an internal employee.
+ {{else}}
+ This account is for an external employee.
+ {{/ifCond}}
+{{/each}}
+```
+
+This template goes through all the changes provided by the provisioning order. If any one of them meets the condition for an internal employee, we display the internal employee message. Several messages can be shown if several changes meet the condition.
+
+## Template example
+
+```json
+Please create a resource "{{ResourceType}}" for user {{Username}}.
+
+**For more information on the user, see: {{UsercubeProfileLink}}**
+
+{{#ifCond ProvisioningOrder.ChangeType '==' 'Deleted'}}
+ To delete the account, please contact the IT team.
+{{/ifCond}}
+
+{{#each ProvisioningOrder.Changes}}
+ This is a change: {{this}}
+{{/each}}
+
+The resource must have the following values:
+{{#Entity.GetEnumerator}}
+ - {{Key}}: {{Value}}
+{{/Entity.GetEnumerator}}
+
+{{#DisplayAdd}}
+Add the following links:
+{{/DisplayAdd}}
+{{#AddedLinkedEntities}}
+ - {{Name}}
+{{#Values.GetEnumerator}}
+ - {{Value}}: {{Key}}
+{{/Values.GetEnumerator}}
+{{/AddedLinkedEntities}}
+```
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/entitypropertymapping-format.md b/docs/identitymanager/6.3/integration-guide/connectors/entitypropertymapping-format.md
new file mode 100644
index 0000000000..cbe89ec7b9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/entitypropertymapping-format.md
@@ -0,0 +1,133 @@
+---
+title: "References: Format for the EntityPropertyMapping"
+description: "References: Format for the EntityPropertyMapping"
+sidebar_position: 40
+---
+
+# References: Format for the EntityPropertyMapping
+
+This page lists all available formats for entity properties, in order to help you manage said formats when exporting and fulfilling resources from/to external systems.
+
+The attribute `Format` can be defined in an EntityPropertyMapping to indicate the format of the data in the external system. It will allow Identity Manager to correctly convert the data to its own format during the export and fulfillment processes.
+
+## Available Formats
+
+### Active Directory / LDAP / OpenLDAP
+
+ | Format | Corresponding Property Type | Note |
+ | --- | --- | --- |
+ | _Bit:``:``_ | String/Int16/Int32/Int64 | When provisioning a bitmask property, for example `userAccountControl`, the format must contain the identifier of the property and the bit to be provisioned, for example `bit:userAccountControl:2`. |
+ | _Bool_ | Bool | |
+ | _Byte_ | Byte | |
+ | _Bytes/Binary_ | Bytes/Binary | |
+ | _Concat:separator_ | String | Mono-valued attribute that may contain multiple values separated by a `` (example: `extensionAttribute15` which requires using `concat:;`) |
+ | _DateTime/1601Date_ | DateTime | [Classic LDAP Dates](https://www.epochconverter.com/ldap) and [Generalized DateTimes](https://ldapwiki.com/wiki/GeneralizedTime) |
+ | _Double_ | Double | |
+ | _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) |
+ | _Int16_ | Int16 | |
+ | _Int32_ | Int32 | |
+ | _Int64_ | Int64/ForeignKey/Option | Some attributes are stored as long integers (_Int64_) even though their name implies that they hold dates, like `accountExpires` and `pwdLastSet` attributes. |
+ | _MultivaluedText_ | String | Multi-valued attribute flattened to a string containing values separated by a `\n`.
Its provisioning with a scalar rule requires a specific sorting, see the focus under this table. |
+ | _RDN_ | String | [Relative Distinguished Name](https://ldap.com/ldap-dns-and-rdns/) |
+ | _SID_ | String | [Security Identifiers](https://ldapwiki.com/wiki/ObjectSID) |
+
+#### Focus on Bit
+
+Some systems use bitmask properties, i.e. properties containing a set of boolean flags represented by individual bits.
+
+Scalar properties are provisioned by scalar rules, usually changing the whole value of the property. For bitmask properties, changing the whole value often requires an unnecessarily complex expression. Hence, a bitmask property should be modified one bit at a time (bit provisioning). In order to change only one flag without altering the others, a bitmask property must be completed by one fictitious property for each bit to be modified.
+
+Then scalar rules can be created for each single-bit property individually.
+
+In a given resource type, there should be scalar rules either for the bitmask property, or for the single-bit "sub-properties", not both.
+
+> For example, we choose to create a property `bit_userAccountControl_2` to represent the second bit
+> of `userAccountControl`.
+>
+> ![New Property for Bit Provisioning](/images/identitymanager/bitprov_property_v603.webp)
+>
+> XML configuration looks like the following:
+>
+> ```xml
+>
+>
+>
+> ...
+>
+>
+>
+>
+> ...
+>
+> ```
+
+When creating a property of bit format:
+
+- through the UI, there is no need filling the connection column field, because it will be filled
+automatically once the format fields are filled. A manual value for connection column would be overridden.
+- through XML configuration, the connection column must be specified manually but there are no
+additional requirements.
+
+#### Focus on MultivaluedText
+
+To provision a `MultivaluedText` property, the associated scalar rule's source object must return a `string`, where the values are separated by a `\n`.
Most of the time, the value of the source object is computed with an expression.
+
+The order of the values within the property is important, because Identity Manager will use the results of the synchronization and of the computation of the scalar rule's expression. Identity Manager compares both results to compute the `Verified` provisioning state if they are found equal. Regarding that fact, if the scalar rule's expression does not compute the `MultivaluedText` with the values in the same order as Identity Manager's synchronization, the property will never be `Verified`.
+
+Netwrix Identity Manager (formerly Usercube)  recommends, in the scalar rule's expression, ordering the elements before joining them into a `string` with `myList.OrderBy(e => e, StringComparer.OrdinalIgnoreCase)`, where `myList` is the list of values.
+
+> For example, the scalar rule's C# expression for a `MultivaluedText` can look like:
+>
+> ```
+>
+>
+>
+> ```
+
+### ServiceNow
+
+ | Format | Corresponding Property Type | Description |
+ | --- | --- | --- |
+ | _Bool_ | Bool | |
+ | _Byte_ | Byte | |
+ | _Bytes/Binary_ | Bytes/Binary | |
+ | _DateTime or Date_ | DateTime | Date in ServiceNow format |
+ | _Double_ | Double | |
+ | _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) |
+ | _Int16_ | Int16 | |
+ | _Int32_ | Int32 | |
+ | _Int64_ | Int64/ForeignKey/Option | |
+
+#### Example
+
+In this example, we will export and fulfill the start date of an employee in a ServiceNow instance.
+
+We define an [Entity Model](../../integration-guide/entity-model) called `u_startdate` with the **Type**`DateTime` to display it as a date in the UI.
+
+```xml
+ServiceNow Connector.xml
+...
+ ...
+```
+
+To correctly export the start date from ServiceNow, we transform the string received into a string that is readable as a date by Identity Manager. To do so, we must declare in the EntityTypeMapping that we will not receive a simple string, but a string formatted as a `DateTime`.
+
+```xml
+ServiceNow Connector.xml
+...
+ ...
+```
+
+This allows the export of the attribute `u_startdate` as a date in Identity Manager's format.
+
+The fulfillment will use the same format defined in the EntityTypeMapping through the **Binding** declared in the ResourceType.
+
+![Export and Fulfill Data transformation](/images/identitymanager/entitypropertymapping-format-flowchart.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/index.md b/docs/identitymanager/6.3/integration-guide/connectors/index.md
new file mode 100644
index 0000000000..faf52faadc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/index.md
@@ -0,0 +1,141 @@
+---
+title: "Connectors"
+description: "Connectors"
+sidebar_position: 40
+---
+
+# Connectors
+
+Connectors are Identity Manager's links to the managed systems, the technical representation of the entity model. A connector is used to export data as CSV source files for Identity Manager's synchronization process and to fulfill entitlement assignments to a given managed system. See the [Connector](../../integration-guide/toolkit/xml-configuration/connectors/connector),[Entity Model](../../integration-guide/entity-model), and [Upward Data Synchronization](../../integration-guide/synchronization/upward-data-sync) topics for additional information.
+
+## Overview
+
+Connectors are the mechanisms that enable Identity Manager to read and write data to/from your organization's systems. The feedback mechanism ensures Identity Manager's reliability.
+
+In this documentation, we talk about managed systems (sometimes called external systems) to refer to third-party applications, i.e. the applications used in your organization, such as Active Directory, ServiceNow, EasyVista, SAP, SharePoint, etc.
+
+A connector, therefore, acts as an interface between Identity Manager and a managed system.
+
+![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp)
+
+Netwrix Identity Manager (formerly Usercube)strongly recommends the creation of one connector for each application.
+
+> For example, integrators may create an `AD` connector with the goal of importing an Active
+> Directory's data into Identity Manager, and writing to the Active Directory from Identity Manager,
+> either manually for administration accounts, or automatically for basic accounts.
+>
+> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for
+> users in SharePoint.
+
+### Data Flows
+
+In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity Manager will feed data into connected managed systems.
+
+![Outbound System=](/images/identitymanager/connectorcreation_outbound.webp)
+
+In this case, data flows between Identity Manager and the managed system are also called:
+
+- Synchronization in the managed system-to-Identity Manager direction
+- Provisioning in the Identity Manager-to-managed system direction
+
+For a connector's synchronization, Identity Manager provides tools to perform a basic extraction of the system's data in the form of CSV files. These files are cleaned and loaded into Identity Manager. In other words, synchronizing means taking a snapshot of the managed system's data and loading into Identity Manager.
+
+For provisioning, Identity Manager generates provisioning orders and the connector provides tools to either automatically write these orders to the managed system or to create a ticket for manual provisioning.
+
+> For example, we can use the data from Identity Manager's identity repository to fill in later the
+> AD's fields, such as users' display names based on their first names and last names from the
+> repository. See the
+> [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading)
+> topic for additional information.
+
+Identity Manager can also benefit from inbound connectors, that will write data to Identity Manager's central identity repository. While both inbound and outbound connectors allow data to flow both ways, they do not work in the same manner. See the [Create an HR Connector](../../user-guide/optimize/hr-connector-creation) topic for additional information.
+
+### Technical principles
+
+Identity Manager's connectors all operate on the same basic principles. Technically speaking:
+
+> For example, let's say that we want to connect Identity Manager to our Active Directory, or AD:
+
+- A connector must be created, first as a named container which will include the connections and
+entity types related to one managed system; See the [Connector](../../integration-guide/toolkit/xml-configuration/connectors/connector) topic for additional information.
+
+ > We create a connector named `AD` (so far, an empty shell).
+
+- A connector is linked to an agent which acts as the go-between for Identity Manager's server and
+the managed system; See the [Architecture](../../introduction-guide/architecture) topic for additional information.
+
+ > Our `AD` connector uses the provided SaaS agent.
+
+- A connection describes the technology used that enables data to flow back and forth between
+Identity Manager and the managed system; See the [Connection](../../integration-guide/toolkit/xml-configuration/connectors/connection) topic for additional information.
+
+ > We want to use a connection `Directory/Active Directory` to perform synchronization and
+ > automated provisioning, and a second connection `Ticket/identitymanager` to perform manual
+ > provisioning through Identity Manager.
+
+You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), and generic connections to communicate with any application (CSV, Powershell, RobotFramework, SQL, etc.).
+
+- The shape of the extracted managed system's data is modeled by entity types (we will use the term
+resource to refer to an entity type that has been instantiated); See the [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) topic for additional information.
+
+ > We create a single entity type `AD - Entry` which contains all the attributes that will
+ > describe its resources, i.e. AD groups and users. The attributes include the department, the
+ > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the
+ > parent dn, etc.
+
+- The intent of resources within the managed system is made clear by categorizing resources into
+resource types. See the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) and [Categorize Resources](../../user-guide/set-up/categorization) topics for additional information.
+
+ > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic
+ > accounts, which we want Identity Manager to provision automatically;
+ > `AD User (administration)` for sensitive administration accounts, which we want to provision
+ > manually through Identity Manager.
+
+![Connector Technical Schema](/images/identitymanager/connectorcreation_connectortechnicalschema.webp)
+
+A connector requires at least one connection and one entity type.
+
+When provisioning a managed system, the corresponding connector also needs at least one resource type.
+
+**Local vs. Saas agents** : To simplify things, Identity Manager has made it possible to start configuring connectors without installing a local agent in your organization's network. Instead, you can use the agent integrated with Identity Manager's server in the Cloud (SaaS agent). See the [Architecture](../../introduction-guide/architecture) topic for additional information.
+
+## Configure a Connector
+
+Netwrix Identity Manager (formerly Usercube)recommends creating and configuring a connector via the UI. See the [Connect to a Managed System](../../user-guide/set-up/connect-system) topic for additional information.
+
+## Supported Systems
+
+ | Connector | Description | Synchronization | Provisioning |
+ | --- | --- | --- | --- |
+ | Active Directory | Exports and fulfills data from/to an Active Directory instance. See the [Active Directory](../../integration-guide/connectors/references-connectors/activedirectory) topic  for additional information. | √ | √ |
+ | Azure | Exports Azure resources, role definitions and role assignments. See the [Azure](../../integration-guide/connectors/references-connectors/azure) topic for additional information. | √ | X |
+ | Microsoft Entra ID (formerly Microsoft Azure AD) | Exports and fulfills data from/to a Microsoft Entra ID instance. See the Microsoft Entra ID, [For Microsoft Entra ID](../../integration-guide/connectors/configuration-details/create-connector/entra-ID), and [For Microsoft Entra ID](../../integration-guide/connectors/configuration-details/setup-incremental-sync/entra-ID) topics for additional information. | √ | X |
+ | CSV | Exports data from a CSV file. See the [CSV](../../integration-guide/connectors/references-connectors/csv) topic for additional information. | √ | X |
+ | EasyVista | Exports data from an EasyVista-compliant system. See the [EasyVista](../../integration-guide/connectors/references-connectors/easyvista) topic for additional information. | √ | √ |
+ | EasyVista Ticket | Creates tickets in an EasyVista instance. See the [EasyVista Ticket](../../integration-guide/connectors/references-connectors/easyvistaticket) and [Write a Template for a Ticket Connector](../../integration-guide/connectors/configuration-details/write-ticket-template) topics for additional information. | X | √ |
+ | Google Workspace | Exports and fulfills users and groups from/to a Google Workspace instance. See the [Google Workspace](../../integration-guide/connectors/references-connectors/googleworkspace) topic for additional information. | √ | √ |
+ | Home Folder | Export home folders from input directories. See the [Home Folder](../../integration-guide/connectors/references-connectors/homefolder) topic for additional information. | √ | X |
+ | InternalResources | Opens manual provisioning tickets in Identity Manager. See the [Internal Resources](../../integration-guide/connectors/references-connectors/internalresources) topic for additional information. | X | √ |
+ | InternalWorkflow | Retrieves provisioning order files from a connector or a resource type list, and starts a workflow accordingly. See the [InternalWorkflow](../../integration-guide/connectors/references-connectors/internalworkflow) topic for additional information. | X | √ |
+ | Json | Generates JSON files for each provisioning order. See the [JSON](../../integration-guide/connectors/references-connectors/json) topic for additional information. | X | √ |
+ | LDAP | Exports and fulfills data from/to an LDAP-compliant system. See the [LDAP](../../integration-guide/connectors/references-connectors/ldap) topic for additional information. | √ | √ |
+ | LDIF | Generates CSV source files from an LDIF file. See the [LDIF](../../integration-guide/connectors/references-connectors/ldif) topic for additional information. | √ | X |
+ | Microsoft Excel | Exports data from an XLSX file. See the [Microsoft Excel](../../integration-guide/connectors/references-connectors/excel) topic for additional information. | √ | X |
+ | Microsoft Exchange | Exports data from a Microsoft Exchange instance. See the [Microsoft Exchange](../../integration-guide/connectors/references-connectors/microsoftexchange) topic for additional information. | √ | √ |
+ | OData | Exports entities from an OData instance. See the [OData](../../integration-guide/connectors/references-connectors/odata) topic for additional information. | √ | X |
+ | OpenLDAP | Exports and fulfills from/to an OpenLDAP directory. See the [OpenLDAP](../../integration-guide/connectors/references-connectors/openldap) topic for additional information. | √ | √ |
+ | PowerShell | Executes PowerShell scripts to generate CSV source files from otherwise unsupported sources. See the [PowerShellProv](../../integration-guide/connectors/references-connectors/powershellprov), [Write a PowerShell Script for Provisioning](../../integration-guide/connectors/configuration-details/write-fulfill-powershell-script), and [Fulfill Microsoft Exchange via PowerShell](../../integration-guide/connectors/configuration-details/powershell-fulfill) topics for additional information. | X | √ |
+ | RACF | Exports data from a RACF file. See the [RACF](../../integration-guide/connectors/references-connectors/racf) topic for additional information. | √ | X |
+ | Robot Framework | Executes Robot Framework scripts to fulfill data to external systems. See the [Robot Framework](../../integration-guide/connectors/references-connectors/robotframework), [Write a Robot Framework Script](../../integration-guide/connectors/configuration-details/write-fulfill-robotframework-script), [Interact with a Web Page via Robot Framework](../../integration-guide/connectors/configuration-details/interact-web-page-robotframework), and [Interact with a GUI Application via Robot Framework](../../integration-guide/connectors/configuration-details/interact-gui-robotframework) topics for additional information. | X | √ |
+ | SAP | Exports and fulfills data from/to an SAP system. See the [SAP Netweaver](../../integration-guide/connectors/references-connectors/sapnetweaver) topic for additional information. | √ | X |
+ | SAP ERP 6.0 | Exports and fulfills data from/to an SAP ERP 6.0 system. See the [SAP ERP 6.0 and SAP S4/HANA](../../integration-guide/connectors/references-connectors/saperp6) topics for additional information. | √ | √ |
+ | SCIM | Exports and fulfills data from/to a SCIM-compliant web application. See the [SCIM](../../integration-guide/connectors/references-connectors/scim), [Export CyberArk Data via SCIM ](../../integration-guide/connectors/configuration-details/scim-cyberark-export) and [ Provision Salesforce Users' Profiles via SCIM](../../integration-guide/connectors/configuration-details/scim-salesforce-provisioning-entitlements) topics for additional information. | √ | √ |
+ | ServiceNow Entity Management | Manages ServiceNow entities. See the [ServiceNow](../../integration-guide/connectors/references-connectors/servicenowentitymanagement) topic for additional information. | √ | √ |
+ | ServiceNow Ticket | Creates tickets in ServiceNow. See the [ServiceNowTicket](../../integration-guide/connectors/references-connectors/servicenowticket) topic for additional information. | X | √ |
+ | SharedFolder | Scans a Windows file directory and exports a list of folders, files, users and their associated permissions. See the [SharedFolders](../../integration-guide/connectors/references-connectors/sharedfolder) topic for additional information. | √ | X |
+ | SharePoint | Exports a SharePoint's list of objects, users, groups, roles and their relationships. See the [SharePoint](../../integration-guide/connectors/references-connectors/sharepoint) and [Set up SharePoint's Export and Synchronization](../../integration-guide/connectors/configuration-details/sharepoint-export) topics for additional information. | √ | √ |
+ | SQL | Exports data from various Database Management Systems. See the [Sql](../../integration-guide/connectors/references-connectors/sql) topic for additional information. | √ | X |
+ | SQL Server Entitlements | Exports server and database principals from Microsoft SQL Server. See the [Sql Server Entitlements](../../integration-guide/connectors/references-connectors/sqlserverentitlements) topic for additional information. | √ | X |
+ | Top Secret | Exports the Top Secret (TSS) users and profiles. See the [Top Secret](../../integration-guide/connectors/references-connectors/topsecret) topic for additional information. | √ | X |
+ | Workday | Exports data from a Workday instance. See the [Workday](../../integration-guide/connectors/references-connectors/workday) topic for additional information. | √ | X |
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/activedirectory.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/activedirectory.md
new file mode 100644
index 0000000000..e05b0379bf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/activedirectory.md
@@ -0,0 +1,356 @@
+---
+title: "Active Directory"
+description: "Active Directory"
+sidebar_position: 10
+---
+
+# Active Directory
+
+This connector exports and fulfills users and groups from/to an [Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services) instance.
+
+This page is about Directory/Active Directory. See the Active Directory topic for additional information.
+
+![Package: Directory/Active Directory](/images/identitymanager/packages_ad_v603.webp)
+
+## Overview
+
+Active Directory is a directory service developed by Microsoft for Windows domain networks. The Active Directory connector exports Active Directory (AD) entries to Identity Manager's resource repository. This connector also enables automated provisioning from the resource repository to the AD.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- Reading first the appsettings documentation; See the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information.
+- Opening the LDAP feed from Identity Manager's server to the Active Directory, with the ports 389
+for LDAP and 636 for LDAPS.
+- A **service account** with reading and writing permissions on the target Active Directory instance. It
+means that the Replicating Directory Changes rights are required for the **service account**, but also for the Active Directory root and the AD children. See the instructions below for additional information.
+- An SSL connection which is mandatory for the AD connector to initialize and change a password.
+- Enabling rights inheritance in the **Advanced Security Settings**.
+
+### Enable Active Directory Permissions
+
+To enable permissions, the Active Directory administrator must do the following:
+
+**Step 1 –** Check the **View** details in the Active Directory and Computers.
+
+![Enable Permissions - Step 1](/images/identitymanager/references_connectors_activedirectory_01.webp)
+
+**Step 2 –** Open the **Advanced Security Settings** dialog box for the domain root.
+
+![Enable Permissions - Step 2](/images/identitymanager/references_connectors_activedirectory_02.webp)
+
+**Step 3 –** Select the **Replicating Directory Changes** check box from the list.
+
+![Enable Permissions - Step 3](/images/identitymanager/references_connectors_activedirectory_03.webp)
+
+**Step 4 –** To change groups' membership, in the Applies field, select Descendent Group object and select the **Read Members** and **Write Members** check boxes from the list.
+
+![Read/Write Members](/images/identitymanager/references_connectors_activedirectory_04.webp)
+
+**Step 5 –** To Reset Password capabilities, in the Applies field, select Descendent User object and select the **Read lockoutTime** and **Write lockoutTime** check boxes from the list.
+
+![Read/Write Lockout Times](/images/identitymanager/references_connectors_activedirectory_05.webp)
+
+Administrator rights must **not** be granted to the **service account**. Doing otherwise would create a security breach. Administrator rights must **only** be granted to the target perimeter.
+
+## Export
+
+For a configured set of Active Directory entries, this connector exports all attributes from the connector's configuration to CSV files.
+
+The export is executed by a job from the UI, or via Usercube-Export-ActiveDirectory.exe in the command prompt.
+
+### Configuration
+
+This process is configured through a connection in the UI and/or the XML configuration, and in the *appsettings.agent.json* > Connections section:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+                {
+                ...
+                "Connections": {
+                ...
+                "": {
+                ...
+                }
+                }
+            }
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- Be unique.
+- **not** begin with a digit.
+- **not** contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example configures a connection to the Active Directory Domain Controller
+> contoso.server.com using Basic Authentication with **BaseDN**, **Login**, **Password** with
+> EnableSSL for all entries ( "Filter": "(objectclass=\*)"):
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```
+> *appsettings.agent.json*
+>                     {
+>                     ...
+>                     "Connections": {
+>                     "ADExport": {
+>                     "Filter": "(objectclass=*)",
+>                     "Servers": [>                     {
+>                     "Server": "contoso.server.com",
+>                     "BaseDN": "DC=contoso,DC=com"
+>                     }
+>],
+>                     "AuthType": "Basic",
+>                     "AsAdLds": false,
+>                     "EnableSSL": true,
+>                     "Login": "Contoso",
+>                     "NoSigning": false,
+>                     "Password": "ContOso$123456789",
+>                     "RetryDelay": 10
+>                     }
+>                     }
+>                 }
+> ```
+
+#### Setting attributes
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Servers required | Server List | List of pairs that define the target servers, made of: - Server: domain controller URL. - BaseDN: base Distinguished Name used to connect to the related server. |
+ | AsAdLds optional | Boolean | True to state the managed system as an AD LDS. It is used for extracting the schema through the connection screen. |
+ | EnableSSL optional | Boolean | True to enable SSL protocol for authentication requests. recommended when using AuthType set to Basic because basic authentication packets are **not** encrypted by default. SSL is **not** available on Linux. |
+ | NoSigning optional | Boolean | True to disable Kerberos encryption. |
+ | AuthType default value: Negotiate | String | Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: Anonymous - without any login/password; Basic - via the BaseDN, Login and Password attributes; Negotiate - via GSS-API negotiations with the Kerberos mechanism used for authentication. |
+ | Login optional | String | Login used by Identity Manager for basic authentication. It is required when AuthType is set to Basic. |
+ | Password optional | String | Password used by Identity Manager for basic authentication. It is required when AuthType is set to Basic. |
+ | Filter required | String | Value that filters out the corresponding entries from the AD instance which will **not** be exported. **only** non-filtered entries are exported. The filter value complies with Microsoft's [search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). |
+ | RetryDelay optional | Int32 | Time (in milliseconds) after which Identity Manager retries a timeout request. |
+ | RequestTimeout optional | Int32 | Time (in seconds) after which a connection faces a timeout. |
+ | ConnectionTimeout optional | Int32 | Time (in seconds) after which a connection faces a timeout. |
+
+### Output details
+
+This connector is meant to generate:
+
+- A file named ``\_entries.csv, with one column for each property having a
+ConnectionColumn and each property without it but used in an entity association;
+
+Any property can be exported in a specific format when specified. See the [References: Format for the EntityPropertyMapping](../../../integration-guide/connectors/entitypropertymapping-format) topic for additional information.
+
+- An additional file for each related table other than entries;
+- A cookie file named ``\_cookie.bin, containing the time of the last export
+in order to perform incremental exports.
+
+:::note
+ Most exports can be run in complete mode, where the CSV files will contain all entries, or in incremental mode, where CSV files will contain **only** the entries which have been modified since the last synchronization.
+:::
+A task can use the IgnoreCookieFile boolean property, and a command line (with an executable) can use the option --ignore-cookies.
+
+The CSV files are stored in the ExportOutput folder, and the cookie file in the ExportCookies folder. See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) topic for additional information.
+
+For example, with the following configuration example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```text
+                                      ConnectionColumn="dn" IsUniqueKey="true" />  ConnectionColumn="objectCategory" Format="rdn" />  ConnectionColumn="objectGuid" IsPrimaryKey="true" Format="guid" />  ConnectionColumn="objectSid" IsUniqueKey="true" Format="sid"/>  ConnectionColumn="pwdLastSet" Format="1601date" />  ConnectionColumn="thumbnailPhoto" Format="binary" />Column1="parentdn" ConnectionTable="ADExport_entries" EntityPropertyMapping1="AD_Entry:dn" EntityPropertyMapping2="AD_Entry:dn" Connector="AD" />Column2="member" ConnectionTable="ADExport_members" EntityPropertyMapping1="AD_Entry:dn" EntityPropertyMapping2="AD_Entry:dn" Connector="AD" />
+```
+
+We would have `C:/identitymanagerContoso/Temp/ExportOutput/*ADExport_entries.csv*` with a column for each scalar property. See the [Entity Model](../../../integration-guide/entity-model) topic for additional information.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```xml
+*ADExport_entries.csv*
+                command,dn,objectCategory,objectGuid,objectSid,pwdLastSet,thumbnailPhoto,parentdn
+            ...
+```
+
+Also, ADExport_member as ConnectionTable in a mapping will trigger the generation of the file `C:/identitymanagerContoso/Temp/ExportOutput/*ADExport_member.csv*` with member as link attribute:
+
+```xml
+*ADExport_member.csv*
+                command,dn,member
+            ...
+```
+
+And `C:/identitymanagerContoso/Work/ExportCookies/ADExport_cookie.bin`
+
+### Synchronize multiple forests
+
+This connector can export resources from multiple forests trusted by the same AD domain.
+
+It requires specifying the **Server** and **BaseDN** pairs in **Servers** for all the forests used as source for the export.
+
+Each **BaseDN** will generate a cookie file, but the entries from all **BaseDN** properties will be written to the same CSV file.
+
+> The following example exports data from two sources: both on the same **Server**
+> (contoso.server.com), but on two different **BaseDN**s (DC=contoso,DC=com and
+> DC=defense,DC=contoso,DC=com).
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```
+> *appsettings.agent.json*
+>                     {
+>                     ...
+>                     "Connections": {
+>                     "ADExport": {
+>                     "Servers": [>                     {
+>                     "Server": "",
+>                     "BaseDN": ""
+>                     },
+>                     {
+>                     "Server": "",
+>                     "BaseDN": ""
+>                     }
+>],
+>                     "AuthType": "",
+>                     "Login": "",
+>                     "Password": "",
+>                     "Filter": "<(objectclass=*)>",
+>                     "EnableSSL": ""
+>                     }
+>                     }
+>                 }
+> ```
+>
+> The export creates two cookie files: ADExport_cookie_0.bin for the first **BaseDN**, and
+> ADExport_cookie_1.bin for the second **BaseDN**, but the entries of both **BaseDN** properties
+> will be written in *ADExport_entries.csv*.
+
+## Fulfill
+
+This connector writes to the Active Directory, to create, update and delete entries, initiated manually through the UI or automatically by enforcing the policy. See the [Evaluate Policy](../../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections.
+
+> The following example connects to an AD LDS system located at contoso.server.com.
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```
+> *appsettings.agent.json*
+>                     {
+>                     ...
+>                     "Connections": {
+>                     ...
+>                     "ADFulfillment": {
+>                     "Servers": [>                     {
+>                     "Server": "",
+>                     "BaseDN": ""
+>                     }
+>],
+>                     "AuthType": "Basic",
+>                     "AsAdLds": "true",
+>                     "EnableSSL": true,
+>                     "Login": "",
+>                     "NoSigning": false,
+>                     "Password": "",
+>                     }
+>                     }
+>                 }
+> ```
+
+#### Setting attributes
+
+ | Name | Type | DescriptionDetails |
+ | --- | --- | --- |
+ | Servers required | Server List | List of pairs that define the target servers, made of: - Server: domain controller URL. - BaseDN: base Distinguished Name used to connect to the related server. |
+ | AsAdLds optional | Boolean | True to state the managed system as an AD LDS. It isInfo: used for extracting the schema through the connection screen. |
+ | EnableSSL optional | Boolean | True to enable SSL protocol for authentication requests. **NOTE:** recommended when using AuthType set to Basic because basic authentication packets are **not** encrypted by default. SSL is **not** available on Linux. |
+ | NoSigning optional | Boolean | True to disable Kerberos encryption. |
+ | AuthType default value: Negotiate | String | Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: Anonymous - without any login/password; Basic - via the BaseDN, Login and Password attributes; Negotiate - via GSS-API negotiations with the Kerberos mechanism used for authentication. |
+ | Login optional | String | Login used by Identity Manager for basic authentication. **NOTE:** It is required when AuthType is set to Basic. |
+ | Password optional | String | Password used by Identity Manager for basic authentication. **NOTE:** It is required when AuthType is set to Basic. |
+
+### Output details
+
+This connector can create a new resource, and update and delete an existing resource via the UI.
+
+A new resource is created with the state disabled, corresponding to the useraccountcontrol value 514. When it is approved, its disabled state is removed and the useraccountcontrol value becomes 512.
+
+### Provision multiple forests
+
+Same as for export, this connector can fulfill resources to multiple forests trusted by the same AD domain, by specifying the Server and BaseDN pairs in Servers for all forests.
+
+The following example fulfills data to two targets: both on the same Server (contoso.server.com), but on two different BaseDNs (DC=contoso,DC=com and DC=defense,DC=contoso,DC=com).
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+                {
+                ...
+                "Connections": {
+                ...
+                "ADFulfillment": {
+                "Servers": [{
+                "Server": "",
+                "BaseDN": ""
+                },
+                {
+                "Server": "",
+                "BaseDN": ""
+                }],
+                "AuthType": "Basic",
+                "Login": "",
+                "Password": "",
+                "AsAdLds": "true"
+                }
+                }
+            }
+```
+
+### Add attributes to the requests
+
+Some systems using the LDAP protocol require additional attributes in the creation and/or update requests.
+
+If these attributes are **not** synchronized in Identity Manager, then they cannot be computed and provided by scalar rules or navigation rules. In this case, they can be given as arguments in the provisioning order, through the ResourceType's ArgumentsExpression.
+
+The following example adds the attribute description with a value depending on what is modified:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```text
+                 
+                             
+```
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information on how to configure password reset settings.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- RSA encryption, configured in the appsettings.encrypted.agent.json file. See the
+[RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption) topic for additional information.
+- An Azure Key Vault safe; See the
+[Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) topic for additional information.
+
+- A CyberArk Vault able to store Active Directory's Login, Password and Server. See the
+[CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/azure.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/azure.md
new file mode 100644
index 0000000000..ea788450e3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/azure.md
@@ -0,0 +1,127 @@ +--- +title: "Azure" +description: "Azure" +sidebar_position: 20 +--- + +# Azure + +This connector exports [Azure](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure) resources, role definitions and assignments. + +This page is about [Azure](../../../integration-guide/connectors/references-packages/azure). + +![Package: Cloud/Azure](/images/identitymanager/packages_azure_v603.webp) + +## Prerequisites + +Implementing this connector requires at least the `Security Reader` role, because Identity Manager does not access the [Azure API](https://docs.microsoft.com/en-us/rest/api/azure/) on behalf of a user but with [its own identity](https://docs.microsoft.com/en-us/rest/api/azure/). + +## Export + +For a given Azure tenant with resources, this connector exports Azure resources, role definitions and role assignments to CSV files. + +### Configuration + +This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section: + +```json +***appsettings.agent.json*** + +{ ... "Connections": { ... "": { ... } } } +```` + + +The identifier of the connection and thus the name of the subsection must: + +- be unique. + +- not begin with a digit. + +- not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +> The following example +> +> ``` +> +> *appsettings.agent.json* +> { +> ... +> "Connections": { +> ... 
+> "AzureExport": {
+> "ApplicationId": "contosoAzure897",
+> "ApplicationKey": "25d408a1925d4c081925b\d40819",
+> "SubscriptionId": "Contoso",
+> "TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c",
+> "AzurePath": "https://management.azure.com/.default",
+> "AzurePathApi": "https://management.azure.com",
+> "ResponseUri": "https://agent.usercubecontoso.com"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | ApplicationId required | __Type__ String __Description__ GUID that uniquely identifies the application registration in the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Overview__ > __Application (client) ID__ |
+ | ApplicationKey required | __Type__ String __Description__ Secret associated with the ```ApplicationId```. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Certificate & secrets__ > __Client secrets__ > __Client Secret__ |
+ | TenantId required | __Type__ String __Description__ GUID that uniquely identifies the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Overview__ > __Application (tenant) ID__ |
+ | ResponseUri default value: ```http://localhost``` | __Type__ String __Description__ URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). |
+ | --- | --- |
+ | --- | --- |
+ | SubscriptionId required | __Type__ String __Description__ GUID that uniquely identifies the subscription associated to the ```ApplicationId```. [See how to find it](https://www.youtube.com/watch?v=6b1J03fDnOg&t=3s). |
+ | AzurePath default value: ```https://management.azure.com/.default``` | __Type__ String __Description__ Scope requested to access a protected API. 
For this flow (client credentials), the scope should be of the form __`{ResourceIdUri/.default}`__. [See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation). |
+ | AzurePathApi default value: ```https://management.azure.com``` | __Type__ String __Description__ Azure Uri API. |
+
+### Output details
+
+This connector is meant to generate to the Export Output folder the following CSV files:
+
+```_RoleDefinition.csv``` with the following columns:
+- __id__: role definition's Azure id;
+- __name__: role definition's id;
+- __roleName__: role definition's name;
+- __type__: role definition's type, for example it can describe if it is a built-in role or a customized one;
+- __description__: role definition's description.
+```_Resource.csv``` with the following columns:
+
+- __id__: resource's Azure id;
+- __name__: resource's name;
+- __type__: resource's type;
+- __location__: resource's geographical location;
+- __managedBy__: GUID or Azure id of the resource's manager;
+- __principalId__: resource's identity PrincipalId;
+- __ResourceIdentitytype__: resource's identity type.
+
+```_RoleAssignment.csv``` with the following columns:
+- __id__: role assignment's Azure id;
+- __name__: role assignment's id;
+- __roleDefinitionId__: role definition's Azure id;
+- __principalId__: Microsoft Entra ID (formerly Microsoft Azure AD)'s object GUID;
+- __scope__: resource's Azure id.
+
+See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)topic for additional information.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords. 
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption) configured in the ```appsettings.encrypted.agent.json``` file;
+- An [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) safe;
+
+- A [CyberArk's AAM Credential Providers
+](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) able to store Azure's ```ApplicationId``` and ```ApplicationKey```.
+````
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/csv.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/csv.md
new file mode 100644
index 0000000000..0d7477f949
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/csv.md 
@@ -0,0 +1,186 @@
+---
+title: "CSV"
+description: "CSV"
+sidebar_position: 40
+---
+
+# CSV
+
+This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comma-separated_values).
+
+This page is about [CSV](../../../integration-guide/connectors/references-packages/csv).
+
+![Package: File/CSV](/images/identitymanager/packages_csv_v603.webp)
+
+## Overview
+
+Files in CSV format are commonly used to store information.
+
+## Prerequisites
+
+Implementing this connector requires the source file to be in CSV format.
+
+## Export
+
+This export copies the information found in a CSV file and transforms it into a new CSV file in the Identity Manager's format.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "HRContoso": {
+> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).csv",
+> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).csv",
+> "Encoding": "UTF-16",
+> "Separator": ";",
+> "IsFileNameRegex": true,
+> "NumberOfLinesToSkip": 1,
+> "ValuesToTrim": [> "*",
+> "%"
+>]
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. |
+ | PathIncremental Required if Path is not defined. 
| **Type** String **Description** Path of the input file to be used for incremental synchronization. |
+ | IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. |
+ | ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `---
+title: "CSV" description: "CSV" sidebar_position: 40
+---
+
+# CSV
+
+This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comma-separated_values).
+
+This page is about [CSV](../../../integration-guide/connectors/references-packages/csv).
+
+![Package: File/CSV](/images/identitymanager/packages_csv_v603.webp)
+
+## Overview
+
+Files in CSV format are commonly used to store information.
+
+## Prerequisites
+
+Implementing this connector requires the source file to be in CSV format.
+
+## Export
+
+This export copies the information found in a CSV file and transforms it into a new CSV file in the Identity Manager's format.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "HRContoso": {
+> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).csv",
+> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).csv",
+> "Encoding": "UTF-16",
+> "Separator": ";",
+> "IsFileNameRegex": true,
+> "NumberOfLinesToSkip": 1,
+> "ValuesToTrim": [> "*",
+> "%"
+>]
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. |
+ | PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. |
+ | IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. |
+first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". |
+ | Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). |
+ | NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. |
+
+### Output details
+
+This connector is meant to generate a CSV file, named `.csv`, to the Export Output folder. See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)topic for additional information. 
+
+For example, when exporting a connection named `HRCountries`, the output file will be named `HRCountries.csv`.
+
+The file's columns come from the header line from the input CSV file.
+
+All columns with headers, even empty ones, will be written to the output. However, columns without headers will not be written.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+This connector has no credential attributes, and therefore does not use [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), nor a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection).
+
+Still, data protection can be ensured through an [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvista.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvista.md
new file mode 100644
index 0000000000..bf48f3c8d0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvista.md 
@@ -0,0 +1,209 @@
+---
+title: "EasyVista"
+description: "EasyVista"
+sidebar_position: 50
+---
+
+# EasyVista
+
+This connector exports and fulfills users from/to an [EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en)-compliant system.
+
+This page is about EasyVista .
+
+![Package: ITSM/EasyVista](/images/identitymanager/packages_easyvista_v603.webp)
+
+## Overview
+
+EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by using tickets. This allows users to manage projects, materials and teams through a customizable interface.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- Reading first the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic;
+- An EasyVista account with reading/writing permissions on the target instance;
+- A view to be created in EasyVista for each type of entity to export.
+
+## Export
+
+This connector exports a list of users, with their attributes specified in the connector's configuration, to CSV files.
+
+It can also export any custom entity, provided that a view exists for it in EasyVista.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> "Connections": {
+> ... 
+> "ExportEasyVista": {
+> "Server": "https://easy-vista.instance.com/",
+> "Account": "11111",
+> "Login": "username",
+> "Password": "userPassword",
+> "ExportSettingsOptions": {
+> "Profiles": "https://easy-vista.instance.com/api/v1/11111/internalqueries?queryguid={019B0523-F1C4-4G84-AA04-47BA16F16EB2}&filterguid={Z8A61D04-EZEC-42F1-A3E1-E9E09654BE68}&viewguid={2740V37A-A0ZC-4E50-A1F1-CF0987B9EFEA}"
+> }
+> }
+> }
+> }
+> ```
+
+The `ExportSettingsOptions` attribute is necessary only if custom entities are exported. It is not required if only the users are exported. Besides, `"Profiles"` is used here as an example and corresponds to a name to identify the exported entities.
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URI of the server to connect to. |
+ | Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. |
+ | Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. |
+ | Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. |
+ | --- | --- |
+ | --- | --- |
+ | ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. **Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. 
For example: ![EasyVista Profiles View](/images/identitymanager/easyvista_view_v523.webp) |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) export output folder:
+
+- a CSV file, named `_Employees.csv`, with one column for each property having
+a `ConnectionColumn` and each property without it but used in an entity association;
+- a CSV file for each customized entity, named `_.csv`.
+
+> For example, with the following entity type mapping for employees:
+>
+> ```
+>
+> ConnectionColumn="last_name" />
+>
+> ```
+>
+> And the following entity type mapping for profiles:
+>
+> ```
+>
+> EntityType Identifier="EasyVista_Profiles" DisplayName_L1="EasyVista Profiles" Property Identifier="NAME_EN" DisplayName_L1="NAME_EN" TargetColumnIndex="23" Type="String" Type="String" IsKey="true" //EntityTypeEntityTypeMapping Identifier="EVProfiles" Connector="ExportEasyVista" ConnectionTable="EasyVistaExport_Profiles" Property Identifier="PROFILE_GUID">>>> ><<<<<
+>
+> ```
+>
+> Then we will have `C:/identitymanagerContoso/Sources/*EasyVistaExport_Employees.csv*` as follows:
+>
+> ```
+> *EasyVistaExport_Employees.csv*
+> last_name
+> Talma Bart
+> Tanner Carol
+> Taverner David
+> Taylor Eric
+> Telemann Franck
+> Thomson Georges
+> ...
+>
+> ```
+>
+> Then we will have `C:/identitymanagerContoso/Sources/*EasyVistaExport_Profiles.csv*` as follows:
+>
+> ```
+> *EasyVistaExport_Profiles.csv*
+> NAME_EN, PROFILE_GUID
+> Administration {value of the PROFILE_GUID}
+> LOB Manager {value of the PROFILE_GUID}
+> Product Team {value of the PROFILE_GUID}
+> Project Manager {value of the PROFILE_GUID}
+> ...
+>
+> ```
+
+Users created from the API are retrieved by Identity Manager only after a complete synchronization. 
+
+## Fulfill
+
+The EasyVista connector writes to EasyVista to **create**, **archive** (delete from Identity Manager's point of view) and **update** employees, initiated manually through the UI or automatically by reinforcing the policy. See the [Evaluate Policy](../../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "FulfillEasyVista": {
+> "Server": "https://easy-vista.instance.com/",
+> "Account": "11111",
+> "Login": "username",
+> "Password": "userPassword"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URI of the server to connect to. |
+ | Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. |
+ | Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. |
+ | Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. |
+
+### Output details
+
+This connector can:
+
+- **create** and **update** employees and their profiles, but is limited by
+[API limitations](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Integration/WebService%20REST/REST%20API%20-%20Create%20an%20employee/);
+
+In particular, this connector cannot set dates nor the `employee_id` property.
+
+- **archive** employees, i.e. set the `CONTRACT_END_DATE` to the date of the fulfill execution.
+
+This action is performed when Identity Manager fulfills a provisioning order with a `Deleted` change type.
+
+## Authentication
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic to find out more on how to configure password reset settings. 
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection),
+configured in the `appsettings.encrypted.agent.json` file;
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+- A
+[CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) able to store EasyVista's `Login`, `Password`, `Account` and `Server`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvistaticket.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvistaticket.md
new file mode 100644
index 0000000000..e33469681e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/easyvistaticket.md 
@@ -0,0 +1,72 @@
+---
+title: "EasyVista Ticket"
+description: "EasyVista Ticket"
+sidebar_position: 60
+---
+
+# EasyVista Ticket
+
+This connector opens tickets in [EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en) for manual provisioning.
+
+This page is about [EasyVista Ticket](../../../integration-guide/connectors/references-packages/easyvistaticket).
+
+![Package: Ticket/EasyVista](/images/identitymanager/packages_easyvistaticket_v603.webp)
+
+## Overview
+
+EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by using tickets. This allows users to manage projects, materials and teams through a customizable interface.
+
+This connector focuses on the creation of EasyVista tickets for editing manually EasyVista resources.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- Reading first the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent);
+- An EasyVista account with reading/writing permissions on the target instance.
+
+## Export
+
+This connector exports some of EasyVista entities, see the export capabilities of the [EasyVista](../../../integration-guide/connectors/references-packages/easyvista) connector. Some entities cannot be exported.
+
+## Fulfill
+
+This connector writes to EasyVista to **create** incident and request tickets containing information to **create**, update or delete a resource. It does **not** **create** a resource directly.
+
+Once created, the ticket is managed in EasyVista, **not** in Identity Manager.
+
+When the ticket is closed or canceled, Identity Manager updates the provisioning state of the resource accordingly. See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) topic to find out more on how to configure password reset settings. 
+
+See the fulfill capabilities of the [EasyVista](../../../integration-guide/connectors/references-connectors/easyvista) connector.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> "EasyVistaManual": {
+> "Server": "https://example.easyvista.com/",
+> "Login": "username",
+> "Password": "password",
+> "Account": "11111"
+> },
+>
+> ```
+
+## Authentication
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic to find out more on how to configure password reset settings.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption),
+configured in the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+- a
+[CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) able to store EasyVista's `Login`, `Password`, `Account` and `Server`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/excel.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/excel.md
new file mode 100644
index 0000000000..dfcf39c0ac
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/excel.md 
@@ -0,0 +1,210 @@
+---
+title: "Microsoft Excel"
+description: "Microsoft Excel"
+sidebar_position: 140
+---
+
+# Microsoft Excel
+
+This connector exports datasheets from a [Microsoft Excel](https://www.microsoft.com/en-us/microsoft-365/excel) (XLSX) file.
+
+This page is about [Excel](../../../integration-guide/connectors/references-packages/excel).
+
+![Package: File/Microsoft Excel](/images/identitymanager/packages_excel_v603.webp)
+
+## Overview
+
+Microsoft Excel files using the XLSX file format are commonly used to store information.
+
+## Prerequisites
+
+Implementing this connector requires the input file to be in the XLSX format.
+
+## Export
+
+This connector copies the information from an XLSX file into CSV files, one per spreadsheet, while filtering out spreadsheets and trimming values if needed.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "HRContoso": {
+> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).xlsx",
+> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).xlsx",
+> "IsFileNameRegex": "true",
+> "SheetOptions": [> {
+> "SheetIgnored": "false",
+> "NumberOfLinesToSkip": 1
+> },
+> {
+> "SheetIgnored": "true"
+> }
+>],
+> "ValuesToTrim": [> "$",
+> "%"
+>]
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Path Required if PathIncremental is not defined. 
| **Type** String **Description** Path of the input file to be used for complete synchronization. |
+ | PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. |
+ | IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. |
+ | ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `---
+title: "Microsoft Excel" description: "Microsoft Excel" sidebar_position: 140
+---
+
+# Microsoft Excel
+
+This connector exports datasheets from a [Microsoft Excel](https://www.microsoft.com/en-us/microsoft-365/excel) (XLSX) file.
+
+This page is about [Excel](../../../integration-guide/connectors/references-packages/excel).
+
+![Package: File/Microsoft Excel](/images/identitymanager/packages_excel_v603.webp)
+
+## Overview
+
+Microsoft Excel files using the XLSX file format are commonly used to store information.
+
+## Prerequisites
+
+Implementing this connector requires the input file to be in the XLSX format.
+
+## Export
+
+This connector copies the information from an XLSX file into CSV files, one per spreadsheet, while filtering out spreadsheets and trimming values if needed.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ... 
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "HRContoso": {
+> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).xlsx",
+> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).xlsx",
+> "IsFileNameRegex": "true",
+> "SheetOptions": [> {
+> "SheetIgnored": "false",
+> "NumberOfLinesToSkip": 1
+> },
+> {
+> "SheetIgnored": "true"
+> }
+>],
+> "ValuesToTrim": [> "$",
+> "%"
+>]
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. |
+ | PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. |
+ | IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. |
+first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". |
+ | | |
+ | --- | --- |
+ | SheetOptions optional | **Type** Sheet Option List **Description** List of options for each sheet of the input file. The first element of the list sets the options for the first sheet, the second element for the second sheet, etc. |
+
+##### SheetOptions
+
+ | Name | Details |
+ | --- | --- |
+ | SheetIgnored required | **Type** Boolean **Description** `True` to exclude the sheet from export. 
|
+ | --- | --- |
+ | --- | --- |
+ | NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder a CSV file per spreadsheet included in the export, named `_.csv` where `` is the spreadsheet's index.
+
+Note that `0` is the first index, not `1`.
+
+> For example, when exporting the content of a 2-sheet Excel file with a connection named
+> `HRContoso`, the output files will be named `HRContoso_0.csv` for the first spreadsheet, and
+> `HRContoso_1.csv` for the second.
+
+The file's columns come from the header line from the input Excel file.
+
+All columns with headers, even empty ones, will be written to the output. However, columns without headers will not be written.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+This connector has no credential attributes, and therefore does not use [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption), nor a [CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)Vault.
+
+Still, data protection can be ensured through an [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) safe.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/googleworkspace.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/googleworkspace.md
new file mode 100644
index 0000000000..351579c674
--- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/googleworkspace.md 
@@ -0,0 +1,156 @@
+---
+title: "Google Workspace"
+description: "Google Workspace"
+sidebar_position: 70
+---
+
+# Google Workspace
+
+This connector exports and fulfills users and groups from/to a [Google Workspace](https://developers.google.com/workspace) instance.
+
+This page is about [Google Workspace](../../../integration-guide/connectors/references-packages/googleworkspace).
+
+![Package: Directory/Google Workspace](/images/identitymanager/packages_workspace_v603.webp)
+
+## Overview
+
+Google Workspace provides a set of softwares and products developed by Google. The Google Workspace connector exports and fulfills users and groups from/to a Google Workspace instance. It exports user-group memberships too.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- reading first the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent)documentation;
+- a service account impersonating the following permission scopes:
+[https://www.googleapis.com/auth/admin.directory. user](https://www.googleapis.com/auth/admin.directory.user) and [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group).
+
+See [Google's documentation](https://developers.google.com/workspace/guides/**create**-credentials#googles-documentation) Google's documentation to **create** the service account with the right impersonation.
+
+:::tip
+ Remember, Google's documentation describes this procedure as optional, while the Google Workspace connector requires it.
+:::
+## Export
+
+This connector extracts users, groups and user-group memberships from a Google Workspace instance, and write the output to CSV files.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+>
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "GoogleExportFulfillment": {
+> "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json",
+> "User": "B29607@acme.internal",
+> "PageSize": "100"
+> }
+> }
+> }
+>
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. [See Google's documentation to **create** these credentials](https://developers.google.com/workspace/guides/**create**-credentials#see-googles-documentation-to-**create**-these-credentials). |
+ | User required | **Type** String **Description** Email address of the service account mentioned in the prerequisites section. |
+ | --- | --- |
+ | --- | --- |
+ | PageSize default value: 50 | **Type** Int32 **Description** Number of items, i.e. users and/or groups and/or memberships, retrievable from Google Workspace by each API call (from 1 to 500).
|
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder the following CSV files:
+
+- `GoogleExportFulfillment_Users.csv` and `GoogleExportFulfillment_Groups.csv` whose headers come
+from the entity type mapping's `ConnectionColumn` and from the entity association mappings' columns which are not _members_ columns;
+- `GoogleExportFulfillment_Members.csv` with the following columns:
+ - **value**: ID of the group;
+ - **MemberId**: ID of the group member.
+
+If the connection column describes a sub-property, then the name should have the following pattern: `{property}:{sub-property}`. The character `":"` should not be used in other situations.
+
+> For example:
+>
+> ```
+>
+>
+>
+> ```
+>
+> Note that we have here `AgreedToTerms` which is a single property, and `FamilyName` which is a
+> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`.
+
+## Fulfill
+
+This connector can write to Google Workspace to **create**, **update**, and/or **delete** users and user-group memberships.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections.
+
+> For example:
+>
+> ```
+>
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "GoogleExportFulfillment": {
+> "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json",
+> "User": "B29607@acme.internal"
+> }
+> }
+> }
+>
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. [See Google's documentation to **create** these credentials](https://developers.google.com/workspace/guides/**create**-credentials#see-googles-documentation-to-**create**-these-credentials).
|
+ | User required | **Type** String **Description** Email address of the service account mentioned in the prerequisites section. |
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+This connector has no credential attributes, and therefore does not use [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption), nor a [CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)Vault.
+
+Still, data protection can be ensured through an [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) safe.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/homefolder.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/homefolder.md
new file mode 100644
index 0000000000..d08a43b575
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/homefolder.md
@@ -0,0 +1,126 @@
+---
+title: "Home Folder"
+description: "Home Folder"
+sidebar_position: 80
+---
+
+# Home Folder
+
+This connector exports [home folders](https://en.wikipedia.org/wiki/Home_directory)' content.
+
+This page is about [Home Folders](../../../integration-guide/connectors/references-packages/home-folders).
+
+![Package: Storage/Home Folders](/images/identitymanager/packages_homefolders_v603.webp)
+
+## Overview
+
+Home Folders, also called Home Directory, is a user-dedicated storage area where users' personal files can be accessed. In general, a home folder is private so only its owner and administrators can access it. Moreover, the folders are often centralized because they are located on a network server. It allows making backups regularly and easily accessing the folders.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- reading first how to
+[Set, View, Change, or Remove Special Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772196(v=ws.10)) and check the [File and Folder Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732880(v=ws.10)) list;
+- an account with at least the special permission Read on all home folders in order to be able to
+export them.
+
+## Export
+
+This connector exports all the home folders to a CSV file.
+
+This connector performs only complete export, not incremental.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "HomeFolderExport": {
+> "InputDirectories": [> "C:/ContosoFolder",
+> "C:/ContosoFolder2",
+>],
+> "Domain": "Windows",
+> "Interactive": true,
+> "Login": "Contoso",
+> "Password": "ContOso$123456789"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | InputDirectories required | **Type** String List **Description** List of the directories that contain the home folders to be exported. |
+ | Domain optional | **Type** String **Description** Domain of the account used to access the home folders. |
+ | Interactive default value: False | **Type** Boolean **Description** `True` to set the authentication as interactive. `False` to set it batch. [See Microsoft's documentation for more details](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera#see-microsofts-documentation-for-more-details). |
+ | --- | --- |
+ | --- | --- |
+ | Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Identity Manager will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. |
+ | Password optional | **Type** String **Description** Password of the account used to access the files and folders. **Note:** when not specified and `Login` neither, then the account running Identity Manager will be used. |
+
+### Output details
+
+This connector is meant to generate a CSV file, named `.csv`,to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder, with the following columns:
+
+- **Command**: empty for now, as the connector performs only complete export.
+- **Name**: name of the home folder.
+
+> For example, when exporting with a connection named `HomeFolderExport`, then the output file will
+> be named `*HomeFolderExport.csv*` and will look like:
+>
+> ```
+> *HomeFolderExport.csv*
+> Command,Name
+> ...
+> ```
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection),
+configured in the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)safe;
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+Home Folder's `Login` and `Password`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/index.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/index.md
new file mode 100644
index 0000000000..9f35bc6452
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/index.md
@@ -0,0 +1,146 @@
+---
+title: "References: Connectors"
+description: "References: Connectors"
+sidebar_position: 20
+---
+
+# References: Connectors
+
+Connectors are the mechanisms that enable Identity Manager to read and write data to/from your organization's systems. Here is a list of reference connectors:
+
+- [Active Directory](../../../integration-guide/connectors/references-connectors/activedirectory)
+
+Exports and fulfills users and groups from/to an Active Directory instance.
+
+- [Azure](../../../integration-guide/connectors/references-connectors/azure)
+
+Exports Azure resources, role definitions and assignments.
+
+- [CSV](../../../integration-guide/connectors/references-connectors/csv)
+
+Exports data from a CSV file.
+
+- [EasyVista](../../../integration-guide/connectors/references-connectors/easyvista)
+
+Exports and fulfills users from/to an EasyVista-compliant system.
+
+- [EasyVista Ticket](../../../integration-guide/connectors/references-connectors/easyvistaticket)
+
+Opens tickets in EasyVista for manual provisioning.
+
+- [Google Workspace](../../../integration-guide/connectors/references-connectors/googleworkspace)
+
+Exports and fulfills users and groups from/to a Google Workspace instance.
+
+- [Home Folder](../../../integration-guide/connectors/references-connectors/homefolder)
+
+Exports home folders' content.
+
+- [InternalWorkflow](../../../integration-guide/connectors/references-connectors/internalworkflow)
+
+Triggers workflows in Identity Manager for a system's provisioning orders.
+
+- [Internal Resources](../../../integration-guide/connectors/references-connectors/internalresources)
+
+Opens manual provisioning tickets in Identity Manager.
+
+- [JSON](../../../integration-guide/connectors/references-connectors/json)
+
+Generates JSON files for each provisioning order.
+
+- [LDAP](../../../integration-guide/connectors/references-connectors/ldap)
+
+Exports and fulfills entries from/to a LDAP-compliant system.
+
+- [LDIF](../../../integration-guide/connectors/references-connectors/ldif)
+
+Exports entries from a LDIF file.
+
+- [ Microsoft Entra ID](../../../integration-guide/connectors/references-connectors/microsoftentraid)
+
+Exports and fulfills user and groups from/to a Microsoft Entra ID instance.
+
+- [Microsoft Excel](../../../integration-guide/connectors/references-connectors/excel)
+
+Exports datasheets from a Microsoft Excel (XLSX) file.
+
+- [Microsoft Exchange](../../../integration-guide/connectors/references-connectors/microsoftexchange)
+
+Exports mailboxes from a Microsoft Exchange instance.
+
+- [NIM Profile](../../../integration-guide/connectors/references-connectors/nimprofile)
+
+ Exports and fulfills NIM Profiles from/to a Netwrix Identity Manager instance
+
+- [OData](../../../integration-guide/connectors/references-connectors/odata)
+
+Exports and fulfills entries from/to an OData instance.
+
+- [Okta](../../../integration-guide/connectors/references-connectors/okta)
+
+Exports and fulfills entries from/to an Okta instance.
+
+- [OpenLDAP](../../../integration-guide/connectors/references-connectors/openldap)
+
+Exports and fulfills entries from/to an OpenLDAP directory.
+
+- [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov)
+
+Writes to an external system via a PowerShell script.
+
+- [PowerShellSync](../../../integration-guide/connectors/references-connectors/powershellsync)
+
+Exports data from an external system via a Powershell script.
+
+- [RACF](../../../integration-guide/connectors/references-connectors/racf)
+
+Exports users and profiles from a RACF file.
+
+- [Robot Framework](../../../integration-guide/connectors/references-connectors/robotframework)
+
+Writes to an external system via a Robot Framework script.
+
+- [SAP ERP 6.0 and SAP S4/HANA](../../../integration-guide/connectors/references-connectors/saperp6)
+
+Exports and fulfills users and roles from/to a SAP ERP 6.0 or SAP S4/HANA instance.
+
+- [SAP Netweaver](../../../integration-guide/connectors/references-connectors/sapnetweaver)
+
+Exports and fulfills users and roles from/to a SAP Netweaver instance.
+
+- [SCIM](../../../integration-guide/connectors/references-connectors/scim)
+
+Exports and fulfills entities from/to a SCIM-compliant application.
+
+- [ServiceNow](../../../integration-guide/connectors/references-connectors/servicenowentitymanagement)
+
+Exports and fulfills any data from/to a ServiceNow CMDB.
+
+- [ServiceNowTicket](../../../integration-guide/connectors/references-connectors/servicenowticket)
+
+Opens tickets in ServiceNow for manual provisioning.
+
+- [SharedFolders](../../../integration-guide/connectors/references-connectors/sharedfolder)
+
+Exports users and permissions from Windows shared folders.
+
+- [SharePoint](../../../integration-guide/connectors/references-connectors/sharepoint)
+
+Exports sites, folders, groups and permissions from a SharePoint instance.
+
+- [Sql](../../../integration-guide/connectors/references-connectors/sql)
+
+Exports data from one of various Database Management Systems.
+
+- [Sql Server Entitlements](../../../integration-guide/connectors/references-connectors/sqlserverentitlements)
+
+Exports entitlements from Microsoft SQL Server.
+
+- [Top Secret](../../../integration-guide/connectors/references-connectors/topsecret)
+
+Exports users and profiles from a Top Secret (TSS) instance.
+
+- [Workday](../../../integration-guide/connectors/references-connectors/workday)
+
+Exports users and groups from a Workday instance.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalresources.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalresources.md
new file mode 100644
index 0000000000..968437eb27
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalresources.md
@@ -0,0 +1,23 @@
+---
+title: "Internal Resources"
+description: "Internal Resources"
+sidebar_position: 100
+---
+
+# Internal Resources
+
+This connector opens manual provisioning tickets in Identity Manager.
+
+This page is about:
+
+- Ticket/Identity Manager
+- Ticket/Identity Manager And Create/Update/Delete resources
+
+See the [Manual Ticket](../../../integration-guide/connectors/references-packages/manual-ticket) and [Manual Ticket and CUD Resources](../../../integration-guide/connectors/references-packages/manual-ticket-and-cud-resources) topics for additional information.
+
+![Package: Ticket/identitymanager](/images/identitymanager/packages_identitymanagerticket_v603.webp)
+
+![Package: Ticket/identitymanager And Create/Update/Delete resources](/images/identitymanager/packages_identitymanagerticketcud_v603.webp)
+
+See the [Provision Manually](../../../user-guide/administrate/provisioning/manual-provisioning) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalworkflow.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalworkflow.md
new file mode 100644
index 0000000000..785dd64c53
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/internalworkflow.md
@@ -0,0 +1,192 @@
+---
+title: "InternalWorkflow"
+description: "InternalWorkflow"
+sidebar_position: 90
+---
+
+# InternalWorkflow
+
+This connector triggers workflows in Identity Manager for a system's provisioning orders.
+
+This page is about Identity Manager Internal Workflow. See the [Workflow](../../../integration-guide/connectors/references-packages/workflow) topic for additional information.
+
+![Package: Usercube/Workflow](/images/identitymanager/packages_workflow_v603.webp)
+
+## Overview
+
+This connector is singular because it does **not** connect Identity Manager to an external system.
+
+Instead, it is made to read the provisioning orders of a given connector or resource type, **and** launch specific workflows still within Identity Manager, depending on each order's type (creation, update, deletion).
+
+It works via a JSON file used to set the workflow to launch along with its arguments such as its message **and** body.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- Knowledge of the basic principles of Identity Manager's workflows. See the
+[Workflow](../../../integration-guide/connectors/references-packages/workflow) topic for additional information.
+- Configuring in Identity Manager the workflows for the arrival of a new user, the update of a
+pre-existing user, **and** for the departure of a user
+
+## Export
+
+There are no export capabilities for this connector.
+
+## Fulfill
+
+This connector retrieves the files containing provisioning orders that correspond to a given list of connectors or resource types, **and** then starts workflows according to the type of the provisioning orders (Added, Modified, Deleted) found in the JSON files.
+ +### Configuration + +This process is configured through a connection in the UI **and**/or the XML configuration, **and** in the *appsettings.agent.json* > **Connections** section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +:::note + The identifier of the connection **and** thus the name of the subsection must: +::: +- be unique +- **not** begin with a digit +- **not** contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` **and** `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +  ... +  "Connections": { +    ... +    "HR_Person_To_Directory_UserRecord": { +        "WorkflowJsonPath": "" +    } +  } +} +``` + +The configuration setting must have the following attributes: + + | Name | Type | Description | + | --- | --- | --- | + | WorkflowJsonPath required | String | Path of the JSON file used to configure this connector. | + +**WorkflowJsonPath** + +The file specified in WorkflowJsonPath must have a specific structure. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +```json +*FulfillInternalWorkflow.json* +{ +  "SourceEntityIdentifier": "Directory_UserRecord", +  "NavigationToTargetEntity": "User", +  "NavigationTargetToSource": "Records", +  "TargetEntityTypeIdentifier": "Directory_User", +  "FulfillInternalWorkflowConfigurations": [{ +      "ChangeType": "Added", +      "Model": { +        "WorkflowIdentifier": "Directory_User_StartInternal", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow start: $Changes:LastName$ - $Changes:FirstName$, EmployeeId: $Changes:EmployeeId$", +        "Body": "body of workflow $Changes:EmployeeId$ - $Changes:Site.Label$" +      }, +      "ScalarProperties": [ +        "LastName", +        "FirstName", +        "ContractStartDate", +        "ContractEndDate"], +      "NavigationProperties": ["Category", +        "Service", +        "Site"] +    }, +    { +      "ChangeType": "Modified", +      "Model": { +        "WorkflowIdentifier": "Directory_User_ChangeName", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow Update: $Resource:LastName$ - $Resource:FirstName$, EmployeeId: $Resource:EmployeeId$", +        "Body": "body of workflow Update for  $Resource:EmployeeId$ " +      }, +      "ScalarProperties": ["FirstName", +        "LastName"] +    }, +    { +      "ChangeType": "Deleted", +      "Model": { +        "WorkflowIdentifier": "Directory_User_End", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow end Directory_Person for $Resource:LastName$ - $Resource:FirstName$", +        "Body": "body if workflow end for $Resource:LastName$ - $Resource:FirstName$" +      }, +      "DateProperties": ["ContractEndDate"] +    } +  ] +} +``` + +:::tip + Remember, as workflows' aspects are computed during the fulfill process, all the required properties must be present in the provisioning order **and** in this JSON file. 
+:::
+**Setting attributes**
+
+The table below summarizes the setting attributes.
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Body required | String | Body of the message transmitted by the workflow. |
+ | ChangeType required | String | Type of the provisioning order: Added; Modified; Deleted. |
+ | DateProperties optional | DateTime List | List of the properties corresponding to the dates that the workflow is to fill in. **NOTE:** When **not** specified **and** ChangeType is set to Deleted, then the dates are filled with the workflow's execution date. |
+ | Message required | String | Message sent to the accounts impacted by the workflow. |
+ | NavigationProperties optional | String List | List of the navigation properties to get from the provisioning orders in order to complete the workflow. |
+ | NavigationTargetToSource optional | String | Navigation property that makes the link from the target entity type to the source entity type. **NOTE:** Required when using records. For example, it's **not** required when working with departments or sites. See the[Position Change via Records](../../../integration-guide/identity-management/joiners-movers-leavers/position-change) topic for additional information. |
+ | NavigationToTargetEntity optional | String | Navigation property that makes the link from the source entity type to the target entity type. **NOTE:** Required when using records. For example, it's **not** required when working with departments or sites. See the[Position Change via Records](../../../integration-guide/identity-management/joiners-movers-leavers/position-change) topic for additional information. |
+ | ScalarProperties optional | String List | List of the scalar properties to get from the provisioning orders in order to complete the workflow. |
+ | SourceEntityIdentifier required | String | Identifier of the source entity type of the workflow.
|
+ | TransitionIdentifier required | String | Identifier of the workflow's transition after execution. |
+ | TargetEntityTypeIdentifier required | String | Identifier of the target entity type of the workflow. |
+ | WorkflowIdentifier optional | String | Identifier of the workflow to be started. **NOTE:** Optional but **recommended** because it acts as default value when there is no related ArgumentsExpression or it does **not** return a valid identifier. See the[Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information. |
+
+The table below summarizes the variables for messages **and** bodies.
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Changes | String List | Prefix used to get data from the **Changes** section of the provisioning order. Example **Changes:LastName** retrieves the value of the **LastName** property from the order's changes. |
+ | Resource | String List | Prefix used to get data from Identity Manager's database. Example **Resource:LastName** retrieves the value of the **LastName** property from the database. |
+
+### Output details
+
+All three types of workflows (onboarding, update **and** off-boarding) can be completed with the fulfill Internal Workflow.
+
+## Authentication
+
+See the following to figure out authentication.
+
+**Password reset**
+
+This connector does **not** reset passwords.
+
+**Credential protection**
+
+This connector has no credential attributes, **and** therefore does **not** use RSA encryption, nor a CyberArk Vault. See the [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption) **and** [CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) topics for additional information.
+
+Still, data protection can be ensured through an Azure Key Vault safe.
See the [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault)topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/json.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/json.md
new file mode 100644
index 0000000000..6cc0ec9560
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/json.md
@@ -0,0 +1,16 @@
+---
+title: "JSON"
+description: "JSON"
+sidebar_position: 110
+---
+
+# JSON
+
+This connector generates [JSON](https://www.json.org/json-en.html) files for each provisioning order.
+
+**This page is about [JSON](../../../integration-guide/connectors/references-packages/json)**
+
+![Package: Custom/JSON](/images/identitymanager/packages_json_v603.webp)
+
+The documentation is not yet available for this page and will be completed in the near future.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldap.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldap.md
new file mode 100644
index 0000000000..38c536ba21
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldap.md
@@ -0,0 +1,269 @@
+---
+title: "LDAP"
+description: "LDAP"
+sidebar_position: 120
+---
+
+# LDAP
+
+This connector exports and fulfills entries from/to an [LDAP](https://ldap.com/)-compliant system.
+
+This page is about:
+
+- [Generic LDAP](../../../integration-guide/connectors/references-packages/generic-ldap);
+- [Oracle LDAP](../../../integration-guide/connectors/references-packages/oracle-ldap);
+- [Apache Directory](../../../integration-guide/connectors/references-packages/apache-directory);
+- [Red Hat Directory Server](../../../integration-guide/connectors/references-packages/red-hat-directory-server).
+
+![Package: Directory/Generic LDAP](/images/identitymanager/packages_ldapgeneric_v603.webp)
+
+![Package: Directory/Oracle LDAP](/images/identitymanager/packages_ldaporacle_v603.webp)
+
+![Package: Directory/Apache Directory](/images/identitymanager/packages_ldapapache_v603.webp)
+
+![Package: Directory/Red Hat Directory Server](/images/identitymanager/packages_ldapredhat_v603.webp)
+
+## Overview
+
+The Lightweight Directory Access Protocol (LDAP) is a flexible and well supported standards-based mechanism for interacting with directory servers.
+
+## Prerequisites
+
+Implementing this connector requires reading first the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent)documentation.
+
+## Export
+
+For a configured set of LDAP entries, this connector exports the list of all attributes from the connector's configuration.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> "Connections": {
+> ...
+> "LDAPExport": {
+> "Servers": [> {
+> "Server": "contoso.server.com",
+> "AuthType": "Basic",
+> "Login": "Contoso",
+> "Password": "ContOso$123456789",
+> "Controls": [
+> "PagedResult",
+> "DomainScope"
+>],
+> "NoSigning": false,
+> "EnableSSL": true
+> }
+> ],
+> "Tables": [> {
+> "Table": "entries",
+> "BaseDN": "DC=contoso,DC=com",
+> "Filter": "(objectclass=*)",
+> "Scope": "Subtree"
+> },
+> {
+> "Table": "member",
+> "BaseDN": "DC=contoso,DC=com",
+> "Filter": "(&(member=*)(objectclass=groupOfEntries))",
+> "Scope": "Subtree"
+> }
+>],
+> "SizeLimit": 5000,
+> "TimeLimit": 5,
+> "TimeOut": 30
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Servers required | **Type** Server List **Description** List of servers to connect to. |
+ | Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve entries and links. **Note:** having a table named `entries` is mandatory. |
+ | SizeLimit optional | **Type** Int32 **Description** Maximum number of objects returned in the search request. **Note:** ignored when using `Servers`:`Controls`. |
+ | TimeLimit optional | **Type** Int32 **Description** Maximum duration (in seconds) of the request. |
+ | TimeOut optional | **Type** Int32 **Description** Time period (in seconds) before the connection to the LDAP is closed. |
+
+##### Servers
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URL of the target domain controller. |
+ | Controls optional | **Type** String List **Description** List of the controls that will be applied to the request. Possible values are: `PagedResult` to limit the number of returned queries. Results will be returned in smaller and limited packets. `DomainScope` to enable domain control, i.e.
the LDAP server won't generate any referrals when completing a request, and the search is restricted to a single name context. **Note:**`PagedResult` is required when using `DomainScope`. [See more details in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-domain-scope-oid). |
+ | --- | --- |
+ | --- | --- |
+ | EnableSSL optional | **Type** Boolean **Description** `True` to enable SSL protocol for authentication requests. **Note:** recommended when using `AuthType` set to `Basic` because basic authentication packets are not encrypted by default. **Info:** SSL is not available on Linux. |
+ | NoSigning optional | **Type** Boolean **Description** `True` to disable Kerberos encryption. |
+ | --- | --- |
+ | --- | --- |
+ | AuthType default value: Negotiate | **Type** String **Description** Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: `Anonymous` - without any login/password; `Basic` - via the `BaseDN`, `Login` and `Password` attributes; `Negotiate` - via GSS-API negotiations with the Kerberos mechanism used for authentication. |
+ | Login optional | **Type** String **Description** Login used by Identity Manager for basic authentication. **Note:** required when `AuthType` is set to `Basic`. |
+ | Password optional | **Type** String **Description** Password used by Identity Manager for basic authentication. **Note:** required when `AuthType` is set to `Basic`. |
+
+##### Tables
+
+ | Name | Details |
+ | --- | --- |
+ | BaseDN required | **Type** String **Description** Base Distinguished Name to be used to connect to the server. |
+ | Table required | **Type** String **Description** Name of the table: it should be `entries` for the main entries, and the name of the LDAP's link attribute otherwise.
|
+ | --- | --- |
+ | --- | --- |
+ | Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). |
+ | Scope optional | **Type** String **Description** Search scope to be applied to the request. The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder one file per element in **Tables**, named `_.csv`, with one column for each property having a `ConnectionColumn` and each property without it but used in an entity association.
+
+Any property can be exported in a specific format when specified. See the [References: Format for the EntityPropertyMapping](../../../integration-guide/connectors/entitypropertymapping-format) topic for additional information.
+
+> With the previous example and the following entity type mapping:
+>
+> ```
+>
+> ConnectionColumn="displayName" /> ConnectionColumn="dn" IsUniqueKey="true" /> ConnectionColumn="entryUuid" IsPrimaryKey="true" /> ConnectionColumn="objectClass" Format="multivaluedtext" /> ConnectionColumn="ou" />Column1="parentdn" ConnectionTable="LDAPExport_Entries" EntityPropertyMapping1="LDAP_Entry:dn" EntityPropertyMapping2="LDAP_Entry:dn" Connector="LDAP" />Column2="member" ConnectionTable="LDAPExport_member" EntityPropertyMapping1="LDAP_Entry:dn" EntityPropertyMapping2="LDAP_Entry:dn" Connector="LDAP" />
+>
+> ```
+>
+> We would have `C:/identitymanagerContoso/Temp/ExportOutput/*LDAPExport_entries.csv*` like:
+>
+> ```
+> *LDAPExport_entries.csv*
+> displayName,dn,entryUuid,objectClass,ou,parentdn
+> ...
+>
+> ```
+>
+> And we would also have `C:/identitymanagerContoso/Temp/ExportOutput/*LDAPExport_member.csv*` like:
+>
+> ```
+> *LDAPExport_member.csv*
+> dn,member
+> ...
+>
+> ```
+
+## Fulfill
+
+The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the Identity Manager UI or by assignment policy enforcement. See the [Evaluate Policy](../../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "LDAPFulfillment": {
+> "Servers": [> {
+> "Server": "contoso.server.com",
+> "AuthType": "Basic",
+> "Login": "Contoso",
+> "Password": "ContOso$123456789"
+> }
+>],
+> "Tables": [> {
+> "Table": "entries",
+> "BaseDN": "DC=contoso,DC=com"
+> }
+>],
+> "IsLdapPasswordReset": true,
+> "AsAdLds": false
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Servers required | **Type** Server List **Description** List of servers to connect to.
|
+ | Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve the entries and the links. **Note:** having a table named `entries` is mandatory. |
+ | AsAdLds required | **Type** Boolean **Description** `True` to state the managed system as an AD LDS. |
+ | IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. |
+
+### Output details
+
+This connector can create a new resource, and update and delete an existing resource via the UI.
+
+A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** value becomes `512`.
+
+### Add attributes to the requests
+
+Some systems using the LDAP protocol require additional attributes in the creation and/or update requests.
+
+If these attributes are not synchronized in Identity Manager, then they cannot be computed and provided by scalar rules or navigation rules. In this case, they can be given as arguments in the provisioning order, through the `ResourceType`'s `ArgumentsExpression`.
+
+> The following example adds the attribute `description` with a value depending on what is modified:
+>
+> ```
+>
+> ArgumentsExpression="C#:resource:
+> var arguments = new System.Collections.Generic.Dictionary();
+>
+> if (provisioningOrder.HasChanged("cn")) {
+> arguments.Add("description", "This entry's login has been modified by Usercube.");
+> }
+> else if (provisioningOrder.HasChanged("mail")) {
+> arguments.Add("description", "This entry's email has been modified by Usercube.");
+> }
+> else {
+> arguments.Add("description", "This entry has been modified by Usercube.");
+> }
+>
+> return arguments;">
+>
+>
+>
+> ```
+
+## Authentication
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic to learn how to configure password reset settings.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+LDAP's `Login`, `Password` and `Server`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldif.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldif.md
new file mode 100644
index 0000000000..6c625d2293
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/ldif.md
@@ -0,0 +1,100 @@
+---
+title: "LDIF"
+description: "LDIF"
+sidebar_position: 130
+---
+
+# LDIF
+
+This connector exports entries from an [LDIF](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) file.
+
+This page is about [LDIF](../../../integration-guide/connectors/references-packages/ldif).
+
+![Package: Directory/LDIF](/images/identitymanager/packages_ldif_v603.webp)
+
+## Overview
+
+The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry). It also represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record for each update request.
+
+## Prerequisites
+
+Implementing this connector requires no particular prerequisites.
+
+## Export
+
+This connector generates a CSV file from an input LDIF file containing entries to be exported.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "LdifExport": {
+> "LDIFFile": "C:/identitymanagerContoso/Contoso/contoso.ldif",
+> "FilterAttribute": "objectClass",
+> "FilterValues": "user organizationalUnit",
+> "Attributes": ["dn", "objectClass", "cn", "SAMAccountName", "Name", "userprincipalname"],
+> "LdifEncoding": "UTF-8",
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | LDIFFile required | **Type** String **Description** Path of the LDIF input file. |
+ | FilterAttribute required | **Type** String **Description** Property from the connector's configuration whose value is to be compared with the values from `FilterValues`, in order to filter the entries to export. |
+ | FilterValues required | **Type** String **Description** List of values to be compared with the value of `FilterAttribute`, in order to filter the entries to export. Identity Manager will export only the entries matching the filter. **Note:** multiple values must be separated by white spaces. |
+ | Attributes required | **Type** String List **Description** List of properties from the connector's configuration to be exported. |
+ | LdifEncoding default value: UTF-8 | Encoding of the file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder a CSV file named `LdifExport.csv`, with the following columns:
+
+```text
+LdifExport.csv
+Command,dn,objectClass,cn,SAMAccountName,Name,userprincipalname
+Insert,value1,value2,...,valueN
+```
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Credential protection
+
+This connector has no credential attributes, and therefore does not use [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), nor a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)Vault.
+
+Still, data protection can be ensured through an [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftentraid.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftentraid.md
new file mode 100644
index 0000000000..df9e1640a7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftentraid.md
@@ -0,0 +1,212 @@
+---
+title: "Microsoft Entra ID"
+description: "Microsoft Entra ID"
+sidebar_position: 30
+---
+
+# Microsoft Entra ID
+
+This connector exports and fulfills user and groups from/to a [Microsoft Entra ID](https://www.microsoft.com/fr-fr/security/business/identity-access/microsoft-entra-id) (formerly Microsoft Azure AD) instance.
+
+See the[Microsoft Entra ID](../../../integration-guide/connectors/references-packages/azure-active-directory)topic for additional information.
+
+![Package: Directory/Microsoft Entra ID](/images/identitymanager/packages_azuread_v603.webp)
+
+## Overview
+
+Microsoft Entra ID is Microsoft's cloud-based identity and access management service which helps your employees sign in and access resources in:
+
+- External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS
+applications;
+- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps
+developed by your own organization.
+
+## Prerequisites
+
+Implementing this connector requires giving Identity Manager [application permissions](https://docs.microsoft.com/en-us/graph/auth/auth-concepts#application-permissions), because Identity Manager does not access the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) on behalf of a user but with [its own identity](https://docs.microsoft.com/en-us/graph/auth-v2-service), and delegated permissions are not enough. These application permissions require the consent of an administrator of the target Microsoft Entra ID tenant.
+
+See the [Register for Microsoft Entra ID](../../../integration-guide/connectors/configuration-details/azuread-register) topic on how to register Identity Manager as an application with the Microsoft Identity Platform in order to grant Identity Manager a service account which authenticates with the target Microsoft Entra ID.
+
+## Export
+
+For a configured set of directory objects on an Microsoft Entra ID instance, this connector exports the list of configured attributes in the associated entity type mapping to a CSV file.
+
+### Configuration
+
+This process is configured through a connection in the UI and/or the XML configuration. See the [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) topic for additional information.
+
+Or in the `appsettings.agent.json > Connections` section:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+appsettings.agent.json
+{
+  ...
+  "Connections": {
+    ...
+    "": {
+      ...
+    }
+  }
+}
+```
+
+:::note
+ The identifier of the connection and thus the name of the subsection must:
+:::
+- be unique
+- not begin with a digit
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+appsettings.agent.json
+{
+  ...
+  "Connections": {
+    ...
+    "MicrosoftEntraIDExport": {
+        "ApplicationId": "",
+        "ApplicationKey": "<25d408a1925d4c081925b\d40819>",
+        "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>",
+        "MicrosoftGraphPathApi": "",
+        "ResponseUri": ""
+    }
+  }
+}
+```
+
+**Setting attributes**
+
+The table below summarizes the setting attributes of Microsoft Entra ID connector.
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | ApplicationId (required) | String | GUID that uniquely identifies the application registration in the Azure tenant.
**NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (client) ID** |
+ | ApplicationKey (required) | String | Secret associated with the `ApplicationId` **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Certificate & secrets** > **Client secrets** > **Client Secret** |
+ | TenantId (required) | String | GUID that uniquely identifies the Azure tenant. **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (tenant) ID** |
+ | ResponseUri (default value: `http://localhost`) | String | URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). |
+ | MicrosoftAuthorityPath (optional) | String | Pattern for Microsoft Authority Path. |
+ | MicrosoftGraphPath (default value: https://graph.microsoft.com/.default) | String | Scope requested to access a protected API. **NOTE:** For this flow (client credentials), the scope should be of the form `{ResourceIdUri/.default}`. [See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation) for additional information. |
+ | MicrosoftGraphPathApi (default value: `https://graph.microsoft.com/v1.0/`) | String | Microsoft Graph Uri API. |
+
+### Output details
+
+This connector is meant to generate the following files:
+
+- `_directoryobjects.csv` containing the property values from the entity type
+mapping associated with the connection.
+
+:::note
+ The values are exported from the entities listed in the attribute `C0` of the `EntityTypeMapping`.
+:::
+For example, with the following configuration:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```xml
+          
+```
+
+Four entities are exported (`user`; `group`; `directoryRole`; `servicePrincipal`) and whose names are to be found in the column `@odata.type`. Then `MicrosoftEntraIDExport_directoryobjects.csv` looks like:
+
+``` MicrosoftEntraIDExport_directoryobjects.csv Command,@odata.type,accountEnabled,id,mail ... ```
+:::tip
+ Remember, attributes described as "Supported only on the Get `` API" in the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) documentation cannot be retrieved through this connector. The export task will raise an error if these attributes are used in your EntityTypeMapping.
+:::
+This connector supports [Microsoft Entra ID Schema Extensions](https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions) but does not support [Microsoft Graph Schema Extensions](https://docs.microsoft.com/en-us/graph/extensibility-schema-groups).
+
+- `__.csv` describing the navigation property from
+one entity to another.
+
+For example `AzureADExport_members_group.csv` would look like:
+``` MicrosoftEntraIDExport_members_group.csv Command,groupId,id ... ```
+
+Where command can be `insert`, `update` or `delete`; groupId is the id of the group; id is the id of the group member (in this context).
+
+:::note
+ Only the navigation properties `members` and `owners` are exported. These navigation properties are automatically detected according to the data exported.
+:::
+- one file `_cookie_.bin` per entity, containing an URL with a
+`delta token` useful for incremental export.
+
+ > For example `MicrosoftEntraIDExport_cookie_user.bin`
+
+:::tip
+ Remember, most exports can be run in complete mode, where the CSV files will contain all entries, or in incremental mode, where CSV files will contain only the entries which have been modified since the last synchronization.
+:::
+A task can use the IgnoreCookieFile boolean property, and a command line (with an executable) can use the option --ignore-cookies.
+
+The CSV files are stored in the Export Output folder, and the cookie file in the Export Cookies folder. See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) topic for additional information.
+
+For more details, see Microsoft's documentation on [columns and attributes synchronized to Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized).
+
+## Fulfill
+
+This connector writes to the Microsoft Entra ID, to create, update and delete Microsoft Entra ID objects, initiated manually through the UI or automatically by enforcing the policy. See the [Evaluate Policy](../../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections.
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+appsettings.agent.json
+{
+  ...
+  "Connections": {
+    ...
+    "MicrosoftEntraIDFulfillment": {
+        "ApplicationId": "",
+        "ApplicationKey": "<84468d65324ghj\de9864d3d7e89026>",
+        "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>",
+        "MicrosoftGraphPathApi": "",
+        "ResponseUri": ""
+    }
+  }
+}
+```
+
+**Setting attributes**
+
+The table below summarizes the setting attributes.
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | ApplicationId required | String | GUID that uniquely identifies the application registration in the Azure tenant. **NOTE:** value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (client) ID** |
+ | ApplicationKey required | String | Secret associated with the `ApplicationId`. **NOTE:** value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Certificate & secrets** > **Client secrets** > **Client Secret** |
+ | TenantId required | String | **NOTE:** GUID that uniquely identifies the Azure tenant. value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (tenant) ID** |
+ | ResponseUri default value: `http://localhost` | String | URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). |
+ | MicrosoftGraphPathApi default value: https://graph.microsoft.com/v1.0/ | String | Microsoft Graph Uri API. |
+
+### Output details
+
+This connector can create a new resource, update and delete any Microsoft Entra ID objects and groups' memberships via the UI.
+
+## Authentication
+
+See the following to figure out authentication.
+
+**Password reset**
+
+See the[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information on how to configure password reset settings.
+
+**Credential protection**
+
+Data protection can be ensured through:
+
+- [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption),
+configured in the `appsettings.encrypted.agent.json` file
+- An [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault)
+safe;
+
+- A
+[CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) Vault able to store Microsoft Entra ID's `ApplicationId` and `ApplicationKey`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftexchange.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftexchange.md
new file mode 100644
index 0000000000..980cd977a6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/microsoftexchange.md
@@ -0,0 +1,134 @@
+---
+title: "Microsoft Exchange"
+description: "Microsoft Exchange"
+sidebar_position: 150
+---
+
+# Microsoft Exchange
+
+This connector exports mailboxes from a [Microsoft Exchange](https://support.microsoft.com/en-us/office/what-is-a-microsoft-exchange-account-47f000aa-c2bf-48ac-9bc2-83e5c6036793) instance.
+
+This page is about [Microsoft Exchange](../../../integration-guide/connectors/references-packages/microsoft-exchange).
+
+![Package: Server/Microsoft Exchange](/images/identitymanager/packages_exchange_v603.webp)
+
+## Overview
+
+Microsoft Exchange Server is Microsoft's email, calendar, contact, scheduling and collaboration platform. It is deployed on the Windows Server operating system (OS) for business use. This connector uses [Exchange Server PowerShell (Exchange Management Shell)](https://docs.microsoft.com/en-us/powershell/exchange/exchange-management-shell?view=exchange-ps) to export databases and mailboxes.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- a Microsoft Exchange Server 2010, or later.
+[See here Exchange Server 2016's requirements](https://docs.microsoft.com/en-us/exchange/plan-and-deploy/system-requirements?view=exchserver-2016);
+- installing Windows PowerShell.
+[See how to connect to Exchange servers using remote PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps).
+
+## Export
+
+This connector exports [mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps) and [mailbox databases](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailboxdatabase?view=exchange-ps). Two CSV files are generated, one with the [mailbox properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)) (like `Database`, `EmailAddresses`, `ServerName` , etc.)
and the other with [mailbox database properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)) (like `Name`, `Server`, `Mounted`, etc.). These properties are explicitly part of the PowerShell script used by Identity Manager.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "MicrosoftExchangeExport": {
+> "AuthType": "Kerberos",
+> "Server": "http://mailbox01.contoso.com/PowerShell/"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** Address of the Exchange Server used by the remote PowerShell: `http:///PowerShell/` where `` is the fully qualified domain name of the Exchange server, like `mailbox01.contoso.com`. |
+ | PowerShellScriptPath default value: `{your Identity Manager path}/Runtime/Export-Exchange.ps1` | **Type** String **Description** Path of the export script file.
|
+
+### Output details
+
+This connector is meant to generate the following files:
+
+- `_mailboxes.csv` with the following columns:
+
+``` _databases.csv Command,Database,EmailAddresses,UseDatabaseRetentionDefaults,RetainDeletedItemsUntilBackup,DeliverToMailboxAndForward,ExchangeGuid,ExchangeUserAccountControl,ForwardingAddress,ForwardingSmtpAddress,IsMailboxEnabled,ProhibitSendQuota,ProhibitSendReceiveQuota,RecoverableItemsQuota,RecoverableItemsWarningQuota,CalendarLoggingQuota,IsResource,IsLinked,IsShared,SamAccountName,AntispamBypassEnabled,ServerName,UseDatabaseQuotaDefaults,UserPrincipalName,WhenMailboxCreated,IsInactiveMailbox,AccountDisabledIsDirSynced,Alias,OrganizationalUnit,DisplayName,MaxSendSize,MaxReceiveSize,PrimarySmtpAddress,RecipientType,RecipientTypeDetails,Identity,IsValid,Name,DistinguishedName,Guid,ObjectCategory,WhenChangedUTC,WhenCreatedUTC,ObjectState Insert,value1,value2,...,valueN ```
+ > For example, we could have
+ > `C:/identitymanagerContoso/Temp/ExportOutput/MicrosoftExchangeExport_mailboxes.csv`.
+
+[See more details on mailbox properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)).
+
+- `_databases.csv` with the following columns:
+``` _databases.csv Command,Name,Server,Mounted,ObjectCategory,Guid,WhenChangedUTC,WhenCreatedUTC,ObjectState Insert,value1,value2,...,valueN ```
+
+[See more details on mailbox database properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)).
+
+- `_cookie.bin` which stores the time of the last successful export, thus
+allowing incremental processes.
+
+The CSV files are stored in the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output, and the cookie file in the Export Cookies folder.
+
+## Fulfill
+
+This connector can **create**, **update** or **delete**[ mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps)' addresses (PrimarySmtpAddress, ProxyAddress) and mailbox databases.
+
+As it works via a PowerShell script. See the [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov) topic for additional information.
+
+Identity Manager's PowerShell script can be found in the SDK in `Usercube.Demo/Scripts/Fulfill-Exchange.ps1`.
+
+See the [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov) topic for additional information.
+
+## Authentication
+
+### Authentication Type
+
+This connector uses Kerberos authentication when trying to connect with the Exchange Server.
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)able to store
+Microsoft Exchange's `Server`.
+
+This kind of credential protection can be used only for the export process.
+
+The fulfill process' credentials can be protected by following the instructions for the PowerShellProv connector. See the [PowerShellProv](../../../integration-guide/connectors/references-connectors/powershellprov) topic for additional information
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/nimprofile.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/nimprofile.md
new file mode 100644
index 0000000000..a9dbaafdbf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/nimprofile.md 
@@ -0,0 +1,270 @@
+---
+title: "NIM Profile"
+description: "NIM Profile"
+sidebar_position: 110
+---
+
+# NIM Profile
+
+This connector exports and fulfills profile assignments from/to an Identity Manager instance.
+
+This page is about [NIM Profile](../../../integration-guide/connectors/references-packages/nimprofile).
+
+![Package: Netwrix Identity Manager/NIM Profile](/images/identitymanager/packages_nimprofile_v63.png)
+
+## Overview
+
+The NIM (Netwrix Identity Manager) Profile connector enables Identity Manager to manage its own profile assignments. This connector allows you to:
+
+- Automatically assign profiles based on rules
+- Include assigned profiles in access certification campaigns
+- Apply separation of duties risk rules to Identity Manager profile permissions
+- Leverage the full governance lifecycle (approval workflows, audit trails, role mining, etc.)
+
+The connector supports two operational modes:
+
+- **Local mode**: Manage profile assignments within the same Identity Manager instance (target instance = source instance)
+- **Remote mode**: Manage profile assignments in a different Identity Manager instance (target instance ≠ source instance)
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- An Identity Manager instance with properly configured profiles
+- For Remote mode: API connectivity between the source and target Identity Manager instances
+
+### Permissions
+
+The open id client must have the following permissions:
+
+- **Read, Write, Create, Delete permissions** on the target instance to export/provision/deprovision profile assignments:
+ - `/AccessControl/AssignedProfile/Query`
+ - `/AccessControl/AssignedProfile/Update`
+ - `/AccessControl/AssignedProfile/Create`
+ - `/AccessControl/AssignedProfile/Delete`
+
+The user generating the [NIM Profile Template](#configuration-template) must have the permission `/Connector/Connection/Update`
+
+## Configuration Template
+
+The NIM Profile connector uses an automated
configuration wizard that generates the necessary connector configuration based on a template.
+
+More specifically, based on the profiles, dimensions and entity types in the target instance, the wizard will generate and deploy:
+- Entity types and associations
+- Single roles (one per profile)
+- Resource types
+- Correlation rules
+- Query rules
+- Navigation and scalar rules
+- UI components (views and menu items)
+- A dedicated category for the connector
+
+![NIM Profile Modal](/images/identitymanager/nimProfileModal_v63.png)
+When generating the configuration, as seen above, the following elements need to be specified:
+- **Policy**: Defines where to include the category, single roles, resource types, and rules
+- **Profile**: Defines the profile used to specify the access control rules
+- **MenuItem**: Determines where to nest the sub-menu items for the NIM connector in the user interface (see screenshot below showing menu item locations). For example, in the demo configuration, `Nav_Connectors` should be used. Parent Menu Item `Nav` can be used. It will add the items to the root of the navigation left panel on the Home page. For more information, refer to the [Menu Item documentation](../../toolkit/xml-configuration/user-interface/menuitem).
+
+![NIM Profile Menu Items](/images/identitymanager/nimProfile_MenuItem_v63.png)
+
+:::note
+In complex scenarios, when the owner entity type is different from the identity entity type (the entity type bound via the `ResourceIdentityProperty` setting), the wizard generates multiple Resource Types per profile, one for each identity correlation path (e.g., separate Resource Types for nominative and administrative accounts).
+:::
+
+The connector supports scenarios where:
+
+- Users have multiple profile assignments
+- Profiles are parameterized with multiple dimension values
+- Users have both time-limited and permanent profile assignments
+
+:::warning
+The product currently faces limitations concerning evolutions:
+- If the target instance's configuration changes (profiles added or removed, dimensions modified, ...), the connector configuration may become outdated. This could lead to uncorrelated resources for newly added profiles. For now, the only option is to re-create a connection and re-run the configuration wizard to regenerate the connector configuration.
+- Since the generation of the template also creates hard coded resources, it is not yet possible to export the configuration from one environment and import it in another environment. The template needs to be generated using the wizard in the second environment too.
+:::
+
+### Local Mode vs Remote Mode
+
+#### Local Mode (Self-Management)
+
+In Local mode, the source and target instances are the same. This is the simplest configuration: no manual steps are required, all expressions are automatically computed. The generated rules can always be manually adjusted after deployment if needed.
+
+:::note
+When the owner entity type differs from the identity entity type, binding expressions for query and correlation rules are inferred from the existing correlation rules linking the two entity types. When multiple correlation rules exist for the same Resource Type, only the one with the highest confidence level is used.
+:::
+
+#### Remote Mode
+
+In Remote mode, the source and target instances are different.
+
+The wizard cannot automatically determine how to map identities between the source and the target Identity Manager instances. The following steps must therefore be performed:
+- Locate Placeholder Expressions (for Query and Correlation Rule): Placeholders contain the text "PLACEHOLDER" and include guidance.
+- Update Query Rules: For each Resource Type, replace the placeholder with an expression that returns the target instance user identifier.
+
+ For example:
+
+ ```csharp
+ C#:userRecord: return userRecord.User?.Identifier.ToString();
+ ```
+
+- Update Correlation Rules: For each Resource Type, with the same logic as for Query Rules, modify to correlate users between instances.
+- Test the Configuration:
+ - Run an Export job to verify data is exported correctly
+ - Run a Synchronization job to import the data
+ - Run a ComputeRoleModel job to test correlation
+ - Verify that profile assignments are being correlated correctly
+ - If correlation fails (0 matches found), review and correct the user binding expressions
+
+:::warning
+In Remote mode, if placeholder expressions are not replaced, the connector will appear to work (Export and Synchronization jobs complete successfully), but no correlation will occur.
+:::
+
+## Export
+
+For a configured NIM Profile connection, this connector exports profile assignments from the target Identity Manager instance.
+
+### What is Exported
+
+The connector exports:
+
+- **Profile Metadata**: Profile definitions (from `UA_Profiles` table)
+- **Assignment Context**: Profile context values (from `UA_ProfileContexts` table)
+- **User Associations**: Links between profiles and users (from `UA_AssignedProfiles` table)
+- **Dimension Values**: Parameter values for parameterized profiles. For assigned profiles, dimensions include the [dimensions](../../toolkit/xml-configuration/metadata/dimension/) defined in the configuration but also single roles, composite roles, resource types as well as categories.
+
+### Configuration
+
+The connection configuration is created through the UI during connector setup.
+
+For Local mode, no additional connection settings are required beyond selecting "Local" mode.
+
+For Remote mode, the connection settings must be configured through the UI or in the `appsettings.agent.json` > `Connections` section:
+
+```json
+// appsettings.agent.json
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ "Mode": "Remote",
+ "ServerUrl": "https://target.instance.com",
+ "ClientId": "your-client-id",
+ "ClientSecret": "your-client-secret"
+ }
+ }
+}
+```
+
+#### Setting Attributes
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Mode
*required* | String | Connection mode: `Local` or `Remote`. |
+ | ServerUrl
*Required for Remote mode* | String | The URL of the target Identity Manager instance to manage. Not required for Local mode. |
+ | ClientId
*Required for Remote mode* | String | OAuth client ID for authenticating with the target instance API. Not required for Local mode. |
+ | ClientSecret
*Required for Remote mode* | String | OAuth client secret for authenticating with the target instance API. Not required for Local mode. |
+
+### Output Details
+
+This connector generates a file named `_AssignedProfile.csv`, with columns for:
+- **Id**: Target instance assignment ID
+- **StartDate**: Assignment start date
+- **EndDate**: Assignment end date
+- **UserId**: Reference to the assigned user
+- **ProfileId**: Reference of the assigned profile
+- **Parameter dimension values**: For each profile parameter
+- **Email**: Email for the assignment
+
+As well as a file named `_Profile.csv`, with columns for:
+- **Id**: Id of the profile
+- **Identifier**: Reference of the profile
+- **DisplayName_L1**: Name of the profile
+
+Additional CSV files are generated for profile context values (dimensions as well as categories, single roles, composite roles and resource types).
+
+## Fulfill
+
+This connector provisions profile assignments to the target Identity Manager instance.
+
+:::note
+The `BlockProvisioning` property is set to `true` and the `ApprovalWorkflowType` is set to `ManualAssignmentNotAllowed` on generated Resource Types.
+Therefore provisioning must occur through the Role Model engine based on Single Role assignments only. Once the orders are created, they have to be reviewed in the Provisioning Review screen.
+:::
+
+### Configuration
+
+The fulfillment configuration is automatically generated by the wizard and includes:
+
+- **Resource Type Mappings**: Type `NimResourceTypeMapping` linked to the NIM Profile connection
+- **Provisioning Rules**: Navigation rules for profile and parameter values, Scalar rules for dates
+- **Correlation Rules**: Rules to match existing assignments and avoid duplicates
+
+### Output Details
+
+The connector:
+- Creates new `UA_AssignedProfiles` and `UA_ProfileContexts` for granted assignments
+- Updates existing profile assignments
+- Deletes profile assignments for permissions that need to be revoked
+- Generates historization in both source and target instances
+
+## Best Practices
+
+### Before Deployment
+
+- **Review target instance schema**: Ensure profiles are properly configured with correct parameters
+- **Plan identity correlation**: In Remote mode, document the user mapping strategy before running the wizard
+- **Test in non-production**: Deploy and test the connector in a development environment first
+
+### After Deployment
+
+- **Validate correlation**: Run test exports and synchronization to verify correlation is working correctly
+- **Monitor provisioning**: Review initial provisioning operations to ensure assignments are created correctly
+- **Document expressions**: If using Remote mode, document the user binding expressions for future reference
+
+## Troubleshooting
+
+### Export completes but no data is synchronized
+
+| Possible cause | Resolution |
+| --- | --- |
+| Target instance has no profile assignments | Check target instance `UA_AssignedProfiles` table |
+| Access Control Rule has filters | Verify the open id client has permissions to `/AccessControl/AssignedProfile/Query` and can access all
+ profile assignments |
+
+### No correlation occurs
+
+| Possible cause | Resolution |
+| --- | --- |
+| Placeholder expressions not replaced (Remote mode) | Check Query Rules and Correlation Rules for "PLACEHOLDER" text |
+| Incorrect user binding expressions | Verify user binding expressions return valid identifiers |
+| User data not synchronized to source instance | Synchronize before correlating profile assignments |
+
+### Fulfillment operations are not executed
+
+| Possible cause | Resolution |
+| --- | --- |
+| `BlockProvisioning` preventing fulfillment | Check Provisioning Review for pending operations |
+| No Single Roles assigned to users | Verify the single role rules for the profiles are properly defined and that users have appropriate Single Role assignments |
+| Role Model not computed | Run the Compute Role Model job to generate provisioning operations |
+
+### Computed profiles display as non-conforming
+
+[ProfileRules](../../toolkit/xml-configuration/access-control/profilerulecontext) will continue to be computed. To ensure that computed profiles are properly recognized by the Compute Role Model job and do not display as non-conforming, Profile rules should be written through Single Role rules as for other connectors, rather than using ProfileRules.
+
+## Authentication
+
+### Password Reset
+
+This connector does not reset passwords.
+
+### Credential Protection
+
+For Remote mode connections, data protection can be ensured through:
+
+- [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption) configured in the `appsettings.encrypted.agent.json` file
+- An [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) safe
+
+Consider storing API credentials in:
+
+- A [CyberArk's AAM Credential Providers](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers) able to store the target instance URL and API credentials
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/odata.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/odata.md
new file mode 100644
index 0000000000..9a68dd1fd4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/odata.md
@@ -0,0 +1,131 @@
+---
+title: "OData"
+description: "OData"
+sidebar_position: 160
+---
+
+# OData
+
+This connector exports and fulfills data from/to an [OData](https://www.odata.org/) instance.
+
+This page is about [OData](../../../integration-guide/connectors/references-packages/odata).
+
+![Package: Custom/OData](/images/identitymanager/packages_odata_v603.webp)
+
+## Overview
+
+OData (Open Data Protocol) comply with ISO/IEC and OASIS standards. This protocol defines the best approaches for using RESTful APIs. OData helps you focus on your business logic while building RESTful APIs without having to worry about the various approaches to define request and response headers, status codes, HTTP methods, URL conventions, media types, payload formats, query options, etc.
+
+## Prerequisites
+
+Implementing this connector requires reading first the appsettings documentation.
+
+Identity Manager's service is based on [OData RFC](https://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html).
+
+## Export
+
+This connector extracts all entity sets with all the information needed to rebuild them. This is based on the connector's metadata.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+>
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "ODataExport": {
+> "Server": "https://YourODataService.com/",
+> "Login": "login",
+> "Password": "password"
+> }
+> }
+> }
+>
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URL of the data system. |
+ | Login optional | **Type** String **Description** Login to connect to the system. |
+ | Password optional | **Type** String **Description** Password to connect to the system. |
+ | BearerToken optional | **Type** String **Description** Token to authenticate to the system. |
+ | ClientId optional | **Type** String **Description** Id to connect to the system via OpenId. |
+ | ClientSecret optional | **Type** String **Description** Password to connect to the system via OpenId. |
+ | AuthenticationUrl optional | **Type** String **Description** URL to request the authentication via OpenId. |
+
+#### XML configuration requirements
+
+This connector requires from the XML configuration:
+
+- An
+[Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping):
+ - with the same identifier as the related entity type;
+ - related to the right connector;
+ - related to a connection table named `_`;
+ - with properties whose connection columns represent the property's path in the entity, see the
+configuration example below;
+- An
+[Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping):
+ - with the same identifier as the related entity association;
+ - with its `Column1` in the format `UsercubeNav_:` for the
+related property in the association;
+ - with its `Column2` in the format `Of:` for the related
+property in the association;
+ - related to a connection table named `__`.
+
+The information contained in the entity types and entity associations does not impact the export.
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder one CSV file for each entity set provided in the connector's configuration.
+
+The files' column headers come from the entity type mapping's `ConnectionColumn` properties.
+
+If the connection column describes a sub-property, then the name should have the following pattern: `{property}:{sub-property}`. The character `":"` should not be used in other situations.
+
+> For example:
+>
+> ```xml
+>
+>
+>
+>
+> ```
+>
+> ```xml
+>
+>
+>
+>
+> ```
+>
+> Note that we have here `UserName` which is a single property, and `FamilyName` which is a
+> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/okta.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/okta.md
new file mode 100644
index 0000000000..c2633b5287
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/okta.md
@@ -0,0 +1,254 @@
+---
+title: "Okta"
+description: "Okta"
+sidebar_position: 170
+---
+
+# Okta
+
+This connector exports and fulfills entries from/to Okta application.
+
+![okta](/images/identitymanager/okta.webp)
+
+## Overview
+
+Okta is an access management solution that provides SSO and federation capabilities for single sign-on, multi-factor authentication, and API access management. Okta's platform is widely used by organizations to protect accesses for digital identities in an increasingly complex and interconnected digital world.
+
+### Prerequisites
+
+Implementing this connector requires:
+
+- Reading first the appsettings documentation
+- An Okta Token with specific permissions on the target instance
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information.
+
+### Configuration
+
+To configure the Okta connector it is necessary to:
+
+**Step 1 –** Create a new user for Netwrix Identity Manager (formerly Usercube).
+
+In order to do so you must connect to the Okta administration console `https://myexample-admin.okta.com` and create a new Netwrix Identity Manager (formerly Usercube) user.
+
+:::note
+ For some Okta deployments it is possible to create a service account or to Manage an Okta user account as a service account.
+:::
+**Step 2 –** Assign administrator role and permissions to the Netwrix Identity Manager (formerly Usercube) user.
+
+**Step 3 –** Generate a Token for the Netwrix Identity Manager (formerly Usercube) user.
+
+See the [Okta documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/service-accounts/service-accounts-overview.htm) for additional information.
+
+### Export
+
+This connector exports a list of users, groups, applications with their attributes specified in the connector's configuration, to CSV files.
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the appsettings.agent.json > Connections section. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +appsettings.agent.json +{ +    "Connections": { +        ... +        "OktaExportFulfillment": { +            "Server": " https://.okta.com", +            "ApiKey": "", +        } +    } +} +``` + +### Setting attributes + + | Name | Type | Description | + | --- | --- | --- | + | Server required | String | URI of the data system. | + | ApiKey required | String | User token value. 
| + +### Output details + +This connector can create, delete and update users, groups and applications, and is meant to generate the following to the ExportOutput folder : + +- A CSV file, named ``\_users.csv, with one column for each property either +having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_groups.csv, with one column for each property either +having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_apps.csv, with one column for each property either +having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_groupsapps.csv, with one column for each property +either having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_groupsusers.csv, with one column for each property +either having a ConnectionColumn or which is used in an entity association; + +For example, with the following entity type mapping for users: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml + +     +     +     +     +     +     +     +     +     +     +     +     +     +….   + +   +     +     +     +     +     +     +     +     +     +     +     +   +``` + +And the following entity type mapping for groups: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```text +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +   +``` + +And the following entity type mapping for applications: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +```text +  +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +   +``` + +Then we will have `C:/identitymanagerContoso/Sources/OktaExportFulfillment_users.csv` as follows: + +```text +id, status, created, activated, statusChanged, lastLogin, lastUpdated, passwordChanged, type.id, profile.city, profile.costCenter, profile.countryCode, profile.department, profile.displayName +``` + +And `C:/identitymanagerContoso/Sources/OktaExportFulfillment_groups.csv` as follows: + +``` +id, created, lastUpdated, lastMemberShipUpdated, type, profile.description, profile.name +``` + +And `C:/identitymanagerContoso/Sources/OktaExportFulfillment_apps.csv` as follows: + +```text +id, created, lastUpdated, status, name, label +``` + +### Fulfill + +The Okta connector writes to Okta to create, update and delete entries, initiated manually through the UI or automatically by enforcing the policy. See the [Evaluate Policy](../../../integration-guide/role-assignment/evaluate-policy) topic for additional information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +appsettings.agent.json +{ +    "Connections": { +        ... +        "OktaExportFulfillment": { +            "Server": " https://.okta.com", +            "ApiKey": "", +        } +    } +} +``` + +### Password reset + +The password reset settings configuration is described in the appsettings.agent.json file. See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information. 
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the appsettings.encrypted.agent.json file
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)Vault able to
+store Okta Login, Password, Account and Server.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/openldap.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/openldap.md
new file mode 100644
index 0000000000..c0c2ce5ee9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/openldap.md
@@ -0,0 +1,232 @@
+---
+title: "OpenLDAP"
+description: "OpenLDAP"
+sidebar_position: 180
+---
+
+# OpenLDAP
+
+This connector exports and fulfills entries from/to an [OpenLDAP](https://www.openldap.org/) directory.
+
+This page is about [OData](../../../integration-guide/connectors/references-packages/odata).
+
+![Package: Directory/Open LDAP](/images/identitymanager/packages_ldapopen_v603.webp)
+
+## Overview
+
+OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP).
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- reading first the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent)documentation;
+- a service account with reading and writing permissions on the target OpenLDAP server;
+- enabling SyncProv Overlay for the OpenLDAP server.
+
+To perform a complete export without the SyncProv Overlay enabled, use rather the [LDAP](../../../integration-guide/connectors/references-connectors/ldap) connector.
+
+## Export
+
+This connector exports to CSV files the content of an OpenLDAP Directory.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections":{
+> ...
+> "OpenLDAPExport": {
+> "Server": "contoso.server.com",
+> "DistinguishedName": "DC=contoso,DC=com",
+> "Login": "Contoso",
+> "Password": "ContOso$123456789",
+> "Filter": "(|(objectclass=person)(objectclass=ou))",
+> "Scope": "SubTree",
+> "SSL": "true"
+> }
+> ...
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** IP address and port of the OpenLDAP server. |
+ | DistinguishedName required | **Type** String **Description** Distinguished Name of the domain controller. |
+ | Login required | **Type** String **Description** OpenLDAP server's login. |
+ | Password required | **Type** String **Description** OpenLDAP server's password. |
+ | SSL optional | **Type** Boolean **Description** `True` to enable SSL (Secure Socket Layer) protocol for authentication requests. |
+ | --- | --- |
+ | --- | --- |
+ | TimeFormat default value: 60 | **Type** Int32 **Description** Timeout (in seconds) for the export's requests to the targeted server. |
+ | WaitingTimeInSeconds default value: 30 | **Type** Int32 **Description** Time period (in seconds) during which pulling for changes is not allowed during the persistent phase. |
+ | --- | --- |
+ | --- | --- |
+ | Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). |
+ | Scope optional | **Type** String **Description** Search scope to be applied to the request. The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down.
|
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder:
+
+- a CSV file, named `_entry.csv`, with one column for each property having a
+`ConnectionColumn` and each property without it but used in an entity association;
+
+Any property can be exported in a specific format when specified. See the [References: Format for the EntityPropertyMapping](../../../integration-guide/connectors/entitypropertymapping-format) topic for additional information.
+
+- a CSV file for each `ConnectionTable` in a related `EntityTypeMapping` or
+`EntityAssociationMapping`, and which is not an `entry`, named `_.csv`;
+
+ > For example, `OpenLDAPExport_member` as `ConnectionTable` in a mapping will generate the file
+ > `Open*LDAPExport_member.csv*` with `member` as link attribute.
+
+- `_cookie.bin` which stores the time of the last successful export, thus
+allowing incremental processes.
+
+Most exports can be run in complete mode, where the CSV files will contain all entries, or in incremental mode, where CSV files will contain only the entries which have been modified since the last synchronization.
+
+A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) can use the option `--ignore-cookies`.
+
+The CSV files are stored in the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder, and the cookie file in the Export Cookies folder.
+> For example, with the following configuration:
+>
+> ```
+>
+>
+>
+> ```
+>
+> We would have `C:/identitymanagerContoso/Temp/ExportOutput/OpenLDAPExport.csv` like:
+>
+> ```
+> entry.csv
+> Command,entryUUID,dn,cn,objectClass,parentdn
+> Insert,value1,value2,...,valueN
+> ```
+>
+> And we would also have `C:/identitymanagerContoso/Temp/ExportOutput/Open*LDAPExport_member.csv*` like:
+>
+> ```
+> *LDAPExport_member.csv*
+> Command,entryUUID,member
+> Insert,value1,value2,...,valueN
+> ```
+
+## Fulfill
+
+This connector fulfills via the LDAP connector's fulfill process.
+
+The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the Identity Manager UI or by [Evaluate Policy](../../../integration-guide/role-assignment/evaluate-policy) enforcement.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections.
+
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "OpenLDAPFulfillment": {
+> "Server": "contoso.server.com",
+> "DistinguishedName": "DC=contoso,DC=com",
+> "Login": "Contoso",
+> "Password": "ContOso$123456789",
+> "SSL": "true",
+> "IsLdapPasswordReset": "true"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | | |
+ | --- | --- |
+ | Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). |
+ | Scope optional | **Type** String **Description** Search scope to be applied to the request. The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down.
|
+ | --- | --- |
+ | --- | --- |
+ | IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. |
+
+### Output details
+
+This connector can create a new resource, and update and delete an existing resource via the UI.
+
+A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** value becomes `512`.
+
+### Add attributes to the requests
+
+Some systems using the LDAP protocol require additional attributes in the creation and/or update requests.
+
+If these attributes are not synchronized in Identity Manager, then they cannot be computed and provided by scalar rules or navigation rules. In this case, they can be given as arguments in the provisioning order, through the `ResourceType`'s `ArgumentsExpression`.
+
+> The following example adds the attribute `description` with a value depending on what is modified:
+>
+> ```
+>
+> ArgumentsExpression="C#:resource:
+> var arguments = new System.Collections.Generic.Dictionary();
+>
+> if (provisioningOrder.HasChanged("cn")) {
+> arguments.Add("description", "This entry's login has been modified by Usercube.");
+> }
+> else if (provisioningOrder.HasChanged("mail")) {
+> arguments.Add("description", "This entry's email has been modified by Usercube.");
+> }
+> else {
+> arguments.Add("description", "This entry has been modified by Usercube.");
+> }
+>
+> return arguments;">
+>
+>
+>
+> ```
+
+## Authentication
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection),
+configured in the `appsettings.encrypted.agent.json` file;
+- an
+[Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+- a
+[Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store OpenLDAP's `Login`, `Password` and `Server`.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellprov.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellprov.md
new file mode 100644
index 0000000000..bf53623ed9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellprov.md
@@ -0,0 +1,140 @@
+---
+title: "PowerShellProv"
+description: "PowerShellProv"
+sidebar_position: 190
+---
+
+# PowerShellProv
+
+This connector writes to an external system via a [PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script.
+
+This page is about [PowerShellProv](../../../integration-guide/connectors/references-packages/powershellprov).
+
+![Package: Custom/PowerShellProv](/images/identitymanager/packages_powershellprov_v603.webp)
+
+## Overview
+
+PowerShell is a cross-platform task automation and configuration management framework, consisting of a command-line shell and scripting language. Unlike most shells which accept and return text, PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET objects. This fundamental change brings entirely new tools and methods for automation.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute
+a PowerShell terminal;
+- knowledge of scripting in PowerShell 5.1 or later,
+[see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements);
+- making sure that the device hosting the agent has its execution policy properly configured to
+execute the given PowerShell script;
+- checking the targeted system's requirements (environment, libraries, etc.), as this connector is
+meant to connect Identity Manager to a PowerShell-compatible system;
+- writing and testing a PowerShell script (`.ps1`) according to Netwrix Identity Manager (formerly
+Usercube)' guidelines below.
+
+## Export
+
+There are no export capabilities for this connector.
+
+## Fulfill
+
+This connector executes a PowerShell script for the creation, deletion and update of any entity linked to the managed system.
+
+> For example, it can fulfill the `mailboxes` entity from Microsoft Exchange.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example fills a CSV file through the script `Fulfill-CSV.ps1`, for a single target
+> managed system identified by the `PowerShellCsvFulfillment` subsection:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "PowerShellCsvFulfillment": {
+> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Fulfill-CSV.ps1",
+> "Options": {
+> "Message": "Hello",
+> "Login": "admin",
+> "Password": "secret"
+> }
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | PowerShellScriptPath required | **Type** String **Description** Path of the executed PowerShell script (.ps1). |
+ | Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script.
**Example** ` "Options": { "Login": "admin", "Password": "secret" }` In order for the script to access these options, the following two lines of code must be included in the script: `$options = [System.Console]::ReadLine() $options = ConvertFrom-Json $options` Afterwards, any one of these variables can be easily accessed: `$options.Login$options.Password # -> admin and secret` |
+
+### Write a script
+
+See how to [Write a PowerShell Script for Provisioning](../../../integration-guide/connectors/configuration-details/write-fulfill-powershell-script) to allow provisioning with this connector.
+
+## Authentication
+
+### Password reset
+
+The PowerShell script manages password reset.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Login (optional) | `Connections----Options--Login` |
+ | Password (optional) | `Connections----Options--Password` |
+ | PowerShellScriptPath | `Connections----PowerShellScriptPath` |
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+the attributes from the `Options` section that are compatible with cyberark.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+> For example, consider `Login` and `Password` values stored in the `PowerShellCsv_Account` account:
+>
+> ```
+> *appsettings.cyberark.agent.json*
+> {
+> "Connections": {
+> ...
+> "PowerShellCsvFulfillment": {
+> "Options": {
+> "Login": "PowerShellCsv_Account",
+> "Password": "PowerShellCsv_Account"
+> }
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellsync.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellsync.md
new file mode 100644
index 0000000000..1049969e78
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/powershellsync.md
@@ -0,0 +1,102 @@
+---
+title: "PowerShellSync"
+description: "PowerShellSync"
+sidebar_position: 200
+---
+
+# PowerShellSync
+
+This connector exports data from an external system via a [PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script.
+
+This page is about [PowerShellSync](../../../integration-guide/connectors/references-packages/powershellsync).
+
+![Package: Custom/PowerShellSync](/images/identitymanager/packages_powershellsync_v603.webp)
+
+## Overview
+
+PowerShell is a cross-platform task automation and configuration management framework, consisting of a command-line shell and scripting language. Unlike most shells which accept and return text, PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET objects. This fundamental change brings entirely new tools and methods for automation.
+
+Data can be synchronized from any managed system by writing a PowerShell script that generates the relevant CSV files for Identity Manager. The PowerShellSync connector provides all the necessary tools for an easy integration of the script with Identity Manager's synchronization mechanisms.
+
+When Identity Manager provides a native connector for a given system, for example the Active Directory connector, Netwrix Identity Manager (formerly Usercube)highly recommends using the native connector rather than this PowerShell connector.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute
+a PowerShell terminal;
+- knowledge of scripting in PowerShell 5.1 or later,
+[see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements);
+- making sure that the device hosting the agent has its execution policy properly configured to
+execute the given PowerShell script;
+- checking the targeted system's requirements (environment, libraries, etc.), as this connector is
+meant to connect Identity Manager to a PowerShell-compatible system;
+- writing and testing a PowerShell script (`.ps1`) according to Netwrix Identity Manager (formerly
+Usercube)' guidelines below.
+
+## Export
+
+This connector executes a PowerShell script that generates one or several CSV files. These files are to be used during the synchronization of the data from the managed system targeted by the PowerShellSync connector.
+
+The CSV files must be written to the `$OutputPath`.
+
+The export is executed by a job from the UI, or via `Usercube-Export-Powershell.exe` in the command prompt.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "PowerShellExport": {
+> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Export-CSV.ps1",
+> }
+> }
+> }
+> ```
+
+##### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | PowerShellScriptPath required | **Type** String **Description** Path of the PowerShell script (.ps1) to be executed. |
+
+### Write a script
+
+Identity Manager provides a few variables to be used in the PowerShell script.
+
+ | Name | Details |
+ | --- | --- |
+ | OutputPath | **Type** String **Description** Prefix of the path of the generated CSV file. **Info:** the synchronization process requires the generated CSV file to be located in a very specific location, with a specific name prefix. Hence the need for this predefined variable. **Value** [``](../../../integration-guide/network-configuration/agent-configuration/appsettings)`/ExportOutput/_` **Example** In this example, if the temp folder is named `Temp` and the connection `PowerShellExport`, then the generated file is: `Temp/ExportOutput/PowerShellExport_users.csv`. ```generateCSV | Export-CSV ($OutputPath + "users.csv")` where`generateCSV``` is a generic PowerShell method that generates CSV files. |
+ | IsIncremental | **Type** Boolean **Description** Variable to be used to provide a different behavior for complete and incremental synchronization. |
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/racf.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/racf.md
new file mode 100644
index 0000000000..4cdded1f89
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/racf.md
@@ -0,0 +1,107 @@
+---
+title: "RACF"
+description: "RACF"
+sidebar_position: 210
+---
+
+# RACF
+
+This connector exports users and profiles from a [RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) file.
+
+This page is about [RACF](../../../integration-guide/connectors/references-packages/racf).
+
+![Package: MainFrame/RACF](/images/identitymanager/packages_racf_v603.webp)
+
+## Overview
+
+Resource Access Control Facility (RACF) is a security program from IBM OS/390 used to protect users' resources by controlling their accesses. The RACF connector exports the information saved by RACF about users, groups and access authorities.
+
+## Prerequisites
+
+Implementing this connector requires the input file to be in the RACF format, but it can have any extension.
+
+## Export
+
+This connector extracts the information found in a RACF file and transforms it into CSV files in Identity Manager format.
+
+Be aware that Identity Manager supports only the RACF records represented by the following codes:
+
+- [0100; 0120; 0101; 0102](https://www.ibm.com/docs/en/zos/2.1.0?topic=records-record-formats-produced-by-database-unload-utility#0100-0120-0101-0102)
+(groups);
+- [0200; 0203](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-user-record-formats) (users);
+- [0500; 0503](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-general-resource-record-formats)
+(general resources).
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example reads RACF data from the `C:/identitymanagerContoso/RacfFile.csv` iso-8859-1 file
+> and exports it to CSV files in Identity Manager format:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "RACF": {
+> "Path": "C:/identitymanagerContoso/RacfFile.csv",
+> "Encoding": "iso-8859-1",
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Path required | **Type** String **Description** Path of the RACF file to be exported. |
+ | --- | --- |
+ | --- | --- |
+ | Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder one CSV file per record type (0100, 0200, etc.), named `_.csv`.
+
+> For example, consider an export with a connection named `ExportRacf`, and a source file containing
+> the record types 0100, 0120, 0203. Then we will have three output files named
+> `ExportRacf_0100.csv`, `ExportRacf_0120.csv` and `ExportRacf_0203.csv`.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+This connector has no credential attributes, and therefore does not use [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), nor a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection).
+
+Still, data protection can be ensured through an [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/robotframework.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/robotframework.md
new file mode 100644
index 0000000000..94246f1c3a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/robotframework.md
@@ -0,0 +1,131 @@
+---
+title: "Robot Framework"
+description: "Robot Framework"
+sidebar_position: 220
+---
+
+# Robot Framework
+
+This connector writes to an external system via a [Robot Framework](https://robotframework.org) script.
+
+**This page is about [Robot Framework](../../../integration-guide/connectors/references-packages/robot-framework)**
+
+![Package: Custom/Robot Framework](/images/identitymanager/packages_robot_v603.webp)
+
+## Overview
+
+Robot Framework is an open-source automation framework which can be used for robotic process automation (RPA). This framework is easy to use thanks to its human-readable syntax. It has a modular architecture that can be extended by [libraries](https://robotframework.org/#libraries) implemented with Python or Java. These libraries provide various tools to interact with a managed system.
+
+## Prerequisites
+
+Implementing this connector requires the agent to include the following elements:
+
+- [Python](https://www.python.org/downloads/) 3.7 or above. Specific Robot Framework libraries may
+require a specific Python version;
+- Python folder location in the `PATH` environment variable list and the location of its subfolder
+`Scripts`;
+- Robot Framework: use `pip install robotframework` in the command prompt. If the installation ran
+correctly, `robot.exe` should be in your path. You can confirm this by running `gcm robot` in a powershell console.
+
+## Export
+
+There are no export capabilities for this connector.
+
+## Fulfill
+
+This connector can **create**, **update** and/or **delete** any entity linked to the managed system.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example fills in a CSV file by using the script `FulfillRobotFramework.robot`:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> "Connections": {
+> ...
+> "RobotFrameworkFulfillment": {
+> "RobotFrameworkScriptPath": "C:/identitymanagerDemo/Scripts/FulfillRobotFramework.robot",
+> "Options": {
+> "Message": "Hello"
+> }
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | RobotFrameworkScriptPath required | **Type** String **Description** Path to the executed Robot Framework script (.robot). |
+ | Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. **Example** ` "Options": { "Login": "admin", "Password": "secret" }` Access these options in the script using the following method: `${login}= Get Secure Data Login False ${password}= Get Secure Data Password True` **Info:** when the boolean argument from `Get Secure Data` is set to `True`, then the value is stored in the variable and erased from memory, hence not retrievable on next call. This enables control over sensitive data like passwords by defining the lifetime of the variable containing sensitive data. **Warning:** never use `Get Secure Data` when `Options` is empty. |
+
+### Write a script
+
+See how to [Write a Robot Framework Script](../../../integration-guide/connectors/configuration-details/write-fulfill-robotframework-script) to allow provisioning with this connector.
+
+## Authentication
+
+### Password reset
+
+The script manages password reset.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- an [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Login (optional) | `Connections----Options--Login` |
+ | Password (optional) | `Connections----Options--Password` |
+ | RobotFrameworkScriptPath | `Connections----RobotFrameworkScriptPath` |
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+the attributes from the `Options` section that are compatible with cyberark.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+> For example, consider `Login` and `Password` values stored in the `RobotFramework_Account`
+> account:
+>
+> ```
+> *appsettings.cyberark.agent.json*
+> {
+> "Connections": {
+> ...
+> "RobotFrameworkFulfillment": {
+> "Options": {
+> "Login": "RobotFramework_Account",
+> "Password": "RobotFramework_Account"
+> }
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/saperp6.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/saperp6.md
new file mode 100644
index 0000000000..728afefa8b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/saperp6.md
@@ -0,0 +1,293 @@
+---
+title: "SAP ERP 6.0 and SAP S4/HANA"
+description: "SAP ERP 6.0 and SAP S4/HANA"
+sidebar_position: 230
+---
+
+# SAP ERP 6.0 and SAP S4/HANA
+
+This connector exports and fulfills users and roles from/to an [SAP ERP 6.0](https://www.sap.com/products/erp/what-is-sap-erp.html) or [SAP HANA](https://www.sap.com/products/technology-platform/hana/what-is-sap-hana.html) instance.
+
+This page is about ERP/SAP ERP 6.0.
+
+![Package: ERP/SAP ERP 6.0](/images/identitymanager/packages_saperp6_v603.webp)
+
+## Overview
+
+The SAP Enterprise Resource Planning (SAP ERP) software incorporates the core business processes of an organization, such as finance, production, supply chain services, procurements, human resources (HR), etc. The SAP ERP connector exports and fulfills data from/to an SAP ERP 6.0 system.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- Reading first the appsettings documentation; See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information.
+- An ASE or HANA database with a service account, as a database administrator
+- A service account, as a SAP user with at least the roles for user management
+- The prerequisites for reading should be set up
+- The prerequisites for writing should be set up
+
+ASE or HANA database with a service account, as a database administrator
+
+To connect to the SAP database using SSH, use the following commands:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+su sybaba
+isql -S -U -P -X
+```
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+isql -S ABA -Usapsso -PV1H#M$4JIgU$qd -X
+```
+
+Service account, as a SAP user with at least the roles for user management
+
+Create a login for Identity Manager's service account with at least reading access on user management tables by using a command from the table below:
+
+ | Table | Usage |
+ | --- | --- |
+ | USR02 | Users table |
+ | AGR_USERS | Links between Users and Roles |
+ | AGR_TEXTS | Roles labels according to the language |
+ | USER_ADDR | |
+ | AGR_1016 AGR_PROF | Links between Profiles and Roles |
+ | USR10 | Profiles tables |
+ | USR11 | Profiles labels |
+ | AGR_DEFINE | Roles table |
+ | AGR_AGRS | Composition links |
+ | USGRP | Groups table |
+ | USGRPT | Groups labels |
+ | UST04 | Links between Users and Profiles |
+ | UST10C | Links between Profiles and Sub-profiles |
+ | AGR_TCODES | Links between Roles and Transactions |
+ | T002 | Languages codes |
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+```text
+execute sp_addlogin , ,
+go
+use ABA
+go
+execute sp_adduser
+go
+grant select on ABA.SAPSR3.USR02 to usercube
+grant select on ABA.SAPSR3.AGR_USERS to usercube
+grant select on ABA.SAPSR3.USER_ADDR to usercube
+grant select on ABA.SAPSR3.AGR_1016 to usercube
+grant select on ABA.SAPSR3.USR10 to usercube
+grant select on ABA.SAPSR3.USR11 to usercube
+grant select on ABA.SAPSR3.AGR_AGRS to usercube
+grant select on ABA.SAPSR3.USGRP to usercube
+grant select on ABA.SAPSR3.UST04 to usercube
+grant select on ABA.SAPSR3.AGR_TCODES to user
+grant select on ABA.SAPSR3.T002 to usercube
+Go
+```
+**Set up the prerequisites for reading**
+
+To set up the prerequisites for reading follow the steps below.
+
+**Step 1 –** Copy the DLL `Sap.Data.Hana.Core.v2.1.dll` into the Runtime of Identity Manager.
+
+![connectorreadprerequisites1](/images/identitymanager/connectorreadprerequisites1.webp)
+
+**Step 2 –** Unzip the "hdbclient.zip" archive to C: drive and add the path to the Path environment variables.
+
+![connectorreadprerequisites2](/images/identitymanager/connectorreadprerequisites2.webp)
+
+**Step 3 –** Create environment variables: `HDBADOTNET=C:\hdbclient\ado.net` and `HDBADOTNETCORE=C:\hdbclient\dotnetcore`.
+
+**Set up the prerequisites for writing**
+
+:::note
+ Make sure the Read prerequisites are configured first.
+:::
+**Step 1 –** Copy the provided DLL `sapnwrfc.dl` into the Runtime of Identity Manager.
+
+**Step 2 –** Unzip the `dotnet86.zip` archive to `C:\dotnetx86`.
+
+**Step 3 –** Copy the DLLs icudt50.dll, `icuin50.dll` and icuuc50.dll into the Runtime of Identity Manager.
+
+![connectorwriteprerequisites](/images/identitymanager/connectorwriteprerequisites.webp)
+
+**Step 4 –** Disable DLLs search by adding the environment variable `NLSUI_7BIT_FALLBACK=YES`.
+
+![connectorwriteprerequisites2](/images/identitymanager/connectorwriteprerequisites2.webp)
+
+**Step 5 –** Add new environment variable `USERCUBE_DOTNET32` containing the path to dotnetx86 (e.g.: `C: \donetx86\dotnet.exe`).
+
+## Export
+
+This connector extracts users, roles, profiles, profile memberships, role memberships and groups from an SAP ERP instance, and writes the output to CSV files.
+
+### Configuration
+
+This process is configured through a connection in the UI and/or the XML configuration, and in the ***appsettings.agent.json*** > **Connections** section. See the [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) topic for additional information.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+{
+  ...
+  "Connections": {
+    ...
+    "": {
+      ...
+    }
+  }
+}
+```
+
+:::tip
+ Remember, the identifier of the connection and thus the name of the subsection must:
+:::
+- Be unique
+- Not begin with a digit.
+- Not contain `<`, `>`, `:`, `/`, `\`, `|`, `?`, `*`, and `_`.
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+{
+    ...
+    "Connections": {
+        ...
+        "SAPExportFulfillment": {
+            "Server": "serverUrl",
+            "AseLogin": "login",
+            "AsePassword": "password",
+            "Instance": "sapInstance",
+            "Port": "4242",
+            "Client": "123",
+            "Language": "fr"
+        }
+    }
+}
+```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. |
+ | AseLogin required | String | Login to connect to SAP ASE. |
+ | AsePassword required | String | Password to connect to SAP ASE. |
+ | Client required | String | Client id of SAP. |
+ | Instance required | String | Instance of the SAP database. |
+ | Language required | String | SAP language. |
+ | Port required | String | Port of the SAP ERP server. |
+ | Server required | String | URL of the SAP ERP server. |
+
+### Output details
+
+This connector is meant to generate to the ExportOutput folder the following files:
+
+- SAPExportFulfillment_users.csv;
+- SAPExportFulfillment_roles.csv;
+- SAPExportFulfillment_usersroles.csv;
+- SAPExportFulfillment_profiles.csv;
+- SAPExportFulfillment_profilesprofiles.csv;
+- SAPExportFulfillment_rolesprofiles.csv;
+- SAPExportFulfillment_usersprofiles.csv;
+- SAPExportFulfillment_rolesroles.csv;
+- SAPExportFulfillment_groups.csv;
+- SAPExportFulfillment_rolestransactions.csv.
+
+See the [Application Settings](../../network-configuration/agent-configuration/appsettings) topic for additional information.
+
+## Fulfill
+
+This connector can provision users, role memberships and group memberships to SAP ERP.
+
+### Configuration
+
+Same as for export, fulfill is configured through connections. See the SAP ERP 6.0 and SAP S4/HANA topic for additional information.
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+{
+    ...
+    "Connections": {
+        ...
+        "SAPExportFulfillment": {
+            "Server": "",
+            "BapiLogin": "",
+            "BapiPassword": ""
+        }
+    }
+}
+```
+
+#### Setting attributes
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. |
+ | Server required | String | URL of the SAP ERP server. |
+ | BapiLogin required | String | Login to connect to the specified server. |
+ | BapiPassword required | String | Password to connect to the specified server. |
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information on how to configure password reset settings.
+
+When setting a password for an SAP ERP user, the password attribute is defined by the password specified in the corresponding RessourceTypeMapping. See the Sap Resource Type Mapping topic for additional information.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- RSA encryption, configured in the `appsettings.encrypted.agent.json` file
+- An Azure Key Vault safe
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Server | Connections--``--Server |
+ | AseLogin | Connections--``--AseLogin |
+ | AsePassword | Connections--``--AsePassword |
+ | Instance | Connections--``--Instance |
+ | Port | Connections--``--Port |
+ | Client | Connections--``--Client |
+ | Language | Connections--``--Language |
+ | BapiLogin | Connections--``--BapiLogin |
+ | BapiPassword | Connections--``--BapiPassword |
+ | SystemNumber | Connections--``--SystemNumber |
+
+- A cyberark Vault able to store Active Directory's Login, Password, and Server.
+
+See the [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption), [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault), and [cyberark's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)topics for additional information.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.cyberark.agent.json*
+{
+  ...
+  "Connections": {
+    ...
+    "SAPExportFulfillment": {
+        "Login": "SAPExportFulfillment_cyberarkKey",
+        "Password": "SAPExportFulfillment_cyberarkKey",
+        "Server": "SAPExportFulfillment_cyberarkKey"
+    }
+  }
+}
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sapnetweaver.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sapnetweaver.md
new file mode 100644
index 0000000000..23131f6466
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sapnetweaver.md
@@ -0,0 +1,169 @@
+---
+title: "SAP Netweaver"
+description: "SAP Netweaver"
+sidebar_position: 240
+---
+
+# SAP Netweaver
+
+This connector exports and fulfills users and roles from/to an [SAP Netweaver](https://www.sap.com/france/products/technology-platform/hana/what-is-sap-hana.html) instance.
+
+This page is about [SAP S/4 HANA](../../../integration-guide/connectors/references-packages/saphana).
+
+![Package: ERP/SAP S/4 HANA](/images/identitymanager/packages_sap_v603.webp)
+
+## Overview
+
+SAP ERP is an enterprise resource planning software developed by the German company SAP SE. The software incorporates the key business functions of an organization. ERP software includes programs in all core business areas, such as procurement, production, materials management, sales, marketing, finance, and human resources (HR).
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- reading first the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent)documentation;
+- a service account with reading and writing permissions on the SAP server.
+
+## Export
+
+This connector exports users, roles, role memberships and groups from an SAP instance and writes the output to CSV files.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section:
+
+```json
+appsettings.agent.json
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> For example:
+>
+> ```
+> appsettings.agent.json
+> {
+> ...
+> "Connections": {
+> ...
+> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +#### Setting attributes + + | Name | Details | + | --- | --- | + | Server required | **Type** String **Description** URL of the SAP server. | + | Login required | **Type** String **Description** Login to authenticate to the specified server. | + | Password required | **Type** String **Description** Password to authenticate to the specified server. | + +### Output details + +This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder the following CSV files: + +- `sap_users.csv` with the following columns: + +``` sap_users.csv Command,logonname,isserviceuser,firstname,lastname,salutation,title,jobtitle,mobile,displayname,description,email,fax,locale,timezone,validfrom,validto,lastmodifydate,islocked,isaccountlocked,ispasswordlocked,ispassworddisabled,telephone,department,id,securitypolicy,datasource,company,streetaddress,city,zip,pobox,country,state,orgunit,accessibilitylevel,passwordchangerequired Insert,value1,value2,...,valueN ``` +- `sap_groups.csv` with the following columns: +``` sap_groups.csv Command,uniquename,displayname,description,lastmodifydate,id,datasource,distinguishedname Insert,value1,value2,...,valueN ``` + +- `sap_roles.csv` with the following columns: + +``` sap_roles.csv Command,uniquename,displayname,description,lastmodifydate,id,datasource,scopes,actions Insert,value1,value2,...,valueN ``` +- `sap_roles_member.csv` with the following columns: +``` sap_roles_member.csv Command,id,member Insert,value1,value2,...,valueN ``` + +## Fulfill + +This connector writes to SAP to create, update, and/or delete users, groups, roles and group memberships. + +### Configuration + +Same as for export, fulfill is configured through connections. 
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URL of the SAP server. |
+ | Login required | **Type** String **Description** Login to authenticate to the specified server. |
+ | Password required | **Type** String **Description** Password to authenticate to the specified server. |
+
+> For example:
+>
+> ```
+> appsettings.agent.json
+> {
+> "Connections": {
+> "SAPExportFulfillment": {
+> "Server": "serverUrl",
+> "Login": "login",
+> "Password": "password"
+> }
+> }
+> }
+> ```
+
+## Authentication
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic to learn more on how to configure password reset settings.
+
+When setting a password for an SAP user, the password attribute is defined by the password specified in the corresponding [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings).
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Server | `Connections----Server` |
+ | Login | `Connections----Login` |
+ | Password | `Connections----Password` |
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+Active Directory's `Login`, `Password` and `Server`.
+
+Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be retrieved by Identity Manager from `appsettings.cyberark.agent.json`.
+
+> For example:
+>
+> ```
+> appsettings.cyberark.agent.json
+> {
+> ...
+> "Connections": {
+> ...
+> "SAPExportFulfillment": {
+> "Login": "SAPExportFulfillment_CyberArkKey",
+> "Password": "SAPExportFulfillment_CyberArkKey",
+> "Server": "SAPExportFulfillment_CyberArkKey"
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/scim.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/scim.md
new file mode 100644
index 0000000000..e7e43bf68f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/scim.md
@@ -0,0 +1,332 @@
+---
+title: "SCIM"
+description: "SCIM"
+sidebar_position: 250
+---
+
+# SCIM
+
+This connector exports and fulfills entities from/to a [SCIM](https://www.okta.com/blog/2017/01/what-is-scim/) compliant application.
+
+This page is about:
+
+- Custom/SCIM
+- CRM/Salesforce
+- Messaging/Slack
+- PAM/cyberark
+
+![Package: Custom/SCIM](/images/identitymanager/packages_scim_v603.webp)
+
+![Package: CRM/Salesforce](/images/identitymanager/packages_salesforce_v603.webp)
+
+![Package: Messaging/Slack](/images/identitymanager/packages_slack_v603.webp)
+
+![Package: PAM/cyberark](/images/identitymanager/packages_cyberark_v603.webp)
+
+## Overview
+
+System for Cross-domain Identity Management (SCIM) is a Request for Comments (RFC) standard. It describes a REST API with specific endpoints to get and set data in a web application for IGA purposes. It allows an identity provider to manage the web application's accounts. For more details about SCIM and RFC, see the [IETF document](https://tools.ietf.org/html/rfc7644).
+
+:::note
+ Similarly to the Salesforce REST-based API, SCIM for Salesforce enables reading and writing attributes, but writes to a smaller subset. For example, the following properties are manageable by the Salesforce REST-based API but not SCIM: `PermissionSetGroup`, `PermissionSetLicense`, `UserPermissionsKnowledgeUser`, `UserPermissionsInteractionUser`, `UserPermissionsSupportUser`, `CallCenterId`, `SenderEmail`.
+:::
+See the [Salesforce's documentation](https://help.salesforce.com/s/articleView?id=sf.identity_scim_rest_api.htm&type=5) for additional information.
+
+## Prerequisites
+
+Implementing this connector requires the web application that you want to synchronize to implement SCIM Version 2.0 or later.
+
+The implementation of the Salesforce connector requires the completion of the following steps:
+
+- Connect the application
+- Enable OAuth authentication
+- Reset the user token
+- Configure the Salesforce connection
+
+**Connect the application**
+
+To connect to the Salesforce application do the following:
+
+**Step 1 –** Log into Salesforce using an admin account.
+
+![salesforce-advancesetup](/images/identitymanager/salesforce-advancesetup.webp)
+
+**Step 2 –** Go to **Advanced Setup**.
+
+![salesforce-newconnectedapp](/images/identitymanager/salesforce-newconnectedapp.webp)
+
+**Step 3 –** Go to **App Manager** and ****create** a Connected App**.
+
+![salesforce-enableoauth](/images/identitymanager/salesforce-enableoauth.webp)
+
+**Step 4 –** Fill in the details of the application: Application Name, API Name, Contact Email, select **Enable OAuth Settings**, and complete the mandatory information as callback URL and OAuth Scopes.
+
+**Step 5 –** Save the Application.
+
+![salesforce-manageconnectedapps](/images/identitymanager/salesforce-manageconnectedapps.webp)
+
+**Step 6 –** Go to **Manage Connected Apps** and click on the newly created application.
+
+![salesforce-manageconsumerdetails](/images/identitymanager/salesforce-manageconsumerdetails.webp)
+
+**Step 7 –** Click on **Manage Consumer Details**.
+
+![salesforce-consumerkey](/images/identitymanager/salesforce-consumerkey.webp)
+
+**Step 8 –** Copy the Consumer Key and Consumer Secret in your Keypass.
+
+**Enable OAuth authentication**
+
+To enable the OAuth authentication do the following:
+
+**Step 1 –** Log into Salesforce using an admin account.
+
+![salesforce-advancesetup](/images/identitymanager/salesforce-advancesetup.webp)
+
+**Step 2 –** Go to **Advanced Setup**.
+
+![oauthauthentication](/images/identitymanager/oauthauthentication.webp)
+
+**Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, enable the option to **Allow OAuth Username-Password Flows**.
+
+**Reset the user token**
+
+To reset the user token do the following:
+
+**Step 1 –** Log into Salesforce using an admin account.
+
+![salesforce-usertoken-settings](/images/identitymanager/salesforce-usertoken-settings.webp)
+
+**Step 2 –** Click on **Settings** under the profile details.
+
+![salesforce-resetseuritytoken](/images/identitymanager/salesforce-resetseuritytoken.webp)
+
+**Step 3 –** Click on **Reset My Security Token**.
+
+![salesforce-checkemail](/images/identitymanager/salesforce-checkemail.webp)
+
+**Step 4 –** An email containing the new token will be sent.
+
+**Configure the Salesforce connection**
+
+To configure the Salesforce connection do the following:
+
+**Step 1 –** Log into Identity Manager using an admin account.
+
+![salesforce-connector](/images/identitymanager/salesforce-connector.webp)
+
+**Step 2 –** **create** a new Salesforce connector.
+
+![salesforce-connection](/images/identitymanager/salesforce-connection.webp)
+
+**Step 3 –** Add a new Salesforce connection.
+
+![salesforce-agent-settings](/images/identitymanager/salesforce-agent-settings.webp)
+
+**Step 4 –** Fill the fields in the **Connection Settings** and choose the **Filter**.
+
+The configuration of the Salesforce connector is completed.
+
+### Configuration
+
+This process is configured through a connection in the UI and/or the XML configuration, and in the ***appsettings.agent.json*** > **Connections** section. See the [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) topic for additional information.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+:::tip
+ Remember, the identifier of the connection and thus the name of the subsection must:
+:::
+- Be unique
+- Not begin with a digit
+- Not contain `<`, `>`, `:`, `/`, `\`, `|`, `?`, `*`, and `_`.
+
+The following example gets information via SCIM on a web application whose URL base is `https://example.for.doc.com`:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "SCIMExport": {
+ "ApplicationId": "",
+ "Server": "",
+ "ApplicationKey": "",
+ "Login": "",
+ "Password": "",
+ "Filter": ""
+ }
+ }
+}
+```
+
+Here we use an account's credentials (login and password) with our application's credentials (ApplicationId and ApplicationKey).
+
+The filter `?filter=active eq \"true\"` retrieves active Users from the external system.
+
+#### Setting attributes
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Filter optional | String | Filters applied in the SCIM request retrieving the entities. You should write the filters as you would write them in the URL (including the "?"). For more details on the syntax, see the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document). Syntax:EntityNameInSCIM1|scimFilter1\*EntityNameInSCIM2|scimFilter2\*EntityNameInSCIM3|scimFilter3 |
+ | OAuth2Url optional | String | URL which get tokens for the requests. The system can usually find this information, but sometimes the system gets it wrong, like Salesforce for example. |
+ | PageSize default value: 200 | String | Maximum number of elements returned by one request. |
+ | Server required | String | URL of the SCIM endpoints of your application, excluding /v2. |
+ | ApplicationId optional | String | Login of the application or of the application's Id provider. |
+ | Login optional | String | Login of the account.
|
+ | OAuthToken optional | String | Generated OAuth token to connect to the application. |
+ | Password optional | String | Password of the account. |
+ | ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; cyberark - required when this connector targets cyberark. |
+
+The credential attributes (ApplicationId, ApplicationKey, Login and Password) are used to obtain a token from the application for our requests.
+
+### Output details
+
+This connector is meant to generate to the ExportOutput folder the following CSV files:
+
+- One file for each SCIM entity, coming from entity type mappings's connection tables, named
+`_.csv`, with one column for each property having a ConnectionColumn and each property without it but used in an entity association;
+- One file for each membership, coming from entity association mappings's connection tables,
+named` _members_.csv`, with the following columns:
+ - Value — ID of the group
+ - MemberId — ID of the group member
+- One file for each entity named Containers such as cyberark's privileged data, named
+`_privilegedData_Containers.csv`.
+
+See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) and [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) topics for additional information.
+
+For the connector to work properly, the connection tables must follow the naming conventions too: `_ for entities and _members_` for links.
+
+If the connection column describes a sub-property, then the name should have the following pattern: `{property}:{sub-property}`. The character ":" should not be used in other situations.
+ +For example, if we want to retrieve information about Users, Groups and Groups' members, we should have the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +ConnectionTable="SCIMExport_Users"> ConnectionColumn="id" IsPrimaryKey="true" /> ConnectionColumn="name:givenName" /> ConnectionColumn="emails:value" />ConnectionTable="SCIMExport_Groups"> ConnectionColumn="id" IsPrimaryKey="true" /> ConnectionColumn="displayName" />Column1="value" EntityPropertyMapping1="Salesforce_Group:SF_id" Column2="MemberId" EntityPropertyMapping2="Salesforce_User:SF_id" Connector="Salesforce" ConnectionTable="SCIMExport_members_Groups" /> +``` + +We would have SCIMExport_Users.csv with the column headers id, `name:givenName` and `emails:value`, `SCIMExport_Groups.csv` with the column headers id and `displayName`, and `SCIMExport_members_Groups.csv` with the column headers value and `MemberId`. + +Each column contains the value of the corresponding attribute. SCIM attributes are described in the [RFC document](https://tools.ietf.org/html/rfc7643). + +### Limitations + +The incremental mode only works for User entities and not for the others like Groups or Roles. It means that entities like Groups or Roles are always handled with the complete mode. + +## Fulfill + +This connector writes to the managed web application to **create**, **update**, and/or **delete** users with their attributes and group memberships, but no group or other entities. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example writes information to SCIM on a web application whose URL base is +> `https://example.for.doc.com`. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> *appsettings.agent.json* +> { +> ... +> "Connections": { +> ... 
+> "SCIMFulfillment": {
+> "ApplicationId": "",
+> "Server": "",
+> "ApplicationKey": "",
+> "Login": "",
+> "Password": "",
+> "ServiceSupportBulk": true,
+> "BulkMaxOperation": 10
+> }
+> }
+> }
+> ```
+>
+> Here we use an account's credentials (login and password) with our application's credentials
+> (ApplicationId and ApplicationKey).
+>
+> We specify that bulk requests are supported with a maximum of 10 operations per request.
+
+#### Setting attributes
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | BulkMaxOperation optional | Int32 | Maximum number of operations which can be sent in one bulk request. |
+ | ServiceSupportBulk optional | Boolean | True to allow bulk requests. depends on the web application's SCIM implementation. See the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document) for additional information. |
+ | Server required | String | URL of the SCIM endpoints of your application, excluding /v2. |
+ | ApplicationId optional | String | Login of the application or of the application's Id provider. |
+ | ApplicationKey optional | String | Password of the application or of the application's Id provider. |
+ | Login optional | String | Login of the account. |
+ | OAuthToken optional | String | Generated OAuth token to connect to the application. |
+ | Password optional | String | Password of the account. |
+ | ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; cyberark - required when this connector targets cyberark. |
+
+The credential attributes (ApplicationId, ApplicationKey, Login, and Password) are used to obtain a token from the application for our requests.
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- RSA encryption, configured in the `appsettings.encrypted.agent.json` file
+- An Azure Key Vault safe
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | ApplicationId | Connections--``--ApplicationId |
+ | ApplicationKey | Connections--``--ApplicationKey |
+ | BulkMaxOperation | Connections--``--BulkMaxOperation |
+ | Login | Connections--``--Login |
+ | Password | Connections--``--Password |
+ | ServiceSupportBulk | Connections--``--ServiceSupportBulk |
+ | Server | Connections--``--Server |
+
+- A cyberark Vault able to store Active Directory's Login, Password, and Server.
+
+See the [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption), [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault), and [cyberark's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)topics for additional information.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+*appsettings.cyberark.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "SAPExportFulfillment": {
+ "Login": "SAPExportFulfillment_cyberarkKey",
+ "Password": "SAPExportFulfillment_cyberarkKey",
+ "Server": "SAPExportFulfillment_cyberarkKey"
+ }
+ }
+}
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowentitymanagement.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowentitymanagement.md
new file mode 100644
index 0000000000..aba1394e90
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowentitymanagement.md 
@@ -0,0 +1,261 @@
+---
+title: "ServiceNow"
+description: "ServiceNow"
+sidebar_position: 260
+---
+
+# ServiceNow
+
+This connector exports and fulfills any data, including users and roles, from/to a [ServiceNow CMDB](https://www.servicenow.com/products/servicenow-platform/configuration-management-database.html).
+
+This page is about [ServiceNow](../../../integration-guide/connectors/references-packages/servicenow).
+
+![Package: ITSM/ServiceNow](/images/identitymanager/packages_servicenow_v603.webp)
+
+## Overview
+
+ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical management support. The company specializes in IT service management (ITSM), IT operations management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and customer interactions via a variety of apps and plugins. This section focuses on ServiceNow Entity Management. To learn about how to use this connector to **create** tickets for other resources, see [ServiceNow Ticket](../../../integration-guide/connectors/references-packages/servicenow-ticket).
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- reading first the appsettings documentation;
+- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing
+permissions on the target ServiceNow instance;
+- the version ServiceNow London or later;
+- the appropriate configuration in ServiceNow of authentication, Basic or OAuth.
+
+## Export
+
+This connector exports to CSV files ServiceNow's tables (Users, Groups, Group Memberships).
+
+An incremental search is possible to retrieve added and updated records but a full delta (including deleted items) can't be performed.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example retrieves from users only those that are active, and no filter is applied to
+> the other tables. A single request can retrieve up to 5,000 entries, no more. This means that if
+> there are 6,000 `sys_user` to retrieve, then all of them will be retrieved but with two requests.
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "ServiceNowExportFulfillment": {
+> "Server": "https://instance.service-now.com/api/now/table",
+> "Login": "login",
+> "Password": "password",
+> "ResponseSizeLimit":"5000",
+> "Filter":"sys_user#active=true"
+> }
+> }
+> }
+> ```
+>
+> The following example is the same as above, but using OAuth Authentication:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "ServiceNowExportFulfillment": {
+> "Server": "https://instance.service-now.com/api/now/table",
+> "Login": "login",
+> "Password": "password",
+> "ClientId": "ClientId",
+> "ClientSecret": "ClientSecret",
+> "OAuth2Url": "https://instance.service-now.com/oauth_token.do",
+> "ResponseSizeLimit":"5000",
+> "Filter":"sys_user#active=true"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference).
**Info:** the URL must start with `https`. |
+ | Login required | **Type** String **Description** Username of the service account used to connect to the server. |
+ | Password required | **Type** String **Description** Password of the service account used to connect to the server. |
+ | ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+ | ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+ | OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+ | --- | --- |
+ | --- | --- |
+ | Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. |
+ | Login required | **Type** String **Description** Username of the service account used to connect to the server. |
+ | Password required | **Type** String **Description** Password of the service account used to connect to the server. |
+ | ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+ | ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html).
| + | OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +### Output details + +This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder one CSV file for each table, named `_.csv`. + +Identity Manager lists the tables to retrieve based on [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping)'s and [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping)'s connection tables. + +For the connector to work properly, the connection tables must follow the naming convention too: `_`. + +> For example, with the following configuration: +> +> ``` +> +> /> +> +> ``` +> +> We would have: +> +> ``` +> *ServiceNowExportFulfillment_sys_user.csv* +> sys_id,active,name,user_name,email +> ... +> +> ``` +> +> *ServiceNowExportFulfillment_sys_group.csv* sys_id,name,description ... +> +> ``` +> *ServiceNowExportFulfillment_sys_user_grmember.csv* +> user,group +> ... +> +> ``` + +## Fulfill + +This connector writes to ServiceNow to **create**, **update**, and/or **delete** any data. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> *appsettings.agent.json* +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> *appsettings.agent.json* +> { +> ... +> "Connections": { +> ... 
+> "ServiceNowExportFulfillment": {
+> "Server": "https://instance.service-now.com/api/now/table",
+> "Login": "login",
+> "Password": "password",
+> "ClientId": "ClientId",
+> "ClientSecret": "ClientSecret",
+> "OAuth2Url": "https://instance.service-now.com/oauth_token.do"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. |
+ | Login required | **Type** String **Description** Username of the service account used to connect to the server. |
+ | Password required | **Type** String **Description** Password of the service account used to connect to the server. |
+ | ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+ | ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+ | OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). |
+
+## Authentication
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic to learn more on how to configure password reset settings.
+
+When setting a password for an ServiceNow user, the password attribute is defined by the password specified in the corresponding [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings).
+
+### Credentials protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Server | `Connections----Server` |
+ | Login | `Connections----Login` |
+ | Password | `Connections----Password` |
+ | ClientId | `Connections----ClientId` |
+ | ClientSecret | `Connections----ClientSecret` |
+ | OAuth2Url | `Connections----OAuth2Url` |
+ | Filter | `Connections----Filter` |
+ | ResponseSizeLimit | `Connections----ResponseSizeLimit` |
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+> For example:
+>
+> ```
+> *appsettings.cyberark.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "ServiceNowExportFulfillment": {
+> "Login": "ServiceNowExportFulfillment_cyberarkKey",
+> "Password": "ServiceNowExportFulfillment_cyberarkKey",
+> "Server": "ServiceNowExportFulfillment_cyberarkKey",
+> "ClientId": "ServiceNowExportFulfillment_cyberarkKey",
+> "ClientSecret": "ServiceNowExportFulfillment_cyberarkKey"
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowticket.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowticket.md
new file mode 100644
index 0000000000..68db6f80ad
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/servicenowticket.md
@@ -0,0 +1,111 @@
+---
+title: "ServiceNowTicket"
+description: "ServiceNowTicket"
+sidebar_position: 270
+---
+
+# ServiceNowTicket
+
+This connector opens tickets in [ServiceNow](https://www.servicenow.com/) for manual provisioning.
+
+This page is about [ServiceNow Ticket](../../../integration-guide/connectors/references-packages/servicenow-ticket).
+
+![Package: Ticket/ServiceNow](/images/identitymanager/packages_servicenowticket_v603.webp)
+
+## Overview
+
+ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical management support. The company specializes in IT service management (ITSM), IT operations management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and customer interactions via a variety of apps and plugins. This section focuses on ServiceNow ticket creation for the fulfillment of resources that can't or shouldn't be performed with an existing fulfill. To learn about how to manage entities, see [ServiceNow](../../../integration-guide/connectors/references-connectors/servicenowentitymanagement)Entity Management.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- reading first the
+[appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent)documentation;
+- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing
+permissions on the target ServiceNow instance;
+- the version ServiceNow London or later;
+- the appropriate configuration in ServiceNow of authentication, Basic or OAuth.
+
+## Export
+
+This connector exports some of ServiceNow entities, see the export capabilities of the [ServiceNow](../../../integration-guide/connectors/references-connectors/servicenowentitymanagement)connector. Some entities cannot be exported.
+
+## Fulfill
+
+This connector writes to ServiceNow to **create** incident and request tickets containing information to **create**, update or delete a resource. It does **not** **create** nor update a resource directly.
+
+Once created, the ticket is managed in ServiceNow, **not** in Identity Manager.
+
+When the ticket is closed or canceled, Identity Manager updates the provisioning state of the resource accordingly. See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) topic for additional information.
+
+See the fulfill capabilities of the [ServiceNow](../../../integration-guide/connectors/references-connectors/servicenowentitymanagement)connector.
+
+> For example:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "ServiceNowFulfillManual": {
+> "Server": "https://instance.service-now.com/api/now/table",
+> "Login": "login",
+> "Password": "password"
+> }
+> }
+> }
+> ```
+
+## Authentication
+
+### Password reset
+
+See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic to learn more on how to configure password reset settings.
+
+When setting a password for a ServiceNow user, the password attribute is set to the chosen value and the user's **password_needs_reset** attribute is set to `true`.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Server | `Connections----Server` |
+ | Login | `Connections----Login` |
+ | Password | `Connections----Password` |
+ | ClientId | `Connections----ClientId` |
+ | ClientSecret | `Connections----ClientSecret` |
+ | OAuth2Url | `Connections----OAuth2Url` |
+ | TicketCookieDirectoryPath | `Connections----TicketCookieDirectoryPath` |
+ | ResponseSizeLimit | `Connections----ResponseSizeLimit` |
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+> For example:
+>
+> ```
+> *appsettings.cyberark.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "ServiceNowFulfillManual": {
+> "Login": "ServiceNowFulfillManual_cyberarkKey",
+> "Password": "ServiceNowFulfillManual_cyberarkKey",
+> "Server": "ServiceNowFulfillManual_cyberarkKey",
+> "ClientId": "ServiceNowFulfillManual_cyberarkKey",
+> "ClientSecret": "ServiceNowFulfillManual_cyberarkKey"
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharedfolder.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharedfolder.md
new file mode 100644
index 0000000000..57a9eb7211
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharedfolder.md
@@ -0,0 +1,165 @@
+---
+title: "SharedFolders"
+description: "SharedFolders"
+sidebar_position: 290
+---
+
+# SharedFolders
+
+This connector exports users and permissions from Windows shared folders.
+
+This page is about [Shared Folders](../../../integration-guide/connectors/references-packages/shared-folders).
+
+![Package: Storage/Shared Folders](/images/identitymanager/packages_sharedfolders_v603.webp)
+
+## Overview
+
+Also known as UFA (Identity Manager Folder Access), this connector can be used to scan the access rights assigned to folders and files in computers and networks which comply with the [Windows File Security and Access Rights systems](https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights).
+
+## Prerequisites
+
+Implementing this connector requires an account with the permissions:
+
+- to access all relevant folders and files and read their entitlements;
+- **Log on as a batch job** in the local group policy, when the connector's authentication mode is
+batch.
+
+ ![SharedFolder - Permission for Batch Authentication](/images/identitymanager/sharedfolder_permission.webp)
+
+## Export
+
+This connector scans shared folders in order to export their content to CSV files.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example reads `12` levels of folders in the folders `R&D_Projects` and `Management`
+> in the network `OfficeNetwork` and in `C:/`.
We only read entitlements about folders and we don't
+> have access rights to the entitlements associated with the SIDs `S-1-3-2-4` and `S-5-7-6-8`. We
+> use the service account [account@example.com](mailto:account@example.com) with its related
+> password and domain, and interactive connection:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "SharedFolderExport": {
+> "InputDirectories": ["OfficeNetwork/R&D_Projects", "OfficeNetwork/Management", "C:/"],
+> "OnlyDirectoryScan": "true",
+> "LevelOfScan": "12",
+> "ListOfSIDToAvoid": ["S-1-3-2-4", "S-5-7-6-8"],
+> "Login": "account@example.com",
+> "Password": "accountexamplepassword",
+> "Domain": "Example",
+> "Interactive": true
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | InputDirectories required | **Type** String List **Description** Paths of the folders to be scanned. |
+ | Domain optional | **Type** String **Description** Domain of the account used to access files and read their access rights. |
+ | Interactive default value: False | **Type** Boolean **Description** `True` to set authentication as interactive, `False` to set it as batch. |
+ | LevelOfScan optional | **Type** Int32 **Description** Number of file and folder levels to be scanned. By default, it scans the whole folder tree for each input directory. |
+ | ListOfSIDToAvoid optional | **Type** String List **Description** SIDs (users or groups) to exclude from the scan. |
+ | OnlyDirectoryScan default value: False | **Type** Boolean **Description** `True` to scan only folders' entitlements and not files', `False` to scan all. |
+ | --- | --- |
+ | --- | --- |
+ | Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Identity Manager will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format.
|
+ | Password optional | **Type** String **Description** Password of the account used to access the files and folders. **Note:** when not specified and `Login` neither, then the account running Identity Manager will be used. |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder the following CSV files:
+
+- `_ACE.csv`, with the following columns:
+ - **key**: concatenation of `Right`, `Path` and `OwnerSID`;
+ - **Path**: path of the folder or file;
+ - **Right**: entitlement among the following, listed from weakest to strongest:
+ListDirectory / ReadData / CreateFiles / WriteData / AppendData / CreateDirectories / ReadExtendedAttributes / WriteExtendedAttributes / ExecuteFile / Traverse / DeleteSubdirectoriesAndFiles / ReadAttributes / WriteAttributes / Write / Delete / ReadPermissions / Read / ReadAndExecute / Modify / ChangePermissions / TakeOwnership / Synchronize / FullControl
+ - **AllowOrDeny**: `0` (or `false`) if the entitlement is allowed, `1` (or `true`) if it is
+denied;
+ - **OwnerSID**: SID of the entitlement's owner.
+- `_PathInformations.csv`, with the following columns:
+ - **Path**;
+ - **ParentPath**: path of the file's or folder's parent folder;
+ - **BlockInheritance**: `true` if the file or folder blocks entitlement inheritance in the tree;
+ - **Hierarchy**: hierarchy in the scanned tree.
+- `_SID.csv`, with only one column **SID**.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | Domain | `Connections----Domain` |
+ | Interactive | `Connections----Interactive` |
+ | LevelOfScan | `Connections----MembersFile` |
+ | ListOfSIDToAvoid | `Connections----ListOfSIDToAvoid` |
+ | Login | `Connections----Login` |
+ | OnlyDirectoryScan | `Connections----OnlyDirectoryScan` |
+ | Password | `Connections----Password` |
+ | InputDirectories | `Connections----InputDirectories` |
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store
+Active Directory's `Login` and `Password`.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+> For example:
+>
+> ```
+> *appsettings.cyberark.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "SharedFolderExport": {
+> "Login": "SharedFolderSettings",
+> "Password": "SharedFolderSettings"
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharepoint.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharepoint.md
new file mode 100644
index 0000000000..129b2b754f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sharepoint.md
@@ -0,0 +1,264 @@ +--- +title: "SharePoint" +description: "SharePoint" +sidebar_position: 280 +--- + +# SharePoint + +This connector exports sites, folders, groups and permissions from a [SharePoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration) instance. + +This page is about Storage/SharePoint. + +![Package: Storage/SharePoint](/images/identitymanager/packages_sharepoint_v603.webp) + +## Overview + +SharePoint is a system used by organizations to store, organize, share and access information. + +## Prerequisites + +Implementing this connector requires an account with the permissions to access all items and read their entitlements. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```text +                                   +                                                *appsettings.agent.json* +{ +    ... +    "Connections": { +        ... +        "": { +            ... +        } +    } +} +                                 +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +The following example scans the example.sharepoint.com SharePoint at the more detailed level (ListItem) with the account [account.example@acme.com](mailto:account.example@usercube.com): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +    ... +    "Connections": { +        ... 
+        "SharePointExport": { +                "Server": "https://example.sharepoint.com/", +                "Scanlevel": "ListItem", +                "Login": "account.example@usercube.com", +                "Password": "account'sexamplepassword", +                "CsvUrls": "C:/identitymanager/source/SP_others.csv ¤URL ¤," +        } +    } +} +``` + +#### Setting attributes + + | Name | Type | Description | + | --- | --- | --- | + | Login required | String | Login of the account used to access files and read their entitlements. | + | Password required | String | Password of the account used to access files and read their entitlements. | + | Server required | String | URL of the SharePoint website to scan. | + | Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | + | TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | + | Scanlevel default value: ListItem | Scanlevel | Level of scan to be performed, from less to more detailed: Site; List; and ListItem. | + | CsvUrls optional | String | Path, column and separator (split by ¤) of the CSV file containing the other sites to be scanned. Useful when scanning a SharePoint with a root site (https://example.sharepoint.com) **with other sites** (https://example.sharepoint.com/sites/OtherSite) which are not sub-sites (https://example.sharepoint.com/SubSite). Sub-sites don't need to be provided through a CSV file because they are found from the root site. | + +### Limitations + +Synchronization in incremental mode does not retrieve user account changes, because SharePoint is not able to provide this information through its API. + +To avoid unnecessary scanning and to increase performance, the connector in incremental mode does not scan user accounts from the sites given through CsvUrls. However, it still retrieves the folders, groups, permissions and the links between users and these elements. 
+
+When needing to retrieve all of user account information, then go through complete synchronization instead of incremental.
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder the following CSV files:
+
+`_Entity.csv`, with the following columns:
+
+- **command**: empty for complete synchronization, and `merge` for incremental;
+- **Collection**: SharePoint server's URL where the information was found;
+- **Id**: Identifier of the entity;
+- **SharePointId**: Identifier of the entity in the scanned site;
+- **Name**: name of the entity;
+- **Description**: description of the entity;
+- **PrincipalType**: type of the entity, for example `User`, `SecurityGroup` or `SharePointGroup`,
+etc.;
+- **Email**: email of the user;
+- **IsEmailAuthenticationGuestUser**: `true` if the email is for the authentication of a guest user;
+- **IsSiteAdmin**: `true` if the user is a site administrator;
+- **IsShareByEmailGuestUser**: `true` if the user is a guest invited by email;
+- **AadObjectId**: Microsoft Entra ID (formerly Microsoft Azure AD)'s identifier of the entity;
+
+`_GroupMember.csv`, with the following columns:
+
+- **command**;
+- **Collection**;
+- **Group_Id**: Identifier of the group;
+- **Entity_Id**: Identifier of the entity related to the group member;
+
+`_GroupMemberScanFail.csv`, with the following columns:
+
+- **command**;
+- **Collection**;
+- **Id**;
+- **Name**;
+- **Description**;
+- **PrincipalType**;
+
+`_Role.csv`, with the following columns:
+
+- **command**;
+- **Collection**;
+- **Id**;
+- **Name**;
+- **Description**;
+- **Permissions**: permissions concatenated together with line breaks;
+
+`_RoleAssignment.csv`, with the following columns:
+
+- **command**;
+- **Collection**;
+- **Key**: concatenation (with `-`) of the `Role_Id`, the `Entity_Id` and the `SecurableObject_Key`;
+- **Role_Id**: Identifier of
the role; +- **Entity_Id**: Identifier of the entity related to the role; +- **Entity_Name**: name of the group member; +- **SecurableObject_Key**: concatenation (with `|`) of the `Collection` and the relative URLs where +the object was found; + +`_SecurableObject.csv`, with the following columns: + +- **command**; +- **Key**: concatenation (with `|`) of the `Collection` and the relative URLs where the object was +found; +- **Collection**; +- **Level**: level where the securable object was found, among: `Site`; `List`; `ListItem`; +- **Label**: title or display name of the securable object; +- **ParentKey**: key of the securable object's parent; +- **ScanStatus**: status of the scan (success or fail); +- **HasUniqueRoleAssignments**: `true` if entitlement inheritance is blocked for this securable +object; + +`_SecurableObjectRightInheritance.csv`, with the following columns: + +- **command**; +- **Collection**; +- **SecurableObject_Key**; +- **Inheritance_Key**: key of the ancestor object that the securable object gets its inherited +rights from; + +`_SecurableObjectScanFail.csv`, with the following columns: + +- **command**; +- **Key**: concatenation (with `|`) of the `Collection` and the relative URLs where the object was +found; +- **Collection**; +- **Level**; +- **Label**; +- **ParentKey**; +- **HasUniqueRoleAssignments**. + +## Fulfill + +Identity Manager's fulfill functionality can add and remove members from existing SharePoint groups. + +### Configuration + +Same as for export, fulfill is configured through connections. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +*appsettings.agent.json* +{ +    ... +    "Connections": { +        ... 
+        "SharePointFulfillment": { +                "Server": "https://example.sharepoint.com/", +                "Scanlevel": "ListItem", +                "Login": "account.example@usercube.com", +                "Password": "account'sexamplepassword", +                "CsvUrls": "C:/identitymanager/source/SP_others.csv ¤URL ¤," +        } +    } +} +``` + +#### Setting attributes + + | Name | Type | Description | + | --- | --- | --- | + | Login required | String | Login of the account used to access files and read their entitlements. | + | Password required | String | Password of the account used to access files and read their entitlements. | + | Server required | String | URL of the SharePoint website to scan. | + | Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | + | TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file; +- An Azure Key Vault safe; + + | Attribute | Naming Convention for the Key in Azure Key Vault | + | --- | --- | + | Domain | `Connections----Domain` | + | Login | `Connections----Login` | + | Password | `Connections----Password` | + | Scanlevel | `Connections----Scanlevel` | + | TimeOut | `Connections----TimeOut` | + | Server | `Connections----Server` | + | CsvUrls | `Connections----CsvUrls` | + +- A cyberark Vault able to store SharePoint's `Login` and `Password`. 
+ +See the [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption), [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault), and [cyberark's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)topics for additional information. + +Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```text +                                                 +                                                        *appsettings.cyberark.agent.json* +{ +    ... +    "Connections": { +        ... +        "SharePointFulfill": { +                "Login": "SharePointSettings", +                "Password": "SharePointSettings" +        } +    } +} +                                         +``` + diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sql.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sql.md new file mode 100644 index 0000000000..f82e290a7e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sql.md 
@@ -0,0 +1,219 @@
+---
+title: "Sql"
+description: "Sql"
+sidebar_position: 300
+---
+
+# Sql
+
+This connector exports data from one of various [Database Management Systems](https://en.wikipedia.org/wiki/Database#database-management-systems).
+
+This page is about:
+
+- Database/[Generic SQL](../../../integration-guide/connectors/references-packages/generic-sql);
+- Database/[SQL Server](../../../integration-guide/connectors/references-packages/sql-server);
+- Database/[MySQL](../../../integration-guide/connectors/references-packages/mysql);
+- Database/[ODBC](../../../integration-guide/connectors/references-packages/odbc);
+- Database[Oracle Database](../../../integration-guide/connectors/references-packages/oracle-database);
+- Database/[PostgreSQL](../../../integration-guide/connectors/references-packages/postgresql);
+- [SAP ASE](../../../integration-guide/connectors/references-packages/sapase).
+
+![Package: Directory/Database/Generic SQL](/images/identitymanager/packages_sqlgeneric_v603.webp)
+
+![Package: Directory/Database/Microsoft SQL Server](/images/identitymanager/packages_sqlserver_v603.webp)
+
+![Package: Directory/Database/MySQL](/images/identitymanager/packages_sqlmy_v603.webp)
+
+![Package: Directory/Database/ODBC](/images/identitymanager/packages_sqlodbc_v603.webp)
+
+![Package: Directory/Database/Oracle](/images/identitymanager/packages_sqloracle_v603.webp)
+
+![Package: Directory/Database/PostgreSQL](/images/identitymanager/packages_sqlpostgre_v603.webp)
+
+![Package: Directory/Database/SAP ASE](/images/identitymanager/packages_sqlsap_v603.webp)
+
+## Overview
+
+A database is a collection of relational data which represents some aspects of the real world. A database system is designed to be built and populated with data for a specific task.
+
+A Database Management System (DBMS) is a software for storing and retrieving users' data while considering appropriate security measures.
+
+> Some popular DBMS systems are Microsoft SQL Server, MySQL, Oracle, PostgreSQL, etc.
+
+The goal of this connector is to connect to a DBMS and execute a query in order to export a table.
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- the configuration of a DBMS system;
+ > For example for Microsoft SQL Server 2017, see Microsoft's documentation for
+ > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017),
+ > the
+ > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017)
+ > and (optionally)
+ > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15).
+- creating a database `MyDb` with several tables and data so the user can query on the database, for
+testing purposes.
+
+## Export
+
+This connector exports the content of any table from an SQL database and writes it to a CSV file.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example configures the connection to Microsoft SQL Server and exports the table
+> `UC_Connectors` from the database `MyDb`:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "SqlExport": {
+> "ConnectionString" : "data source=.;Database=MyDb;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;",
+> "SqlCommand": "SELECT * FROM [MyDb].[dbo].[UC_Connectors]"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). |
+ | Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. |
+ | --- | --- |
+ | --- | --- |
+ | SqlCommand optional | **Type** String **Description** SQL request to be executed. **Note:** when not specified and `SqlFile` neither, then all the[Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) of this connector will be exported. |
+ | SqlFile optional | **Type** String **Description** Path of the file containing the SQL request to be executed. **Note:** ignored when `SqlCommand` is specified. **Note:** when not specified and `SqlFile` neither, then all the [Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) of this connector will be exported. |
+ | CsvEncoding default value: UTF-8 | **Type** String **Description** Encoding of the file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). |
+ | ProviderClassFullName optional | **Type** String **Description** Invariant name to register the provider. **Note:** required when querying a DBMS other than Microsoft SQL Server. |
+ | ProviderDllName optional | **Type** String **Description** DLL, i.e. name and extension, to be loaded by the connector. **Note:** the DLL must be in the `Runtime` folder.
**Note:** required when querying a DBMS other than Microsoft SQL Server. |
+ | IsolationLevel default value: ReadUncommitted | **Type** String **Description** Locking behavior of the transaction: `ReadUncommitted`; `ReadCommitted` - used for the databases that do not support the ReadUncommitted level, like Oracle databases. |
+
+### Connect to other DBMS
+
+Connect to a DBMS other than Microsoft SQL Server by proceeding as follows:
+
+1. Download and extract the package.
+ > For MySQL, download the package from [MySql.Data](https://www.nuget.org/packages/MySql.Data/).
+>
+ > ![MySQL: Download Package](/images/identitymanager/sql_downloadpackage.webp)
+2. Copy the DLL file (corresponding to the correct .Net version) to the `Runtime` folder.
+ > For MySQL, the DLL is `MySql.Data.dll`.
+3. Get the value required for `ProviderClassFullName` and `ProviderDllName`:
+
+ - for a DBMS handled by Identity Manager's packages, by accessing the
+[References: Packages](../../../integration-guide/connectors/references-packages);
+
+ > For MySQL:
+>
+ > ![Package Characteristics Example](/images/identitymanager/sql_packagecharacteristics.webp)
+
+ - for another DBMS, by accessing the DBMS' documentation for .Net and finding a class with
+**Factory** in its name.
+
+ > If MySQL were not part of Identity Manager's packages, you would see
+ > [MySqlClientFactory](https://dev.mysql.com/doc/dev/connector-net/latest/api/data_api/MySql.Data.MySqlClient.MySqlClientFactory.html).
+
+The **Factory** class must derive from **DbProviderFactory**. After verification, the `ProviderClassFullName` can be found in the **Inheritance Hierarchy** of the class.
+
+ > For MySQL, here `ProviderDllName` is **MySql.Data.dll** and `ProviderClassFullName` is
+ > **MySql.Data.MySqlClient.MySqlClientFactory**.
+>
+ > Then the following example configures the connection to MySQL and exports the table
+ > `UC_Connectors` from the database `MyDb` (the SQL command is inside `mySql.sql`):
+>
+ > ```
+ > *appsettings.agent.json*
+ > {
+ > ...
+ > "Connections": {
+ > ...
+ > "SqlExport": {
+ > "ConnectionString" : "Server=localhost;Database=MyDb;Uid=root;Pwd=secret",
+ > "SqlFile": "C:/identitymanagerDemo/Conf/Sql/mySql.sql",
+ > "ProviderClassFullName": "MySql.Data.MySqlClient.MySqlClientFactory",
+ > "ProviderDllName": "MySql.Data.dll"
+ > }
+ > }
+ > }
+ > ```
+>
+ > Another example for ODBC:
+>
+ > ```
+ > *appsettings.agent.json*
+ > {
+ > ...
+ > "Connections": {
+ > ...
+ > "SqlExport": {
+ > "ConnectionString": "Driver=ODBC Driver 17 for SQL Server;Server={YOUR-PC}\\SQLEXPRESS;Database={Database Name};Hostname=Localhost;DBALIAS={Database Alias};trusted_connection=Yes",
+ > "ProviderClassFullName": "System.Data.Odbc.OdbcFactory",
+ > "ProviderDllName": "System.Data.Odbc.dll",
+ > "SqlCommand": "SELECT * FROM {Table Name}",
+ > "IsolationLevel": null
+ > }
+ > }
+ > }
+ > ```
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder one CSV file, named `.csv` whose columns correspond to the columns returned by the SQL query.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | ConnectionString | `Connections----ConnectionString` |
+ | SqlCommand | `Connections----SqlCommand` |
+ | SqlFile | `Connections----SqlFile` |
+ | CsvEncoding | `Connections----CsvEncoding` |
+ | ProviderClassFullName | `Connections----ProviderClassFullName` |
+ | ProviderDllName | `Connections----ProviderDllName` |
+ | Timeout | `Connections----Timeout` |
+
+[Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) is not available for this connector.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sqlserverentitlements.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sqlserverentitlements.md
new file mode 100644
index 0000000000..b859e676eb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/sqlserverentitlements.md
@@ -0,0 +1,166 @@
+---
+title: "Sql Server Entitlements"
+description: "Sql Server Entitlements"
+sidebar_position: 310
+---
+
+# Sql Server Entitlements
+
+This connector exports entitlements from [Microsoft SQL Server](https://www.microsoft.com/en-us/sql-server/).
+
+This page is about [SQL Server Entitlements](../../../integration-guide/connectors/references-packages/sql-server-entitlements).
+
+![Package: Database/Microsoft SQL Server Entitlements](/images/identitymanager/packages_sqlservermanagement_v603.webp)
+
+## Overview
+
+Identity Manager can manage permissions within Microsoft SQL Server, by exporting the server's and databases' principals, i.e. entities that can request Microsoft SQL Server's resources.
+
+SQL Server supports three types of principals:
+
+- logins at the server level;
+- users at the database level;
+- roles (if any) at either level.
+
+Every principal includes a security identifier (SID).
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- the configuration of a Microsoft SQL Server system;
+
+ > For example, for Microsoft SQL Server 2017, see Microsoft's documentation for
+ > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017),
+ > the
+ > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017)
+ > and (optionally)
+ > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15);
+
+- understanding the concept of principals, roles and permissions;
+
+ > A little help on that with:
+>
+ > > [Principals (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/principals-database-engine?view=sql-server-2017);
+>
+ > > [Create a Login](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-login?view=sql-server-2017);
+>
+ > > [Server-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-2017);
+>
+ > > [Create a Database User](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017);
+>
+ > > [Database-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-2017);
+>
+ > > [Permissions (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-database-engine?view=sql-server-2017);
+>
+ > > [Permissions Hierarchy (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-hierarchy-database-engine?view=sql-server-2017).
+
+- a `ConnectionString` with a `Login` to connect to the SQL Server, where either the login has the
+**sysadmin** role, or:
+
+ - the login has the **securityadmin** role, in order to export **server principals**;
+ - each database to export has a database user attached to the login with at least one role among
+**db_accessadmin**, **db_owner** and **db_securityadmin**, in order to export **database principals**.
+
+[Securables](https://docs.microsoft.com/en-us/sql/relational-databases/security/securables?view=sql-server-2017) can also be defined manually for both the server and **database principals**, but this is more complicated and hence not recommended.
+
+## Export
+
+This connector exports from one or several databases to CSV files the following tables:
+
+- `sys.server_principals`;
+- `sys.server_role_members`;
+- `sys.database_principals`;
+- `sys.database_role_members`.
+
+This connector exports only in complete mode.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example connects Identity Manager to Microsoft SQL Server and exports the principals
+> from the databases `UsercubeDemo` and `AdventureWorks2017`:
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "SqlServerEntitlementsExport": {
+> "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;",
+> "Databases": ["UsercubeDemo", "AdventureWorks2017"]
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). |
+ | Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. |
+ | --- | --- |
+ | --- | --- |
+ | Databases optional | **Type** String List **Description** List of databases to be exported. **Note:** when not specified, all databases from the SQL Server are exported. |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder the following CSV files:
+
+- `_serverPrincipals.csv`;
+- `_serverRoleMembers.csv`;
+- `_databasePrincipals.csv`;
+- `_databaseRoleMembers.csv`.
+
+> For example, if the connection identifier is **SqlServerEntitlementsExport**, then the file names
+> are `SqlServerEntitlementsExport_serverPrincipals.csv`, etc.
+
+The output files' columns are the columns returned by the SQL query.
+
+## Fulfill
+
+There are no fulfill capabilities for this connector.
+
+## Authentication
+
+### Password reset
+
+This connector does not reset passwords.
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | ConnectionString | `Connections----ConnectionString` |
+ | Timeout | `Connections----Timeout` |
+
+[Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) is not available for this connector.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/topsecret.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/topsecret.md
new file mode 100644
index 0000000000..befe3b7731
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/topsecret.md
@@ -0,0 +1,16 @@
+---
+title: "Top Secret"
+description: "Top Secret"
+sidebar_position: 320
+---
+
+# Top Secret
+
+This connector exports users and profiles from a [Top Secret](https://www.ibm.com/docs/en/szs/2.2?topic=audit-top-secret) (TSS) instance.
+
+This page is about [TSS](../../../integration-guide/connectors/references-packages/tss).
+
+![Package: Mainframe/Top Secret](/images/identitymanager/packages_tss_v603.webp)
+
+The documentation is not yet available for this page and will be completed in the near future.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/workday.md b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/workday.md
new file mode 100644
index 0000000000..52764cbe1f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-connectors/workday.md
@@ -0,0 +1,191 @@
+---
+title: "Workday"
+description: "Workday"
+sidebar_position: 330
+---
+
+# Workday
+
+This connector exports users and groups from a [Workday](https://www.workday.com/en-us/products/talent-management/overview.html) instance.
+
+This page is about [Workday](../../../integration-guide/connectors/references-packages/workday).
+
+![Package: ERP/Workday](/images/identitymanager/packages_workday_v603.webp)
+
+## Prerequisites
+
+Implementing this connector requires:
+
+- using Workday Web Services (WWS) Directory
+[v34.2](https://community.workday.com/sites/default/files/file-hosting/productionapi/versions/v34.2/index.html) or later;
+
+ > For example, the
+ > [Human Resources](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/Human_Resources.html)
+ > Web Service contains operations that expose Workday Human Capital Management Business Services
+ > data, including Employee, Contingent Worker and Organization information.
+
+- access to the Web Services that are to be used;
+- the [XPath](https://www.w3.org/TR/1999/REC-xpath-19991116/) syntax to configure and select the
+attributes to export.
+
+## Export
+
+This connector exports any entity available in WWS.
+
+### Configuration
+
+This process is configured through a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) in the UI and/or the XML configuration, and in the `*appsettings.agent.json* > Connections` section:
+
+```json
+*appsettings.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "": {
+ ...
+ }
+ }
+}
+```
+
+The identifier of the connection and thus the name of the subsection must:
+
+- be unique.
+- not begin with a digit.
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`.
+
+> The following example connects Identity Manager to Workday and exports `Worker_ID` and `User_ID`
+> from the entity Workers returned in
+> [Get_Workers_Response](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml):
+>
+> ```
+> *appsettings.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "WorkdayExport": {
+> "InputFilePath": "C:/identitymanagerContoso/Temp/*bodies.json*",
+> "Login": "USERCUBE@contoso",
+> "Password": "contoso1996",
+> "Server": "https://workday.com/ccx/service/contoso"
+> }
+> }
+> }
+> ```
+
+#### Setting attributes
+
+ | Name | Details |
+ | --- | --- |
+ | InputFilePath required | **Type** String **Description** Path of the JSON file defining which entities and attributes are to be exported. See more details below. |
+ | Login required | **Type** String **Description** Login used to authenticate to Workday. |
+ | Password required | **Type** String **Description** Password used to authenticate to Workday. |
+ | Server required | **Type** String **Description** URL of the targeted Workday instance. **Syntax:**`https://####.workday.com/ccx/service/tenantName` (**without** the Web Service part). |
+
+##### InputFilePath
+
+The file specified in `InputFilePath` must have a specific structure, with a section for each entity to be exported.
+
+> For example:
+>
+> ```
+> *bodies.json*
+> {
+> "Requests": [> {
+> "XmlBody": " ",
+> "EntityName": "workers",
+> "IncrementalTag": "Transaction_Log_Criteria_Data",
+> "WebService": "Human_Resources/v34.2"
+> }
+>]
+> }
+> ```
+
+ | Name | Details |
+ | --- | --- |
+ | XmlBody required | **Type** String **Description** Request to send to the Web Service. **Syntax:** `"XmlBody": " ... "` - the request body must begin with `` and end with ``; - inside the body, the entity request must use the namespace `bsvc`; - the body must fit on a single line. **Tip:** write the body in a separate XML file and use [TextFixer](https://www.textfixer.com/tools/remove-line-breaks.php) to remove line breaks. **Tip:**[see an example](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Request.xml). |
+ | XPaths optional | **Type** String Pair List **Description** One or several key-value pairs, where: - the key is the attribute name that will be the column name in the output CSV file; - the value is the XPath used in the response to get the attribute value. **Info:** useless most of the time because the information is provided by entity type mappings and entity association mappings. **Still useful** when using the exe directly. **Note:** Netwrix Identity Manager (formerly Usercube)recommends using an **XPath** to the property `WID`, because it helps logs (in Trace mode) find entities with multi-valued properties. **Syntax:** `"XPaths": { "Attribute_1_Name": "XPath 1", ... "Attribute_N_Name": "XPath N" }` |
+ | EntityName required | **Type** String **Description** Name of the entity, which conditions the name of the output file. |
+ | IncrementalTag optional | **Type** String **Description** XML tag associated with the incremental request. **Note:** in the xml request, `` must be the parent of `` which is the parent of `` and ``. **Note:** when not specified, this entity is always exported in complete mode. **Warning:** the `IncrementalTag` part must not be added manually in `XmlBody` because the connector adds it automatically when exporting in incremental mode. |
+ | WebService required | **Type** String **Description** Name and version of the Web Service. |
+
+### Output details
+
+This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder:
+
+- one CSV file for each entity, named `_.csv`, with the following
+columns:
+
+ - **Command**: used for
+[Prepare Synchronization Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask);
+ - one column for each XPath found in the
+[Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping)' connection columns and [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping)' columns. [See Workday's documentation to compute XPaths](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml).``` `\_.csv`
+
+**Command,Key_XPath_1,Key_XPath_2,...,Key_XPath_N Add,value1,value2,...,valueN**
+
+```unknown
+```
+
+- a cookie file named `workday__cookie.bin`, containing the time of the last
+export in order to perform an incremental export.
+
+Most exports can be run in complete mode, where the CSV files will contain all entries, or in incremental mode, where CSV files will contain only the entries which have been modified since the last synchronization.
+
+A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) can use the option `--ignore-cookies`.
+
+> For example, with the following configuration:
+>
+> ```
+>
+> ConnectionColumn="bsvc:Worker_Data/bsvc:Worker_ID" IsUniqueKey="true" /> ConnectionColumn="bsvc:Worker_Data/bsvc:User_ID" IsUniqueKey="true" />
+>
+> ```
+>
+> We choose to export only the entity `workers`, so the output is generated to
+> `WorkdayExport_workers.csv` in the
+> [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export
+> Output directory .
+>
+> The CSV file will include three columns: `Command`; `bsvc:Worker_Data/bsvc:Worker_ID` and
+> `bsvc:Worker_Data/bsvc:User_ID`.
+
+## Authentication
+
+### Credential protection
+
+Data protection can be ensured through:
+
+- [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection), configured in
+the `appsettings.encrypted.agent.json` file;
+- An [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) safe;
+
+ | Attribute | Naming Convention for the Key in Azure Key Vault |
+ | --- | --- |
+ | InputFilePath | `Connections----InputFilePath` |
+ | Login | `Connections----Login` |
+ | Password | `Connections----Password` |
+ | Server | `Connections----Server` |
+
+- A
+[Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) able to store Workday's `Login`, `Password` and `Server`.
+
+Protected attributes are stored inside a safe in cyberark, into an account whose identifier can be retrieved by Identity Manager from `*appsettings.cyberark.agent.json*`.
+
+> For example:
+>
+> ```
+> *appsettings.cyberark.agent.json*
+> {
+> ...
+> "Connections": {
+> ...
+> "WorkdayExport": {
+> "Login": "WorkdayExport_Account",
+> "Password": "WorkdayExport_Account"
+> }
+> }
+> }
+> ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/active-directory.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/active-directory.md
new file mode 100644
index 0000000000..edc3b21714
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/active-directory.md
@@ -0,0 +1,18 @@
+---
+title: "Active Directory"
+description: "Active Directory"
+sidebar_position: 10
+---
+
+# Active Directory
+
+Manages users and groups in Active Directory. This package supports incremental synchronization with the DirSync mechanism.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Active Directory |
+ | Identifier | Usercube.AD@0000001 |
+ | Export | Usercube-Export-ActiveDirectory.dll |
+ | Fulfill | Usercube-Fulfill-Ldap.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/apache-directory.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/apache-directory.md
new file mode 100644
index 0000000000..49741f4487
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/apache-directory.md
@@ -0,0 +1,18 @@
+---
+title: "Apache Directory"
+description: "Apache Directory"
+sidebar_position: 20
+---
+
+# Apache Directory
+
+Manages users and groups in Apache Directory.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Apache Directory |
+ | Identifier | Usercube.LDAP.Apache@0000001 |
+ | Export | Usercube-Export-Ldap.dll |
+ | Fulfill | Usercube-Fulfill-Ldap.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure-active-directory.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure-active-directory.md
new file mode 100644
index 0000000000..d246182d04
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure-active-directory.md
@@ -0,0 +1,18 @@
+---
+title: "Microsoft Entra ID"
+description: "Microsoft Entra ID"
+sidebar_position: 40
+---
+
+# Microsoft Entra ID
+
+Manages users and groups in Microsoft Entra ID. This package supports incremental synchronization with the delta API.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Microsoft Entra ID |
+ | Identifier | Usercube.AzureAD@0000001 |
+ | Export | Usercube-Export-AzureAD.dll |
+ | Fulfill | Usercube-Fulfill-AzureAD.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure.md
new file mode 100644
index 0000000000..7f512fd9f0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/azure.md
@@ -0,0 +1,18 @@
+---
+title: "Azure"
+description: "Azure"
+sidebar_position: 30
+---
+
+# Azure
+
+Exports Azure resources, role definitions and role assignments.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Cloud/Azure |
+ | Identifier | Usercube.Azure@0000001 |
+ | Export | Usercube-Export-Azure.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/csv.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/csv.md
new file mode 100644
index 0000000000..bd8d8bcbdc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/csv.md
@@ -0,0 +1,18 @@
+---
+title: "CSV"
+description: "CSV"
+sidebar_position: 50
+---
+
+# CSV
+
+Exports CSV to prepare synchronization.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | File/CSV |
+ | Identifier | Usercube.CSV@0000001 |
+ | Export | Usercube-Export-Csv.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/cyberark.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/cyberark.md
new file mode 100644
index 0000000000..f4e7ec45a2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/cyberark.md
@@ -0,0 +1,18 @@
+---
+title: "CyberArk"
+description: "CyberArk"
+sidebar_position: 60
+---
+
+# CyberArk
+
+Manages CyberArk entities, including user and group assignments.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | PAM/CyberArk |
+ | Identifier | Usercube.SCIM.CyberArk@0000001 |
+ | Export | Usercube-Export-Scim.dll |
+ | Fulfill | Usercube-Fulfill-Scim.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvista.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvista.md
new file mode 100644
index 0000000000..9988f1c64a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvista.md
@@ -0,0 +1,18 @@
+---
+title: "EasyVista"
+description: "EasyVista"
+sidebar_position: 70
+---
+
+# EasyVista
+
+Manages users inside an EasyVista instance. This package supports incremental synchronization.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | ITSM/EasyVista |
+ | Identifier | Usercube.EasyVista@0000001 |
+ | Export | Usercube-Export-EasyVista.dll |
+ | Fulfill | Usercube-Fulfill-EasyVista.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvistaticket.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvistaticket.md
new file mode 100644
index 0000000000..6e728aee98
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/easyvistaticket.md
@@ -0,0 +1,18 @@
+---
+title: "EasyVista Ticket"
+description: "EasyVista Ticket"
+sidebar_position: 80
+---
+
+# EasyVista Ticket
+
+Creates tickets inside an EasyVista instance. This package does not support incremental synchronization.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Ticket/EasyVista |
+ | Identifier | Usercube.EasyVistaTicket@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Fulfill-ToEasyVistaTicket.dll and Usercube-EasyVistaTicket-UpdateFulfillmentState.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/excel.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/excel.md
new file mode 100644
index 0000000000..dbf553c549
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/excel.md
@@ -0,0 +1,18 @@
+---
+title: "Excel"
+description: "Excel"
+sidebar_position: 90
+---
+
+# Excel
+
+Exports Excel data sheets.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | File/Excel |
+ | Identifier | Usercube.Excel@0000001 |
+ | Export | Usercube-Export-Excel.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-ldap.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-ldap.md
new file mode 100644
index 0000000000..b25f2ed055
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-ldap.md
@@ -0,0 +1,18 @@
+---
+title: "Generic LDAP"
+description: "Generic LDAP"
+sidebar_position: 100
+---
+
+# Generic LDAP
+
+Manages entries in an LDAP compliant directory.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Generic LDAP |
+ | Identifier | Usercube.LDAP@0000001 |
+ | Export | Usercube-Export-Ldap.dll |
+ | Fulfill | Usercube-Fulfill-Ldap.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-scim.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-scim.md
new file mode 100644
index 0000000000..379fe610d8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-scim.md
@@ -0,0 +1,18 @@
+---
+title: "Generic SCIM"
+description: "Generic SCIM"
+sidebar_position: 110
+---
+
+# Generic SCIM
+
+Manages entities in SCIM compatible application.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/SCIM |
+ | Identifier | Usercube.SCIM@0000001 |
+ | Export | Usercube-Export-Scim.dll |
+ | Fulfill | Usercube-Fulfill-Scim.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-sql.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-sql.md
new file mode 100644
index 0000000000..169352df5e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/generic-sql.md
@@ -0,0 +1,21 @@
+---
+title: "Generic SQL"
+description: "Generic SQL"
+sidebar_position: 120
+---
+
+# Generic SQL
+
+Exports data from a SQL database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/Generic SQL |
+ | Identifier | Usercube.SQL@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+
+When creating a connection to a database which is not handled by Identity Manager's packages, you'll need to fill in the `ProviderDllName` and `ProviderClassFullName` properties of the [Sql](../../../integration-guide/connectors/references-connectors/sql) connector using the procedure given in the example.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/googleworkspace.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/googleworkspace.md
new file mode 100644
index 0000000000..d70d2ced5a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/googleworkspace.md
@@ -0,0 +1,18 @@
+---
+title: "Google Workspace"
+description: "Google Workspace"
+sidebar_position: 130
+---
+
+# Google Workspace
+
+Manages Google Workspace entities.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Google Workspace |
+ | Identifier | Usercube.GoogleWorkspace@0000001 |
+ | Export | Usercube-Export-GoogleWorkspace.dll |
+ | Fulfill | Usercube-Fulfill-GoogleWorkspace.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/home-folders.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/home-folders.md
new file mode 100644
index 0000000000..9879de754a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/home-folders.md
@@ -0,0 +1,18 @@
+---
+title: "Home Folders"
+description: "Home Folders"
+sidebar_position: 140
+---
+
+# Home Folders
+
+Manages Home Folders.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Storage/Home Folders |
+ | Identifier | Usercube.HomeFolder@0000001 |
+ | Export | Usercube-Export-HomeFolder.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/identitymanager-database.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/identitymanager-database.md
new file mode 100644
index 0000000000..86441628fd
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/identitymanager-database.md
@@ -0,0 +1,18 @@
+---
+title: "Database"
+description: "Database"
+sidebar_position: 460
+---
+
+# Database
+
+Updates the Identity Manager database for each provisioning order. This package is used for HR systems, authoritative systems or other Identity Manager instances.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Usercube/Database |
+ | Identifier | Usercube.FulfillDatabase@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Fulfill-InternalResources.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/index.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/index.md
new file mode 100644
index 0000000000..657aefd16b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/index.md
@@ -0,0 +1,206 @@
+---
+title: "References: Packages"
+description: "References: Packages"
+sidebar_position: 30
+---
+
+# References: Packages
+
+If you are looking for the dll of a given package, be aware that you can often find it in the [nuget catalog](https://www.nuget.org/packages). Then you can follow the procedure:
+
+1. Download and extract the package.
+
+2. Copy the dll file (corresponding to the appropriate .Net version) to the `Runtime` folder.
+
+- [Active Directory](../../../integration-guide/connectors/references-packages/active-directory)
+
+Manages users and groups in Active Directory. This package supports incremental synchronization with the DirSync mechanism.
+
+- [Apache Directory](../../../integration-guide/connectors/references-packages/apache-directory)
+
+Manages users and groups in Apache Directory.
+
+- [Azure](../../../integration-guide/connectors/references-packages/azure)
+
+Exports Azure resources, role definitions and role assignments.
+
+- [CSV](../../../integration-guide/connectors/references-packages/csv)
+
+Exports CSV to prepare synchronization.
+
+- [CyberArk](../../../integration-guide/connectors/references-packages/cyberark)
+
+Manages CyberArk entities, including user and group assignments.
+
+- [EasyVista](../../../integration-guide/connectors/references-packages/easyvista)
+
+Manages users inside an EasyVista instance. This package supports incremental synchronization.
+
+- [EasyVista Ticket](../../../integration-guide/connectors/references-packages/easyvistaticket)
+
+Creates tickets inside an EasyVista instance. This package supports incremental synchronization.
+
+- [Excel](../../../integration-guide/connectors/references-packages/excel)
+
+Exports Excel data sheets.
+
+- [Generic LDAP](../../../integration-guide/connectors/references-packages/generic-ldap)
+
+Manages entries in an LDAP compliant directory.
+
+- [Generic SCIM](../../../integration-guide/connectors/references-packages/generic-scim)
+
+Manages entities in SCIM compatible application.
+
+- [Generic SQL](../../../integration-guide/connectors/references-packages/generic-sql)
+
+Exports data from a SQL database.
+
+- [Google Workspace](../../../integration-guide/connectors/references-packages/googleworkspace)
+
+Manages Google Workspace entities.
+
+- [Home Folders](../../../integration-guide/connectors/references-packages/home-folders)
+
+Manages Home Folders.
+
+- [JSON](../../../integration-guide/connectors/references-packages/json)
+
+Generate JSON files for each provisioning order. These JSON can then be used by custom scripts.
+
+- [LDIF](../../../integration-guide/connectors/references-packages/ldif)
+
+Exports entries from a LDIF file.
+
+- [Manual Ticket](../../../integration-guide/connectors/references-packages/manual-ticket)
+
+Opens manual provisioning tickets in Identity Manager.
+
+- [Manual Ticket and CUD Resources](../../../integration-guide/connectors/references-packages/manual-ticket-and-cud-resources)
+
+Opens manual provisioning tickets in Identity Manager.
+
+- [Microsoft Entra ID](../../../integration-guide/connectors/references-packages/azure-active-directory)
+
+Manages users and groups in Microsoft Entra ID (formerly Microsoft Azure AD). This package supports incremental synchronization with the delta API.
+
+- [Microsoft Exchange](../../../integration-guide/connectors/references-packages/microsoft-exchange)
+
+Manages Microsoft Exchange mailboxes. This package supports incremental synchronization.
+
+- [MySQL](../../../integration-guide/connectors/references-packages/mysql)
+
+Export data from a MySQL database.
+
+- [NIM Profile](../../../integration-guide/connectors/references-packages/nimprofile)
+
+ Manages Netwrix Identity Manager profiles in the local or a remote instance.
+
+- [OData](../../../integration-guide/connectors/references-packages/odata)
+
+Manages OData entities.
+
+- [ODBC](../../../integration-guide/connectors/references-packages/odbc)
+
+Exports data from a generic ODBC compatible database.
+
+- [Open LDAP](../../../integration-guide/connectors/references-packages/open-ldap)
+
+Manages entries in Open LDAP. This package supports incremental synchronization with the sysrepl mechanism.
+
+- [Oracle Database](../../../integration-guide/connectors/references-packages/oracle-database)
+
+Export data from an Oracle database.
+
+- [Oracle LDAP](../../../integration-guide/connectors/references-packages/oracle-ldap)
+
+Manages entries in Oracle Internet Directory.
+
+- [PostgreSQL](../../../integration-guide/connectors/references-packages/postgresql)
+
+Export data from a PostgreSQL database.
+
+- [PowerShellProv](../../../integration-guide/connectors/references-packages/powershellprov)
+
+Fulfills an external system with a custom PowerShell script.
+
+- [PowerShellSync](../../../integration-guide/connectors/references-packages/powershellsync)
+
+Create a CSV export from a Powershell Script.
+
+- [RACF](../../../integration-guide/connectors/references-packages/racf)
+
+Exports the RACF users and profiles.
+
+- [Red Hat Directory Server](../../../integration-guide/connectors/references-packages/red-hat-directory-server)
+
+Manages entries in a Red Hat Directory Server.
+
+- [Robot Framework](../../../integration-guide/connectors/references-packages/robot-framework)
+
+Fulfills an external system using a Robot Framework script.
+
+- [Salesforce](../../../integration-guide/connectors/references-packages/salesforce)
+
+Manages Salesforce entities.
+
+- [SAP ASE](../../../integration-guide/connectors/references-packages/sapase)
+
+Exports data from a SAP ASE database.
+
+- [SAP ERP 6.0](../../../integration-guide/connectors/references-packages/saperp6)
+
+Manages users and roles in SAP ERP 6.0.
+
+- [SAP S/4 HANA](../../../integration-guide/connectors/references-packages/saphana)
+
+Manages users and roles in SAP S/4 HANA.
+
+- [ServiceNow](../../../integration-guide/connectors/references-packages/servicenow)
+
+Manages any data in the CMDB, including users and roles. This package supports incremental synchronization.
+
+- [ServiceNow Ticket](../../../integration-guide/connectors/references-packages/servicenow-ticket)
+
+Opens tickets in ServiceNow for the manual provisioning.
+
+- [Shared Folders](../../../integration-guide/connectors/references-packages/shared-folders)
+
+Manages users and permissions in Shared Folders.
+
+- [SharePoint](../../../integration-guide/connectors/references-packages/sharepoint)
+
+Exports sites, folders, SharePoint groups and permissions.
+
+- [Slack](../../../integration-guide/connectors/references-packages/slack)
+
+Manages Slack entities.
+
+- [SQL Server](../../../integration-guide/connectors/references-packages/sql-server)
+
+Export data from a SQL Server database.
+
+- [SQL Server Entitlements](../../../integration-guide/connectors/references-packages/sql-server-entitlements)
+
+Exports SQL Server Entitlements.
+
+- [TSS](../../../integration-guide/connectors/references-packages/tss)
+
+Exports the Top Secret users and profiles.
+
+- [Unplugged](../../../integration-guide/connectors/references-packages/unplugged)
+
+Manages an unplugged system with a completely custom data model.
+
+- [Database](../../../integration-guide/connectors/references-packages/identitymanager-database)
+
+Updates the Identity Manager database for each provisioning order. This package is used for HR systems, authoritative systems or other Identity Manager instances.
+
+- [Workday](../../../integration-guide/connectors/references-packages/workday)
+
+Manages users and groups in Workday.
+
+- [Workflow](../../../integration-guide/connectors/references-packages/workflow)
+
+Triggers workflows in Identity Manager for each provisioning order.
+
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/json.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/json.md
new file mode 100644
index 0000000000..67c1b83ab8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/json.md
@@ -0,0 +1,18 @@
+---
+title: "JSON"
+description: "JSON"
+sidebar_position: 150
+---
+
+# JSON
+
+Generate JSON files for each provisioning order. These JSON can then be used by custom scripts.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/JSON |
+ | Identifier | Usercube.FulfillToFile@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Fulfill-ToFile.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/ldif.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/ldif.md
new file mode 100644
index 0000000000..78080670f8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/ldif.md
@@ -0,0 +1,18 @@
+---
+title: "LDIF"
+description: "LDIF"
+sidebar_position: 160
+---
+
+# LDIF
+
+Exports entries from a LDIF file.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/LDIF |
+ | Identifier | Usercube.LDIF@0000001 |
+ | Export | Usercube-Export-Ldif.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources.md
new file mode 100644
index 0000000000..36bc43713a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources.md
@@ -0,0 +1,36 @@
+---
+title: "Manual Ticket and CUD Resources"
+description: "Manual Ticket and CUD Resources"
+sidebar_position: 180
+---
+
+# Manual Ticket and CUD Resources
+
+Opens manual provisioning tickets in Identity Manager.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Ticket/identitymanager And Create/Update/Delete resources |
+ | Identifier | Usercube.UpdateManualProvisioningTicket@0000001 |
+ | Export | NONE |
+ | Fulfill | `Usercube-UpdateManualProvisioningTicket.dll` and `Usercube-Update-FulfillmentStates.dll` |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+
+## Virtual Resources
+
+This package allows to create tickets in the Manual Provisioning screen.
+
+After the validation of the ticket, the state of the resource will be `Executed`. If a synchronization is available for the system manually fulfilled, the state could change to `Verified` if the synchronized data are the ones expected. If the external system cannot be synchronized, Identity Manager offers the possibility to create virtual resources. It means that the data is not provided by a synchronization, but we trust the validation of the ticket in the manual provisioning screen. The resources are created accordingly as if they were coming from an external system.
+
+## Rights for CUD Resources
+
+If this package is used from the interface, the necessary rights will be automatically added. If this package is used from the XML configuration, some rights will need to be added to allow the creation, update or deletion of virtual resources.
+
+### Example
+
+Here is an example for an entity type called `MyTicketEntity`:
+
+```xml
+
+```
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket.md
new file mode 100644
index 0000000000..acf1a3a398
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/manual-ticket.md
@@ -0,0 +1,18 @@
+---
+title: "Manual Ticket"
+description: "Manual Ticket"
+sidebar_position: 170
+---
+
+# Manual Ticket
+
+Opens manual provisioning tickets in Identity Manager.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Ticket/identitymanager |
+ | Identifier | Usercube.Manual@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Update-FulfillmentStates.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/microsoft-exchange.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/microsoft-exchange.md
new file mode 100644
index 0000000000..4559fd60ba
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/microsoft-exchange.md
@@ -0,0 +1,18 @@
+---
+title: "Microsoft Exchange"
+description: "Microsoft Exchange"
+sidebar_position: 190
+---
+
+# Microsoft Exchange
+
+Manages Microsoft Exchange mailboxes. This package supports incremental synchronization.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Server/Microsoft Exchange |
+ | Identifier | Usercube.MicrosoftExchange@0000001 |
+ | Export | Usercube-Export-MicrosoftExchange.dll |
+ | Fulfill | Usercube-Fulfill-PowerShell.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/mysql.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/mysql.md
new file mode 100644
index 0000000000..414719ff56
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/mysql.md
@@ -0,0 +1,24 @@
+---
+title: "MySQL"
+description: "MySQL"
+sidebar_position: 200
+---
+
+# MySQL
+
+Export data from a MySQL database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/MySQL |
+ | Identifier | Usercube.SQL.MySQL@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+ | ProviderClassFullName | MySql.Data.MySqlClient.MySqlClientFactory |
+ | ProviderDllName | MySql.Data.dll |
+
+To use this package, `MySql.Data.dll` needs to be [downloaded from the MySQL website](https://dev.mysql.com/downloads/connector/net/) (selecting the **.NET & Mono** operating system) and copied to the `Runtime` folder.
+
+You can click on the **Archives** tab to find other versions.
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/nimprofile.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/nimprofile.md
new file mode 100644
index 0000000000..b137fd2899
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/nimprofile.md
@@ -0,0 +1,18 @@
+---
+title: "NIM Profile"
+description: "NIM Profile"
+sidebar_position: 210
+---
+
+# NIM Profile
+
+Manages Profile assignments in Identity Manager instances through the Role Model engine. Supports both local self-management and remote peer management modes.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Usercube/NIM Profile |
+ | Identifier | Usercube.NimProfile@0000001 |
+ | Export | Usercube-Export-Nim.dll |
+ | Fulfill | Usercube-Fulfill-Nim.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/odata.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/odata.md
new file mode 100644
index 0000000000..522e90237f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/odata.md
@@ -0,0 +1,17 @@
+---
+title: "OData"
+description: "OData"
+sidebar_position: 220
+---
+
+# OData
+
+Manages OData entities.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/OData |
+ | Identifier | Usercube.OData@0000001 |
+ | Export | Usercube-Export-OData.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/odbc.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/odbc.md
new file mode 100644
index 0000000000..45e74b1c5e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/odbc.md
@@ -0,0 +1,20 @@
+---
+title: "ODBC"
+description: "ODBC"
+sidebar_position: 210
+---
+
+# ODBC
+
+Exports data from a generic ODBC compatible database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/ODBC |
+ | Identifier | Usercube.SQL.ODBC@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+ | ProviderClassFullName | System.Data.Odbc.OdbcFactory |
+ | ProviderDllName | System.Data.Odbc.dll |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/open-ldap.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/open-ldap.md
new file mode 100644
index 0000000000..d8f801fb41
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/open-ldap.md
@@ -0,0 +1,18 @@
+---
+title: "Open LDAP"
+description: "Open LDAP"
+sidebar_position: 230
+---
+
+# Open LDAP
+
+Manages entries in Open LDAP. This package supports incremental synchronization with the sysrepl mechanism.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Open LDAP |
+ | Identifier | Usercube.OpenLDAP@0000001 |
+ | Export | Usercube-Export-OpenLdap.dll |
+ | Fulfill | Usercube-Fulfill-Ldap.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-database.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-database.md
new file mode 100644
index 0000000000..f5a98ed81a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-database.md
@@ -0,0 +1,29 @@
+---
+title: "Oracle Database"
+description: "Oracle Database"
+sidebar_position: 240
+---
+
+# Oracle Database
+
+Export data from an Oracle database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/Oracle |
+ | Identifier | Usercube.SQL.Oracle@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+ | ProviderClassFullName | Oracle.ManagedDataAccess.Client.OracleClientFactory |
+ | ProviderDllName | Oracle.ManagedDataAccess.Core |
+
+For this package, the default isolation level is **ReadCommitted**.
+
+To use this package, `Oracle.ManagedDataAccess.Core` needs to be [downloaded from the Oracle website](https://www.oracle.com/database/technologies/net-downloads.html) (selecting the `ODP.NET` release) and copied to the `Runtime` folder.
+
+:::note
+ The DLL in the "Oracle.ManagedDataAccess" package isn't compatible with .NET 8
+
+:::
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-ldap.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-ldap.md
new file mode 100644
index 0000000000..91d927ba14
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/oracle-ldap.md
@@ -0,0 +1,18 @@
+---
+title: "Oracle LDAP"
+description: "Oracle LDAP"
+sidebar_position: 250
+---
+
+# Oracle LDAP
+
+Manages entries in Oracle Internet Directory.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Oracle LDAP |
+ | Identifier | Usercube.LDAP.Oracle@0000001 |
+ | Export | Usercube-Export-Ldap.dll |
+ | Fulfill | Usercube-Fulfill-Ldap.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/postgresql.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/postgresql.md
new file mode 100644
index 0000000000..3363669cb7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/postgresql.md
@@ -0,0 +1,20 @@
+---
+title: "PostgreSQL"
+description: "PostgreSQL"
+sidebar_position: 260
+---
+
+# PostgreSQL
+
+Export data from a PostgreSQL database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/PostgreSQL |
+ | Identifier | Usercube.SQL.PostgreSQL@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+ | ProviderClassFullName | Npgsql.NpgsqlFactory |
+ | ProviderDllName | Npgsql.dll |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellprov.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellprov.md
new file mode 100644
index 0000000000..e00f17dedc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellprov.md
@@ -0,0 +1,18 @@
+---
+title: "PowerShellProv"
+description: "PowerShellProv"
+sidebar_position: 270
+---
+
+# PowerShellProv
+
+Syncronizes an external system with a custom PowerShell script.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/PowerShellProv |
+ | Identifier | Usercube.Powershell@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Fulfill-PowerShell.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellsync.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellsync.md
new file mode 100644
index 0000000000..f527b23e07
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/powershellsync.md
@@ -0,0 +1,18 @@
+---
+title: "PowerShellSync"
+description: "PowerShellSync"
+sidebar_position: 280
+---
+
+# PowerShellSync
+
+Syncronizes an external system with a custom PowerShell script.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/PowerShellSync |
+ | Identifier | Usercube.PowershellSync@0000001 |
+ | Export | Usercube-Export-PowerShell.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/racf.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/racf.md
new file mode 100644
index 0000000000..6ed7297aaf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/racf.md
@@ -0,0 +1,18 @@
+---
+title: "RACF"
+description: "RACF"
+sidebar_position: 290
+---
+
+# RACF
+
+Exports the RACF users and profiles.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Mainframe/RACF |
+ | Identifier | Usercube.RACF@0000001 |
+ | Export | Usercube-Export-Racf.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/red-hat-directory-server.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/red-hat-directory-server.md
new file mode 100644
index 0000000000..c53f894c00
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/red-hat-directory-server.md
@@ -0,0 +1,18 @@
+---
+title: "Red Hat Directory Server"
+description: "Red Hat Directory Server"
+sidebar_position: 300
+---
+
+# Red Hat Directory Server
+
+Manages entries in a Red Hat Directory Server.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Directory/Red Hat Directory Server |
+ | Identifier | Usercube.LDAP.RedHat@0000001 |
+ | Export | Usercube-Export-Ldap.dll |
+ | Fulfill | Usercube-Fulfill-Ldap.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/robot-framework.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/robot-framework.md
new file mode 100644
index 0000000000..9bf1b71eb7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/robot-framework.md
@@ -0,0 +1,18 @@
+---
+title: "Robot Framework"
+description: "Robot Framework"
+sidebar_position: 310
+---
+
+# Robot Framework
+
+Fulfills an external system using a Robot Framework script.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/Robot Framework |
+ | Identifier | Usercube.RobotFramework@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Fulfill-RobotFramework.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/salesforce.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/salesforce.md
new file mode 100644
index 0000000000..e2a9f702eb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/salesforce.md
@@ -0,0 +1,18 @@
+---
+title: "Salesforce"
+description: "Salesforce"
+sidebar_position: 370
+---
+
+# Salesforce
+
+Manages Salesforce entities.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | CRM/Salesforce |
+ | Identifier | Usercube.SCIM.Salesforce@0000001 |
+ | Export | Usercube-Export-Scim.dll |
+ | Fulfill | Usercube-Fulfill-Scim.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sapase.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sapase.md
new file mode 100644
index 0000000000..4bd00b7545
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sapase.md
@@ -0,0 +1,20 @@
+---
+title: "SAP ASE"
+description: "SAP ASE"
+sidebar_position: 320
+---
+
+# SAP ASE
+
+Exports data from a SAP ASE database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/SAP ASE |
+ | Identifier | Usercube.SQL.SAPAse@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
+ | ProviderClassFullName | AdoNetCore.AseClient.AseClientFactory |
+ | ProviderDllName | AdoNetCore.AseClient.dll |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/saperp6.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/saperp6.md
new file mode 100644
index 0000000000..0ddc8cbc78
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/saperp6.md
@@ -0,0 +1,18 @@
+---
+title: "SAP ERP 6.0"
+description: "SAP ERP 6.0"
+sidebar_position: 330
+---
+
+# SAP ERP 6.0
+
+Manages users and roles in SAP ERP 6.0.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | ERP/SAP ERP 6.0 |
+ | Identifier | Usercube.SAP.ERP60@0000001 |
+ | Export | Usercube-Export-SapErp6.dll |
+ | Fulfill | Usercube-Fulfill-SapErp6.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/saphana.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/saphana.md
new file mode 100644
index 0000000000..b49f59b3d7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/saphana.md
@@ -0,0 +1,18 @@
+---
+title: "SAP S/4 HANA"
+description: "SAP S/4 HANA"
+sidebar_position: 340
+---
+
+# SAP S/4 HANA
+
+Manages users and roles in SAP S/4 HANA.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | ERP/SAP S/4 HANA |
+ | Identifier | Usercube.SAP@0000001 |
+ | Export | Usercube-Export-Sap.dll |
+ | Fulfill | Usercube-Fulfill-Sap.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow-ticket.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow-ticket.md
new file mode 100644
index 0000000000..7668be8a1e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow-ticket.md
@@ -0,0 +1,18 @@
+---
+title: "ServiceNow Ticket"
+description: "ServiceNow Ticket"
+sidebar_position: 390
+---
+
+# ServiceNow Ticket
+
+Opens tickets in ServiceNow for the manual provisioning.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Ticket/ServiceNow |
+ | Identifier | Usercube.SnowTicket@0000001 |
+ | Export | NONE |
+ | Fulfill | `Usercube-Fulfill-ToServiceNowTicket.dll` and `Usercube-ServiceNowTicket-UpdateFulfillmentState.dll` |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow.md
new file mode 100644
index 0000000000..2ed3e3d66b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/servicenow.md
@@ -0,0 +1,18 @@
+---
+title: "ServiceNow"
+description: "ServiceNow"
+sidebar_position: 380
+---
+
+# ServiceNow
+
+Manages any data in the CMDB, including users and roles. This package supports incremental synchronization.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | ITSM/ServiceNow |
+ | Identifier | Usercube.ServiceNow@0000001 |
+ | Export | Usercube-Export-ServiceNow.dll |
+ | Fulfill | Usercube-Fulfill-ServiceNow.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/shared-folders.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/shared-folders.md
new file mode 100644
index 0000000000..6d276f8fe3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/shared-folders.md
@@ -0,0 +1,18 @@
+---
+title: "Shared Folders"
+description: "Shared Folders"
+sidebar_position: 410
+---
+
+# Shared Folders
+
+Manages users and permissions in Shared Folders.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Storage/Shared Folders |
+ | Identifier | Usercube.SharedFolder@0000001 |
+ | Export | Usercube-Export-SharedFolder.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sharepoint.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sharepoint.md
new file mode 100644
index 0000000000..6349cfdc43
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sharepoint.md
@@ -0,0 +1,18 @@
+---
+title: "SharePoint"
+description: "SharePoint"
+sidebar_position: 400
+---
+
+# SharePoint
+
+Exports sites, folders, SharePoint groups and permissions.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Storage/SharePoint |
+ | Identifier | Usercube.SharePoint@0000001 |
+ | Export | Usercube-Export-SharePoint.dll |
+ | Fulfill | Usercube-Fulfill-SharePoint.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/slack.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/slack.md
new file mode 100644
index 0000000000..30ecad446b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/slack.md
@@ -0,0 +1,18 @@
+---
+title: "Slack"
+description: "Slack"
+sidebar_position: 420
+---
+
+# Slack
+
+Manages Slack entities.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Messaging/Slack |
+ | Identifier | Usercube.SCIM.Slack@0000001 |
+ | Export | Usercube-Export-Scim.dll |
+ | Fulfill | Usercube-Fulfill-Scim.dll |
+ | Has Incremental Mode | True |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server-entitlements.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server-entitlements.md
new file mode 100644
index 0000000000..0ddc95086b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server-entitlements.md
@@ -0,0 +1,18 @@
+---
+title: "SQL Server Entitlements"
+description: "SQL Server Entitlements"
+sidebar_position: 360
+---
+
+# SQL Server Entitlements
+
+**Exports SQL Server Entitlements**
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/SQL Server Entitlements |
+ | Identifier | Usercube.SQL.SQLServerEntitlements@0000001 |
+ | Export | Usercube-Export-SqlServerEntitlements.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server.md
new file mode 100644
index 0000000000..8021bf1437
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/sql-server.md
@@ -0,0 +1,18 @@
+---
+title: "SQL Server"
+description: "SQL Server"
+sidebar_position: 350
+---
+
+# SQL Server
+
+Export data from a SQL Server database.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Database/SQL Server |
+ | Identifier | Usercube.SQL.SQLServer@0000001 |
+ | Export | Usercube-Export-Sql.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/tss.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/tss.md
new file mode 100644
index 0000000000..dd879fec0c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/tss.md
@@ -0,0 +1,18 @@
+---
+title: "TSS"
+description: "TSS"
+sidebar_position: 430
+---
+
+# TSS
+
+Exports the Top Secret users and profiles.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Mainframe/Top Secret |
+ | Identifier | Usercube.TSS@0000001 |
+ | Export | Usercube-Export-Tss.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/unplugged.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/unplugged.md
new file mode 100644
index 0000000000..ef4f5d04f3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/unplugged.md
@@ -0,0 +1,18 @@
+---
+title: "Unplugged"
+description: "Unplugged"
+sidebar_position: 440
+---
+
+# Unplugged
+
+Manages an unplugged system with a completely custom data model.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Custom/Unplugged |
+ | Identifier | Usercube.Custom@0000001 |
+ | Export | NONE |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/workday.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/workday.md
new file mode 100644
index 0000000000..cd5117b3e6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/workday.md
@@ -0,0 +1,18 @@
+---
+title: "Workday"
+description: "Workday"
+sidebar_position: 470
+---
+
+# Workday
+
+Manages users and groups in Workday.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | ERP/Workday |
+ | Identifier | Usercube.Workday@0000001 |
+ | Export | Usercube-Export-Workday.dll |
+ | Fulfill | NONE |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/connectors/references-packages/workflow.md b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/workflow.md
new file mode 100644
index 0000000000..58ee343e61
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/connectors/references-packages/workflow.md
@@ -0,0 +1,18 @@
+---
+title: "Workflow"
+description: "Workflow"
+sidebar_position: 480
+---
+
+# Workflow
+
+Triggers workflows in Identity Manager for each provisioning order.
+
+ | Package Characteristics | Value |
+ | --- | --- |
+ | Display Name | Usercube/Workflow |
+ | Identifier | Usercube.FulfillWorkflow@0000001 |
+ | Export | NONE |
+ | Fulfill | Usercube-Fulfill-InternalWorkflows.dll |
+ | Has Incremental Mode | False |
+ | Publisher | Identity Manager |
diff --git a/docs/identitymanager/6.3/integration-guide/entity-model.md b/docs/identitymanager/6.3/integration-guide/entity-model.md
new file mode 100644
index 0000000000..860b03568b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/entity-model.md
@@ -0,0 +1,180 @@
+---
+title: "Entity Model"
+description: "Entity Model"
+sidebar_position: 30
+---
+
+# Entity Model
+
+At the heart of any successful IGA project, dwells an efficient data model.
+
+The data involved in the project, be it reference data, identities, or from the managed systems', needs to be modeled in a way that is both relevant to the organization and to Identity Manager.
+
+Identity Manager�allows integrators to adapt the data model to the target organization, instead of forcing the organization to fit in a pre-conceived hardwired model. This philosophy has proven successful by Identity Manager's field experience and project feedback.
+
+## Entity-Relationship model
+
+The model for all resources (that means data from the managed system, reference data and identities) is written in the applicative configuration in the form of an [Entity-Relationship model](https://en.wikipedia.org/wiki/Entity:relationship_model), called the **entity model**. See the [Toolkit for XML Configuration](../integration-guide/toolkit) topic for additional information.
+
+The model is organized into cohesive **connectors**, one for each managed system, and one for the reference data/identity repository.
+
+An **entity model** describes the shape of resources (the **metadata**) and how they are built from real world sources of truth (the **mapping**).
+
+### Metadata
+
+The **metadata** of a resource is the description of the resources' shape. Using the _Entity-Relationship_ vocabulary, it's a list of property names and types for a resource.
+
+The metadata is written using [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype), [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) and [Entity Association](../integration-guide/toolkit/xml-configuration/metadata/entityassociation).
+
+#### Entity types
+
+Every resource is assigned an [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) that describes its shape.
+
+It's a description of the resource: it can be a managed system's resource or a real world entity such as an identity or a department.
+
+An [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) includes:
+
+- One or more [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype)
+- Zero or more
+[Entity Association](../integration-guide/toolkit/xml-configuration/metadata/entityassociation)
+
+#### Entity properties
+
+Properties are key-value pairs, with a name and type that describes the nature of the value held by the property. They are described by [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) properties.
+
+There are two kind of properties: **Scalar Properties** and **Navigation Properties**.
+
+**Scalar Properties** simply hold a value: a string, a number, a date for example.
+
+Available types include:
+
+- `String`
+- `Bytes`
+- `Int32` (32 bits integer)
+- `Int64` (64 bits integer)
+- `DateTime`
+- `Bool` (boolean)
+- `Guid`
+- `Double`
+- `Binary` (binary file like an image)
+
+For these types, the UI and binding system transforms the value retrieved from the database into the corresponding type for display.
+
+**Navigation Properties** properties hold links between the parent resource and another resource.
+
+**Navigation Properties** type is `ForeignKey`.
+
+**Navigation Properties** are completed by an Entity Association that explicitly describe the nature of the link.
+
+#### Entity association
+
+An [Entity Association](../integration-guide/toolkit/xml-configuration/metadata/entityassociation) describes a link between entity types. It connects a pair of navigation properties, from two **Entity Types**.
+
+There are two types of navigational properties:
+
+- _mono-valued_, that link to a [single](https://en.wikipedia.org/wiki/One-to-one_(data_model))
+entity;
+- _multi-valued_, that link to a
+[collection](https://en.wikipedia.org/wiki/many-to-many_(data_model)) of entities.
+
+Given a navigation property A of EntityType 1, linking EntityType 1 to navigation properties B of EntityType 2, then navigation property B is called the reverse property of navigation property A and navigation property A is called the reverse property of navigation property B.
+
+**For example,**
+
+- The _User_ entity type has the navigational property _Positions_ (a link to **zero or
+more\_**Position\_ entities);
+- The _Position_ entity type has the navigational property _Person_ (a link to **zero or
+one\_**User\_ entity);
+- The navigational property _Person_ is the reverse link of the navigational property _Positions;_
+- The _User_ entity type has the navigational property _Manager_ (a link to **zero or one\_**User\_
+entity);
+- The _User_ entity type has the navigational property _Subordinates_ (a link to **zero or
+more\_**User\_ entities);
+- The navigational property _Subordinates_ is the reverse link of the navigational property
+_Manager_.
+
+#### Locatable property
+
+Some property values must be available in several languages. In this case, we define a **neutral property** and as many corresponding properties as languages.
+
+The built-in _InternalDisplayName_ property is a neutral property. Its associated properties are named \_`InternalDisplayName___L{Index}`_ where \_Index_ reference the [Languages](../integration-guide/toolkit/languages).
+
+#### Computed property
+
+A property can be calculated from other properties. The [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) property expression element allows the expression of a computed property. It references the property (specifying the entity type's identifier and the property's identifier) and expresses the calculation based on a given entity using the calculation [Expressions](../integration-guide/toolkit/expressions) syntax.
+
+An element `` can be used to calculate a scalar property or a mono-valued navigation property. In the latter case, the expression must return an integer that corresponds to the primary key of the target entity.
+
+#### Display name
+
+Every declared **EntityType** automatically has the `InternalDisplayName` property even if it is not explicitly declared in the applicative configuration.
+
+It represents a user-friendly name for **EntityType** that is used in the UI if needed.
+
+Its value can be explicitly computed by an [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) property expression. Otherwise, a default value is automatically computed by Identity Manager�using the first property of the **EntityType** where `identifier` contains the string _"name"_. If no such property is found, the first declared property of the **EntityType** is used instead.
+
+The _InternalDisplayName_ property will be used as a default label of the entity in the UI.
+
+#### Database mapping
+
+Resources from the **resource repository** are stored in the generic UR_Resources table.
+
+This table has:
+
+- 128 columns to store scalar properties (index 0 to 127). The first four are reserved for big
+scalar properties values (as many as 4000 unicode char). he other columns are limited to 442 unicode char. These columns are named C0 to C3V following a base-32 convention for naming.
+
+- 25 columns to store mono-valued navigational properties values (index 128 to 152). These columns
+are named `I0` to `I4N` following a base-32 convention for naming.
+
+_Multi-valued navigation property_ values are stored in the UR_ResourceLinks junction table.
+
+Binary property values (such as pictures or files) are stored in the UR_ResourceFiles table.
+
+### Mapping
+
+Identity Manager's Entity Model also contains **a mapping** between the external data and [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype) properties or [Entity Association](../integration-guide/toolkit/xml-configuration/metadata/entityassociation). That's why entity types are organized into **connectors**. The **mapping\_**connects\_ entity types to external sources of truth.
+
+This information is provided by the [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping), their [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and [Entity Association Mapping](../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping).
+
+To build Identity Manager�resources from external data found in the managed system, the entity model provides a mapping between the external data (often in the form of CSV files, see [Upward Data Synchronization](../integration-guide/synchronization/upward-data-sync)) and entity properties. This information is provided by the [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping), their [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping)and [Entity Association Mapping](../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping).
+
+Every [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping)maps a CSV column to a scalar [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype).
+
+Every [Entity Association Mapping](../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) maps a CSV column to a navigation [Entity Type](../integration-guide/toolkit/xml-configuration/metadata/entitytype).
+
+#### Format
+
+When exporting entries from an external system, the results are usually retrieved as simple strings, written in a CSV file, and imported into the Identity Manager�Database as-is. But an external system will rarely uses the same format as Identity Manager to store objects such as dates.
+
+Let's take, for example, a case where we want to store an employee's start date:
+
+- In the external system, the date is stored as a string with the format `2020-09-29 22:00:00`.
+- In Identity Manager, dates are stored as strings in the format `20200929220000`
+
+We need to transform the input data, from the export, into something readable by Identity Manager�and, when writing to the external system, transform Identity Manager's data back into something readable by the external system.
+
+![Export and Fulfill Data transformation](/images/identitymanager/entitypropertymapping-format-flowchart.webp)
+
+The format used in the external system can be provided through the [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) using the [References: Format for the EntityPropertyMapping](../integration-guide/connectors/entitypropertymapping-format) attribute to help Identity Manager�to convert data appropriately.
+
+If the field in the external system is not forced to a specific value type, but is free-form (example: a string field in which date values are stored but which can sometimes hold other values), we strongly recommend not using the `Format` attribute to prevent inconsistent user input in the external system.
+
+#### Primary key
+
+When writing an [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping), one of the _scalar properties_ should be chosen as primary key. This property will be used by Identity Manager�to [uniquely identify a resource](https://en.wikipedia.org/wiki/Primary_key). It is hence crucial to choose carefully as many of Identity Manager's processes and optimizations depend on this choice.
+
+### SQL views
+
+The `UR_Resource` table contains resources from all the connectors, for all the Entity Types. Columns names are not semantically meaningful because they have generic I\*/C\* names. For this reason, Identity Manager�provides SQL views to help the user explore the resource repository from the database. The views are useful to understand how Identity Manager�works or to debug a faulty configuration.
+
+SQL Views are built by the [Create Database Views Task](../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask).
+
+SQL Views created by this tool are identified in the database by a `zz_` prefix.
+
+Created views are not used by the Identity Manager�engine directly. Identity Manager's engine always creates, reads, updates and deletes from the `UR_*` tables.
+
+## Records
+
+The **entity model** is enhanced with **records** to handle positions and movements of staff. See the [Identity Management](../integration-guide/identity-management) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/index.md b/docs/identitymanager/6.3/integration-guide/executables/index.md
new file mode 100644
index 0000000000..2872e6ac9d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/index.md
@@ -0,0 +1,11 @@
+---
+title: "Executables"
+description: "Executables"
+sidebar_position: 180
+---
+
+# Executables
+
+The documentation is not yet available for this page and will be completed in the near future.
+
+See the Executables topic for additional information.
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/agent.md b/docs/identitymanager/6.3/integration-guide/executables/references/agent.md
new file mode 100644
index 0000000000..b47d05393d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/agent.md
@@ -0,0 +1,31 @@
+---
+title: "Usercube-Agent"
+description: "Usercube-Agent"
+sidebar_position: 10
+---
+
+# Usercube-Agent
+
+This tool runs the Agent on a separate server instance. The Agent is able to communicate with the [Usercube-Server ](../../../integration-guide/executables/references/server).
+
+## Examples
+
+With a properly configured environment, the following command runs the agent. It listens on two different ports:
+
+```shell
+./Usercube-Agent.exe --urls "http://localhost:6001;http://localhost:6002"
+```
+
+When the Agent starts, the following log should be displayed (if the log level is set to _Information_):
+
+```json
+[xx:xx:xx INF] Now listening on: http://localhost:6001
+[xx:xx:xx INF] Now listening on: http://localhost:6002
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --urls required | **Type** String **Description** URL(s) that the agent is listening to. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/anonymize.md b/docs/identitymanager/6.3/integration-guide/executables/references/anonymize.md
new file mode 100644
index 0000000000..41ec470ff2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/anonymize.md
@@ -0,0 +1,111 @@
+---
+title: "Usercube-Anonymize"
+description: "Usercube-Anonymize"
+sidebar_position: 20
+---
+
+# Usercube-Anonymize
+
+This tool anonymizes data based on a certain knowledge of the database and the data structure.
+
+## Overview
+
+Anonymizing data helps unlock situations where it is necessary to send data to varied teams while guaranteeing the privacy of the data owners.
+
+> For example, it can be necessary to transmit data to an integration team that needs to set up
+> tests or a development environment to work on the applicative configuration. For example, users
+> sometimes need to send data to Identity Manager's support team to reproduce a bug and get it
+> corrected.
+
+## Technical Principles
+
+Anonymizing can be performed on data:
+
+- from a CSV file, with the output written to a new CSV file;
+- directly inside a SQL database, overwriting existing data with the anonymized data.
+
+In this case, the plain data is lost. So make sure to work on a copy of the original database.
+
+Several types of data can be anonymized, according to distinct substitution methods that are deterministic and non-reversible:
+
+- **strings** have each alphabetical character substituted for another alphabetical character;
+
+ > For example, `John Doe` becomes `Xert Okl`.
+
+Diacritical characters are replaced by a non-diacritical equivalent.
+
+- **numbers** have each digit substituted for another digit;
+
+ > For example, `54689` becomes `32016`.
+
+- **emails** have the username anonymized, while leaving the domain name as is;
+
+ > For example, `johndoe@contoso.com` becomes `xertoekl@contoso.com`.
+
+- Active Directory's **RDN** properties (Relative Distinguished Names), in the _attribute=value_ format,
+are anonymized via the string method on the value, leaving the attribute as is.
+
+ > For example, `CN=John Doe` becomes `CN=Xert Okl`.
+
+## Examples
+
+### Anonymizing a CSV file
+
+The following example anonymizes the `first_name`, `last_name`, `email` and `phone` column of the following CSV file:
+
+```text
+id,first_name,last_name,email,gender,phone
+1,Darrin,Crumpe,dcrumpe0@nifty.com,Male,2666420820
+2,Lyon,Boddam,lboddam1@eepurl.com,Male,5927617041
+3,Roxana,Prose,rprose2@statcounter.com,Female,5134883113
+4,Vladimir,Grisedale,vgrisedale3@blogtalkradio.com,Male,1338476916
+5,Jaquith,Pendrich,jpendrich4@merriam-webster.com,Female,1894520819
+6,Art,Sweatland,asweatland5@boston.com,Male,5066492715
+7,Lynelle,Klammt,lklammt6@stumbleupon.com,Female,5653774981
+8,Chicky,Blatherwick,cblatherwick7@walmart.com,Male,4095068397
+9,Delilah,Kauscher,dkauscher8@de.vu,Female,9324858513
+10,Estelle,Melmeth,emelmeth9@dot.gov,Female,2176715812
+```
+
+The following command outputs the anonymized data in STDOUT.
+
+```csharp
+**./Usercube-Anonymize.exe -n C:/Projects/identitymanager/Documentation/exampleSources/Anonymizer/users.csv -s "," --columns first_name,last_name,mail:email,number:phone**
+```
+
+The output is:
+
+```text
+id,first_name,last_name,email,gender,phone
+1,Afccrp,Icqesl,aicqesl0@nifty.com,Male,6111065265
+2,Mdhp,Qhaafe,mqhaafe1@eepurl.com,Male,4665125502
+3,Chlfpf,Schnl,cschnl2@statcounter.com,Female,4230223223
+4,Imfarerc,Ocrnlafml,iocrnlafml3@blogtalkradio.com,Male,2332051621
+5,Jfkqrfg,Slpacrig,jslpacrig4@merriam-webster.com,Female,2260465226
+6,Fcf,Nalffmfpa,fnalffmfpa5@boston.com,Male,4511066524
+7,Mdplmml,Bmfeef,mbmfeef6@stumbleupon.com,Female,4143550622
+8,Igribd,Qmffglcarib,iqmffglcarib7@walmart.com,Male,0564512365
+9,Almrmfg,Bfqniglc,abfqniglc8@de.vu,Female,6360242423
+10,Lnflmml,Elmelfg,lelmelfg9@dot.gov,Female,6251524226
+```
+
+### Anonymizing a SQL Server table
+
+The following example **overwrites** the `UR_Resources` table of Identity Manager's database with anonymized data for the `C3`, `C8`, `CA`, `CB`, `CC` and `CD` columns for all resources whose `Type` is `17`.
+
+```shell
+.\Usercube-Anonymize.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" --table UR_Resources --columns "number:C3,C8,number:CA,mail:CB,number:CC,number:CD" --select-query "select * FROM UR_Resources WHERE Type = 17"
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --columns required | **Type** **strings** **Description** Columns from the CSV or SQL database that need anonymizing. **Usage** The value is a string sequence in the form `type:columname`, separated by a coma `,`, where `type` is used to choose the anonymize algorithm from among the following formats: `string` (default value); `mail`; `number`; `**RDN**`, and where `columnname` is the actual name, not case-sensitive, of the column to anonymize. |
+ | --connection-string optional | **Type** String **Description** Connection string to the SQL Server database to be anonymized. **Note:** required when anonymizing a database. |
+ | --csv-separator (-s) default value: ; | **Type** String **Description** Separator of the input CSV file, provided between simple quotes. **Note:** used **only when** anonymizing a CSV file. |
+ | --entry-file (-n) optional | **Type** String **Description** Path to the input CSV file to anonymize. **Note:** required when anonymizing a CSV file. |
+ | --no-transaction optional | **Type** No Value **Description** Disables the SQL transaction for the request made by the anonymizing tool to the target SQL Server database. **Warning:** NETWRIX recommends using this option **only when** using transactions leads to a failure (exceeded RAM usage, exceeded CPU usage), because it could corrupt the data from the database. Make sure to prepare a backup of the database before using this option. **Note:** used **only when** anonymizing a database. |
+ | --output (-o) default value: STDOUT | **Type** String **Description** Path of the output CSV file to write the anonymized data. **Note:** used **only when** anonymizing a CSV file. |
+ | --select-query (-q) optional | **Type** String **Description** SQL query to filter the rows to be anonymized. **Note:** used **only when** anonymizing a database, and useful **only when** the query includes a "WHERE" condition, otherwise the `--table` and `--columns` arguments are enough. **Usage** The table targeted by the query must be on the table specified in `--table`. **Examples** `SELECT Id, name, firstName FROM Resources WHERE resourceType = 'Person'` is a query with a simple condition. `SELECT * FROM Persons WHERE resourceType = 'Person' AND specialFlag = 'TopSecret'` selects all columns, and adds a specific condition. |
+ | --table (-t) optional | **Type** String **Description** Name of the table from the SQL Server database to be anonymized. **Note:** required when anonymizing a database. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/check-expressionsconsistency.md b/docs/identitymanager/6.3/integration-guide/executables/references/check-expressionsconsistency.md
new file mode 100644
index 0000000000..458327963e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/check-expressionsconsistency.md
@@ -0,0 +1,32 @@
+---
+title: "Usercube-Check-ExpressionsConsistency"
+description: "Usercube-Check-ExpressionsConsistency"
+sidebar_position: 390
+---
+
+# Usercube-Check-ExpressionsConsistency
+
+This tool is used to check the C# expressions consistency.
+
+## Examples
+
+The following example checks the C# expressions compatibility with Identity Manager.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+.\Usercube-Check-ExpressionsConsistency.exe --database-connection-string "data source=.;Database=UsercubeV5demo;Integrated Security=SSPI;Min Pool Size=10;Encrypt=false" --output-path "C:\UsercubeDemo\Dump"
+```
+
+In case errors are found they will be displayed as:
+
+```xml
+In Custom/User/Directory User Connector.xml(12), Method "System.Linq.Enumerable.MaxBy" cannot be called on entities.
+```
+
+## Arguments
+
+ | Argument Name | Type | Description |
+ | --- | --- | --- |
+ | --database-connection-string required | String | SQL database connection string. |
+ | --output-path | String | Full path of the folder in which the file containing expression compilation errors will be saved. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/compute-correlationkeys.md b/docs/identitymanager/6.3/integration-guide/executables/references/compute-correlationkeys.md
new file mode 100644
index 0000000000..464ef1401b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/compute-correlationkeys.md
@@ -0,0 +1,37 @@
+---
+title: "Usercube-Compute-CorrelationKeys"
+description: "Usercube-Compute-CorrelationKeys"
+sidebar_position: 40
+---
+
+# Usercube-Compute-CorrelationKeys
+
+This tool is used to compute the values of all correlation keys.
+
+## Examples
+
+The following example computes the correlation keys of the database defined by the connection string, for all entity types.
+
+```shell
+**./Usercube-Compute-CorrelationKeys.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a**
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). |
+ | --- | --- |
+ | --- | --- |
+ | --database-connection-string required | **Type** String **Description** Connection string of the database. |
+ | --- | --- |
+ | --- | --- |
+ | --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. |
+ | --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). |
+ | --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. |
+ | --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. |
+ | --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in [SelectUserByIdentityQueryHandler](../../../integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting). |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/configuration-transform.md b/docs/identitymanager/6.3/integration-guide/executables/references/configuration-transform.md
new file mode 100644
index 0000000000..f80bf03848
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/configuration-transform.md
@@ -0,0 +1,47 @@
+---
+title: "Usercube-Configuration-Transform"
+description: "Usercube-Configuration-Transform"
+sidebar_position: 50
+---
+
+# Usercube-Configuration-Transform
+
+This tool applies a series of transformations specified in a JSON file, on the content of a given directory.
+
+## Example
+
+The following example searches all occurrences of `Directory_User` in the files inside `C:/identitymanagerDemo/Conf` whose names:
+
+- contain `guest` to replace all occurrences with `Directory_Guest`;
+- contain `bot` to replace all occurrences with `Directory_Bot`.
+
+The resulting files are saved in `C:/identitymanagerDemo/ConfTransformed`.
+
+```json
+**./Usercube-Configuration-Transform.exe --input "C:/identitymanagerDemo/Conf" --output "C:/identitymanagerDemo/ConfTransformed" --transformation-file "C:/identitymanagerDemo/*transformations.json*"**
+```
+
+***transformations.json***
+
+```json
+{
+ "*guest*": {
+ "Directory_User": "Directory_Guest"
+ },
+ "*bot*": {
+ "Directory_User": "Directory_Bot"
+ }
+}
+```
+
+````
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --input required | __Type__ String __Description__ Path of the directory on which the transformations are to be applied. |
+ | --transformation-file required | __Type__ String __Description__ Path of the JSON file that contains the transformations to be applied. The first half of the following JSON transformation file intends to search all files in the input directory whose names are ```filename``` (case-insensitively). In those files, any occurrence of ```ToBeReplaced``` (case-sensitively) is replaced with ```Replacement```. ```{ "filename": { "ToBeReplaced": "Replacement" }, "partialfilename*": { "ToBeReplaced2": "Replacement2" } }``` __Note:__ instead of a specific file name, Identity Manager can search for files whose names contain a specific string, using the character ```*```.
|
+ | --- | --- |
+ | --- | --- |
+ | --output required | __Type__ String __Description__ Path of the folder where the result will be saved. |
+````
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/create-databaseviews.md b/docs/identitymanager/6.3/integration-guide/executables/references/create-databaseviews.md
new file mode 100644
index 0000000000..159fa3fc57
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/create-databaseviews.md
@@ -0,0 +1,40 @@
+---
+title: "Usercube-Create-DatabaseViews"
+description: "Usercube-Create-DatabaseViews"
+sidebar_position: 60
+---
+
+# Usercube-Create-DatabaseViews
+
+Generates entity model SQL views in the Identity Manager database. All views are prefixed by `zz_`. This tool deletes all views starting by `zz_` and creates views from the entity model described in the running configuration.
+
+For every **EntityType**, a matching SQL view is created from the UR_Resource table.
+
+## Example
+
+The following example allows the user to connect to Identity Manager server at `http://identitymanager.contoso.com`, using the ClientId `Job` and Secret `secret`, to generate views for Identity Manager's database.
+
+```shell
+./Usercube-Create-DatabaseViews.exe --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" --log-level Debug
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --progress-use-database optional | **Type** String **Description** Update progress in the SQL database. |
+ | --progress-use-database-child-instance optional | **Type** String **Description** Initiate child task instance. |
+ | --progress-use-api optional | **Type** String **Description** Update progress with the API. |
+ | --- | --- |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server.
Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
+
+You can explore created views in the Identity Manager database's Views folder in SQL Server Management Studio
+
+![SSMS Views](/images/identitymanager/identitymanager-create-databaseviews_ssms.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/csv-transform.md b/docs/identitymanager/6.3/integration-guide/executables/references/csv-transform.md
new file mode 100644
index 0000000000..1b7bdfa91f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/csv-transform.md
@@ -0,0 +1,64 @@
+---
+title: "Usercube-CSV-Transform"
+description: "Usercube-CSV-Transform"
+sidebar_position: 30
+---
+
+# Usercube-CSV-Transform
+
+## Examples
+
+### Define a primary key
+
+Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with the following headers line:
+
+`Login,Company,Email,FirstName,LastName`
+
+To avoid having too much duplicated information on each line in a CSV file, we need to define a primary key for the file which will allow the pooling of common information. We choose to concatenate the values of the columns `Login` and `Company ` with a `-` as separator in an `Id` column, which will be defined as key for our file.
+
+`--input-file C:/identitymanagerContoso/Sources/hr_example.csv --columns-concat "Login Company - ID"`--columns-key ID```
+
+### Handle multi-valued columns in a generated file
+
+Consider the file `C:/identitymanagerContoso/Sources/hr_example123.csv` with the following headers line separated by a `;`:
+
+`GroupAzure;Members;GroupSharePoint;Members`
+
+This file is automatically generated by a script and the suffix (`123`here) is incremented on each generation. Thus, we need to use a regex to avoid changing the command line for each new generated file.
+
+`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ;`
+
+The file contains two headers with the same name, each related to one kind of group. Thus, we need to rename one of these headers.
+
+`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ; --headers-edit-name "Members MembersAzure"`
+
+In this example, we will consider that the two Members columns contain all members for each group separated by a `,` for the first Members column, and by a `*` for the second one. We need to transform these columns in Identity Manager's format for multi-valued attributes.
+
+`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ; --headers-edit-name "Members MembersAzure" --columns-multivalued "MembersAzure ," "Members *"`
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --input-path required | **Type** String **Description** Specifies the CSV file to modify. **Example** Define `C:/identitymanagerContoso/Sources/hr_example.csv` as input file: `--input-file C:/identitymanagerContoso/Sources/hr_example.csv`. |
+ | --output-path optional | **Type** String **Description** Specifies the output path, which is the exports' output path by default. **Example** Define `C:/identitymanagerContoso/Test` as output folder: `--output-path "C:/identitymanagerContoso/Test"`. |
+ | --new-name optional, required **if** --regex is true | **Type** String **Description** Specifies the new name for the output file. **Example** Define new name `hr_transformed.csv`: `--new-name hr_transformed.csv`. |
+ | --input-file-encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Example** `--input-file-encoding UTF-16`. |
+ | --headers-edit-index optional | **Type** String List **Description** Specifies the headers to edit by index, which is particularly useful to rename empty headers. Each member of the list is written like `index newHeader`. **Example** Add or replace header at index 1 with `ExampleHeader` : `--headers-edit-index "1 ExampleHeader"`. |
+ | --headers-edit-name optional | **Type** String List **Description** Specifies the headers to rename (first found) with the new name. Each member of the list is written like `currentHeader newHeader`. **Example** Rename headers `CompanyId` into `Company` and `int32_1` into `int32`: `--headers-edit-name "CompanyId Company" "int32_1 int32"`.
|
+ | --headers-remove-index optional | **Type** Integer **Description** Specifies the headers to remove by index. This command can be used to remove the second occurrence of a duplicate header by specifying its index. **Example** Remove header located at index 5: `--headers-remove-index 5`. |
+ | --headers-remove-name optional | **Type** String List **Description** Specifies the headers to remove by name (first found). **Example** Remove first occurrences of headers `date1` and `bool1`: `--headers-remove-name date1 bool1`. |
+ | --new-headers optional | **Type** String List **Description** **ONLY** for files without headers, specifies the new headers **except** the ones created by the concatenation of columns. **Example** Defines `header1` and `header2` as headers of the file: `--new-headers header1 header2`. |
+ | --columns-concat optional | **Type** String List **Description** Specifies the columns to concatenate and how. Each member of the list is written like `column1Header column2Header`. If you want to specify characters between the column values, you can write `column1Header column2Header charactersBetween`. This operation creates a new column where it puts the result of the concatenation. This column header is the concatenation of the headers, but you can change it by writing the member like `column1Header column2Header charactersBetween newColumnHeader`. **Example** Concatenate columns: - `Company` and `Employee` with a `-` between them. `ID` will be the new column header. - `guid1` and `bytes1` with `_` between them. - `int32_2` and `int64_2` with nothing in between. `--columns-concat "Company Employee - ID" "guid1 bytes1 _" "int32_2 int64_2"` . |
+ | --columns-multivalued optional | **Type** String List **Description** Specifies the columns with multi-valued values not splittable with breaks. Each member of the list is written like `columnHeader separator`.
**Example** Handle columns `multivalued1`, using separator `,`, and `multivalued2`, using separator `*`: `--columns-multivalued "multivalued1 ," "multivalued2 *"`. |
+ | --columns-date optional | **Type** String List **Description** Specifies the columns with date values, and their date format, to format them into Identity Manager's format. Each member of the list is written like `columnHeader dateFormat`. **Example** Format date columns `date1` and `date2`, using the format `yyyyddMMHHmmss`: `--columns-date "date1 yyyyddMMHHmmss" "date2 yyyyddMMHHmmss"`. |
+ | --columns-bool optional | **Type** String List **Description** Specifies the columns with Boolean values to convert them into Identity Manager's format. **Example** Format Boolean columns `bool1` and `bool2`: `--columns-bool bool1 bool2`. |
+ | --columns-int32 optional | **Type** String List **Description** Specifies the columns with Int32 values to convert them into Identity Manager's format. **Example** Format Int32 columns `int32_1` and `int32_2 `: `--columns-int32 int32_1 int32_2`. |
+ | --columns-int64 optional | **Type** String List **Description** Specifies the columns with Int64 values to convert them into Identity Manager's format. **Example** Format Int64 columns `int64_1`and `int64_2`: `--columns-int64 int64_1 int64_2`. |
+ | --columns-guid optional | **Type** String List **Description** Specifies the columns with Guid values to convert them into Identity Manager's format. **Example** Format Guid columns `guid1`and `guid2`: `--columns-guid guid1 guid2`. |
+ | --columns-bytes optional | **Type** String List **Description** Specifies the columns with Bytes values to convert them into Identity Manager's format. **Example** Format Bytes columns `bytes1` and `bytes2`: `--columns-bytes bytes1 bytes2`. |
+ | --columns-key optional | **Type** String List **Description** Specifies the columns key to delete duplicates (the first line found is the one we keep).
A column created by this tool can be specified as a key column through this argument, like the columns created by the `--columns-concat` for example. **Example** Define columns `RawId` and `ID` as keys: `--columns-key RawId ID`. |
+ | --- | --- |
+ | --- | --- |
+ | --regex optional | **Type** No Value **Description** The file name is a regex so we find the last generated corresponding file. |
+ | --separator optional | **Type** String **Description** Defines the separator if different than `,`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/decrypt-file.md b/docs/identitymanager/6.3/integration-guide/executables/references/decrypt-file.md
new file mode 100644
index 0000000000..7d4a94ff2f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/decrypt-file.md
@@ -0,0 +1,30 @@
+---
+title: "Usercube-Decrypt-File"
+description: "Usercube-Decrypt-File"
+sidebar_position: 70
+---
+
+# Usercube-Decrypt-File
+
+In Identity Manager, files are encrypted by default. This tool decrypts an input file to save it into an output file or an OutPutConsole that can be used in Powershell scripts or programs.
+
+## Examples
+
+### Result loaded in OutPutConsole (PowerShell Script)
+
+The following example, used in a Powershell script, saves in the variable `decryptFile` the string obtained by decrypting the files specified by the `ordersFile` variable. The decryption is made using the agent side certificate defined in the agent's `appsettings.json`.
+
+```shell
+**$decryptFile = & ./Usercube-Decrypt-File.exe --files $ordersFile**
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --files (-f) required | **Type** String **Description** List of all the files to decrypt. |
+ | --encoding (-e) default value: UTF-8 | **Type** String **Description** Encoding used for any encryption/decryption. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). |
+ | --output-path (-o) optional | **Type** String **Description** Output path to save all decrypted files. **Note:** used only when the result is saved in a file. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/deploy-configuration.md b/docs/identitymanager/6.3/integration-guide/executables/references/deploy-configuration.md
new file mode 100644
index 0000000000..c7d7ae34f5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/deploy-configuration.md
@@ -0,0 +1,64 @@
+---
+title: "Usercube-Deploy Configuration"
+description: "Usercube-Deploy Configuration"
+sidebar_position: 80
+---
+
+# Usercube-Deploy Configuration
+
+Retrieves all XML configuration files from a given folder, in order to calculate the configuration items to insert, update or delete in the application.
+
+## Examples
+
+**Locally**
+
+The following example deploys an on-premise configuration via a direct connection to the database through its connection string:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+./Usercube-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"
+```
+
+**Remotely**
+
+The following example deploys a SaaS configuration via an HTTP POST request to the server of the remote configuration:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+./Usercube-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --api-url https://my_usercube_instance.com
+```
+
+:::info
+ To be able to deploy a SaaS configuration, you must first provide your Identity Manager administrator with identity information. See the [Deploy the Configuration](../../../integration-guide/toolkit/deploy-configuration) topic for additional information.
+:::
+## Arguments
+
+The table below displays the arguments for the Identity Manager configuration deployment.
+
+ | Argument Name | Type | Description |
+ | --- | --- | --- |
+ | --configuration-directory (-d) required | String | Path to the configuration folder. |
+ | --continuous-deployment (-a) optional | No Value | Enables automatic deployment when saving an XML file. |
+ | --deployment-slot optional | DeploymentSlot | Type of the targeted server among the slot names provided by Netwrix' SaaS team.
For example: Development, Staging, Production. it is required when working in a SaaS production environment. |
+ | --dump-changes-directory optional | String | Path to a directory that will receive the logs of all modifications made to the database. _Remember,_ it can be used with --simulate-only for an additional security before deploying to production. |
+ | --enable-saas-checks optional | No Value | Enables the checks necessary to deploy in a SaaS environment. _Remember,_ it is enabled automatically when working in SaaS. This argument can be used when deploying locally in order to anticipate a future SaaS deployment. |
+ | --force-bindings (-bi) optional | No Value | Forces the recomputation of binding paths in the database. |
+ | --force-cascade-delete optional | No Value | Enables the deletion or archiving of XML configuration items that require extra care and/or approval, usually for dependency issues. _Remember,_ Netwrix recommends using this option only when prompted by the deployment tool. |
+ | --force-categories (-c) optional | No Value | Forces the recomputation of the counters for role categories in the database. |
+ | --force-expressions (-e) optional | No Value | Forces the recomputation of C# expressions in the database. |
+ | --force-permissions (-p) optional | No Value | Forces the recomputation of access permissions in the database. |
+ | --force-translations optional | No Value | Forces the recomputation of the translations for the activity template states and the internal display name properties in the database. |
+ | --http-client-timeout-supplement optional | Int32 | Duration (in minutes) after which the deployment command times out, in addition to the default 30 minutes. |
+ | --no-create-index optional | No Value | Disables the creation of indexes related to the configuration. _Remember,_ Netwrix recommends using this option only when advised by the support team.
|
+ | --reset-database optional | No Value | Deletes the whole database and creates an empty one before deploying. |
+ | --resource-identity-property optional | String | Overrides the resource identity property used by the **SelectUserByIdentityQueryHandler** settings. |
+ | --simulate-only optional | No Value | Computes and previews on the screen all the changes to be made, but without editing the database. |
+ | --api-client-id optional | String | Login of the account authorized by Netwrix for configuration export/deployment in a SaaS environment. **NOTE:** It will be deprecated soon, rather contact the support team. |
+ | --api-secret optional | String | Password of the account authorized by Netwrix for configuration export/deployment in a SaaS environment. **NOTE:** It will be deprecated soon, rather contact the support team. |
+ | --api-url optional | String | URL of the server to export/deploy the configuration to, for remote changes. _Remember,_ it is required when --database-connection-string is not specified. |
+ | --database-connection-string optional | String | Connection string of the database. _Remember,_ it is required when --api-url is not specified. |
+ | --product-translation optional | No Value | Path of the JSON file that contains the application's translations. See the [Import Product Translations into Identity Manager](../../../integration-guide/ui/producttranslations) topic for more details on how to import the product's translations. |
+ | --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate.md b/docs/identitymanager/6.3/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate.md
new file mode 100644
index 0000000000..21d32ab634
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate.md
@@ -0,0 +1,61 @@
+---
+title: "Usercube-EasyVistaTicket-UpdateFulfillmentState"
+description: "Usercube-EasyVistaTicket-UpdateFulfillmentState"
+sidebar_position: 90
+---
+
+# Usercube-EasyVistaTicket-UpdateFulfillmentState
+
+The use of this executable supposes a previous use of the `Usercube-Fulfill-ToEasyVistaTicket` executable.
+
+`Usercube-Fulfill-ToEasyVistaTicket` creates tickets in an EasyVista instance: `Usercube-EasyVistaTicket-UpdateFulfillmentState` sets the fulfillment state of the corresponding assigned resource types in Identity Manager for tickets that are closed (`Executed`) or canceled (`Error`).
+
+## Examples
+
+### Connector specified
+
+When specifying `--connector`, there is no need to specify `--resource-types`:
+
+`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifier can be also given instead of the id:
+
+`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+In this example, for all resource types that have a target entity type of the connector `EasyVista`, we set the fulfillment state of the corresponding assigned resource types.
+
+### Resource types specified
+
+When specifying `--resource-types`, there is no need to specify `--connector`:
+
+`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifiers can be also given instead of the id:
+
+`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+In this example, for the resource types `EasyVista_NominativeUser` and `EasyVista_Administrator`, we set the fulfillment state of the corresponding assigned resource types.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an[OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+ | --- | --- |
+ | --- | --- |
+ | --url required | **Type** String **Description** EasyVista API Endpoint URL. |
+ | --account required | **Type** String **Description** EasyVista account. |
+ | --login required | **Type** String **Description** Path of the file used for complete synchronization.
|
+ | --password required | **Type** String **Description** EasyVista server password. |
+ | --- | --- |
+ | --- | --- |
+ | --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. |
+ | --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. |
+ | --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. |
+ | --vault optional | **Type** String **Description** Vault uri. |
+ | --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. |
+ | --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. |
+ | --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/encrypt-file.md b/docs/identitymanager/6.3/integration-guide/executables/references/encrypt-file.md
new file mode 100644
index 0000000000..8fea46bb51
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/encrypt-file.md
@@ -0,0 +1,37 @@
+---
+title: "Usercube-Encrypt-File"
+description: "Usercube-Encrypt-File"
+sidebar_position: 100
+---
+
+# Usercube-Encrypt-File
+
+In Identity Manager, files are encrypted by default. This tool encrypts an input file or the InputConsole of a Powershell program or file to save it as an encrypted output file. This task cannot be configured in the configuration.
+
+## Examples
+
+### Launch the tools with input console (powershell script)
+
+The following example, used in a Powershell script, decrypts the file(s) specified by the `csvResult` variable and saves the result in the location specified in `resultsFile`. The encryption is made using the certificate's thumbprint, store location and store name.
+
+```shell
+$csvResult | & ./Usercube-Encrypt-File.exe --file-cert-thumbprint $certificateThumbprint --file-cert-store-location $certificateStoreLocation --file-cert-store-name $certificateStoreName --output-path $resultsFile
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --files (-f) optional | **Type** String **Description** List of all the files to encrypt. **Note:** required when the entry is made of files. |
+ | --output-path (-o) optional | **Type** String **Description** Output path to save the encrypted files or input console. |
+ | --- | --- |
+ | --- | --- |
+ | --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. |
+ | --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. |
+ | --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. |
+ | --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store.
|
+ | --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. |
+ | --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/export-bacpac.md b/docs/identitymanager/6.3/integration-guide/executables/references/export-bacpac.md
new file mode 100644
index 0000000000..356d29360a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/export-bacpac.md
@@ -0,0 +1,38 @@
+---
+title: "Usercube-Export-Bacpac"
+description: "Usercube-Export-Bacpac"
+sidebar_position: 10
+---
+
+# Usercube-Export-Bacpac
+
+This tool exports the database to a bacpac file, as a backup.
+
+## Examples
+
+The following example generates to `C:/identitymanagerDemo` a bacpac file from the Identity Manager database with the given connection string and based on the bacpac template from the SQL folder.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```shell
+./Usercube-Export-Bacpac.exe --database "" -s "" --bacpac-path 0 --template-bacpac-path ""
+```
+
+## Arguments
+
+The list of arguments:
+
+ | Argument Name | Type | Description |
+ | --- | --- | --- |
+ | --database-connection-string (-s) required | String | Connection string of the database. |
+ | --database required | String | Name of the database. |
+ | --template-bacpac-path required | String | Path of the empty bacpac file or dacpac file containing the database schema. The database export tool includes a .dacpac file, ``, in the Runtime folder and should be used as the value for this parameter. It can be generated manually by exporting an empty Identity Manager database. |
+ | --temp-bacpac-path optional | String | Path of the temporary folder storing the database's data. |
+ | --bacpac-path required | String | Path of the generated bacpac file. |
+ | --without-history default value: false | Boolean | True to exclude history data. |
+ | --without-job-instances default value: false | Boolean | True to exclude job and task instances. |
+ | --without-workflow-instances default value: false | Boolean | True to exclude workflow instances. |
+ | --without-campaign-instances default value: false | Boolean | True to exclude access certification campaign items. |
+ | --without-temp default value: false | Boolean | True to exclude the data of temporary tables.
|
+ | --without-all default value: false | Boolean | True to exclude history data, job and task instances, workflow instances and access certification campaign items. _Remember,_ this option represents the usual use-case. |
+ | --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/export-configuration.md b/docs/identitymanager/6.3/integration-guide/executables/references/export-configuration.md
new file mode 100644
index 0000000000..f21c023509
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/export-configuration.md
@@ -0,0 +1,147 @@
+---
+title: "Usercube-**export**-Configuration"
+description: "Usercube-**export**-Configuration"
+sidebar_position: 110
+---
+
+# Usercube-**export**-Configuration
+
+Generates in a folder the files of the configuration found in the database.
+
+While the **deployment** process is about taking the configuration elements from the XML files to insert them in the database, the **export** process is about taking the configuration elements from the database to generate XML files:
+
+- A basic **export** will **export** the XML configuration that was latest deployed to the database,
+including images like logos and favicons;
+- A **marked** **export** will **export** the whole configuration as XML files, including the configuration
+elements **created via the UI**;
+
+As Identity Manager can be configured by writing manually in XML files and/or using the UI, the **marked** **export** helps combining both.
+
+Netwrix Identity Manager (formerly Usercube) recommends configuring Identity Manager via the UI as much as possible, and completing the configuration via XML files when needed.
+
+- a basic **export** will **export** the translation JSON files;
+- a scaffolding **export** will **export** the XML configuration generated by scaffoldings.
+
+![Schema - **export** Process](/images/identitymanager/identitymanager-export-configuration.webp)
+
+For **all** **export** types, Netwrix Identity Manager (formerly Usercube) recommends using as output directory a folder other than the one containing the old XML configuration. This way, the exported configuration does not overwrite the old one, and:
+
+- the changes can be clearly viewed in a file comparison tool;
+- the interesting changes can be selected individually and inserted in the old configuration, to
+update the configuration while keeping any manual changes such as comments.
+
+### Focus on the **marked** **export**
+
+By default, the configuration elements **created via the UI** are stored in the database just like the rest of the configuration, but they are not included in **deployment** and **export** processes.
+
+While UI elements **are not marked**, they are not included in the XML/database comparison performed during the configuration **deployment** process. It means that deploying any configuration will not affect UI elements.
+
+On the other hand, once UI elements **are marked**, they will be included in the XML/database comparison performed during the next configuration **deployment** process. Then, if these UI elements are not in the deployed XML files, they will be removed from the database.
+
+Be careful about what configuration to deploy and **export**.
+
+When configuring through both the UI and XML files, make sure to:
+
+- **export** **all** UI modifications before making changes in XML files and deploying the configuration
+again;
+- Deploy **all** XML modifications before making changes in the UI and exporting the configuration
+again.
+
+## Examples
+
+### Locally vs. remotely
+
+The following example exports an on-premise configuration via a direct connection to the database through its connection string:
+
+```shell
+./Usercube-**export**-Configuration.exe -d "C:/identitymanager/ExportedConf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"
+```
+
+The following example exports a SaaS configuration via an HTTP POST request to the server of the remote configuration:
+
+```shell
+**./Usercube-**export**-Configuration.exe -d "C:/identitymanager/ExportedConf" --api-url https://my_usercube_instance.com**
+```
+
+To be able to **export** a SaaS configuration, you must first provide your Identity Manager administrator with identity information. See the [**export** the Configuration](../../../integration-guide/toolkit/export-configuration) topic for additional information.
+
+### Basic **export** for a change of environment
+
+The following example exports **all** configuration elements of the database as a set of XML files, to the `C:/identitymanager/ExportedConf` folder, for example to move from the pre-production environment to the production environment.
+
+```shell
+./Usercube-**export**-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf"
+```
+
+**all** XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML files, generated based on the configuration elements from the database.
+
+The default behavior of this tool exports **all** XML files, from the configuration elements stored in the database and the XML/database relationships, as well as logos and favicons. **Translations are not exported**.
+
+**Most modifications made in the UI will be ignored too**.
+
+### **export** UI configuration elements outside the role model
+
+The following example exports **all** configuration elements as a set of XML files, including the configuration modifications made through the UI, **except any elements linked to the role model**.
+
+```shell
+./Usercube-**export**-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-**export**
+```
+
+**all** XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML files, generated based on the configuration elements from the database, **including UI elements** (not role-model-related) that are now **marked** for **export**.
+
+### **export** **all** UI configuration elements
+
+The following example exports **all** configuration elements as a set of XML files, including **all** configuration modifications made through the UI, especially role-model-related elements.
+
+```shell
+./Usercube-**export**-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-**export** --mark-rolemodel-for-**export**
+```
+
+**all** XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML files, generated based on the configuration elements from the database, including **all** UI elements that are now **marked** for **export**.
+
+### **export** translation files
+
+The following example exports to `C:/identitymanager/ExportedConf` the JSON translation files stored in the database, one per language, replacing the ancient versions potentially pre-existing in the output directory.
+
+```shell
+./Usercube-**export**-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --**export**-translation
+```
+
+### **export** scaffoldings for debug
+
+The following example exports XML files containing the configuration generated by **all** scaffoldings. It exports one folder per scaffolding type, and in each folder one XML file per scaffolding, containing the configuration generated by the scaffolding.
+
+```shell
+./Usercube-**export**-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ConfScaffoldings" --**export**-scaffolding
+```
+
+**all** XML files from `C:/identitymanager/ConfScaffoldings` are removed and replaced with the new set of XML files, generated based on the scaffoldings from the configuration.
+
+The scaffolding **export**'s output is meant only for viewing in debug situations and **must not be inserted in the configuration**.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --configuration-directory (-d) required | **Type** String **Description** Path of a directory that will receive the exported configuration. |
+ | --default-file optional | **Type** String **Description** Path of the file where configuration items are stored by default, when they are not related to a predefined storing file. **Note:** when not specified, these items are not exported. |
+ | --**export**-scaffolding optional | **Type** No Value **Description** Exports **all** scaffoldings and the scaffolded items, i.e. **all** items generated by scaffoldings. |
+ | --**export**-translation optional | **Type** No Value **Description** Exports the JSON files containing **all** translations, by language. |
+ | --format-configuration optional | **Type** No Value **Description** Formats the configuration from the folder specified in `--configuration-directory`, in order to correspond to the **export** result. |
+ | --mark-for-**export** optional | **Type** No Value **Description** Exports **all** configuration elements that were **created via the UI**, except for those linked to the role model, i.e. the elements exported by the `--mark-rolemodel-for-**export**` option. |
+ | --mark-rolemodel-for-**export** optional | **Type** No Value **Description** Exports **all** the configuration elements linked to the role model: `SingleRole`; `CompositeRole`; `SingleRoleRule`; `CompositeRoleRule`; and the following rules when they are linked to a role: `PendingApprovalRule`; `ResourceNavigationRule`; `ResourceScalarRule`; `ResourceTypeRule`; `ResourceBinaryRule`. **Warning:** this argument cannot be used without the `--mark-for-**export**` option. |
+ | --**marked**-paths optional | **Type** String List **Description** Identifiers of the elements configured through the UI that need to be exported and thus **marked** for **export**. **Note:** used to **export** specific elements, while the `--mark-*-for-**export**` options are meant to **export** whole packages of elements. |
+ | --- | --- |
+ | --- | --- |
+ | --api-client-id optional | **Type** String **Description** Login of the account authorized by Netwrix Identity Manager (formerly Usercube) for configuration **export**/**deployment** in a SaaS environment. **Note:** soon deprecated, rather contact the support team. |
+ | --api-secret optional | **Type** String **Description** Password of the account authorized by NETWRIX for configuration **export**/**deployment** in a SaaS environment. **Note:** soon deprecated, rather contact the support team. |
+ | --api-url optional | **Type** String **Description** URL of the server to **export**/deploy the configuration to, for remote changes. **Note:** required when `--database-connection-string` is not specified. |
+ | --- | --- |
+ | --- | --- |
+ | --database-connection-string optional | **Type** String **Description** Connection string of the database. **Note:** required when `--api-url` is not specified. |
+ | --product-translation optional | **Type** No Value **Description** Path of the JSON file that contains the application's translations. See the [Import Product Translations into Identity Manager](../../../integration-guide/ui/producttranslations) topic for additional information. |
+ | --scope optional | **Type** String **Description** Path of a folder or file to **export**/deploy, instead of exporting/deploying the whole configuration. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/export-csv.md b/docs/identitymanager/6.3/integration-guide/executables/references/export-csv.md
new file mode 100644
index 0000000000..c27a89e589
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/export-csv.md
@@ -0,0 +1,57 @@
+---
+title: "Usercube-Export-Csv"
+description: "Usercube-Export-Csv"
+sidebar_position: 120
+---
+
+# Usercube-Export-Csv
+
+## Examples
+
+### Exporting a file respecting the default parameters
+
+Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with `,` as separator and `UTF8` encoding, it can be exported with the command:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput`
+
+The output file will be located in `C:/identitymanagerContoso/Temp/ExportOutput/HREXAMPLE.csv` and the content will be a copy of `hr_example.csv`'s one and an `UTF8` encoding.
+
+### Define a separator
+
+Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with `;` as separator.
+
+As `,` is considered to be the default separator, we must set it:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --separator ;`
+
+The result's content will be the same but with `,` as separator.
+
+### Use a regex file name
+
+Consider that you deal with a generated file that follows the regex: `C:/identitymanagerContoso/Sources/hr_example(.*?).csv`, for example `C:/identitymanagerContoso/Sources/hr_example5fH8g1.csv`. If several files match with the regex, the executable uses the last one that was generated.
+
+You can put your regex and precise that it is one with the `--regex` argument:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example(.*?).csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --regex`
+
+## Use the Path Duality and the Not-Launch-Export System
+
+In a larger context, the export might be used for complete or incremental synchronization. That is why it has two paths: `--raw-files-path` for complete synchronizations, `--path-incremental` for incremental ones.
+
+In the export's scope, it only means one thing, what path must be used depends on `--ignore-cookies`: its presence meaning that we are in a complete synchronization context and we use `--raw-files-path`; its absence that we are in an incremental one and we use `--path-incremental`.
+
+It means that if the user gives `--ignore-cookies` and not `--raw-files-path`, or if they give neither `--ignore-cookies` nor `--path-incremental`, the export will not be launched to prevent any problem (complete data for an incremental synchronization for example). The `--force-complete` argument bypasses this security: in the product, it is used for the initialization job, where we want to perform a complete synchronization, even for CSV connections with only an incremental path.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. |
+ | --output-path required | **Type** String **Description** Output path for the files generated by the export. |
+ | --- | --- |
+ | --- | --- |
+ | --ignore-cookies optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. |
+ | --- | --- |
+ | --- | --- |
+ | --regex optional | **Type** No Value **Description** The file name is a regex so we find the last generated corresponding file. |
+ | --separator optional | **Type** String **Description** Defines the separator if different than `,`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/export-easyvista.md b/docs/identitymanager/6.3/integration-guide/executables/references/export-easyvista.md
new file mode 100644
index 0000000000..8dd7d9e7b4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/export-easyvista.md
@@ -0,0 +1,47 @@
+---
+title: "Usercube-Export-EasyVista"
+description: "Usercube-Export-EasyVista"
+sidebar_position: 130
+---
+
+# Usercube-Export-EasyVista
+
+This tool is made to export entities from an EasyVista instance to CSV files.
+
+The hardcoded entities named `Employees` can be fetched directly using the URL of the EasyVista instance. To export other entities, you have to create a view of your data on EasyVista to be able to fetch an `internalquery`.
+
+## Examples
+
+### Exporting entities by specifying attributes
+
+It is possible to export data by specifying the attribute names to fetch, for each exported table:
+
+```json
+--url "https://test-fr-vp-01.easyvista-training.com" --login "usercube" --password "usercube2021" --connection-identifier "ConnectionEasyVista" --attributes "table1=[NAME_FR, LOGIN]|table2=[NAME_EN, PROFIL]|Employee=[EMPLOYEE_ID]" --output-path "C:/EasyVistaExport" --account "{account}" --cookie-path "C:/EasyVistaExport" --log-level Verbose --fetching-urls "HTTPS://test-fr-vp-01.easyvista-training.com/api/v1/50011/internalqueries?queryguid={3226F4FE-F3FC-4301-965A-32E546707BD0}&filterguid={9F3146C5-4EE0-4D1A-A4B9-8DC87A63C4E4}&viewguid={99E2223F-C1E0-4A14-87E8-C39C14325C03}" "HTTPS://test-fr-vp-01.easyvista-training.com/api/v1/50011/internalqueries?queryguid={57667FCD-134B-48A7-A188-CE700EF02C15}&filterguid={B4B3A15D-1DE2-41B5-91A7-A8E8343784E1}&viewguid={DB9C013B-28E0-45C8-A4C2-79E7D43C5421}" --entity-names "table1" "table2"
+```
+
+### Exporting entities using entities defined in configuration
+
+It is also possible to export data by specifying the Identity Manager's server URL, so the export tool automatically fetches the entity type mapping property names linked to the specified connection:
+
+```json
+--url "https://test-fr-vp-01.easyvista-training.com" --login "usercube" --password "usercube2021" --connection-identifier "ConnectionEasyVista" --output-path "C:/EasyVistaExport" --account "{account}" --cookie-path "C:/EasyVistaExport" --log-level Verbose --fetching-urls "HTTPS://test-fr-vp-01.easyvista-training.com/api/v1/50011/internalqueries?queryguid={3226F4FE-F3FC-4301-965A-32E546707BD0}&filterguid={9F3146C5-4EE0-4D1A-A4B9-8DC87A63C4E4}&viewguid={99E2223F-C1E0-4A14-87E8-C39C14325C03}" "HTTPS://test-fr-vp-01.easyvista-training.com/api/v1/50011/internalqueries?queryguid={57667FCD-134B-48A7-A188-CE700EF02C15}&filterguid={B4B3A15D-1DE2-41B5-91A7-A8E8343784E1}&viewguid={DB9C013B-28E0-45C8-A4C2-79E7D43C5421}" --entity-names "table1" "table2" --api-url "http://localhost:5000" --api-client-id Job --api-secret secret
+```
+
+For each exported table, there is a resulting CSV file containing exported data.
+
+The server has to be running.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --attributes optional | **Type** String list **Description** List of attributes to enrich the research. Format is: ```-at "Table1=[last_name, begin_of_contract, department_id, location_id] | Table2=[profile_id, e_mail]"``` |
+ | --fetching-urls required **if** --entity-names is set | **Type** String list **Description** The specific URLs to fetch data, corresponding to entity names. It must be the same length and have the same order as `--entity-names`. |
+ | --entity-names required **if** --fetching-urls is set | **Type** String list **Description** The corresponding table names to fetch data, corresponding to fetching URLs. It must be the same length and have the same order as `--fetching-urls`. |
+ | --- | --- |
+ | --- | --- |
+ | --url required | **Type** String **Description** EasyVista API Endpoint URL. |
+ | --account required | **Type** String **Description** EasyVista account. |
+ | --login required | **Type** String **Description** Path of the file used for complete synchronization. |
+ | --password required | **Type** String **Description** EasyVista server password. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/export-excel.md b/docs/identitymanager/6.3/integration-guide/executables/references/export-excel.md
new file mode 100644
index 0000000000..6443bc7d38
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/export-excel.md
@@ -0,0 +1,68 @@
+---
+title: "Usercube-Export-Excel"
+description: "Usercube-Export-Excel"
+sidebar_position: 140
+---
+
+# Usercube-Export-Excel
+
+## Examples
+
+### Exporting a file respecting the default parameters
+
+Consider the file `C:/identitymanagerContoso/Sources/hr_example.xlsx` with `UTF8` encoding, it can be exported using these command's arguments:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput`
+
+The output file(s) will be located in `C:/identitymanagerContoso/Temp/ExportOutput/`. Their number corresponds to the number of sheets in the XLSX file and they would be labeled: `HREXAMPLE_0.csv`, `HREXAMPLE_1.csv`, ... `HREXAMPLE_n-1.csv` where n corresponds to the amount of spread sheets of the XLSX file. The encoding is `UTF8` and the separator is `,`.
+
+### Skipping some file's lines
+
+The possibility to skip lines is made available using the `--lines-to-skip` argument:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --lines-to-skip 10`
+
+As a consequence, the exported file would include the content of the XLSX file without the ten first lines.
+
+### Regex in file name
+
+Considering a generated file following the regex: `C:/identitymanagerContoso/Sources/hr_example(.*?).xlsx`, for instance `C:/identitymanagerContoso/Sources/hr_example5fH8g1.xlsx`, if several files match with the regex, the executable would use the most recent one.
+
+The regex can be included in the filename and would need to be precised using the `--is-regex` argument:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example(.*?).xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --is-regex`
+
+### Choosing value to trim
+
+It's possible to precise characters to trim using the `--values-to-trim` argument:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --values-to-trim e`
+
+The CSV output file will see every words beginning and ending by "e" (lower-case, this process is case sensitive) removed of this letter.
+
+### Ignoring particular sheets
+
+The `--sheets-ignored` argument allows the user to specify for each sheet if it should be ignored during the export. More precisely, a list of true or false arguments should be specified respectively to the sheets. Let's say the `C:/identitymanagerContoso/Sources/hr_example.xlsx` file possesses three sheets, in order to export the first and the last ones the arguments would be:
+
+`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --sheets-ignored false true true false`
+
+Thus, two CSV files would be created corresponding to the the chosen ones: `HREXAMPLE_0.csv` and `HREXAMPLE_3.csv`.
+
+## Path Duality and the Not-Launch-Export System
+
+The export executable might be used for a complete or an incremental synchronization. Thus, it possesses two paths that could be precised - depending on the case - with the `--raw-files-path` for complete synchronizations argument or the `--path-incremental` for incremental ones.
+
+At the end of the day, the `--not-incremental` argument defines the export behavior: if present it means a complete synchronization should be performed and the `--raw-files-path` argument must be precised; if missing an incremental synchronization would be performed using `--path-incremental`.
+
+It means that if the user provide the `--not-incremental` argument and no `--raw-files-path`, or if the user doesn't provide `--not-incremental` nor `--path-incremental`, the export will not be launched to prevent any issue (complete data for an incremental synchronization for instance). The `--force-complete` argument bypasses this safeguard: during the initialization job for example, where we want to perform a complete synchronization, even for Excel connections with only an incremental path.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --not-incremental optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. |
+ | --is-regex optional | **Type** No Value **Description** The file's name is a regex so we find the last generated corresponding file. |
+ | --- | --- |
+ | --- | --- |
+ | --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. |
+ | --output-path required | **Type** String **Description** Output path for the files generated by the export. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/export-scim.md b/docs/identitymanager/6.3/integration-guide/executables/references/export-scim.md
new file mode 100644
index 0000000000..4a899d7696
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/export-scim.md
@@ -0,0 +1,63 @@
+---
+title: "Usercube-Export-Scim"
+description: "Usercube-Export-Scim"
+sidebar_position: 150
+---
+
+# Usercube-Export-Scim
+
+This tool is made to export entries from a SCIM API to CSV files.
+
+## Examples
+
+### Exporting entities by specifying attributes
+
+It is possible to export data by specifying the attribute names to fetch, for each exported table:
+
+```text
+--server "https://scim-server.com" --connection-identifier "ConnectionSCIM" --output-path "C:/SCIMExport" --cookie-path "C:/SCIMExport" --log-level Verbose --login "usercube" --password "usercube2021" --filter-entities "Users|username eq \"john\";username name:givenName|familyName"
+```
+
+### Exporting entities using entities defined in configuration
+
+It is also possible to export data by specifying the Identity Manager's server URL, so the export tool automatically fetches the entity type mapping property names linked to the specified connection:
+
+```text
+--server "https://scim-server.com" --login "usercube" --password "usercube2021" --connection-identifier "ConnectionSCIM" --output-path "C:/SCIMExport" --cookie-path "C:/SCIMExport" --log-level Verbose --api-url "http://localhost:5000" --api-client-id Job --api-secret secret
+```
+
+The server has to be running.
+
+### Exporting entities with a token authentication
+
+It is possible to export data by specifying the attribute names to fetch, for each exported table:
+
+```text
+--server "https://scim-server.com" --connection-identifier "ConnectionSCIM" --output-path "C:/SCIMExport" --cookie-path "C:/SCIMExport" --log-level Verbose --oauth-token "MyToken" --filter-entities "Users|username eq \"john\";username name:givenName|familyName"
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --cookie-path required | **Type** String **Description** Path of the cookie file for incremental export. |
+ | --filter-entities optional | **Type** String **Description** List of the non group entities and corresponding attributes to export. Syntax: EntityNameInSCIM1 |
+ | --filter-entities-group optional | **Type** String **Description** Works as �filter-entities but for entities with members. Syntax: EntityNameInSCIM1 |
+ | --attributes-in-filter optional | **Type** No Value **Description** Specifies true if the server is not available and the entities and their attributes to export are given in the filter-entities and filter-entities-group arguments. |
+ | --- | --- |
+ | --- | --- |
+ | --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. |
+ | --output-path required | **Type** String **Description** Output path for the files generated by the export. |
+ | --- | --- |
+ | --- | --- |
+ | --ignore-cookies optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. |
+ | --- | --- |
+ | --- | --- |
+ | --server required | **Type** String **Description** URL of the SCIM endpoints of your application, not including the v2. |
+ | --login optional | **Type** String **Description** Specifies the login of the account you may need. |
+ | --password optional | **Type** String **Description** Specifies the password of the account you may need. |
+ | --application-id optional | **Type** String **Description** Specifies the application connection login or the login of your application's id provider. |
+ | --application-key optional | **Type** String **Description** Specifies the application connection password or the password of your application's id provider. |
+ | --oauth-url optional | **Type** String **Description** The server's url when using OAuth2 authentication. |
+ | --oauth-token optional | **Type** String **Description** Specifies the OAuth token to connect to the application. |
+ | --scim-syntax optional | **Type** Enum **Description** Specifies the syntax used for requests body. Has to be one of those values: Salesforce (default value) or CyberArk |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/fillbankingdatabase.md b/docs/identitymanager/6.3/integration-guide/executables/references/fillbankingdatabase.md
new file mode 100644
index 0000000000..cc11fd2585
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/fillbankingdatabase.md
@@ -0,0 +1,25 @@
+---
+title: "Usercube-FillBankingDatabase"
+description: "Usercube-FillBankingDatabase"
+sidebar_position: 160
+---
+
+# Usercube-FillBankingDatabase
+
+## Example
+
+### Import the banking sources to the BankingSystem database.
+
+The Banking demo application uses a database named `BankingSystem`. Once the database is created, the tables should be created and the sources should be imported, otherwise the Banking demo application will be empty.
+
+Consider that the database's connection string is `"data source=.;Database=BankingSystem;"`, the sources are located in the `C:/SDK/DemoApps/Sources` folder, and the `BankingSystemTables` script is located in `C:/SDK/DemoApps/Banking`. We initialize the database to create its tables, and import the sources.
+
+`--connection-string "data source=.;Database=BankingSystem;" --sources-path C:/SDK/DemoApps/Sources --banking-sql-path C:/SDK/DemoApps/Banking`
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --banking-sql-path required | **Type** String **Description** Specifies the path to the folder containing the `BankingSystemTables.sql` file. **Example** Set path to `C:/SDK/DemoApps/Banking`: `--connection-string "data source=.;Database=BankingSystem;"`. |
+ | --connection-string required | **Type** String **Description** Specifies the connection string of the `BankingSystem` database. **Example** Set the connection string's data source to the local machine: `--connection-string "data source=.;Database=BankingSystem;"`. |
+ | --sources-path required | **Type** String **Description** Specifies the path to the banking sources folder. **Example** Set path to `C:/SDK/DemoApps/Sources`: `--sources-path C:/SDK/DemoApps/Sources`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-easyvista.md b/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-easyvista.md
new file mode 100644
index 0000000000..76af57e027
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-easyvista.md
@@ -0,0 +1,55 @@
+---
+title: "Usercube-Fulfill-EasyVista"
+description: "Usercube-Fulfill-EasyVista"
+sidebar_position: 170
+---
+
+# Usercube-Fulfill-EasyVista
+
+This executable creates, updates and archives employees in an EasyVista instance.
+
+## Examples
+
+### Connector specified
+
+When specifying `--connector`, there is no need to specify `--resource-types`:
+
+`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifier can be also given instead of the id:
+
+`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+### Resource types specified
+
+When specifying `--resource-types`, there is no need to specify `--connector`:
+
+`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifiers can be also given instead of the id:
+
+`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server.
Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+ | --- | --- |
+ | --- | --- |
+ | --url required | **Type** String **Description** EasyVista API Endpoint URL. |
+ | --account required | **Type** String **Description** EasyVista account. |
+ | --login required | **Type** String **Description** Path of the file used for complete synchronization. |
+ | --password required | **Type** String **Description** EasyVista server password. |
+ | --- | --- |
+ | --- | --- |
+ | --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. |
+ | --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. |
+ | --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. |
+ | --vault optional | **Type** String **Description** Vault uri. |
+ | --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. |
+ | --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. |
+ | --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-scim.md b/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-scim.md
new file mode 100644
index 0000000000..ff197c8265
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-scim.md 
@@ -0,0 +1,50 @@
+---
+title: "Usercube-Fulfill-Scim"
+description: "Usercube-Fulfill-Scim"
+sidebar_position: 180
+---
+
+# Usercube-Fulfill-Scim
+
+This executable creates, updates and deleles entries in an application using the SCIM API.
+
+## Examples
+
+### Connector specified
+
+When specifying `--connector`, there is no need to specify `--resource-types`:
+
+`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifier can be also given instead of the id:
+
+`--connector "SCIM" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+### Resource types specified
+
+When specifying `--resource-types`, there is no need to specify `--connector`:
+
+`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifiers can be also given instead of the id:
+
+`--resource-types "SCIM_NominativeUser" "SCIM_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server.
Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+ | --- | --- |
+ | --- | --- |
+ | --server required | **Type** String **Description** URL of the SCIM endpoints of your application, not including the v2. |
+ | --login optional | **Type** String **Description** Specifies the login of the account you may need. |
+ | --password optional | **Type** String **Description** Specifies the password of the account you may need. |
+ | --application-id optional | **Type** String **Description** Specifies the application connection login or the login of your application's id provider. |
+ | --application-key optional | **Type** String **Description** Specifies the application connection password or the password of your application's id provider. |
+ | --oauth-url optional | **Type** String **Description** The server's url when using OAuth2 authentication. |
+ | --oauth-token optional | **Type** String **Description** Specifies the OAuth token to connect to the application. |
+ | --scim-syntax optional | **Type** Enum **Description** Specifies the syntax used for requests body. Has to be one of those values: Salesforce (default value) or CyberArk |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-toeasyvistaticket.md b/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-toeasyvistaticket.md
new file mode 100644
index 0000000000..6ede894cba
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/fulfill-toeasyvistaticket.md
@@ -0,0 +1,55 @@
+---
+title: "Usercube-Fulfill-ToEasyVistaTicket"
+description: "Usercube-Fulfill-ToEasyVistaTicket"
+sidebar_position: 190
+---
+
+# Usercube-Fulfill-ToEasyVistaTicket
+
+This executable creates tickets in an EasyVista instance.
+
+## Examples
+
+### Connector specified
+
+When specifying `--connector`, there is no need to specify `--resource-types`:
+
+`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifier can be also given instead of the id:
+
+`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+### Resource types specified
+
+When specifying `--resource-types`, there is no need to specify `--connector`:
+
+`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+But the identifiers can be also given instead of the id:
+
+`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"`
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server.
Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+ | --- | --- |
+ | --- | --- |
+ | --url required | **Type** String **Description** EasyVista API Endpoint URL. |
+ | --account required | **Type** String **Description** EasyVista account. |
+ | --login required | **Type** String **Description** Path of the file used for complete synchronization. |
+ | --password required | **Type** String **Description** EasyVista server password. |
+ | --- | --- |
+ | --- | --- |
+ | --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. |
+ | --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. |
+ | --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. |
+ | --vault optional | **Type** String **Description** Vault uri. |
+ | --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. |
+ | --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. |
+ | --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/generate-configuration.md b/docs/identitymanager/6.3/integration-guide/executables/references/generate-configuration.md
new file mode 100644
index 0000000000..78f3bfdad9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/generate-configuration.md
@@ -0,0 +1,80 @@
+---
+title: "Usercube-Generate-Configuration"
+description: "Usercube-Generate-Configuration"
+sidebar_position: 200
+---
+
+# Usercube-Generate-Configuration
+
+Generates from a CSV file the configuration of a connector with these entities.
+
+## Overview
+
+Two subcommands are possible for generation.
+
+- simpleconnector
+- complexconnector
+
+The simple connector allows you to generate the configuration for a CSV file and create the connector. The complex connector allows you to generate the configuration for a list of CSV files and create the connector.
+
+### 1. Simple connector
+
+From a CSV file, generates the configuration of the entity representing the CSV file.
+
+**The subcommand\_\_\_**simpleconnector**\_**must precede the arguments.\_\_
+
+### 2. Complex connector
+
+From a list of CSV files, generates the configuration of the entities representing each file. The complex connector requires as an argument an xml file containing all the CSV files to be processed as well as the primary keys of these files.
+
+**Example of xml file**
+
+```csharp
+
+```
+
+- Path: CSV file path.
+- File: Name of the files to be processed.
+- PrimaryKey: Fills in the primary key of the CSV file.
+- Header: Column name in the CSV file.
+- EntityTypeName: Indicates the name of the entity to be created.
+- Name: name of the connector to be created.
+
+**The subcommand\_\_\_**complexconnector**\_**must precede the arguments.\_\_
+
+## Examples
+
+### Simple connector
+
+```shell
+**./Usercube-Generate-Configuration.exe simpleconnector -g "C:/GeneratedFile/file" -f "C:/SourceFile/confFile.csv"**
+```
+
+### Complex connector
+
+```xml
+**./Usercube-Generate-Configuration.exe complexconnector -g "C:/GeneratedFile/file" "C:/SourceFile/confFile.xml"**
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --generated-file (-g) required | **Type** String **Description** Path to the generated file.
|
+ | --csv-path (-h) optional | **Type** String **Description** Path to the CSV file. **Note:** used only for a simple connector. |
+ | --encoding (-e) optional | **Type** String **Description** Encoding of the CSV file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Note:** used only for a simple connector. |
+ | --csv-separator (-t) optional | **Type** String **Description** Column separator of the CSV file. **Note:** used only for a simple connector. |
+ | --generated-connector (-r) optional | **Type** String **Description** Name of the generated connector. **Note:** used only for a simple connector. |
+ | --keep-all-columns (-k) optional | **Type** No Value **Description** Keeps all the columns. |
+ | --connector-description optional | **Type** String **Description** XML file that describes the CSV files and their primary key columns. |
+ | --- | --- |
+ | --- | --- |
+ | --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. |
+ | --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. |
+ | --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. |
+ | --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. |
+ | --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. |
+ | --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file.
|
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/get-jobsteps.md b/docs/identitymanager/6.3/integration-guide/executables/references/get-jobsteps.md
new file mode 100644
index 0000000000..9be3e18c26
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/get-jobsteps.md
@@ -0,0 +1,78 @@
+---
+title: "Usercube-Get-JobSteps"
+description: "Usercube-Get-JobSteps"
+sidebar_position: 210
+---
+
+# Usercube-Get-JobSteps
+
+This agent-side tool returns the list of all tasks present in a given job.
+
+## Examples
+
+```shell
+.\Usercube-Get-JobSteps.exe --api-url "http://localhost:5000" --api-client-id "Job" --api-secret "secret" --job-identifier "InitializationJob"
+
+Task : InitializationJob_0_CreateDatabaseViews, Order : 0
+Task : InitializationJob_1_AD_ExportActiveDirectory_Initial_ADExport, Order : 1
+Task : InitializationJob_2_LDAP_ExportLDAP_Initial_LDAPExport0, Order : 2
+Task : InitializationJob_3_LDAP_ExportLDAP_Initial_LDAPExport1, Order : 3
+Task : InitializationJob_4_AD_PrepareSynchronizationActiveDirectory_Initial, Order : 4
+Task : InitializationJob_5_HR_PrepareSynchronization_Initial, Order : 5
+Task : InitializationJob_6_LDAP_PrepareSynchronization_Initial, Order : 6
+Task : InitializationJob_7_SAB_PrepareSynchronization_Initial, Order : 7
+Task : InitializationJob_8_AD_SynchronizeActiveDirectory_ForceSynchronization, Order : 8
+Task : InitializationJob_9_HR_Synchronize_ForceSynchronization, Order : 9
+Task : InitializationJob_10_LDAP_Synchronize_ForceSynchronization, Order : 10
+Task : InitializationJob_11_SAB_Synchronize_ForceSynchronization, Order : 11
+Task : Init_SetAdminProfile, Order : 12
+Task : Init_DatabaseIndex, Order : 13
+Task : InitializationJob_14_AllEntities_UpdateEntityPropertyExpressions, Order : 14
+Task : InitializationJob_15_AllEntities_ComputeCorrelationKeys, Order : 15
+Task : InitializationJob_16_ComputeRoleModel, Order : 16
+Task : InitializationJob_17_Directory_GenerateProvisioningOrders_ForceProvisioning, Order : 17
+Task : InitializationJob_18_Directory_FulfillInternalResources_IgnoreHistorization, Order : 18
+Task : InitializationJob_19_AllEntities_ComputeCorrelationKeys, Order : 19
+Task : InitializationJob_20_ComputeRoleModel, Order : 20
+Task : Init_SetManualAssignments, Order : 21
+Task :
Init_ApproveFutureuserAccountContol, Order : 22
+Task : InitializationJob_23_AllEntities_ComputeCorrelationKeys, Order : 23
+Task : InitializationJob_24_ComputeRoleModel, Order : 24
+Task : InitializationJob_25_Directory_GenerateProvisioningOrders_ForceProvisioning, Order : 25
+Task : InitializationJob_26_Directory_FulfillInternalResources_IgnoreHistorization, Order : 26
+Task : InitializationJob_27_AllEntities_ComputeCorrelationKeys, Order : 27
+Task : InitializationJob_28_ComputeRoleModel, Order : 28
+Task : InitializationJob_29_Directory_GenerateProvisioningOrders_ForceProvisioning, Order : 29
+Task : InitializationJob_30_Directory_FulfillInternalResources_IgnoreHistorization, Order : 30
+Task : Directory_Collect_Initial, Order : 31
+Task : Directory_Synchronization_Init, Order : 32
+Task : InitializationJob_33_AllEntities_UpdateEntityPropertyExpressions, Order : 33
+Task : InitializationJob_34_DeployConfiguration, Order : 34
+Task : InitializationJob_36_AllEntities_ComputeCorrelationKeys, Order : 35
+Task : InitializationJob_37_ComputeRoleModel, Order : 36
+Task : InitializationJob_38_ComputeRiskScores, Order : 37
+Task : Init_LoadApplications, Order : 38
+Task : Init_LoadPhotos, Order : 39
+Task : InitializationJob_41_UpdateClassification, Order : 40
+Task : InitializationJob_42_SetInternalUserProfiles, Order : 41
+Task : InitializationJob_43_ResetValidFrom, Order : 42
+Task : InitializationJob_44_UpdateParametersContextDisplayNames, Order : 43
+Task : Init_Translate, Order : 44
+Task : Init_SetLastLogon, Order : 45
+Task : Init_SuggestedRoles, Order : 46
+Task : InitializationJob_49_AllEntities_ComputeCorrelationKeys, Order : 47
+Task : InitializationJob_50_ComputeRoleModel, Order : 48
+Task : InitializationJob_51_SavePreExistingAccessRights, Order : 49
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --api-client-id optional | **Type** String **Description** Login to Identity Manager server.
|
+ | --api-secret optional | **Type** String **Description** Password to Identity Manager server. |
+ | --api-url optional | **Type** String **Description** URL of Identity Manager server. |
+ | --job-identifier required | **Type** String **Description** Identifier of the job whose tasks/steps are to be listed. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/index.md b/docs/identitymanager/6.3/integration-guide/executables/references/index.md
new file mode 100644
index 0000000000..42a174aa1a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/index.md
@@ -0,0 +1,170 @@
+---
+title: "References: Executables"
+description: "References: Executables"
+sidebar_position: 10
+---
+
+# References: Executables
+
+- [Usercube-Agent ](../../../integration-guide/executables/references/agent)
+
+Runs the Agent.
+
+- [Usercube-Anonymize ](../../../integration-guide/executables/references/anonymize)
+
+Transforms strings to anonymize given data.
+
+- [Usercube-Compute-CorrelationKeys](../../../integration-guide/executables/references/compute-correlationkeys)
+
+Computes the values of all correlation keys.
+
+- [Usercube-Configuration-Transform](../../../integration-guide/executables/references/configuration-transform)
+
+Applies a series of transformation.
+
+- [Usercube-Create-DatabaseViews](../../../integration-guide/executables/references/create-databaseviews)
+
+Generates entity model SQL views in the Identity Manager database.
+
+- [Usercube-CSV-Transform](../../../integration-guide/executables/references/csv-transform)
+
+Modifies a CSV file by performing operations on its headers and/or columns.
+
+- [Usercube-Decrypt-File](../../../integration-guide/executables/references/decrypt-file)
+
+Decrypts an input file to save it into an output file or an OutPutConsole that can be used in Powershell scripts or programs.
+
+- [ Usercube-Deploy Configuration](../../../integration-guide/executables/references/deploy-configuration)
+
+Retrieves all XML configuration files from a given folder, in order to calculate the configuration items to insert, update or delete in the application.
+
+- [Usercube-EasyVistaTicket-UpdateFulfillmentState](../../../integration-guide/executables/references/easyvistaticket-updatefulfillmentstate)
+
+Updates the assigned resource types according to EasyVista tickets state.
+
+- [Usercube-Encrypt-File](../../../integration-guide/executables/references/encrypt-file)
+
+Encrypts an input file or the InputConsole of a Powershell program or file to save it as an encrypted output file.
+
+- [Usercube-Export-Bacpac](../../../integration-guide/executables/references/export-bacpac)
+
+Exports the database to a bacpac file.
+
+- [Usercube-Export-Configuration](../../../integration-guide/executables/references/export-configuration)
+
+Generates in a folder the files of the configuration found in the database.
+
+- [Usercube-Export-Csv ](../../../integration-guide/executables/references/export-csv)
+
+Exports CSV files.
+
+- [Usercube-Export-EasyVista](../../../integration-guide/executables/references/export-easyvista)
+
+Exports CSV files.
+
+- [Usercube-Export-Excel ](../../../integration-guide/executables/references/export-excel)
+
+Exports Excel files.
+
+- [Usercube-Export-Scim ](../../../integration-guide/executables/references/export-scim)
+
+Exports SCIM entries to a CSV file.
+
+- [Usercube-FillBankingDatabase ](../../../integration-guide/executables/references/fillbankingdatabase)
+
+Fills the `BankingSystem` database for the Banking demo application.
+
+- [Usercube-Fulfill-EasyVista](../../../integration-guide/executables/references/fulfill-easyvista)
+
+Creates, updates and archives employees in an EasyVista instance.
+
+- [Usercube-Fulfill-Scim ](../../../integration-guide/executables/references/fulfill-scim)
+
+Creates, updates and deleles entries in an application using the SCIM API.
+
+- [Usercube-Fulfill-ToEasyVistaTicket ](../../../integration-guide/executables/references/fulfill-toeasyvistaticket)
+
+Creates ticket in an EasyVista instance.
+
+- [Usercube-Generate-Configuration ](../../../integration-guide/executables/references/generate-configuration)
+
+Generates from a CSV file the configuration of a connector with these entities.
+
+- [Usercube-Get-JobSteps](../../../integration-guide/executables/references/get-jobsteps)
+
+Returns the list of all tasks present in a given job.
+
+- [Usercube-Invoke-Job](../../../integration-guide/executables/references/invoke-job)
+
+Launches a job on the agent side.
+
+- [Usercube-Invoke-ServerJob](../../../integration-guide/executables/references/invoke-serverjob)
+
+Launches jobs on the server side.
+
+- [Usercube-Login](../../../integration-guide/executables/references/login)
+
+Provides an authentication token needed for SaaS configuration deployment/export.
+
+- [Usercube-Manage-Configuration Dependent Indexes](../../../integration-guide/executables/references/manage-configurationdependantindexes)
+
+Creates the necessary indexes based on the latest deployed configuration to optimize performances.
+
+- [Usercube-Manage-History](../../../integration-guide/executables/references/manage-history)
+
+Manages the data history stored in the database. It can purge old data or consolidate the history.
+
+- [Usercube-New-OpenIDSecret](../../../integration-guide/executables/references/new-openidsecret)
+
+Allows to generate the hashed password of the secret to connect to the given client for agent side job Identity Manager.
+
+- [Usercube-PasswordGenerator](../../../integration-guide/executables/references/passwordgenerator)
+
+Generates a password.
+
+- [Usercube-Prepare-Synchronization](../../../integration-guide/executables/references/prepare-synchronization)
+
+Cleanses exported CSV files.
+
+- [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword)
+
+Encrypts a .pfx archive password using a Identity Manager provided RSA key.
+
+- [Usercube-Protect-X509JsonFile](../../../integration-guide/executables/references/protect-x509jsonfile)
+
+Encrypts sensitive data from a given JSON file.
+
+- [Usercube-Protect-X509JsonValue](../../../integration-guide/executables/references/protect-x509jsonvalue)
+
+Encrypts the values of sensitive data.
+
+- [Usercube-RefreshSchema](../../../integration-guide/executables/references/refreshschema)
+
+Refreshes the schema of a given connection. Takes as input a connection, and refreshes its schema.
The result of the update is stored into the database.
+
+- [Usercube-Send-PasswordNotification ](../../../integration-guide/executables/references/send-passwordnotification)
+
+Sends a mail notification for a password initialization or change.
+
+- [Usercube-Server ](../../../integration-guide/executables/references/server)
+
+Runs the Server.
+
+- [Usercube-Update-EntityPropertyExpressions ](../../../integration-guide/executables/references/update-entitypropertyexpressions)
+
+Recomputes the values of all properties defined via expressions.
+
+- [Usercube-Upgrade-ConfigurationVersion ](../../../integration-guide/executables/references/upgrade-configurationversion)
+
+Upgrades your configuration from your current version entered in settings to the latest version.
+
+- [Usercube-Upgrade-DatabaseVersion ](../../../integration-guide/executables/references/upgrade-databaseversion)
+
+Runs all the migration scripts to upgrade the database.
+
+- [Usercube-Agent ](../../../integration-guide/executables/references/agent)
+
+Runs the Agent.
+
+- [Usercube-Check-ExpressionsConsistency](../../../integration-guide/executables/references/check-expressionsconsistency)
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/invoke-job.md b/docs/identitymanager/6.3/integration-guide/executables/references/invoke-job.md
new file mode 100644
index 0000000000..f0aa2b7749
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/invoke-job.md
@@ -0,0 +1,84 @@
+---
+title: "Usercube-Invoke-Job"
+description: "Usercube-Invoke-Job"
+sidebar_position: 220
+---
+
+# Usercube-Invoke-Job
+
+This tool launches a job on the agent side.
+
+## Behavior Details
+
+The Usercube-Invoke-Job.exe tool is a **state machine**.
+
+![Schematization](/images/identitymanager/job_operation.webp)
+
+When a job is launched, the **state machine** starts by computing all the tasks that must be launched in the job.
+
+Each task is assigned a launch order which can be configured in [Job](../../../integration-guide/toolkit/xml-configuration/jobs/job) steps. All the job's tasks are grouped together according to their launch order, and they are launched by group. Such task grouping allows the job to be faster executed.
+
+The launch orders of all the tasks of a job can be listed by using the [Usercube-Get-JobSteps](../../../integration-guide/executables/references/get-jobsteps) executable.
+
+Before any task is launched, the **state machine** checks the task's parent tasks in order to verify whether the task must be launched or not.
+
+If the task must be launched, then the **state machine** checks whether the task should be started server- or agent-side.
+
+Then the task is launched, and then:
+
+- if the task completes successfully, then the next task is loaded and started, or if this was the
+last task then the job ends successfully;
+- if the task exits in error, then the whole job exits in error and stops;
+- if the job is requested to stop from the UI, then the job's state switches to `cancelled` and is
+transmitted to the current task in order to not launch the next task;
+
+A canceled job is not stopped straight away, as the current task first needs to be finished.
+
+- if the task exits in error while the warning mode is active, then the next job is loaded.
+
+Only export tasks can have this warning mode.
+
+- if the task exits blocked, then the whole job stops and can be restarted manually at its
+breakpoint;
+
+Only synchronization and provisioning tasks can exit blocked.
+
+In the case where the job is blocked and restarted:
+
+- if the blocked task is a
+[Synchronize Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask), then the **state machine** runs a synchronization validation on the related connector, and uses the id of the blocked task instance to synchronize the related tables;
+- if the blocked task is a
+[Generate Provisioning Orders Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask), then the **state machine** forces the same provisioning on the related connector.
+
+Both the synchronization validation and the forced provisioning are virtual jobs that do not exist in the database. However, they will be visible in the UI which keeps track of any launched task.
+
+In both cases, the **state machine** resumes the job with the tasks that were not started due to the blockage.
+
+Any task launched by the **state machine** is linked to a job instance in order to keep track of the launch group.
+
+## Example
+
+```shell
+./Usercube-Invoke-Job.exe -j "AccessCertificationEnd" --api-secret secret --api-client-id Job --api-url "http://localhost:5000"
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | | |
+ | --- | --- |
+ | --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. |
+ | --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. |
+ | --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. |
+ | --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops.
|
+ | --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). |
+ | --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. |
+ | --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. |
+ | --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. |
+ | --- | --- |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect /Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect /Secret pair/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/invoke-serverjob.md b/docs/identitymanager/6.3/integration-guide/executables/references/invoke-serverjob.md
new file mode 100644
index 0000000000..810a137fce
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/invoke-serverjob.md
@@ -0,0 +1,35 @@
+---
+title: "Usercube-Invoke-ServerJob"
+description: "Usercube-Invoke-ServerJob"
+sidebar_position: 230
+---
+
+# Usercube-Invoke-ServerJob
+
+## Invoke a Job (Server Side)
+
+To launch the job in the Server side only you need to run the executable Usercube-Invoke-ServerJob.exe.
+
+To know the task launch orders in job use the following exe: Usercube-Get-Job Steps .exe. See the [Usercube-Get-JobSteps](../../../integration-guide/executables/references/get-jobsteps) topic for additional information.
+
+## Examples
+
+```shell
+**.\Usercube-Invoke-ServerJob.exe -g "CleanDatabase" -s secret**
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | | |
+ | --- | --- |
+ | --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. |
+ | --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. |
+ | --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. |
+ | --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. |
+ | --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). |
+ | --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. |
+ | --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. |
+ | --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/login.md b/docs/identitymanager/6.3/integration-guide/executables/references/login.md
new file mode 100644
index 0000000000..7ec2b26841
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/login.md 
@@ -0,0 +1,39 @@ +--- +title: "Usercube-Login" +description: "Usercube-Login" +sidebar_position: 240 +--- + +# Usercube-Login + +Delegates the authentication process to a third-party Identity Provider which will provide an authentication token required to allow the remote deployment/export of Identity Manager configuration. + +The provided authentication token is meant to be sent to the Identity Manager administrator. + +## Examples + +The following example launches the authentication to Identity Manager's in-house Identity Provider (IDP). It will open your default browser to `http://localhost:5005` where you will be redirected to Identity Manager's IDP that will provide you with the authentication token. + +```shell +**./Usercube-Login.exe** +``` + +The following example launches the authentication to a specific Identity Provider whose authentication URL and Client Id are respectively `https://my_oidc_authentication_server.com` and `34b3c-fb45da-3ed32`. It will open your default browser to `http://localhost:5005` where you will be redirected to the IDP that will provide you with the authentication token. + +```shell +**./Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id 34b3c-fb45da-3ed32** +``` + +The following example launches the authentication to Identity Manager's Identity Provider, but using a specific port `5050`. It will open your default browser to `http://localhost:5050` where you will be redirected to Identity Manager's IDP. that will provide you with the authentication token. + +```shell +**./Usercube-Login.exe --port 5050** +``` + +## Arguments + + | Argument Name | Details | + | --- | --- | + | --authority optional | **Type** String **Description** Base URL of the Identity Provider used for authentication. When not specified, Identity Manager provides an in-house Identity Provider. 
| + | --client-id optional | **Type** String **Description** Client Id of the application authorized to delegate the authentication to the specified Identity Provider. When not specified, Identity Manager provides the Client Id for the in-house Identity Provider. **Note:** ask for this id to your internal administrator. | + | --port default value: 5005 | **Type** Int64 **Description** Port used to run the local web page. | diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/manage-configurationdependantindexes.md b/docs/identitymanager/6.3/integration-guide/executables/references/manage-configurationdependantindexes.md new file mode 100644 index 0000000000..75193d1078 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/executables/references/manage-configurationdependantindexes.md 
@@ -0,0 +1,39 @@ +--- +title: "Usercube-Manage-Configuration Dependent Indexes" +description: "Usercube-Manage-Configuration Dependent Indexes" +sidebar_position: 250 +--- + +# Usercube-Manage-Configuration Dependent Indexes + +This tool creates the necessary SQL indexes based on the latest deployed configuration to optimize certain queries performances. + +## Available optimizations: + +- Creates SQL indexes and statistics to optimize searches on specific entity types +- Creates SQL indexes to optimize joins between records and main entity types +- Creates SQL indexed views used to compute dashboard counters + +## Examples + +```shell +./Usercube-Manage-ConfigurationDependantIndexes.exe -e "Directory_User" -r "Directory_UserRecord" "Directory_Guest" -dc -s "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a +``` + +./Usercube-Manage-ConfigurationDependantIndexes.exe -auto -dc -s "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +```text +## Arguments + + | Argument Name | Details | + | --- | --- | + | --entityTypes (-e) optional | __Type__ String List __Description__ Sets the list of entity types for which optimization indexes will be created/updated. | + | --recordEntityTypes (-r) optional | __Type__ String List __Description__ Sets the list of record entity types for which optimization indexes will be created/updated. | + | --userProperties (-p) optional | __Type__ String List __Description__ Sets the list of User' properties that link the records and the users. (the order of the given userProperties' must match the order of the given recordEntityTypes'). | + | --dashboardCounter (-dc) optional | __Type__ No Value __Description__ Adjusts the indexed views for the dashboard counters appropriately. 
| + | --auto optional | __Type__ No Value __Description__ The entity types, record entity types and user properties are deduced automatically from the provisioning rules configured in the database. | + | --apply-to-database (-a) optional | __Type__ No Value __Description__ Directly applies the resulting SQL script to the database. | + | --- | --- | + | --- | --- | + | --database-connection-string required | __Type__ String __Description__ Connection string of the database. | +``` diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/manage-history.md b/docs/identitymanager/6.3/integration-guide/executables/references/manage-history.md new file mode 100644 index 0000000000..b55d5c0aa9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/executables/references/manage-history.md 
@@ -0,0 +1,106 @@ +--- +title: "Usercube-Manage-History" +description: "Usercube-Manage-History" +sidebar_position: 260 +--- + +# Usercube-Manage-History + +This tool optimizes the data history stored in the database, reducing its size and enhancing database performance. + +The inner workings of this executable are based on the `ValidFrom` and `ValidTo` attributes that specify the validity period of a given assignment. These attributes are inside the following tables which are the tables actually purged: `ur_resources`; `ur_resourcelinks`; `up_assignedcompositeroles`; `up_assignedsingleroles`; `up_assignedresourcenavigations`; `up_assignedresourcetypes`. + +## Examples + +**Purge before a period** + +To clean the database **periodically**, it can be purged of all the history older than a given period of time. + +The following example deletes all the history from the database that is more than 12-month old: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```shell +./Usercube-Manage-History.exe --purge-before-months 12 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +**Purge before a date** + +The database can be purged of all history older than a given date. + +The following example deletes all the history from the database older than May 26th 1993: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```shell +./Usercube-Manage-History.exe --purge-before-date 19930526 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +**Optimize** + +The database's history can be optimized by removing intermediate versions based on their age, for example keeping only one version the last week, one per month the last 6 months and then one per year for 3 years. 
+ +The following example reduces the history from the database, keeping at most one history version per interval. Here we keep one version per day (1440 minutes) in the last 7 days, then one version per month (43920 minutes) in the last 6 months before the previously defined period, then one version per year (525960 minutes) in the last 2 years before the previously defined periods. + +![Schema - Optimize](/images/identitymanager/tools_managehistory_schema.webp) + +For each period, if there is more than one version (i.e. `ValidFrom` is inside the interval), the versions are merged in the following way: + +- The latest version is kept +- The oldest date is kept (that is, in the database, the `ValidFor` is equal to the one of the +oldest version in the considered period). + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```shell +./Usercube-Manage-History.exe --optimize "1440:7 43920:6 525960:2" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +If you want to configure a time period when there is no purge and all history is kept as is, then you can specify a short duration that allows a single change, for example only one minute. The following example copies the previous one, in addition we want to keep all changes of the last 6 hours (360 minutes): `--optimize 1:360 1440:7 43920:6 525960:2`. + +**Clean duplicates** + +As given data can have several versions in the database, redundant rows can be deleted and replaced with one row that covers the consolidated time range. + +The following example remove all duplicates in the database. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +```shell +**./Usercube-Manage-History.exe --clean-duplicates --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"** +``` + +The following example remove all duplicates induced by the `pwdLastSet` property. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```shell +./Usercube-Manage-History.exe --clean-duplicates --excluded-resource-columns "pwdLastSet" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +**Solicit memory rather than the database** + +To reduce the database load, the tool's optimizations can be made via the local device's memory. + +The following example deletes all the history from the database that is more than 12-month old, **the optimizations being computed in memory instead of in the database**: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```shell +./Usercube-Manage-History.exe --purge-before-months 12 --in-memory --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +## Arguments + + | Argument Name | Type | Description | + | --- | --- | --- | + | --clean-duplicates optional | No Value | Removes duplicate historical data. | + | --entity-type required if --excluded-resource-columns is set | String | When using `--clean-duplicates` option, defines the entity type (Id or Identifier) that should have its duplicates removed from the `UR_Resources` table. | + | --excluded-resource-columns required if --entity-type is set | String list | When using `--clean-duplicates` option, defines the list of column names (the name of the columns in the `UR_Resources` table, or the Identifier of the corresponding um_entityproperty) to exclude when comparing rows of `UR_Resources` table. 
| + | --in-memory default value: False | No value | Performs optimizations in memory instead of the database. It implies heavy memory consumption but light SQL load. | + | --optimize optional | String list | Reduces the history and optimizes the versions that are kept based on the precision given through ranges in the argument. A range is specified by a duration in minutes followed by the number of occurrences. For example 60:10 defines a range of 60 minutes repeated 10 times, or 10 snapshots repeated at 60 minute intervals. For each interval, at most one version is kept in the history. The intervals are evaluated in the given order from now, backwards. In the previous example, it means the more recent versions are kept with a high precision (one per day initially), then with lesser and lesser precision (one per month and then one per year). If the data has not changed over an interval, no optimization can be done. | + | --purge-before-date optional | String | Deletes all the history older than the given date in the yyyyMMdd format. | + | --purge-before-months optional | String | Deletes all the history older than the given number of months. | + | --database-connection-string required | String | Connection string of the database. | + +The available actions (clean duplicates; purge; optimize) are all optional, but at least one must be used in the executable command. diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/new-openidsecret.md b/docs/identitymanager/6.3/integration-guide/executables/references/new-openidsecret.md new file mode 100644 index 0000000000..f1c4f357c5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/executables/references/new-openidsecret.md 
@@ -0,0 +1,29 @@
+---
+title: "Usercube-New-OpenIDSecret"
+description: "Usercube-New-OpenIDSecret"
+sidebar_position: 270
+---
+
+# Usercube-New-OpenIDSecret
+
+This tools generates an hash. In practice, we hash a client secret but the tool can generate randomly a hash without an input string. The name of the executable is: Usercube-New-OpenIDSecret.exe'.
+
+## Examples
+
+```shell
+./Usercube-New-OpenIDSecret.exe --client-secret Shared secret for 'secret' is 'K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='
+````
+
+
+The output shows the client secret and its hashed version. It must be entered in the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) configuration.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --client-secret optional | __Type__ String __Description__ OpenID client secret that will be hashed by the program. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | __Type__ LogLevel __Description__ Level of log information among: ```Verbose```; ```Debug```; ```Information```; ```Warning```; ```Error```; ```Fatal```. |
+````
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/passwordgenerator.md b/docs/identitymanager/6.3/integration-guide/executables/references/passwordgenerator.md
new file mode 100644
index 0000000000..495ae342f2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/passwordgenerator.md
@@ -0,0 +1,30 @@ +--- +title: "Usercube-PasswordGenerator" +description: "Usercube-PasswordGenerator" +sidebar_position: 280 +--- + +# Usercube-PasswordGenerator + +## Example + +### Manually generate a password + +Consider an external system that is fulfilled manually and requires a new password. + +To avoid writing the password in any file while still choosing a cryptographically secure password, we generate it just before using it. + +`--auto-generate true --digit-chars 2 --lower-case-chars 6 --symbol-chars 2 --upper-case-chars 2` + +## Arguments + + | Argument Name | Details | + | --- | --- | + | --default-password required if auto-generate is false | **Type** String **Description** Specifies the default password used when `--auto-generate` is false. **Example** Set default password to password: `--default-password password`. | + | --auto-generate default value: false | **Type** No Value **Description** Specifies if the password should be the default password or generated automatically. **Example** Use default password: `--auto-generate false`. | + | --digit-chars default value: 0 | **Type** Integer **Description** Specifies the number of digits in the generated password. If the value is strictly positive, additional digits may be generated if `--generated-length` is higher than the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars`. **Example** Generate a password with 2 digits: `--digit-chars 2`. | + | --generated-length default value: 0 | **Type** Integer **Description** Specifies the length of the generated password. If it is lower than the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars`, the length of the generated password is equal to the sum. If it is higher than the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars`, extra characters of any type will be generated. **Example** Set a password length of 12: `--generated-length 12`. 
| + | --lower-case-chars default value: 0 | **Type** Integer **Description** Specifies the number of lower case characters in the generated password. If the value is strictly positive, additional lower case characters may be generated if `--generated-length` is higher than the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars`. If the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars` is 0, only lower case characters will be generated. **Example** Generate a password with 6 lower case characters: `--lower-case-chars 6`. | + | --strength-check default value: "^.\*" | **Type** String **Description** The regular expression to check the password strength. By default, any password passes the strength check. **Example** Accept any password: `--strength-check ^.*`. | + | --symbol-chars default value: 0 | **Type** Integer **Description** Specifies the number of symbols in the generated password. If the value is strictly positive, additional symbols may be generated if `--generated-length` is higher than the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars`. **Example** Generate a password with 2 symbols: `--symbol-chars 2`. | + | --upper-case-chars default value: 0 | **Type** Integer **Description** Specifies the number of upper case characters in the generated password. If the value is strictly positive, additional upper case characters may be generated if `--generated-length` is higher than the sum of `--digit-chars`, `--lower-chase-chars`, `--symbol-chars`, and `--upper-case-chars`. **Example** Generate a password with 2 upper case characters: `--upper-case-chars 2`. | diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/prepare-synchronization.md b/docs/identitymanager/6.3/integration-guide/executables/references/prepare-synchronization.md new file mode 100644 index 0000000000..bc9f67d646 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/prepare-synchronization.md 
@@ -0,0 +1,105 @@ +--- +title: "Usercube-Prepare-Synchronization" +description: "Usercube-Prepare-Synchronization" +sidebar_position: 290 +--- + +# Usercube-Prepare-Synchronization + +`Usercube-Prepare-Synchronization` is used as the second step of the [Synchronization](../../../integration-guide/synchronization) process. It cleanses exported CSV files before sending them to the server for database loading. It is performed on the _Agent_ side. + +## Behavior Details + +The task reads files from the source directory, usually the temp folder > ExportOutput folder. See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in +[Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) or [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) as three files: + +- For every entity type of the relevant _Connector_ involved in an +[Entity Type Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) or an [Entity Association Mapping](../../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping), a `.sorted.csv` file is generated, containing the final, cleansed and sorted result. +- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. + +All files produced by the task are in the work folder > Collect directory. 
See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information. + +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will +be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the +_Prepare-Synchronization_ step computes changes. This computation is based on the result of the last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the `previous` folder in the _export directory_. See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information. + +For _incremental_ mode, it is **recommended**, whenever possible, to use managed systems to compute changes. Dedicated workstations and knowledge of the inner data organization allow managed systems to compute changes with performance that Identity Manager can't match. Using managed systems for these operations avoids generating heavy files and alleviates Identity Manager's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a _command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. + +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in the `previous` folder inside the _export directory_. It will be used as a reference for the next _incremental_ Prepare-Synchronization to compute the changes, if needed. See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information. 
+ +Tampering with the `previous` folder content would result in false changes leading to false computation. It would result in data corruption in the Identity Manager database. To restore the Identity Manager database and reflect the managed system data updates, a _complete\_\_Sync Up_ would be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed _incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +### Example + +The figure models the complete _Prepare-Synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations (_members_ and _manager_). 
+ +![Active Directory Prepare-Synchronization Example](/images/identitymanager/ad_preparesynchro_example.webp) + +## Examples + +`Usercube-Prepare-Synchronization` can be used as an executable file as follows: + +```text +./Usercube-Prepare-Synchronization --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connector --agent myagent --synchronization-mode complete +``` + +## Arguments + + | Name | Details | + | --- | --- | + | --agent required | **Type** [Agent](../../../integration-guide/toolkit/xml-configuration/connectors/agent) **Description** Identifier of the agent where the task runs. | + | --connector required | **Type** [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector) **Description** Identifier of the linked connector. The task is linked to a connector whose entity types are synchronized. | + | --synchronization-mode required | **Type** [Upward Data Synchronization](../../../integration-guide/synchronization/upward-data-sync)Mode **Description** Synchronization mode for this task can be one of the following: - Initial - Complete - Incremental This must be the same as the associated Export and Synchronize tasks. Use _initial_ if this is the first time the target managed system is synchronized. Use _complete_ to load the data from the managed system as a whole. Use _incremental_ to consider only incremental changes from the last synchronization. In _incremental_ mode, the Prepare-Synchronization task computes changes in the source managed system since the last _Prepare-Synchronization_. | + | --sources-directory default value: ExportOutput | **Type** String **Description** Directory path, relative to temp folder, from which export files to cleanse are read. 
See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information | + | --working-directory default value: Collect | **Type** String **Description** The directory path, relative to work folder, to which intermediary and cleansed files are stored. See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information | + | --- | --- | + | --- | --- | + | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an OpenID Connect ClientId/Secret pair, linked to a profile with the relevant permissions. See the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) topic for additional information. | + | --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an OpenID Connect ClientId/Secret pair, linked to a profile with the relevant permissions. See the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) topic for additional information. | + | --api-url required | **Type** String **Description** URL of Identity Manager server. | + | --- | --- | + | --- | --- | + | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | + diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/protect-certificatepassword.md b/docs/identitymanager/6.3/integration-guide/executables/references/protect-certificatepassword.md new file mode 100644 index 0000000000..1db2edd3da --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/executables/references/protect-certificatepassword.md 
@@ -0,0 +1,44 @@ +--- +title: "Usercube-Protect-CertificatePassword" +description: "Usercube-Protect-CertificatePassword" +sidebar_position: 300 +--- + +# Usercube-Protect-CertificatePassword + +This tool helps protecting `.pfx` archives passwords. Given a plain text password, it generates an encrypted version, that can be stored in a configuration file in place of the plain text one. The tool uses a hard-coded secret RSA key to generate the encrypted password. Identity Manager uses the same key to retrieve the plain text password and read the `.pfx` archive. + +## Examples + +Given a `.pfx` archive protected by the `secret` password, an encrypted version can be generated with the following command: + +```shell +./Usercube-Protect-CertificatePassword.exe --pfx-password "secret" +``` + +The output is the following : + +```text +**ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA==** +``` + +This encrypted password can now be copied to the relevant location in a configuration file. For example : + +```json +*appsettings.json* + +{ +... + "EncryptionCertificate": { + "File": "C:/UsercubeAgentContoso/contoso.pfx", + "Password": "ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA==" + } +... 
+} +``` + +## Arguments + + | Name | Details | + | --- | --- | + | --pfx-password required | **Type** String **Description** Password of the `.pfx` archive's to encrypt. | diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonfile.md b/docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonfile.md new file mode 100644 index 0000000000..2f2b35c70a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonfile.md 
@@ -0,0 +1,115 @@
+---
+title: "Usercube-Protect-X509JsonFile"
+description: "Usercube-Protect-X509JsonFile"
+sidebar_position: 310
+---
+
+# Usercube-Protect-X509JsonFile
+
+This tool is used to encrypt a JSON file containing sensitive connection data, for example the `appsettings-agent.json` file, with [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption). The encryption is based on the information given in your `appsettings.json` file about either a PFX file or the location of the encryption certificate in the Microsoft store. See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information.
+
+This tool `Usercube-Protect-X509JsonFile` is used to encrypt a whole file, in comparison to the [Usercube-Protect-X509JsonValue](../../../integration-guide/executables/references/protect-x509jsonvalue) tool that encrypts only a given value. This tool is more appropriate than `Usercube-Protect-X509JsonValue` when you have many lines to encrypt.
+
+## Examples
+
+The command below encrypts the `*appsettings.agent.json*` file from the `C:/identitymanagerTraining` folder and creates the `*appsettings.encrypted.agent.json*` file in the same folder.
+
+```json
+**./Usercube-Protect-X509JsonFile.exe --input-json-file-path "C:/identitymanagerTraining/*appsettings.agent.json*" --output-json-file-path "C:/identitymanagerTraining/*appsettings.encrypted.agent.json*"**
+```
+
+For example it takes this :
+
+```json
+*appsettings.agent.json*
+
+{
+ "TaskAgentConfiguration": {
+ "HttpClientTimeoutSupplement": 0
+ },
+ "OpenId": {
+ "OpenIdClients": {
+ "Job": "secret"
+ },
+ "DefaultOpenIdClient": "Job"
+ },
+
+ "PasswordResetSettings": {
+ "TwoFactorSettings": {
+ "ApplicationUri": "http://localhost:3000"
+ },
+ "NotificationSettings": {
+ "Cultures": ["en"]
+ }
+ },
+ ...
+}
+```
+
+And it returns this :
+
+```json
+*appsettings.encrypted.agent.json*
+
+{
+ "TaskAgentConfiguration": {
+ "HttpClientTimeoutSupplement": "kxABAEh6CpUOAOMBNPNLKazx9I0vqummv24acN292gonFiK4ov81bjqE2ic+n+HqastXU2aTQcl3IefhEXn9KA2dhnIbDTXB4GhOn9lL9AzUfwKXBr5EBmVy7ggruG2ewpWGK1c3LBJ35km9XvCnzSHLfolZwHNPwM/8b/C6XqSzieoFcO5H92IGJ1lFRboacvp0rO+SkkUv63Ewsk+1MrVLa63oBgWfY6PhMeJvNpWGqCD+I614hB6jE2Li/recwQIPd10XEgFM1OEkZ5ZiO+URxX7MCBe1o20rTaczKR7e7lLQGa/e3Y3i1sFnCm+yRm/lzw0qtDvOtCXlPT13EsHsUunxnR3uH4R6lRBXT30OKobaX7MTQjGkLRChss/GVGCK5w=="
+ },
+ "OpenId": {
+ "OpenIdClients": {
+ "Job": "kxABAOkh0BF2GdMedpzmKZZWVWc8IYaiZO2dofmt7lLBP3vMYgLLZYNDyR3x7Ah7tA1r6oSL5gBT3mSFyXB63NJk+QmZqNW1LWdzh+3U+DvNdQw4OfDfFlC5F+nH3/L5iqWc+h1jMlaQBpkqf42Vr8HwFKtqMXLJVXEIyeHSPgHRp1iOjGkNSRNrRQGJ4pVyo0xKmcWsz3qGYf0SnJIzRJ++PcYh/dJgxHAZFsDnV55X3zg72J8teoIEG82GdNjmCV/W4S4edNCYa1gL3KpgDGQq1GEed71Ht1tVYlHlJ4hckE++otQqTgRA2p4nFvo3LmlMag6k4EQRzEk6TOHUlGjUtYgpzMuPqei8/3CRXy5o8YW5R0wVFJJ/jSfYrvR3M9SwJw=="
+ },
+ "DefaultOpenIdClient": "kxABANLI/Qx7X8L1VtIl+FM4RtYlTLLpUUBCp2pucY+jzjlwhbF9fjJhhTP/KmeCj8M2yB4AA1V3AQgcEBvg92I1vCAWXIBgCjz6LUD2yf4FCpACaxNgiBZVAaCELNCgbKDgy9UB1j4sCozpEzReLVtYdOX+KFbGU6zJ808jnrLFMz+YHT4LXMyF94A5Zl86DFT9br6PwR75qImvjDlIUt+7/I8WrT1Nnqn2hXxqzAd1J2W5Xv8Bt9sXFmskSZN9PyOo9EY9t5lVGq++IqjGPWh4vQAXCzIsfRgUfU7PfHKVuSKSHbME1EZwG/FjzOe8B4bO2q/a/qLtGgygyX5ExEkZ/IcrtSZnTdqC83AfyexlEv9Z3wWFAoKGDtI3zhmCZYnuZQ=="
+ },
+ "PasswordResetSettings": {
+ "TwoFactorSettings": {
+ "ApplicationUri": "kxABAFAEx4fWwG/ANPVTf/WGyccDxoR2xCy+x+U3Ny1KkqnOFw+SizePTgINTzBaYHLTHABQD0GWW6U+4qiG6DpcIcdAD0VVnddqB5a+YIE0reufXYhZTrDU/9yeG6aUWIHkLl9UudC/nnW6zMrjChiJhJvT7csFKdgbqUazZT56hR0i6XS36a5h2/tTWhbZTkk1Dil5JP7xUcu5CMWyXMUvGvK8gfQozYxo/DJTOiLrWjg5ION1yx+ZqPhcIUxgYaBjxSpfT6U9YMy5mE9JGqf7W76baS9fOVr3H1DAL02icX29uJAcsw1r9k1rJQIKEhAuqTNeuqF6C6iPHJAsail+iteOJEYgBSACRz7Te4t6Hp7PBs0FfP0WY1oL+1T+p7X+HaO1jAJhE50J2AKhGNXTZfE="
+ },
+ "NotificationSettings": {
+ "Cultures": ["kxABAPwTbpFUbP9xT9HyqtTuMLKT9sVD0Qq1kCsI44d12vJEcW2MMy9K5vKakwTPeJpvY6SafELoHc7AjKnh8ZJi0/Yu4dieE5W+5uXY1uaghYJ/2VjimzIsDhvRhm90xUlaMjdFBjx4HAnxBAtEbEjifdGHxZ0L9F305hXSTORj53u76ctCE5D9HPTN3AgLmyIGv5NExwhD4sgppbf6PWjTEZ7yNcoUpkkS4pJ6BMz+PaQo26A2rMP710zQgG72an4XvxSoR3SwSm0fhLCASgYi8YOZw0j/cfxl/LrW1EQ7gyW0/Mw9v1YRNH3DkbWSeHZ3odhDWdaWkzR6yOEt5hO60eM0w8Tjoed30Jwf+enf1rJFStDe/dhg6vjUIaTn6tt1Gw=="]
+ }
+ },
+ ...
+}
+```
+
+The previous command can be useful to encrypt, for example, an Active Directory's login used by the agent during the synchronization process.
+
+The login to encrypt is stored in the following format, compliant with the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent).json structure:
+
+***appsettings.beforeEncryption.json***
+
+```json
+{
+ ...
+ "Connections": {
+ ...
+ "ADExport": {
+ "Login": "Administrator"
+ }
+ }
+}
+```
+
+This command writes encrypted values from `*appsettings.agent.json*` to `C:/identitymanagerTraining/*appsettings.encrypted.agent.json*` following the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent).json structure:
+
+```
+*appsettings.encrypted.agent.json*
+{
+ ...
+ "Connections": {
+ ...
+ "ADExport": {
+ "Login": "kxABAM9LW6vyx3TpDXoU5mKKQAwxxNcH9Q2z+dk+E7BNzrI346fUUiPmnJlOJZNX8bA1sokpDHTJBJngdF8LqVuWhk0t+IBpHE+iRJZ4q6i/CzX/OnpoGEHLSL5gZUixIqn9kul5AbxI38d/aGkCGIeAGY73rf0eQRizB2uR/ObR/H9jm3dHGt3TUNyOH4WqdwrXL0WTeMyfme6O+2PMoGvmjVF04keicuisjj/jROxTcDKe69qjPuCJZabR69CA2qP1TPMDMy/zlg8bzRZKepw8VxI4OpIKrbwhaUTauJMR6URPsOZ54fdocKi3oEyvpm2AhX4YF8GpOw7fBQrPWte/JJFOxgIzH1Kh0d0YhC2ZpMCXexfOlB2Y9afWG/t7rdi4VDsEf8gwj+IJ3HbE0dtIPLw="
+ }
+ }
+}
+```
+
+## Arguments
+
+ | Name | Details |
+ | --- | --- |
+ | --input-json-file-path required | **Type** String **Description** Path of the input to-be-encrypted json file. |
+ | --output-json-file-path required | **Type** String **Description** Path of the output encrypted json file. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonvalue.md b/docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonvalue.md
new file mode 100644
index 0000000000..9b7c417493
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/protect-x509jsonvalue.md
@@ -0,0 +1,81 @@
+---
+title: "Usercube-Protect-X509JsonValue"
+description: "Usercube-Protect-X509JsonValue"
+sidebar_position: 320
+---
+
+# Usercube-Protect-X509JsonValue
+
+This tool is used to encrypt sensitive connection data, for example data from the `appsettings.agent.json` file, with [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption). The encryption is based on the information given in your `appsettings.json` file about either a PFX file or the location of the encryption certificate in the Microsoft store. See the [Application Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose) topic for additional information.
+
+This tool `Usercube-Protect-X509JsonValue` is used to encrypt only given values, in comparison to the Usercube-Protect-X509JsonValue tool that encrypts a whole file. This tool is more appropriate than `Usercube-Protect-X509JsonFile` when you have only a few lines to encrypt.
+
+## Examples
+
+The command below encrypts the task agent configuration `0` and the OpenId Client `secret` used in the `appsettings.agent.json` file.
+
+```
+**./Usercube-Protect-X509JsonValue.exe --values "0" "secret"**
+```
+
+As a response, the powershell returns one string per given value.
+
+```
+PS C:/identitymanagerTraining/Runtime> ./Usercube-Protect-X509JsonValue.exe --values "0" "secret"
+kxABACJhXxJwnGJSug/nE6ODGGYwnzhX1WeYUHmS7gkMLpF15K7POOZAVWsl93zuYaVStPK0sV+U6mOE4h5IzbT083Uac+/NKic+qNZLYi4PRum+G17pIeSMBu3z7GQJxGGkAeX7dwf0kc/oDW5yAQ1BtFN+k27UHZkUrz0fe/eOZwTHbgV5sSUM+6pXW6IQd2VnVRRKLyWij0MAKsCNlHtv6QE73b8P8u7liRdzWOueqE2blAZk0rm0JzFxZlUQKgIMBTk2cuFWph7rp8dp8h8mDKJl9xbYzAtmM/rgXuhcMYryIrlqFeBWt1J65cfL7HNQb6OX7Imb2LQZmZMI2xc1gFyiXjeINeMriYm3zecnSBMiYEGW6RddE6doJOtrTyznrg==
+kxABAJT+2u1C1r0JI8criUz15QkI71x6/BPeNMlPWEL5ZHkTvZWVnMLG/zNJz9PvnjfecROC4fkxPRI5U+sF8W1caH8DtxnzM0ctYD0QtRcpS9z48y2mUzOzl3pU68BQyosyZGZW0ifXVI9UJVGMzMTfWloCw+R+xfZHviYLVGT8y2PKkCBdNp7IcZN4qT6mq8AmTIMSgwagR854n1EHn8lT5nUUFmhZ7iIJ/sonEVG4uyTAjND9YXSsfL9dm2ipTzXrybruIkVU051aczdohreMRsfeSB6TDAYa3GEMNeAb3CzI5I/6NpKYEzZEoYu4JXAzE6bqHeK2oVJyrmTL11kwq4m9fTMwlwmB0GaPeJtbQoih6TIX2qlOPfQdsrZt0dl5qw==
+```
+
+Then you just need to copy and paste them.
+
+The following example shows how to update the OpenId ClientSecret matching the "ContosoCharlotte" OpenId ClientId in the `appsettings.encrypted.agent.json` file.
+
+The initial `appsettings.encrypted.agent.json` file resembles the following:
+
+```
+*appsettings.encrypted.agent.json before update*
+{
+ ...
+ "OpenId": {
+ "OpenIdClients": {
+ "ContosoCharlotte": "dKIHkloXG6i1LkxkhjkKoVKS9gFO7Hx8VUm"
+ }
+ }
+}
+```
+
+The new ClientSecret to encrypt is _charlotte2028_.
+
+Using the `Usercube-Protect-X509JsonValue.exe`:
+
+```
+./Usercube-Protect-X509JsonValue.exe --values charlotte2028
+```
+
+The `--values` parameter also accepts multiple white-space-separated values for encryption.
+
+The output, in the console, shows the encrypted value for the _charlotte2028_ string.
+
+```
+**kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw==**
+```
+
+The last step is to update the `appsettings.encrypted.agent.json` file by copy/pasting this new encrypted value to replace the old one. It results in:
+
+```
+*appsettings.encrypted.agent.json after update*
+{
+ "OpenId": {
+ "OpenIdClients": {
+ "ContosoCharlotte": "kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw=="
+ }
+ }
+}
+```
+
+## Arguments
+
+ | Name | Details |
+ | --- | --- |
+ | --values required | **Type** String **Description** List of values to encrypt. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/refreshschema.md b/docs/identitymanager/6.3/integration-guide/executables/references/refreshschema.md
new file mode 100644
index 0000000000..a61839ac85
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/refreshschema.md
@@ -0,0 +1,32 @@
+---
+title: "Usercube-RefreshSchema"
+description: "Usercube-RefreshSchema"
+sidebar_position: 330
+---
+
+# Usercube-RefreshSchema
+
+## Examples
+
+`Usercube-RefreshSchema` can be used as an executable file as follows:
+
+```
+dotnet Usercube-RefreshSchema.dll --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connection-id -2
+```
+
+The credentials used to connect to the connection come from the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent).
+
+## Arguments
+
+ | Name | Details |
+ | --- | --- |
+ | --connection-id \*required | **Type** Integer **Description** Id of a connection whose schemas are updated. See the [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) topic for additional information. |
+ | --- | --- |
+ | --- | --- |
+ | --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. |
+ | --api-url required | **Type** String **Description** URL of Identity Manager server. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/send-passwordnotification.md b/docs/identitymanager/6.3/integration-guide/executables/references/send-passwordnotification.md
new file mode 100644
index 0000000000..09f68ccfd2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/send-passwordnotification.md
@@ -0,0 +1,31 @@
+---
+title: "Usercube-Send-PasswordNotification"
+description: "Usercube-Send-PasswordNotification"
+sidebar_position: 340
+---
+
+# Usercube-Send-PasswordNotification
+
+## Examples
+
+### Manually send a password initialization mail notification
+
+Consider a user who needs an account in an external system. Consider that this account requires a password.
+
+As an example, we will consider that the id of the [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings) associated with the external system is 10, and the id of the assigned resource type associated with the user is 1000.
+
+Once the password is set, we need to communicate this password to the user. We send a mail notification to inform the user.
+
+`--password true --assigned-resource-type 1000 --resource-type-mapping 10`
+
+For the notification to be sent, the server set at **appsettings** > **ApplicationUri** should be running. The [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings) should have an associated [Password Reset Settings](../../../integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings). For the notification to be sent, the password reset settings should at least contain a notified email binding. For the notification to make sense, the password reset settings should at least contain a beneficiary full name binding.
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --assigned-resource-type required | **Type** String **Description** Specifies the id of the assigned resource type corresponding to the user and the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **AssignedResourceTypeId**. **Example** Send a notification for the assigned resource type with id 1000: `--assigned-resource-type 1000`. |
+ | --password required | **Type** String **Description** Specifies the new password that will be sent by mail. **Example** Send a notification for the password NewPassword: `--password NewPassword`. |
+ | --resource-type-mapping required | **Type** String **Description** Specifies the id of the [Resource Type Mappings](../../../integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings) corresponding to the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **ResourceType** > **Id**, as the resource type and its corresponding resource type mapping share the same id. **Example** Send a notification for the resource type mapping with id 10: `--resource-type-mapping 10`. |
+ | --notification-cc optional | **Type** Integer **Description** Specifies an address that should also receive the notification. **Example** Add [admin@acme.admin](mailto:admin@acme.admin) to the mail CC: `--notification-cc admin@acme.admin`. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/server.md b/docs/identitymanager/6.3/integration-guide/executables/references/server.md
new file mode 100644
index 0000000000..09785337c7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/server.md
@@ -0,0 +1,30 @@
+---
+title: "Usercube-Server"
+description: "Usercube-Server"
+sidebar_position: 350
+---
+
+# Usercube-Server
+
+This tool runs the main Identity Manager Server.
+
+## Examples
+
+With a properly configured environment, the following command runs the server. It listens on two different ports:
+
+```
+./Usercube-Server.exe --urls "http://localhost:5000;http://localhost:5001"
+```
+
+When the Server starts, the following log should be displayed (if the log level is set to _Information_):
+
+```
+[xx:xx:xx INF] Now listening on: http://localhost:5000
+[xx:xx:xx INF] Now listening on: http://localhost:5001
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --urls required | **Type** String **Description** URL(s) that the server is listening to. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/update-entitypropertyexpressions.md b/docs/identitymanager/6.3/integration-guide/executables/references/update-entitypropertyexpressions.md
new file mode 100644
index 0000000000..0d9ed19465
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/update-entitypropertyexpressions.md
@@ -0,0 +1,38 @@
+---
+title: "Usercube-Update-EntityPropertyExpressions"
+description: "Usercube-Update-EntityPropertyExpressions"
+sidebar_position: 360
+---
+
+# Usercube-Update-EntityPropertyExpressions
+
+This tool is used to recompute the values of all properties defined via expressions (C#, etc.), usually to prepare for a connector's synchronization.
+
+## Examples
+
+The following example updates the property expressions of the database defined by the connection string, for all entity types.
+
+```
+**./Usercube-Update-EntityPropertyExpressions.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a**
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --batch-select-size (-q) default value: 10000 | **Type** Int32 **Description** Batch size for SELECT queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). |
+ | --batch-update-size (-c) default value: 20000 | **Type** Int32 **Description** Batch size for UPDATE queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). |
+ | --- | --- |
+ | --- | --- |
+ | --database-connection-string required | **Type** String **Description** Connection string of the database. |
+ | --- | --- |
+ | --- | --- |
+ | --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. |
+ | --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). |
+ | --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. |
+ | --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. |
+ | --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in the [Select User by Identity Query Handler Setting](../../../integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting). |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/upgrade-configurationversion.md b/docs/identitymanager/6.3/integration-guide/executables/references/upgrade-configurationversion.md
new file mode 100644
index 0000000000..a52e654934
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/upgrade-configurationversion.md
@@ -0,0 +1,30 @@
+---
+title: "Usercube-Upgrade-ConfigurationVersion"
+description: "Usercube-Upgrade-ConfigurationVersion"
+sidebar_position: 370
+---
+
+# Usercube-Upgrade-ConfigurationVersion
+
+This tool is used to upgrade your configuration from your current version entered in settings to the latest version.
+
+## Examples
+
+```
+**./Usercube-Upgrade-ConfigurationVersion.exe --version "5.1.0" --xml-path "C:/identitymanagerDemo/Conf" --output "C:/identitymanagerDemo/Conf2"**
+```
+
+In this example, the configuration files are in the folder "C:/identitymanagerDemo/Conf" and at version "5.1.0". This tools will upgrade all the xml files to the latest version and save them in the folder "C:/identitymanagerDemo/Conf2".
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --version required | **Type** String **Description** Current version. |
+ | --xml-path required | **Type** String **Description** Current xml configuration folder to migrate. |
+ | --- | --- |
+ | --- | --- |
+ | --output required | **Type** String **Description** Path of the folder where the result will be saved. |
+ | --- | --- |
+ | --- | --- |
+ | --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. |
diff --git a/docs/identitymanager/6.3/integration-guide/executables/references/upgrade-databaseversion.md b/docs/identitymanager/6.3/integration-guide/executables/references/upgrade-databaseversion.md
new file mode 100644
index 0000000000..03ae4f279b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/executables/references/upgrade-databaseversion.md
@@ -0,0 +1,44 @@
+---
+title: "Usercube-Upgrade-DatabaseVersion"
+description: "Usercube-Upgrade-DatabaseVersion"
+sidebar_position: 380
+---
+
+# Usercube-Upgrade-DatabaseVersion
+
+This tool is used to run the necessary migration scripts in order to upgrade the database structure from its current version to the most recent version.
+
+## Examples
+
+To upgrade a database with the connection string `databaseConnectionString`, go to the Runtime folder of the newest version and launch the tool with the following argument:
+
+```
+**./Usercube-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString"**
+```
+
+If the database has been correctly upgraded, the following message should appear: `Database has been upgraded to version X.X.X`, with "X.X.X" being the newest version to which the migration was made.
+
+### With a Mode
+
+The following example runs the database upgrade tool only for backward compatible changes.
+
+```
+**./Usercube-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges**
+```
+
+### With the Execute Predefined
+
+The following example runs the database upgrade tool only for backward compatible changes and the predefined script. As the predefined script is always executed in the other modes, this option is useful only when specifying `--mode BackwardCompatibleChanges`.
+
+```
+**./Usercube-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges --execute-predefined**
+```
+
+## Arguments
+
+ | Argument Name | Details |
+ | --- | --- |
+ | --connection-string (-s) required | **Type** String **Description** Connection string to the database. **Example** `--connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"` |
+ | --execute-predefined optional | **Type** No Value **Description** Indicates that the predefined SQL file must be executed, when using the `BackwardCompatibleChanges` mode. |
+ | --mode default value: All | **Type** Enum **Description** `All` - run all the script types. `BackwardCompatibleChanges` - only execute backward compatible scripts. **Note:** the previous runtime can still work. `BreakingChanges` - only execute breaking scripts. **Note:** the server must be stopped. `CleanupChanges` - only execute cleanup scripts, to cleanup the database after the server restarted with the new runtime. **Example** `--mode BreakingChanges` |
+ | --force-version optional | **Type** String **Description** Forces the database version instead of using the current one to replay the migration scripts. |
diff --git a/docs/identitymanager/6.3/integration-guide/governance/accesscertification.md b/docs/identitymanager/6.3/integration-guide/governance/accesscertification.md
new file mode 100644
index 0000000000..f7a316633f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/accesscertification.md
@@ -0,0 +1,189 @@ +--- +title: "Access Certification" +description: "Access Certification" +sidebar_position: 20 +--- + +# Access Certification + +The Access Certification module enables chosen end-users to carry out assignment certification campaigns, which aim to certify assignments of entitlements. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for specific identities, in order to certify them and express an audit opinion that justifies their necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters you can choose to focus on: + +- A certain category of roles +- A certain type of assignment +- Assignments not certified since a certain date +- Assignments presenting a certain level of risk. See the +[Manage Risks](../../user-guide/optimize/risk-management) topic for additional information. + +Identity Manager uses an access certification campaign to define the campaign's scope including: + +- The start and end date of the campaign +- The group of entitlement assignments to be certified during the campaign. + +### Job for access certification + +After the campaign's creation, access certification items are assigned to reviewers (Identity Manager end-users) by the CreateAccessCertificationJob, composed of the following tasks: + +- Identity Manager-Update-AccessCertificationCampaign simply applies the campaign's scope, +determines which permissions are to be certified, by computing certification orders; +- Identity Manager-Set-AccessCertificationReviewer assigns one review for each access certification +item to end-users whose profile's scope of responsibility matches the entitlement to be certified; +- Identity Manager-Send-AccessCertificationNotification sends notifications to concerned reviewers. 
+- Identity Manager-Process-AccessCertificationItems processes the access certification item +decisions and generates the corresponding deprovisioning orders. + +## Set up the Configuration + +Configuring the Access Certification module entails: + +- Setting up profiles to carry out the certification +- Configuring their scope of responsibility +- Enabling automatic and forwarded assignments of access certification items to end-users + +### Campaign creation + +At least one Identity Manager profile needs permissions to create campaigns. + +Such permission can be granted using the AccessReviewAdministrationAccessControlRules scaffolding. See the [Access Review Administration Access Control Rules](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules) topic for additional information. + +The administrator profile, created with CreateAdministratorProfile scaffolding, already has these permissions. See the [Create Administrator Profile](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile) topic for additional information. + +If you are not using the AccessReviewAdministrationAccessControlRules scaffolding, the user cannot query on dimensions when editing the owner filters, so you need to give the permissions on the correct contexts: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +         +``` + +### Profile scope of responsibility + +The scope of responsibility of a profile is a set of criteria that defines which assignment of entitlements this profile will certify. For example, the **Manager** profile is responsible for reviewing entitlement assignments of identities working in their department. 
+ +A profile's scope of responsibility is configured by giving access, with access control rules, to a specific set of access certification items that match the profile's scope of responsibility criteria. + +The option to display only the **Approve** or **Deny** buttons next to the Access Certification items can be configured by the administrator on the UI in the **Settings**>**Features**. + +##### Example + +This example shows how to set the scope of responsibility for the **Manager** profile. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +                ... + +``` + +The filter indicates that a review with the **Manager** profile can only access items for which the binding Owner.Directory_User:MainRecord.Organization.Id matches their dimension organization's value. + +This example needs to be completed with either automatic assignment or manual assignment capabilities. + +For certification items to be assigned to a profile, a permission context has to be added to the access control rule. + +### Access certification item assignments + +Access certification items can be assigned to end-users via: + +- Automatic assignments, computed by the reviewer-setting task when a given profile's scope of +responsibility matches the entitlement to be certified +- Forwarded assignments, automatically assigned to an end-user, but then manually forwarded to +another user from the UI + +#### Automatic assignments + +For a profile to be the target of an automatic assignment of an access certification item, it needs the `/Custom/AccessCertification/AutoAssigned/{entityTypeName}` permission. + +##### Example + +This example completes the previous one by adding the automatic assignment capabilities. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +``` +                 +``` + +This example enables automatic assignments of access certification items that match the filter to end-users with the **Manager** profile. + +If the filter criterion is matched for several end-users, only one is assigned the certification item, and this assignment is made randomly. Therefore, in order to have a cleaner reviewing architecture, it is recommended to carefully set the Filter attributes in the access control rules so that no two end-users' scope of responsibility overlap. + +#### Forwarded assignments + +The target profiles need the following `/Custom/AccessCertification/ManualAssigned/{entityTypeName}` permission. + +The example below allows the **Manager** profile to be the target of forwarded assignments. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +             +``` + +There is no filter so the Manager profile can certify all forwarded certification orders for the Directory_User entity type, regardless of his previously configured scope of responsibility. + +It is recommended to have a larger scope for forwarded certification orders than for automatically assigned ones. + +### Certification policy + +Scopes of responsibility can also be defined in terms of access certification campaign policy. See the [AccessCertificationCampaignPolicy](../../integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy) topic for additional information. + +Assigning an access certification campaign policy to an access certification campaign allows the creation of campaigns dedicated specifically to one set of reviewers. + +The following example creates a new policy named Manager. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +``` + +``` + +It automatically appears on the campaign creation screen, and binds itself to the created campaign: + +![Campaign creation screen with policies](/images/identitymanager/creation_5.1.6.webp) + +To use it, modify the access control rules by adding a filter on the campaign policy. See the [Access Control Rule](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) topic for additional information. + +##### Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +                         +``` + +In this example, the **Manager** profile is only able to certify items for a campaign defined with the **Manager** policy. + +A default policy is already defined. If no filter is set when giving the permission, the policy is not considered. + +### Access certification item processing + +Once entitlement assignments have been reviewed (accepted or rejected), the final step is to apply these decisions with the processing task, eventually denying assignments. This is done through the UI. See the Access Certification topic for additional information. + +The user needs to have the correct permission to launch the item processing: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +     +``` + +It is also possible to add access control filters when creating the permission set so that users can only access certain type of campaigns. See the [Access Control Rule](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) topic for additional information. + +This permission also is given by the AccessReviewAdministrationAccessControlRules scaffolding. 
See the [Access Review Administration Access Control Rules](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules) topic for additional information. + diff --git a/docs/identitymanager/6.3/integration-guide/governance/index.md b/docs/identitymanager/6.3/integration-guide/governance/index.md new file mode 100644 index 0000000000..32c3f5569e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/governance/index.md 
@@ -0,0 +1,34 @@
+---
+title: "Governance"
+description: "Governance"
+sidebar_position: 120
+---
+
+# Governance
+
+Identity Manager's governance features intend to provide tools that control assignments of entitlements and measure IGA policies efficiency. Control over the assignments is achieved by designing a role model, automating assignments, using the risk management module, and performing certification campaigns. Measuring policies efficiency is enabled by reporting and auditing capabilities.
+
+Reporting, access certification campaigns and risk management are three important tools that complete the governance arsenal.
+
+## Reporting
+
+With reporting features, stakeholders can measure the effect of IGA policies on the assignment landscape and adjust if needed. Governance also helps produce audit-ready reports. You can start to set up governance features relatively early in your Identity Manager journey and measure your progress from the very start.
+
+Identity Manager puts users in control of their reporting. Rich features, such as the query module, help produce custom reports that can be used to check the assignment policy results, or gather information for an audit.
+
+## Access Certification Campaigns
+
+A certification campaign is a recurring event, scheduled for example every week, month or year, during which managers review their team members' entitlements. Sensitive assignments are then kept or removed.
+
+Certification campaigns are the best way to make sure past assignment decisions are still in the best interest of the organization. They can be a good way to mitigate a lack of automation in your assignment decisions concerning, for example, movers or leavers.
+
+Identity Manager's certification module also helps managers produce accurate reports that they can present to an auditor.
+
+See the [Access Certification](../../integration-guide/governance/accesscertification) topic to learn how to configure certification campaigns.
+
+## Risk Management
+
+The risk management module provides tools for identifying entitlement assignments that pose a security risk. The module facilitates the analysis and mitigation of different kinds of risks such as Segregation of Duties (SoD) or High Privilege. Risks can be used to identify sensitive assignments that should be reviewed first during a certification campaign.
+
+See the [Risk Management](../../integration-guide/governance/risks) topic to learn how to configure risks.
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/reporting/analyze-powerbi.md b/docs/identitymanager/6.3/integration-guide/governance/reporting/analyze-powerbi.md
new file mode 100644
index 0000000000..cf9bab0382
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/reporting/analyze-powerbi.md
@@ -0,0 +1,100 @@
+---
+title: "Analyze Identity Manager's Data with Power BI"
+description: "Analyze Identity Manager's Data with Power BI"
+sidebar_position: 20
+---
+
+# Analyze Identity Manager's Data with Power BI
+
+This topic explains how to prepare Identity Manager's data and use it in Power BI, with the final goal to generate user-friendly reports.
+
+## Overview
+
+[Power BI](https://powerbi.microsoft.com/en-us/why-power-bi/) is used with Identity Manager to generate user-friendly reports in an interactive way, based on Identity Manager's database.
+
+The SaaS edition [Power BI Service](https://www.microsoft.com/en-US/download/details.aspx?id=58494) contains an integrated Identity Manager connector, so we simply need to make Identity Manager's data usable by configuring a particular data model.
+
+As this new model is to be organized into XML elements called universes, we will call the new data model the universe model.
+
+Based on this model, Power BI will be able to:
+
+- query the database
+- generate a model containing the data that we want to include in reports
+- transform data if needed
+- generate customized graphic reports
+- publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises)
+
+![Process Schema](/images/identitymanager/powerbi_process.webp)
+
+## Prerequisites
+
+Identity Manager's licenses for Power BI as well as Identity Manager Data are required to operate.
+
+Integrators need to know:
+
+- Identity Manager's data model, i.e. the entity names, the associations between the entities to
+display, etc. from both Identity Manager-hard-coded and customized parts
+- what data needs to be displayed in the end
+
+:::note
+ Power BI is able to analyze all Identity Manager's data, hard-coded and customized, but only current data, i.e. nothing from the history.
+:::
+## Analyze Identity Manager's Data with Power BI
+
+Build the universe model by proceeding as follows:
+
+**Step 1 –** Define the appropriate universes using scaffoldings. See the [Queries](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries) topic for additional information.
+
+:::tip
+ Remember, in order to understand business intelligence, with its universes, entity instances and association instances. See the [Universe](../../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) topic for additional information. Also note that XML objects that automatically generate XML snippets that would be complex and/or tedious to write manually. See the[Scaffoldings](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings) topic for additional information.
+:::
+Netwrix recommends creating no more than one universe to generate one report, to prevent issues about name uniqueness.
+
+**Step 2 –** Connect Power BI to Identity Manager to visualize the output model. See the [Connect Power BI to Identity Manager](../../../integration-guide/governance/reporting/how-tos/connect-powerbi) topic for additional information.
+
+The Power BI applications **Desktop**, **Service** and **Report Server** all offer the Identity Manager plugin to access Identity Manager's database.
+
+**Step 3 –** Remember to clear the cache in Power BI when modifying universes, to ensure that all changes are considered.
+
+**Step 4 –** Customize the queries in Power BI, if needed, with the [M language](https://docs.microsoft.com/en-us/powerquery-m).
+
+You can see in Power BI queries that Identity Manager must be specified as a source via the expression `Source = Usercube.Universes("")`.
+
+Integrators may need to customize the model to make it more understandable and easily usable by end-users.
+
+For example, the following M query removes the column Company Id from the table Directory_User_Records, considering that we do not need it for future reports.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+let
+    Source = Usercube.Universes(""})
+in
+    Directory_User_Records_WithoutCompany
+```
+
+Another common use for manual queries is the denormalization of the model, when it simplifies the future queries and reports for end-users.
+
+**Step 5 –** Generate reports and publish them for end-users by following the steps listed in the [Power BI documentation.](https://docs.microsoft.com/en-us/power-bi/create-reports/)
+
+This is how you analyze Identity Manager data through Power BI.
+
+## Maintain the Model
+
+In order to maintain the model you must remember the ones listed below.
+
+**Refresh data**
+
+You must define, in Power BI Service or Report Server, a frequency for data refresh so that reports display up-to-date data. See the [Power BI documentation](https://docs.microsoft.com/en-us/power-bi/connect-data/refresh-data) for additional information.
+
+Data is often refreshed once a day. Define the refresh frequency according to your needs.
+
+**Foresee the Impact of Model Modifications**
+
+A change inside an existing entity, for example adding a scalar field, does not require any particular actions on the universe model.
+
+A change in an association requires making the corresponding change in the universe model, as association instances (in the universe model) are based on entity associations in Identity Manager's data model. See the [Entity Association](../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/reporting/connect-powerbi.md b/docs/identitymanager/6.3/integration-guide/governance/reporting/connect-powerbi.md
new file mode 100644
index 0000000000..b027d41fea
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/reporting/connect-powerbi.md
@@ -0,0 +1,63 @@
+---
+title: "Connect Power BI to Identity Manager"
+description: "Connect Power BI to Identity Manager"
+sidebar_position: 10
+---
+
+# Connect Power BI to Identity Manager
+
+This guide shows how to connect Power BI to Identity Manager.
+
+## Overview
+
+When facing a periodic need for producing specific reports, especially when a visual presentation is required, Identity Manager offers the possibility to connect to the [Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will allow you to create customized reports with a vast range of display options (such as graphs, charts, matrixes, etc.) using Identity Manager's universes.
+
+## Prerequisites
+
+- Power BI Desktop must be installed on your device.
+- Identity Manager's server must be running.
+
+## Connect Power BI to Identity Manager
+
+Connect Power BI to Identity Manager by proceeding as follows:
+
+1. Open Power BI Desktop.
+2. Click on **Get data** either in the welcome window or in the home menu.
+
+ ![Get Data](/images/identitymanager/powerbi_getdata.webp)
+
+3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and
+click on **Connect**.
+
+ ![Get Data Window](/images/identitymanager/powerbi_getdatawindow.webp)
+
+4. Enter Identity Manager's server URL in the opening window.
+
+ ![Server URL](/images/identitymanager/powerbi_url.webp)
+
+5. In the opening window, enter the
+[OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient)of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of `OpenIdClient` with `@` and Identity Manager's domain name. See the following example.
+
+ ![Client Id / Client Secret](/images/identitymanager/powerbi_clientid.webp)
+
+6. You can now access in the left panel the
+[Universe](../../../integration-guide/toolkit/xml-configuration/business-intelligence/universe)from Identity Manager configuration.
You can click on the desired universe to expand it, and view and pick the desired tables.
+
+ ![Universe Panel](/images/identitymanager/powerbi_universes.webp)
+
+**Power BI tip:** to view a table, click on its name. To select a table, check the box next to the table's name.
+
+7. Once you've selected all the tables you need, click on **Load** to import data to the Power BI
+report. You can also click on **Transform data** to open the query editor and make other changes in your tables, rows and columns.
+
+## Clear the Cache
+
+Remember to clear the cache in Power BI to ensure that all changes are considered.
+
+Clear the cache by proceeding as follows:
+
+1. In Power BI, click on **File** > **Options and settings** > **Options**.
+2. In the **Data Load** tab, click on **Clear Cache**.
+
+ ![Clear Cache](/images/identitymanager/powerbi_clearcache.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/analyze-powerbi.md b/docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/analyze-powerbi.md
new file mode 100644
index 0000000000..1ff194de90
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/analyze-powerbi.md
@@ -0,0 +1,94 @@
+# Analyze Identity Manager's Data with Power BI
+
+This topic explains how to prepare Identity Manager's data and use it in Power BI, with the final goal to generate user-friendly reports.
+
+## Overview
+
+[Power BI](https://powerbi.microsoft.com/en-us/why-power-bi/) is used with Identity Manager to generate user-friendly reports in an interactive way, based on Identity Manager's database.
+
+The SaaS edition [Power BI Service](https://www.microsoft.com/en-US/download/details.aspx?id=58494) contains an integrated Identity Manager connector, so we simply need to make Identity Manager's data usable by configuring a particular data model.
+
+As this new model is to be organized into XML elements called universes, we will call the new data model the **universe model**.
+
+Based on this model, Power BI will be able to:
+
+- query the database
+- generate a model containing the data that we want to include in reports
+- transform data if needed
+- generate customized graphic reports
+- publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises)
+
+![Process Schema](/images/identitymanager/powerbi_process.webp)
+
+## Prerequisites
+
+Identity Manager's licenses for Power BI as well as Identity Manager Data are required to operate.
+
+Integrators need to know:
+
+- Identity Manager's data model, i.e. the entity names, the associations between the entities to
+display, etc. from both Identity Manager-hard-coded and customized parts
+- what data needs to be displayed in the end
+
+:::note
+ Power BI is able to analyze all Identity Manager's data, hard-coded and customized, but only current data, i.e. nothing from the history.
+:::
+## Analyze Identity Manager's Data with Power BI
+
+Build the **universe model** by proceeding as follows:
+
+**Step 1 –** Define the appropriate universes using scaffoldings.
See the [Queries](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries) topic for additional information.
+
+:::tip
+ Remember, in order to understand business intelligence, with its universes, entity instances and association instances. See the [Universe](../../../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) topic for additional information. Also note that XML objects that automatically generate XML snippets that would be complex and/or tedious to write manually. See the[Scaffoldings](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings) topic for additional information.
+:::
+Netwrix recommends creating no more than one universe to generate one report, to prevent issues about name uniqueness.
+
+**Step 2 –** Connect Power BI to Identity Manager to visualize the output model. See the [Connect Power BI to Identity Manager](../../../../integration-guide/governance/reporting/how-tos/connect-powerbi) topic for additional information.
+
+The Power BI applications **Desktop**, **Service** and **Report Server** all offer the Identity Manager plugin to access Identity Manager's database.
+
+**Step 3 –** Remember to clear the cache in Power BI when modifying universes, to ensure that all changes are considered.
+
+**Step 4 –** Customize the queries in Power BI, if needed, with the [M language](https://docs.microsoft.com/en-us/powerquery-m).
+
+You can see in Power BI queries that Identity Manager must be specified as a source via the expression `Source = Usercube.Universes("")`.
+
+Integrators may need to customize the model to make it more understandable and easily usable by end-users.
+
+For example, the following M query removes the column Company Id from the table Directory_User_Records, considering that we do not need it for future reports.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+let
+    Source = Usercube.Universes(""})
+in
+    Directory_User_Records_WithoutCompany
+```
+
+Another common use for manual queries is the denormalization of the model, when it simplifies the future queries and reports for end-users.
+
+**Step 5 –** Generate reports and publish them for end-users by following the steps listed in the [Power BI documentation.](https://docs.microsoft.com/en-us/power-bi/create-reports/)
+
+This is how you analyze Identity Manager data through Power BI.
+
+## Maintain the Model
+
+In order to maintain the model you must remember the ones listed below.
+
+**Refresh data**
+
+You must define, in Power BI Service or Report Server, a frequency for data refresh so that reports display up-to-date data. See the [Power BI documentation](https://docs.microsoft.com/en-us/power-bi/connect-data/refresh-data) for additional information.
+
+Data is often refreshed once a day. Define the refresh frequency according to your needs.
+
+**Foresee the Impact of Model Modifications**
+
+A change inside an existing entity, for example adding a scalar field, does not require any particular actions on the **universe model**.
+
+A change in an association requires making the corresponding change in the **universe model**, as association instances (in the **universe model**) are based on entity associations in Identity Manager's data model. See the [Entity Association](../../../../integration-guide/toolkit/xml-configuration/metadata/entityassociation) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/connect-powerbi.md b/docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/connect-powerbi.md
new file mode 100644
index 0000000000..10f6b16ac5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/reporting/how-tos/connect-powerbi.md
@@ -0,0 +1,57 @@
+# Connect Power BI to Identity Manager
+
+This guide shows how to connect Power BI to Identity Manager.
+
+## Overview
+
+When facing a periodic need for producing specific reports, especially when a visual presentation is required, Identity Manager offers the possibility to connect to the [Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will allow you to create customized reports with a vast range of display options (such as graphs, charts, matrixes, etc.) using Identity Manager's universes.
+
+## Prerequisites
+
+- Power BI Desktop must be installed on your device.
+- Identity Manager's server must be running.
+
+## Connect Power BI to Identity Manager
+
+Connect Power BI to Identity Manager by proceeding as follows:
+
+1. Open Power BI Desktop.
+2. Click on **Get data** either in the welcome window or in the home menu.
+
+ ![Get Data](/images/identitymanager/powerbi_getdata.webp)
+
+3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and
+click on **Connect**.
+
+ ![Get Data Window](/images/identitymanager/powerbi_getdatawindow.webp)
+
+4. Enter Identity Manager's server URL in the opening window.
+
+ ![Server URL](/images/identitymanager/powerbi_url.webp)
+
+5. In the opening window, enter the
+[OpenIdClient](../../../../integration-guide/toolkit/xml-configuration/access-control/openidclient)of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of `OpenIdClient` with `@` and Identity Manager's domain name. See the following example.
+
+ ![Client Id / Client Secret](/images/identitymanager/powerbi_clientid.webp)
+
+6. You can now access in the left panel the
+[Universe](../../../../integration-guide/toolkit/xml-configuration/business-intelligence/universe)from Identity Manager configuration. You can click on the desired universe to expand it, and view and pick the desired tables.
+
+ ![Universe Panel](/images/identitymanager/powerbi_universes.webp)
+
+**Power BI tip:** to view a table, click on its name. To select a table, check the box next to the table's name.
+
+7. Once you've selected all the tables you need, click on **Load** to import data to the Power BI
+report. You can also click on **Transform data** to open the query editor and make other changes in your tables, rows and columns.
+
+## Clear the Cache
+
+Remember to clear the cache in Power BI to ensure that all changes are considered.
+
+Clear the cache by proceeding as follows:
+
+1. In Power BI, click on **File** > **Options and settings** > **Options**.
+2. In the **Data Load** tab, click on **Clear Cache**.
+
+ ![Clear Cache](/images/identitymanager/powerbi_clearcache.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/reporting/index.md b/docs/identitymanager/6.3/integration-guide/governance/reporting/index.md
new file mode 100644
index 0000000000..70a70f5941
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/reporting/index.md
@@ -0,0 +1,12 @@
+---
+title: "Reporting"
+description: "Reporting"
+sidebar_position: 10
+---
+
+# Reporting
+
+The Reporting module is used to generate basic reports in CSV using [API query grammar](../../../integration-guide/api/squery), or advanced reports using the [Business Intelligence](../../../integration-guide/toolkit/xml-configuration/business-intelligence) module.
+
+See the [Generate Reports](../../../user-guide/administrate/reporting) topic for additional information on generating reports.
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/review-prolonged-entitlements.md b/docs/identitymanager/6.3/integration-guide/governance/review-prolonged-entitlements.md
new file mode 100644
index 0000000000..a65a46cc5b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/review-prolonged-entitlements.md
@@ -0,0 +1,22 @@
+---
+title: "Review Prolonged Entitlements"
+description: "Review Prolonged Entitlements"
+sidebar_position: 30
+---
+
+# Review Prolonged Entitlements
+
+This guide shows how to allow a manager to review the permissions prolonged by a grace period.
+
+## Overview
+
+Consider an entitlement given via a role which is defined with a grace period. Consider that this role is assigned automatically to some users by a rule of the role model. If this rule changes and the users are supposed to lose the role, then they keep it for the time defined by the grace period, and the role's workflow state switches from `Automatic` to `Prolonged`. Then a manager must access these entitlements in the **Role Review** screen, to either approve or decline the role prolongation. See the [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) topic for additional information.
+
+## Assign the Right to Review Prolonged Entitlements
+
+The right to review prolonged entitlements is given by adding the appropriate `AccessControlRule` on a profile. A profile should get the right to review prolonged entitlements given for both single and composite roles. Technically speaking, we need to create one access control rule for assigned single roles, and another one for assigned composite roles. In this case we give access to the workflow state 27 which is the workfow state `Prolonged` linked with the grace period.
+
+```
+
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/governance/risks.md b/docs/identitymanager/6.3/integration-guide/governance/risks.md
new file mode 100644
index 0000000000..fd49cf69e3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/governance/risks.md
@@ -0,0 +1,123 @@
+---
+title: "**Risk Management**"
+description: "**Risk Management**"
+sidebar_position: 40
+---
+
+# **Risk Management**
+
+The **Risk Management** module provides tools for identifying assignments of entitlement that pose a security risk. The module helps analyze and mitigate different kinds of risks such as _Segregation of Duties_ or _High Privilege_. This is the basis for auditing and performing access certifications with a risk-based method.
+
+## Overview
+
+A [Risk](../../integration-guide/toolkit/xml-configuration/provisioning/risk) describes a sensitive situation of entitlement assignments that needs to be monitored.
+
+**Risk Management** is essential to auditing. End-users can define models of risks, assigned to identities based on their entitlement assignments. This action identifies identities whose entitlement landscape might pose a threat or a surface of attack. The identified risks for a given identity inform the auditor about the exact nature of the threat to help making decisions and finding methods of remediation.
+
+To identify the identities that represent the highest risk, Identity Manager computes a risk score for all identities, based on both the roles already assigned and the roles that are subject of the current request. The higher the score, the higher the threat. The identities with the highest risk scores are the priority of the next [Access Certification](../../integration-guide/governance/accesscertification) campaign.
+
+See the [Manage Risks](../../user-guide/optimize/risk-management)topic for additional information on how to use the **Risk Management** module to identify entitlement assignments that pose a security risk.
+
+## Risk Definition
+
+A [Risk](../../integration-guide/toolkit/xml-configuration/provisioning/risk) is an object that describes a sensitive situation of assignments of entitlements.
+
+The assignment of a risk to an identity highlights, for a potential auditor, the need to closely reconsider said the assignments of said identity.
+
+A risk is always:
+
+- part of a [Policy](../../integration-guide/toolkit/xml-configuration/provisioning/policy);
+- assigned to identities belonging to a specific entity type that was decided during the risk
+creation;
+- organized inside a type;
+- linked to an exemption policy.
+
+## Risk Type
+
+The type of a risk informs the auditor about the exact nature of the situation that the risk describes. It helps understand the possible causes, the importance of the security threat and methods of remediation.
+
+Identity Manager supports two types of risks:
+
+- a **segregation-of-duties** risk identifies a threat due to the conjunction of two or more
+fine-grained entitlements for the same identity, for example if an identity requests an entitlement and is also the validator for said entitlement;
+- a **high-privilege** risk identifies a threat due to the assignment of one or more highly sensitive
+entitlements, for example the `Domain User` group in an Active Directory.
+
+## Risk Exemption Policy
+
+All risks are assigned an exemption policy that defines the behavior of Identity Manager regarding risks when entitlements are manually requested.
+
+### **blocking**
+
+Risk-triggering permission requests can be forbidden with the **blocking** exemption policy. If at least one of the detected risks in the requested entitlement set has the **blocking** exemption policy, then Identity Manager does not allow the set to be requested at all. A message is displayed and the request must be cancelled:
+
+![Exemption Policy - **blocking**](/images/identitymanager/risks_blocking_v522.webp)
+
+### **approval required**
+
+Yet, instead of being unilaterally forbidden, risk-triggering permission requests can be authorized with an additional role review approval with the **approval required** exemption policy.
If at least one of the detected risks in the requested entitlement set has the **approval required** exemption policy, then Identity Manager adds a step where this new set must be reviewed by a knowledgeable user like a security officer. A message is displayed and the request can be continued or cancelled:
+
+![Exemption Policy - **approval required**](/images/identitymanager/risks_requiredapproval_v522.webp)
+
+If the request is performed, then a line appears on the **Role Review** screen.
+
+The workflow state of said request is `Manual`, `Pending approval (risks)` and shows the following risk icon.
+
+![Home Page - Role Review](/images/identitymanager/risks_riskicon_v522.svg)
+
+### **warning**
+
+Risk-triggering permissions can also be allowed with only a **warning** with the **warning** exemption policy. If all detected risks in the requested entitlement set has the **warning** exemption policy, then Identity Manager displays a message and the request can be continued or cancelled:
+
+![Exemption Policy - **warning**](/images/identitymanager/risks_warning_v522.webp)
+
+### Upon Profile
+
+The **blocking** and **approval required** exemption policies can be ignored according to the profile of the user and their scope of responsibility, with respectively the **blocking** upon profile and **approval required** upon profile exemption policies. Then they can be assimilated to the **warning** policy if the user has the right permission, respectively **/ProvisioningPolicy/Risk/OverrideBlocking** and **/ProvisioningPolicy/Risk/OverrideApproval**, otherwise they behave like the **blocking** and **approval required** policies.
+
+Like in the example below, the two permissions can be chained together. For the connected user, a risk that would have been **blocking** otherwise, is just a **warning**.
+
+```
+ <AccessControlRule Profile="Administrator" EntityType="Risk" Identifier="Administrator_Risk_Override" DisplayName_L1="Administrator_Risk_Override"> <Entry Permission="/ProvisioningPolicy/Risk/OverrideBlocking" CanExecute="true" /> <Entry Permission="/ProvisioningPolicy/Risk/OverrideApproval" CanExecute="true" />
+```
+
+## Risk Assignment
+
+### Risk Rules
+
+[Risk](../../integration-guide/toolkit/xml-configuration/provisioning/risk) are assigned to resources manually by a knowledgeable user or automatically, by the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm.
+
+When a risk is assigned to a resource, a new identified risk is created under the `UP_IdentifiedRisks` table.
+
+Automatic assignment of risks is based on [Risk](../../integration-guide/toolkit/xml-configuration/provisioning/risk) rules. For each new fine-grained assignment on a resource, risk rules are applied. If one of the rules matches the resource state, the related risks are assigned to the resource. Those rules are themselves based on fine-grained entitlements, such as an Active Directory account or group membership, modeled by the navigation rules within Identity Manager. See the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information.
+
+A risk rule states that a risk is assigned to a resource if the resource has one or several specific fine-grained entitlements. The number of triggering entitlements depends on the risk type. For example, the **segregation-of-duties** risks depends on at least two entitlements. The other types of risk depend on one or more entitlements.
+
+### Fine-grained entitlement
+
+A fine-grained entitlement assigned to a resource-identity in Identity Manager is modeled by navigation property values of the resources owned by the identity.
+
+To write a risk rule, the end-user has to describe a fine-grained entitlement for a resource-identity.
+
+This is the way:
+
+1. Choose an [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) of which
+the resource-identity could be owner.
+2. Choose a navigation property of that entity type.
+3. Choose a value for that navigation property. The value would be a resource from the unified
+resource repository.
+
+This final value is a fine-grained entitlement, linked to the owner resource-identity through the navigation property and the ownership relationship.
+
+## Risk Score
+
+Once [Risk](../../integration-guide/toolkit/xml-configuration/provisioning/risk) are assigned to identities, Identity Manager computes a risk score for each relevant identity.
+
+This score allows an auditor to prioritize the [Access Certification](../../integration-guide/governance/accesscertification) campaign. The identity with the highest risk score poses a more serious security threat and has to be handled first.
+
+During access certification, assignments that are responsible for triggering the risk will be examined and then, kept or discarded.
+
+The risk score computation is performed by the risk score task.
+
+![Compute Risk Score Task](/images/identitymanager/risks_riskcomputetask_v522.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/identity-management/identity-repository.md b/docs/identitymanager/6.3/integration-guide/identity-management/identity-repository.md
new file mode 100644
index 0000000000..258d31b211
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/identity-management/identity-repository.md
@@ -0,0 +1,57 @@
+---
+title: "Identity Repository"
+description: "Identity Repository"
+sidebar_position: 10
+---
+
+# Identity Repository
+
+One of the main purposes of an IGA tool is to build a comprehensive repository containing all identities in the organization. This repository is essential in order to set up the features for identity lifecycle management, and manage entitlement assignments.
+
+## Overview
+
+The identity repository is supposed to contain the list of all kinds of identities in the company. Each identity will be represented by a set of properties that are to be used in the calculations for entitlement assignments.
+
+> For example, a user can be represented by an identifier and linked to their position which
+> includes the user's employee id, last name and first name, email, user type, organization, etc.
+>
+> ![Identity Repository Example](/images/identitymanager/identityrepository-example.webp)
+
+> In Identity Manager, the identity repository can look like the following:
+>
+> ![Identity Repository Result](/images/identitymanager/identityrepository_v602.webp)
+>
+> ![Identity Example](/images/identitymanager/identityrepository-person_v602.webp)
+
+The identity repository can be created and updated by:
+
+- uploading an Excel file provided by Identity Manager with the right model;
+- using Identity Manager's workflows;
+- synchronizing HR files to Identity Manager via a specific connector.
+
+Netwrix Identity Manager (formerly Usercube) recommends creating the identity repository by downloading the provided Excel file, filling it with HR information, and uploading it back. See the [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) topic to learn how to create the workforce repository.
+
+Then perform mass updates with the same kind of process, and update an Individual Identity via Identity Manager's workflows.
See the [Update Identities in Bulk](../../user-guide/maintain/identity-data-modification/mass-update) and [Update an Individual Identity](../../user-guide/maintain/identity-data-modification/individual-update)topics for additional information.
+
+### Useful data
+
+Not all data is useful for identity governance and administration. Thus, to start designing the repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the data that:
+
+- needs to be provisioned to the managed applications;
+
+ > For example, if you need to provision users' phone numbers in a given application, then you
+ > should fill in the workforce repository's `Phone Number` property.
+
+- is needed to manage identities' lifecycles;
+
+ > For example, consider that internal employees must be managed by HR officers only, then you'll
+ > need to identify whether users are internal employees or external contractors. Then you should
+ > make sure that you fill an `Employee Type` property with at least two values: one for internal
+ > employees, and one for external contractors.
+
+- is needed to automatically grant permissions.
+
+ > For example, if a user's position title ("manager" for instance), defines what users currently
+ > do, and thus what permissions they need, then you should make sure to fill in a property
+ > storing the position's title in the workforce repository.
+
diff --git a/docs/identitymanager/6.3/integration-guide/identity-management/index.md b/docs/identitymanager/6.3/integration-guide/identity-management/index.md
new file mode 100644
index 0000000000..24ac40668b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/identity-management/index.md
@@ -0,0 +1,29 @@
+---
+title: "Identity Management"
+description: "Identity Management"
+sidebar_position: 10
+---
+
+# Identity Management
+
+Identity management is about creating a repository of identities (all kinds of identities) along with the entitlements that they need to work. One of the main purposes of an IGA tool is to help create the identity repository, and to keep it up-to-date with identities' lifecycles within the company.
+
+"Identities' lifecycles" mean any Joiners, Movers and Leavers (JML) process, i.e. staff changes, i.e. any user's onboarding, position modification and offboarding.
+
+See the [Identity Repository](../../integration-guide/identity-management/identity-repository) topic for additional information. See the [Identity Lifecycle: Joiners, Movers and Leavers](../../integration-guide/identity-management/joiners-movers-leavers) topic for additional information on how Identity Manager handles the Joiners, Movers and Leavers (JML) process.
+
+Identities in Identity Manager are mostly humans, both internal and external workers, but can also be applications, bots, service accounts, or anything.
+
+Identities are stored in the database as [Resources](../../integration-guide/resources), which helps with Identity Manager's internal mechanisms, for example to modelize identities with [Entity Model](../../integration-guide/entity-model) types.
+
+Additional interesting parts of identity management are:
+
+- the synchronization of identity changes through several repositories, for example both Identity
+Manager and the AD;
+- the provisioning of identity properties directly to the connected systems, based on the
+computation of the [Role Model](../../integration-guide/role-model).
+
+See the [Synchronization](../../integration-guide/synchronization) topic for additional information.
+
+See the [Provisioning](../../integration-guide/provisioning) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/index.md b/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/index.md
new file mode 100644
index 0000000000..4b58e08518
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/index.md
@@ -0,0 +1,14 @@
+---
+title: "Identity Lifecycle: Joiners, Movers and Leavers"
+description: "Identity Lifecycle: Joiners, Movers and Leavers"
+sidebar_position: 20
+---
+
+# Identity Lifecycle: Joiners, Movers and Leavers
+
+Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: records.
+
+In Identity Manager, the JML process is done through workflows or through synchronization to the HR system.
+
+See the [Onboarding and Offboarding](../../../integration-guide/identity-management/joiners-movers-leavers/on-offboarding) and [Position Change via Records](../../../integration-guide/identity-management/joiners-movers-leavers/position-change) topics for additional information on onboarding and offboarding and position changes via records.
+
diff --git a/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md b/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md
new file mode 100644
index 0000000000..77669c2585
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md
@@ -0,0 +1,55 @@
+---
+title: "Onboarding and Offboarding"
+description: "Onboarding and Offboarding"
+sidebar_position: 10
+---
+
+# Onboarding and Offboarding
+
+In Identity Manager, onboarding and offboarding are done through workflows or through synchronization to the HR system.
+
+## Onboarding
+
+The onboarding process for a new employee or contractor is materialized by the **creation of a new resource** in the identity repository. This creation triggers the fulfillment of the entitlements required by the user to perform their duties and be productive on day one.
+
+The entitlement fulfillment can be performed in different ways:
+
+- Identity Manager suggests the entitlements needed by the new user, prepares the provisioning
+procedures, and wait for the manual trigger of a manager or security officer.
+- Identity Manager automatically triggers the provisioning of the entitlements needed by the new
+user, without any more human input.
+
+See the [Role Assignment](../../../integration-guide/role-assignment) topic for additional information on entitlement assignment.
+
+The automation of the entitlement assignment processes can be really helpful. However, you should not be looking for a full automation, but rather the smart automation of basic assignments such as "birthrights", while the sensitive ones keep a manual process.
+
+See the [Automate Assignments](../../../user-guide/optimize/assignment-automation) topic for additional information about the assignment automation.
+
+## Offboarding
+
+The offboarding process doesn't necessarily mean the deletion of the resource from the identity repository because, for legal and/or security purposes, the company may need to be able to access a person's history in the company for a certain time, even after their departure.
+
+This is why the departure triggers the **removal of all entitlements** for the departing identity. Hence, Identity Manager knows all the past and present entitlements of any identity.
+
+## **period of validity**
+
+The joining and leaving of an identity are materialized by the identity's **period of validity**. This way, the resource is valid from the start date until the end date.
+
+These start and end dates can be configured to be different from the actual start and end dates of the user's contract in the company.
+
+These dates should then be part of entity types' properties (for example as `StartDate` and `EndDate`), in order to be used in [Record Section](../../../integration-guide/toolkit/xml-configuration/provisioning/recordsection) and [Context Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/contextrule).
+
+![Identities - Validity Period](/images/identitymanager/validityperiod.webp)
+
+At the start date, the resource is created and a few entitlements are assigned to the identity.
+
+Between the start and end dates, the identity is part of all of Identity Manager's calculations (role model, etc.).
+
+At the end date, all the entitlements previously assigned to the identity are removed.
+
+After the end date and until its explicit deletion, the resource is still in the identity repository, but it is not part of any calculation anymore.
+
+Keeping track of former employees usually helps solve issues involving orphan accounts.
+
+A resource is deleted either via a resource-deletion workflow, or via the synchronization of HR files if the user was removed from HR lists.
+
diff --git a/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/position-change.md b/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/position-change.md
new file mode 100644
index 0000000000..41ffb81caa
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/identity-management/joiners-movers-leavers/position-change.md
@@ -0,0 +1,158 @@
+---
+title: "Position Change via Records"
+description: "Position Change via Records"
+sidebar_position: 20
+---
+
+# Position Change via Records
+
+Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: records and contexts.
+
+In Identity Manager, position changes are made through workflows or through synchronization to the HR system.
+
+## Overview
+
+The entitlements of a user must be updated with the user's position changes: the entitlements needed for the previous position are removed, and the entitlements needed for the next position are added. This is essential to **prevent users from cumulating entitlements** when moving.
+
+Just like onboarding, the entitlement fulfillment can be performed either by using Identity Manager's suggestions for the needed entitlements and adjusting them, or trusting Identity Manager with an automated fulfillment.
+
+Identity Manager's calculations for entitlement assignments rely on heuristics, through identities' key properties called [Entitlement Management](../../../introduction-guide/overview/entitlement-management).
+
+> For example, consider an entity type modeling identities with their job title, department and
+> location.
+>
+> Then a user working as a accountant in Paris will receive different entitlements from another user
+> working as a marketing specialist in Scranton.
+
+Hence **entitlement assignment is usually based on identities' positions**.
+
+Within the company, an identity can hold one or several positions, sometimes several positions simultaneously.
+
+## A Model for Identity Changes
+
+Any change in an identity's lifecycle, such as a position change, usually entails a change in a given set of properties simultaneously.
+
+> For example, a position change can typically trigger a change at least in the job title and
+> location, together with the position start and end dates.
+
+It seems natural to model identities by splitting their properties into three entities: one for users' personal data, one for their contract(s) and one for their position(s):
+
+![Records Origin - Three-Entity Model](/images/identitymanager/recordsorigin_firstmodel.webp)
+
+A user can have several positions over time, even simultaneously. A user's contract can change over time too. Even personal data is subject to change. This is why we can have several sets of personal data (and/or several contracts and/or several positions) for a single user, and also why the `User` entity is meant to contain only users' unique identifiers.
+
+> For example, in personal data a marriage can imply a name change, a user can start with a
+> fixed-term contract and change to a permanent one, and position change is obvious.
+
+Even without allowing simultaneous positions, contracts or personal data sets, this model helps **anticipate upcoming changes**.
+
+### Contexts
+
+The model is supposed to facilitate the [Provisioning](../../../integration-guide/provisioning) provisioning of user data and entitlements, yet this first model does not meet all expectations. In case of multiple personal data sets for a single user over time, or multiple contracts, or multiple positions, which values should be used to apply the rules of the role model? How to combine all start and end dates to make sure that all rules are applied based on the right input? These issues imply complex C# expressions in provisioning rules.
+
+> For example, let's write a C# expression to compute users' **display names** based only on their first
+> and last names.
To make sure that **display names** are computed using valid input, we write the
+> following:
+>
+> ```
+>
+> C#:user:return user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.FirstName + ' ' + personalData.LastName).FirstOrDefault();
+>
+> ```
+>
+> Now a more complex example: let's write a C# expression to compute users' **departments** based on
+> their organization's **display names**, but also their employee identifiers in parenthesis:
+>
+> ```
+>
+> C#:user:return user.Positions.Where(position => position.Start < DateTime.Now && position.End > DateTime.Now).Select(position => position.Organization.DisplayName).FirstOrDefault() + " (" + user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.EmployeeId).FirstOrDefault() + ")";
+>
+> ```
+
+To simplify the expressions, the model needs to be "flattened" in order to provide all the data of a given user, valid at a given date. Hence users must be modeled by a set datasheets generated by Identity Manager, where all values in one datasheet are valid on a given time period.
+
+> For example, consider the following situation: Mark Barn is a user who has, at day D0, a given set
+> of personal data, a given contract and a given position. At day D1, his contract changes from
+> fixed-term to permanent. At day D2, he starts an additional position. The two positions overlap
+> from day D2 to day D3 when the first position ends.
+>
+> ![User Example](/images/identitymanager/recordsorigin_userexample.webp)
+>
+> Over time, the three entities are as follows:
+>
+> ![Example - Timelines](/images/identitymanager/recordsorigin_timelines.webp)
+>
+> From this, Identity Manager is able to combine the start and end dates of all entities at all
+> times to generate the following datasheets, named contexts:
+>
+> ![Example - Contexts](/images/identitymanager/recordsorigin_contexts.webp)
+
+Contexts are the result of the combination of all entities (personal data, contract and position) so that all values contained in a given context are valid on a given period of time.
+
+Users can be modeled by up to n\*n\*n contexts, and even more when elements overlap (positions in this example).
+
+The complexity that comes from the combination of all start and end dates is tackled by Identity Manager's engine when it generates users' contexts. As the start and end dates of each value are pre-computed by Identity Manager, this user model highly **simplifies provisioning rules**.
+
+> The C# expressions from the previous example can be written, for the same result, as the
+> following, first for users' **display names**, then **departments**:
+>
+> ```
+>
+> C#:record:return record.FirstName + ' ' + record.LastName;
+>
+> ```
+>
+> C#:record:return record.Organization.DisplayName + " (" + record.EmployeeId + ")";
+>
+> ```
+>
+> ```
+
+### Records
+
+The final step to a viable model is to find a way to **store optimally** this context model in the database, in order to be able to perform fast requests.
Hence, the final model gathers all entities (personal data, contracts and positions), including their respective start and end dates, into a single entity named records, where a context is a record instance:
+
+![Records Origin - Final Model](/images/identitymanager/recordsorigin_thirdmodel.webp)
+
+While there are as many contexts for a user as the number of changes in the user's datasheet, there are only as many records as needed to store each value at least once.
+
+> With the example used for the explanation of contexts with `PD`, `C1`, `C2`, `P1` and `P2`, we
+> generate 5 contexts but store only 2 records: `{PD; C1; P1}` and `{PD; C2; P2}`.
+>
+> From these 2 records, we can rebuild the 5 contexts.
+
+Contexts can be considered as the conversion tool between the two user models.
+
+This way, the model stores only Max(n) records instead of n\*n\*n.
+
+Plus, Identity Manager does not need to archive old data, because records and contexts are used only to simplify the application of provisioning rules. As only valid values are provisioned, there is no need to keep track.
+
+This means that a change to be **effective immediately** will not trigger the creation of a new record nor a new context. The record containing the old data will simply be updated.
+
+A change to be **effective in future** can trigger the creation of a new record.
+
+### Configuration
+
+This identity model can be implemented by configuring a [Context Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/contextrule) and [Record Section](../../../integration-guide/toolkit/xml-configuration/provisioning/recordsection):
+
+````
+``````
+
+*Personal data section (default section):*
+
+*Contract section:* `````` `````` ``````
+
+*Position section:* `````` `````` `````` `````` `````` `````` `````` `````` `````` `````` ``````
+
+````
+## Position Change
+
+The position change process for an existing worker is materialized by the assignment/update/removal
+of a record to/from an identity. This assignment/update/removal triggers the fulfillment of the
+entitlements required by the user based on the properties of a valid record.
+
+When several contexts are valid at the same time for a given identity, conflicts can arise during
+entitlement assignment. They are solved by Identity Manager's engine that establishes a priority
+between valid contexts.
+
diff --git a/docs/identitymanager/6.3/integration-guide/index.md b/docs/identitymanager/6.3/integration-guide/index.md
new file mode 100644
index 0000000000..f53d477512
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/index.md
@@ -0,0 +1,39 @@
+---
+title: "Integration Guide"
+description: "Integration Guide"
+sidebar_position: 30
+---
+
+# Integration Guide
+
+This guide is designed to provide the tools and knowledge to fully understand and configure Identity Manager to match your project's needs.
+
+## Target Audience
+
+This guide is meant to be read by **integrators** who configure Identity Manager to match their project's needs.
+
+## Prior Knowledge
+
+A basic knowledge of **Identity and Access Management** (IAM) and more precisely of **Identity and Governance Administration** (IGA) is required to really understand, implement and use Identity Manager's features.
+
+Netwrix Identity Manager (formerly Usercube)strongly recommends starting from the [Introduction Guide](../introduction-guide) to fully benefit from the Integration Guide's content.
+
+### Technical skills
+
+As Identity Manager is a web application, some classic devops skills are needed:
+
+- Web servers, especially IIS: declare a web site; configure an application pool.
+- SQL Server: query data in the database with SQL, including with joins; insert/update data with
+SQL; for advanced use, an understanding of database indexes.
+- Coding: very basic C# skills; PowerShell scripts.
+- XML and JSON syntax for configuration files.
+- Git or other source control tools.
+
+The other technical skills greatly depend on the connectors needed for your projects. The most frequent ones are:
+
+- Excel and CSV
+- LDAP and Active Directory: understanding of LDAP attributes and of group membership.
+- Microsoft Entra ID (formerly Azure Active Directory)
+- Exchange
+- REST API programming
+
diff --git a/docs/identitymanager/6.3/integration-guide/modules.md b/docs/identitymanager/6.3/integration-guide/modules.md
new file mode 100644
index 0000000000..1a4bf80dee
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/modules.md
@@ -0,0 +1,19 @@
+---
+title: "Modules"
+description: "Modules"
+sidebar_position: 50
+---
+
+# Modules
+
+Identity Manager can integrate with other software for issues such as credential protection and logging. To use these integration modules, they just need to be configured in Identity Manager's `appsettings.json` file. Below is more module-specific information.
+
+## Credentials Protection
+
+- [Azure Key Vault](../integration-guide/network-configuration/agent-configuration/azure-key-vault)
+- [CyberArk's AAM Credential Providers ](../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)
+
+## Logging
+
+- [Export Logs to a Log Management System](../integration-guide/monitoring/qradar-setting)
+
diff --git a/docs/identitymanager/6.3/integration-guide/monitoring/index.md b/docs/identitymanager/6.3/integration-guide/monitoring/index.md
new file mode 100644
index 0000000000..d67acd6cd0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/monitoring/index.md
@@ -0,0 +1,503 @@
+---
+title: "Monitoring"
+description: "Monitoring"
+sidebar_position: 150
+---
+
+# Monitoring
+
+Identity Manager uses [Serilog](https://github.com/serilog/), a highly customizable logging tool, to provide monitoring capabilities.
+
+See the [References: Logs](../../integration-guide/monitoring/references) topic for additional information on the list of existing logs.
+
+## Introduction
+
+Serilog configuration is written to both _Agent_'s and _Server_'s `appsettings` sets. The relevant top-level section is `Serilog`.
+
+A full description of Serilog's configuration capabilities is available in [Serilog's official documentation](https://github.com/serilog/serilog-settings-configuration#serilogs-official-documentation).
+
+Identity Manager-specific configuration is detailed here.
+
+## Log Level and Namespaces
+
+### Priority
+
+Logs can be filtered according to a _log level_.
+
+A priority order between the log levels is established.
+
+From low priority to high priority, available log levels are:
+
+- `Verbose`
+- `Debug`
+- `Information`
+- `Warning`
+- `Error`
+- `Fatal`
+
+Every log message is associated with a log level and a user-defined _namespace_. Identity Manager provides the Identity Manager namespace, associated with logs relevant to the user.
+
+### MinimumLevel
+
+The `MinimumLevel` section sets the lowest priority log level that will be displayed. Every log message associated with a log level of priority strictly lower than the minimum level is ignored.
+
+`MinimumLevel` value can either be a log level or an object with the following attributes and subsections:
+
+- **Default** sets the minimum log level.
+- `Override` allows the user to set a different minimum log level for logs from a specific
+namespace. See the Monitoring topic for additional information.
+
+Within Identity Manager, the following example is a good practice: default logs with a priority lower than `Error` are filtered out, except for log messages from the Identity Manager namespace.
+
+```
+appsettings.json
+{
+ ...
+ "Serilog": {
+ ...
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ }
+ }
+}
+```
+
+### Custom namespaces
+
+Here is a table giving some namespace that you could add in the `Override` section, in order to monitor the associated module.
+
+ | Module | Namespace |
+ | --- | --- |
+ | Identity Manager | Identity Manager |
+ | Scheduler (server side) | Usercube.Jobs.Scheduler.Server |
+ | Scheduler (agent side) | Usercube.Jobs.Scheduler |
+
+## Log Properties
+
+Each log has a specific set of log properties, defined using the context of the server when generating the log (see [Formatting](https://github.com/serilog/serilog/wiki/Formatting-Output#formatting)).
+
+It is possible to modify the format message of the log displayed by overriding the `outputTemplate` of the logs:
+
+```
+appsettings.json
+{
+ ...
+ "Serilog": {
+ "MinimumLevel": {
+ "Default": "Verbose",
+ },
+ "WriteTo": [
+ {
+ "Name": "Console",
+ "Args": {
+ "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] ClientId:{ClientId} {Message:lj}{NewLine}{Exception}"
+ }
+ }
+ ]
+ }
+}
+```
+
+Among all default properties, Identity Manager adds the ClientId log property which can be displayed when using the previous `outputTemplate` format.
+
+## Filters
+
+In addition to the Microsoft log levels, Serilog provides a [Filters](https://github.com/serilog/serilog-filters-expressions) feature to build more advanced filter queries on log messages.
+
+## Sinks
+
+Serilog allows the user to route log messages to a variety of logging destinations. Every destination is referred to as a sink.
[Sinks](https://github.com/serilog/serilog/wiki/Provided-Sinks) allows logs to be routed to destination such as standard consoles, files and logging services. See the Monitoring topic for additional information.
+
+Identity Manager's supported sinks are:
+
+- `Serilog.Sinks.ApplicationInsights`;
+- `Serilog.Sinks.Async`;
+- `Serilog.Sinks.Console` to write to the console;
+- `Serilog.Sinks.Datadog.Logs`;
+- `Serilog.Sinks.File` to write to a file;
+- `Serilog.Sinks.Map`;
+- `Serilog.Sinks.Network` to write to another network;
+
+ > For example, this sink can be used when producing a JSON output for QRadar.
+
+- `Serilog.Sinks.PeriodicBatching`;
+- `Serilog.Sinks.Splunk.Durable` to send logs to Splunk;
+- `Serilog.Sinks.Syslog`.
+
+ > For example, this sink can be used when producing an
+ > [RFC3164](https://tools.ietf.org/html/rfc3164) or
+ > [RFC5424](https://tools.ietf.org/html/rfc5424) output for QRadar.
+
+The log messages can be routed to several logging destinations simultaneously. These destinations are described in the **WriteTo** attribute.
+
+```
+appsettings.json
+{
+ ...
+"Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [{
+ "Name": "Destination1",
+ "Args": {
+ "uri": "192.168.13.110",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ },
+ {
+ "Name": "Destination2",
+ "Args": {
+ "uri": "192.168.13.227",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ }],
+ "Filter": [{
+ "Name": "ByIncludingOnly",
+ "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" }
+ }]
+ }
+}
+```
+
+There can only be one **Filter** attribute associated with a **WriteTo** attribute.
Therefore, the filter defined in the **Filter** attribute is applied to all the destinations contained in the **WriteTo** attribute. To filter only one destination at a time, sub-loggers can be used.
+
+```
+appsettings.json
+{
+ ...
+"Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [{
+ "Name": "Logger1",
+ "Args": {
+ "configureLogger": {
+ "MinimumLevel": {
+ "Default": "Information"
+ },
+ "WriteTo": [
+ {
+ "Name": "Destination1",
+ "Args": {
+ "uri": "192.168.13.127",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ }],
+ "Filter": [{
+ "Name": "ByIncludingOnly",
+ "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" }
+ }]
+ }
+ }
+ },
+ {
+ "Name": "Logger2",
+ "Args": {
+ "configureLogger": {
+ "MinimumLevel": {
+ "Default": "Information"
+ },
+ "WriteTo": [{
+ "Name": "Destination2",
+ "Args": {
+ "uri": "192.168.13.100",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ },
+ {
+ "Name": "Destination3",
+ "Args": {
+ "uri": "192.168.13.408",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ }],
+ "Filter": [{
+ "Name": "ByIncludingOnly",
+ "Args": { "expression": "StartsWith(SourceContext, 'Test') and EventId.Id >= 800" }
+ }]
+ }
+ }
+ }
+ ]
+ }
+}
+```
+
+In the example above, the filter defined in **Logger1** will only apply to **Destination1**, and the filter defined in **Logger2** will only apply to **Destination2** and **Destination3**.
+
+When using `Serilog.Sinks.File`, the setting `shared` should be set to `true` in the `Args` section to enable Identity Manager's **Monitoring** screen functionality.
+ +As this `shared` setting allows several systems to interact with the log file simultaneously, so we can have both Serilog writing to the log file and Identity Manager reading it to display its content on the **Monitoring** screen. + +``` +{ + ... + "Serilog": { + "WriteTo": [{ + "Name": "File", + "Args": { + "path": "../Temp/Server/Usercube-log.txt", + "shared": true, + } + }] + } +} +``` + +## QRadar + +QRadar is a supported destination for Identity Manager's logs. + +See the [Export Logs to a Log Management System](../../integration-guide/monitoring/qradar-setting) topic to learn how to send Identity Manager's logs to your QRadar system. + +Three output formats are available for QRadar-routed logs: + +- JSON +- RFC3164 +- RFC5424 + +#### JSON output + +JSON output uses _Serilog.Sinks.Network_ sink. + +The following configures a QRadar JSON output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": ["Serilog.Sinks.Network"], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [{ + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UDPSink", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }], + "Filter": [{ + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + }] + } + } + } + ] + } +} +``` + +#### RFC3164 or RFC5424 output + +Using `Serilog.Sinks.SyslogMessages`_Sink_, the **Serilog.writeTo.configureLogger.Args.format** attribute is set to `RFC3164` or `RFC5424`. + +The following configures a QRadar RFC5424 output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... 
+"Serilog": {
+ "Using": ["Serilog.Sinks.Syslog"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "Logger",
+ "Args": {
+ "configureLogger": {
+ "MinimumLevel": {
+ "Default": "Information"
+ },
+ "WriteTo": [
+ {
+ "Name": "UdpSyslog",
+ "Args": {
+ "host": "192.168.13.110",
+ "port": "514",
+ "appName": "Usercube",
+ "format": "RFC5424",
+ "facility": "Local0",
+ "secureProtocols": "SecureProtocols.None",
+ "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj}
+```
+
+## Application Insights
+
+Identity Manager supports the [Application Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) integration. It means that you can monitor the lifecycle of the application through a dedicated interface, which can be useful to measure performance, observe how the application is used or detect performance anomalies.
+
+### Configuration
+
+Both the server and the agent support the Application Insights integration. To set it up, you need to create your own Application Insights instance (see [Create New Resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource)). Once done, you should have an instrumentation key. To plug the server or the agent into the Application Insights instance, you simply have to set the key at the root of the appsettings file:
+
+```
+appsettings.json
+{
+ ...
+ "ApplicationInsights": {
+ "InstrumentationKey": "YOUR-INSTRUMENTATION-KEY"
+ }
+}
+```
+
+This configuration will automatically add a `Serilog.Sinks.ApplicationInsights` to the Serilog configuration. Thus, declaring explicitly an ApplicationInsights _sink_ in the Serilog configuration is useless. The `ApplicationInsights` section does not only affect the logging system, but also sends metrics periodically such as the percentage of CPU usage.
+
+## Logs Monitoring via User Interface
+
+Identity Manager offers the ability to download the application logs directly through the User Interface (UI) via the **Monitoring** screen in the **Administration** section on the Dashboard.
+
+SaaS installations support this feature automatically while on-premises installations support this in two ways. The first one is to leverage the path to the logs from the Serilog configuration when writing application logs into a single file. See the example below. The second option is described in the following subsection.
+
+```
+appsettings.json
+{
+ ...
+ "Serilog": {
+ "WriteTo": [{
+ "Name": "File",
+ "Args": {
+ "path": "../Temp/Server/Usercube-log.txt",
+ "shared": true,
+ }
+ }]
+ }
+}
+```
+
+### `LogsPath`
+
+if you store Identity Manager logs thanks to an external mechanism (the web server, etc), then you have to use the second option in order to enable this feature which is via an ad hoc parameter at the root of the appsettings called `LogsPath` indicating the path where the application logs are located:
+
+```
+appsettings.json
+{
+ ...
+ "Serilog": {
+ "WriteTo": ["Console"],
+ },
+ "LogsPath": "C:/inetpub/logs/LogFiles"
+}
+```
+
+If logs are all stored in one file, provide the path to the file. If they are stored in multiple separate files within a directory, provide the path to the directory and Identity Manager will handle providing the most recent logs.
+
+## Default Configuration
+
+```
+appsettings.json
+{
+ ...
+"Serilog": {
+ "WriteTo": ["Console"],
+ "Using": ["Serilog.Sinks.File"],
+ "MinimumLevel": "Error",
+ "WriteTo": [{
+ "Name": "File",
+ "Args": {
+ "path": "../Temp/Server/identitymanager-log.txt",
+ "shared": true
+ }
+ }]
+}
+}
+```
+
+## Configuration Examples
+
+### Write log messages
+
+This example configures _Serilog_ to write log messages to the `../Temp/Server/identitymanager-log.txt` file.
+
+```
+appsettings.json
+{
+ ...
+"Serilog": {
+ "WriteTo": ["Console"],
+ "Using": ["Serilog.Sinks.File"],
+ "MinimumLevel": "Error",
+ "WriteTo": [{
+ "Name": "File",
+ "Args": {
+ "path": "../Temp/Server/identitymanager-log.txt",
+ "shared": true
+ }
+ }]
+}
+}
+```
+
+### Reduce logging process overhead
+
+This example shows how to reduce the overhead of the logging process for Identity Manager's main thread by delegating work to a background thread, using the _Async\_\_Sink_.
+
+```
+appsettings.json
+{
+ ...
+"Serilog": {
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Debug"
+ }
+ },
+ "WriteTo": [{
+ "Name": "Async",
+ "Args": {
+ "configure": [
+ {
+ "Name": "File",
+ "Args": {
+ "path": "C:/Projects/LogTest/identitymanager-test.txt",
+ "shared: true,
+ "buffered": "true"
+ }
+ }]
+ }
+ },
+ {
+ "Name": "Console"
+ }
+ ]
+ }
+}
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/monitoring/qradar-setting.md b/docs/identitymanager/6.3/integration-guide/monitoring/qradar-setting.md
new file mode 100644
index 0000000000..af1781be2d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/monitoring/qradar-setting.md
@@ -0,0 +1,302 @@
+---
+title: "Export Logs to a Log Management System"
+description: "Export Logs to a Log Management System"
+sidebar_position: 10
+---
+
+# Export Logs to a Log Management System
+
+This guide shows how to use the logging configuration (Serilog) to send Identity Manager's logs into a log management system, potentially using specific plug-ins to parse the logs.
+
+Supported log management systems are:
+
+- [QRadar](https://www.ibm.com/fr-fr/products/qradar-siem);
+- [Splunk](https://docs.splunk.com/Documentation/Splunk);
+- DataDog.
+
+## Overview
+
+Typically, a Serilog configuration includes three parts: **MinimumLevel**, **Using** and **WriteTo**. See the [Monitoring](../../integration-guide/monitoring) topic for additional information.
+
+### Identity Manager's DSM in QRadar
+
+Identity Manager's Device Support Module is a plug-in that allows your QRadar system to parse Identity Manager's logs, when producing a JSON output.
+
+Logs can be sent into QRadar without using Identity Manager's DSM in QRadar, but the logs just won't be parsed. Not all Identity Manager's logs can be sent to QRadar. See the [References: Logs](../../integration-guide/monitoring/references) topic for additional information.
+
+In order to get Identity Manager's DSM, import from QRadar the `Usercube_1.0.0.zip` file, accessible in the `Runtime` folder. Identity Manager's DSM is set to automatically detect the source. This means that, once Serilog is configured to send logs to QRadar, performing a few actions in Identity Manager should make the detection possible.
+
+## Export Logs to a Log Management System
+
+Export logs to a log management system by proceeding as follows:
+
+1. In
+[Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings), make sure to have a **Serilog** section:
+
+```json
+{ ... "Serilog": { ... } ... }
+```
+
+2. 
In the **Serilog** section, add a **Using** section to contain the used sink which depends on the
+logs' destination, output format, etc. See the list of supported [Monitoring](../../integration-guide/monitoring).
+
+Concerning QRadar, Netwrix Identity Manager (formerly Usercube) strongly recommends using the JSON format, as it can be parsed by Identity Manager's DSM or easily by a homemade parser.
+
+For example, to produce a JSON output for QRadar:
+
+```json
+appsettings.json
+
+ {
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ ...
+ }
+ ...
+ }
+ ```
+
+For example, to produce an output for Splunk:
+```json
+appsettings.json
+
+ {
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Console",
+ "Serilog.Sinks.Splunk.Durable"
+ ],
+ ...
+ }
+ ...
+ }
+```
+3. Add a **MinimumLevel** section to define which logs are to be sent to the log management system.
+
+In order to be sent to any system, Identity Manager's logs must be configured with **MinimumLevel** set to `Information`, or lower.
+
+For example, we can define the logs' minimum level to `Information`. This way, all logs from
+the [References: Logs](../../integration-guide/monitoring/references) with `Information` level or higher are
+sent.
+```json
+appsettings.json
+
+{
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ ...
+ }
+ ...
+}
+
+```
+4. Add a **WriteTo** section to specify the expected output.
+
+While **uri**/**host**/**splunkHost** specifies the IP address of the machine hosting your log management system, the rest of **Args** configuration must be set just like the examples below.
+
+For example, to produce a JSON output for QRadar:
+```
+
+appsettings.json
+
+{
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "UDPSink",
+ "Args": {
+ "uri": "192.168.13.110",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ }
+]
+ }
+}
+
+```
+For example, to produce an RFC5424 output for QRadar
+([see more information about UdpSyslog attributes](https://github.com/IonxSolutions/serilog-sinks-syslog#see-more-information-about-udpsyslog-attributes)):
+```
+appsettings.json
+
+{
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "UdpSyslog",
+ "Args": {
+ "host": "192.168.13.110",
+ "port": "514",
+ "appName": "Usercube",
+ "format": "RFC5424",
+ "facility": "Local0",
+ "secureProtocols": "SecureProtocols.None",
+ "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} `{NewLine}``{Exception}`"
+ }
+ }
+ ]
+ }
+}
+
+```
+For example, to produce an output for Splunk:
+```
+appsettings.json
+
+{
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "SplunkEventCollector",
+ "Args": {
+ "splunkHost": ,
+ "eventCollectorToken": "",
+ "bufferFileFullName": "log-buffer.txt"
+ }
+ }
+]
+ }
+}
+
+```
+5. When needing to restrict the logs sent to the system, add a filter and wrap all **WriteTo**
+configuration into a sub-logger, in which case the **Name** at **WriteTo**'s root must be `Logger`. See the [Monitoring](../../integration-guide/monitoring) topic for additional information.
+
+For all formats, in order to send only the right logs using the specified filter, the **WriteTo** part must contain a sub-logger with its own filter. Otherwise, the filter will be applied to all sinks.
+
+For example, among Identity Manager's logs, only the logs described in the e [References: Logs](../../integration-guide/monitoring/references) can be parsed by QRadar's DSM and should be used by a SIEM system. Hence the importance of having a filter and a sub-logger.
+
+Never include logs with event ids inferior to 500, in order not to be overwhelmed with logs improper to be used by SIEM systems like QRadar.
+
+The following example filters out any log whose event id is lower than 500.
+```
+appsettings.json
+
+{
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "Logger",
+ "Args": {
+ "configureLogger": {
+ "WriteTo": [
+ {
+ "Name": "UDPSink",
+ "Args": {
+ "uri": "192.168.13.110",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ }
+],
+ "Filter": [
+ {
+ "Name": "ByIncludingOnly",
+ "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" }
+ }
+]
+ }
+ }
+ }
+ ...
+ ]
+ }
+}
+
+```
+You could want to filter out the logs whose event ids are 500 too, by replacing
+`EventId.Id >= 500` with `EventId.Id >= 501` in the filter. Or you could want to filter out
+only the logs whose event ids are 502, by replacing `EventId.Id >= 500` with
+``EventId.Id >= 500 and EventId.Id `<>` 502`` in the filter.
+
+6. When needing to override the log level for this particular sub-logger, add an additional
+**MinimalLevel** section in the **WriteTo** section.
+```
+
+appsettings.json
+
+{
+ ...
+ "Serilog": {
+ "Using": ["Serilog.Sinks.Network"],
+ "MinimumLevel": {
+ "Default": "Error",
+ "Override": {
+ "Usercube": "Information"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "Logger",
+ "Args": {
+ "configureLogger": {
+ "MinimumLevel": {
+ "Default": "Warning"
+ },
+ "WriteTo": [
+ {
+ "Name": "UDPSink",
+ "Args": {
+ "uri": "192.168.13.110",
+ "port": "514",
+ "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+ }
+ }
+],
+ "Filter": [
+ {
+ "Name": "ByIncludingOnly",
+ "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" }
+ }
+]
+ }
+ }
+ }
+ ...
+ ]
+ }
+}
+
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/monitoring/references.md b/docs/identitymanager/6.3/integration-guide/monitoring/references.md
new file mode 100644
index 0000000000..46e1d23cab
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/monitoring/references.md
@@ -0,0 +1,89 @@
+---
+title: "References: Logs"
+description: "References: Logs"
+sidebar_position: 20
+---
+
+# References: Logs
+
+## Definition
+
+This section provides descriptions for logs which are meant to be sent to other systems like SIEMs, for example QRadar.
+
+The description will use this template for each log:
+
+**EventId id: int**
+
+EventId name: string
+
+**LogLevel: Trace||Verbose||Debug||Information||Warning||Error||Critical**
+
+Arguments:
+
+- argument1 (string): description1 (string)
+- argument2 (string): description2 (string)
+- argument3 (string): description3 (string)
+
+The EventId id must be unique so we could use it to filter the logs we send. See the [Monitoring](../../integration-guide/monitoring) topic for additional information.
+
+#### 500
+
+**EventId id: 500**
+
+EventId name: Workflow.StartWorkflowInstance
+
+**LogLevel: Information**
+
+Arguments:
+
+- WorkflowId: Request number, which includes the workflow instance's id
+- Transition: Activity template name
+- Perfomer: Identity Manager's login or id of the performer
+- WorkflowIdentifier: Workflow's identifier
+- Subject: Action performed, with the person's name in modifying permission case
+
+#### 501
+
+**EventId id: 501**
+
+EventId name: Workflow.ResumeWorkflowInstance
+
+**LogLevel: Information**
+
+Arguments:
+
+- WorkflowId: Request number, which includes the workflow instance's id
+- Transition: Activity template name
+- Perfomer: Identity Manager's login or id of the performer
+- WorkflowIdentifier: Workflow's identifier
+- Subject: Action performed, with the person's name in modifying permission case
+
+#### 502
+
+**EventId id: 502**
+
+EventId name: SelectEntityByIdQueryHandler.Handle
+
+**LogLevel: Information**
+
+Arguments:
+
+- Perfomer: Identity Manager's login or id of the performer
+- Subject: Identity Manager's id of the readed resource
+- EntityType: Identity Manager's type of the readed resource
+
+#### 503
+
+**EventId id: 503**
+
+EventId name: 
SelectEntityByIdQueryHandler.Handle
+
+**LogLevel: Error**
+
+Arguments:
+
+- Perfomer: Identity Manager's login or id of the performer
+- Subject: Identity Manager's id of the readed resource
+- EntityType: Identity Manager's type of the readed resource
+- ExceptionMessage: Exception's message
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings-agent.md b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings-agent.md
new file mode 100644
index 0000000000..944488af04
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings-agent.md
@@ -0,0 +1,137 @@ +--- +title: "appsettings.agent" +description: "appsettings.agent" +sidebar_position: 20 +--- + +# appsettings.agent + +The appsettings.agent.json file is meant to contain configuration data to be used by the agent to run Identity Manager. + +It includes: + +- Connections to the managed systems +- Password reset settings +- Connections to potential additional databases +- OpenId information +- Specific task configuration + +JSON files can contain any additional information that you might find useful. See the example below. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +"UsercubeAgent": { +  "Url": "" +} +``` + +As Identity Manager does not know any object named Identity ManagerAgent, its content will be ignored, but it can still be used to store information for human use. + +## Supported Sections + + | Name | Type | Description | + | --- | --- | --- | + | Connections optional | List of Connections | Connection information of all the systems managed by this agent, for synchronization and fulfillment configuration. This section contains a subsection for each connection containing the connection's agent settings. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "Connections": {     …     "": {       "": "":        …     }   } }` Example: `{   …   "Connections": {     …     "Directory": {       "Path": "C:\UsercubeDemo\Sources\Directory.xlsx"     },     "ServiceNowExportFulfillment": {       "Server": "https://INSTANCE.service-now.com/api/now/table",       "Login": "LOGIN",       "Password": "PASSWORD"     }   } }` See the [Create a Connection](../../../user-guide/set-up/connect-system/connection-creation)and [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) topics for additional information. | + | Databases optional | List of Databases | Names and connection strings of all databases used by the agent through InvokeSqlCommandTask, other than Identity Manager's database and other than the databases provided in Identity Manager's available packages. This subsection contains a subsection for each additional database. **NOTE:** The Database is a subsection of the Connections section mentioned above. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "Databases": {     "": ""   } }` Example: `{   …   "Databases": {     "UsercubeContoso": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"   } }` | + | OpenId optional | OpenId | OpenId information, i.e. the ClientIds and related ClientSecrets that the agent may use to authenticate to the server in order to launch jobs and tasks. In order to launch jobs and tasks, the profiles related to these OpenId credentials must possess the required permissions. | + | PasswordResetSettings optional | PasswordResetSettings | Parameters which configure the reset password process for the managed systems that support it. | + | SourcesRootPaths optional | String Array | List of folder paths from which Identity Manager is allowed to read. This option is used to validate the sources files defined in file-based connections. 
These paths are case sensitive. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "SourcesRootPaths": ["C:/identitymanagerContoso/SourceHR", "C:/identitymanagerContoso/SourcesPhone"]  }` | + | TaskAgentConfiguration optional | TaskAgentConfiguration | Various settings to customize the behavior of some agent tasks. | + +## OpenId + + | Name | Type | Description | + | --- | --- | --- | + | AgentIdentifier required | String | Identifier of the agent, as it is named in the XML configuration. With the following configuration: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `` We could have the following setting in the agent's appsettings.agent.json: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     …     "AgentIdentifier": "MyAgent"   } }` | + | DefaultOpenIdClient required | String | ClientId that defines the default OpenId pair, from the OpenIdClients section, used by the agent to authenticate to the server. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     "OpenIdClients": {       "Job": "secret1",       "Admin": "secret2",       "Agent": "secret3"     },     "DefaultOpenIdClient": "Agent"   } }` | + | OpenIdClients required | List of OpenIdClients | Pairs of ClientIds and non-hashed ClientSecrets, to override the corresponding secrets specified in the XML configuration. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "OpenId":{     "OpenIdClients": {       "Job": "secret",       "Admin": "secret2"     }   } }` | + +## PasswordResetSettings + + | Name | Type | Description | + | --- | --- | --- | + | EncryptionCertificate required | EncryptionCertificate | Location of the public key certificate and the private key used to handle input and output files' encryption. | + | MailSettings optional | MailSettings | Settings for configuring the SMTP server, used to send password reset email notifications. | + | NotificationSettings optional | NotificationSettings | Settings to configure password reset notifications. | + | TokenBuildingSettings optional | TokenBuildingSettings | Settings to build the confirmation token used by the password reset's **two-way** mode. The confirmation token is a base-64 encoded JSON Web Token (JWT) token that contains the information required to complete password reset when in **two-way** mode. It is appended to the confirmation Uri. | + | TwoFactorSettings optional | TwoFactorSettings | Settings to configure the password reset's **two-way** mode, i.e. the process where Identity Manager sends emails containing links to users for them to click on it and reset their passwords. | + +### EncryptionCertificate + +If you are using the certificate provided in the SDK, the agent will be unable to launch. You must create your own certificate. + +Encryption certificate information can be set in one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive +(also called [Personal ](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files)Information Exchange file or `.pfx` file) stored in the Agent's host file system. The archive contains both the public key certificate and the private key. 
+ + | Name | Type | Description | + | --- | --- | --- | + | File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "File": ""   } }` | + | Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "File": "",     "Password": ""   } }` | + +- As a certificate from a Windows' +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate and the private key. + + | Name | Type | Description | + | --- | --- | --- | + | DistinguishedName Required if Thumbprint is empty | String | Subject distinguished name of the certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "DistinguishedName": ""     …   } }` | + | StoreLocation required | String | Location of the relevant Windows certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "StoreLocation": ""   } }` | + | StoreName required | String | Name of the relevant Windows certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "StoreName": ""   } }` | + | Thumbprint Required if DistinguishedName is empty | String | Thumbprint of the certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "Thumbprint": "<6261A70E599642A21A57A605A73B6D2AE7C5C450>"     …   } }` | + +:::tip + Remember, Netwrix recommends using Windows' certificate store. +::: +On the other hand, the PFX file takes priority over Windows' certificate, which means that when `File` is specified then the PFX certificate is used, even if the options for Windows' certificate are specified too. + +In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +### MailSettings + + | Name | Type | Description | + | --- | --- | --- | + | FromAddress Required if PickupDirectory is empty | String | Email address used by Identity Manager to send notifications. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "FromAddress": "",       …     }   } }` | + | Host Required if PickupDirectory is empty | String | SMTP server domain name or an IP address. To be used only when UseSpecifiedPickupDirectory is set to false. | + | Password Required | String | Password that Identity Manager will use to login to the SMTP server. used only when the SMTP server is password-protected and UseSpecifiedPickupDirectory is set to false. | + | PickupDirectory Required if FromAddress/Host are empty | | Path to the pickup directory. See the [Send Notifications](../../../installation-guide/production-ready/email-server) topic for additional information. See more details on the pickup directory feature. To be used only when UseSpecifiedPickupDirectory is set to true. 
Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "PickupDirectory": "<../Mails>",       …     }   } }` | + | Username required | String | Username for Identity Manager to login to the SMTP server. Used only when the SMTP server is password-protected and UseSpecifiedPickupDirectory is set to false. | + | AllowedDomains optional | String | List of domains to which the SMTP server is authorized to send emails. Domain names must be separated by `;`. | + | CatchAllAddress optional | String | Catch-all address that will receive all of Identity Manager's emails instead of usual users. this is helpful for testing before going live. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "CatchAllAddress": "",       …     }   } }` | + | CatchAllCCAddress optional | String | Catch-all address that will receive all of Identity Manager's emails **as cc** (carbon copied). Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "CatchAllCCAddress": "",       …     }   } }` | + | Enabled default value: True | Boolean | True to enable email sending. When set to false, no email is sent by Identity Manager. | + | EnableSsl default value: False | Boolean | **DEPRECATED**: EnableSsl won't be supported in the future. Please specify a SecureSocketOption instead. To keep the same behavior as EnableSsl: True, use the setting SecureSocketOption: StartTls. True to encrypt communication with the SMTP server. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. 
| + | SecureSocketOption default value: Auto | String | Specifies the encryption strategy to connect to the SMTP server. If set, this takes priority over EnableSsl. None: No SSL or TLS encryption should be used. Auto: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. SslOnConnect: The connection should use SSL or TLS encryption immediately. StartTls: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | + | Port default value: 0 | String | SMTP server port. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | + | UseDefaultCredentials default value: False | Boolean | True to use the default username/password pair to login to the SMTP server. When set to false, Windows authentication is used. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | + | UseSpecifiedPickupDirectory default value: False | Boolean | True to write emails as local files in the specified PickupDirectory instead of sending them as SMTP packets. See the [Send Notifications](../../../installation-guide/production-ready/email-server)topic for additional information. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "MailSettings": {       "UseSpecifiedPickupDirectory": true,       …     }   } }` | + +### NotificationSettings + + | Name | Type | Description | + | --- | --- | --- | + | Cultures default value: ["en"] | String Array | List of languages in which reset-password email notifications will be sent, among: fr and en. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "NotificationSettings": {       "Cultures": ["fr", "en"]     }   } }` | + +### TokenBuildingSettings + + | Name | Type | Description | + | --- | --- | --- | + | ValidFor default value: 03:00:00 | String | Validity period of the issued token, and thus of the password reset link. The format must be HH:mm:ss Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "TokenBuildingSettings": {       "ValidFor": "<03:00:00>"     }   } }` | + +### TwoFactorSettings + + | Name | Type | Description | + | --- | --- | --- | + | ApplicationUri required | String | URI of the Identity Manager application. **NOTE:** this helps create the links in the emails for **two-way** password reset. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{     …     "PasswordResetSettings": {         …         "TwoFactorSettings": {            "ApplicationUri": ""            …         }     } }` | + | ResetConfirmationUri required | String | Base URI for the password reset link that is sent to the user. The password reset confirmation token is appended to the ResetConfirmationUri. The resulting URI is sent to the user. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{     …     "PasswordResetSettings": {         …         "TwoFactorSettings": {            …            "ResetConfirmationUri": ""         }     } }` | + +## TaskAgentConfiguration + + | Name | Type | Description | + | --- | --- | --- | + | HttpClientTimeoutSupplement default value: 0 | Integer | Additional minutes that extend the default timeout (30 minutes) of the HttpClient instance used to send requests to the server. Here the total timeout will be 50 minutes: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "TaskAgentConfiguration": {     …      "HttpClientAdditionalTimeout": 20   } }` | + diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings.md b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings.md new file mode 100644 index 0000000000..b0ce387e2b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/appsettings.md 
@@ -0,0 +1,307 @@
+---
+title: "Application Settings"
+description: "Application Settings"
+sidebar_position: 10
+---
+
+# Application Settings
+
+This section describes the settings available in the agent's *appsettings.json* file, located in the agent's working directory or in environment variables.
+
+:::note
+ JSON files **can** contain any additional information that you might find useful. See the example below.
+:::
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+For example, in order to store the agent's address, we **can** add:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+*appsettings.json*
+"UsercubeAgent": {
+  "Url": ""
+}
+```
+
+As Identity Manager does not know any object named Identity Manager Agent, its content will be ignored, but it **can** still be used to store information for human use.
+
+The appsettings set allows the following attributes and sections:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | ApplicationUri (required) | Uri | Server's listening URI. Used by the agent to send requests to the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `*appsettings.json* {  "ApplicationUri": " " }` |
+ | Jobs (optional) | Job | Settings to configure all jobs with common values. |
+ | Scheduler (optional) | Scheduler | Settings to configure Identity Manager's scheduler. |
+ | TaskTimeoutSupplement default value: 0 | Int32 | Additional time (in minutes) for the Invoke-Job tool's Timeout property. Example: `*appsettings.json* {     "TaskTimeoutSupplement": 10 }` |
+ | InstallationDirectoryPath default value: Usercube-agent.exe directory | String | Path of the installation directory. It is used to read other configuration files. 
|
+ | EncryptionCertificate (required) | EncryptionCertificate | Settings to configure the encryption of specific files. |
+ | IdentityServer (required) | IdentityServer | Settings to configure the agent's encrypted network communication, for example with the server or a browser. |
+ | Authentication (required) | Authentication | Settings to configure end-user authentication, for example for users to launch a job from the UI. |
+ | Serilog (optional) | Logger setting | Settings to configure the logging service, complying to the Logger properties and structure. See the [Monitoring](../../../integration-guide/monitoring) topic for additional information. Example: `*appsettings.json* {   "Serilog": {     "WriteTo": ["Console"],     "MinimumLevel": {       "Default": "Error",       "Override": {         "Usercube": "Information"         }       }     } }                         ` |
+ | Cors (optional) | Cors | Settings to configure the agent's [CORS policy](https://developer.mozilla.org/fr/docs/Web/HTTP/CORS), which is useful when using **non-integrated** agents. |
+ | ApplicationInsights (optional) | ApplicationInsights | Settings to plug to and configure the [AppInsights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. |
+ | TempFolderPath (optional) | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. - PolicySimulations: directory storing the files generated by policy simulations. - ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file **can** be used to coordinate the API cache among clusters. 
- CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Identity Manager's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. Note that this path **can** be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. Note that this path **can** be overridden by **ResetSettings** > **PickupDirectory**. - Deployment these elements **can** be removed, but make sure to restart the server after doing so. Example: `*appsettings.json* {   "TempFolderPath": "../Temp" }` |
+ | WorkFolderPath (optional) | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Identity Manager's execution after restarting. Example: `*appsettings.json* {   "WorkFolderPath": "../Work" }` |
+ | JobLaunchTimeout default value: 7500 | String | Time period (in milliseconds) after which, if a launched job has not started, it is considered in error. Example: `*appsettings.json* {   "JobLaunchTimeout": 9000 }` |
+ | InvokeSqlCommands default value: null | String | List of parameter sets used to override InvokeSqlCommandTasks' SQLInputFile and OutputPath parameters from the XML configuration. 
See the [Invoke Sql Command Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask) topic for additional information. For each task to override, the key must be the task's identifier. Example: `*appsettings.json*  {        "InvokeSqlCommands": {         "InvokeSqlCommandTask_Identifier": {           "SQLInputFile": "YourInputFilePath",           "OutputPath": "YourOutputFilePath"  },         } }` |
+
+## Jobs
+
+Below is an example of job that **can** be executed by the agent.
+
+For example:
+
+```
+*appsettings.json*
+{
+  ...
+  "Jobs": {
+    "MaxTaskBatchSize": "2"
+  }
+}
+```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | MaxTaskBatchSize default value: 5 | Int64 | Maximum number of tasks that **can** be launched simultaneously, thus avoiding timeout issues. When executing a job, Identity Manager launches simultaneously the tasks of a same Level. See the [Job](../../../integration-guide/toolkit/xml-configuration/jobs/job) topic for additional information. If the number of same-level tasks exceeds MaxTaskBatchSize, then Identity Manager inserts new levels. These effective levels **can** be seen in the job's logs or with the Usercube-Get-JobSteps executable. See the [Usercube-Get-JobSteps](../../../integration-guide/executables/references/get-jobsteps) topic for additional information. |
+
+## Scheduler
+
+Below is an example of scheduling and a list of attributes.
+
+For example:
+
+```
+*appsettings.json*
+{
+  ...
+  "Scheduler": {
+    "Enabled": "true",
+    "MaxLockWatchTime": 3600
+ }
+}
+```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled (optional) | Boolean | True to activate Identity Manager's scheduler. |
+ | MaxLockWatchTime default value: 1800 | Int32 | Time period (in seconds) to spend watching for the scheduler's lock file before launching it. 
When set to 0 the duration is infinite, and when set to a negative value the scheduler launch fails if the lock file already exists. This parameter prevents a failure if Identity Manager's scheduler has already been launched from another source. |
+
+## Encryption Certificate
+
+This information **can** be set one of two ways:
+
+- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive
+(also called [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or .pfx file) stored in the Agent's host file system. The archive contains both the public key certificate and the private key.
+- As a certificate from a Windows'
+[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate and the private key.
+
+:::note
+ Netwrix recommends using Windows' certificate store.
+:::
+On the other hand, the PFX file takes priority over Windows' certificate, which means that when File is specified then the PFX certificate is used, even if the options for Windows' certificate are specified too. In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded.
+
+**As a PFX file**
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+{
+    ...
+    "EncryptionCertificate": {
+        "File": "",
+        "Password": ""
+     }
+ }
+```
+
+The archive is set using the following attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. 
|
+ | Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. |
+
+:::note
+ Storing a .pfx file password in plain text in a production environment is **strongly discouraged**. It **should** always be encrypted using the Usercube-Protect-CertificatePassword tool. See the [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) topic for additional information.
+:::
+The archive is set using the following attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. |
+ | Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. storing a .pfx file's password in plain text in a production environment is **strongly discouraged**. It **should** always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. See the[Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) topic for additional information. |
+
+**As a Certificate in the Windows Store**
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+ {
+    ...
+    "EncryptionCertificate": {
+         "DistinguishedName":"",
+         "StoreLocation": "",
+         "StoreName": ""
+     }
+ }
+```
+
+The Windows certificate is set using these attributes:
+
+ | Name | Type | Details |
+ | --- | --- | --- |
+ | DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. |
+ | Thumbprint (optional) | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. 
|
+ | StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. |
+ | StoreName (required) | String | Name of the relevant Windows certificate store. |
+
+**Using Azure Key Vault**
+
+If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the Vault connection. See the [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) topic for additional information.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+"": {
+    "CertificateAzureKeyVault": ""
+}
+```
+
+## Identity Server
+
+Just like the Encryption Certificate, this information **can** be set one of two ways.
+
+**As a PFX file**
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+*appsettings.json*
+"": {
+  "X509KeyFilePath": "<./identitymanager.pfx>",
+  "X509KeyFilePassword": ""
+}
+```
+
+The archive is set using the following attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | X509KeyFilePath (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. |
+ | X509KeyFilePassword (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. |
+
+:::note
+ Storing a .pfx file password in plain text in a production environment is **strongly discouraged**. It **should** always be encrypted using the Usercube-Protect-CertificatePassword tool. See the [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) topic for additional information.
+:::
+**As a Certificate in the Windows Store**
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+
+```
+*appsettings.json*
+"": {
+  "X509SubjectDistinguishedName":"",
+  "X509StoreLocation": "",
+  "X509StoreName": ""
+}
+```
+
+The certificate is set using these attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | X509StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. |
+ | X509StoreName (required) | String | Name of the relevant Windows certificate store. |
+ | X509SubjectDistinguishedName (optional) | String | SubjectDistinguishedName of the certificate. It is required when X509Thumbprint is not defined. |
+ | X509Thumbprint (optional) | String | Thumbprint of the certificate. It is required when X509SubjectDistinguishedName is not defined. |
+
+:::note
+ If you are using the certificate provided in the SDK, the agent will fail when launching. You must create your own certificate.
+:::
+You **can** get the DistinguishedName of the certificate using OpenSSL:
+
+```
+openssl x509 -noout -in {certificate file name with full path} -subject
+```
+
+## Authentication
+
+An example of authentication and a list of attributes.
+
+```
+*appsettings.json*
+{
+  ...
+  "Authentication": {
+    "Enabled": true,
+    "RequireHttpsMetadata": true
+  }
+}
+```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled default value: true | Boolean | True to enable authentication. |
+ | RequireHttpsMetadata default value: true | Boolean | True to set HTTPS required for the discovery endpoint. |
+
+## Cors
+
+An example of cors and a list of attributes.
+
+```
+*appsettings.json*
+{
+  ... 
+  "Cors": {
+    "AllowAnyHeader": true,
+    "AllowAnyMethod": false,
+    "AllowCredentials": true
+  }
+}
+```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | AllowAnyHeader default value: false | Boolean | True to enable the [Access-Control-Allow-Headers: \*](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). |
+ | AllowAnyMethod default value: false | Boolean | True to enable the [Access-Control-Allow-Methods: \*](https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). |
+ | AllowCredentials default value: false | Boolean | True to enable the [Access-Control-Allow-Credentials: true](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). |
+
+## Application Insights
+
+Identity Manager supports the Application Insights integration. It means that you **can** monitor the lifecycle of the application through a dedicated interface, which **can** be useful to measure performance, observe how the application is used or detect performance anomalies.
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```
+*appsettings.json*
+{
+  ...
+  "ApplicationInsights": {
+    "InstrumentationKey": ""
+  }
+}
+```
+
+The application insights details are:
+
+ | Name | Type | Details |
+ | --- | --- | --- |
+ | InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. 
See Microsoft's documentation to create an[ instrumentation key](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource). |
+
+:::note
+ The logs sent to AppInsights are configured through the Logger properties. See the [Monitoring](../../../integration-guide/monitoring) topic for additional information.
+
+:::
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/azure-key-vault.md b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/azure-key-vault.md
new file mode 100644
index 0000000000..0618699a53
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/azure-key-vault.md
@@ -0,0 +1,90 @@
+---
+title: "Azure Key Vault"
+description: "Azure Key Vault"
+sidebar_position: 40
+---
+
+# Azure Key Vault
+
+## Prerequisites
+
+First, NETWRIX recommends reading:
+- [Azure Key Vault's overview documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/overview) and [Basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts);
+- How to [sign in to Azure and create a vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal#sign-in-to-azure-and-create-a-vault);
+- About [Azure Key Vault's secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets) because secrets are the data that Identity Manager needs to collect.
+
+## Compatible Settings
+
+Every key from appsettings.agent.json that has a **string** value can be saved as a secret into Microsoft Entra ID (formerly Azure AD) Key Vault. See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information.
+
+Check the examples in connectors' credential protection sections. See the [ServiceNow](../../../integration-guide/connectors/references-connectors/servicenowentitymanagement) topic for additional information.
+
+## Write Settings to the Vault
+
+After creating the Azure Key Vault, open its page on Azure's portal and [add a secret](https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal#add-a-secret).
+
+The important part of adding a secret in Azure Key Vault is defining its name and value:
+- As secrets' **names** can only contain alphanumeric characters and double dashes (`--`) as separator, the keys from the appsettings.agent.json file must contain only alphanumeric characters too;
+- Secrets' **values** are simply the value associated with the key in the JSON file. 
+
+For example, for the Active Directory:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+appsettings.agent.json
+{
+  ...
+  "Connections": {
+    ...
+    "ADExport": {
+      "Servers": [{
+          "Server": "",
+          "BaseDN": ""
+        },
+        {
+          "Server": "",
+          "BaseDN": ""
+        }],
+      "AuthType": "",
+      "Login": "",
+      "Password": "",
+      "Filter": "(objectclass=*)",
+      "EnableSSL": "false",
+    }
+  }
+}
+```
+To save the login to Azure Key Vault, create a secret whose name and value are respectively `` and ``.
+
+To save the second server, create a secret whose name and value are respectively `` and ``.
+
+:::tip
+ Remember, the index of the first element is `0`.
+:::
+This way, **values** from the Azure Key Vault take priority over the **values** from the appsettings files.
+
+For example, if Login exists in both Azure Key Vault and appsettings.agent.json, then the value from Azure Key Vault is used.
+
+## Configure Usercube
+
+Netwrix Identity Manager (formerly Usercube) uses the default Azure credentials to connect to the vault. Since the implementation of default Azure credential is controlled by Microsoft see the [Default Azure Credential](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) page for additional information.
+
+> For example:
+> ```json
+> *appsettings.json*
+>
+> {
+> ...
+> "AzureKeyVault": {
+> "Vault" : "https://usercubekeyvault.vault.azure.net/",
+> "ConnectionString": "RunAs=App;AppId={};TenantId={<7a06f56c-47a8-469b-b0c0-089ec0666bd1>};AppKey={}"
+> }
+> }
+>```
+
+ | Name | Details |
+ | --- | --- |
+ | Vault
required | **Type**
**string**

**Description**

*DNS Name* found on the page of the vault in Azure's portal.
**Info:** usually in the format `https://yourVault.vault.azure.net/`.

| + | ConnectionString
default value: null | **Type**
**string**

**Description**

Identification token used to retrieve the various connection keys found in the Azure Key Vault. It concatenates a series of options defining the authentication to Azure Key Vault.

`null` - the connection is established with the current user.
**Warning**: this user must be connected to the Microsoft Entra ID (formerly Azure Active Directory) instance and to the correct tenant.

Otherwise, Identity Manager gets the token from Microsoft Entra ID via:

`RunAs=App` - a [managed identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-does-the-managed-identities-for-azure-resources-work).
**Warning**: connecting via a managed identity must be enabled on Azure's App Service.

`RunAs=App;`**`AppId={ClientId of user-assigned identity}`** - a user-assigned identity.

`RunAs=App;`**`AppId={TestAppId};KeyVaultCertificateSecretIdentifier={KeyVaultCertificateSecretIdentifier}`** - the application and a certificate's secret, for custom services authentication.

`RunAs=App;`**`AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}`** - a certificate with a thumbprint on TenantId.

`RunAs=App;AppId={AppId};TenantId={TenantId};`**`CertificateSubjectName={Subject};`**`CertificateStoreLocation={LocalMachine or CurrentUser}` - a certificate with a DN on TenantId.

`RunAs=App;AppId={AppId};TenantId={TenantId};`**`AppKey={ClientSecret}`** - a secret.

|
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers.md b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers.md
new file mode 100644
index 0000000000..aa911f3cad
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers.md
@@ -0,0 +1,271 @@
+---
+title: "CyberArk's AAM Credential Providers"
+description: "CyberArk's AAM Credential Providers"
+sidebar_position: 50
+---
+
+# CyberArk's AAM Credential Providers
+
+This guide shows how to protect sensitive data by connecting Identity Manager to CyberArk's Application Access Manager (AAM) Credential Providers.
+
+## Data Protection
+
+Identity Manager often needs to connect to [Connectors](../../../integration-guide/connectors) with credentials that need protection. See the [Connectors](../../../integration-guide/connectors) topic for additional information.
+
+By default, the data used to connect to external systems is stored in plain text in the **Connections** section of the `appsettings.agent.json` file. This is not a secure option.
+
+## CyberArk for Data Protection
+
+CyberArk's Application Access Manager (AAM) Credential Providers, part of the Privileged Access Security solution, is used to stop storing hard-coded credentials in applications, scripts or configuration files, and instead store them in CyberArk's vault to be centrally logged and managed.
+
+This way, the company can easily become compliant with potential internal and regulatory requirements of periodic password replacement, and able to securely monitor privileged access across all systems, databases and applications.
+
+CyberArk is made of **vaults**. Inside a vault, **safes** can be created and **owners** allocated. **Accounts** and files can then be stored in **safes** accessible by users.
+
+This section explains how Identity Manager retrieves these **Accounts** from CyberArk. 
+
+## Prerequisites
+
+CyberArk AAM can be used either with:
+
+- **agentless AAM**:
+[Central Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-Central%20-Credential-Provider.htm?tocpath=Get%20Started%7COfferings%7C_____3#central-credential-provider) (works with Web Service using REST);
+- **agent-based AAM**:
+[Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/lp_cp.htm?tocpath=Get%20Started%7COfferings%7C_____1#credential-provider) (works with C/C++ Application Password SDK).
+
+Implementing the Credential Provider method requires placing the C/C++ Application Password SDK DLL, named `CPasswordSDK.dll` (on 32-bit systems) or `CPasswordSDK64.dll` (on 64-bit systems), to the `Runtime` folder of Identity Manager.
+
+Identity Manager supports both AAMs. [CyberArk's overview](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-CyberArk-Application-Identity-Management-Solution.htm?tocpath=Get%20Started%7C_____1#cyberarks-overview) can help choose which AAM to go to.
+
+See more details about Credential Provider's [system requirements](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/SysReq-Credential-Provider.htm?tocpath=Installation%7CSystem%20Requirements%7C_____1#system-requirements) and [installation guide](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/installing-the-Credential-Provider.htm?TocPath=Installation%7CCredential%20Provider%7CInstall%20the%20Credential%20Provider%7C_____0#installation-guide). 
+
+## Compatible Settings
+
+The following table sums up which **keys** from `appsettings.agent.json`'s **Connections** section can be saved to CyberArk:
+
+ | Use Case | Possible Key |
+ | --- | --- |
+ | Login | `Login / ApplicationId / ClientId` |
+ | Password | `Password / ApplicationKey / ClientSecret` |
+ | Address | `Server / MicrosoftGraphPathApi / ResponseUri` |
+
+Any [Connectors](../../../integration-guide/connectors) using one of these attributes as key can retrieve the associated value from CyberArk.
+
+> For example,
+> [Active Directory](../../../integration-guide/connectors/references-connectors/activedirectory) can
+> retrieve: `Login`; `Password`; `Server`.
+
+## Set Authorization Details
+
+While the application's identifier is **required**, setting an authentication method and allowed machines is optional but **recommended** for security concerns.
+
+### **AppID**
+
+[See CyberArk's documentation on how to add an application to the vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#see-cyberarks-documentation-on-how-to-add-an-application-to-the-vault).
+
+CyberArk uses for each client application an **AppID**, i.e. a unique name to identify the application's permissions to access given **safes** and stored secrets.
+
+### Authentication
+
+Several [authentication methods](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#authentication-methods) are available to protect the whole system and make sure that Identity Manager actually does the API calls. 
+
+Netwrix Identity Manager (formerly Usercube)recommends:
+
+- Using the certificate's serial number (see below how to configure certificates) when working with
+the **agentless AAM** - Central Credential Provider;
+- Generating a hash with the AIMGetAppInfo utility when working with the **agent-based AAM** -
+Credential Provider.
+
+### Allowed machines
+
+Finally, [allowed machines](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#allowed-machines) can be added to the safe. This way, the Credential Provider verifies that only applications running from an authorized machine can access secrets.
+
+### SSL certificate
+
+**if** IIS is configured with `AIMWebService` set to `Require SSL`, then an SSL certificate must be provided.
+
+Identity Manager does not require a certificate, so it can be launched without certificate-related parameters, **if** CyberArk is configured to allow it.
+
+## Create a CyberArk Account
+
+CyberArk's Password Vault Web Access (PVWA) is meant to enable users to access sensitive data through **Accounts** in CyberArk, from any local or remote location.
+
+The following procedure requires credentials in order to connect to PVWA. 
+
+Create a CyberArk account by [adding it to the PVWA](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/cv_Managing-Single-**Accounts**.htm?tocpath=Administration%7CCredential%20Provider%7CAccounts%20and%20Safes%7C_____1#adding-it-to-the-pvwa), defining at least the following properties:
+
+```
+ | Property Name | Key in appsettings.agent.json |
+ | --- | --- |
+ | Username | Login |
+ | Address | Server |
+ | Password | Password |
+
+Netwrix Identity Manager (formerly Usercube) recommends customizing the account's name because it will be used in [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) to retrieve this account from the vault.
+```
+
+## Assign the Permissions
+
+[See CyberArk's documentation on how to add a safe member](https://docs.cyberark.com/PAS/13.0/en/Content/PASIMP/**safes**-add-a-safe-member-ClassicUI.htm?tocpath=Administrator%7CPrivileged%20Accounts%7CAccess%20Control%7CSafes%20and%20Safe%20members%7CClassic%20interface%7C_____3).
+
+In order to assign the permissions to access the application, follow CyberArk's instructions to [build the environment for the Credential Provider in the PVWA](https://docs.cyberark.com/AAM-CP/13.0/en/Content/CP%20and%20ASCP/Building-CP-Environment.htm).
+
+The aim here is to give the right permissions to:
+
+- the AAM user, by default named `Prov_{Credential Provider machine name}`, meant to enable the
+Credential Provider to authenticate to the vault and retrieve passwords;
+- the application, via its **AppID**.
+
+## Configure Usercube
+
+Connect Identity Manager to CyberArk by adding to the agent's `*appsettings.json*` file a specific section.
+
+> For example:
+>
+> ```
+> *appsettings.json*
+>
+> {
+> ... 
+> "CyberArk": {
+> "UseCyberArkSetting": true,
+> "SafeName": "safeName",
+> "ApplicationId" : "**AppID**",
+> "Server" : "serverUrl",
+> "File": "certificateFilePath",
+> "Password": "certificatePassword",
+> "DistinguishedName": "certificateSubjectDistinguishedName",
+> "Thumbprint": "certificateThumbprint",
+> "StoreName": "certificateStoreName",
+> "StoreLocation": "certificateStoreLocation"
+> },
+> ...
+> }
+> ```
+
+### Vault settings
+
+ | Name | Details |
+ | --- | --- |
+ | UseCyberArkSetting default value: False | **Type** Boolean **Description** `True` to enable the CyberArk Provider for Identity Manager. |
+ | SafeName **required** | **Type** String **Description** Name of the safe containing the **Accounts** used by Identity Manager. See the CyberArk's AAM Credential Providers topic for additional information. |
+ | ApplicationId **required** | **Type** String **Description** Application ID of the application that can access the safe. See the CyberArk's AAM Credential Providers topic for additional information. |
+ | Server **required** | **Type** String **Description** URL configured for the CyberArk Vault. It is **recommended** to use HTTPS for security purposes. **Note:** the `Server` attribute is only used with the CyberArk Central Credential Provider (**agentless AAM**). |
+
+### Certificate settings
+
+Certificate settings are only used with the Central Credential Provider (**agentless AAM**). They set the location of the public key certificate and the private key used by the agent to handle encrypted network communications with CyberArk.
+
+This information can be set one of two ways:
+
+- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive
+(also called [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or `.pfx` file) stored in the _Agent_'s host file system. 
The archive contains both the public key certificate and the private key. +- As a certificate from a Windows' +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains both the public key certificate and the private key. + +Netwrix Identity Manager (formerly Usercube)recommends using Windows' certificate store. + +On the other hand, the PFX file takes priority over Windows' certificate, which means that when `File` is specified then the PFX certificate is used, even **if** the options for Windows' certificate are specified too. + +In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +#### As a PFX file + +> For example: +> +> ``` +> *appsettings.json* +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "**AppID**", +> "Server" : "serverUrl", +> "File": "C:/UsercubeAgentContoso/contoso.pfx", +> "Password": "oarjr6r9f00" +> }, +> ... +> } +> ``` + +The archive is set using the following attributes: + + | Name | Details | + | --- | --- | + | File **required** | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | + | Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. **Info:** storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) tool. | + +#### As a Certificate in the Windows Store + +> For example: +> +> ``` +> *appsettings.json* +> +> { +> ... 
+> "CyberArk": {
+> "UseCyberArkSetting": true,
+> "SafeName": "safeName",
+> "ApplicationId" : "**AppID**",
+> "Server" : "serverUrl",
+> "DistinguishedName": "CN=contoso, OU=Biz, O=Contoso, L=Marseille, S=MA, C=FR",
+> "StoreName": "My",
+> "StoreLocation": "LocalMachine"
+> },
+> ...
+> }
+> ```
+
+The Windows certificate is set using these attributes:
+
+ | Name | Details |
+ | --- | --- |
+ | DistinguishedName optional | **Type** String **Description** _SubjectDistinguishedName_ of the store certificate. **Note:** **required** when `Thumbprint` is not specified. |
+ | Thumbprint optional | **Type** String **Description** _Thumbprint_ of the store certificate. **Note:** **required** when `DistinguishedName` is not specified. |
+ | StoreLocation **required** | **Type** String **Description** Location of the relevant Windows certificate store: `LocalMachine` or `CurrentUser`. |
+ | StoreName **required** | **Type** String **Description** Name of the relevant Windows certificate store. |
+
+## Identity Manager's CyberArk Vault
+
+Once configured, Identity Manager retrieves the sensitive **values** from CyberArk via the `*appsettings.cyberArk.agent.json*` file. See the CyberArk's AAM Credential Providers topic for additional information.
+
+In this file:
+
+- the **keys** must follow the same structure as in the **Connections** of the `appsettings.agent.json`
+file;
+- the **values** are the names of the **Accounts** created before.
+
+> The following example saves in CyberArk the credentials for `AD_Export`, with the **Accounts**
+> `AdAccount` and `AdServer2`:
+>
+> ```
+> *appsettings.cyberArk.agent.json*
+> {
+> "Connections": {
+> "AD_Export": {
+> "Login": "AdAccount",
+> "Password": "AdAccount",
+> "Servers": [> {
+> "Server": "AdAccount"
+> },
+> {
+> "Server": "AdServer2"
+> }
+>]
+> }
+> }
+> }
+> ```
+>
+> Thus, when launching a job via the `AD_Export` connection, Identity Manager gets the **values** for
+> `Login`, `Password` and `Server` from CyberArk, and the others from `appsettings.agent.json`.
+
+After updating `*appsettings.cyberArk.agent.json*`, the agent must be restarted for the changes to take effect.
+
+To get a given property's value, Identity Manager reads first the section in `*appsettings.cyberArk.agent.json*` for the appropriate connection. Only **if** the property is not listed here will Identity Manager read the corresponding section in `appsettings.agent.json` to find it.
+
+Thus, when a property is listed in both appsettings files, the value from the CyberArk vault takes priority over the one from the usual appsettings file.
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/index.md b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/index.md
new file mode 100644
index 0000000000..f825eef861
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/index.md
@@ -0,0 +1,63 @@
+---
+title: "Agent Configuration"
+description: "Agent Configuration"
+sidebar_position: 20
+---
+
+# Agent Configuration
+
+Identity Manager Agent's configuration includes connection information to the managed systems and to the Server. Protection of sensitive credentials can be achieved through RSA encryption, storing information within a CyberArk Vault, or using an Azure Key Vault safe.
+
+## Configuration Files
+
+The Agent configuration uses two sets of settings: the agent **appsettings** set and the **appsettings.agent** set.
+
+1. The [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) set is written either to the Agent's working
+directory appsettings.json file or as environment variables. See the [Architecture](../../../integration-guide/architecture) topic for additional information.
+2. The [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) set is written as environment variables or to
+the appsettings.agent.json files from the Agent's working directory.
+3. There are two additional files involved in the _Agent_'s configuration to protect sensitive data:
+appsettings.encrypted. agent. json and appsettings.cyberark.agent.json. See the [RSA Encryption](../../../integration-guide/network-configuration/agent-configuration/rsa-encryption) and [CyberArk's AAM Credential Providers ](../../../integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers)topics for additional information.
+
+## Protect Credentials
+
+Managed system credentials are sensitive information. Identity Manager offers three strategies to protect sensitive data.
+
+### RSA encryption
+
+Any Agent configuration setting value can be encrypted using `Usercube-Protect-X509JsonValue` and `Usercube-Protect-X509JsonFile` tools. An encrypted value is then written to the appsettings.encrypted.agent.json file.
+
+It means that any sensitive setting value that the user chooses to protect this way won't be written to the appsettings.agent.json file but to the appsettings.encrypted.agent.json file.
+
+### CyberArk Vault
+
+Any Agent configuration setting value can be encrypted using Identity Manager's CyberArk integration.
+
+To put it simply, any sensitive setting value that the user chooses to protect this way won't be written to the appsettings.agent.json file but stored within a CyberArk Vault.
+
+### Azure Key Vault safe
+
+Any Agent configuration setting value can be encrypted using Identity Manager's Azure Key Vault integration.
+
+To put it simply, any sensitive setting value that the user chooses to protect this way won't be written to the appsettings.agent.json file but stored within an Azure Key Vault safe.
+
+## Merge Priority
+
+Because of the credential protection system, the Agent connection information to managed systems can be written to the following configuration sources:
+
+- The appsettings.agent.json file which contains plain text, non-encrypted setting information.
+- The appsettings.encrypted.agent.json file which contains encrypted setting information.
+- An [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) safe.
+- A CyberArkVault referenced by the appsettings.cyberark.agent.json file.
+- The appsettings. connection.json file.
+
+Each configuration source is loaded one after the other, in the following order:
+
+1. appsettings.agent.json
+2. appsettings.encrypted.agent.json
+3. _Azure Key Vault_ safe
+4. _CyberArk Vault_
+5. appsettings.connection.json
+
+If a json key is defined in multiple configuration source, only the last loaded json key is preserved to build the final configuration.
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/rsa-encryption.md b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/rsa-encryption.md
new file mode 100644
index 0000000000..0a24f44869
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/agent-configuration/rsa-encryption.md
@@ -0,0 +1,57 @@
+---
+title: "RSA Encryption"
+description: "RSA Encryption"
+sidebar_position: 30
+---
+
+# RSA Encryption
+
+Identity Manager provides a few options to protect sensitive data via RSA encryption.
+
+## Overview
+
+Sensitive data can be RSA encrypted by using Identity Manager's tools:
+
+- [Usercube-Protect-X509JsonValue](../../../integration-guide/executables/references/protect-x509jsonvalue)
+to encrypt given values;
+- [Usercube-Protect-X509JsonFile](../../../integration-guide/executables/references/protect-x509jsonfile)
+to encrypt a whole file.
+
+The file encryption tool should be used only on files that contain only plain text values, not already encrypted ones.
+
+Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` and `appsettings.encrypted.agent.json` files. Identity Manager will read first the values from the encrypted appsettings files, before reading those from the usual non-encrypted appsettings files.
+
+These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the same for the encrypted appsettings files and the tools).
+
+The value encryption tool can be used to encrypt specific values to be added to the encrypted appsettings files without having to encrypt the whole files again.
+
+## Focus on the Encrypted Appsettings Files
+
+The `appsettings.encrypted.json` and `appsettings.encrypted.agent.json` files contain respectively the `appsettings.json` and `appsettings.agent.json` files' sensitive setting values which are protected by RSA encryption.
+
+These files follow the exact same structure as the [Agent Configuration](../../../integration-guide/network-configuration/agent-configuration).
+
+### Read the Encrypted Files
+
+Identity Manager can use an RSA decoding algorithm fed by a [public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted application settings.
+
+This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See below.
+
+```
+appsettings.json and/or appsettings.agent.json
+
+{
+ ...
+ "EncryptionCertificate": {
+ "File": "./identitymanager.pfx",
+ "Password": "secret",
+ "UseEncryptedAppsettings": true
+ }
+}
+```
+
+This way, values from the encrypted file take priority over the values from the non-encrypted appsettings files.
+
+> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the
+> value from the encrypted file is used.
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/configure-okta.md b/docs/identitymanager/6.3/integration-guide/network-configuration/configure-okta.md
new file mode 100644
index 0000000000..b456dbe61a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/configure-okta.md
@@ -0,0 +1,74 @@
+---
+title: "Configure Okta"
+description: "Configure Okta"
+sidebar_position: 70
+---
+
+# Configure Okta
+
+This guide shows how to configure the OIDC to set up the authentication to Identity Manager.
+
+## Create the Application
+
+On the Okta dashboard:
+
+![Add Application](/images/identitymanager/okta_addapplication.webp)
+
+**Step 1 –** Select the **Applications** section and click on the **Add Application** button.
+
+![Create New App](/images/identitymanager/okta_createnewapp.webp)
+
+**Step 2 –** Then click on the **Create New App** button.
+
+![Create Native App](/images/identitymanager/okta_createnativeapp.webp)
+
+**Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. Click on **Create**.
+
+**Step 4 –** In **General Settings**, name your Application. You can also add a logo.
+
+**Step 5 –** In the **Configure OpenID Connect** section, enter the connection redirection URL in the part: **Login redirect URLs**. To find out this URL, just take the URL of the Identity Manager application and add `/signin-oidc`. The Identity Manager disconnection redirection URL is also necessary. To construct it, take Identity Manager's URL again and, at the end, add `/signout-callback-oidc`.
+
+:::note
+ The **Logout redirect URLs** section is marked as optional but it is mandatory for Identity Manager.
+:::
+![Save Application](/images/identitymanager/okta_saveapplication.webp)
+
+## Configure the Client Credentials
+
+The client secret in Identity Manager is required for the OIDC connection. You must therefore configure this OIDC connection option in the application. In the Application Dashboard, click on **Edit** in the **Client Credentials** section. Select the option **Use Client Authentication** and save the changes.
+ +![Client Credentials](/images/identitymanager/okta_clientcredentials.webp) + +## Configure the Application Settings + +In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with Identity Manager can operate correctly. **Allow ID Token with implicit grant type** is optional. + +![Application Section](/images/identitymanager/okta_applicationsection.webp) + +## Configure the appsettings.json + +To successfully configure the OpenId protocol, you can refer to the dedicated section in the detailed guide. See the [ End-User Authentication](../../integration-guide/network-configuration/server-configuration/end-users-authentication) for additional information. + +Below is an illustrative example of how to set up your `appsettings.json` file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +{ +  ... +  "OpenId": { +    "Enabled": true, +    "Okta": { +      "AuthenticationScheme": "Okta Authentication", +      "Authority": "https://your-domain.okta.com/oauth2/default", +      "ClientId": "Your Client ID", +      "ClientSecret": "Your Client Secret", +      "DisplayName": "Okta Display Name", +      "NameClaimType": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", +      "SaveToken": true +    } +  } +} +``` + diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/how-tos/okta.md b/docs/identitymanager/6.3/integration-guide/network-configuration/how-tos/okta.md new file mode 100644 index 0000000000..46a83af54c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/network-configuration/how-tos/okta.md 
@@ -0,0 +1,68 @@ +# Configure Okta + +This guide shows how to configure the OIDC to set up the authentication to Identity Manager. + +## Create the Application + +On the Okta dashboard: + +![Add Application](/images/identitymanager/okta_addapplication.webp) + +**Step 1 –** Select the **Applications** section and click on the **Add Application** button. + +![Create New App](/images/identitymanager/okta_createnewapp.webp) + +**Step 2 –** Then click on the **Create New App** button. + +![Create Native App](/images/identitymanager/okta_createnativeapp.webp) + +**Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. Click on **Create**. + +**Step 4 –** In **General Settings**, name your Application. You can also add a logo. + +**Step 5 –** In the **Configure OpenID Connect** section, enter the connection redirection URL in the part: **Login redirect URLs**. To find out this URL, just take the URL of the Identity Manager application and add `/signin-oidc`. The Identity Manager disconnection redirection URL is also necessary. To construct it, take Identity Manager's URL again and, at the end, add `/signout-callback-oidc`. + +:::note + The **Logout redirect URLs** section is marked as optional but it is mandatory for Identity Manager. +::: +![Save Application](/images/identitymanager/okta_saveapplication.webp) + +## Configure the Client Credentials + +The client secret in Identity Manager is required for the OIDC connection. You must therefore configure this OIDC connection option in the application. In the Application Dashboard, click on **Edit** in the **Client Credentials** section. Select the option **Use Client Authentication** and save the changes. + +![Client Credentials](/images/identitymanager/okta_clientcredentials.webp) + +## Configure the Application Settings + +In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with Identity Manager can operate correctly. 
**Allow ID Token with implicit grant type** is optional. + +![Application Section](/images/identitymanager/okta_applicationsection.webp) + +## Configure the appsettings.json + +To successfully configure the OpenId protocol, you can refer to the dedicated section in the detailed guide. See the [ End-User Authentication](../../../integration-guide/network-configuration/server-configuration/end-users-authentication) for additional information. + +Below is an illustrative example of how to set up your `appsettings.json` file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +                { +                ... +                "OpenId": { +                "Enabled": true, +                "Okta": { +                "AuthenticationScheme": "Okta Authentication", +                "Authority": "https://your-domain.okta.com/oauth2/default", +                "ClientId": "Your Client ID", +                "ClientSecret": "Your Client Secret", +                "DisplayName": "Okta Display Name", +                "NameClaimType": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", +                "SaveToken": true +                } +                } +                } +``` + diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/index.md b/docs/identitymanager/6.3/integration-guide/network-configuration/index.md new file mode 100644 index 0000000000..e67f6e84dd --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/network-configuration/index.md 
@@ -0,0 +1,173 @@ +--- +title: "Network Configuration" +description: "Network Configuration" +sidebar_position: 230 +--- + +# Network Configuration + +Identity Manager's network technical configuration includes: + +- Database connection +- Managed systems connection +- Synchronization and fulfillment processes +- End-user authentication +- Logging + +## Introduction + +Configuration settings are saved in configuration files or in the host system's environment variables. + +Configuration settings are detailed further in the following sections: + +- Server configuration, including connection to the database and end-user authentication. See the +[Server Configuration](../../integration-guide/network-configuration/server-configuration) topic for additional information. +- Agent configuration, including connection to the managed systems. See the +[Agent Configuration](../../integration-guide/network-configuration/agent-configuration) topic for additional information. +- Monitoring, indicating how to set up monitoring for Identity Manager. See the +[Monitoring](../../integration-guide/monitoring)topic for additional information. + +## Write Settings + +How to write settings for the network configuration. + +### Sets, sections and values + +Configuration setting values are organized by functionality into three sets: + +1. The Server's appsettings set gathers general-purpose settings for the Server (including database +connection and end-user authentication). See the [Server Configuration](../../integration-guide/network-configuration/server-configuration) topic for additional information. +2. The Agent's appsettings set gathers general-purpose settings for the Agent executable process. +See the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) topic for additional information. +3. The appsettings.agent set gathers settings for the Agent's connection to the managed systems. 
See +the [appsettings.agent](../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information. + +Each set can be seen as a [tree-like structure](https://en.wikipedia.org/wiki/Tree_(data_structure)) where leaves are a name-value pair: the name of the setting and the value of the setting. + +Within a Configuration Set Tree, settings are organized into meaningful sections which can be further organized into subsections, leading to a tree-like structure where sections are nodes. For example, settings involving end-user authentication are gathered in the Authentication section, containing another subsection for every authentication method such as OpenId or OAuth. + +This means that every setting value either belongs to the settings root node or to a section, itself belonging to a parent section. + +![tree like structure](/images/identitymanager/tree-like-structure.webp) + +### Configuration files + +Settings can be written as `json` objects stored in `.json` files in the Server or Agent working directory. + +Relevant files for the Server can be found in the Server working directory: + +- `appsettings.json` + +Relevant files for the Agent can be found in its working directory: + +- `appsettings.json` +- `appsettings.agent.json` +- `appsettings.encrypted.agent.json` +- `appsettings.cyberArk.agent.json` + +Each setting file is organized into several sections as shown in the Sets, Sections and values diagram. See the [Architecture](../../integration-guide/architecture) topic for additional information. + +Each section's name matches a top level attribute of the file's `json` object. + +The section content is written as the matching attribute's value which can be broken down into a set of setting attributes and subsection attributes. + +Each subsection can then be broken down into more setting attributes and deeper nested subsections. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +settings.example.json +{ +      "sectionA": { +              "subsectionnameA1":{ +                        "settingnameA11":"settingA11value", +                        "settingnameA12":"settingA12value" +              }, +              "settingnameA2": "settingvalueA2", +                }, +      "sectionB": { +              "settingnameB1": "settingB1value", +              "settingnameB2": "settingB2value" +      } +} +``` + +In Integrated-agent mode, agent configuration is written to the Server's `appsettings.json` file. See the [Overview](../../installation-guide/overview) topic for additional information. + +#### Reminder + +The backslash character `\` is an escape character in a JSON file. An error will appear when parsing the JSON file if the backslash is followed by a non-escapable character. To use a backslash in a string, it must be escaped by another backslash. + +In this example, the value for the attribute Password will be parsed as ``: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +{ +        "Password": "" +} +``` + +### Environment variables + +Alternatively, settings can be stored as environment variables on Identity Manager's host system. + +Each setting value is stored as the value of an environment variable whose name is the concatenation of all the ancestor sections and the setting name separated by **\_\_** (two underscores). + +Here is an example showing how to construct a setting environment variable name from its matching `json` file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +``` +{ +        "Scheduler": { +                "Enabled": true, +                "LockFilePath": "../Temp/scheduler.lock" +        }, +        "Swagger": { +                "Enabled": true +        } +} +``` + +The name becomes Scheduler**Enabled, Scheduler**LockFilePath and Swagger\_\_Enabled. + +## Manage Several Environments + +How to manage several network environments. + +### Using files + +Every setting value can be overwritten to fit a specific environment. + +The environment within which Identity Manager runs is set by the system environment variable ASPNETCORE_ENVIRONMENT. The default value is Production. Usual examples include Development, Staging, and Production. + +To overwrite setting values for a specific environment, one can write environment-specific configuration files. + +For every appsettings.``.json file, an appsettings.``.``.json can be created where `` is the name of the relevant environment matching the ASPNETCORE_ENVIRONMENT value. + +The appsettings.``.``.json file has the exact same section/attribute/subsection shape as the main appsettings file. + +Identity Manager's configuration will be the result of merging both files. + +Should a setting be written in both files, Identity Manager will use the appsettings.``.``.json value. + +Leveraging this priority mechanism is how one can override a setting value to match a particular environment. Another mechanism can be used: using environment variables. + +### Using environment variables + +Setting values can also be stored as environment variables on Identity Manager's host system. Environment-variables-stored setting values have priority over json-file-stored setting values. Here is how to use this mechanism to handle multiple environments. + +In the web.config file, an `` element in the node `` > `` > `` > `` is used to set a setting value for the application. 
+
+### Configuration stages
+
+Configuration encompasses:
+
+- The Server configuration with a connection to the database and end-user authentication. See the
+[Server Configuration](../../integration-guide/network-configuration/server-configuration) topic for additional information.
+- The Agent configuration with a connection to the managed systems. See the
+[Agent Configuration](../../integration-guide/network-configuration/agent-configuration)topic for additional information.
+- The Logger configuration. See the [Monitoring](../../integration-guide/monitoring)topic for additional
+information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/password-management.md b/docs/identitymanager/6.3/integration-guide/network-configuration/password-management.md
new file mode 100644
index 0000000000..e66e503051
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/password-management.md
@@ -0,0 +1,49 @@
+---
+title: "Password Management"
+description: "Password Management"
+sidebar_position: 50
+---
+
+# Password Management
+
+The Password Management module offers a set of password-related operations on resources of certain types (Active Directory, Microsoft Entra ID (formerly Microsoft Azure AD), Service Now, etc...).
+
+## Possible Password Operations
+
+Depending on the target system of the manipulated resource, the following operations are possible:
+
+### Password initialization
+
+This operation **can be started manually by the user through the UI** (with the "Manage Accounts" option on user pages) **or automatically during the fulfillment process** of the corresponding resource.
+
+It consists of initializing the password and sending a notification containing instructions to a configurable email address.
+
+The password initialization can be done in two different ways:
+
+- One-Way: Identity Manager sets the initial password, and sends it as part of the instructions
+notification.
+- Two-Way: The instructions notification contains a link to a page where the email recipient
+initializes the password.
+
+### Password change
+
+**UI-only** operation that allows the user to change the password.
+
+### Password reset
+
+**UI-only** operation that allows the user to reset the password.
+
+### Account unlocking
+
+**UI-only** operation that allows the user to unlock an account that has been blocked due to too many incorrect password attempts.
+
+## Possible operations per managed system
+
+Identity Manager provides a predefined set of possible operations per managed system (which cannot be changed by the configuration).
+
+ | | Initialize | Change | Reset | Unlock | _Notes_ |
+ | --- | --- | --- | --- | --- | --- |
+ | Active Directory | YES | YES | YES | YES | **Required authentication mode:** Basic with SSL or Negotiate |
+ | LDAP | YES | YES | YES | YES | **Required authentication mode:** Basic with SSL or Negotiate |
+ | Microsoft Entra ID | YES | NO | YES | NO | - |
+ | Service Now | YES | NO | NO | NO | - |
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/proxy.md b/docs/identitymanager/6.3/integration-guide/network-configuration/proxy.md
new file mode 100644
index 0000000000..38c3b3a2f3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/proxy.md
@@ -0,0 +1,187 @@
+---
+title: "Proxy Server"
+description: "Proxy Server"
+sidebar_position: 30
+---
+
+# Proxy Server
+
+Identity Manager server or agent can be configured to go through a proxy server to access internal or external web resources.
+
+## Introduction
+
+A Identity Manager agent often needs to access internal or external systems using the HTTP protocol. It may easily be configured to use a proxy server through which all or part of the HTTP traffic will be routed.
+
+## Proxy Related Environment Variables
+
+The proxy configuration is based on a set of standard dotnet environment variables:
+
+- `HTTPS_PROXY`: the proxy server used on HTTPS requests.
+- `NO_PROXY`: a comma-separated list of hostnames that should be excluded from proxying.
+
+The dotnet environment does not rely on the OS-wide proxy configuration. It is mandatory to use the above-mentioned environment variables to configure the proxy.
+
+### HTTPS_PROXY
+
+The `HTTPS_PROXY` environment variable may be the hostname or IP address, optionally followed by a colon and port number, or it may be an http URL, optionally including a username and password for Proxy Server authentication.
+
+The URL must start with `http`, **not https**, and cannot include any text after the hostname, IP, or port.
+
+This example shows various ways to properly configure a proxy server using Powershell:
+
+```
+# A hostname with port (recommended syntax)
+$env:HTTPS_PROXY="proxy.contoso.com:6060"
+# A hostname without port
+$env:HTTPS_PROXY="proxy.contoso.com"
+# An IP address with port
+$env:HTTPS_PROXY="10.65.1.1:6060"
+# A URL with port:
+# Warning: Even if we want to route HTTPS traffic, we MUST give a URL with http scheme.
+# Warning: Do not add trailing slash.
+$env:HTTPS_PROXY="http://proxy.contoso.com:6060"
+```
+
+We recommend using the `:` syntax since it is not misleading. We discourage using the `http://:` syntax since it is not intuitive to indicate the `http` scheme to route `https` traffic. However, if you decide to use this syntax, do not forget to include a comment stating that `http` scheme is mandatory at the configuration level, even if it will not be used at runtime.
+
+#### Do not do
+
+This example shows the wrong ways to initialize the `HTTPS_PROXY` environment variable. The environment variable will be **silently ignored** and the traffic will not be routed through the proxy.
+
+```
+# WRONG: A URL with https scheme
+$env:HTTPS_PROXY="https://proxy.contoso.com:6060"
+# WRONG: A URL with text after the port number
+$env:HTTPS_PROXY="http://proxy.contoso.com:6060/"
+# WRONG: A URL with text after the hostname
+$env:HTTPS_PROXY="http://proxy.contoso.com/"
+```
+
+#### Authenticated proxy
+
+When the proxy server needs the user to be authenticated, the `HTTPS_PROXY` environment variable can include the username and password as follows:
+
+```
+# A URL to authenticate to the proxy with login=mylogin and password=mypassword
+$env:HTTPS_PROXY="http://mylogin:mypassword@proxy.contoso.com:6060"
+```
+
+### NO_PROXY
+
+The `NO_PROXY` environment variable is a comma-separated list of hostnames that should be excluded from proxying. To exclude all subdomains ("wildcard" exclusion), domains in the `NO_PROXY` list need to be prefixed with a dot (`.`), which is standard, but not particularly well documented. **Do not use the star (`*`) prefix !!!**
+
+This example shows various ways to exclude domains from proxying:
+
+```
+# Exclude only www.google.com:
+# www.google.com: will not go through the proxy
+# maps.google.com: will go through the proxy
+$env:NO_PROXY="www.google.com"
+# Exclude only www.google.com and www.microsoft.com:
+$env:NO_PROXY="www.google.com,www.microsoft.com"
+# Exclude all google.com and all microsoft.com subdomains:
+# Do not prepend the domain name with a '*'
+# www.google.com: will not go through the proxy
+# maps.google.com: will not go through the proxy
+# www.microsoft.com: will not go through the proxy
+$env:NO_PROXY=".google.com,.microsoft.com"
+```
+
+#### Do not do
+
+This example shows the wrong ways to initialize the `NO_PROXY` environment variable.
+
+```
+# WRONG: starting with '*' to indicate a wildcard exclusion
+# Only the domain exactly named *.contoso.com will be excluded from proxying,
+# which means there is no exclusion configured.
+$env:NO_PROXY="*.contoso.com"
+```
+
+## Where to Define Proxy Environment Variables
+
+The proxy configuration is based on a set of standard dotnet environment variables, they can be defined in various places according to the practices in place in your organization:
+
+- At OS level
+- At user level: for the user running the Identity Manager server or agent
+- At IIS level: in the application `web.config` file
+
+Note that when creating an environment variable in IIS `web.config` file, all child processes created by the IIS application will inherit from this environment variables. For example, while running the Identity Manager agent all tasks started by the agent will inherit the proxy environment variables.
+
+This example shows how to configure the proxy in the IIS `web.config` file:
+
+```
+
+
+ ...
+
+```
+
+## Testing the Proxy Configuration
+
+To test the proxy configuration for the dotnet environment, it is advised to use Powershell 5 or Powershell Core.
+
+In the following examples, you may adapt the proxy hostname/port and the URL to test.
+
+### Using Powershell 5
+
+To test that a Identity Manager agent using a proxy server can reach the Identity Manager server: Go to the `/Runtime` directory.
+
+```
+$env:HTTPS_PROXY="proxy.contoso.com"
+./Usercube-Invoke-Job.exe --api-url https://contoso.usercube.com/ --api-client-id Job --api-secret secret -j UnknownJob
+
+# Given the credentials are valid, you should get an exception as follows:
+# ---> System.Exception: Job: UnknownJob is not found
+# This exception shows that the server has been reached and that the job identifier is not known.
+# The proxy is properly configured !!!
+```
+
+**Do not use** Invoke-WebRequest or Test-NetConnection to test the proxy configuration. In Powershell 5, these tools are using a different network stack from dotnet environment and are using the OS-wide proxy settings. They will ignore the `HTTPS_PROXY` environment variable
+
+### Using Powershell Core
+
+Powershell Core is based on the same network stack as dotnet environment. The proxy configuration can be tested using the Invoke-WebRequest and Test-NetConnection tools. If tests are successful using Invoke-WebRequest, they will be successful too if the same environment variables are provided to the Identity Manager server or agent.
+
+Powershell Core will only take the `HTTPS_PROXY` environment variable into account if it was created before the Powershell Core process was started.
+
+```
+# Create the environment variable in this Powershell Core process.
+# This variable will not alter the proxy configuration of this process.
+$env:HTTPS_PROXY="proxy.contoso.com"
+# Start a child Powershell Core process which will inherit from the HTTPS_PROXY environment variable.
+# This variable will alter the proxy configuration of this child process.
+pwsh
+Invoke-WebRequest https://contoso.usercube.com/
+# The result should display an HTTP 200 response from the Identity Manager server.
+
+# Go back to the parent Powershell parent process.
+exit
+```
+
+### Known errors when proxy is not properly configured
+
+When the proxy environment variables does not match the expected format, they will be **silently** ignored.
+
+- If `HTTPS_PROXY` is ignored, the network stack will try to directly access public URL's without
+going through the proxy.
+- If `NO_PROXY` is ignored, the internal traffic will be routed through the proxy.
+
+When testing the proxy configuration, if you get one of the following error message:
+
+- ` No such host is known.`
+- `Hote inconnu`
+
+It means that the `HTTPS_PROXY` is not set or does not match the expected format. The HTTP client tries to directly resolve the public hostname instead of resolving the proxy hostname.
+
+Review the `HTTPS_PROXY` value, check that it does not:
+
+- use the `https` scheme
+- include trailing slashes or characters after the hostname:port
+
+## Reference Documentation
+
+- [HttpClient.DefaultProxy](https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.defaultproxy?view=net-8.0&viewFallbackFrom=netcore-8.0#httpclientdefaultproxy):
+reference for environment variables.
+- NO_PROXY: [unofficial documentation](https://stackoverflow.com/a/62663469) for wildcard domain
+exclusion
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/database-connection.md b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/database-connection.md
new file mode 100644
index 0000000000..963c28d1e9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/database-connection.md
@@ -0,0 +1,80 @@
+---
+title: "Connection to the Database"
+description: "Connection to the Database"
+sidebar_position: 40
+---
+
+# Connection to the Database
+
+The connection of Identity Manager's server to the database is set through the `appsettings` top-level `ConnectionString` and the `AzureCredentials` attributes:
+
+ | Name | Details |
+ | --- | --- |
+ | ConnectionString required | **Type** String **Description** Identification token used to retrieve the connection information for the server to access Identity Manager's database in SQL Server. **Note:** must be compliant with SQL Server connection string syntax. See the [Install the Server](../../../installation-guide/production-ready/server) topic for additional information. **Example**`{ "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" } ` |
+ | ConnectionStringGovernor required | **Type** String **Description** Identification token used to retrieve the connection information to SQL Server Resource Governor which is a feature used to manage SQL Server's workload and system resource consumption. **Info:** Resource Governor enables specifying limits on the amount of CPU, physical I/O, and memory that incoming application requests can use. **Note:** must be compliant with SQL Server connection string syntax. See the [Install the Server](../../../installation-guide/production-ready/server) topic for additional information. **Note:** all tasks and jobs use this connection string, when specified. **Example**`{ "ConnectionStringGovernor": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` |
+ | AzureCredentials required | **Type** Azure Credentials **Description** Settings used with the `ConnectionString` to access the database in SQL Server, hosted on Microsoft Entra ID (formerly Microsoft Azure AD). |
+
+## AzureCredentials
+
+The database can be accessed one of two ways:
+
+- either by specifying `User Id` and `password` keywords directly in the connection string:
+
+ > For example:
+>
+ > ```json
+ > "ConnectionString": "data source=.;Database=UsercubeContoso;User
+ > Id=UsercubeServerContoso;Password=myPassword;Min Pool Size=10;encrypt=false;"
+ > ```
+
+- or, to avoid exposing the `User Id` and `password` in a connection string sent through the network, by using the built-in Microsoft Entra ID authentication method:
+
+ > For example:
+>
+ > ```json
+ > "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial
+ > Catalog=;Persist Security
+ > Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;"
+ > ```
+
+[See Microsoft's documentation for more details about authentication methods](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15)
+
+> The following example authenticates with ClientId and ClientSecret:
+```json
+ {
+ ...
+ "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;",
+
+ "AzureCredentials": {
+ "ClientId": "",
+ "AADTenantId": "",
+ "ClientSecret": ""
+ }
+ }
+ ```
+
+ The following example authenticates with a pfx-stored public key certificate (password-protected pfx archive):
+
+ ```json
+{
+ ...
+ "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;",
+
+ "AzureCredentials": {
+ "ClientId": "",
+ "AADTenantId": "",
+ "EncryptionCertificate": {
+ "File": "",
+ "Password": ""
+ }
+ }
+ }
+ ```
+
+ | Name | Details |
+ | --- | --- |
+ | ClientId optional | **Type** String **Description** Client ID obtained from Microsoft Entra ID when [registering ](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)Identity Manager as an application. |
+ | AADTenantId optional | **Type** String **Description** Microsoft Entra ID's tenant identifier obtained when registering ](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)Identity Manager as an application. **Note:** remember to set Identity Manager as owner of the targeted database when registering Identity Manager as an application in Microsoft Entra ID. |
+ | ClientSecret optional | **Type** String **Description** Microsoft Entra ID's client secret used by Identity Manager to authenticate.**Note:** used only if `EncryptionCertificate` is not specified. |
+ | EncryptionCertificate required, if ClientSecret is not defined | **Type** Encryption Certificate **Description** Location of the certificate used by Identity Manager to authenticate, instead of the `ClientSecret`. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/end-users-authentication.md b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/end-users-authentication.md
new file mode 100644
index 0000000000..0cd86fdf5b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/end-users-authentication.md
@@ -0,0 +1,895 @@
+---
+title: "End-User **authentication**"
+description: "End-User **authentication**"
+sidebar_position: 30
+---
+
+# End-User **authentication**
+
+## Overview
+
+Before end-users can connect to Identity Manager through the UI, they will have to authenticate.
+
+Identity Manager supports seven **authentication** methods organized into two categories: Internal methods and External methods.
+
+It is highly **recommended** that you use an External method. Internal methods are mostly used for debug, test and development purposes.
+
+**Internal methods**
+
+The Internal methods use Identity Manager Server's internal **authentication** server. They rely on one of these Identity Server User Stores:
+
+- Test User Store, used in development environments.
+- **Active Directory User Store**, using an Active Directory to authenticate.
+
+**External methods**
+
+External methods use external **authentication** providers.
+
+Identity Manager supports five types of external **authentication** providers of which four are based on different flavors of the OAuth 2.0 protocol, and the last one is integrated with Windows.
+
+The types of **authentication** providers supported by Identity Manager are:
+
+- [OpenIdConnect](https://openid.net/connect/)
+- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html)
+- [OAuth](https://tools.ietf.org/html/rfc6749)
+- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
+- [Integrated Windows **authentication** (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-**authentication**)
+
+**Using more than one provider**
+
+For each **authentication** method, one or several **authentication** providers can be set up. If several **authentication** providers are set up, end-users will be prompted to choose their preferred method of **authentication**.
+
+Internal method & test mode form:
+
+![authent_1](/images/identitymanager/authent_1.webp)
+
+External method prompt:
+
+![authent_2](/images/identitymanager/authent_2.webp)
+
+## Identity Server RSA Key Pair
+
+A public key certificate and a private key are used to handle encrypted communication with external **authentication** providers. This is used, for example, by the Identity Manager Server to retrieve the provider's signing key. It is mandatory to validate JWT tokens in an OAuth-flavor scenario.
+
+This information can be set one of two ways:
+
+- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called `.pfx` file) stored in
+the Agent's host file system. The archive contains both the public key certificate and the private key.
+- As a certificate from a Windows'
+[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate and the private key.
+
+### PFX file
+
+The archive is set using the following attributes on the appsettings > IdentityServer section:
+
+- X509KeyFilePath is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the
+Agent's host file system.
+- X509KeyFilePassword (optional) is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive
+password.
+
+**Example**
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+ "": {
+ "X509KeyFilePath":C:/UsercubeAgentContoso/contoso.pfx",
+ "X509KeyFilePassword": "YourPasswordHere"
+ }
+```
+
+### Certificate
+
+The certificate from a Windows certificate store is set up using these attributes on the appsettings > IdentityServer section:
+
+ | Name | Description |
+ | --- | --- |
+ | X509SubjectDistinguishedName optional (if Thumbprint is non-empty) | Sets the store certificate's SubjectDistinguishedName. |
+ | X509Thumbprint optional (if DistinguishedName is non-empty) | Sets the store certificate's Thumbprint. |
+ | X509StoreLocation required | Sets the Relevant Windows certificate store's location: `LocalMachine` or `CurrentUser`. |
+ | X509StoreName required | Sets the relevant Windows certificate store's name. |
+
+**Example**
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+"": {
+ "X509SubjectDistinguishedName":"",
+ "X509StoreLocation": "",
+ "X509StoreName": ""
+}
+```
+
+:::note
+ Identity Manager Server won't start if the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive set up during this step is identical to the one provided with the SDK. Users must provide their own certificate. Self-signed certificates are accepted as valid. See the[Install the Server](../../../installation-guide/production-ready/server)topic for additional information.
+:::
+## Configuration Section Description
+
+**authentication** is set up using the following two sections of the Server's appsettings set:
+
+- IdentityServer
+- **authentication**
+
+```json
+{
+ "IdentityServer":{
+ ...
+ },
+ "**authentication**":{
+ ...
+ }
+}
+```
+
+The **authentication** section mostly fits the following pattern:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+"<**authentication**>":{
+ <**authentication** Protocol 1>:{
+ <**authentication** Provider 1>:{
+ ...
+ },
+ ....,
+ <**authentication** Provider n>:{
+ ...
+ },
+ },
+ <**authentication** Protocol 2>:{
+ <**authentication** Provider 1>:{
+ ...
+ },
+ ....,
+ <**authentication** Provider n>:{
+ ...
+ },
+ }
+}
+```
+
+Several **authentication** providers can be defined (here above, `<**authentication** Provider 1>` to `<**authentication** Provider n>`), using one or several **authentication** protocols (here above, `<**authentication** Protocol 1>` and `<**authentication** Protocol 2>`).
+
+Most of the **authentication** providers need the user to choose an AuthenticationScheme. It is a string that will be used to uniquely identify this **authentication** method in Identity Manager. Its goal is to enable Identity Manager's testers to identify which **authentication** method is used in the logs or in the code, with a mnemonic name. Any name can be used as long as all AuthenticationSchemes are different.
+
+:::note
+ This guide doesn't cover how to set up **authorizations** within Identity Manager. **Authorization** for an end-user to access Identity Manager resources relies on assigning roles to profiles. Identity credentials used for **authentication** must be linked to these profiles in the applicative configuration. See the [Various XML Settings](../../../integration-guide/network-configuration/settings)topic for additional information.
+:::
+**authentication**-related settings are done through the following sections of the appsettings set:
+
+- IdentityServer
+- **authentication**
+
+See the[Architecture](../../../integration-guide/architecture)topic for additional information.
+
+### Identity Server
+
+This is the general-purpose **authentication** settings section.
+
+The Identity Server section allows the following attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled (default value: true) | Boolean | Enables or disables the Identity Server. |
+ | AllowWindowsAuthentication (default value: false) | Boolean | Allows Windows **authentication**. Will work only when the **Active Directory User Store** is enabled. |
+ | ShowPII (default value: false) | Boolean | Sets whether or not PII is shown in logs. For security reasons, this setting should be used sparingly. |
+ | ValidationKeys (optional) | String Array | Allows the definition of public certificate paths for token validation. |
+ | IssuerURI (optional) | String | Sets the unique name of this server instance. |
+ | PostLogoutRedirectUri (optional) | String | Sets a specific URI to which the user will be redirected after a successful logout. |
+ | PublicOrigin (optional) | String | Sets the origin name for this Identity Manager Server instance. Useful if end-users authenticate through a proxy server. |
+ | X509File (required) | String | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the Agent's host file system. |
+ | X509KeyFilePassword (optional) | String | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. |
+ | X509SubjectDistinguishedName (optional) | String | Sets the store certificate's SubjectDistinguishedName. |
+ | X509Thumbprint (optional) | String | Sets the store certificate's Thumbprint. |
+ | X509StoreLocation (required) | String | Sets the relevant Windows certificate store's location. |
+ | X509StoreName (required) | String | Sets the relevant Windows certificate store's name. |
+
+### **authentication**
+
+This section contains specific settings for each configuration method.
+
+At the root, the following properties can be used:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled default value: true | Boolean | Enables or disables **authentication**. |
+ | RequireHttpsMetadata default value: true | Boolean | Specifies whether HTTPS is required for the discovery endpoint. |
+ | AllowLocalLogin required | Boolean | If `true`, a Login Form replaces Windows **authentication**. |
+ | CookieLifeTime default value: 8 | Int | Maximum duration (in hours) after which the session expires automatically. |
+ | LifeTimeSliding default value: 10 | Int | Duration (in minutes) after which the session expires automatically, if no action is taken during this time. |
+
+Then, a subsection for every **authentication** method is used. Supported subsections are:
+
+- OpenId
+- OAuth
+- WsFederation
+- SAML2
+- ActiveDirectoryUserStore
+- TestUserStore
+
+## Set Up Integrated Windows **authentication** (IWA)
+
+This **authentication** method can be used to authenticate users within an Active Directory domain using their respective domain account.
+
+This **authentication** is **silent**: when an end-user tries to access Identity Manager, the browser retrieves identity credentials from the Windows session where the user is logged in and sends them to the domain controller for **authentication**. The domain controller confirms the user's identity and validates it for Identity Manager. The end-user doesn't have to input any credentials.
+
+:::note
+ If Integrated Windows **authentication** is used, internal methods have to be disabled with the `"AllowLocalLogin":false` setting.
+:::
+### Requirements
+
+Setting up this **authentication** method requires the following:
+
+- Identity Manager runs as an [Internet Information Services (IIS)](https://www.iis.net/) website.
+- Windows **authentication** is
+[enabled on Windows server](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016).
+- Windows **authentication** is
+[enabled for the Identity Manager IIS ](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/**authentication**/windowsauthentication/#enabled-for-the-usercube-iis)[enabled for the Identity Manager IIS website](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/**authentication**/windowsauthentication/#enabled-for-the-usercube-iis-website) website.
+
+### Configuration
+
+Integrated Windows **authentication** is configured using the following sections:
+
+- Set the **IdentityServer** > **AllowWindowsAuthentication** attribute to `true`.
+
+- Set the ****authentication**** > **AllowLocalLogin** attribute to `false`.
+
+1. Set the **IdentityServer** > **AllowWindowsAuthentication** attribute to `true`.
+2. Set the ****authentication**** > **AllowLocalLogin** attribute to `false`.
+
+> The following example sets up Windows **authentication**. Windows Server and IIS requirements have
+> been checked.
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```json
+> *appsettings.json*
+> ...
+> "":{
+> "AllowWindowsAuthentication":"",
+> },
+> "<**authentication**>":{
+> "AllowLocalLogin":"",
+> }
+> ...
+>
+> ```
+
+## Set Up an OpenID Connect Provider
+
+One or several OpenID Connect **authentication** providers can be set up under the **authentication** > OpenId section.
+
+**Multiple providers**
+
+One or several OpenID Connect **authentication** providers can be set up.
+
+**Registration process**
+
+Using an OpenID Connect **authentication** requires the Identity Manager Server to be registered to the provider. A ClientID and a ClientSecret are issued as a result of the registration process. They both allow Identity Manager to identify itself to the **authentication** provider. [See an example](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings) of how to register Identity Manager to an Microsoft Entra ID (formerly Microsoft Azure AD) used as OpenID Connect provider.
+
+**Callback URL**
+
+The target OpenID Connect provider needs to be aware of the URI where to send the **authentication** token if the **authentication** succeeds. Depending on the provider, it is called a callback URL, a callback path, an **Authorization** callback URL, or a redirect URI.
+
+During the registration process, the provider will ask for the URL.
+
+Identity Manager's callback URL for OpenID Connect is `/signin-oidc` where `` is the address of your Identity Manager Server such as `https://identitymanager.contoso.com`.
+
+**Authority**
+
+An OpenID Connect provider is identified by its Authority, according to the [OpenID ](https://openid.net/connect/)Connect specifications.
+
+**NameClaimType**
+
+To authorize an end-user, Identity Manager Server retrieves a specific claim (a key-value pair, transmitted through the OIDC-issued JWT token) returned by the provider and looks for a resource that matches this claim's value. The comparison is carried out according to the resource and property set as the end-user's identity in the applicative configuration. See the [Select User by Identity Query Handler Setting](../../../integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting)
+
+The name of the claim that is retrieved for this purpose defaults to `sub` which is one of the standard [Claim names for the OpenID Connect protocol](https://openid.net/specs/openid-connect-core-1_0.html#claim-names-for-the-openid-connect-protocol). However, some providers might not fill the `sub` value with meaningful data, or use non-standard Claim names.
+
+For this reason, the name of the claim that is retrieved by Identity Manager for **Authorization** purposes can be set up according to the provider's specifics.
+
+:::note
+ Users should be able to get a list of the claim names used by their **authentication** providers from their providers' portal website, documentation or administrators.
+:::
+For example, the following claim provides no meaningful `sub` value.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ "name": "",
+ "preferred_username": "",
+ "sub": "<11v7ert42azerttyZD6d4>"
+}
+```
+
+Using the following applicative configuration setting that sets `Ad_Entry:userPrincipalName` as the value to be matched against a claim in order to identify a user's profile, the `preferred_username` NameClaimType should be used.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+
+```
+
+### Configuration
+
+First, the OpenID Connect method must be enabled.
+
+Under the OpenId section:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled required | Boolean | Enables or disables the OpenId connection. |
+
+For each OpenID Connect provider to integrate, a new section is added under the OpenID subsection. Any section name can be used. This section name is only used as a means for the user to find the **authentication** method in the configuration files.
+
+Under the new subsection, the following parameters are used to configure the **authentication** method:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | AuthenticationScheme required | String | Is the unique identifier of this **authentication** method within Identity Manager. Any string value can be used, unique among all **authentication** methods. |
+ | DisplayName optional | String | Is the provider display name. Chosen by the user, it is used in the UI to identify the **authentication** method. |
+ | ClientId required | String | Is the Client ID issued during the registration of Identity Manager to the chosen OpenID Connect provider. |
+ | ClientSecret required | String | Is the Client Secret issued during the registration of Identity Manager to the chosen OpenID Connect provider. |
+ | Authority required | String | This URL identifies the OpenID Connect provider for Identity Manager according to the [OpenID Connect specifications](https://openid.net/connect/). It can be retrieved from the target OpenID Connect provider documentation. For example, [Microsoft's documentation ](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)indicates the Microsoft Identity Platform OpenID Connect[ ](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)authority. |
+ | NameClaimType optional | String | Sets the type of the claim that will be retrieved by Identity Manager to identify the end-user. The retrieved claim will be compared against the resource and property set as the end-user's identity in the applicative configuration. See the [Select User by Identity Query Handler Setting](../../../integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting)topic for additional information. |
+ | Scopes optional | String | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). By default, the requested scopes are: openid, profile and email. |
+ | SaveTokens default value: false | Boolean | Only for Okta providers. Set to `true if **authentication** uses an Okta provider. See the [Configure Okta](../../../integration-guide/network-configuration/how-tos/okta)topic for additional information. |
+ | MetadataAddress optional | String | URL address of a copy of the metadata, used when the authority metadata cannot be accessed from the Identity Manager server, for example because of a firewall. |
+ | RequireHttpsMetadata default value: true | Boolean | By default the authority metadata must use HTTPS. Set to `false to use a simple HTTP metadata, in case a local copy of the metadata is used or for test environment. |
+ | ResponseMode optional | String | Response mode for OpenIdConnect. - Query - FormPost - Fragment [See OpenId documentation](https://openid.net/specs/openid-connect-core-1_0.html). |
+ | ResponseType optional | String | Response type for OpenIdConnect. - Code - CodeIdToken - CodeIdTokenToken - CodeToken - IdToken - IdTokenToken - None - Token See examples in the [OpenId documentation.](https://openid.net/specs/openid-connect-core-1_0.html#openid-documentation) |
+
+**Example**
+
+This example configures an OpenId Connect authority located at [https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69](https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69).
+
+This **authentication** provider is identified within the *appsettings.json* OpenId Connect providers list as OpenId1.
+
+Within Identity Manager, it will be identified with the **authentication** scheme AzureOIDC.
+
+It will be displayed as Connection Microsoft Entra ID with OIDC protocol in the UI external login prompt.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ "**authentication**":
+ {
+ ...
+ "OpenId": {
+ "Enabled": "",
+ "OpenId1": {
+ "AuthenticationScheme": "",
+ "DisplayName": "",
+ "ClientId": "<6779ef20e75817b79602>",
+ "ClientSecret": "<5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0>",
+ "Authority": "",
+ "NameClaimType": "",
+ "Scopes": ["", ""]
+ }
+ }
+ }
+}
+```
+
+## Set Up an OAuth Provider
+
+One or several OAuth **authentication** providers can be set up under the **authentication** > OAuth section.
+
+**Multiple providers**
+
+One or several OAuth **authentication** providers can be set up.
+
+**Registration process**
+
+Using an OAuth **authentication** requires Identity Manager Server to be registered to the provider. A ClientID and a ClientSecret are issued as a result of the registration process. They both allow Identity Manager to identify itself to the **authentication** provider.
+
+#### Callback URL
+
+The target OAuth provider needs to be aware of the URI where to send the **authentication** token if the **authentication** succeeds. Depending on the provider, it is called a callback URL, a callback path, an **Authorization** callback URL, or a redirect URI.
+
+During the registration process, the provider will ask for the URL.
+
+Identity Manager's callback URL for OAuth is ``/`` where `` is the address of your Identity Manager Server such as https://identitymanager.contoso.com and `` can be set up to any value chosen by the user using the CallbackPath configuration attribute. The only constraint is to make sure the CallbackPath value in Identity Manager's configuration is the same as in the OAuth provider registration screen for Identity Manager.
+
+### Configuration
+
+First, the OAuth method must be enabled under the **authentication** > OAuth section.
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled required | Boolean | Enables or disables the OAuth connection. |
+
+Then, users must create a new section per OAuth provider. Users are free to choose any section name. Its sole purpose is for users to find the **authentication** method in the configuration files.
+
+Each section is configured with the following settings:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | AuthenticationScheme required | String | Is the unique identifier of this **authentication** method within Identity Manager. Any string value can be used, unique among all **authentication** methods. |
+ | DisplayName optional | String | Is the provider display name. Chosen by the user, it is used in the UI to identify the **authentication** method. |
+ | ClientId required | String | Is the Client ID issued to Identity Manager during the registration process. |
+ | ClientSecret required | String | Is the Client Secret issued to Identity Manager during the registration process. |
+ | ClaimsIssuer required | String | Is a unique identifier that will mark claims issued by this OAuth provider for Identity Manager. This mark is used for debugging, monitoring, or security purposes in situations where multiple OAuth providers are involved. It's still useful if only one provider is used. Any string value can be used. Convention dictates that it is a URL shaped value such as https://accounts.google.com. |
+ | AuthorizationEndpoint required | String | Is the provider's **Authorization** Endpoint URI. This is where the end-user's browser is redirected to start the **authentication** process. Usually ends with /auth or /authorize. This information must be retrieved from the provider's portal. |
+ | TokenEndpoint required | String | Is the provider's Token Endpoint URI. This is where the client sends token requests, using an **Authorization** code obtained during the **authentication** process. This information must be retrieved from the provider's portal. |
+ | CallbackPath required | String | Sets the callback path where the client is redirected after a successful **authentication**. Any string value can be used as long as it is reported to the provider during the registration process. |
+ | SaveTokens default value: false | Boolean | Only for Okta providers. Set to `true if **authentication** uses an Okta provider. See the [Configure Okta](../../../integration-guide/network-configuration/configure-okta)topic for additional information. |
+ | Scope optional | String | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). |
+
+**Example**
+
+The following example configures an OAuth-based **authentication** provider identified as OAuthContoso_Washington in the configuration file.
+
+It will be displayed as Contoso OAuth Washington in the UI external login prompt, and uniquely identified within Identity Manager by the **authentication** scheme contoso_0987.
+
+Identity Manager Server marks received claims using [https://accounts.google.com](https://accounts.google.com) as a claim issuer identifier.
+
+/signin-oauth has been chosen as CallbackPath and set up as such in the OAuth provider's portal during Identity Manager's registration.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ "**authentication**":
+ {
+ ...
+ "OAuth": {
+ "Enabled": "",
+ "OAuthContoso_Washington": {
+ "AuthenticationScheme": "",
+ "DisplayName": "",
+ "ClientId": "<6779ef20e75817b79602>",
+ "ClientSecret": "<5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0>",
+ "ClaimsIssuer": "",
+ "AuthorizationEndpoint": "",
+ "TokenEndpoint": "",
+ "CallbackPath": "",
+ "Scopes": ["", ""]
+ }
+ }
+ }
+}
+```
+
+## Set Up a WS-Federation Provider
+
+One or several WS-Federation **authentication** providers can be set up under the **authentication** > WsFederation subsection. Examples of WS-Federation providers include Active Directory Federation Services (ADFS) and Microsoft Entra ID (AAD).
+
+**Multiple providers**
+
+One or several WS-Federation **authentication** providers can be set up.
+
+**Registration process**
+
+Using a WS-Federation **authentication** requires Identity ManagerServer to be registered to the provider. A Wtrealm value is set up during the registration process. The value can be generated by the provider, or set manually as a URL-shaped string value. This allows Identity Manager to identify itself to the **authentication** provider. Here are two examples of registration process:
+
+- with an
+[Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#active-directory-federation-services) provider
+- with an
+[Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) provider
+
+**Callback URL**
+
+The target WS-Federation provider needs to be aware of the URI where to send the **authentication** token if the **authentication** succeeds. Depending on the provider, it is called a callback URL, a callback path, an **Authorization** callback URL, or a redirect URI.
+
+During the registration process, the provider will ask for the URL.
+
+Identity Manager's callback URL for WS-Federation is ``/signin-wsfed where `` is the address of your Identity Manager Server such as https://identitymanager.contoso.com.
+
+**Encryption algorithm**
+
+The nature of the encryption algorithm used for exchanging the sign-in key with the provider is automatically negotiated between Identity Manager Server and the **authentication** server. The most secure algorithm that both systems support is chosen.
+
+### Configuration
+
+First, the WS-Federation must be enabled under the **authentication** > WsFederation section:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled required | Boolean | Enables or disables the **WS-Federation** **authentication**. |
+
+Then, users must create a new subsection per **WS-Federation** provider. They are free to choose any section name. Its sole purpose is for users to find the **authentication** method in the configuration files.
+
+Each section is configured with the following settings:
+
+ | Name | Description |
+ | --- | --- |
+ | MetadataAddress required | Identifies, for Identity Manager, the target **WS-Federation** server's metadata. This information is to be retrieved from the app registration process or directly from the **WS-Federation** provider. The value commonly ends with the path `/`FederationMetadata/2007-06/FederationMetadata.xml. - For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is https://``/federationmetadata/2007-06/federationmetadata.xml with `` the name of your ADFS server such portal.contoso.com. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), it is also known as **Federation Metadata Document**. It is available in Identity Manager's registered app _blade_, in the _endpoint_ panel, _Federation Metadata Document_ value. It looks like https://bbd35166-7c13-49f3-8041-9551f2847b69/FederationMetadata/2007-06/FederationMetadata.xml with bbd35166-7c13-49f3-8041-9551f2847b69 Microsoft Entra ID tenant id. |
+ | Wtrealm required | Identifies the Identity Manager app within the **WS-Federation** provider. This information is available directly at the **authentication** provider's portal. It is chosen during the registration process. - For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is the value set as the relying party WS-Federation Passive protocol URL parameter during the [registration](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#registration) of Identity Manager to the ADFS server. It usually looks like an URL such as https://portal.contoso.com. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), this is the Application ID URI. It is available from Identity Manager's registered app blade > Expose an API > APP ID URI. It has been either chosen by the user or generated by the [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/**authentication**/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) provider during the Expose an API > set > save step of the registration. Generated values look like api://bbd35166-7c13-49f3-8041-9551f2847b69. |
+ | DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the **authentication** method. |
+ | AuthenticationScheme required | Is the unique identifier of this **authentication** method within Identity Manager. Any string value can be used, unique among all **authentication** methods. |
+
+**Example**
+
+This example configures a WS-Federation-based **authentication** provider identified as WsFederationContoso_LA in the configuration file.
+
+Within Identity Manager, it will be identified with the **authentication** scheme WsFederationAAD.
+
+It will be displayed as _Connection Microsoft Entra ID with WS-Federation protocol_ in the UI external login prompt.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ "**authentication**":
+ {
+ ...
+ "WsFederation": {
+ "Enabled": "",
+ "WsFederationContoso_LA": {
+ "AuthenticationScheme": "",
+ "DisplayName": "",
+ "MetadataAddress": "",
+ "Wtrealm": ""
+ }
+ }
+ }
+}
+```
+
+## Set Up SAML2 **authentication**
+
+One or several **SAML2** **authentication** providers can be set up under the **authentication** > SAML2 section.
+
+Identity Manager does not provide a signature for SAML2 **authentication**.
+
+**Multiple providers**
+
+One or several **SAML2** **authentication** providers can be set up.
+
+**Registration process**
+
+Using a **SAML2** **authentication** requires Identity Manager Server to be registered to the provider. An **Entity ID URI** value is set up for Identity Manager during the registration process. It is used as the prefix for scopes and as the value of the audience claim in access tokens. The value can be generated by the provider, or set manually as a URL-shaped string value. This allows Identity Manager to identify itself to the **authentication** provider.
+
+**Reply URL**
+
+The target **SAML2** provider needs to be aware of the URI where to send the **authentication** token if the **authentication** succeeds. This URI is called **Reply URL** or **Assertion Consumer Service (ACS) URL**.
+
+During the registration process, the provider will ask for the URL.
+
+Identity Manager's **Reply URL** for **SAML2** is ``/Saml2/Acs where `` is the address of your Identity Manager Server such as https://identitymanager.contoso.com.
+
+Make sure to enter this exact URL which is treated case sensitively.
+
+**Configuration**
+
+First, the SAML2 method must be enabled under the **authentication** > SAML2 section.
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled required | Boolean | Enables or disables SAML2 **authentication**. |
+
+Then, users must create a new subsection per SAML2 provider. Users are free to choose any section name. Its sole purpose is for users to find the **authentication** method in the configuration files.
+
+Each section is configured with the following settings:
+
+ | Name | Description |
+ | --- | --- |
+ | MetaDataLocation required | Identifies, for Identity Manager, the target SAML2 server's metadata. This information is to be retrieved from the app registration process or directly from the SAML2 provider. The value commonly ends with the path /FederationMetadata/2007-06/FederationMetadata.xml. |
+ | IdentityProviderEntityID required | Is the Identity Provider Issuer (also known as provider Entity ID) that identifies the provider to Identity Manager. This information is to be retrieved from the provider's portal. For Microsoft Entra ID, it is the first line of metadata file. |
+ | DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the **authentication** method. |
+ | EntityIdAppliUriID required | Is Identity Manager's Entity ID issued during the registration process. Also referred to as an Identifier URI. For Microsoft Entra ID, it is set during the Expose an API > set > save step of the registration. Generated values look like api://bbd35166-7c13-49f3-8041-9551f2847b69. |
+ | NameIdFormat optional | Is the requested format of the subject's name identifier. |
+ | MinIncomingSigningAlgorithm optional | Is minimal signing algorithm to validate SAML2 response. |
+ | EncryptionCertificate optional | Sets the location of the public key certificate and the private key used to handle input and output files encryption. **NOTE:** This is required to enable logout. |
+
+> This example configures a SAML2-based **authentication** provider identified as SAMLConnection in the
+> configuration file.
+>
+> It will be displayed as Connection Azure ActiveDirectory with SAML2 protocol in the UI external
+> login prompt.
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```json
+> {
+> "**authentication**":
+> {
+> ...
+> "SAML2": {
+> "Enabled": true,
+> "SAMLConnection": {
+> "DisplayName": "",
+> "EntityIdAppliUriID": "",
+> "MetaDataLocation": "",
+> "": "",
+> "EncryptionCertificate": {
+> ...
+> }
+> }
+> }
+> }
+> }
+> ```
+
+### Encryption Certificate
+
+This information can be set one of two ways:
+
+- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive
+(also called [Personal ](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files)Information Exchange file or `.pfx` file) stored in the Agent's host file system. The archive contains both the public key certificate and the private key.
+- As a certificate from a Windows'
+[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate and the private key.
+
+:::tip
+ Remember, Netwrix recommends using Windows' certificate store.
+:::
+On the other hand, the PFX file takes priority over Windows' certificate, which means that when `File` is specified then the PFX certificate is used, even if the options for Windows' certificate are specified too.
+
+In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded.
+
+:::tip
+ Remember, the AzureKeyVault section is mandatory when using CertificateAzureKeyVault. Identity Manager server loads the encryption certificate from Azure Key Vault only if the AzureKeyVault and EncryptionCertificate are defined at the same level in the configuration file.
+:::
+#### As a PFX file
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ ...
+ "EncryptionCertificate": {
+ "File": "",
+ "Password": ""
+ }
+}
+```
+
+The archive is set using the following attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. |
+ | Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. |
+
+Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Identity Manager-Protect-CertificatePassword tool. See the [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) topic for additional information.
+
+The archive is set using the following attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. |
+ | Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe[ ](../../../integration-guide/executables/references/protect-certificatepassword)tool. |
+
+#### As a Certificate in the Windows Store
+
+For example:
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ ...
+ "EncryptionCertificate": {
+ "DistinguishedName":"",
+ "StoreLocation": "",
+ "StoreName": ""
+ }
+}
+```
+
+The Windows certificate is set using these attributes:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. **NOTE:** This is required when Thumbprint is not specified. |
+ | Thumbprint (optional) | String | Thumbprint of the store certificate. **NOTE:** This is required when DistinguishedName is not specified. |
+ | StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. |
+ | StoreName (required) | String | Name of the relevant Windows certificate store. |
+
+##### Using Azure Key Vault
+
+If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the Vault connection. See the [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) topic for additional information.
+
+:::tip
+ Remember, the AzureKeyVault section is mandatory when using CertificateAzureKeyVault. Identity Manager server loads the encryption certificate from Azure Key Vault only if the AzureKeyVault and EncryptionCertificate are defined at the same level in the configuration file.
+:::
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ "**authentication**": {
+ ...
+ "SAML2": {
+ "Enabled": true,
+ "": {
+ ...
+ "AzureKeyVault": {
+ "Vault": "",
+ "ConnectionString": "..."
+ },
+ "EncryptionCertificate": {
+ "CertificateAzureKeyVault": ""
+ }
+ }
+ }
+ }
+}
+```
+
+## Set Up Internal Methods
+
+When Internal Methods is enabled, the end-user is prompted via a form to input a login and a password. The login to be used is defined within the applicative configuration's Select User By Identity Query Handler Setting element. See the [Various XML Settings](../../../integration-guide/network-configuration/settings) topic for additional information.
+
+First, the AllowLocalLogin parameter needs to be set to true in the **authentication** section.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+"<**authentication**>":{
+ "AllowLocalLogin":true
+}
+```
+
+Then, **Active Directory User Store** or Test User Store can be enabled.
+
+### **Active Directory User Store**
+
+The **Active Directory User Store** allows users to authenticate with a login and password that will be compared against the Active Directory content.
+
+Several forests can be set up as identity providers for **authentication**. This allows, for example, the **authentication** of users that belong to different **Active Directory forests**.
+
+It is configured under the **authentication** > ActiveDirectoryUserStore section.
+
+First, the ActiveDirectoryUserStore must be enabled.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+"<**authentication**>":{
+ "AllowLocalLogin":true,
+ "ActiveDirectoryUserStore": {
+ "Enabled": true
+ ...
+ }
+}
+```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled required | Boolean | True to enable **authentication** via the **Active Directory User Store**. |
+
+In the same section, several **authentication** providers can be defined, each one based on an Active Directory **forest**.
+
+For each **forest**, a new section is added under ActiveDirectoryUserStore. Any name may be chosen for the **forest** section as long as it is unique. Two **forest** sections can't be identical though.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+"": {
+ "Enabled": true,
+ "Forest1": {
+ "AuthenticationScheme": "<...>",
+ "Server": "<...>",
+ ...
+ }
+}
+```
+
+Under the new **forest** section, the following parameters are used to configure the **authentication** method.
+
+> The following example sets a single **authentication** method, based on the Forest1 **forest**. The domain
+> controller is located at 127.168.0.1. If the user enters the login MyLogin, the resulting logon
+> will be CONTOSO\paris\MyLogin. The Postfix won't be used as a Prefix is already provided.
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```json
+> "": {
+> "Enabled": true,
+> "Forest1": {
+> "AuthenticationScheme": "",
+> "Server": "<127.168.0.1>",
+> "Domain": "",
+> "Prefix": "",
+> "Postfix": ""
+> }
+> }
+> ```
+>
+> In the following example, if the user enters the login MyLogin, the resulting logon will be
+> MyLogin@Identity Manager.contoso.
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```json
+> "": {
+> "Enabled": true,
+> "Forest1": {
+> "AuthenticationScheme": "",
+> "Server": "<127.168.0.1>",
+> "Postfix": ""
+> }
+> }
+> ```
+>
+> The following example enables **authentication** via the **Active Directory User Store**, for the Forest1
+> **forest**,by checking not only the password and account activation, but also whether the password is
+> expired.
+>
+> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the
+> script in the command line.
+>
+> ```json
+> "": {
+> "Enabled": true,
+> "Forest1": {
+> "AuthenticationScheme": "",
+> "Server": "<127.168.0.1>",
+> "Domain": "",
+> "FastBind": false
+> ...
+> }
+> }
+> ```
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | AuthenticationScheme required | String | Unique identifier of this **authentication** method within Identity Manager. Any string value can be used, unique among all **authentication** methods. |
+ | Server required | String | Identification of the domain controller that runs the Active Directory Domain Service against which the **authentication** is performed. Based on [Microsoft's documentation](https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapconnection?view=dotnet-plat-ext-8.0), the format is defined either: - by a domain name - by an LDAP server name - or a dotted string representing the IP address of the LDAP server/Domain Controller (example: 98.20.33.2). Optionally, this parameter may also include a port number, separated from the host by a colon (example: 98.20.33.2:4520). |
+ | Domain optional | String | Identification of the Active Directory domain or sub-domain against which the **authentication** will be performed. It is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble Domain\login. The domain is used only if no postfix was provided. This parameter is ignored if the domain or the UPN suffix is already specified in the login. This is the case for a login that conforms to the format domain\login or login@domain.com. |
+ | FastBind default value: True | Boolean | True to check a user's credentials by verifying only the password and account activation. |
+ | NoSigning default value: true | Boolean | Enables or disables [Kerberos encryption](https://en.wikipedia.org/wiki/Kerberos_(protocol)). |
+ | Prefix optional | String | Is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble Prefix\login. The Postfix isn't used if the domain or the UPN suffix is already specified in the login. |
+ | Postfix optional | String | Is used to complete the user's login in a principal name fashion. The Postfix corresponds to the User Principal Name (UPN) suffix. The resulting logon will resemble login@Postfix. The Postfix isn't used if the domain or the UPN suffix is already specified in the login, or if the Prefix is already provided. |
+ | Ssl default value: false | Boolean | Enables or disables SSL for network communication between Identity Manager and the Active Directory. |
+
+### Test User Store
+
+A Test User Store can be set up under the **authentication** > TestUserStore section. It allows all users to authenticate with their login and the same password.
+
+:::tip
+ Remember, this should **never** be used in a production environment.
+:::
+The following parameters are available under the **authentication** > TestUserStore section:
+
+ | Name | Type | Description |
+ | --- | --- | --- |
+ | Enabled required | Boolean | Enables or disables the OpenId Connection. |
+ | Password required | String | Is the password for all users to authenticate Identity Manager. |
+
+**Example**
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+
+```json
+{
+ "**authentication**":
+ {
+ "AllowLocalLogin":true
+ ...
+ "": {
+ "Enabled": true,
+ "Password": ""
+ }
+ }
+}
+Here is an example using both `IdentityServer` and `**authentication**` sections.
+*appsettings.json*
+{
+ ...
+ "IdentityServer": {
+ "X509KeyFilePath": "<./identitymanagerContoso.pfx>",
+ "X509KeyFilePassword": ""
+ },
+ "**authentication**": {
+ "RequireHttpsMetadata": false,
+ "TestUserStore": {
+ "Enabled": "",
+ "Password": ""
+ },
+ "AllowLocalLogin": true
+ }
+ ...
+}
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/general-purpose.md b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/general-purpose.md
new file mode 100644
index 0000000000..4c65cdf746
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/general-purpose.md
@@ -0,0 +1,293 @@ +--- +title: "Application Settings" +description: "Application Settings" +sidebar_position: 10 +--- + +# Application Settings + +This section describes the settings available in the server's appsettings.json file, located in the server's working directory or in environment variables. + +JSON files can contain any additional information that you might find useful. See the example below. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +"": { +  "Url": "" +} +``` + +As Identity Manager does not know any object named Identity Manager Agent, its content will be ignored, but it can still be used to store information for human use. + +The appsettings set allows the following attributes and sections: + + | Name | Type | Description | + | --- | --- | --- | + | ApplicationUri required | String | URI of the server to use in log messages, to communicate with the server in tasks, to allow certain redirect URIs. It must be the same as the agent's appsettings.json's ApplicationUri. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       "ApplicationUri": "usercubeserver.contoso.com:5000" }` | + | EncryptionCertificate required | EncryptionCertificate | Settings to configure the encryption of specific files. | + | License | String | License key of the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       "License": "{"LicensedTo":"","ValidTo":"<20120905>","IdentityQuota":"<10000>","Signature":"<…>"}" }` | + | Agents optional | Agent List | List of agents' settings used to work on several environments. 
See the [Architecture](../../../integration-guide/architecture) topic for additional information. This way, each Agent's URI/URL is configured without altering the database. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       "Agents": {             "Local": {                   "Uri": ""             },             …       } }` | + | AppDisplay optional | AppDisplay | Settings to override the application display XML configuration. See the [App Display Setting](../../../integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting) topic for additional information. It is useful to change the application's theme and name without redeploying the whole configuration. | + | ApplicationInsights optional | ApplicationInsights | Settings to plug to and configure the [App Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | + | DataProtection optional | DataProtection | Settings to configure the encryption used for the authentication cookies and the anti-forgery tokens. The data protection can be configured to share the keys between several instances of Identity Manager's server, for example when deployed in a cluster where the servers do not have the same machine id. | + | DefaultPageSize optional | UInt | Default number of items returned when using squeries, if none specified in PageSize or in squery limit. | + | HstsPreload optionalAttribute default value: false | Boolean | Sets the preload parameter of the Strict-Transport-Security header. Preload is not part of the RFC specification, but is supported by web browsers to preload [HSTS](https://hstspreload.org/) sites on fresh install. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `
*appsettings.json*

{
  ...
  "HstsPreload":  true
}
 ` | + | InstallationDirectoryPath default value: Usercube-Server.exe | String | Path of the installation directory. It is used to read other configuration files. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …      "InstallationDirectoryPath":  "" }` | + | MailSettings optional | String | Settings to configure the email service. | + | MaxActors default value: 20 maximum value: 50 | UInt | The maximum number of recipients who will be notified of the Workflow changes and can take action. If the number of recipients is exceeding the MaxRecipients value, then the actors will have the task assigned to them but they will not receive an email notification. In order for all actors to receive an email notification the MaxRecipients should be increased as well. | + | MaxPageSize optionalAttribute | UInt | It represents the maximum number of items returned when using squeries. | + | MaxRamPercentageRoleMining optional | UInt | **On-premises installations only.** Limits memory usage for role mining operations as a percentage of available RAM (0-100). Identity Manager always estimates memory requirements before executing role mining. When this setting is greater than 0, operations are prevented if the estimated memory exceeds the specified percentage of available RAM. When not set or set to 0, no percentage-based limit is applied, though operations are still prevented if they would require more memory than total system RAM. Use this setting to prevent role mining from consuming excessive memory on shared servers. Example: `appsettings.json { … "MaxRamPercentageRoleMining": 75 }` See the [Role Mining](../../../integration-guide/role-mining#memory-limitations) topic for additional information. | + | NotUseAgent default value: false | Boolean | True to disable the use of the agent. 
See the[Architecture](../../../integration-guide/architecture) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "":  true }` | + | OpenIdClients optional | OpenIdClient List | List of hashed secrets used to override the plain-text secrets from the OpenIdClient XML configuration. See the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient) topic for additional information. This way, Identity Manager stores only hashed secrets, for security purposes. Each environment must have its own secret, distinct from the others. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "OpenIdClients": {             "Job": {                   "": ""             },             "PowerBI": {                   "": "<7b8N2NWka5alDrjM7rFqf7+xqq9LIcT5jSoQ+1Ci2V0>"             }       } }` | + | PowerBISettings optional | PowerBISettings | Settings to configure the API used by Power BI to access Identity Manager data. | + | Serilog optional | Serilog | Settings to configure the logging service, complying to the Logger properties and structure. See the [Monitoring](../../../integration-guide/monitoring) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`appsettings.json {       …     "Serilog": {             "WriteTo": ["Console"],             "MinimumLevel": {                   "Default": "Error",                   "Override": {                         "Usercube": "Information"                   }             }       } }` | + | Swagger optional | Swagger | By enabling [Swagger ](https://swagger.io/tools/swagger-ui/)you can visualize and interact with the API's resources without having any of the implementation logic in place. It is automatically generated from Identity Manager's API, with the visual documentation making it easy for back-end implementation and client-side consumption. | + | TempFolderPath default value: ../Temp | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. - PolicySimulations: directory storing the files generated by policy simulations. - ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file can be used to coordinate the API cache among clusters. - CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Identity Manager's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. This path can be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. This path can be overridden by **ResetSettings** > **PickupDirectory**. - Deployment These elements can be removed, but make sure to restart the server after doing so. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`appsettings.json {       …     "" }` | + | WorkFolderPath default value: ../Work | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Identity Manager's execution after restarting. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "" }` | + +## Swagger + +Swagger is set using the attribute below. + + | Name | Type | Description | + | --- | --- | --- | + | Enabled required | Boolean | True to enable Swagger. Example: `appsettings.json {       …     "Swagger": {         "Enabled": false       }, }` **NOTE:** We recommend setting this to false for production environments. | + +## Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive +(also called [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or .pfx file) stored in the Agent's host file system. The archive contains both the public key certificate and the private key. 
+- As a certificate from a Windows' +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate and the private key. +- _Remember,_ Netwrix recommends using Windows' certificate store. A subject name can identify +multiple certificates in the same Certificate Store since the Subject Name needs not to be unique. If there are multiple certificates identified by the subject name given in the appsettings, Identity Manager will use the first one. However it is not possible to say exactly which certificate will be loaded first. The thumprint is unique among the certificates so it can help with for the certificate identification. + +**As a PFX file** + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +{ +    ... +    "EncryptionCertificate": { +        "File": "", +        "Password": "" +     } + } +``` + +The archive is set using the following attributes: + + | Name | Type | Description | + | --- | --- | --- | + | File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | + | Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a .pfx file password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) topic for additional information. 
+ +The archive is set using the following attributes: + + | Name | Type | Description | + | --- | --- | --- | + | File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | + | Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Storing a .pfx file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. See the [Usercube-Protect-CertificatePassword](../../../integration-guide/executables/references/protect-certificatepassword) topic for additional information. | + +**As a Certificate in the Windows Store** + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + { +    ... +    "EncryptionCertificate": { +         "DistinguishedName":"", +         "StoreLocation": "", +         "StoreName": "" +     } + } +``` + +The Windows certificate is set using these attributes: + + | Name | Type | Description | + | --- | --- | --- | + | DistinguishedName optional | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. | + | Thumbprint optional | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. | + | StoreLocation required | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | + | StoreName required | String | Name of the relevant Windows certificate store. | + +**Using Azure Key Vault** + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the Vault connection. See the [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) topic for additional information. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +"": { +    "CertificateAzureKeyVault": "" +}     +``` + +**Disabling file encryption** + +The encryption of specific files can be disabled via the following attribute: + + | Name | Type | Description | + | --- | --- | --- | + | EncryptFile default value: true | Boolean | True to encrypt specific files such as logs or temporary files. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       EncryptionCertificate": {             "EncryptFile": false       } }` | + +## Mail Settings + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +{ +  ... +  "MailSettings": { +    "FromAddress": "", +    "PickupDirectory": "", +    "UseSpecifiedPickupDirectory": true, +    "UseDefaultCredentials": false, +    "SecureSocketOption": "" +  } +} +``` + +The mail settings details are: + + | Name | Type | Description | + | --- | --- | --- | + | FromAddress required | String | Email address used as sender for Identity Manager's emails. | + | AllowedDomains optional | String | List of allowed domains, separated by `;`. | + | CatchAllAddress optional | String | Email address to be used as catchAll. | + | CatchAllCCAddress optional | String | Email address to be used as CC catchAll. | + | Enabled default value: true | Boolean | True to activate Identity Manager's email services. | + | EnableSsl default value: false | Boolean | DEPRECATED: EnableSsl won't be supported in the future. Please specify a SecureSocketOption instead. To keep the same behavior as EnableSsl: True, use the setting SecureSocketOption: StartTls. True to encrypt communication with the SMTP server. To be used only when UseSpecifiedPickupDirectory is set to false. 
| + | MaxRecipients default value: 20 | String | The maximum number of recipients visible in the "To", "CC" and "BCC" fields. Any additional recipient will be deleted automatically. | + | SecureSocketOption default value: Auto | String | Specifies the encryption strategy to connect to the SMTP server. If set, this takes priority over EnableSsl. None: No SSL or TLS encryption should be used. Auto: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. SslOnConnect: The connection should use SSL or TLS encryption immediately. StartTls: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. To be used only when UseSpecifiedPickupDirectory is set to false. | + | Host optional | String | Name or IP address of the host used for SMTP transactions. It is required when UseSpecifiedPickupDirectory is set to false. | + | Password optional | String | Password to be used with the user name as credentials. | + | PickupDirectory optional | String | Path of the folder where Identity Manager will save the email messages. It is useful and required when UseSpecifiedPickupDirectory is set to true. | + | Port optional | String | Port used for SMTP transactions. It is required when Host is defined. | + | UseDefaultCredentials default value: false | Boolean | True to use in requests the default credentials instead of those from UserName and Password here. | + | UserName optional | String | User name to be used with the user name as credentials. 
| + | UseSpecifiedPickupDirectory default value: false | Boolean | True to save email messages to the folder specified in PickupDirectory instead of sending them to their recipients through the host specified in Host. Required when Host is not defined. | + +## Application Insights + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +{ +  ... +  "ApplicationInsights": { +    "InstrumentationKey": "" +  } +} +``` + +The application insights details are: + + | Name | Type | Description | + | --- | --- | --- | + | InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. See the Microsoft [Create an Application Insights resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource) article for information on creating an instrumentation key. | + +:::note + The logs sent to AppInsights are configured through the Logger properties. See the [Monitoring](../../../integration-guide/monitoring) topic for additional information. +::: +## PowerBI Settings + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +{ +  "PowerBISettings": { +    "PageSize": 500 +  }} +``` + +The PowerBI Settings details are: + + | Name | Type | Description | + | --- | --- | --- | + | PageSize default value: 1000 | Int32 | Size of the page containing the data returned by the API. | + +## Data Protection + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
+ +``` +appsettings.json +{ +  "DataProtection": { +    "KeysPath": "", +    "X509KeyFilePath": "<../identitymanager.pfx>", +    "X509KeyFilePassword": "" +  }, +}         +``` + +The Data Protection details are: + + | Name | Type | Description | + | --- | --- | --- | + | KeysPath default value: ../Work/DataProtection | String | Path of the location where the keys' descriptions are stored. | + | X509KeyFilePath optional | String | Path of the custom certificate used to protect the keys. | + | X509KeyFilePassword optional | String | Password of the custom certificate used to protect the keys. | + +## App Display + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +appsettings.json +{ +  ... +  "AppDisplay": { +    "PrimaryColor": "<#01CDE9>", +    "SecondaryColor": "<#EA6E1A>", +    "BannerColor": "<#EA6E1A>", +    "BannerTextColor": "<#ffffff>", +    "ApplicationNamePrefix": "", +    "ApplicationName": "" +  }, +  ... +}          +``` + +The App Display details are: + + | Name | Type | Description | + | --- | --- | --- | + | ApplicationName optional | String | Name of the application, visible on the application's tabs. | + | ApplicationNamePrefix optional | String | Prefix to be displayed before the application name. | + | BannerColor optional | String | HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | + | BannerTextColor optional | String | HEX code of the color for the banner's text. | + | PrimaryColor optional | String | HEX code of the color for the highlighted buttons. | + | SecondaryColor optional | String | HEX code of the color for the background of the authentication screen. | + +See the [App Display Setting](../../../integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting) topic for additional information. + 
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/index.md b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/index.md
new file mode 100644
index 0000000000..dfebebea93
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/index.md
@@ -0,0 +1,59 @@
+---
+title: "Server Configuration"
+description: "Server Configuration"
+sidebar_position: 10
+---
+
+# Server Configuration
+
+Identity Manager Server's technical configuration includes settings on end-user authentication, database connection and some general-purpose settings.
+
+## Configuration Files
+
+The Server configuration is included in the Server's appsettings set. The appsettings set content can be written to appsettings.json in the Server's working directory or to environment variables. See the [Architecture](../../../integration-guide/architecture) topic for additional information.
+
+The server appsettings supported attributes and sections are described in the following sections:
+
+- [Database Connection](../../../integration-guide/network-configuration/server-configuration/database-connection)
+- [End-User Authentication](../../../integration-guide/network-configuration/server-configuration/end-users-authentication)
+- [General-Purpose Settings](../../../integration-guide/network-configuration/server-configuration/general-purpose)
+
+## Secret and Certificate Management
+
+All the certificates and secrets present in the settings can be loaded with an Azure Key Vault.
+
+See the [Azure Key Vault](../../../integration-guide/network-configuration/agent-configuration/azure-key-vault) topic for additional information.
+
+## Default Configuration
+
+The default behavior of the server configuration is outlined through an example.
+
+Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
+ +```json +{ +        "IdentityServer": { +                // Token signing certificate stored in a file +                "X509KeyFilePath": "<./identitymanagerContoso.pfx>", +                // Optional certificate password +                "X509KeyFilePassword": "" +        }, +        "Authentication": { +                "RequireHttpsMetadata": false, +                "TestUserStore": { +                        "Enabled": "", +                        "Password": "" +                }, +                "AllowLocalLogin": true +        } + + "InstallationDirectoryPath": "", + "ConnectionString": "data source=.;Database=;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", + "ApplicationUri": "", + "EncryptionCertificate": { + "File": "<>", + "Password": "<>" + } +} +``` + diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/rsa-encryption.md b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/rsa-encryption.md new file mode 100644 index 0000000000..11353b56f4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/network-configuration/server-configuration/rsa-encryption.md 
@@ -0,0 +1,57 @@ +--- +title: "RSA Encryption" +description: "RSA Encryption" +sidebar_position: 20 +--- + +# RSA Encryption + +Identity Manager provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Netwrix Identity Manager (formerly Usercube)'s tools: + +- [Usercube-Protect-X509JsonValue](../../../integration-guide/executables/references/protect-x509jsonvalue) +to encrypt given values; +- [Usercube-Protect-X509JsonFile](../../../integration-guide/executables/references/protect-x509jsonfile) +to encrypt a whole file. + +The file encryption tool should be used only on files that contain only plain text values, not already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` file. Netwrix Identity Manager (formerly Usercube)  will read first the values from the encrypted appsettings file, before reading those from the usual non-encrypted appsettings file. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the same for the encrypted appsettings file and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted appsettings file without having to encrypt the whole file again. + +## Focus on the Encrypted Appsettings File + +The `appsettings.encrypted.json` file contains the `appsettings.json` file's sensitive setting values which are protected by RSA encryption. + +This file follows the exact same structure as the [Server Configuration](../../../integration-guide/network-configuration/server-configuration) files. + +### Read the Encrypted File + +Identity Manager can use an RSA decoding algorithm fed by a [public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted application settings. + +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See below. 
+ +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./identitymanager.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. + diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/settings.md b/docs/identitymanager/6.3/integration-guide/network-configuration/settings.md new file mode 100644 index 0000000000..366a7cf4e4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/network-configuration/settings.md 
@@ -0,0 +1,196 @@
+---
+title: "Various XML Settings"
+description: "Various XML Settings"
+sidebar_position: 60
+---
+
+# Various XML Settings
+
+This section describes Identity Manager's [Settings](../../integration-guide/toolkit/xml-configuration/metadata/settings) available in the applicative configuration. Those are mandatory.
+
+## ConfigurationVersion
+
+This setting is used to track the current configuration version.
+
+```
+****
+```
+
+- **Version** defines the configuration version.
+- **Description** describes this version in detail.
+- **Misc** misc.
+
+## AppDisplay
+
+This setting is used to customize the application display.
+
+```
+****
+```
+
+- **PrimaryColor** defines the primary color.
+- **SecondaryColor** defines the secondary color.
+- **BannerColor** defines the banner (header displaying logo and navigation bar) color.
+- **BannerTextColor** defines the banner text color.
+- **ApplicationName** defines the application name.
+- **LogoFile** defines the logo path. Concerning the logo, for an ideal result, the following ratio
+should be used: 5:1.
+- **LogoMimeType** defines the logo mime type.
+- **FaviconFile** defines the favicon path.
+- **FaviconMimeType** defines the favicon mime type.
+- **FullNameSeparator** defines the full name separator (default value is `�`).
+- **DisableProvisioningCounters** disables the counters related to the provisioning screens (**Role
+Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and **Manual Provisioning** - default value is `false`).
+
+## CustomLinks
+
+This setting enables the configuration of custom links that let the user navigate to a custom static HTML page. Only two CustomLinkSetting can be configured.
+
+The example below defines two custom links accessible through the URLs "_your-Identity Manager-domain_/LegalNotice" and "your-Identity Manager-domain/TermsOfService", each showing the content of the corresponding HTML file depending on the currently selected language.
+
+```
+
+```
+
+- **Url\_**(required)\_ defines the url address from which to access the custom page.
+- **Path*L1***(required)\_ defines the path (from the configuration root) to the HTML file to be
+rendered depending on the currently selected language in the user interface (`Path_L1` to `Path_L16` are available). Only `Path_L1` is required. While navigating to a custom link, if no HTML path was defined for the current language, then `Path_L1` is taken as default.
+
+To be displayed correctly, images should be embedded in the HTML files as Base64 images using the `src` attribute like this : ``. You can easily convert your images using this [Base64 Image Encoder](https://elmah.io/tools/base64-image-encoder/).
+
+To navigate to the custom links from the user interface, NETWRIX recommends configuring a `MenuItem` with a `URI` value matching the custom link `URL`. The following example defines two menu items, accessible from the user account tab in the top right corner of the interface, that allows the user to navigate to the defined URI addresses.
+
+```
+
+```
+
+![LCustomLinksUserMenu.webp](/images/identitymanager/customlinksusermenu_v523.webp)
+
+## DashboardItemNumber
+
+Some sections on the dashboard contain multiple links. These links are quick links with counters to the review page filtered by entity type. The links are sorted by entity type priority.
+
+![LDashboardItemNumber.webp](/images/identitymanager/dashboarditemnumber.webp)
+
+By default, 3 links are displayed. If more than 3 entity type links exist, a link "Others" is displayed with the concatenation of remaining counters.
+
+This setting is used to customize the number of links to displayed on each section.
+
+The max number of links to display is 5.
+
+```
+****
+```
+
+- **RoleReviewSection** defines the number of links to display in the "Role Review" section.
+- **ProvisioningReviewSection** defines the number of links to display in the "Provisioning Review"
+section.
+- **RoleReconciliationSection** defines the number of links to display in the "Role Reconciliation"
+section.
+- **ResourceReconciliationSection** defines the number of links to display in the "Resource
+Reconciliation" section.
+- **ManualProvisioningSection** defines the number of links to display in the "Manual Provisioning"
+section.
+- **MyTasksSection** defines the number of links to display in the "My Tasks" section.
+
+## SelectUserByIdentityQueryHandler
+
+_This attribute matches an end-user with a resource from the unified resource repository._
+
+Authorization mechanisms within Identity Manager rely on assigning [Profiles](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles) to an identity-resource that stands for the end-user digital identity.
+
+To that end, and end-user authentication credentials are linked to such an identity-resource using the following pattern:
+
+1. Authentication credentials are retrieved;
+2. Authentication credentials are trimmed using the **AfterToken** and/or **BeforeToken**
+attributes;
+3. The trimmed result is matched against the **ResourceIdentityProperty** of resources with an
+EntityType **OwnerEntityType**;
+4. The matching resource found is used to find a profile and authorization for that digital
+identity.
+
+**Attributes**
+
+- **ResourceIdentityProperty** is the identity-resource property supposed to match the
+authentication login used by the end-user.
+- **OwnerEntityType** is the entity type of the resources used to store digital identities within
+Identity Manager.
+- **BeforeToken\_**(optional)\_ defines the first character used to trim the authentication login.
+- **AfterToken\_**(optional)\_ defines the second character used to trim the authentication login.
+
+The trimmed result is the content of the authentication login between _AfterToken_ and _BeforeToken_. If _BeforeToken_ is empty, trimmed result is everything after _AfterToken_. If _AfterToken_ is empty, trimmed result is everything before _BeforeToken_.
+
+- **ResourceDisplayNameProperty** is the property used for displaying login data at the top right of
+the application.
+- **OwnerPhotoTagProperty** defines the photo property for Identity Manager users.
+
+**Example**
+
+The following example links the authentication credentials of an end-user to its matching resource of EntityType **Directory_User**.
+
+In this example, authentication has been set up using [ End-User Authentication](../../integration-guide/network-configuration/server-configuration/end-users-authentication). In that case, the login used by the end-user is in the form `DOMAIN/userName`.
+
+The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`.
+
+The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of **Directory_User** resources.
+
+The matching **Directory_User** resource is the resource that stands for the end-user identity within Identity Manager.
+
+```
+
+```
+
+## SelectPersonasByFilterQueryHander
+
+This setting is used to filter the entity type used by authentication mechanism.
+
+```
+****
+```
+
+- **ResourceDisplayNameProperty** represents the display property.
+- **OwnerPhotoTagProperty** defines the photo tag property.
+- **PersonTypeFilterProperty** defines the filter property.
+- **PersonTypeFilter** defines the filter value.
+- **MailProperty** defines the mail property.
+
+## SelectAllPerformedByAssociationQueryHandler
+
+This setting enables task delegation to a group of people.
+
+```
+****
+```
+
+- **RootEntityType** indicates the entity type on which the delegation is applied.
+- **Binding** defines the binding used to get the list of identities to delegate to.
+
+_NB: In order for delegation to work, users that are part of the delegate group must have at least one assigned profile_
+
+## Scheduling CleanDataBase
+
+If the default value for the Task CleanDataBase needs to be overridden, define this setting:
+
+```
+
+```
+
+- `Timeout`: Defines the maximum time a Job or Task can wait after the last run.
+- `CronTabExpression`: Define the cron to launch the CleanDatabase Job.
+
+#### 7. Password Generation Setting
+
+It is possible to override some aspects of the password generation (used in password reset features) using the following setting:
+
+```
+****
+```
+
+- `AllowedSymbolChars`: A string containing the list of symbol chars to be used in the generated
+password. The default value is : `!;.,?()[]-_&%$+{}@`
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/appsettings.connection.md b/docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/appsettings.connection.md
new file mode 100644
index 0000000000..dd8bc72e93
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/appsettings.connection.md
@@ -0,0 +1,18 @@
+---
+title: "appsettings.connection"
+description: "appsettings.connection"
+sidebar_position: 10
+---
+
+# appsettings.connection
+
+## Define configuration through UI
+
+On some configuration screens, such as the connector screen, it is possible to define some of the [Agent Configuration](../../../integration-guide/network-configuration/agent-configuration). This configuration is stored in the **appsettings.connection.json** file, located inside the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) work folder.
+
+The **appsettings.connection.json** file has the exact same structure as the other [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) file.
+
+This configuration file has the highest priority among others agent's configuration sources . See the [Agent Configuration](../../../integration-guide/network-configuration/agent-configuration) topic for additional information.
+
+You should not modify this file manually.
+
diff --git a/docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/index.md b/docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/index.md
new file mode 100644
index 0000000000..5a8819ddb3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/network-configuration/technical-files/index.md
@@ -0,0 +1,12 @@
+---
+title: "Technical Files"
+description: "Technical Files"
+sidebar_position: 40
+---
+
+# Technical Files
+
+This section gathers information relative to the technical files that Identity Manager could use or generate in its lifecycle.
+
+- [appsettings.connection](../../../integration-guide/network-configuration/technical-files/appsettings.connection)
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/custom.md b/docs/identitymanager/6.3/integration-guide/notifications/custom.md
new file mode 100644
index 0000000000..c8da9087bf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/custom.md
@@ -0,0 +1,29 @@
+---
+title: "Custom Notifications"
+description: "Custom Notifications"
+sidebar_position: 20
+---
+
+# Custom Notifications
+
+Custom notifications can be configured for specific needs, to be triggered by a workflow, or periodically via a task.
+
+## Workflow-Triggered Notifications
+
+A notification can be configured to be sent to one or several users right after the execution of a given activity in [Workflows](../../integration-guide/workflows).
+
+> For example, when a user is created in Identity Manager through a workflow, a notification can be
+> sent to the user's manager. A notification can also be sent when someone must process an action
+> for a workflow to continue.
+
+The configuration is made through the XML tag [Notification Aspect](../../integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect).
+
+## Periodic Notifications
+
+A notification can be configured to be sent to a given user on a regular basis at specified times, through the [Send Notifications Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask) as part of a job.
+
+> For example, a notification can be sent automatically to remind a manager that someone arrives in
+> their team a month before the arrival, and again a week before.
+
+The configuration is made through the XML tag [Notification](../../integration-guide/toolkit/xml-configuration/notifications/notification).
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/how-tos/customize-native-notification.md b/docs/identitymanager/6.3/integration-guide/notifications/how-tos/customize-native-notification.md
new file mode 100644
index 0000000000..4c87920cfc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/how-tos/customize-native-notification.md
@@ -0,0 +1,40 @@
+# Customize a Native Notification
+
+This guide shows how to set a template other than the default one for native notifications.
+
+## Overview
+
+Identity Manager natively sends notifications for usual cases. See the [Native Notifications](../../../integration-guide/notifications/native) topic for additional information.
+
+These native notifications are based on cshtml templates available inside the `Runtime` folder. If the provided templates do not meet your exact needs, then they can be replaced by personalized templates.
+
+## Customize a Native Notification
+
+Customize a native notification by proceeding as follows:
+
+1. Among the
+[Notification Template](../../../integration-guide/toolkit/xml-configuration/notifications/notificationtemplate), get the identifier of the notification whose templates are to be replaced.
+
+ > For example, to customize the notification for one-way password reset: `OneWayPasswordReset`.
+
+2. In `Runtime/NotificationTemplates`, copy to the configuration folder the cshtml template(s)
+associated to the notification that need to be overridden.
+
+ > For example, we can copy the template for the email's body but keep the provided template for
+ > the subject. Then we have: `Conf/Templates/MyOneWayPasswordReset.cshtml`.
+>
+ > Let's say that we also need to customize the email's subject in French which is the language
+ > 2: `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml`
+
+3. Customize the template(s) previously copied to the configuration folder.
+4. Configure an XML element
+[Notification Template](../../../integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) with the identifier collected at step 1, and the relative path(s) to the customized template(s).
+
+ > For example:
+>
+ > ```
+>
+ >
+>
+ > ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/how-tos/set-language.md b/docs/identitymanager/6.3/integration-guide/notifications/how-tos/set-language.md
new file mode 100644
index 0000000000..4f7bae0f64
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/how-tos/set-language.md
@@ -0,0 +1,46 @@
+# Set Notifications' Languages
+
+This guide shows how to set the language for all notifications.
+
+## Overview
+
+Identity Manager sends all kinds of notification emails whose language is by default the language specified in the configuration as the first language.
+
+The language can also be configured explicitly with a language code. If this language code is not defined, then notifications use the first language.
+
+## Set the First Language
+
+Set the first language for the whole application by proceeding as follows:
+
+1. In the XML configuration, create a `Language` with `IndicatorNumber` set to `1`. See the
+[Language](../../../integration-guide/toolkit/xml-configuration/metadata/language) topic for additional information.
+
+ > For example, to set English as the first language:
+>
+ > ```
+>
+ > IndicatorNumber="1" />
+>
+ > ```
+
+2. Deploy the configuration and relaunch the server.
+
+## Set the Language Explicitly
+
+Set the language explicitly for server-side-task notifications by proceeding as follows:
+
+1. In the XML configuration, configure `MailSetting` with a `LanguageCode`See the
+[Mail Setting](../../../integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting) topic for additional information.
+
+ > For example, to set the language to English:
+>
+ > ```
+>
+ > LanguageCode="en-US" />
+>
+ > ```
+
+When `LanguageCode` is not defined, then the language of notifications will be the first language, i.e. the one specified with `Indicator` set to `1`.
+
+2. Deploy the configuration and relaunch the server.
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/index.md b/docs/identitymanager/6.3/integration-guide/notifications/index.md
new file mode 100644
index 0000000000..60c88e896f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/index.md
@@ -0,0 +1,14 @@
+---
+title: "Notifications"
+description: "Notifications"
+sidebar_position: 130
+---
+
+# Notifications
+
+Identity Manager is able to send notification emails when an action is expected, or a job ends with an error.
+
+Identity Manager provides [Native Notifications](../../integration-guide/notifications/native) for usual cases, for example provisioning review, resource reconciliation, and role reconciliation.
+
+[Custom Notifications](../../integration-guide/notifications/custom) can be configured for specific needs, to be triggered by a workflow, or periodically via a task.
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/access-certification.md b/docs/identitymanager/6.3/integration-guide/notifications/native/access-certification.md
new file mode 100644
index 0000000000..77a9928877
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/access-certification.md
@@ -0,0 +1,9 @@
+---
+title: "Access Certification"
+description: "Access Certification"
+sidebar_position: 20
+---
+
+# Access Certification
+
+The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/customize-native-notification.md b/docs/identitymanager/6.3/integration-guide/notifications/native/customize-native-notification.md
new file mode 100644
index 0000000000..11fd9e0dcb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/customize-native-notification.md
@@ -0,0 +1,46 @@
+---
+title: "Customize a Native Notification"
+description: "Customize a Native Notification"
+sidebar_position: 70
+---
+
+# Customize a Native Notification
+
+This guide shows how to set a template other than the default one for native notifications.
+
+## Overview
+
+Identity Manager natively sends notifications for usual cases. See the [Native Notifications](../../../integration-guide/notifications/native) topic for additional information.
+
+These native notifications are based on cshtml templates available inside the `Runtime` folder. If the provided templates do not meet your exact needs, then they can be replaced by personalized templates.
+
+## Customize a Native Notification
+
+Customize a native notification by proceeding as follows:
+
+1. Among the
+[Notification Template](../../../integration-guide/toolkit/xml-configuration/notifications/notificationtemplate), get the identifier of the notification whose templates are to be replaced. See the [Notification Template](../../../integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) topic for additional information.
+
+ > For example, to customize the notification for one-way password reset: `OneWayPasswordReset`.
+
+2. In `Runtime/NotificationTemplates`, copy to the configuration folder the cshtml template(s)
+associated to the notification that need to be overridden.
+
+ > For example, we can copy the template for the email's body but keep the provided template for
+ > the subject. Then we have: `Conf/Templates/MyOneWayPasswordReset.cshtml`.
+>
+ > Let's say that we also need to customize the email's subject in French which is the language
+ > 2: `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml`
+
+3. Customize the template(s) previously copied to the configuration folder.
+4.
Configure an XML element
+[Notification Template](../../../integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) with the identifier collected at step 1, and the relative path(s) to the customized template(s).
+
+ > For example:
+>
+ > ```
+>
+ >
+>
+ > ```
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/errored-jobs.md b/docs/identitymanager/6.3/integration-guide/notifications/native/errored-jobs.md
new file mode 100644
index 0000000000..8fe96622cf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/errored-jobs.md
@@ -0,0 +1,12 @@
+---
+title: "Jobs with Errors"
+description: "Jobs with Errors"
+sidebar_position: 60
+---
+
+# Jobs with Errors
+
+Identity Manager is able to send notification emails when a job ends with an error. The notification email is sent to the user who has the necessary rights and the permission.
+
+See the [Native Notifications](../../../integration-guide/notifications/native) and [Profiles & Permissions](../../profiles-permissions) topics for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/index.md b/docs/identitymanager/6.3/integration-guide/notifications/native/index.md
new file mode 100644
index 0000000000..0f60576c3a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/index.md
@@ -0,0 +1,35 @@
+---
+title: "Native Notifications"
+description: "Native Notifications"
+sidebar_position: 10
+---
+
+# Native Notifications
+
+Identity Manager provides native notifications for usual cases, for example role review, provisioning review, access certification, manual provisioning, etc.
+
+## Overview
+
+Identity Manager natively sends notifications for:
+
+- Password reset to the users whose passwords are reset;
+- Access certification to the users selected as reviewers;
+- [Manual Provisioning](../../../integration-guide/notifications/native/manual-provisioning), provisioning review and role review to the
+users who own a profile with the permissions to perform the corresponding actions;
+- Jobs that finished in state completed/errored/aborted/blocked/warning to the users who own a
+profile with the corresponding permissions.
+
+Concerning the notifications sent via permissions: In order to receive the notifications, a profile must have the full permission path. Having a (great-)parent permission will not enable notifications for all child entities.
+
+For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a profile to perform manual provisioning with Directory_User as the source entity type, and receive the corresponding notifications. On the contrary, the permission `/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for all entity types, but not receive the corresponding notifications.
+
+See the [References: Permissions](../../profiles-permissions/permissions) topic for additional information.
+
+Each permission can be configured in an [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) so that the corresponding notification is disabled.
+
+All notifications are built based on cshtml templates. The templates for native notifications can be found in `/Runtime/NotificationTemplates`.
+
+The templates for native notifications can be adjusted to specific needs through the XML tag [Notification Template](../../../integration-guide/toolkit/xml-configuration/notifications/notificationtemplate).
+
+See the [Customize a Native Notification](../../../integration-guide/notifications/native/customize-native-notification) for additional information on how to customize native notifications.
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/manual-provisioning.md b/docs/identitymanager/6.3/integration-guide/notifications/native/manual-provisioning.md
new file mode 100644
index 0000000000..d50d63e44f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/manual-provisioning.md
@@ -0,0 +1,25 @@
+---
+title: "Manual Provisioning"
+description: "Manual Provisioning"
+sidebar_position: 30
+---
+
+# Manual Provisioning
+
+Identity Manager natively sends notifications concerning manual provisioning.
+
+## Overview
+
+### Notification Trigger
+
+The notifications are sent after a `FulfillTask` with a connection based on the [Manual Ticket](../../../integration-guide/connectors/references-packages/manual-ticket) package.
+
+### Notification Recipients
+
+The notifications are sent to the users who own a profile with the following permission: `/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}` where `{entityType_identifier}` is the **source** entity type. :::note
+ In order to receive the notifications, a profile must have the full permission path. Having a (great-)parent permission will not enable notifications for all child entities.
+
+For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a profile to perform manual provisioning with `Directory_User` as the **source** entity type, **and receive the corresponding notifications**. On the contrary, the permission `/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for all entity types, **but not receive the corresponding notifications**.
+:::
+The permission can be configured in an [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) so that notifications are disabled.
+
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/password-reset.md b/docs/identitymanager/6.3/integration-guide/notifications/native/password-reset.md
new file mode 100644
index 0000000000..4c2d6970e8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/password-reset.md
@@ -0,0 +1,9 @@
+---
+title: "Password Reset"
+description: "Password Reset"
+sidebar_position: 10
+---
+
+# Password Reset
+
+The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/provisioning-review.md b/docs/identitymanager/6.3/integration-guide/notifications/native/provisioning-review.md
new file mode 100644
index 0000000000..39c1351ab4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/provisioning-review.md
@@ -0,0 +1,9 @@
+---
+title: "Provisioning Review"
+description: "Provisioning Review"
+sidebar_position: 40
+---
+
+# Provisioning Review
+
+The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/native/role-review.md b/docs/identitymanager/6.3/integration-guide/notifications/native/role-review.md
new file mode 100644
index 0000000000..43fa7fae4d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/native/role-review.md
@@ -0,0 +1,9 @@
+---
+title: "Role Review"
+description: "Role Review"
+sidebar_position: 50
+---
+
+# Role Review
+
+The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/6.3/integration-guide/notifications/set-language.md b/docs/identitymanager/6.3/integration-guide/notifications/set-language.md
new file mode 100644
index 0000000000..9dac7d2810
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/notifications/set-language.md
@@ -0,0 +1,52 @@
+---
+title: "Set Notifications' Languages"
+description: "Set Notifications' Languages"
+sidebar_position: 30
+---
+
+# Set Notifications' Languages
+
+This guide shows how to set the language for all notifications.
+
+## Overview
+
+Identity Manager sends all kinds of notification emails whose language is by default the language specified in the configuration as the first language.
+
+The language can also be configured explicitly with a language code. If this language code is not defined, then notifications use the first language.
+
+## Set the First Language
+
+Set the first language for the whole application by proceeding as follows:
+
+1. In the XML configuration, create a `Language` with `IndicatorNumber` set to `1`. See the
+[Language](../../integration-guide/toolkit/xml-configuration/metadata/language) topic for additional information.
+
+ > For example, to set English as the first language:
+>
+ > ```
+>
+ >
+>
+ > ```
+
+2. Deploy the configuration and relaunch the server.
+
+## Set the Language Explicitly
+
+Set the language explicitly for server-side-task notifications by proceeding as follows:
+
+1. In the XML configuration, configure `MailSetting` with a `LanguageCode`See the
+[Mail Setting](../../integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting) topic for additional information.
+
+ > For example, to set the language to English:
+>
+ > ```
+>
+ >
+>
+ > ```
+
+When `LanguageCode` is not defined, then the language of notifications will be the first language, i.e. the one specified with `Indicator` set to `1`.
+
+2. Deploy the configuration and relaunch the server.
+
diff --git a/docs/identitymanager/6.3/integration-guide/profiles-permissions/create-assign-profiles/index.md b/docs/identitymanager/6.3/integration-guide/profiles-permissions/create-assign-profiles/index.md
new file mode 100644
index 0000000000..56f958b68c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/profiles-permissions/create-assign-profiles/index.md 
@@ -0,0 +1,65 @@ +--- +title: "Create and Assign Profiles" +description: "Create and Assign Profiles" +sidebar_position: 20 +--- + +# Create and Assign Profiles + +This guide shows how to create in the XML configuration profiles and the appropriate rules to assign +these profiles automatically. + +## Create a Profile + +Here is the xml configuration to create a profile in Identity Manager. See the +[Profile](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profile.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Automatically Assign Profiles + +To automatically assign profiles it is necessary to manipulate the ProfileRuleContext and +ProfileRule. See the +[Access Control Rule](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md) +and +[Profile Rule Context](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext.md) +topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +## Configure the Set InternalUserProfiles Task + +The Identity Manager-Set-InternalUserProfiles task is mandatory to automatically assign the profile. +The task can be selected from the Job provisioning list. See the +[Set Internal User Profiles Task](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +           +``` + +Here the TaskEntityType is the reference to connect to Identity Manager and the ResourceType is the +same as in the ProfileRuleContext. 
Once this configuration is done you can add the task in the job +which provisions the Connector AD. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +                     +``` diff --git a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/index.md b/docs/identitymanager/6.3/integration-guide/profiles-permissions/index.md similarity index 100% rename from docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/index.md rename to docs/identitymanager/6.3/integration-guide/profiles-permissions/index.md diff --git a/docs/identitymanager/6.3/integration-guide/profiles-permissions/permissions/index.md b/docs/identitymanager/6.3/integration-guide/profiles-permissions/permissions/index.md new file mode 100644 index 0000000000..6638964c6c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/profiles-permissions/permissions/index.md 
@@ -0,0 +1,1997 @@
+---
+title: "References: Permissions"
+description: "References: Permissions"
+sidebar_position: 10
+---
+
+# References: Permissions
+
+Here is a list of permissions required for different user profiles:
+
+- /AccessCertification/AccessCertificationCampaign/Create
+
+ Permission to create objects of type AccessCertificationCampaign.
+
+- /AccessCertification/AccessCertificationCampaign/Delete
+
+ Permission to delete objects of type AccessCertificationCampaign.
+
+- /AccessCertification/AccessCertificationCampaign/Process
+
+ Permission to process AccessCertificationCampaign decisions.
+
+- /AccessCertification/AccessCertificationCampaign/Query
+
+ Permission to query and read objects of type AccessCertificationCampaign.
+
+- /AccessCertification/AccessCertificationCampaign/Update
+
+ Permission to update objects of type AccessCertificationCampaign.
+
+- /AccessCertification/AccessCertificationCampaignPolicy/Query
+
+ Permission to query and read objects of type AccessCertificationCampaignPolicy.
+
+- /AccessControl/AccessControlEntry/Create
+
+ Permission to create objects of type AccessControlEntry.
+
+- /AccessControl/AccessControlEntry/Delete
+
+ Permission to delete objects of type AccessControlEntry.
+
+- /AccessControl/AccessControlEntry/Query
+
+ Permission to query and read objects of type AccessControlEntry.
+
+- /AccessControl/AccessControlEntry/Update
+
+ Permission to update objects of type AccessControlEntry.
+
+- /AccessControl/AccessControlFilter/Create
+
+ Permission to create objects of type AccessControlFilter.
+
+- /AccessControl/AccessControlFilter/Delete
+
+ Permission to delete objects of type AccessControlFilter.
+
+- /AccessControl/AccessControlFilter/Query
+
+ Permission to query and read objects of type AccessControlFilter.
+
+- /AccessControl/AccessControlFilter/Update
+
+ Permission to update objects of type AccessControlFilter.
+
+- /AccessControl/AccessControlPermission/Query
+
+ Permission to query and read objects of type AccessControlPermission.
+
+- /AccessControl/AccessControlRule/Create
+
+ Permission to create objects of type AccessControlRule.
+
+- /AccessControl/AccessControlRule/Delete
+
+**Permission to delete objects of type AccessControlRule**
+
+- /AccessControl/AccessControlRule/Query
+
+ Permission to query and read objects of type AccessControlRule.
+
+- /AccessControl/AccessControlRule/Update
+
+ Permission to update objects of type AccessControlRule.
+
+- /AccessControl/AssignedProfile/Create
+
+ Permission to create objects of type AssignedProfile.
+
+- /AccessControl/AssignedProfile/Delete
+
+ Permission to delete objects of type AssignedProfile.
+
+- /AccessControl/AssignedProfile/Query
+
+ Permission to query and read objects of type AssignedProfile.
+
+- /AccessControl/AssignedProfile/Update
+
+ Permission to update objects of type AssignedProfile.
+
+- /AccessControl/OpenIdClient/Create
+
+ Permission to create objects of type OpenIdClient.
+
+- /AccessControl/OpenIdClient/Delete
+
+ Permission to delete objects of type OpenIdClient.
+
+- /AccessControl/OpenIdClient/Query
+
+ Permission to query and read objects of type OpenIdClient.
+
+- /AccessControl/OpenIdClient/Update
+
+ Permission to update objects of type OpenIdClient.
+
+- /AccessControl/Profile/Create
+
+ Permission to create objects of type Profile.
+
+- /AccessControl/Profile/Delete
+
+ Permission to delete objects of type Profile.
+
+- /AccessControl/Profile/Query
+
+ Permission to query and read objects of type Profile.
+
+- /AccessControl/Profile/Update
+
+ Permission to update objects of type Profile.
+
+- /AccessControl/ProfileRuleContext/Query
+
+ Permission to query and read objects of type ProfileRuleContext.
+
+- /Connectors/Agent/Create
+
+ Permission to create objects of type Agent.
+
+- /Connectors/Agent/Delete
+
+ Permission to delete objects of type Agent.
+
+- /Connectors/Agent/Query
+
+ Permission to query and read objects of type Agent.
+
+- /Connectors/Agent/Update
+
+ Permission to update objects of type Agent.
+
+- /Connectors/Connection/Create
+
+ Permission to create objects of type Connection.
+
+- /Connectors/Connection/Delete
+
+ Permission to delete objects of type Connection.
+
+- /Connectors/Connection/Query
+
+ Permission to query and read objects of type Connection.
+
+- /Connectors/Connection/Update
+
+ Permission to update objects of type Connection.
+
+- /Connectors/ConnectionColumn/Query
+
+ Permission to query and read objects of type ConnectionColumn.
+
+- /Connectors/ConnectionPackage/Query
+
+ Permission to query and read objects of type ConnectionPackage.
+
+- /Connectors/ConnectionTable/Query
+
+ Permission to query and read objects of type ConnectionTable.
+
+- /Connectors/Connector/Create
+
+ Permission to create objects of type Connector.
+
+- /Connectors/Connector/Delete
+
+ Permission to delete objects of type Connector.
+
+- /Connectors/Connector/Query
+
+ Permission to query and read objects of type Connector.
+
+- /Connectors/Connector/Update
+
+ Permission to delete objects of type EntityAssociationMapping.
+
+- /Connectors/EntityAssociationMapping/Create
+
+**Permission to create objects of type EntityAssociationMapping**
+
+- /Connectors/EntityAssociationMapping/Delete
+
+**Permission to delete objects of type EntityAssociationMapping**
+
+- /Connectors/EntityAssociationMapping/Query
+- Permission to query and read objects of type EntityAssociationMapping.
+- /Connectors/EntityAssociationMapping/Update
+
+ Permission to update objects of type EntityAssociationMapping.
+
+- /Connectors/EntityPropertyMapping/Create
+
+ Permission to create objects of type EntityPropertyMapping.
+
+- /Connectors/EntityPropertyMapping/Delete
+
+ Permission to delete objects of type EntityPropertyMapping.
+
+- /Connectors/EntityPropertyMapping/Query
+
+ Permission to query and read objects of type EntityPropertyMapping.
+
+- /Connectors/EntityPropertyMapping/Update
+
+**Permission to update objects of type EntityPropertyMapping**
+
+- /Connectors/EntityTypeMapping/Create
+
+**Permission to create objects of type EntityTypeMapping**
+
+- /Connectors/EntityTypeMapping/Delete
+
+**Permission to delete objects of type EntityTypeMapping**
+
+- /Connectors/EntityTypeMapping/Query
+
+ Permission to query and read objects of type EntityTypeMapping
+
+- /Connectors/EntityTypeMapping/Update
+
+**Permission to update objects of type EntityTypeMapping**
+
+- /Connectors/EntityTypeMappingByConnectorIdQuery/Query
+
+ Permission to query and read objects of type EntityTypeMappingByConnectorIdQuery
+
+- /Connectors/PasswordResetContextsByIdsQuery/Query
+
+ Permission to query and read objects of type PasswordResetContextsByIdsQuery
+
+- /Connectors/ProvisionerResourceTypeMapping/Query
+
+ Permission to query and read objects of type ProvisionerResourceTypeMapping
+
+- /Connectors/ProvisioningSession
+
+ Permission to get provisioning orders from server for a connector.
+
+- /Connectors/ResourceTypeMapping/Query
+
+ Permission to query and read objects of type ResourceTypeMapping (resource types' fulfill
+ settings in the UI) when launching a resource-type-related job.
+
+- /Connectors/SynchronizeSession
+
+ Permission to send connector files to the server.
+
+- `/Custom/AccessCertification/AutoAssigned/{entityType_identifier}`
+
+ Permission to be automatically assigned to an access certification item corresponding to an
+ access right owned by an object of type `entityType_identifier`.
+
+- `/Custom/AccessCertification/ManualAssigned/{entityType_identifier}`
+
+ Permission to be manually assigned to an access certification item corresponding to an access
+ right owned by an object of type `entityType_identifier`.
+
+- `/Custom/ManageAccounts/{entityType_identifier}`
+
+ Permission to display the Manage Accounts menu for resources corresponding to an access right
+ owned by an object of type `entityType_identifier`.
+
+- `/Custom/ProvisioningPolicy/AssignedRoles/{entityType_identifier}`
+
+ Permission to view the roles assigned to an object of type entityType_identifier.
+
+- `/Custom/ProvisioningPolicy/BulkPerformManualProvisioning/{entityType_identifier}`
+
+ Permission to perform bulk validations on the **Manual Provisioning** page.
+
+- `/Custom/ProvisioningPolicy/BulkReconciliateResources/{entityType_identifier}`
+
+ Permission to perform bulk validations on the **Resource Reconciliation** page.
+
+- `/Custom/ProvisioningPolicy/BulkReviewProvisioning/{entityType_identifier}`
+
+ Permission to perform bulk validations on the **Provisioning Review** page (only for errored
+ orders).
+
+- `/Custom/ProvisioningPolicy/BulkRoleReconciliation/{entityType_identifier}`
+
+ Permission to perform bulk validations on the **Role Reconciliation** page.
+
+- `/Custom/ProvisioningPolicy/PendingAssignedResourceTypes/{resourceType_identifier}`
+
+ Permission to query and read all the pending assigned resource types linked to
+ `{resourceType_identifier}`.
+
+- `/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}`
+
+ Permission to perform manual provisioning, access the corresponding screens and be notified
+ accordingly, when `{entityType_identifier}` is the source entity type.
+
+- `/Custom/ProvisioningPolicy/ReconciliateResources/{entityType_identifier}`
+
+ Permission to reconcile resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/ProvisioningPolicy/ReconciliateRoles/{entityType_identifier}`
+
+ Permission to reconcile role corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/ProvisioningPolicy/ReviewProvisioning/{entityType_identifier}`
+
+ Permission to review provisioning corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- The permission's recipient will receive a notification email.
+
+ :::note
+ In order to receive the notifications, a profile must have the full permission path.
+ Having a (great-)parent permission will not enable notifications for all child entities.
+ :::
+
+
+ For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows
+ a profile to perform manual provisioning with Directory_User as the source entity type, and
+ receive the corresponding notifications. On the contrary, the permission
+ /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning
+ for all entity types, but not receive the corresponding notifications.
+ Each permission can be configured in an access control entry so that the corresponding
+ notification is disabled. See the
+ [Access Control Rule](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md)topic
+ for additional information.
+
+- `/Custom/ProvisioningPolicy/ReviewRoles/{entityType_identifier}`
+
+ Permission to review roles corresponding to an access right owned by an object of type
+ entityType_identifier.
+
+ The permission's recipient will receive a notification email.
+
+ :::note
+ In order to receive the notifications, a profile must have the full permission path.
+ Having a (great-)parent permission will not enable notifications for all child entities.
+ :::
+
+
+ For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows
+ a profile to perform manual provisioning with Directory_User as the source entity type, and
+ receive the corresponding notifications.
On the contrary, the permission
+ /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning
+ for all entity types, but not receive the corresponding notifications.
+ Each permission can be configured in an access control entry so that the corresponding
+ notification is disabled. See the
+ [Access Control Rule](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md)topic
+ for additional information.
+
+- `/Custom/Reports/{reportQuery_identifier}`
+
+ Permission to access reports corresponding to the query `reportQuery_identifier`.
+
+- `/Custom/ResourceChanges/{connector_identifier}`
+
+ Permission to query and read any resource changes from the `ResourceChanges` table.
+
+- `/Custom/ResourceFileChanges/{connector_identifier}`
+
+ Permission to query and read any resource file changes from the `ResourceFileChanges` table.
+
+- `/Custom/ResourceFiles/{entityType_identifier}/{property_identifier}/View`
+
+ Permission to query and read any resource files from the `ResourceFile` table corresponding to
+ the property `property_identifier` of the entity `entityType_identifier`, for example the
+ `Directory_User` photo property. This permission is generated by the
+ [`ViewAccessControlRules`](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules.md)
+ scaffolding.
+
+- `/Custom/ResourceLinkChanges/{connector_identifier}`
+
+ Permission to query and read any resource link changes from the `ResourceLinkChanges` table.
+
+- `/Custom/Resources/{entityType_identifier}/Create`
+
+ Permission to create resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/Delete`
+
+ Permission to delete resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/Query`
+
+ Permission to query and read resources corresponding to an access right owned by an object of
+ type `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/Self`
+
+ Permission to view self resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/SelfOwnedResources`
+
+ Permission to view self owned resources corresponding to an access right owned by an object of
+ type `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/SelfTargetResources`
+
+ Permission to view self target resources corresponding to an access right owned by an object of
+ type `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/Update`
+
+ Permission to update resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/View`
+
+ Permission to view resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/ViewOwnedResources`
+
+ Permission to view owned resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Resources/{entityType_identifier}/ViewTargetResources`
+
+ Permission to view target resources corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/Workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}`
+
+ Permission to access the workflow `workflow_identifier`at the activty `activity_identifier` in
+ the state `activityTemplateState_shortIdentifier`.
+
+- `/Custom/Workflows/Supervise/{entityType_identifier}`
+
+ Permission to supervise a workflow corresponding to an access right owned by an object of type
+ `entityType_identifier`.
+
+- `/Custom/WorkflowsNotifications/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}`
+
+ Permission to be notified on a workflow's specific state. Applies to notifications specifying
+ the recipient's type: `Profile`.
+
+- /EntityTypeMappings
+
+ Permission to see the entity types.
+
+- /Jobs/Job/Create
+
+ Permission to create objects of type Job.
+
+- /Jobs/Job/Delete
+
+ Permission to delete objects of type Job.
+
+- /Jobs/Job/Query
+
+ Permission to query and read objects of type Job.
+
+- /Jobs/Job/Update
+
+ Permission to update objects of type Job.
+
+- /Jobs/JobInstance/Create
+
+ Permission to create objects of type JobInstance.
+
+- /Jobs/JobInstance/Delete
+
+ Permission to delete objects of type JobInstance.
+
+- /Jobs/JobInstance/Query
+
+ Permission to query and read objects of type JobInstance.
+
+- /Jobs/JobInstance/Update
+
+ Permission to update objects of type JobInstance.
+
+- /Jobs/JobStep/Create
+
+ Permission to create objects of type JobStep.
+
+- /Jobs/JobStep/Delete
+
+**Permission to delete objects of type JobStep**
+
+- /Jobs/JobStep/Query
+
+ Permission to query and read objects of type JobStep.
+
+- /Jobs/JobStep/Update
+
+ Permission to update objects of type JobStep.
+
+- /Jobs/RunJob/GetLog
+
+ Read permission for JobLog.
+
+- /Jobs/RunJob/Launch/Aborted
+
+ Permission to send notification for job launched which ends in state Aborted.
+
+- /Jobs/RunJob/Launch/Blocked
+
+ Permission to send notification for job launched which ends in state Blocked.
+
+- /Jobs/RunJob/Launch/Completed
+
+ Permission to send notification for job launched which ends in state Completed.
+
+- /Jobs/RunJob/Launch/Errored
+
+ Permission to send notification for job launched which ends in state Errored.
+
+- /Jobs/RunJob/Launch/Warning
+
+ Permission to send notification for job launched which ends in state Warning.
+
+- /Jobs/RunJob/Repair/Aborted
+
+ Permission to send notification for job relaunched which ends in state Aborted.
+
+- /Jobs/RunJob/Repair/Blocked
+
+ Permission to send notification for job relaunched which ends in state Blocked.
+
+- /Jobs/RunJob/Repair/Completed
+
+ Permission to send notification for job relaunched which ends in state Completed.
+
+- /Jobs/RunJob/Repair/Errored
+
+ Permission to send notification for job relaunched which ends in state Errored.
+
+- /Jobs/RunJob/Repair/Warning
+
+ Permission to send notification for job relaunched which ends in state Warning.
+
+- /Jobs/Task/Create
+
+ Permission to create objects of type Task.
+
+- /Jobs/Task/Delete
+
+ Permission to delete objects of type Task.
+
+- /Jobs/Task/Query
+
+ Permission to query and read objects of type Task
+
+- /Jobs/Task/Update
+
+**Permission to update objects of type Task**
+
+- /Jobs/TaskDependOnTask/Create
+
+ Permission to create objects of type TaskDependOnTask.
+
+- /Jobs/TaskDependOnTask/Delete
+
+ Permission to delete objects of type TaskDependOnTask.
+
+- /Jobs/TaskDependOnTask/Query
+
+ Permission to query and read objects of type TaskDependOnTask
+
+- /Jobs/TaskDependOnTask/Update
+
+ Permission to update objects of type TaskDependOnTask.
+
+- /Jobs/TaskDimension/Create
+
+ Permission to create objects of type TaskDimension.
+
+- /Jobs/TaskDimension/Delete
+
+ Permission to delete objects of type TaskDimension.
+
+- /Jobs/TaskDimension/Query
+
+ Permission to query and read objects of type TaskDimension.
+
+- /Jobs/TaskDimension/Update
+
+ Permission to update objects of type TaskDimension.
+
+- /Jobs/TaskEntityType/Create
+
+ Permission to create objects of type TaskEntityType.
+
+- /Jobs/TaskEntityType/Delete
+
+ Permission to delete objects of type TaskEntityType.
+
+- /Jobs/TaskEntityType/Query
+
+ Permission to query and read objects of type TaskEntityType.
+
+- /Jobs/TaskEntityType/Update
+
+**Permission to update objects of type TaskEntityType**
+
+- /Jobs/TaskIdByIdentifiersQuery/Query
+
+ Permission to query and read objects of type TaskIdByIdentifiersQuery.
+
+- /Jobs/TaskInstance/Create
+
+ Permission to create objects of type TaskInstance.
+
+- /Jobs/TaskInstance/Delete
+
+ Permission to delete objects of type TaskInstance.
+
+- /Jobs/TaskInstance/Query
+
+ Permission to query and read objects of type TaskInstance.
+
+- /Jobs/TaskInstance/Update
+
+ Permission to update objects of type TaskInstance.
+
+- /Jobs/TaskResourceType/Create
+
+ Permission to create objects of type TaskResourceType.
+
+- /Jobs/TaskResourceType/Delete
+
+ Permission to delete objects of type TaskResourceType.
+
+- /Jobs/TaskResourceType/Query
+
+ Permission to query and read objects of type TaskResourceType.
+
+- /Jobs/TaskResourceType/Update
+
+ Permission to update objects of type TaskResourceType.
+
+- /Metadata/Binding/Create
+
+ Permission to create objects of type Binding.
+
+- /Metadata/Binding/Delete
+
+ Permission to delete objects of type Binding.
+
+- /Metadata/Binding/Query
+
+ Permission to query and read objects of type Binding.
+
+- /Metadata/Binding/Update
+
+ Permission to update objects of type Binding.
+
+- /Metadata/BindingItem/Query
+
+ Permission to query and read objects of type BindingItem.
+
+- /Metadata/Dimension/Create
+
+ Permission to create objects of type Dimension.
+
+- /Metadata/Dimension/Delete
+
+ Permission to delete objects of type Dimension.
+
+- /Metadata/Dimension/Query
+
+ Permission to query and read objects of type Dimension.
+
+- /Metadata/Dimension/Update
+
+ Permission to update objects of type Dimension.
+
+- /Metadata/EntityAssociation/Create
+
+ Permission to create objects of type EntityAssociation.
+
+- /Metadata/EntityAssociation/Delete
+
+ Permission to delete objects of type EntityAssociation.
+
+- /Metadata/EntityAssociation/Query
+
+ Permission to query and read objects of type EntityAssociation.
+
+- /Metadata/EntityAssociation/Update
+
+ Permission to update objects of type EntityAssociation.
+
+- /Metadata/EntityProperty/Create
+
+ Permission to create objects of type EntityProperty.
+
+- /Metadata/EntityProperty/Delete
+
+ Permission to delete objects of type EntityProperty.
+
+- /Metadata/EntityProperty/Query
+
+ Permission to query and read objects of type EntityProperty.
+
+- /Metadata/EntityProperty/Update
+
+ Permission to update objects of type EntityProperty.
+
+- /Metadata/EntityType/Create
+
+ Permission to create objects of type EntityType.
+
+- /Metadata/EntityType/Delete
+
+ Permission to delete objects of type EntityType.
+
+- /Metadata/EntityType/Query
+
+ Permission to query and read objects of type EntityType.
+
+- /Metadata/EntityType/Update
+
+ Permission to update objects of type EntityType.
+
+- /Metadata/Language/Query
+
+ Permission to query and read objects of type Language.
+
+- /Metadata/Setting/Create
+
+**Permission to create objects of type Setting**
+
+- /Metadata/Setting/Delete
+
+**Permission to delete objects of type Setting**
+
+- /Metadata/Setting/Query
+
+ Permission to query and read objects of type Setting
+
+- /Metadata/Setting/Update
+
+**Permission to update objects of type Setting**
+
+- /Monitoring
+
+ Permission to download server logs from the User Interface (from the **Monitoring** screen).
+
+- /ProvisioningPolicy/AssignedCompositeRole/Comment
+
+**Permission to comment objects of type AssignedCompositeRole**
+
+- /ProvisioningPolicy/AssignedCompositeRole/Create
+
+**Permission to create objects of type AssignedCompositeRole**
+
+- /ProvisioningPolicy/AssignedCompositeRole/Delete
+
+**Permission to delete objects of type AssignedCompositeRole**
+
+- /ProvisioningPolicy/AssignedCompositeRole/Query
+
+ Permission to query and read objects of type AssignedCompositeRole
+
+- /ProvisioningPolicy/AssignedCompositeRole/Update
+
+**Permission to update objects of type AssignedCompositeRole**
+
+- /ProvisioningPolicy/AssignedResourceBinary/Create
+
+**Permission to create objects of type AssignedResourceBinary**
+
+- /ProvisioningPolicy/AssignedResourceBinary/Delete
+
+**Permission to delete objects of type AssignedResourceBinary**
+
+- /ProvisioningPolicy/AssignedResourceBinary/Query
+
+ Permission to query and read objects of type AssignedResourceBinary
+
+- /ProvisioningPolicy/AssignedResourceBinary/Update
+
+**Permission to update objects of type AssignedResourceBinary**
+
+- /ProvisioningPolicy/AssignedResourceNavigation/Create
+
+**Permission to create objects of type AssignedResourceNavigation**
+
+- /ProvisioningPolicy/AssignedResourceNavigation/Delete
+
+**Permission to delete objects of type AssignedResourceNavigation**
+
+- /ProvisioningPolicy/AssignedResourceNavigation/Query
+
+ Permission to query and read objects of type AssignedResourceNavigation
+
+- /ProvisioningPolicy/AssignedResourceNavigation/Update
+
+**Permission to update objects of type AssignedResourceNavigation**
+
+- /ProvisioningPolicy/AssignedResourceScalar/Create
+
+**Permission to create objects of type AssignedResourceScalar**
+
+- /ProvisioningPolicy/AssignedResourceScalar/Delete
+
+**Permission to delete objects of type AssignedResourceScalar**
+
+- /ProvisioningPolicy/AssignedResourceScalar/Query
+
+ Permission to query and read objects of type AssignedResourceScalar
+
+-
/ProvisioningPolicy/AssignedResourceScalar/Update
+
+**Permission to update objects of type AssignedResourceScalar**
+
+- /ProvisioningPolicy/AssignedResourceType/Comment
+
+**Permission to comment objects of type AssignedResourceType**
+
+- /ProvisioningPolicy/AssignedResourceType/Create
+
+**Permission to create objects of type AssignedResourceType**
+
+- /ProvisioningPolicy/AssignedResourceType/Delete
+
+**Permission to delete objects of type AssignedResourceType**
+
+- /ProvisioningPolicy/AssignedResourceType/ManualProvisioningReview
+
+ Permission to review manual provisioning for object of type AssignedResourceType
+
+- /ProvisioningPolicy/AssignedResourceType/Query
+
+ Permission to query and read objects of type AssignedResourceType
+
+- /ProvisioningPolicy/AssignedResourceType/Update
+
+**Permission to update objects of type AssignedResourceType**
+
+- /ProvisioningPolicy/AssignedSingleRole/Comment
+
+**Permission to comment objects of type AssignedSingleRole**
+
+- /ProvisioningPolicy/AssignedSingleRole/Create
+
+**Permission to create objects of type AssignedSingleRole**
+
+- /ProvisioningPolicy/AssignedSingleRole/Delete
+
+**Permission to delete objects of type AssignedSingleRole**
+
+- /ProvisioningPolicy/AssignedSingleRole/Query
+
+ Permission to query and read objects of type AssignedSingleRole
+
+- /ProvisioningPolicy/AssignedSingleRole/Update
+
+**Permission to update objects of type AssignedSingleRole**
+
+- /ProvisioningPolicy/AutomationRule/Create
+
+**Permission to create objects of type AutomationRule**
+
+- /ProvisioningPolicy/AutomationRule/CreateSimulation
+
+ Permission to create objects of type AutomationRule in simulation
+
+- /ProvisioningPolicy/AutomationRule/Delete
+
+**Permission to delete objects of type AutomationRule**
+
+- /ProvisioningPolicy/AutomationRule/DeleteSimulation
+
+ Permission to delete objects of type AutomationRule in simulation
+
+- /ProvisioningPolicy/AutomationRule/Query
+
+ Permission to query and read objects
of type AutomationRule
+
+- /ProvisioningPolicy/AutomationRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type AutomationRule
+
+- /ProvisioningPolicy/AutomationRule/Simulation
+
+ Permission to query and read objects of type AutomationRule in simulation
+
+- /ProvisioningPolicy/AutomationRule/Updat
+
+**Permission to update objects of type AutomationRule**
+
+- /ProvisioningPolicy/AutomationRule/UpdateSimulation
+
+ Permission to update objects of type AutomationRule in simulation
+
+- /ProvisioningPolicy/Category/Create
+
+**Permission to create objects of type Category**
+
+- /ProvisioningPolicy/Category/Delete
+
+**Permission to delete objects of type Category**
+
+- /ProvisioningPolicy/Category/Query
+
+ Permission to query and read objects of type Category
+
+- /ProvisioningPolicy/Category/Update
+
+**Permission to update objects of type Category**
+
+- /ProvisioningPolicy/CompositeRole/Create
+
+**Permission to create objects of type CompositeRole**
+
+- /ProvisioningPolicy/CompositeRole/CreateSimulation
+
+ Permission to create objects of type CompositeRole in simulation
+
+- /ProvisioningPolicy/CompositeRole/Delete
+
+**Permission to delete objects of type CompositeRole**
+
+- /ProvisioningPolicy/CompositeRole/DeleteSimulation
+
+ Permission to delete objects of type CompositeRole in simulation
+
+- /ProvisioningPolicy/CompositeRole/Query
+
+ Permission to query and read objects of type CompositeRole
+
+- /ProvisioningPolicy/CompositeRole/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type CompositeRole
+
+- /ProvisioningPolicy/CompositeRole/Simulation
+
+ Permission to query and read objects of type CompositeRole in simulation
+
+- /ProvisioningPolicy/CompositeRole/Update
+
+**Permission to update objects of type CompositeRole**
+
+- /ProvisioningPolicy/CompositeRole/UpdateSimulation
+
+ Permission to update objects of type CompositeRole in simulation
+
+-
/ProvisioningPolicy/CompositeRoleRule/Create
+
+**Permission to create objects of type CompositeRoleRule**
+
+- /ProvisioningPolicy/CompositeRoleRule/CreateSimulation
+
+ Permission to create objects of type CompositeRoleRule in simulation
+
+- /ProvisioningPolicy/CompositeRoleRule/Delete
+
+**Permission to delete objects of type CompositeRoleRule**
+
+- /ProvisioningPolicy/CompositeRoleRule/DeleteSimulation
+
+ Permission to delete objects of type CompositeRoleRule in simulation
+
+- /ProvisioningPolicy/CompositeRoleRule/Query
+
+ Permission to query and read objects of type CompositeRoleRule
+
+- /ProvisioningPolicy/CompositeRoleRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type CompositeRoleRule
+
+- /ProvisioningPolicy/CompositeRoleRule/Simulation
+
+ Permission to query and read objects of type CompositeRoleRule in simulation
+
+- /ProvisioningPolicy/CompositeRoleRule/Update
+
+**Permission to update objects of type CompositeRoleRule**
+
+- /ProvisioningPolicy/CompositeRoleRule/UpdateSimulation
+
+ Permission to update objects of type CompositeRoleRule in simulation
+
+- /ProvisioningPolicy/ContextRule/Create
+
+**Permission to create objects of type ContextRule**
+
+- /ProvisioningPolicy/ContextRule/CreateSimulation
+
+ Permission to create objects of type ContextRule in simulation
+
+- /ProvisioningPolicy/ContextRule/Delete
+
+**Permission to delete objects of type ContextRule**
+
+- /ProvisioningPolicy/ContextRule/DeleteSimulation
+
+ Permission to delete objects of type ContextRule in simulation
+
+- /ProvisioningPolicy/ContextRule/Query
+
+ Permission to query and read objects of type ContextRule
+
+- /ProvisioningPolicy/ContextRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type ContextRule
+
+- /ProvisioningPolicy/ContextRule/Simulation
+
+ Permission to query and read objects of type ContextRule in simulation
+
+- /ProvisioningPolicy/ContextRule/Update
+
+**Permission to update objects of type ContextRule**
+
+- /ProvisioningPolicy/ContextRule/UpdateSimulation
+
+ Permission to update objects of type ContextRule in simulation
+
+- /ProvisioningPolicy/IdentifiedRisk/Query
+
+ Permission to query and read objects of type IdentifiedRisk
+
+- /ProvisioningPolicy/MiningRule/Create
+
+**Permission to create objects of type MiningRule**
+
+- /ProvisioningPolicy/MiningRule/Delete
+
+**Permission to delete objects of type MiningRule**
+
+- /ProvisioningPolicy/MiningRule/Query
+
+ Permission to query and read objects of type MiningRule
+
+- /ProvisioningPolicy/MiningRule/Update
+
+**Permission to update objects of type MiningRule**
+
+- /ProvisioningPolicy/Policy/Create
+
+**Permission to create objects of type Policy**
+
+- /ProvisioningPolicy/Policy/CreateSimulation
+
+ Permission to create objects of type Policy in simulation
+
+- /ProvisioningPolicy/Policy/Delete
+
+**Permission to delete objects of type Policy**
+
+- /ProvisioningPolicy/Policy/DeleteSimulation
+
+ Permission to delete objects of type Policy in simulation
+
+- /ProvisioningPolicy/Policy/Query
+
+ Permission to query and read objects of type Policy
+
+- /ProvisioningPolicy/Policy/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type Policy
+
+- /ProvisioningPolicy/Policy/Simulation
+
+ Permission to query and read objects of type Policy in simulation
+
+- /ProvisioningPolicy/Policy/Update
+
+**Permission to update objects of type Policy**
+
+- /ProvisioningPolicy/Policy/UpdateSimulation
+
+ Permission to update objects of type Policy in simulation
+
+- /ProvisioningPolicy/PolicySimulation/Create
+
+**Permission to create objects of type PolicySimulation**
+
+- /ProvisioningPolicy/PolicySimulation/Delete
+
+**Permission to delete objects of type PolicySimulation**
+
+- /ProvisioningPolicy/PolicySimulation/Query
+
+ Permission to query and read objects of type PolicySimulation
+
+-
/ProvisioningPolicy/PolicySimulation/Start
+
+**Permission to start a simulation of a policy**
+
+- /ProvisioningPolicy/PolicySimulation/Update
+
+ Permission to update objects of type PolicySimulation.
+
+- /ProvisioningPolicy/PredefinedFunctionQuery/Query
+
+ Permission to query and read objects of type PredefinedFunctionQuery
+
+- /ProvisioningPolicy/Provisioning/Start
+
+ Permission to compute Provisioning.
+
+- /ProvisioningPolicy/RedundantAssignment/Query
+
+ Permission to access the **Redundant Assignment** page.
+
+- /ProvisioningPolicy/RedundantAssignment/Start
+
+ Permission to compute redundant assignments and remove them.
+
+- /ProvisioningPolicy/ResourceBinaryRule/Create
+
+ Permission to create objects of type ResourceBinaryRule.
+
+- /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation
+
+ Permission to create objects of type ResourceBinaryRule in simulation.
+
+- /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation
+
+ Permission to create objects of type ResourceBinaryRule in simulation.
+
+- /ProvisioningPolicy/ResourceBinaryRule/Delete
+
+ Permission to delete objects of type ResourceBinaryRule.
+
+- /ProvisioningPolicy/ResourceBinaryRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceBinaryRule in simulatio.n
+
+- /ProvisioningPolicy/ResourceBinaryRule/Query
+
+ Permission to query and read objects of type ResourceBinaryRule.
+
+- /ProvisioningPolicy/ResourceBinaryRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type ResourceBinaryRule
+
+- /ProvisioningPolicy/ResourceBinaryRule/Simulation
+
+ Permission to query and read objects of type ResourceBinaryRule in simulation.
+
+- /ProvisioningPolicy/ResourceBinaryRule/Update
+
+ Permission to update objects of type ResourceBinaryRule.
+
+- /ProvisioningPolicy/ResourceBinaryRule/UpdateSimulation
+
+ Permission to update objects of type ResourceBinaryRule in simulation.
+
+- /ProvisioningPolicy/ResourceClassificationRule/Create
+
+ Permission to create objects of type ResourceClassificationRule.
+
+- /ProvisioningPolicy/ResourceClassificationRule/CreateSimulation
+
+ Permission to create objects of type ResourceClassificationRule in simulation.
+
+- /ProvisioningPolicy/ResourceClassificationRule/Delete
+
+**Permission to delete objects of type ResourceClassificationRule**
+
+- /ProvisioningPolicy/ResourceClassificationRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceClassificationRule in simulation.
+
+- /ProvisioningPolicy/ResourceClassificationRule/Query
+
+ Permission to query and read objects of type ResourceClassificationRule.
+
+- /ProvisioningPolicy/ResourceClassificationRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type
+ ResourceClassificationRule.
+
+- /ProvisioningPolicy/ResourceClassificationRule/Simulation
+
+ Permission to query and read objects of type ResourceClassificationRule in simulation.
+
+- /ProvisioningPolicy/ResourceClassificationRule/Update
+
+**Permission to update objects of type ResourceClassificationRule**
+
+- /ProvisioningPolicy/ResourceClassificationRule/UpdateSimulation
+
+ Permission to update objects of type ResourceClassificationRule in simulation
+
+- /ProvisioningPolicy/ResourceCorrelationRule/Create
+
+**Permission to create objects of type ResourceCorrelationRule**
+
+- /ProvisioningPolicy/ResourceCorrelationRule/CreateSimulation
+
+ Permission to create objects of type ResourceCorrelationRule in simulation
+
+- /ProvisioningPolicy/ResourceCorrelationRule/Delete
+
+**Permission to delete objects of type ResourceCorrelationRule**
+
+- /ProvisioningPolicy/ResourceCorrelationRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceCorrelationRule in simulation
+
+- /ProvisioningPolicy/ResourceCorrelationRule/Query
+
+ Permission to query and read objects of type ResourceCorrelationRule
+
+- /ProvisioningPolicy/ResourceCorrelationRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type
+ ResourceCorrelationRule
+
+- /ProvisioningPolicy/ResourceCorrelationRule/Simulation
+
+ Permission to query and read objects of type ResourceCorrelationRule in simulation
+
+- /ProvisioningPolicy/ResourceCorrelationRule/Update
+
+**Permission to update objects of type ResourceCorrelationRule**
+
+- /ProvisioningPolicy/ResourceCorrelationRule/UpdateSimulation
+
+ Permission to update objects of type ResourceCorrelationRule in simulation
+
+- /ProvisioningPolicy/ResourceHistory/Query
+
+ Permission to query and read objects of type ResourceHistory
+
+- /ProvisioningPolicy/ResourceManageableAccounts/Query
+
+ Permission to query and read objects of type ResourceManageableAccounts
+
+**/ProvisioningPolicy/ResourceNavigationRule/Create**
+
+- Permission to create objects of type ResourceNavigationRule
+- /ProvisioningPolicy/ResourceNavigationRule/CreateSimulation
+
+ Permission to create objects 
of type ResourceNavigationRule in simulation
+
+- /ProvisioningPolicy/ResourceNavigationRule/Delete
+
+**Permission to delete objects of type ResourceNavigationRule**
+
+- /ProvisioningPolicy/ResourceNavigationRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceNavigationRule in simulation
+
+- /ProvisioningPolicy/ResourceNavigationRule/Query
+
+ Permission to query and read objects of type ResourceNavigationRule
+
+- /ProvisioningPolicy/ResourceNavigationRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type
+ ResourceNavigationRule
+
+- /ProvisioningPolicy/ResourceNavigationRule/Simulation
+
+ Permission to query and read objects of type ResourceNavigationRule in simulation
+
+- /ProvisioningPolicy/ResourceNavigationRule/Update
+
+**Permission to update objects of type ResourceNavigationRule**
+
+- /ProvisioningPolicy/ResourceNavigationRule/UpdateSimulation
+
+ Permission to update objects of type ResourceNavigationRule in simulation
+
+- /ProvisioningPolicy/ResourceQueryRule/Create
+
+**Permission to create objects of type ResourceQueryRule**
+
+- /ProvisioningPolicy/ResourceQueryRule/CreateSimulation
+
+ Permission to create objects of type ResourceQueryRule in simulation
+
+- /ProvisioningPolicy/ResourceQueryRule/Delete
+
+**Permission to delete objects of type ResourceQueryRule**
+
+- /ProvisioningPolicy/ResourceQueryRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceQueryRule in simulation
+
+- /ProvisioningPolicy/ResourceQueryRule/Query
+
+ Permission to query and read objects of type ResourceQueryRule
+
+- /ProvisioningPolicy/ResourceQueryRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type ResourceQueryRule
+
+- /ProvisioningPolicy/ResourceQueryRule/Simulation
+
+ Permission to query and read objects of type ResourceQueryRule in simulation
+
+- /ProvisioningPolicy/ResourceQueryRule/Update
+
+**Permission to update objects of 
type ResourceQueryRule**
+
+- /ProvisioningPolicy/ResourceQueryRule/UpdateSimulation
+
+ Permission to update objects of type ResourceQueryRule in simulation
+
+- /ProvisioningPolicy/ResourceScalarRule/Create
+
+**Permission to create objects of type ResourceScalarRule**
+
+- /ProvisioningPolicy/ResourceScalarRule/CreateSimulation
+
+ Permission to create objects of type ResourceScalarRule in simulation
+
+- /ProvisioningPolicy/ResourceScalarRule/Delete
+
+**Permission to delete objects of type ResourceScalarRule**
+
+- /ProvisioningPolicy/ResourceScalarRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceScalarRule in simulation
+
+- /ProvisioningPolicy/ResourceScalarRule/Query
+
+ Permission to query and read objects of type ResourceScalarRule
+
+- /ProvisioningPolicy/ResourceScalarRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type ResourceScalarRule
+
+- /ProvisioningPolicy/ResourceScalarRule/Simulation
+
+ Permission to query and read objects of type ResourceScalarRule in simulation
+
+- /ProvisioningPolicy/ResourceScalarRule/Update
+
+**Permission to update objects of type ResourceScalarRule**
+
+- /ProvisioningPolicy/ResourceScalarRule/UpdateSimulation
+
+ Permission to update objects of type ResourceScalarRule in simulation
+
+- /ProvisioningPolicy/ResourceType/Create
+
+**Permission to create objects of type ResourceType**
+
+- /ProvisioningPolicy/ResourceType/CreateSimulation
+
+ Permission to create objects of type ResourceType in simulation
+
+- /ProvisioningPolicy/ResourceType/Delete
+
+**Permission to delete objects of type ResourceType**
+
+- /ProvisioningPolicy/ResourceType/DeleteSimulation
+
+ Permission to delete objects of type ResourceType in simulation
+
+- /ProvisioningPolicy/ResourceType/Query
+
+ Permission to query and read objects of type ResourceType
+
+- /ProvisioningPolicy/ResourceType/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on 
objects of type ResourceType
+
+- /ProvisioningPolicy/ResourceType/Simulation
+
+ Permission to query and read objects of type ResourceType in simulation
+
+- /ProvisioningPolicy/ResourceType/Update
+
+**Permission to update objects of type ResourceType**
+
+- /ProvisioningPolicy/ResourceType/UpdateSimulation
+
+ Permission to update objects of type ResourceType in simulation
+
+- /ProvisioningPolicy/ResourceTypeRule/Create
+
+**Permission to create objects of type ResourceTypeRule**
+
+- /ProvisioningPolicy/ResourceTypeRule/CreateSimulation
+
+ Permission to create objects of type ResourceTypeRule in simulation
+
+- /ProvisioningPolicy/ResourceTypeRule/Delete
+
+**Permission to delete objects of type ResourceTypeRule**
+
+- /ProvisioningPolicy/ResourceTypeRule/DeleteSimulation
+
+ Permission to delete objects of type ResourceTypeRule in simulation
+
+- /ProvisioningPolicy/ResourceTypeRule/Query
+
+ Permission to query and read objects of type ResourceTypeRule
+
+- /ProvisioningPolicy/ResourceTypeRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type ResourceTypeRule
+
+- /ProvisioningPolicy/ResourceTypeRule/Simulation
+
+ Permission to query and read objects of type ResourceTypeRule in simulation
+
+- /ProvisioningPolicy/ResourceTypeRule/Update
+
+**Permission to update objects of type ResourceTypeRule**
+
+- /ProvisioningPolicy/ResourceTypeRule/UpdateSimulation
+
+ Permission to update objects of type ResourceTypeRule in simulation
+
+- /ProvisioningPolicy/Risk/Create
+
+**Permission to create objects of type Risk**
+
+- /ProvisioningPolicy/Risk/Delete
+
+**Permission to delete objects of type Risk**
+
+- /ProvisioningPolicy/Risk/OverrideApproval
+
+ ermission to transform an approval risk into a warning risk
+
+- /ProvisioningPolicy/Risk/OverrideBlocking
+
+ Permission to transform a blocking risk into an approval risk
+
+- /ProvisioningPolicy/Risk/Query
+
+ Permission to query and read objects of type Risk
+
+- 
/ProvisioningPolicy/Risk/Update
+
+**Permission to update objects of type Risk**
+
+- /ProvisioningPolicy/RoleMapping/Create
+
+**Permission to create objects of type RoleMapping**
+
+- /ProvisioningPolicy/RoleMapping/Delete
+
+**Permission to delete objects of type RoleMapping**
+
+- /ProvisioningPolicy/RoleMapping/Query
+
+ Permission to query and read objects of type RoleMapping
+
+- /ProvisioningPolicy/RoleMapping/Update
+
+**Permission to update objects of type RoleMapping**
+
+- /ProvisioningPolicy/SingleRole/Create
+
+**Permission to create objects of type SingleRole**
+
+- /ProvisioningPolicy/SingleRole/CreateSimulation
+
+ Permission to create objects of type SingleRole in simulation
+
+- /ProvisioningPolicy/SingleRole/Delete
+
+**Permission to delete objects of type SingleRole**
+
+- /ProvisioningPolicy/SingleRole/DeleteSimulation
+
+ Permission to delete objects of type SingleRole in simulation
+
+- /ProvisioningPolicy/SingleRole/Query
+
+ Permission to query and read objects of type SingleRole
+
+- /ProvisioningPolicy/SingleRole/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type SingleRole
+
+- /ProvisioningPolicy/SingleRole/Simulation
+
+ Permission to query and read objects of type SingleRole in simulation
+
+- /ProvisioningPolicy/SingleRole/Update
+
+**Permission to update objects of type SingleRole**
+
+- /ProvisioningPolicy/SingleRole/UpdateSimulation
+
+ Permission to update objects of type SingleRole in simulation
+
+- /ProvisioningPolicy/SingleRoleRule/Create
+
+**Permission to create objects of type SingleRoleRule**
+
+- /ProvisioningPolicy/SingleRoleRule/CreateSimulation
+
+ Permission to create objects of type SingleRoleRule in simulation
+
+- /ProvisioningPolicy/SingleRoleRule/Delete
+
+**Permission to delete objects of type SingleRoleRule**
+
+- /ProvisioningPolicy/SingleRoleRule/DeleteSimulation
+
+ Permission to delete objects of type SingleRoleRule in simulation
+
+- 
/ProvisioningPolicy/SingleRoleRule/Query
+
+ Permission to query and read objects of type SingleRoleRule
+
+- /ProvisioningPolicy/SingleRoleRule/RevertSimulation
+
+ Permission to revert a deletion or update in simulation on objects of type SingleRoleRule
+
+- /ProvisioningPolicy/SingleRoleRule/Simulation
+
+ Permission to query and read objects of type SingleRoleRule in simulation
+
+- /ProvisioningPolicy/SingleRoleRule/Update
+
+**Permission to update objects of type SingleRoleRule**
+
+- /ProvisioningPolicy/SingleRoleRule/UpdateSimulation
+
+ Permission to update objects of type SingleRoleRule in simulation
+
+- /Report/GenerateReportFileFromQuery/Query
+
+ Permission to query and read objects of type GenerateReportFileFromQuery
+
+- /Report/GenerateReportFileFromReportQuery/Query
+
+ Permission to query and read objects of type GenerateReportFileFromReportQuery
+
+- /Report/ReportQuery/Create
+
+**Permission to create objects of type ReportQuery**
+
+- /Report/ReportQuery/Delete
+
+**Permission to delete objects of type ReportQuery**
+
+- /Report/ReportQuery/Query
+
+ Permission to query and read objects of type ReportQuery
+
+- /Report/ReportQuery/Update
+
+**Permission to update objects of type ReportQuery**
+
+- /Resources/Incremental/Query
+
+ Permission to query and read objects of type Resource and Resource Link incrementally changed
+
+- /Resources/Resource/Create
+
+**Permission to create objects of type Resource**
+
+- /Resources/Resource/Delete
+
+**Permission to delete objects of type Resource**
+
+- /Resources/Resource/Query
+
+ Permission to query and read objects of type Resource
+
+- /Resources/Resource/Update
+
+**Permission to update objects of type Resource**
+
+- /Settings/Manage
+- /Universes/EntityInstance/Query
+
+ Permission to query and read objects of type EntityInstance
+
+- /Universes/Universe/Query
+
+ Permission to query and read objects of type Universe
+
+- /Universes/UniverseData/Query
+
+ Permission to query and read objects of 
type UniverseData
+
+- /UserInterface/ActivityFormNameByWorkflowInstanceIdQuery/Query
+
+ Permission to query and read objects of type ActivityFormNameByWorkflowInstanceIdQuery
+
+- /UserInterface/ApplicationInformationsQuery/Query
+
+ Permission to query and read objects of type ApplicationInformationsQuery
+
+- /UserInterface/ConnectorResourceType/Create
+
+**Permission to create objects of type ConnectorResourceType**
+
+- /UserInterface/ConnectorResourceType/Delete
+
+**Permission to delete objects of type ConnectorResourceType**
+
+- /UserInterface/ConnectorResourceType/Update
+
+**Permission to update objects of type ConnectorResourceType**
+
+- /UserInterface/DisplayEntityAssociation/Create
+
+**Permission to create objects of type DisplayEntityAssociation**
+
+- /UserInterface/DisplayEntityAssociation/Delete
+
+**Permission to delete objects of type DisplayEntityAssociation**
+
+- /UserInterface/DisplayEntityAssociation/Query
+
+ Permission to query and read objects of type DisplayEntityAssociatio
+
+- /UserInterface/DisplayEntityAssociation/Update
+
+**Permission to update objects of type DisplayEntityAssociation**
+
+- /UserInterface/DisplayEntityProperty/Create
+
+**Permission to create objects of type DisplayEntityProperty**
+
+- /UserInterface/DisplayEntityProperty/Delete
+
+**Permission to delete objects of type DisplayEntityProperty**
+
+- /UserInterface/DisplayEntityProperty/Query
+
+ Permission to query and read objects of type DisplayEntityProperty
+
+- /UserInterface/DisplayEntityProperty/Update
+
+**Permission to update objects of type DisplayEntityProperty**
+
+- /UserInterface/DisplayEntityType/Create
+
+**Permission to create objects of type DisplayEntityType**
+
+- /UserInterface/DisplayEntityType/Delete
+
+**Permission to delete objects of type DisplayEntityType**
+
+- /UserInterface/DisplayEntityType/Query
+
+ Permission to query and read objects of type DisplayEntityType
+
+- /UserInterface/DisplayEntityType/Update
+
+**Permission to 
update objects of type DisplayEntityType**
+
+- /UserInterface/DisplayPropertyGroup/Create
+
+**Permission to create objects of type DisplayPropertyGroup**
+
+- /UserInterface/DisplayPropertyGroup/Delete
+
+**Permission to delete objects of type DisplayPropertyGroup**
+
+- /UserInterface/DisplayPropertyGroup/Query
+
+ Permission to query and read objects of type DisplayPropertyGroup
+
+- /UserInterface/DisplayPropertyGroup/Update
+
+**Permission to update objects of type DisplayPropertyGroup**
+
+- /UserInterface/DisplayTable/Create
+
+**Permission to create objects of type DisplayTable**
+
+- /UserInterface/DisplayTable/Delete
+
+**Permission to delete objects of type DisplayTable**
+
+- /UserInterface/DisplayTable/Query
+
+ Permission to query and read objects of type DisplayTable
+
+- /UserInterface/DisplayTable/Update
+
+**Permission to update objects of type DisplayTable**
+
+- /UserInterface/DisplayTableColumn/Create
+
+**Permission to create objects of type DisplayTableColumn**
+
+- /UserInterface/DisplayTableColumn/Delete
+
+**Permission to delete objects of type DisplayTableColumn**
+
+- /UserInterface/DisplayTableColumn/Query
+
+ Permission to query and read objects of type DisplayTableColumn
+
+- /UserInterface/DisplayTableColumn/Update
+
+**Permission to update objects of type DisplayTableColumn**
+
+- /UserInterface/DisplayTableDesignElement/Query
+
+ Permission to query and read objects of type DisplayTableDesignElement
+
+- /UserInterface/EntityTypeMappingByUiContextQuery/Query
+
+ Permission to query and read objects of type EntityTypeMappingByUiContextQuery
+
+- /UserInterface/Form/Create
+
+**Permission to create objects of type Form**
+
+- /UserInterface/Form/Delete
+
+**Permission to delete objects of type Form**
+
+- /UserInterface/Form/Query
+
+ Permission to query and read objects of type Form
+
+- /UserInterface/Form/Updat
+
+**Permission to update objects of type Form**
+
+- /UserInterface/FormControl/Create
+
+**Permission to create 
objects of type FormControl**
+
+- /UserInterface/FormControl/Delete
+
+**Permission to delete objects of type FormControl**
+
+- /UserInterface/FormControl/Query
+
+ Permission to query and read objects of type FormControl
+
+- /UserInterface/FormControl/Update
+
+**Permission to update objects of type FormControl**
+
+- /UserInterface/HierarchyDataByEntityTypeIdQuery/Query
+
+ Permission to query and read objects of type HierarchyDataByEntityTypeIdQuery
+
+- /UserInterface/Indicator/Create
+
+**Permission to create objects of type Indicator**
+
+- /UserInterface/Indicator/Delete
+
+**Permission to delete objects of type Indicator**
+
+- /UserInterface/Indicator/Query
+
+ Permission to query and read objects of type Indicator
+
+- /UserInterface/Indicator/Update
+
+**Permission to update objects of type Indicator**
+
+- /UserInterface/IndicatorItem/Create
+
+**Permission to create objects of type IndicatorItem**
+
+- /UserInterface/IndicatorItem/Delete
+
+**Permission to delete objects of type IndicatorItem**
+
+- /UserInterface/IndicatorItem/Query
+
+ Permission to query and read objects of type IndicatorItem
+
+- /UserInterface/IndicatorItem/Update
+
+**Permission to update objects of type IndicatorItem**
+
+- /UserInterface/PersonasByFilterQuery/Query
+
+ Permission to query and read objects of type PersonasByFilterQuery
+
+- /UserInterface/Reload
+
+ Permission to reset the container, in order to update the permissions and the displayed
+ configuration.
+
+- /UserInterface/ResourceReadForm/Query
+
+ Permission to query and read objects of type ResourceReadForm
+
+- /UserInterface/ResourceReadFormActions/Query
+
+ Permission to query and read objects of type ResourceReadFormActions
+
+- /UserInterface/ResourceSearchForm/Query
+
+ Permission to query and read objects of type ResourceSearchForm
+
+- /UserInterface/ResourceSelfForm/Query
+
+ Permission to query and read objects of type ResourceSelfForm
+
+- /UserInterface/SearchBar/Create
+
+**Permission to create objects of type SearchBar**
+
+- /UserInterface/SearchBar/Delete
+
+**Permission to delete objects of type SearchBar**
+
+- /UserInterface/SearchBar/Query
+
+ Permission to query and read objects of type SearchBar
+
+- /UserInterface/SearchBar/Update
+
+**Permission to update objects of type SearchBar**
+
+- /UserInterface/SearchBarCriterion/Create
+
+**Permission to create objects of type SearchBarCriterion**
+
+- /UserInterface/SearchBarCriterion/Delete
+
+**Permission to delete objects of type SearchBarCriterion**
+
+- /UserInterface/SearchBarCriterion/Query
+
+ Permission to query and read objects of type SearchBarCriterion
+
+- /UserInterface/SearchBarCriterion/Update
+
+**Permission to update objects of type SearchBarCriterion**
+
+- /UserInterface/Tile/Create
+
+**Permission to create objects of type Tile**
+
+- /UserInterface/Tile/Delete
+
+**Permission to delete objects of type Tile**
+
+- /UserInterface/Tile/Query
+
+ Permission to query and read objects of type Tile
+
+- /UserInterface/Tile/Update
+
+**Permission to update objects of type Tile**
+
+- /UserInterface/TileDesignElement/Query
+
+ Permission to query and read objects of type TileDesignElement
+
+- /UserInterface/TileItem/Create
+
+**Permission to create objects of type TileItem**
+
+- /UserInterface/TileItem/Delete
+
+**Permission to delete objects of type TileItem**
+
+- /UserInterface/TileItem/Query
+
+ Permission to query and read objects of type TileItem
+
+- 
/UserInterface/TileItem/Update
+
+**Permission to update objects of type TileItem**
+
+- /UserInterface/UserByIdentityQuery/Query
+
+ Permission to query and read objects of type UserByIdentityQuery
+
+- /UserInterface/WorkflowFormByNameQuery/Query
+
+ Permission to query and read objects of type WorkflowFormByNameQuery
+
+- /UserInterface/WorkflowFormByWorkflowIdQuery/Query
+
+ Permission to query and read objects of type WorkflowFormByWorkflowIdQuery
+
+- /Workflows/Activity/Create
+
+**Permission to create objects of type Activity**
+
+- /Workflows/Activity/Delete
+
+**Permission to delete objects of type Activity**
+
+- /Workflows/Activity/Query
+
+ Permission to query and read objects of type Activity
+
+- /Workflows/Activity/Update
+
+**Permission to update objects of type Activity**
+
+- /Workflows/ActivityInstance/Query
+
+ Permission to query and read objects of type ActivityInstance
+
+- /Workflows/ActivityInstanceAspectsQuery/Query
+
+ Permission to query and read objects of type ActivityInstanceAspectsQuery
+
+- /Workflows/ActivityTemplate/Query
+
+ Permission to query and read objects of type ActivityTemplate
+
+- /Workflows/ActivityTemplateState/Query
+
+ Permission to query and read objects of type ActivityTemplateState
+
+- /Workflows/ActivityTemplateTransition/Query
+
+ Permission to query and read objects of type ActivityTemplateTransition
+
+- /Workflows/HistorizedResourceFileByWorkflowInstanceIdQuery/Query
+
+ Permission to query and read objects of type HistorizedResourceFileByWorkflowInstanceIdQuery
+
+- /Workflows/HomonymEntityLink/Create
+
+**Permission to create objects of type HomonymEntityLink**
+
+- /Workflows/HomonymEntityLink/Delete
+
+**Permission to delete objects of type HomonymEntityLink**
+
+- /Workflows/HomonymEntityLink/Query
+
+ Permission to query and read objects of type HomonymEntityLink
+
+- /Workflows/HomonymEntityLink/Update
+
+**Permission to update objects of type HomonymEntityLink**
+
+- 
/Workflows/UserActivityInstance/AssignedTo
+
+ Permission to update the actor on object of type UserActivityInstance
+
+- /Workflows/UserActivityInstance/ExpectedDate
+
+ Permission to update expected date on object of type UserActivityInstance
+
+- /Workflows/UserActivityInstance/Query
+
+ Permission to query and read objects of type UserActivityInstance
+
+- /Workflows/UserActivityInstanceCountQuery/Query
+
+ Permission to query and read objects of type UserActivityInstanceCountQuery
+
+- /Workflows/Workflow/Create
+
+**Permission to create objects of type Workflow**
+
+- /Workflows/Workflow/Delete
+
+**Permission to delete objects of type Workflow**
+
+- /Workflows/Workflow/Query
+
+ Permission to query and read objects of type Workflow
+
+- /Workflows/Workflow/Update
+
+**Permission to update objects of type Workflow**
+
+- /Workflows/WorkflowInstance/Query
+
+ Permission to query and read objects of type WorkflowInstance
+
+- /Workflows/WorkflowInstance/Resume
+- /Workflows/WorkflowInstance/Start
+- /Workflows/WorkflowInstance/Supervise
+
+**Permission to supervise objects of type WorkflowInstance**
+
+- /Workflows/WorkflowInstanceData/Query
+
+ Permission to query and read objects of type WorkflowInstanceData
diff --git a/docs/identitymanager/6.3/integration-guide/profiles-permissions/rightsrestriction/index.md b/docs/identitymanager/6.3/integration-guide/profiles-permissions/rightsrestriction/index.md
new file mode 100644
index 0000000000..9e19581c2d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/profiles-permissions/rightsrestriction/index.md
@@ -0,0 +1,145 @@
+---
+title: "Restrict Users' Rights"
+description: "Restrict Users' Rights"
+sidebar_position: 30
+---
+
+# Restrict Users' Rights
+
+This guide shows how to define rules to limit users' access rights, which is possible via several
+elements.
+
+## Overview
+
+Each UI element can be accessed only by the users who have a profile with the appropriate access
+rights.
+
+All of this page's examples are based on the following access rights to view the `Directory_User`
+entity type:
+
+```
+
+
+
+```
+
+## Assign a Profile Based on Users' Dimensions
+
+Assign a profile based on users' dimensions by proceeding as follows:
+
+1. Create the appropriate dimensions.
+
+ > The following example states two user criteria as dimensions: users' organizations and titles:
+ >
+ > ```
+ >
+ >
+ >
+ > ```
+
+ See the [Dimension](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md) topic for
+ additional information.
+
+2. Write profile rules and profile rule contexts to make the previously created dimensions act as
+ filters in rules meant to assign profiles to users.
+
+ > The following examples creates a rule assigning the `Manager` profile to specific users based
+ > on their organizations and titles, now that they both exist as dimensions:
+ >
+ > ```
+ >
+ >
+ >
+ > ```
+
+ The profile rule context must use a Sub-Binding to define the entity type that contains the
+ dimension information.
+
+ See the [Dimension](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md) topic for
+ additional information.
+
+## Limit an Entity's Visibility
+
+Limit an entity's visibility by proceeding as follows:
+
+1. Create at least one property group to gather a set of entity properties together.
+
+ > For example:
+ >
+ > ```
+ >
+ >
+ >
+ > ```
+
+ See the [Dimension](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md) topic for
+ additional information.
+
+2. 
Create an access control entity type to list all the properties whose visibility must be
+ restricted, and link them to a visibility group.
+
+ > For example:
+ >
+ > ```
+ >
+ >
+ >
+ > ```
+
+ As a result, all the properties listed in the access control entity type are hidden from users
+ by default when they have the usual permissions written above. See the
+ [Dimension](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md) topic for
+ additional information.
+
+ To be able to see these properties, a user must have these permissions with a full access.
+
+ > For example to give access to all properties:
+ >
+ > ```
+ >
+ >
+ >
+ > ```
+ >
+ > And to give access only to a property group:
+ >
+ > ```
+ >
+ >
+ >
+ > ```
+
+ When there is not any profile with a full access, then the visibility restriction is lifted and
+ all users can access the properties.
+
+## Limit a Profile's Permissions
+
+Limit a profile's permissions by using filters in the access control rule that give permissions to
+the profile.
+
+> For example to limit permissions based on a hardcoded value:
+>
+> ```
+>
+>
+>
+>
+>
+>
+>
+> ```
+>
+> And based on a dimension:
+>
+> ```
+>
+>
+>
+>
+>
+>
+>
+> ```
+
+See the [Dimension](/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md) topic for
+additional information.
diff --git a/docs/identitymanager/6.3/integration-guide/provisioning/argumentsexpression.md b/docs/identitymanager/6.3/integration-guide/provisioning/argumentsexpression.md
new file mode 100644
index 0000000000..05a77d5d8c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/provisioning/argumentsexpression.md
@@ -0,0 +1,86 @@
+---
+title: "Compute a Resource Type's Provisioning Arguments"
+description: "Compute a Resource Type's Provisioning Arguments"
+sidebar_position: 20
+---
+
+# Compute a Resource Type's Provisioning Arguments
+
+This guide gives examples to understand how to configure a resource type's `ArgumentsExpression` attribute to compute a resource type's provisioning arguments, for example the identifier of the workflow to launch, or the identifier of the record to copy.
+
+## Examples
+
+This option is used to use provisioning orders to compute useful arguments.
+
+Most standard situations use only one workflow per action type on a resource (addition, update, deletion). But in some more complex situations (like using multi records), several workflows are available for one type of action. As the configuration JSON file of an [InternalWorkflow](../../integration-guide/connectors/references-connectors/internalworkflow) connection cannot contain expressions, a resource type can be configured with the `ArgumentsExpression` attribute to explicit the arguments of provisioning orders, based on conditions and variables.
+
+The following example computes the identifier of the workflow to launch, based on the provisioning order as a variable (the returned value depends here mostly on the type of change):
+
+```
+
+```
+
+#### ResourceIdToCopy
+
+Now consider a record creation for a given identity, inside a multi-record organization. Suppose that records are defined by their position and location, while other properties are the same for all records (usually the identity's personal data like the name and birth date). When creating a new record for an existing identity, you will want to copy an existing record from the database to modify only the values specific to the new record.
+ +The following example computes the identifier of the record to copy, if the identity has already any: + +``` +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); + + if (resources.Any()) { + arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); + } +} + +**return arguments;" />** +``` + +## Attributes Provided by Usercube + + | Name | Details | + | --- | --- | + | ProvisioningOrder.ChangeType | **Type** String **Description** Action of the provisioning order. | + +## Methods Provided by Usercube + + | Name | Details | + | --- | --- | + | IsNone | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsNone() **Description** `True` when the provisioning order demands no change. **Note:** this method can be used only on `ChangeType`. | + | IsAdded | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsAdded() **Description** `True` when the provisioning order demands a resource addition. **Note:** this method can be used only on `ChangeType`. | + | IsUpdated | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsUpdated() **Description** `True` when the provisioning order demands a resource update. **Note:** this method can be used only on `ChangeType`. | + | IsDeleted | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsDeleted() **Description** `True` when the provisioning order demands a resource deletion. **Note:** this method can be used only on `ChangeType`. | + | HasChanged | **Type** Boolean **Usage** provisioningOrder.HasChanged("PropertyName") **Description** `True` when the provisioning order demands a change on a given property. | + | TryGetScalar | **Type** Boolean **Usage** provisioningOrder.TryGetScalar("PropertyName", out var myChange) **Description** `True` when `PropertyName` is a scalar property whose value is changed by the provisioning order. `myChange` takes the new value of `PropertyName` changed by the provisioning order. 
|
+ | TryGetAddedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetAddedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property to which new values are added by the provisioning order. `myChanges` takes the list of values of `PropertyName` added by the provisioning order. |
+ | TryGetRemovedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetRemovedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property from which some values are removed by the provisioning order. `myChanges` takes the list of values of `PropertyName` removed by the provisioning order. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/provisioning/how-tos/argumentsexpression.md b/docs/identitymanager/6.3/integration-guide/provisioning/how-tos/argumentsexpression.md
new file mode 100644
index 0000000000..c2534c9409
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/provisioning/how-tos/argumentsexpression.md
@@ -0,0 +1,80 @@ +# Compute a Resource Type's Provisioning Arguments + +This guide gives examples to understand how to configure a resource type's `ArgumentsExpression` attribute to compute a resource type's provisioning arguments, for example the identifier of the workflow to launch, or the identifier of the record to copy. + +## Examples + +This option is used to use provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, deletion). But in some more complex situations (like using multi records), several workflows are available for one type of action. As the configuration JSON file of an [InternalWorkflow](../../../integration-guide/connectors/references-connectors/internalworkflow) connection cannot contain expressions, a resource type can be configured with the `ArgumentsExpression` attribute to explicit the arguments of provisioning orders, based on conditions and variables. + +The following example computes the identifier of the workflow to launch, based on the provisioning order as a variable (the returned value depends here mostly on the type of change): + +``` + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. Suppose that records are defined by their position and location, while other properties are the same for all records (usually the identity's personal data like the name and birth date). When creating a new record for an existing identity, you will want to copy an existing record from the database to modify only the values specific to the new record. 
+ +The following example computes the identifier of the record to copy, if the identity has already any: + +``` +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); + + if (resources.Any()) { + arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); + } +} + +**return arguments;" />** +``` + +## Attributes Provided by Usercube + + | Name | Details | + | --- | --- | + | ProvisioningOrder.ChangeType | **Type** String **Description** Action of the provisioning order. | + +## Methods Provided by Usercube + + | Name | Details | + | --- | --- | + | IsNone | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsNone() **Description** `True` when the provisioning order demands no change. **Note:** this method can be used only on `ChangeType`. | + | IsAdded | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsAdded() **Description** `True` when the provisioning order demands a resource addition. **Note:** this method can be used only on `ChangeType`. | + | IsUpdated | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsUpdated() **Description** `True` when the provisioning order demands a resource update. **Note:** this method can be used only on `ChangeType`. | + | IsDeleted | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsDeleted() **Description** `True` when the provisioning order demands a resource deletion. **Note:** this method can be used only on `ChangeType`. | + | HasChanged | **Type** Boolean **Usage** provisioningOrder.HasChanged("PropertyName") **Description** `True` when the provisioning order demands a change on a given property. | + | TryGetScalar | **Type** Boolean **Usage** provisioningOrder.TryGetScalar("PropertyName", out var myChange) **Description** `True` when `PropertyName` is a scalar property whose value is changed by the provisioning order. `myChange` takes the new value of `PropertyName` changed by the provisioning order. 
|
+ | TryGetAddedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetAddedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property to which new values are added by the provisioning order. `myChanges` takes the list of values of `PropertyName` added by the provisioning order. |
+ | TryGetRemovedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetRemovedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property from which some values are removed by the provisioning order. `myChanges` takes the list of values of `PropertyName` removed by the provisioning order. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/provisioning/index.md b/docs/identitymanager/6.3/integration-guide/provisioning/index.md
new file mode 100644
index 0000000000..b7bf803ad5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/provisioning/index.md
@@ -0,0 +1,12 @@
+---
+title: "Provisioning"
+description: "Provisioning"
+sidebar_position: 60
+---
+
+# Provisioning
+
+See how to anticipate changes due to provisioning thanks to [Thresholds](../../integration-guide/provisioning/prov-thresholds).
+
+See how to implement and perform [Provision](../../user-guide/administrate/provisioning).
+
diff --git a/docs/identitymanager/6.3/integration-guide/provisioning/prov-thresholds.md b/docs/identitymanager/6.3/integration-guide/provisioning/prov-thresholds.md
new file mode 100644
index 0000000000..f128c7b6b5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/provisioning/prov-thresholds.md
@@ -0,0 +1,30 @@
+---
+title: "Thresholds"
+description: "Thresholds"
+sidebar_position: 10
+---
+
+# Thresholds
+
+Thresholds are essential safety guards controlling all changes, for example preventing the overwriting of important data by mistake.
+
+Thresholds are by default activated to warn users when synchronization or provisioning triggers too many modifications. If the number of modifications exceeds the specified threshold, Identity Manager stops the synchronization/provisioning and displays a warning on the log page.
+
+Thresholds can be deactivated via the value `0`, though **they should not all be**. Each action must be "guarded" by at least one threshold.
+
+Once the changes have been reviewed, the blocked job can be resumed (or not). See the [Synchronize Data](../../user-guide/set-up/synchronization) topic for additional information.
+
+## Thresholds for Provisioning
+
+Provisioning thresholds can be configured in XML files via [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) to count the number of resources impacted by provisioning inside a given resource type. These thresholds impact the generation of provisioning orders. They are configured with:
+
+ | Absolute Threshold | Relative Threshold |
+ | --- | --- |
+ | `MaximumDelete` | `MaximumDeletePercent` |
+ | `MaximumInsert` | `MaximumInsertPercent` |
+ | `MaximumUpdate` | `MaximumUpdatePercent` |
+
+All thresholds are active. Therefore, the **lowest** threshold (according to the specific situation) would be the first to stop the generation of provisioning orders.
+
+Distinct [Thresholds](../../integration-guide/synchronization/synchro-thresholds) are configurable for synchronization.
+
diff --git a/docs/identitymanager/6.3/integration-guide/resources.md b/docs/identitymanager/6.3/integration-guide/resources.md
new file mode 100644
index 0000000000..59ed8174c0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/resources.md
@@ -0,0 +1,33 @@
+---
+title: "Resources"
+description: "Resources"
+sidebar_position: 20
+---
+
+# Resources
+
+Identity Manager stores managed systems' data and identities as resources within a resource repository.
+
+## Resource Repository
+
+The source of truth for the engine is the data from external sources that are copied into Identity Manager's database. This persisted set of data, called _resources_, is stored in the **Resource Repository**. See the [Upward Data Synchronization](../integration-guide/synchronization/upward-data-sync) topic for additional information.
+
+The repository keeps a full history of all the changes performed to the resources. It is hence possible to retrieve a resource's value at a given date or what has been changed over a period.
+
+Resources can be added to the resource repository from one of four ways:
+
+1. Input data directly from the applicative configuration. This is useful for a very limited amount
+of data. This is very often used for debugging or testing, less often in production. See the [Toolkit for XML Configuration](../integration-guide/toolkit) topic for additional information.
+2. Input data from the UI. This requires configuring the UI and is the most straightforward way for
+a reasonable amount of data. This is often used to input reference data that is not in the managed systems, or for which no source of truth exists.
+3. Load data from a CSV file. This is how data from managed systems are loaded most of the time. See
+the [Upward Data Synchronization](../integration-guide/synchronization/upward-data-sync) topic for additional information. Any reference of identity data can be loaded into Identity Manager using CSV files. This is useful if the target organization already possess such files or can produce them easily.
+4. Compute new resources from existing resources. This can be achieved by using the provisioning
+tools in a very specific way that is called _internal_ provisioning.
This is often used to create the reference data from managed systems.
+5. Insert data directly in the `UR_Resource` table from SQL queries. This is not very safe and
+requires a great deal of expertise.
+
+When using methods 1. and 5., make sure to choose, for new resources, an `Id` that is not yet used for another resource in the database. Only use positive integer `Id`s for resource-identity (that is, the resource to which you plan on assigning roles). See the [Entitlement Assignment](../integration-guide/role-assignment/assignments-of-entitlements) topic for additional information.
+
+Resources need a model: the entity model.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/assignment-dates.md b/docs/identitymanager/6.3/integration-guide/role-assignment/assignment-dates.md
new file mode 100644
index 0000000000..0d2986f5ff
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/assignment-dates.md
@@ -0,0 +1,25 @@
+---
+title: "Assignment Dates"
+description: "Assignment Dates"
+sidebar_position: 20
+---
+
+# Assignment Dates
+
+Entitlements can be assigned to users manually or automatically, but not on any time period. See the [Entitlement Assignment](../../integration-guide/role-assignment/assignments-of-entitlements) topic for additional information.
+
+## For Manual Assignments
+
+During the manual assignment of an entitlement, i.e. role or resource type, to a user, the start and end dates of the entitlement must follow simple rules:
+
+- the start date cannot be earlier than the earliest start date in all records of the user;
+- the end date cannot be later than the latest end date in all records of the user.
+
+This means that requesting an entitlement without any start/end dates will actually assign the entitlement from the records' earliest start date to the latest end date.
+
+An entitlement cannot be requested with a start date earlier than today's date. But when requesting a role with an end date later than the records' latest end date, then the role will be assigned with its end date equal to the records' latest end date.
+
+## For Automatic Assignments
+
+The start and end dates of any automatic assignment are based on the dates from the [Context Rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule)defined for the identities.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/assignments-of-entitlements.md b/docs/identitymanager/6.3/integration-guide/role-assignment/assignments-of-entitlements.md
new file mode 100644
index 0000000000..15afa60d6c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/assignments-of-entitlements.md
@@ -0,0 +1,152 @@
+---
+title: "Entitlement Assignment"
+description: "Entitlement Assignment"
+sidebar_position: 10
+---
+
+# Entitlement Assignment
+
+Assigning entitlements means giving users specific permissions, or access rights, etc.
+
+## Overview
+
+As Identity Manager relies on a [**role**-based](https://en.wikipedia.org/wiki/**role**-based_access_control) assignment policy, entitlement assignment is simply **role** assignment. See the [**role** Model](../../integration-guide/role-model)topic for additional information.
+
+So once a user is assigned a **role**, Identity Manager must make the right changes in the managed system(s) to actually enable the corresponding permission. The values to be changed in the managed systems are specified in **provisioning orders**.
+
+Hence, an entitlement assignment is both the result of the execution of a provisioning order, and the enablement of an access right.
+
+## **Automatic** vs. **Manual**
+
+Within Identity Manager, assignments can be created automatically, or can result from **Manual** requests.
+
+**Automatic** assignments are created by Identity Manager when evaluating the policy, i.e. when computing **expected assignments** based on existing users and the policy's roles and rules. See the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) topic for additional information. **Automatic** assignments can:
+
+- Result directly from the application of assignment rules on identities. See the
+[Assignment Policy](../../integration-guide/role-model/role-model-rules)topic for additional information.
+- Be inferred and cascading from another assignment.
+
+**Manual** assignments and degradations are on the other hand, need to be requested individually through the UI.
+
+## Assignments' Approval Workflow
+
+Some entitlements require the approval of one or several knowledgeable users before actually being assigned. This is standard procedure in many security-concerned organizations.
+
+:::note
+ This is configurable through the **role**'s or resource type's approval workflow type. See the [Single **role**](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) topic for additional information.
+:::
+Each step of the approval workflow is associated with a workflow state, so that all assignments can be tracked and it is clear what step they are at.
+
+The same approval workflow is used for requests to add or remove roles.
+
+For example, Ms. Jackson requests for Mr. Smith the single **role** Server Room Access which has a two-step approval workflow:
+
+- At the end of the workflow, the assigned **role** has the workflow state **Requested**.
+- Once the assignment is processed, the workflow state switches to **Pending Approval** 1/2.
+- Once a reviewer approves the assignment, the state switches to **Pending Approval** 2/2 (and if
+the reviewer declined the assignment, the state would switch to **Declined**).
+- Once a second reviewer approves the assignment, the stat switches to **Approved** and the
+assignment is finally effective.
+
+### **provisioning state**
+
+In addition to the workflow state that represents an assignment's progress in the approval workflow, any assignment also has a **provisioning state** to represent its progress in its lifetime from creation in the database to provisioning to the managed system and to its eventual deletion.
+
+:::note
+ Contrary to the workflow state that concerns all assignments, the **provisioning state** is only about the assignments that need provisioning.
+:::
+For example, roles exist only in Identity Manager and not in the managed systems, so assigned roles do not have a **provisioning state**, unlike assigned resource types, scalars and navigation, etc.
+
+![**provisioning state** Schema](/images/identitymanager/prov_stateschema_v523.webp)
+
+The schema sums up the usual progress of an assignment's **provisioning state**.
+
+For example, once Mr.
Smith's **role** has completed the approval steps, we expect the provisioning of a navigation property:
+
+- It is not yet ready for provisioning because we decided to add a provisioning review by a
+knowledgeable user because it is a sensitive permission, so the assigned resource navigation has the **Awaiting Approval** **provisioning state**.
+- Once a reviewer approves the assignment, the **provisioning state** switches to **Pending**.
+- Once **provisioning orders** are computed and transmitted to the agent, the state switches to
+**Transmitted**.
+- Once the agent confirms that the related order is executed, the state switches to **Executed**.
+- Once synchronization validates the consistency of the provisioned value with the policy, the state
+finally switches to **Verified**.
+
+Assignments whose **provisioning orders** are blocked because they are **Awaiting Approval** are to be reviewed on the **Provisioning Review** screen.
+
+## **non-conforming assignments**
+
+Once a policy is configured with all its rules and roles, Identity Manager can combine it with user information in order to determine the **expected assignments**, i.e. the list of all assignments that comply with the policy.
+
+On the other hand, via synchronization Identity Manager can read the **existing assignments**, i.e. the list of all assignments that actually exist in the managed systems.
+
+Technically speaking, Identity Manager creates entitlements in the managed systems, and "translates" them into **role** model language. In other words, Identity Manager create assignments based on the entitlements found in the systems.
+
+A simple comparison between these two lists defines the **non-conforming assignments**, i.e. the list of all assignments that **do not comply** with the policy.
+
+![**non-conforming assignments**](/images/identitymanager/governance_nonconforming.webp)
+
+A **non-conforming** assignment must be reviewed in Identity Manager by a knowledgeable user, and is therefore:
+
+- Removed if Identity Manager correctly spotted it and the owner should indeed not possess this
+permission;
+- Kept as an **exception** if the configured rules do not apply to this particular case.
+
+:::note
+ **non-conforming assignments** are to be reviewed on the ****role** Reconciliation** and/or **Resource Reconciliation** screens. See the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+:::
+**non-conforming assignments** can still be split into two categories:
+
+- **pre-existing** when they are found during the very first synchronization because they existed before
+Identity Manager's implementation;
+- Simply **non-conforming** when they are found later.
+
+For example, consider a (navigation) rule stating that the QuickBooks Level 1 Access **role** entitles its owner to the Active Directory QuickBooks group membership, that enables them to access the organization accounting balance information through QuickBooks.
+
+Now, let's say synchronization finds the Active Directory QuickBooks group membership for Mr. Smith's Active Directory account. The trouble is, Mr. Smith digital identity has not bee assigned the QuickBooks Access **role**: this is an inconsistency.
+
+In order to fix the inconsistency, Identity Manager creates the assignment of this **role** to Mr. Smith to be reviewed by a knowledgeable user who can determine whether the assignment is legitimate or results from a mistake.
+
+### Review automation
+
+Identity Manager provides automation rules to automate the review of **non-conforming assignments** by automatically approving/declining assignments that were pending approval for some time, if this behavior is desired.
See the [Automate the Review of **non-conforming assignments**](../../user-guide/optimize/non-conforming-assignment-review-automation) topic for additional information.
+
+For example, the single **role** Server Room Access is requested for Mr. Smith, with a two-step approval workflow. Ms. Jackson is supposed to review it, and then Mr. Jones. If Ms. Jackson takes too long, an automation can approve it, or most likely decline it, automatically. This way, the approval process ends and will need to be restarted at a later date if the need is genuine.
+
+## Resource Type Assignments
+
+Resource types are not as intuitive as roles because they are more complex and subtle. Assigning a resource type materializes:
+
+- The creation of a resource, usually an account, in the managed system;
+- The creation of scalar and navigation properties for this new resource;
+- The categorization of the created resource, which means both the **correlation** of the resource to an
+owner, and the **classification** of the resource into a specific type with specific rules between owner and owned resources. See the [Categorize Resources](../../user-guide/set-up/categorization) topic for additional information.
+
+### Reconciliation
+
+Just like any other assignment, a resource type assignment can be **non-confirming** when the resource's existence or its values **do not comply** with the policy.
+
+For example, a SAP account is found for a user who should not have one according to the **role** model's rules.
+
+:::note
+ An account can also be an **orphan** when it is found in the managed system, but no owner could be correlated.
+:::
+### Consolidated states
+
+A resource type assignment also has consolidated workflow and provisioning states to represent the progress of the resource's scalar and navigation assignments.
+
+Same as previously, the consolidated **provisioning state** represents the provisioning progress of the resource type assignment together with its nested scalar/navigation assignments.
+
+The **consolidated workflow state** represents the provisioning progress of the resource type assignment together with its nested scalar/navigation assignments, and it is described by the following values:
+
+- ConsolidatedWorkflowReviewState represents the progress in the approval workflow for a **Manual**
+assignment;
+
+:::note
+ Except for very technical use cases, resource types should not be requested manually, they should only be inferred by a **role** and thus assigned automatically.
+:::
+- ConsolidatedWorkflowBlockedState indicates whether one or more of the nested scalars/navigations
+are blocked;
+- ConsolidatedWorkflowFoundState indicates whether one or more of the nested scalars/navigations are
+stated as **non-conforming** or **pre-existing**.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/configureindirectpermissions.md b/docs/identitymanager/6.3/integration-guide/role-assignment/configureindirectpermissions.md
new file mode 100644
index 0000000000..d451f581b5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/configureindirectpermissions.md
@@ -0,0 +1,127 @@
+---
+title: "Configure Indirect Permissions"
+description: "Configure Indirect Permissions"
+sidebar_position: 80
+---
+
+# Configure Indirect Permissions
+
+The following how-to assumes that you have already read the topic on [Indirect Permissions](../../integration-guide/role-assignment/indirectpermissions).
+
+## Configure Indirect Permissions in an Active Directory
+
+### Configure an indirect resource rule
+
+Configuring an Indirect Resource Rule in the Identity Manager Configuration is the only step needed to set up Indirect Permissions and can be done by answering the following questions:
+
+- What is the target Entity Type? There are multiple multiple Entity Types but for this example we
+will choose `AD User (nominative)`. Another rule can be written if you want to handle Indirect Permissions for `AD User (administration)`.
+- Which permissions can be obtained transitively in the Active Directory? Users get permissions by
+being members of a group. The property is `memberOf`.
+- Do we want to look for correspondences in another system? Here, we do not want to. This also means
+that `Correspondence`, `CorrespondenceMembershipProperty`, and `Entitlement` will remain blank.
+
+Finally, if we compile all this information and using the naming of the standard Identity Manager Demo, we get the following Indirect Resource Rule:
+
+```
+
+````
+
+
+After adding this rule to the Configuration, do not forget to deploy the configuration.
+
+### Set up a test user
+
+The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles.
+
+![Group Membership Schema](/images/identitymanager/indirectpermissionsadexample.webp)
+
+A running Active Directory instance is required to reproduce these steps yourself.
+
+#### Edit the Active Directory
+
+Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB```. Then add ```TestGroupA``` as a member of ```TestGroupB```. Finally add a test user as a member of ```TestGroupA```. The test user can be any existing user in the AD that is known by Identity Manager.
+
+#### Prepare Identity Manager
+
+Since we have manually edited the Active Directory, we first need to run an AD synchronization job.
+Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, :
+
+![Single Role Configuration Example](/images/identitymanager/srconf_5.2.1.webp)
+
+We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```:
+
+![Composite Role Configuration](/images/identitymanager/crconf_5.2.1.webp)
+
+Then we will also need to add some rules. We first need to add one Navigation Rule for each group to link them with their respective Single Role:
+
+![Navigation Rule Example](/images/identitymanager/navrule_5.2.1.webp)
+
+And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role:
+
+![Single Role Rule Example](/images/identitymanager/srrule_5.2.1.webp)
+
+Even if two rules of a kind are needed, only one is pictured. Do not forget the other one.
+
+#### Indirect permission display
+
+After running a [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask), Indirect Permissions should now appear for your test user.
+
+The next screenshots were taken after adding the direct assignment directly inside the Active Directory. As such, the direct permission is also flagged as ```Non-conforming```.
+
+If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```:
+
+![View Permissions Simplified](/images/identitymanager/viewpermissionssimplified_5.2.1.webp)
+
+To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear:
+
+![View Permissions Advanced](/images/identitymanager/viewpermissionsadvanced_5.2.1.webp)
+
+You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. The ```memberOf``` properties will appear in the list:
+
+![AD Assigned Resource Navigations](/images/identitymanager/adassignednavigations_5.2.1.webp)
+
+## Configure Indirect Permissions in an Microsoft Entra ID
+
+We can follow the same steps to configure this new rule:
+
+- What is the target Entity Type?
+ Once again, we will configure a rule for nominative users. The Entity Type is ```MicrosoftEntraID_DirectoryObject_NominativeUser```.
+- Which permissions can be obtained transitively in the Microsoft Entra ID (formerly Microsoft Azure AD)?
+ Users get permissions by being members of a group. The property is ```memberOf```.
+- Do we want to look for correspondences in another system?
+ Here, we do not want to (it is possible, but it is not the aim of this How-To).
+ This also means that ```Correspondence```, ```CorrespondenceMembershipProperty```, and ```Entitlement``` will remain blank.
+
+Finally, if we compile all this information and using the naming of the standard Identity Manager Demo, we get the following Indirect Resource Rule:
+
+ ```
+
+
+
+````
+## Configure Indirect Permissions in SharePoint using Correspondences from an Microsoft Entra ID
+
+We can follow the same steps to configure this new rule, but this time we will showcase the correspondence feature:
+
+- What is the target Entity Type? We first start in the Microsoft Entra ID.
Once again, we will
+configure a rule for nominative users. The Entity Type is `MicrosoftEntraID_DirectoryObject_NominativeUser`.
+- Which permissions can be obtained transitively in the Microsoft Entra ID? Users get permissions by
+being members of a group. The property is `memberOf`.
+- Do we want to look for correspondences in another system? Yes, we want to find correspondences in
+SharePoint. A correspondence can be found using the `SharePointObject` property.
+- Which permissions can be obtained transitively in SharePoint? Once again, users get permissions
+based on which groups they are a member of. The property capturing this notion for SharePoint entities is `Group`
+- Is being member of a group in SharePoint the type of permissions that we want to capture? While
+this can be computed, we are rather interested in compiling which SharePoint objects a user can view/change/etc. We obtain this information using the `Entitlement` property.
+
+Finally, if we compile all this information and use the naming convention of the standard Identity Manager Demo, we get the following Indirect Resource Rule:
+```
+
+
+
+```
+This rule will also compute indirect permissions for the Microsoft Entra ID.
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/conformingassignmentcomputation.md b/docs/identitymanager/6.3/integration-guide/role-assignment/conformingassignmentcomputation.md
new file mode 100644
index 0000000000..921ce4f3e8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/conformingassignmentcomputation.md
@@ -0,0 +1,100 @@
+---
+title: "Conforming Assignments"
+description: "Conforming Assignments"
+sidebar_position: 90
+---
+
+# Conforming Assignments
+
+The [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) is able to compute, for a given identity, the appropriate assignments.
+
+If you are interested in a detailed description of the actual Compute Role Model task algorithm, please refer to the Reference documentation. This article focuses more on the design decisions and the underlying philosophy of the process.
+
+## Overview
+
+This is how Identity Manager solves the identity lifecycle issue.
+
+> **FAQ**: During onboarding, moving, offboarding, how can we make sure that an identity has the
+> appropriate assignments?
+> What are the appropriate assignments?
+
+They are a trade-off between having enough assignments to work efficiently but not too many as to pose a security threat.
+
+Choosing the appropriate assignments is a science as much as an art. Identity Manager helps formalize decision rules to make them more efficient. But talking about assignments and their provisioning requires the appropriate language.
+
+## Roles
+
+> **FAQ**: What does assigning an entitlement means?
+
+In a target application, it is granting an account membership for a group, changing a person's clearance level, adding an authorized account to the access control list of a resource, etc.
+
+Performing an assignment requires a great deal of knowledge about the inner mechanisms of the target authorization mechanism. That makes talking about entitlement even more complicated. Am I talking about a group, a resource's access control list, a clearance level?
+
+Identity Manager here aims at:
+
+- Making every assignment decision more intentional.
+- Making automation of those assignment decisions possible.
+
+For these goals, Identity Manager hides this complexity behind an ubiquitous language, using a widely known model: RBAC. In the end, talking about entitlements is talking about roles. No more multiple obscure authorization mechanisms.
+
+This makes thinking about entitlements within Identity Manager easy. The provisioning issues stay out of the way, and all the energy can be focused on designing the perfect assignment policy.
+
+The appropriate model also helps formalizing rules that can be used for automation.
+
+## Dimensions
+
+Assignment decisions for a user are always made based on the user's needs and legitimacy.
+
+> **FAQ**: Are employees working on tasks that need this assignment? Are they senior enough to have
+> that responsibility?
+
+The basis for an assignment decision can be seen as a set of "identity attributes" that represent the place of the employee in the organization.
+
+We can formalize these "identity attributes", on which informal assignment decisions are made, by translating them into dimensions. Identity Manager's dimensions are exactly that: key criteria, on which assignment decisions are based.
+
+Just as roles, dimensions are a fundamental piece of the puzzle. Choosing dimensions forces users to sit down and really think about what really motivates assignment decisions in the organization. It is going to help with automation but it is also going to help come up with better decision rules, and hence improve the overall security of the organization. Assignment rules naturally flow from dimensions and roles.
+
+## Rules
+
+> **FAQ**: Do all employees working on a given task have the entitlements they need?
+
+Roles and dimensions are the basis for a language that enables users to formalize, in a very explicit way, the assignment policy: who should get what entitlement. Dimensions are criteria for decisions and roles are the result of a decision. We are now only missing the rules that map criteria to roles.
+
+Those are the assignment rules: single role rules and composite role rules.
+
+Writing the assignment policy actually becomes very easy. Once dimensions and roles are identified, assignment rules become obvious.
+
+The last difficulty is provisioning those assignments.
+
+## Provisioning
+
+> **FAQ**: Is the data from the target application complying with the rules created earlier?
+
+Translating roles into provisioning orders is finding out how the target application should be changed to satisfy the assignments. This is where the technical complexity that was hidden by the role, should be written. Authorization mechanisms map so well to RBAC that provisioning mechanisms naturally flow from the roles.
+
+Provisioning mechanisms all follow this pattern:
+
+1. Start with the **identity**.
+2. Find the resource in the target application that should be updated to satisfy the assignment
+requirement. It is often an account. That's the **correlation**.
+3. Compute the value of the data that should be updated in the target resource. That's
+**provisioning rules**.
+
+One last point to consider is that provisioning rules and correlation sometimes depend on the type of resource we are handling. Authorization mechanisms often discriminate between resources, depending on their relevance for security. We might need specific provisioning rules to enforce this difference.
+
+The resource type materializes the classification of resources of the same application into categories relevant from a security point of view. As a bonus, classifying resources help with governance.
+
+## The Role Model
+
+> **FAQ**: What is the role model in a nutshell?
+
+Dimensions, roles, assignment rules, resource type, provisioning rules.
+
+You start with dimensions. From there, roles are deduced from assignment rules. They are translated to provisioning orders, following scalar rules and correlation rules and resource types.
+
+## When There Are No Rules
+
+If you're not comfortable yet with writing rules that automatically assign roles, you can skip dimensions and start this whole process from roles.
+
+You can assign roles manually to users and still benefit from hiding the provisioning complexity inside roles, and have a good basis for writing down your assignment policy.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/evaluate-policy.md b/docs/identitymanager/6.3/integration-guide/role-assignment/evaluate-policy.md
new file mode 100644
index 0000000000..495ca0bea0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/evaluate-policy.md
@@ -0,0 +1,364 @@
+---
+title: "Evaluate Policy"
+description: "Evaluate Policy"
+sidebar_position: 40
+---
+
+# Evaluate Policy
+
+Evaluate Policy is the core algorithm of the assignment policy. See the [Assignment Policy](../../integration-guide/role-model/role-model-rules) topic for additional information.
+
+The algorithm is applied by the server to a resource. It has the following responsibilities:
+
+- Enforcing the assignment rules: the algorithm outputs a list of **expected assignments** for the input
+resource
+- Evaluating risks
+- Managing assignment lifecycle: updating provisioning states
+- Purging expired assignments
+
+See the [Risk Management](../../integration-guide/governance/risks) topic for additional information.
+
+## Overview
+
+![Evaluate Policy Overview](/images/identitymanager/evaluate-policy-1.webp)
+
+The main responsibility of the Evaluate Policy is to compute, for every fed resource, the set of assignments of entitlements that comply with the assignment policy.
+
+That set is composed of roles that **should be** assigned to the resource and of scalar and navigation assignments that **should exist** for that resource as an **owner**. The latter are in fact values of target resource properties to fulfill from that resource fed in the algorithm. Those assignments are referred to as the **expected assignments**. Manual assignments and derogations are included as well, as they become rules within the assignment policy.
+
+Evaluate Policy also identifies the **existing assignments**. They represent the actual assignments read (or more accurately, deduced) from the managed systems' resources.
+
+Finally, the **Differences** between the **existing assignments** and the **expected assignments** are computed. As a result, a set of non-conforming assignments is revealed, to be fixed by provisioning or validated as derogations.
+ +Later, provisioning orders are edited, validated by a knowledgeable user and sent to the agent for connectors to fulfill and fix the **Differences**. + +Evaluate Policy is executed by the task `Usercube-Compute-RoleModel`, usually included in a regularly scheduled provisioning job. + +See the [Connectors](../../integration-guide/connectors), [Compute **role** Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask), and [Jobs](../../integration-guide/tasks-jobs/jobs) topics for additional information. + +## The Algorithm Steps + +**Step 1 –** **Select resources** from the resource repository, all the relevant properties for every resource. + +This includes: + +- Attribute values of the resource itself; +- Attribute values of the resources pointed to by a navigation property from the current resource; +- All **existing assignments** for these resources and their properties such as provisioning state and +workflow state; +- Every property of the source resource, if the resource is a target in an **owner**/target +relationship; +- Every property of the target resource, if the resource is an **owner** in an **owner**/target +relationship; + +Extracting and computing, in an acceptable amount of time, such a load of data is no trivial matter. + +The number of resources to consider is of the order of 100 000 entries for a system managing 10 000 identities among 4 managed systems. + +To improve execution time, two optimizations are used: + +- Identity Manager uses +[batching](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching) to perform the database request. The `SELECT` query is divided into sets of smaller queries called **batches**. The size of a batch is configurable in the Identity Manager-Compute-RoleModel, with the `BatchSelectSize` attribute. +- Identity Manager only selects resources for which a new assignment computation is needed. 
They are +resources updated during the last incremental synchronization, and resources that depend on them. They are identified by the dirty flag, set during incremental synchronization. See the [Upward Data Synchronization](../../integration-guide/synchronization/upward-data-sync) topic for additional information. + +:::note + For very few edge cases, dependencies between resource values can be difficult to identify within Identity Manager. An example involves entity property expressions using [LINQ](https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/linq/) syntax. See the [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype)topic for additional information. A second- or third-order binding used in such an expression actually defines a dependency. But Identity Manager does not account for it, because of performance-reliability trade-offs. That means a resource `R1`, using such an expression to compute one of its properties values from another resource `R2` property value, might not be updated even if `R2` has been updated by incremental synchronization. This too can be fixed by using complete synchronization once a day. +::: +**Step 2 –** **Compute **expected assignments**** + +The second step is building the expected assignment list by applying the assignment rules to the input resource. + +This step builds a list, from scratch, of every expected assignment, both **role** assignments and assignments issued from **provisioning rules**. + +The list contains: + +- **automatic** assignments, **inferred** from context-based rules +- **automatic** assignments, **inferred** from other assignments, according to **role**-based rules +- Manual assignments previously created and derogations previously validated +- Assignments updated by an automation rule. See the +[Automation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/automationrule) topic for additional information. 
+
+To build the list, the algorithm first goes through composite **role** rules, single **role** rules, resource type rules, navigation rules, and applies them in that order. See the [Composite **role** Rule](../../integration-guide/toolkit/xml-configuration/provisioning/compositerolerule), [Single **role** Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule), and [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topics for additional information. This takes care of **automatic** assignments. Every step influences the following one: single roles can be **inferred** from composite roles that have just been assigned by a reviewer or an automation rule for example.
+
+Then, manual assignments and derogations are added to the **expected assignments** list. They are extracted from the database, where they were saved after being added from the UI or validated through the UI, and are considered part of the **role** model. Manual assignments are identified by the Approved workflow state. Derogations are identified by the Found and Historic workflow states.
+
+**role** assignments as derogations are displayed to the end-user for confirmation in the **role** Reconciliation screen. As long as they are not denied, they are considered a part of the **role** model and will not be considered as a non-conforming difference to be fixed by provisioning. They are deduced from actual resources and resource values found in the managed system, that do not comply with the assignment rules, and are displayed in the Resource Reconciliation screen.
+
+Let's detail the rule enforcement mechanisms.
+
+**Match context rules**
+
+Dimensions are really the **basis** of an assignment process. See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+Before starting, a context rule is applied, giving for the input resource:
+
+- The dimension values
+- The time period validity of every assignment computed during this Evaluate Policy iteration
+
+![Computing Context For Input Resource](/images/identitymanager/enforce-context.webp)
+
+**Computing expected **role** assignments**
+
+**role** assignments, on the other hand, are the **outcome** of the assignment process. See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+**role** assignments are the output of composite **role** rules and single **role** rules enforcement. The **outcome** of those rules, as assigned composite roles and assigned single roles, is conditioned by the input resource's context. They are the image of the status of trust and privilege granted to a resource-identity.
+
+![Computing Expected **role** Assignments](/images/identitymanager/compute-expected-1.webp)
+
+**Enforcing composite **role** rules**
+
+The first rules that are enforced are the composite **role** rules. See the [Composite **role** Rule](../../integration-guide/toolkit/xml-configuration/provisioning/compositerolerule)topic for additional information.
+
+For every selected resource, this step enforces composite **role** rules. That means **assigning** a specific composite **role** to the input resource, based on its **context's dimension values**. This new assignment is materialized into a new object called an assigned composite **role**, stored in the `UP_AssignedCompositeRoles` table. The resource becomes the **owner** of the assigned composite **role**.
+
+Manual and derogatory assignments of composite roles found in the database are also added to the **expected assignments** list.
+
+Then automation rules are enforced on assigned composite roles. See the [Automation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/automationrule) topic for additional information.
+ +:::note + **Enforcing automation rules on an assignment** means to find, for each assignment, the matching automation rule, looking at the last review or the creation date, comparing it to the time defined in the rule and, if needed, apply the rule decision that may approve or decline the assignment. +::: +**Enforcing single **role** rules** + +Then, single **role** rules are enforced. That means **assigning** a specific single **role** to the input resource based on its context and existing assigned composite roles, i.e. the composite roles currently assigned to the resource. Both assigned composite roles freshly created by enforcing composite **role** rules and those already in the database are taken into account. In the former case, single roles created are said to be **inferred**. + +This is materialized into a new object called an assigned single **role**, stored in the UP_AssignedSingleRoles table. The resource becomes the **owner** of the assigned single **role**. + +Manual and derogatory assignments found in the database of single roles are also added to the **expected assignments** list. + +Then automation rules are enforced on assigned single roles. + +**Expected provisioning assignments** + +Fulfillment is just the **consequence** of the **role** assignment process. See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information. + +Provisioning-orders-to-be are the output of resource type rules, navigation rules and scalar rules. The **outcome** of those rules, as assigned resource types, assigned resource navigation, and assigned resource scalar is conditioned by the input resource assigned roles, issued during the first expected **role** assignments computation or even earlier. They are the exact image of technical provisioning orders that are to be executed by the agent, after being validated by a knowledgeable user. 
See the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information. + +![Computing Expected Provisioning Assignments](/images/identitymanager/compute-expected-2.webp) + +**Enforcing resource type rules** + +Resource type rules are enforced. This means creating and adding assigned resource types to the **expected assignments** list. This means enforcing the need for a resource of that type to be created in the managed systems, with the input resource as its **owner**. + +Then automation rules are enforced on assigned resource types. + +A further step will correlate, to find the actual target resource if it exists. If not, it will eventually become a provisioning order to create such a resource. + +This can be seen as **assigning** a target resource to an **owner**. It's still important to note that the act of **assigning** a resource to an **owner** almost always is the **consequence** of a **role** assignment. Use cases for which a single, isolated resource, is "assigned" (i.e. created with specific values) is rare and is more of a solution to a specific technical problem. + +**Enforcing navigation rules** + +Finally, navigation rules are enforced. They aim to complete the information about the resource to be created because of the assigned resource types. If the type rule is the what, this is the how. + +For every assigned resource type, associated navigation rules are enforced. + +Navigation rules are conditioned on the resource's assigned single roles. If a specific single **role** is found as assigned to the **owner** resource of the assigned resource type (i.e. the input resource of the algorithm), an assigned resource navigation is created in the UP_AssignedResourceNavigation table, with the resource as its **owner**. The assigned resource navigation will eventually translate into a provisioning order. 
+ +The assigned resource navigation is hence the **consequence**, in the form of a provisioning-order-to-be, of **assigning** a **role** to a resource. + +This means also no assigned resource type, no navigation assignment. Resource type rules are a prerequisite for the associated navigation rules to be enforced. + +**Enforcing scalar rules** + +Finally, the scalar rules associated with the target's resource type are enforced and become assigned resource scalars that will also result in a provisioning order. + +For every assigned resource type, associated scalar rules are enforced. + +They also aim to complete the information about the resource to be created because of the assigned resource types. + +Found manual assignments and derogation of resource types with their associated navigation and scalar assignments are added as well. + +**Step 3 –** **Match **existing assignments** with **expected assignments**** + +![Computing Expected Provisioning Assignments](/images/identitymanager/compute-find-matching.webp) + +The **expected assignments** list is now built. + +For every expected/computed assigned resource type, assigned single **role** and assigned composite **role**, the algorithm finds the matching existing assignment, from the list of assignments. + +The existing list of assignments in the current database is composed of: + +- Assignments computed by the last Evaluate Policy; +- Assignments created by the classification task, including `Found` and `Historic` ones issued from +the analysis of the resource values from the managed system. + +The result is a list of **expected assignments** that have a counterpart in the list of **existing assignments**. + +**Step 4 –** **Assignments cleansing / purge** + +Some assignments are given an expiration date at creation (see the first step, context rules enforcement). This is the step where expired assignments are removed from the **expected assignments** list. + +They will not be deleted, but historized. 
The validTo column of the UP_Assigned\* is updated. + +Others have been manually denied via the provisioning review screen, or must be canceled because of rules or resource value changes. Those are deleted too. + +The result is a list of really **existing assignments**, without the expired, canceled or explicitly unwanted ones for any reason. + +**Step 5 –** **Correlation** + +![Computing Expected Provisioning Assignments](/images/identitymanager/correlation.webp) + +Resource correlation rules are enforced: for every expected assigned resource type, the algorithm looks for a target resource that correlates the **owner**, which is the input resource. + +If found, that correlated resource becomes the target of the assigned resource type. If not, a provisioning order of creation is written. + +A word about correlation. Correlation is achieved by using resource correlation rules. Each rule applies to a resource type. It defines for the source entity type a quantity computed from its attributes. It does the same for the target entity types. Those quantities are called **correlation keys**. For a given assigned resource type, the correlation algorithm tries to match the **owner** correlation key with all available resources of entity type target. If one is found equal, the matching resource becomes target of said assigned resource type. For every resource, **correlation keys** are computed by a regularly scheduled task and stored in the database. + +**Step 6 –** **Handle assignment lifecycle** + +Expected assigned resource scalars and assigned resource navigations matching existing counterparts are found. + +For every assigned resource type, assigned resource scalar and assigned resource navigation, the provisioning state is updated according to the correlated target resource values, the matching existing assignment state and the provisioning state transition algorithm. 
+ +For **expected assignments** that have a matching existing counterpart, the correlated target resource values are analyzed. If they match the expected resource values, that means that the last provisioning order has been indeed well executed. The provisioning state of the associated assignment is switched to Applied. Same goes for the **role** assignments from which those scalar and navigation assignments originated. + +For **expected assignments** that do not have a matching existing counterpart, they receive their Pending or Blocked provisioning state. + +Blocked assignments are submitted for validation in the provisioning review screen. Blocked assigned resource types are associated with a **confidence level** that describes the level of confidence of the correlation between source and target. The **confidence level** is a configuration of the resource correlation rules. + +The workflow state is also analyzed; assignments with Approved (or Cancellation) have been approved (or denied) and can now be provisioned. + + | Workflow state | Description | + | --- | --- | + | 0—None | Used for Identity Manager's internal computation | + | 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) | + | 2—Requested - Missing Parameters | The assignment has been requested via a workflow, but does not specify at least one required parameter for the **role**. | + | 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) | + | 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. 
![Workflow State: Pending Approval - Requested](/images/identitymanager/4_requested_v603.webp) | + | 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the **role**. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/5_calculatedmissingparameters_v603.webp) | + | 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/8_pendingapproval_v603.webp) | + | 9—Pending Approval 1 of 2 | The assignment is pending the first approval on a two-step workflow. | + | 10—Pending Approval 2 of 2 | The assignment is pending the second approval on a two-step workflow. | + | 11—Pending Approval 1 of 3 | The assignment is pending the first approval on a three-step workflow. | + | 12—Pending Approval 2 of 3 | The assignment is pending the second approval on a three-step workflow. | + | 13—Pending Approval 3 of 3 | The assignment is pending the third approval on a three-step workflow. | + | 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/16_approved_v603.webp) | + | 17—Declined | The assignment is explicitly declined during one of the approval steps. | + | 20—Cancellation | The assignment is **inferred** by a **role** that was declined. ![Workflow State: Cancellation](/images/identitymanager/20_cancellation_v603.webp) | + +**Step 7 –** **Delta** + +The existing and expected assignment lists are compared and yield a third list of **Differences**, i.e. non conforming values in the managed systems that need to be fixed. + +That list will eventually become provisioning orders that will be sent to the agent for fulfillment. + +**What constitutes a difference?** + +Expected resource and their values not matching the existing resource and their value, for an existing assignment with an `Applied` or `Executed` provisioning state. 
+
+If the existing assignment is not yet `Applied` the agent might still be preparing the provisioning. A resource value that does not comply with the **role** model, but is in the fixing process (meaning an assignment with a provisioning state of `Pending` or `Sent`) will not come up in the UI.
+
+**Step 8 –** **Saving the result**
+
+At this point, Evaluate Policy has computed **expected assignments** for the resource, by applying rules and purging expired assignments.
+
+**expected assignments** are:
+
+- Assigned composite roles and assigned single roles, representing roles assigned to the resource
+- Assigned resource scalars and assigned resource navigations, representing scalar and navigation
+properties to fulfill to a target resource from that source resource, the ownership relationship between source and target being materialized by an assigned resource type.
+
+Expected assigned are written to the database, they will be the **basis** for the next step: fixing **Differences**. The writing is optimized by using bulk insert methods.
+
+To enhance the writing performances, it's not actual assigned\* that are written, but updates from the existing ones, using the delta computed at step 7.
+
+For fine-grained assignments such as assigned resource scalars and assigned resource navigations, Identity Manager stores the **policy value** i.e. the value computed by Evaluate Policy (not yet fulfilled) and the **current value** i.e. the value currently held by the target resource in the managed systems.
+
+From there, it is possible to retrieve the **Differences** between existing and **expected assignments** for that resource, at any time.
+
+Remember, the goal of building a set of assignments is twofold:
+
+- Building a catalog of **existing assignments** as assigned roles for non-technical users to consult.
+- Fulfill target values from source resources so as the managed systems comply with the **role** model.
+ +The catalog of **existing assignments** is now available: they are assigned\* with an Applied provisioning state. Non technical-users can read assigned single roles and assigned composite roles. Technical users will be more interested in assigned resource scalars and assigned resource navigations. + +Fulfilling target values from source resources is going to take the form of provisioning orders, computed from assigned resource scalars and navigations in the Pending or Blocked state. + +## Fixing **Differences** + +The engine has computed a list of **expected assignments**. The difference with the managed system state, as a list of resource values that infer **Differences** in **role** assignments, can be fixed by provisioning the **expected assignments** to the managed systems. + +Some provisioning orders have to be reviewed by a knowledgeable user. Those are provisioning orders computed from assigned\* with a Blocked provisioning state. The UI provides screens to perform review and validation. + +Every provisioning order is to fix a difference that has been caused by a change in the source resource values or in its target resources. + +Let's see in details what kind of **Differences** Identity Manager deals with, and what kind of change in the managed systems triggers them. + +The workflow state of an assignment helps identify the nature of a difference between that assignment and the managed systems. + +### UI Overview + +**Differences** are displayed in the following screens: + +- **Provisioning Review** displays `Blocked` (non `Found`, non `Historic`) assigned resource types, +assigned resource navigations and assigned resource scalars. They must be reviewed by a knowledgeable technical end-user. They are assignments mirroring legit provisioning orders recently computed by the Evaluate Policy. +- **Resource Reconciliation** displays `Found` and `Historic` assigned resource types, assigned +resource navigations and assigned resource scalars. 
This is where non-conforming resource values or non-authorized accounts (i.e. a resource that should not exist at all) in the form of provisioning assignments are displayed. These assignments mirror, at the **resource value level**, derogations still not explicitly refused by a knowledgeable end-user. This is where an end-user can find provisioning assignments that would render legit the non-confirming values and non-authorized accounts found in the managed systems. +- ****role** Reconciliation** displays `Found` and `Historic` assigned single roles and assigned +composite roles. They are **role** assignments that mirror derogations, at the **role** level, still not explicitly refused by a knowledgeable end-user. This is where an end-user can find roles assignments that would render legit the non-confirming values and non-authorized accounts found in the managed systems. +- **Redundant Assignments** displays `Approved` assigned roles and assigned resource types tagged as +eligible to be turned into `Calculated`. + +:::tip + Remember, ****role** Review** is a little bit different as it displays manually requested assignments waiting for manual approval. +::: +### A target value to update + +A target resource scalar value is different from the scalar value obtained by applying scalar rules to the source resource. + +This could be caused by a change in the target value directly from within the managed system, before or after Identity Manager has been plugged in. For example, a target Active Directory account Email value has been changed. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the difference is about a change in the target made outside/before Identity Manager and found by synchronization. 
+ +As Identity Manager does not overwrite managed systems values without confirmation from a knowledgeable user, the found non-conforming value will be displayed in the **Resource Reconciliation** screen, with the suggestion for update. The non-conforming value can either be kept, and become an exception and overwritten with the rules-issued value. + +This could also be caused by a change in the source resource, by a previous fulfillment of Identity Manager, or directly from within the managed system. For example, the HR system has updated the Name of an employee. Synchronization has detected the change in value, and reapplied rules. And now, the target Active Directory account name has to be updated. + +The corresponding assigned\* would be awarded a workflow state PolicyApproved given the difference is about a change in the source that caused the need for a change in the target because of the applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the **Provisioning Review** screen for validation in the form of a **resource update** provisioning order. + +### A target resource to create + +A target resource is missing. Applying navigation rules to a source resource yielded the need for a specific target resource that has not been found by synchronization. + +This could be caused by a **missing resource** in a managed system even before Identity Manager was plugged-in or the deletion of such a resource in the managed system afterward. For example, a nominative Active Directory account has not been created yet for that existing identity. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the difference is about a change or an omission in the target outside/before Identity Manager and found by synchronization. 
+ +This case yields a provisioning order, that could be blocked, and hence displayed in the **Provisioning Review** screen for validation in the form of a **missing resource** provisioning order. + +This could also be caused by a change in the source resource, by a previous fulfillment of Identity Manager, or directly from within the managed system. For example, the HR system has updated the Job Title of an employee. Synchronization has detected it, and reapplied rules, and now, this identity has to be awarded a new Active Directory account with higher privileges. + +Or it could be caused by the manual assignment of a new **role** from within Identity Manager to an existing identity that would grant that identity with a new account and hence a target resource to create. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference is about a change in the source that caused the need to create a new target because of the applications of the rules. + +Those cases yield a provisioning order, that could be blocked, and hence displayed in the **Provisioning Review** screen for validation in the form of a **resource creation** provisioning order. + +### A target resource to delete + +An extra target resource has been found by synchronization, it's been correlated with our source resource, but no navigation rules applied to the source resource yielded the need for its existence. + +This could be caused by an extra resource created directly from within a managed system, or the change of a rule that makes some existing resources moot. For example, an administration Active Directory account has been created directly from the managed system and granted to an identity who, according to the rules, is not entitled to it. 
+ +As Identity Manager does not overwrite managed systems values without confirmation from a knowledgeable user, the found non-authorized account will be displayed in the **Resource Reconciliation** screen, with the suggestion for deletion. The non-authorized account can either be kept, and become an exception and or be deleted to comply with the rules. + +The corresponding assigned\* would be awarded a workflow state `Historic` or `Found` given the difference is about an extra target added outside/before Identity Manager and found by synchronization. + +This could also be cause by a change in the source resource, by a previous fulfillment of Identity Manager, or directly from within the managed system. For example, the HR system has updated the `Job Title` of an employee. Synchronization has detected it, and reapplied rules, and now, this identity has to be awarded a new Active Directory account with lower privileges, the old one must be deleted. + +Or it could be caused by explicitly denying a **role** to an existing identity from within Identity Manager which would ripple through and forbid this account from existing. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference is about a change in the source that caused the need to deletion a target because of the applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the **Provisioning Review** screen for validation in the form of a **resource deletion** provisioning order. + +Provisioning orders are still fairly technical to read. Non compliant-roles, **inferred** from non-compliant resources in the managed systems, are also displayed in the ****role** Reconciliation** screen to be kept or deleted by less technical users. + +## Fulfilling + +Fulfilling assignments is the **role** of connectors. 
Provisioning orders are written and sent to the agent via the `Usercube-Generate-ProvisioningOrders` task is added to every provisioning job. + diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/existingassignmentsdeduction.md b/docs/identitymanager/6.3/integration-guide/role-assignment/existingassignmentsdeduction.md new file mode 100644 index 0000000000..e1c4404a24 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/role-assignment/existingassignmentsdeduction.md 
@@ -0,0 +1,93 @@ +--- +title: "Existing Assignments" +description: "Existing Assignments" +sidebar_position: 100 +--- + +# Existing Assignments + +The [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) can deduce from synchronized data a list of assignments for every identity. + +## Overview + +One of the main responsibilities of the Compute Role Model task is to translate data from the realm of the managed systems (such as accounts or groups) into the realm of roles. + +The process results in a list of existing assignments, expressed as assigned roles, for every identity. + +This is Identity Manager's first computation when deployed in an organization: assessing the current state of the managed system in order to suggest fixes. + +The main process can be summed up as: + +1. Finding the owner `O` of a resource `R` by applying correlation rules. +2. Deducing roles by applying provisioning rules (such as navigation or scalar) "in reverse". In +this step, Identity Manager tries to find the role that would have yielded a provisioning order for resource `R`, if assigned to identity `O`. + +The following use cases can be encountered. + +## Use Case 1: One Group, One Role + +This first use case involves a common role model situation: one single role represents one entitlement, for example an Active Directory group. + +Let's study this use case with an example: a single role _Internet_ is linked to an Active Directory group _Internet_ through a navigation rule `N`. + +![use_case_1_rolemodel](/images/identitymanager/use_case_1_rolemodel.webp) + +We are going to consider here an identity named John Doe, and his Active Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com). + +The most straightforward way to think about this role model is to consider the direct flow. This would happen if John Doe's account wasn't a member of the _Internet_ group. + +1. 
Identity Manager performs the first synchronization, and correlates the nominative Active +Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com) to John Doe. +2. This account is _not_ a member of the AD group _Internet_. +3. A manager assigns the role to John Doe's identity using Identity Manager's UI. +4. The Compute Role Model task applies the navigation rule `N`. +5. A provisioning order for John Doe's Active Directory account becoming a member of the group +_Internet_ is issued. + +This is a typical onboarding scenario for John Doe that happens to start a new job within the organization after Identity Manager was deployed. + +Now, let's consider what happens for John Doe, if he started his job within the company before Identity Manager was ever deployed. + +The initial situation is an identity, John Doe, and a "lonely" Active Directory account, [john.doe@contoso.com](mailto:john.doe@contoso.com). + +This time, Identity Manager performs the "deduction" flow. + +Identity Manager performs the first synchronization and tries to correlate accounts with identities. This results in finding out that John Doe is the owner of the Active Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com). The synchronization also shows that the [john.doe@contoso.com](mailto:john.doe@contoso.com) account is a member of the _Internet_ Active Directory group. + +The situation in Identity Manager database at this point is the following. + +![use_case_1_sync](/images/identitymanager/use_case_1_sync.webp) + +Integrators have defined the Internet single role and linked it to the _Internet_ AD group through the navigation rule `N`. + +Now, the Compute Role Model task "studies" the role model: the only rule that assigns the _Internet_ Active Directory group is the navigation rule `N`. 
By following the rule in reverse, Identity Manager deduces that the role _Internet_ should _de facto_ be assigned to John Doe, so that the rules be consistent with the data found in the Active Directory. + +The role is now listed under John Doe's assignment list (permissions) in Identity Manager. + +![use_case_1_deduction](/images/identitymanager/use_case_1_deduction.webp) + +## Use Case 2: Several Groups, One Role + +This second use case involves another common role model situation: one single role represents two or more entitlements. The single role is used here to package several Active Directory group assignments, for example, assignments which are always granted together to perform certain tasks. + +For example, let _Sales manager_ be a single role linked to the Active Directory groups _operations_ and _sales_ through two navigation rules `N1` and `N2`. + +The "direct" flow here means that if John Doe is assigned the _Sales manager_ role, Identity Manager fulfills the _operations_ and _sales_ group memberships for John Doe's Active Directory account. + +Now, let's consider the reverse flow. If John Doe already had membership for the _operations_ and _sales_ group before Identity Manager was deployed, the AD Synchronization will detect it. By applying `N1` and `N2` in reverse, Identity Manager deduces that John Doe must have the _Sales manager_ single role. + +His trusted advisor, Mary Webster, isn't a member of the _operations_ group. She is only a member of the _sales_ group. Identity Manager applies `N1` in reverse, but there is only one Single Role (_Sales manager_) that grants the _sales_ group membership. The only way for Mary to be granted the _sales_ group membership from the role model point-of-view is to have been granted the _Sales manager_ role. For Identity Manager, it is as if Mary had been assigned this role, but is missing the _operations_ group. 
That is exactly how it is materialized: the identity for Mary in Identity Manager will be assigned the _Sales manager_ role, and a missing group membership will come up in the provisioning review screen. + +If the IGA administrator doesn't want Mary to be granted the _Sales manager_ role and hence the _operations_ group, another role must be created, that only grants the _sales_ group but not the _operations_ group. + +## Use Case 3: Several Groups, Several Roles + +The third use case is a less common one, but can still be a little confusing. + +Let's take two roles `B` and `C`. + +- `B` grants membership to two groups: `AD1` and `AD2`. +- `C` grants `AD2` and `AD3`. + +This time, if only `AD2` is found for a given user, no deduction can be made. + diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/generate-contexts.md b/docs/identitymanager/6.3/integration-guide/role-assignment/generate-contexts.md new file mode 100644 index 0000000000..551c9c2dcf --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/role-assignment/generate-contexts.md 
@@ -0,0 +1,140 @@ +--- +title: "Generate Contexts" +description: "Generate Contexts" +sidebar_position: 50 +--- + +# Generate Contexts + +A context is a set of dimension-value pairs computed using the [Context Rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule) or the combination of a context rule and the [Record Section](../../integration-guide/toolkit/xml-configuration/provisioning/recordsection) if record sections are configured. + +A context is used to compute the role assignments for an identity by verifying that the dimension-value pairs meet the role criteria. + +## Basic Context Generation + +When using only a context rule without a record section, the context generation is straightforward: a set of dimension-value pairs is created by computing the value of the dimension bindings on the [Context Rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule). + +> For example, the following context rule defines guests' contexts based on their start date, end +> date, and company. +> +> ``` +> +> +> +> ``` + +## Identity Context Generation + +As described in the [Identity Management](../../integration-guide/identity-management), identities are complex to model. Records were introduced to tackle this complexity by allowing multiple positions for the same identity. + +[Record Section](../../integration-guide/toolkit/xml-configuration/provisioning/recordsection) go further by modeling the relationship between positions. Indeed with record sections, it is possible to define: + +- what are the shared properties between all positions? +- what are the properties unique to each position? +- what happens when there is a time gap between two positions, should the previous be extended or +should the future position be used to fill the gap? +- what happens when a position property value is not defined? 
+ +Before illustrating how the record sections can be configured to handle most cases of position management, here is the background situation for the examples that follow: + +- A position is defined by a `JobTitle`, a `Location`, and a `Department`, all other properties +belong to the identity and are shared between all positions. +- Dimensions are `Category`, `JobTitle`, `Location`, and `Department`. +- Each position will have an `Id`. +- `Sx` represents the start date of the position, and x is the `Id` of the position. +- `Ex` represents the end date of the position, and x is the `Id` of the position. +- `Cs` represents the contract start date. +- `Ce` represents the contract end date. + +The following configuration shows the context rule that will be used for the examples. + +``` + +``` + +The context rule start/end dates bindings and expressions won't have any effect on the computation, they are overridden by the record sections dates properties. + +### Configuration of basic record sections + +``` +*Default section:* + + + +*Position record section:* + +``` + +The configuration above binds the position to the contract end date, meaning that a position without an end date will take the end date of the contract. The properties of the position record section cannot be propagated, meaning if a position does not have a `Location` it cannot take the `Location` of the previous or future position. + +The following image shows the positions of `Mark Barn` in a defined timeline. + +![simple-recordsection-identity](/images/identitymanager/simple-recordsection-identity.webp) + +With the given configuration and the identity of `Mark Barn`, the following contexts are generated: + +![simple-recordsection-result](/images/identitymanager/simple-recordsection-result.webp) + +Each computed context will be used to create a set of dimension-value pairs, thus having 3 sets for the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm. 
+ +Any rules targeting identities with a `fulltime`Category`will be assigned to`Mark Barn`from`Cs`to`Ce```. + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `S1` to `E2`. + +Any rules targeting all identities will be assigned to `Mark Barn` from `Cs` to `E2` because from `E2` to `Ce` there isn't any position. This behavior can be overridden by specifying `ExtensionKind="None"` on the `Directory_UserRecord_Position` section. + +### Configuration of a position extension + +#### Extension of a property + +The record sections can help extend some position property value when for some time the identity does not have a position. For example, let's say that an identity can have multiple positions but they must be in the same `Location`. So it is safe to configure the record sections to copy the `Location` from a position if: + +- the identity does not have a position for some time; +- for a position, the `Location` is not defined. + +Here is the configuration needed to apply this policy. + +```` +*Default section:* + + + +*Position record section:* + `````` + `````` + `````` +```` + +The `ExtensionKind="None"` was removed for the `Location` property. + +Using the identity of `Mark Barn` the computed contexts should be as followed: + +![recordsection-withvaluecopy-result1](/images/identitymanager/recordsection-withvaluecopy-result1.webp) + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `Cs` to `Ce`. + +#### Extension of a whole position + +The property value copy can be leveraged to extend a chosen position when for some time the identity does not have one. See the Generate Contexts topic for additional information. The following configuration and the identity of `Phoebe Buffay` will be used to showcase a position extension. It is done by removing the `ExtensionKind="None"` of the position properties. 
+ +```` +*Default section:* + + + +*Position record section:* + + `````` `````` `````` + +```` + +![positionextension-identity](/images/identitymanager/positionextension-identity.webp) + +Two contexts will be generated. + +![positionextension-result](/images/identitymanager/positionextension-result.webp) + +By default, the previous position is extended when there is a gap. If there isn't any previous position then the next position will be anticipated. + +The choice of the position to extend can be configured by leveraging the `SortKeyExpression` in the position [Record Section](../../integration-guide/toolkit/xml-configuration/provisioning/recordsection). + diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/configureindirectpermissions.md b/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/configureindirectpermissions.md new file mode 100644 index 0000000000..a26568f422 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/configureindirectpermissions.md 
@@ -0,0 +1,121 @@ +# Configure Indirect Permissions + +The following how-to assumes that you have already read the topic on [Indirect Permissions](../../../integration-guide/role-assignment/indirectpermissions). + +## Configure Indirect Permissions in an Active Directory + +### Configure an indirect resource rule + +Configuring an Indirect Resource Rule in the Identity Manager Configuration is the only step needed to set up Indirect Permissions and can be done by answering the following questions: + +- What is the target Entity Type? There are multiple multiple Entity Types but for this example we +will choose `AD User (nominative)`. Another rule can be written if you want to handle Indirect Permissions for `AD User (administration)`. +- Which permissions can be obtained transitively in the Active Directory? Users get permissions by +being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Here, we do not want to. This also means +that `Correspondence`, `CorrespondenceMembershipProperty`, and `Entitlement` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Identity Manager Demo, we get the following Indirect Resource Rule: + +``` + +```` + + +After adding this rule to the Configuration, do not forget to deploy the configuration. + +### Set up a test user + +The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles. + +![Group Membership Schema](/images/identitymanager/indirectpermissionsadexample.webp) + +A running Active Directory instance is required to reproduce these steps yourself. 
+ +#### Edit the Active Directory + +Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB```. Then add ```TestGroupA``` as a member of ```TestGroupB```. Finally add a test user as a member of ```TestGroupA```. The test user can be any existing user in the AD that is known by Identity Manager. + +#### Prepare Identity Manager + +Since we have manually edited the Active Directory, we first need to run an AD synchronization job. +Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, : + +![Single Role Configuration Example](/images/identitymanager/srconf_5.2.1.webp) + +We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```: + +![Composite Role Configuration](/images/identitymanager/crconf_5.2.1.webp) + +Then we will also need to add some rules. We first need to add one Navigation Rule for each group to link them with their respective Single Role: + +![Navigation Rule Example](/images/identitymanager/navrule_5.2.1.webp) + +And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role: + +![Single Role Rule Example](/images/identitymanager/srrule_5.2.1.webp) + +Even if two rules of a kind are needed, only one is pictured. Do not forget the other one. + +#### Indirect permission display + +After running a [Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask), Indirect Permissions should now appear for your test user. + +The next screenshots were taken after adding the direct assignment directly inside the Active Directory. As such, the direct permission is also flagged as ```Non-conforming```. 
+ +If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```: + +![View Permissions Simplified](/images/identitymanager/viewpermissionssimplified_5.2.1.webp) + +To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear: + +![View Permissions Advanced](/images/identitymanager/viewpermissionsadvanced_5.2.1.webp) + +You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. The ```memberOf``` properties will appear in the list: + +![AD Assigned Resource Navigations](/images/identitymanager/adassignednavigations_5.2.1.webp) + +## Configure Indirect Permissions in an Microsoft Entra ID + +We can follow the same steps to configure this new rule: + +- What is the target Entity Type? + Once again, we will configure a rule for nominative users. The Entity Type is ```AzureAD_DirectoryObject_NominativeUser```. +- Which permissions can be obtained transitively in the Microsoft Entra ID (formerly Microsoft Azure AD)? + Users get permissions by being members of a group. The property is ```memberOf```. +- Do we want to look for correspondences in another system? + Here, we do not want to (it is possible, but it is not the aim of this How-To). + This also means that ```Correspondence```, ```CorrespondenceMembershipProperty```, and ```Entitlement``` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Identity Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +```` +## Configure Indirect Permissions in SharePoint using Correspondences from an Microsoft Entra ID + +We can follow the same steps to configure this new rule, but this time we will showcase the correspondence feature: + +- What is the target Entity Type? We first start in the Microsoft Entra ID. 
Once again, we will +configure a rule for nominative users. The Entity Type is `AzureAD_DirectoryObject_NominativeUser`. +- Which permissions can be obtained transitively in the Microsoft Entra ID? Users get permissions by +being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Yes, we want to find correspondences in +SharePoint. A correspondence can be found using the `SharePointObject` property. +- Which permissions can be obtained transitively in SharePoint? Once again, users get permissions +based on which groups they are a member of. The property capturing this notion for SharePoint entities is `Group` +- Is being member of a group in SharePoint the type of permissions that we want to capture? While +this can be computed, we are rather interested in compiling which SharePoint objects a user can view/change/etc. We obtain this information using the `Entitlement` property. + +Finally, if we compile all this information and use the naming convention of the standard Identity Manager Demo, we get the following Indirect Resource Rule: +``` + + + +``` +This rule will also compute indirect permissions for the Microsoft Entra ID. +``` + diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/infer-single-roles.md b/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/infer-single-roles.md new file mode 100644 index 0000000000..5e1e035460 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/infer-single-roles.md 
@@ -0,0 +1,42 @@
+# Infer Single Roles with a Composite Role
+
+This guide shows how to assign several single roles via the assignment of one composite role.
+
+It is possible to infer SingleRoles with [Composite Role](../../../integration-guide/toolkit/xml-configuration/provisioning/compositerole). The SingleRole can only be inferred by the CompositeRole if both the CompositeRole and SingleRole rules are verified.
+
+## Create a Dimension
+
+The restriction of resource allocations is done from a filter. To do this, it is necessary to create [Dimension](../../../integration-guide/toolkit/xml-configuration/metadata/dimension) to define which EntityTypes the filters will apply to.
+
+For the different examples of restrictions, the filters will be based on the EntityType "Organization" and "Title".
+
+```
+
+```
+
+## Create a Composite Role
+
+A CompositeRole is created in the same way as a SingleRole.
+
+```
+****
+```
+
+## Assign the Composite Role Based on the Dimension
+
+This step is optional for our simple purpose of inferring single roles with a composite role. The composite role can be linked to a dimension, but it does not have to.
+
+The CompositeRoleRule can be limited with the use of dimensions.
+
+```
+****
+```
+
+## Assign Single Roles Based on the Composite Role
+
+The link between a SingleRole and a CompositeRole is made in the SingleRoleRule.
+
+```
+
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/restrict-assignment.md b/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/restrict-assignment.md
new file mode 100644
index 0000000000..e17eba6d33
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/how-tos/restrict-assignment.md
@@ -0,0 +1,70 @@
+# Restrict the Assignment
+
+This guide shows how to use filters on dimensions and/or roles to restrict the assignment of a role or resource type.
+
+## Create a Dimension
+
+The restriction of resource allocations is done from a filter. To do this, it is necessary to create [Dimension](../../../integration-guide/toolkit/xml-configuration/metadata/dimension) to define which EntityTypes the filters will apply to.
+
+For the different examples of restrictions, the filters will be based on the EntityType "Organization" and "Title".
+
+```
+
+```
+
+## Create a Single Role
+
+To be able to filter with the dimensions previously created, it is necessary to first create [Single Role](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) which will serve as a restriction to the assignment of ResourceTypes for a given source.
+
+The example below creates a SingleRole for the EntityType Directory_User (source of the ResourceTypes you want to restrict).
+
+```
+
+```
+
+## Assign the Role Based on the Dimension
+
+We will define a [Single Role Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) on the "Title"; dimension with a given value to restrict the allocation of a resource in only one case.
+
+```
+****
+```
+
+D1 represents the dimension whose ColumnMapping="1".
+
+```
+****
+```
+
+The value in property D1 implies that the rule is checked only if the source resource has as association to the EntityType related to dimension 1 is "FCT0402".
+
+## Assign a Resource Type Based on the Role
+
+The restriction on the creation of these accounts is integrated directly into the type rule of the [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype). This implies that the ResourceType will only apply if the [Single Role Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) are checked.
+
+This part will link a SingleRole to a ResourceType. This implies that the allocation of a target resource to a source will only be done if the SingleRole rule(s) are verified.
+
+```
+ ....
+
+```
+
+### Use a navigation rule instead of a type rule
+
+A [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) in addition to filling a multi-valued association, also serves as an allocation context for a ResourceType.
+
+There are 3 ways to restrict the allocation of the ResourceType with a NavigationRule:
+
+- Fill in one or more dimensions directly in the NavigationRule.
+- Fill in a SingleRole.
+- Fill in one or more dimensions and a SingleRole.
+
+For the last 2 cases this will induce the ResourceType by the SingleRole.
+
+```
+ ...
+
+```
+
+In the example above the ResourceType does not need a TypeRule because the NavigationRule already serves as an allocation context.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/index.md b/docs/identitymanager/6.3/integration-guide/role-assignment/index.md
new file mode 100644
index 0000000000..30ea55ee28
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/index.md
@@ -0,0 +1,12 @@
+---
+title: "Role Assignment"
+description: "Role Assignment"
+sidebar_position: 90
+---
+
+# Role Assignment
+
+Once the role model is established, role assignment can be performed, i.e. missing or non-conforming assignments can be detected in order to give users the appropriate access rights.
+
+Be sure to read first the documentation about the role model. See the [Role Model](../../integration-guide/role-model) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/indirectpermissions.md b/docs/identitymanager/6.3/integration-guide/role-assignment/indirectpermissions.md
new file mode 100644
index 0000000000..5d1a49b73c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/indirectpermissions.md 
@@ -0,0 +1,69 @@
+---
+title: "Indirect Permissions"
+description: "Indirect Permissions"
+sidebar_position: 120
+---
+
+# Indirect Permissions
+
+Identity Manager can compute, for a given identity, permissions that are obtained implicitly or indirectly through assignments. The [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) is responsible for this functionality.
+
+## Overview
+
+Assigning a role to a user can give them new permissions in a managed system by giving access to a new role or a new group, for example. This assignment is direct as it is entirely explicit. However, the user might also receive some **additional permissions that are inherited through the new permission** and that are not explicit. For instance in some systems, users can get permissions by being a member of a group but groups can also be members of other groups, and therefore allow for transitive permission acquisitions. These permissions are called indirect. This notion can also be extended when permissions in a managed system also give other permissions in an external system.
+
+Indirect Permissions are automatically computed by the [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) along with standard explicit or direct permissions during a full update. Indirect permissions will not be computed when processing a single user (for instance through "Repair Data (helpdesk)") or during simulations.
+
+## Configuration
+
+The computation of Indirect Permissions is based on the configured [Indirect Resource Rule](../../integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule). These rules tell Identity Manager how to navigate the managed system and how to recover permissions that a user inherits implicitly. An Indirect Resource Rule is composed of the following properties:
+
+- `ResourceType`:The
+[Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) to which the rule will be applied.
+- `Property` : The [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype)
+which corresponds to the user permission in the _target_ system.
+- `Correspondence` (optional): The
+[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) that is used to recover the correspondence of a resource from the _target_ system in the _external_ system.
+- `CorrespondenceMembershipProperty` (optional) : The
+[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) which corresponds to the user permission in an _external_ system.
+- `Entitlement` (optional) : The
+[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) that can be configured if the permission in the _external_ system needs to be recovered from the discovered resources. For instance one can use this property to recover the entitlements of Sharepoint groups (while `CorrespondenceMembershipProperty` will be used to recover the group membership graph).
+
+If either `Correspondence` or `CorrespondenceMembershipProperty` is specified, then the other property must be specified as well.
+
+If `Entitlement` is specified, then both `Correspondence` and `CorrespondenceMembershipProperty` also need to be specified.
+
+- `TargetEntityTypeProperty` : The
+[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) which identifies each rule given a resource type.
+- `TargetEntityTypeReflexiveProperty` : The
+[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) which corresponds to the user permission in the _target_ system.
+- `IndirectResourceBinding`: The [Bindings](../../integration-guide/toolkit/bindings) that is used to
+recover an assignment from a permission in either system (target or external). It is also used to define the correspondence between resources in both systems.
+- `IndirectResourceReflexiveProperty` (optional): The
+[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) which corresponds to the user permission in an _external_ system.
+
+Correspondences between resources are necessarily one-sided: the Indirect Permissions computation is started in the managed system and if a correspondence is found, the computation will be continued in the external system. Correspondences won't be checked in the external system.
+
+An example of an Indirect Resource Rule configuration is available in How-To: [Configure Indirect Permissions](../../integration-guide/role-assignment/configureindirectpermissions) in an Active Directory.
+
+## What Can Be an Indirect Permission?
+
+The [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) will create indirect Assigned Resource Navigations for the permissions that it finds, but if and only if these permissions are associated with a [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype).
+
+If a [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) is associated with one of these Resource Navigation Rules, then an indirect Single Role will also be recovered.
+
+Finally, if at least one indirect Single Role is used to recover a [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole), then the Composite Role will also be indirect.
+
+## What Can Be Done with Indirect Permissions?
+
+Currently, Indirect Permissions are only displayed and found in the users' `View Permissions` tab in the `Advanced View`: Indirect Permissions (except Composite Roles) are hidden in the `Simplified View`.
+
+Although Indirect Permissions are marked as `Non-conforming`, they can be neither approved nor deleted. They also won't appear in Access certification campaigns.
+
+Indirect Permissions are always indicated by the following icon:
+![Indirect Permission Icon](/images/identitymanager/ic_fluent_flow_20_regular.webp)
+
+## Disabling the Indirect Permission Computation
+
+In case of emergency, one can disable the computation of indirect permissions by adding the `"DisableIndirectPermissions": true` field to the root of the `appsettings`. While the computation is disabled, indirect permissions will be frozen in time: any existing one will not be deleted and any potential new one will not be added.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/infer-single-roles.md b/docs/identitymanager/6.3/integration-guide/role-assignment/infer-single-roles.md
new file mode 100644
index 0000000000..5608c5f46a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/infer-single-roles.md
@@ -0,0 +1,48 @@
+---
+title: "Infer Single Roles with a Composite Role"
+description: "Infer Single Roles with a Composite Role"
+sidebar_position: 70
+---
+
+# Infer Single Roles with a Composite Role
+
+This guide shows how to assign several single roles via the assignment of one composite role.
+
+It is possible to infer SingleRoles with [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole). The SingleRole can only be inferred by the CompositeRole if both the CompositeRole and SingleRole rules are verified.
+
+## Create a Dimension
+
+The restriction of resource allocations is done from a filter. To do this, it is necessary to create a [Dimension](../../integration-guide/toolkit/xml-configuration/metadata/dimension) to define which EntityTypes the filters will apply to.
+
+For the different examples of restrictions, the filters will be based on the EntityType "Organization" and "Title".
+
+```
+
+```
+
+## Create a Composite Role
+
+A CompositeRole is created in the same way as a SingleRole.
+
+```
+****
+```
+
+## Assign the Composite Role Based on the Dimension
+
+This step is optional for our simple purpose of inferring single roles with a composite role. The composite role can be linked to a dimension, but it does not have to.
+
+The CompositeRoleRule can be limited with the use of dimensions.
+
+```
+****
+```
+
+## Assign Single Roles Based on the Composite Role
+
+The link between a SingleRole and a CompositeRole is made in the SingleRoleRule.
+
+```
+
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/nonconformingdetection.md b/docs/identitymanager/6.3/integration-guide/role-assignment/nonconformingdetection.md
new file mode 100644
index 0000000000..2de4086f93
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/nonconformingdetection.md
@@ -0,0 +1,50 @@
+---
+title: "Non-Conforming Assignments"
+description: "Non-Conforming Assignments"
+sidebar_position: 110
+---
+
+# Non-Conforming Assignments
+
+The [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) is able to detect from synchronized data a list of non-conforming or missing resources/entitlements for every identity. That is one of Identity Manager's most powerful governance features, provided you have a full role model configured.
+
+## Build the conforming assignment list
+
+The **first step** is building the conforming assignment list, as explained in the [Conforming Assignments](../../integration-guide/role-assignment/conformingassignmentcomputation). This list (list `A`) includes the assignments that perfectly comply with the role model/assignment policy.
+
+## Build the existing assignment list
+
+The **second step** is building the existing assignment list (list `B`), as explained in the[Existing Assignments](../../integration-guide/role-assignment/existingassignmentsdeduction) every synced resource can be translated into a role assignment following the assignment rules "in reverse".
+
+## Compare both lists
+
+We can now **compare both lists** to find out if the managed systems really comply with the decided upon assignment policy.
+
+For every assignment from list `B` representing resources from the synced data:
+
+1. There is a rule path from the identity attribute to the resource provisioning order in the role
+model. The assignment was expected, it can be found in list `A`.
+2. There is no rule path from the identity attribute to the resource provisioning order in the role
+model. The assignment was unexpected, it is not in list `A` or it is in list `A` but not with exactly the same property values.
+
+The "unexpected" (or non-conforming) assignments can be for example orphan accounts. Sometimes, the account itself should indeed exist according to the rules, but its attribute values are "unexpected", contradicting scalar rules.
+
+Non-conforming accounts are presented in the reconciliation screens: from the role point-of-view in the role reconciliation screen and from the resource point-of-view in the resource reconciliation screen.
+
+They need human confirmation to be either kept or destroyed.
+
+For every assignment from list `A` representing expected assignments:
+
+1. There is an exact match in list `B`. The managed system complies with the assignment policy for
+this resource.
+2. There is no match in list `B`: the managed system doesn't comply with the assignment policy. The
+resource is missing (the account is missing).
+
+Missing accounts are presented in the provisioning review for validation before provisioning.
+
+Identity Manager will **never delete data** without having a user's confirmation first. That is the reason why these variations from the ideal aren't fixed automatically but submitted for review.
+
+Some users might wonder how they can perform governance if they don't have automated rules. Certification can help. By reviewing (even manually) the entitlement landscape, non-conforming account proliferation can be contained.
+
+This feature is the final touch of the **sync-fulfill-verify loop** that makes Identity Manager so efficient. It is exactly like a closed-loop control system with a feedback loop: perturbations, in the form of modifications in a managed system that don't go through Identity Manager first, trigger a reaction. This reaction uses the role model to suggest a fix. This is the only way for the state of the entitlement landscape to tend towards the ideal standards described by the rules.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/restrict-assignment.md b/docs/identitymanager/6.3/integration-guide/role-assignment/restrict-assignment.md
new file mode 100644
index 0000000000..3e0d8ea812
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/restrict-assignment.md
@@ -0,0 +1,76 @@
+---
+title: "Restrict the Assignment"
+description: "Restrict the Assignment"
+sidebar_position: 60
+---
+
+# Restrict the Assignment
+
+This guide shows how to use filters on dimensions and/or roles to restrict the assignment of a role or resource type.
+
+## Create a Dimension
+
+The restriction of resource allocations is done from a filter. To do this, it is necessary to create a [Dimension](../../integration-guide/toolkit/xml-configuration/metadata/dimension) to define which EntityTypes the filters will apply to.
+
+For the different examples of restrictions, the filters will be based on the EntityType "Organization" and "Title".
+
+```
+
+```
+
+## Create a Single Role
+
+To be able to filter with the dimensions previously created, it is necessary to first create [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) which will serve as a restriction to the assignment of ResourceTypes for a given source.
+
+The example below creates a SingleRole for the EntityType Directory_User (source of the ResourceTypes you want to restrict).
+
+```
+
+```
+
+## Assign the Role Based on the Dimension
+
+We will define a [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) on the "Title"; dimension with a given value to restrict the allocation of a resource in only one case.
+
+```
+****
+```
+
+D1 represents the dimension whose ColumnMapping="1".
+
+```
+****
+```
+
+The value in property D1 implies that the rule is checked only if the source resource has as association to the EntityType related to dimension 1 is "FCT0402".
+
+## Assign a Resource Type Based on the Role
+
+The restriction on the creation of these accounts is integrated directly into the type rule of the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype). This implies that the ResourceType will only apply if the [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) are checked.
+
+This part will link a SingleRole to a ResourceType. This implies that the allocation of a target resource to a source will only be done if the SingleRole rule(s) are verified.
+
+```
+ ....
+
+```
+
+### Use a navigation rule instead of a type rule
+
+A [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) in addition to filling a multi-valued association, also serves as an allocation context for a ResourceType.
+
+There are 3 ways to restrict the allocation of the ResourceType with a NavigationRule:
+
+- Fill in one or more dimensions directly in the NavigationRule.
+- Fill in a SingleRole.
+- Fill in one or more dimensions and a SingleRole.
+
+For the last 2 cases this will induce the ResourceType by the SingleRole.
+
+```
+ ...
+
+```
+
+In the example above the ResourceType does not need a TypeRule because the NavigationRule already serves as an allocation context.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-assignment/role-model-rules.md b/docs/identitymanager/6.3/integration-guide/role-assignment/role-model-rules.md
new file mode 100644
index 0000000000..ce370a494a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-assignment/role-model-rules.md
@@ -0,0 +1,169 @@
+---
+title: "Assignment Policy"
+description: "Assignment Policy"
+sidebar_position: 30
+---
+
+# Assignment Policy
+
+The assignment policy is the set of rules enforced on the resources to compute automatic assignments and risks. It contains the role model and risks definition.
+
+## The Role Model
+
+The Introduction Guide introduced the role model and how it influences assigning entitlements to identities. Let's sum up the key principles here. See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+1. Identities are resources.
+2. Assignments of entitlements are materialized by resources, their values and associations.
+3. Identity Manager uses a [role-based](https://en.wikipedia.org/wiki/Role-based_access_control)
+assignment policy to grant entitlements to identities, i.e. granting a role entails granting entitlements.
+4. The role model is first a catalog of available roles
+([Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) and [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole)), identified by meaningful names aimed at non-technical end-users. These roles represent status of trust and privileges, to be assigned to identities, manually or automatically.
+5. The role model is also a set of rules aiming at assign automatically roles to identities, based
+on relevant criteria, namely [Dimension](../../integration-guide/toolkit/xml-configuration/metadata/dimension).
+6. The role model classifies resources by security concerns thanks to resource types.
+7. The role model contains correlation rules identifying ownership of target resource by an
+identity.
+8. The role model contains provisioning rules describing if and how target resources and their
+values should be computed from source resource values.
+
+Resource types, single roles and composite roles can be grouped into [Category](../../integration-guide/toolkit/xml-configuration/provisioning/category). They are used in the UI to organize the Roles catalog display. Categories are organized in a hierarchical tree structure.
+
+### Policy
+
+A [Policy](../../integration-guide/toolkit/xml-configuration/provisioning/policy) is a set of assignment rules. At least one policy must be declared.
+
+All resource types, single roles and composite roles and categories belong to a policy.
+
+## Dimensions And Contexts
+
+One of Identity Manager's distinctive feature is the use of [Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) methods to automatically grant fine-grained entitlements.
+
+Every identity in the organization operates within a specific context. It is a set of information relevant to making decisions about assigning entitlements for an identity. For example, an employee working in the R&D department of the New York office at Contoso Corporation is associated with the `{R&D, New York}` context.
+
+Analyzing contexts in the organization allows the integration team, in collaboration with a knowledgeable member of the target organization, to define key criteria on which to base assignments of entitlements decisions. Those key criteria are called dimensions.
+
+The integration team defines [Context Rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule) and [Record Section](../../integration-guide/toolkit/xml-configuration/provisioning/recordsection)in the applicative configuration that assigns, for every identity, a context as a set of dimension-value pair.
+
+The details of how contexts are generated can be found in [Generate Contexts](../../integration-guide/role-assignment/generate-contexts).
+
+Every dimension is associated with a finite set of possible values. That means there is a finite set of possible context. Hence, typical contexts within which an identity operates are modeled.
+
+Contexts can then be used as a filter for choosing an identity to which to assign a role.
+
+This mechanism allows the integration team to define rules to take care of the most basics and repetitive assignments. For example, a [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) assigning a specific single role to the resources that match a specific context.
+
+##### Example
+
+A standard multi-site and multi-department organization would use the following dimensions:
+
+- `Location`, the physical location where an employee works.
+- `Department`, the employee working department, such as `IT`, `Sales` or `Accounting`.
+
+Roles could be assigned based on location and department of the resource representing an identity.
+
+For a rule such as "every employee that works in IT must have access to the servers room", the `ServerRoomAccess` single role would be assigned to every resource of entity type `employee` whose context contains the value `IT` for the dimension `Department`.
+
+A context rule would have been written first, defining for every resource of entity type `employee` how to compute a context: the `Department` dimension value is found in the `department` property of the resource, the `Location` dimension value is found in the `site` property of the resource.
+
+## Write Roles And Assignments Rules
+
+The role model takes a very important place in the applicative configuration. It's built by the integration team, in collaboration with the target organization, to match the organization's needs and rules in security.
+
+The role model is built iteratively, together with the [Entity Model](../../integration-guide/entity-model), as they closely influence one another. See the [Entity Model](../../integration-guide/entity-model) topic for additional information.
+
+The role model evolves and lives during the whole IGA project's lifecycle. Organization rules change, roles and assignment rules are updated, deleted, added.
+
+The following gives a few ideas about how a to approach the writing of a role model.
+
+### 1. Identify single roles
+
+The first iteration of building of the organization reference model starts to reveal the archetypal responsibilities and positions of the members of the organization. A [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) is defined for every fine-grained organization-level responsibility or position.
+
+##### Example
+
+Contoso Corporation employs project managers in their Aircraft Design department to manage aircraft design projects for clients all around the world. Those projects involve aerodynamics and structure engineers, construction workers, quality control agents and sale engineers.
+
+Everyone in the team needs to access the Internet to do research and send e-mails. That's a first typical single role `Internet Access` that everyone should be assigned to be able to work.
+
+Aerodynamics engineers need to access remote high-performance computation servers specifically designed to solve aerodynamics equations. The sensitive nature of the data sent to those servers, plus the availability constraints, require restricting access to engineers that absolutely need it to perform their daily tasks. That's another responsibility, that can be translated to a single role `Aerodynamics Computation Server` for example, that grants access to those servers.
+
+Structure engineers, on the other hand, do not perform such heavy computations and do not need access to the aerodynamics computation server. They can work locally, performing computations on their own workstation. They're not assigned the `Aerodynamics Computation Server` role.
+
+Quality control agents need access to sensitive information such as accident reports, on the internal data server named `data0`. Those highly sensitive privileges are not assigned to everyone. They can be translated to the `Data Server data0` role.
+
+The project manager needs access to the `data0` and `data1` servers with client contracts. The `Data Server data0` and `Data Server data1` roles translate those responsibilities.
+
+### 2. Identify navigation rules and ownership
+
+For every [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) assigned to an identity, fine-grained entitlements need to be granted. Those are the resource values in a managed system.
+
+Hence, for every single role, the relevant managed systems, type of resource, and resource values to fulfill are identified.
+
+They are materialized by:
+
+- Provisioning rules, such as Resource Type rules that decide what resources should be found in the
+managed systems; and navigation rules or scalar rules, that identify actual values to be fulfilled from the identity to which the single role is assigned;
+- [Resource Correlation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule)
+that identify for an identity, the target resources to fulfill;
+- Resource type that organize resources and describe a source/target (or owner/resource)
+relationship.
+
+The resource types identified this way could be suggested to security officers for review, checking that they match their mental model of the managed system's resources.
+
+Sets of scalar rules and navigation rules relevant to a specific resource type are gathered into a resource type.
+
+#### Example
+
+Let's consider the `Internet Access` defined at step 1.
+
+In practice, Contoso Corporation authorizes or block a user Internet access by setting per-user outbound policies on their network firewall. The firewall integrates with Active Directory which make it possible to use Active Directory groups membership to enable or disable policies for a user.
+
+A security officer, to grant Internet access to an employee, would in practice assign a `Internet Access` group membership to their Active Directory account. That is a fine-grained entitlement entailed by the assignment of the `Internet Access` single role. That means that, to be able to grant or restrict Internet access, the link between an identity and their Active Directory account, used to login to work, must be known.
+
+To modelize that need within the role model, every identity with `Internet Access` single role is associated with an Active Directory account. We can find the Active Directory for an identity by comparing the identity email with the Active Directory entry e-mail. That's an example of [Resource Correlation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule) that define the ownership of an Active Directory entry resource by an identity resource.
+
+### 3. Write assignment rules
+
+[Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) describe criteria for which a [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) is assigned to a resource. The main criterion is a dimension value. For a given resource, the single role is assigned if the resource's context matches the given dimension value. The second criterion is the assignment of a specific [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole) (see further).
+
+A navigation rule describes a fine-grained entitlement in the form of resource association such as a group membership. Its enforcement is also conditioned by a single role assignment to the relevant source resource, which in turn materializes the link between a single role and a resource type.
+
+Those rules are used by Identity Manager to automate role assignments. They are absolutely optional. A first version of the project can rely on manual assignments of single roles. Those have meaningful names: Identity Manager already provides a value by allowing non-technical users to request or assign entitlements. Navigation and or scalar rules can be written in a second time to allow automated fulfillment. Single role rules can be written after that to set up automated assignments.
+
+##### Example
+
+The need for aerodynamics engineers to access the remote computation server is translated by a single role rule: if the department (a dimension) of that identity is `Aerodynamics R&D` (a dimension value), then the `Aerodynamics Computation Server` single role must be granted.
+
+The need for assignment of the `Internet Access` group to the Active Directory account, if the identity is assigned the `Internet Access` single role is modeled by a navigation rule that stipulates that if that identity is assigned that role, then the `memberOf` property of the owned Active Directory entry resource should be set to the AD group named `Internet Access`.
+
+### 4. Use Composite Roles To Organize Single Roles (optional)
+
+[Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) can be packaged into [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole). Assigning a composite role to an identity immediately assigns the packaged single role to that identity. Single roles assigned this way are said to be inferred.
+
+The [Composite Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/compositerolerule) (see composite role rules describe criteria for which a composite role is assigned to an identity. Then, the composite role can be used as a condition in a [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule). This is how packages are built.
+
+### Summary - A mental model to help build a role model
+
+To help build a role model, consider this mental model that captures the key events occurring between the assignments of a role and the actual assignment of entitlement.
+
+1. A resource-identity `Ri` is associated with a context `Ci`, i.e. dimension values.
+2. `Ri` is assigned a single role `SRa`, manually or as a result of dimension comparisons.
+3. Identity Manager's engine identifies a resource type `Rt` with the type rule `Tr` whose condition
+matches `SRa` and/or `Ci`.
+4. Using `Rt`'s definition, Identity Manager's engine identifies by correlation a target resource
+`Tr` from the resource repository that must be created or updated to materialize `SRa`.
+5. Identity Manager's engine identifies `Rt`'s navigation rule `Nr` whose condition matches `SRa`
+and/or `Ci`, and associated scalar rules `Sr`.
+6. Using `Sr` and `Nr`'s definition, Identity Manager's engine identifies `Tr`'s values to be
+provisioned to materialize `SRa`.
+
+This series of steps is actually a very simplified version of the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm.
+
+![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/enforce-assignment-policy-summary.webp)
+
+**---**
+
+## Evaluate Policy
+
+This chapter gives the basis of the assignments vocabulary. The next chapter enlightens the reader about the inner details of the Evaluate Policy algorithm. See the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-mining.md b/docs/identitymanager/6.3/integration-guide/role-mining.md
new file mode 100644
index 0000000000..13407f638f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-mining.md
@@ -0,0 +1,127 @@
+---
+title: "Role Mining"
+description: "Role Mining"
+sidebar_position: 100
+---
+
+# Role Mining
+
+Role mining aims to reduce the cost of entitlement management by automating entitlement assignments, via the analysis of existing assignments. See the [Automate Assignments](../user-guide/optimize/assignment-automation) topic for additional information.
+
+## Overview
+
+After the role catalog is established, the [Compute Role Model Task](../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) is able to assign single roles to users according to their attributes which are used as assignment criteria.
+
+> For example, in the AD, entitlements are given through group membership. Integrators create a
+> navigation rule to assign each group to the users who have the corresponding single role. Then,
+> the Compute-RoleModel task is able to assign single roles to users according to their existing
+> group membership.
+>
+> In addition to group membership, the assignment of an entitlement to users could also depend on
+> users' attributes like their location, position title, etc.
+
+Now that users received their roles, the role mining tool can analyze these assignments and deduce [Single Role Rule](../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) which will assign single roles to certain users matching given criteria.
+
+![Schema - Role Mining](/images/identitymanager/rolemining_schema.webp)
+
+Role mining is a Machine Learning process. It is a statistic tool used to emphasize the dimensions that constitute the key criteria for existing role assignments. See the [Conforming Assignments](../integration-guide/role-assignment/conformingassignmentcomputation)topic for additional information. It detects the most probable links between identities dimensions and their roles in order to suggest the appropriate entitlement assignment rules.
+
+> For example, suppose that 80% of Netwrix Identity Manager (formerly Usercube) workers in
+> Marseilles have access to an application "App". Then, role mining is most likely to recognize the
+> working site as a relevant dimension, and suggest to create a rule that gives the "App" access to
+> users whose site is Marseilles.
+
+Role mining being a statistic tool based on existing entitlement assignments, it appears useless if the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the [Create Roles in the Role Catalog](../user-guide/set-up/single-roles-catalog-creation).
+
+### Technical Principles
+
+Role mining works through [Mining Rule](../integration-guide/toolkit/xml-configuration/provisioning/miningrule) that Identity Manager applies with the [Get Role Mining Task](../integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask).
+
+### Entitlement differentiation with rule types
+
+Mining rules can be configured to generate:
+
+1. automatic rules, i.e. rules which assign roles automatically with or without a validation;
+2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an
+entitlement request for a user.
+
+ ![Suggested](/images/identitymanager/rolemining_suggested_v602.webp)
+
+You can generate both automatic and suggested rules for the same role, with different precision levels and different approval workflows.
+
+> Consider an organization where an unknown ratio of users have a given role. Using the precision
+> settings, we can create a mining rule to generate automatic assignment rules when the ratio is
+> above 95% and a second mining rule to generate suggested assignment rules when the ratio is
+> between 75% and 95%.
+>
+> ![Rule Types](/images/identitymanager/rolemining_ruletype.webp)
+
+You can also differentiate entitlements according to their sensitivity, for example require additional reviews following the request of a sensitive entitlement:
+
+![Rule Types - Sensitivity](/images/identitymanager/rolemining_ruletype-sensitivity.webp)
+
+The automation of entitlement assignments according to sensitivity brings greater confidence in basic entitlements assignment which won't need to be certified anymore. Thus, automation lets certification campaigns focus on more sensitive entitlements.
+
+Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, automatic rules should always have priority over suggested rules (via the `Priority` setting).
+
+### Impact on users' entitlements
+
+Consider that all users from a given organization have a given role. Then role mining will create a single role rule to assign automatically this role to any user of this organization. Then users' entitlements remain unchanged:
+
+![Impact Example - Use Case 1](/images/identitymanager/rolemining_impact_usecase1.webp)
+
+Now consider that half of users in the organization have the role. Then role mining will not generate a role assignment rule. Then users' entitlements remain unchanged:
+
+![Impact Example - Use Case 2](/images/identitymanager/rolemining_impact_usecase2.webp)
+
+Starting from the previous example, consider now that users progressively request the role. As long as the ratio is below a given threshold, then role mining will not generate a role assignment rule. Then users' entitlements remain unchanged:
+
+![Impact Example - Use Case 3](/images/identitymanager/rolemining_impact_usecase3.webp)
+
+Starting from the previous example, consider now that users continue requesting the role. As soon as the ratio is above the threshold, then role mining will create a single role rule to assign automatically this role to any user in the organization. Then a few users are going to get the entitlement:
+
+![Impact Example - Use Case 4](/images/identitymanager/rolemining_impact_usecase4.webp)
+
+Starting from the previous example, consider now that, as a result of a reorganization or an access certification for example, some users do not have the role anymore. If the ratio is below the threshold, then role mining will remove the single role rule. If the role (or its policy) is configured with a grace period, users who need the role will not lose it. Then users' entitlements remain unchanged:
+
+![Impact Example - Use Case 5](/images/identitymanager/rolemining_impact_usecase5.webp)
+
+## Perform Role Mining
+
+See the [Perform Role Mining](../user-guide/optimize/assignment-automation/role-mining) for additional information.
+
+### Simulation
+
+Be aware that you can configure the [Get Role Mining Task](../integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask) to generate role assignment rules either directly or in a [Simulation](../integration-guide/simulation).
+
+Simulating the results of role mining allows a knowledgeable user to analyze the impact of role mining on the role model, before applying them.
+
+![Schema - Role Mining](/images/identitymanager/rolemining_simulation.webp)
+
+The simulation tool gives another point of view on the role model as it emphasizes the changes.
+
+![Schema - Role Mining](/images/identitymanager/rolemining_simulationresults.webp)
+
+Identity Manager recommends simulating role mining before applying the results.
+
+## Memory Limitations
+
+Role mining analyzes large datasets to identify patterns in role assignments. To prevent system instability or out-of-memory errors, Identity Manager always estimates memory requirements before execution based on the number of dimensions, identities, and roles involved in the analysis.
+
+The system performs two checks:
+1. **Basic check (always enabled)**: Prevents operations that would require more memory than the total system RAM
+2. **Percentage-based check (optional)**: When `MaxRamPercentageRoleMining` is configured, prevents operations that would exceed the specified percentage of available RAM
+
+If the estimated memory requirement exceeds these limits, the operation fails with an error message rather than risking system crashes.
+
+**Common error message:**
+> This role mining operation is too resource intensive. Please simplify your model by excluding non-relevant dimensions (use IsExcludedFromRoleMining).
+
+**Resolution options:**
+
+- **Exclude non-relevant dimensions**: Set `IsExcludedFromRoleMining="true"` on entity type dimensions that are not relevant for role assignment analysis. This reduces the dimensionality of the analysis and memory requirements. See the [Dimension](toolkit/xml-configuration/metadata/dimension) documentation for details on this attribute.
+- **Process entity types separately**: Instead of using `AllEntities="true"` in your mining rule, create separate mining rules for specific entity types to reduce the scope of each analysis.
+- **Adjust memory limits (on-premises only)**: Configure the `MaxRamPercentageRoleMining` setting to control what percentage of available RAM role mining operations can use. See the [Application Settings](../integration-guide/network-configuration/server-configuration/general-purpose) topic for configuration details.
+
+By limiting the scope of role mining analysis to relevant dimensions and entity types, you can ensure operations complete successfully while maintaining meaningful results.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-model/index.md b/docs/identitymanager/6.3/integration-guide/role-model/index.md
new file mode 100644
index 0000000000..1ef9cdb3cb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-model/index.md
@@ -0,0 +1,48 @@
+---
+title: "Role Model"
+description: "Role Model"
+sidebar_position: 80
+---
+
+# Role Model
+
+The role model, with its computation and enforcement, is at the heart of Identity Manager's engine. It is composed mainly of roles, representing entitlements, and rules, enforcing the company assignment policies.
+
+Make sure to read the introduction on entitlement management first. See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+## Roles
+
+Roles represent entitlements from the managed systems, but expressed in a language understandable by non-technical people.
+
+A single role is meant to represent one entitlement from a managed system, by acting as a label, thus allowing better organization and readability.
+
+A composite role is meant to group several single roles into a meaningful, business-themed entitlement package.
+
+In this way, the role model can be seen as a [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) (RBAC).
+
+## Assignment Rules
+
+An [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment) gives an entitlement to a user, usually based on (at least) one criterion from the user's data. Assignment rules are:
+
+- single role rules which assign single roles;
+- composite role rules which assign composite roles;
+- resource type rules which assign resources, usually accounts, of specific types.
+
+The identity criteria that trigger the rules are named dimensions.
+
+In this way, the role model can also be seen as an [Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) (ABAC) model.
+
+Identity Manager gives users access to given resources in the managed systems, based on roles and rules, but it does not override the managed systems' authorization mechanisms.
+
+## Enforcement of the Assignment Policy
+
+The company's policy for entitlement assignment is enforced by Identity Manager with the computation of the role model, through the [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) It applies all the configured rules, thus:
+
+- helping build a catalog of all available entitlements in the managed systems; See the
+[Create Roles in Bulk](../../user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation) topic for additional information.
+- helping build the rules that define the assignment policy, i.e. the expected entitlement
+assignments for all users; See the[Perform Role Mining](../../user-guide/optimize/assignment-automation/role-mining) topic for additional information.
+- automating entitlement assignment; See the [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment) topic for additional information.
+- generating the provisioning orders that enable writing to the managed systems; See the [Create a Provisioning Rule](../../user-guide/set-up/provisioning-rule-creation) topic for additional information.
+- detecting assignments in the managed systems that do not comply with the policy; See the[Review Non-conforming Assignments](../../user-guide/administrate/non-conforming-assignment-review) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/role-model/role-model-rules.md b/docs/identitymanager/6.3/integration-guide/role-model/role-model-rules.md
new file mode 100644
index 0000000000..ff0622f496
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/role-model/role-model-rules.md
@@ -0,0 +1,163 @@
+# Assignment Policy
+
+The assignment policy is the set of rules enforced on the resources to compute automatic assignments and risks. It contains the role model and risks definition.
+
+## The Role Model
+
+The Introduction Guide introduced the [Entitlement Management](../../introduction-guide/overview/entitlement-management) and how it influences assigning entitlements to identities. Let's sum up the key principles here.
+
+1. Identities are resources.
+2. Assignments of entitlements are materialized by resources, their values and associations.
+3. Identity Manager uses a [role-based](https://en.wikipedia.org/wiki/Role-based_access_control)
+assignment policy to grant entitlements to identities, i.e. granting a role entails granting entitlements.
+4. The role model is first a catalog of available roles
+([Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) and [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole)), identified by meaningful names aimed at non-technical end-users. These roles represent status of trust and privileges, to be assigned to identities, manually or automatically.
+5. The role model is also a set of rules aiming at assign automatically roles to identities, based
+on relevant criteria, namely [**dimension**](../../integration-guide/toolkit/xml-configuration/metadata/dimension).
+6. The role model classifies resources by security concerns thanks to resource types.
+7. The role model contains correlation rules identifying ownership of target resource by an
+identity.
+8. The role model contains provisioning rules describing if and how target resources and their
+values should be computed from source resource values.
+
+Resource types, single roles and composite roles can be grouped into [Category](../../integration-guide/toolkit/xml-configuration/provisioning/category). They are used in the UI to organize the Roles catalog display. Categories are organized in a hierarchical tree structure.
+
+### Policy
+
+A [Policy](../../integration-guide/toolkit/xml-configuration/provisioning/policy) is a set of assignment rules. At least one policy must be declared.
+
+All resource types, single roles and composite roles and categories belong to a policy.
+
+## **dimensions** And Contexts
+
+One of Identity Manager's distinctive feature is the use of [Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) methods to automatically grant fine-grained entitlements.
+
+Every identity in the organization operates within a specific **context**. It is a set of information relevant to making decisions about assigning entitlements for an identity. For example, an employee working in the R&D department of the New York office at Contoso Corporation is associated with the `{R&D, New York}` **context**.
+
+Analyzing contexts in the organization allows the integration team, in collaboration with a knowledgeable member of the target organization, to define key criteria on which to base assignments of entitlements decisions. Those key criteria are called **dimensions**.
+
+The integration team defines [**context** Rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule) and [Record Section](../../integration-guide/toolkit/xml-configuration/provisioning/recordsection)in the applicative configuration that assigns, for every identity, a **context** as a set of **dimension**-value pair.
+
+The details of how contexts are generated can be found in [Generate Contexts](../../integration-guide/role-assignment/generate-contexts).
+
+Every **dimension** is associated with a finite set of possible values. That means there is a finite set of possible **context**. Hence, typical contexts within which an identity operates are modeled.
+
+Contexts can then be used as a filter for choosing an identity to which to assign a role.
+
+This mechanism allows the integration team to define rules to take care of the most basics and repetitive assignments. For example, a [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) assigning a specific single role to the resources that match a specific **context**.
+
+##### Example
+
+A standard multi-site and multi-department organization would use the following **dimensions**:
+
+- `Location`, the physical location where an employee works.
+- `Department`, the employee working department, such as `IT`, `Sales` or `Accounting`.
+
+Roles could be assigned based on location and department of the resource representing an identity.
+
+For a rule such as "every employee that works in IT must have access to the servers room", the `ServerRoomAccess` single role would be assigned to every resource of entity type `employee` whose **context** contains the value `IT` for the **dimension** `Department`.
+
+A **context** rule would have been written first, defining for every resource of entity type `employee` how to compute a **context**: the `Department` **dimension** value is found in the `department` property of the resource, the `Location` **dimension** value is found in the `site` property of the resource.
+
+## Write Roles And Assignments Rules
+
+The role model takes a very important place in the applicative configuration. It's built by the integration team, in collaboration with the target organization, to match the organization's needs and rules in security.
+
+The role model is built iteratively, together with the [Entity Model](../../integration-guide/entity-model), as they closely influence one another.
+
+The role model evolves and lives during the whole IGA project's lifecycle. Organization rules change, roles and assignment rules are updated, deleted, added.
+
+The following gives a few ideas about how a to approach the writing of a role model.
+
+### 1. Identify single roles
+
+The first iteration of building of the organization reference model starts to reveal the **archetypal** responsibilities and positions of the members of the organization. A [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) is defined for every fine-grained organization-level responsibility or position.
+
+##### Example
+
+Contoso Corporation employs project managers in their Aircraft Design department to manage aircraft design projects for clients all around the world. Those projects involve aerodynamics and structure engineers, construction workers, quality control agents and sale engineers.
+
+**Everyone** in the team needs to access the Internet to do research and send e-mails. That's a first typical single role `Internet Access` that **Everyone** should be assigned to be able to work.
+
+Aerodynamics engineers need to access remote high-performance computation servers specifically designed to solve aerodynamics equations. The sensitive nature of the data sent to those servers, plus the availability constraints, require restricting access to engineers that absolutely need it to perform their daily tasks. That's another responsibility, that can be translated to a single role `Aerodynamics Computation Server` for example, that grants access to those servers.
+
+Structure engineers, on the other hand, do not perform such heavy computations and do not need access to the aerodynamics computation server. They can work locally, performing computations on their own workstation. They're not assigned the `Aerodynamics Computation Server` role.
+
+Quality control agents need access to sensitive information such as accident reports, on the internal data server named `data0`. Those highly sensitive privileges are not assigned to **Everyone**. They can be translated to the `Data Server data0` role.
+
+The project manager needs access to the `data0` and `data1` servers with client contracts. The `Data Server data0` and `Data Server data1` roles translate those responsibilities.
+
+### 2. Identify navigation rules and ownership
+
+For every [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) assigned to an identity, fine-grained entitlements need to be granted. Those are the resource values in a managed system.
+
+Hence, for every single role, the relevant managed systems, type of resource, and resource values to fulfill are identified.
+
+They are materialized by:
+
+- Provisioning rules, such as resource type rules that decide what resources should be found in the
+managed systems; and navigation rules or scalar rules, that identify actual values to be fulfilled from the identity to which the single role is assigned;
+- [Resource Correlation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule),
+that identify for an identity, the target resources to fulfill;
+- Resource type that organize resources and describe a source/target (or owner/resource)
+relationship.
+
+The resource types identified this way could be suggested to security officers for review, checking that they match their mental model of the managed system's resources.
+
+Sets of scalar rules and navigation rules relevant to a specific resource type are gathered into a resource type.
+
+#### Example
+
+Let's consider the `Internet Access` defined at step 1.
+
+In practice, Contoso Corporation authorizes or block a user Internet access by setting per-user outbound policies on their network firewall. The firewall integrates with Active Directory which make it possible to use Active Directory groups membership to enable or disable policies for a user.
+
+A security officer, to grant Internet access to an employee, would in practice assign a `Internet Access` group membership to their Active Directory account. That is a **fine-grained entitlement** entailed by the assignment of the `Internet Access` single role. That means that, to be able to grant or restrict Internet access, the link between an identity and their Active Directory account, used to login to work, must be known.
+
+To modelize that need within the role model, every identity with `Internet Access` single role is associated with an Active Directory account. We can find the Active Directory for an identity by comparing the identity email with the Active Directory entry e-mail. That's an example of [Resource Correlation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule) that define the ownership of an Active Directory entry resource by an identity resource.
+
+### 3. Write assignment rules
+
+[Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) describe criteria for which a [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) is assigned to a resource. The main criterion is a **dimension** value. For a given resource, the single role is assigned if the resource's **context** matches the given **dimension** value. The second criterion is the assignment of a specific [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole) (see further).
+
+A navigation rule describes a **fine-grained entitlement** in the form of resource association such as a group membership. Its enforcement is also conditioned by a single role assignment to the relevant source resource, which in turn materializes the link between a single role and a resource type.
+
+Those rules are used by Identity Manager to automate role assignments. They are absolutely **optional**. A first version of the project can rely on manual assignments of single roles. Those have meaningful names: Identity Manager already provides a value by allowing non-technical users to request or assign entitlements. Navigation and or scalar rules can be written in a second time to allow automated fulfillment. Single role rules can be written after that to set up automated assignments.
+
+##### Example
+
+The need for aerodynamics engineers to access the remote computation server is translated by a single role rule: if the department (a **dimension**) of that identity is `Aerodynamics R&D` (a **dimension** value), then the `Aerodynamics Computation Server` single role must be granted.
+
+The need for assignment of the `Internet Access` group to the Active Directory account, if the identity is assigned the `Internet Access` single role is modeled by a navigation rule that stipulates that if that identity is assigned that role, then the `memberOf` property of the owned Active Directory entry resource should be set to the AD group named `Internet Access`.
+
+### 4. Use Composite Roles To Organize Single Roles (**optional**)
+
+[Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) can be packaged into [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole). Assigning a composite role to an identity immediately assigns the packaged single role to that identity. Single roles assigned this way are said to be **inferred**.
+
+The [Composite Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/compositerolerule) (see composite role rules describe criteria for which a composite role is assigned to an identity. Then, the composite role can be used as a condition in a [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule). This is how packages are built.
+
+### Summary - A mental model to help build a role model
+
+To help build a role model, consider this mental model that captures the key events occurring between the assignments of a role and the actual assignment of entitlement.
+
+1. A resource-identity `Ri` is associated with a **context** `Ci`, i.e. **dimension** values.
+2. `Ri` is assigned a single role `SRa`, manually or as a result of **dimension** comparisons.
+3. Identity Manager's engine identifies a resource type `Rt` with the type rule `Tr` whose condition
+matches `SRa` and/or `Ci`.
+4. Using `Rt`'s definition, Identity Manager's engine identifies by correlation a target resource
+`Tr` from the resource repository that must be **created or updated** to materialize `SRa`.
+5. Identity Manager's engine identifies `Rt`'s navigation rule `Nr` whose condition matches `SRa`
+and/or `Ci`, and associated scalar rules `Sr`.
+6. Using `Sr` and `Nr`'s definition, Identity Manager's engine identifies `Tr`'s values to be
+provisioned to materialize `SRa`.
+
+This series of steps is actually a very simplified version of the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm.
+
+![Cascading From **dimensions** To Roles To Provisioning Orders](/images/identitymanager/enforce-assignment-policy-summary.webp)
+
+**---**
+
+## Evaluate Policy
+
+This chapter gives the basis of the assignments vocabulary. The next chapter enlightens the reader about the inner details of the Evaluate Policy algorithm. See the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/simulation.md b/docs/identitymanager/6.3/integration-guide/simulation.md
new file mode 100644
index 0000000000..83ae1061b8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/simulation.md
@@ -0,0 +1,41 @@
+---
+title: "Simulation"
+description: "Simulation"
+sidebar_position: 110
+---
+
+# Simulation
+
+Simulations aim to assess the impact of a modification in the role model, i.e. any modification of a role or rule, before it is applied.
+
+## Overview
+
+Identity Manager's simulations gather roles and rules which are to be created, modified or deleted, without being inserted in the actual role model straight away. More specifically, a simulation can involve:
+
+- [Resource Correlation Rule](../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule)
+and [Resource Classification Rule](../integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule);
+- Scalar rules and navigation rules;
+- [Resource Type](../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) rules;
+- [Single Role](../integration-guide/toolkit/xml-configuration/provisioning/singlerole) and
+[Composite Role](../integration-guide/toolkit/xml-configuration/provisioning/compositerole);
+- [Single Role Rule](../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule)and
+[Composite Role Rule](../integration-guide/toolkit/xml-configuration/provisioning/compositerolerule).
+
+A simulation can also be created by the role mining tool for the automation of role assignments. See the [Perform Role Mining](../user-guide/optimize/assignment-automation/role-mining) topic for additional information.
+
+Through simulation, integrators can:
+
+1. create, modify or delete roles and rules in a given policy;
+
+Only one simulation can be active per policy.
+
+2. observe via simulation reports the impact on the whole system, i.e. both assignments and
+provisioning results, before the changes are applied;
+3. decide to confirm or cancel changes.
+
+Netwrix Identity Manager (formerly Usercube) recommends using simulation whenever performing an action (creation/modification/deletion) on the role model.
+
+## Perform a Simulation
+
+See the [Perform a Simulation](../user-guide/optimize/simulation) for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/synchronization/index.md b/docs/identitymanager/6.3/integration-guide/synchronization/index.md
new file mode 100644
index 0000000000..fb0eb8e1e1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/synchronization/index.md
@@ -0,0 +1,16 @@
+---
+title: "Synchronization"
+description: "Synchronization"
+sidebar_position: 60
+---
+
+# Synchronization
+
+The documentation is not yet available for this page and will be completed in the near future.
+
+See more information about [Upward Data Synchronization](../../integration-guide/synchronization/upward-data-sync).
+
+See how to [Synchronize Data](../../user-guide/set-up/synchronization)for a given managed system.
+
+See how to anticipate changes due to synchronization thanks to [Thresholds](../../integration-guide/synchronization/synchro-thresholds).
+
diff --git a/docs/identitymanager/6.3/integration-guide/synchronization/synchro-thresholds.md b/docs/identitymanager/6.3/integration-guide/synchronization/synchro-thresholds.md
new file mode 100644
index 0000000000..3a98b63593
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/synchronization/synchro-thresholds.md
@@ -0,0 +1,62 @@
+---
+title: "Thresholds"
+description: "Thresholds"
+sidebar_position: 20
+---
+
+# Thresholds
+
+Thresholds are essential safety guards controlling all changes, for example preventing the overwriting of important data by mistake.
+
+Thresholds are by default activated to warn users when synchronization or provisioning triggers too many modifications. If the number of modifications exceeds the specified threshold, Identity Manager stops the synchronization/provisioning and displays a warning on the log page.
+
+Thresholds can be deactivated via the value `0`, though they should not all be. Each action must be "guarded" by at least one threshold.
+
+Once the changes have been reviewed, the blocked job can be resumed (or not). See the [Synchronize Data](../../user-guide/set-up/synchronization) topic for additional information.
+
+As long as a synchronization job is blocked for a connector, the export, prepare-synchronization and synchronization tasks of this connector are removed from incremental jobs. The synchronization is unblocked as soon as the blocked job is resumed, or as soon as a job involving the connector is launched in complete mode.
+
+## Thresholds for Synchronization
+
+Synchronization thresholds can be configured in XML files via:
+
+- [Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) to
+count the number of resources impacted by synchronization inside a given entity type. They are configured with:
+
+ | Absolute Threshold | Relative Threshold |
+ | --- | --- |
+ | `MaximumDeletedLines` | `MaxPercentageDeletedLines` |
+ | `MaximumInsertedLines` | `MaxPercentageInsertedLines` |
+ | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` |
+
+- [Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping)
+to count the number of navigation properties impacted by synchronization inside a given entity type. They are configured with:
+
+ | Absolute Threshold | Relative Threshold |
+ | --- | --- |
+ | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` |
+ | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` |
+
+- [Connector](../../integration-guide/toolkit/xml-configuration/connectors/connector) to count the number
+of resources and/or navigation properties impacted by synchronization inside all entity types of a given connector. They are configured with:
+
+ | Absolute Threshold | Relative Threshold |
+ | --- | --- |
+ | **Resources** | |
+ | `MaximumDeletedLines` | `MaxPercentageDeletedLines` |
+ | `MaximumInsertedLines` | `MaxPercentageInsertedLines` |
+ | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` |
+ | **Navigation Properties** | |
+ | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` |
+ | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` |
+
+All thresholds are active. Therefore, the **lowest** threshold (according to the specific situation) would be the first to stop synchronization.
+
+For example, in a connector, the default values for thresholds are 100 modifications for resources (`Maximum...Lines`) and 1000 modifications for navigation properties (`MaximumLink...Lines`).
+
+If we launch synchronization for an entity type whose threshold values are **lower than the connector's**, then Identity Manager blocks synchronization as soon as the number of modifications exceeds the entity type's threshold values.
+
+If the entity type's threshold values are **higher than the connector's**, then Identity Manager blocks synchronization as soon as the number of modifications exceeds the connector's threshold values (100 resources or 1000 navigation properties).
+
+Distinct [Thresholds](../../integration-guide/provisioning/prov-thresholds) are configurable for provisioning.
+
diff --git a/docs/identitymanager/6.3/integration-guide/synchronization/upward-data-sync.md b/docs/identitymanager/6.3/integration-guide/synchronization/upward-data-sync.md
new file mode 100644
index 0000000000..e404d7cdf6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/synchronization/upward-data-sync.md
@@ -0,0 +1,318 @@
+---
+title: "Upward Data Synchronization"
+description: "Upward Data Synchronization"
+sidebar_position: 10
+---
+
+# Upward Data Synchronization
+
+Upward Data Synchronization (Sync Up) is the process that copies relevant managed systems data into Identity Manager's resource repository and translates them into resources that match the configured Entity Model. See the [Entity Model](../../integration-guide/entity-model) topic for additional information.
+
+Performing a _Sync Up_ allows the user to:
+
+- integrate the managed systems state with Identity Manager. The copied data serves as the basis for
+the assignment computation;
+- check that previously edited provisioning orders have been accurately executed;
+- ascertains differences between the real managed system state and the
+[Assignment Policy](../../integration-guide/role-model/role-model-rules) theoretical state.
+
+## Overview
+
+### A scheduled sync up per managed system
+
+_Sync Up_ is performed regularly, at least every day, as a set of [Tasks & Jobs](../../integration-guide/tasks-jobs).
+
+A _Sync Up_ is planned for every managed system that interact with Identity Manager.
+
+A _Sync Up_ is associated with a [Connectors](../../integration-guide/connectors).
+
+### Three sync up mode
+
+Identity Manager provides three distinct synchronization algorithms:
+
+- _incremental_
+- _complete_
+- _initial_
+
+_Complete_ is most straightforward one. A _complete\_\_Sync Up_ loads the managed systems' data into Identity Manager as-is, replacing entirely the currently held data.
+
+As it involves sending large amounts of data over HTTP between _Agent_ and _Server_, _complete_ execution time can be quite large.
+
+To improve the _Sync Up_ execution time, Identity Manager provides the _incremental_ mode. This mode only considers changes made to the managed systems since the last _Sync Up_. Those are applied to the Identity Manager's database. Only changes are sent through the network, instead of whole data files, which allows the _Sync Up_ execution time to be greatly reduced.
+
+Changes are computed either by the managed system itself, given such capabilities are available, or by a Identity Manager's _Agent_.
+
+However, the _incremental_ mode cannot be 100% reliable for two reasons.
+
+First, it relies on external inputs that are not directly controlled by Identity Manager. Second, it only exports changes based on the managed system state, not on Identity Manager's database state.
+
+External perturbations could cause slight differences between the database's state and the managed systems'. Order can be restored by running a _complete_ Sync Up regularly. A _complete_ Sync Up ensures the database is in a stable state, faithfully reflecting the managed system state, before resuming the _incremental Sync Up_ iterations.
+
+Safeguards are also implemented to avoid accidental overwrites, that would be caused by an empty or incomplete input.
+
+Finally, the _initial\_\_Sync Up_ is designed to be used the first time a managed system connects to Identity Manager. Just as the _complete_, it loads the data as a whole. But, unlike the _complete_, it does not overwrites the currently held data and does not provide any safeguard. The _initial_ mode provides a quick way to perform the first _Sync Up_. The trade-off is security: _initial\_\_Sync Up_ should only be used the first time a managed system connected to Identity Manager and the database is empty, as far as this connector is concerned. Launching the Initial _Sync Up_ twice would actually load the same data twice whereas launching the _complete_ twice would have the same effect as launching the _complete_ once.
+
+### An ETL process
+
+_Sync Up_ is organized as an [Extract, Transform, Load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. It's composed of three steps: _export_, _prepare-synchronization_, and _synchronization_.
+
+## Export
+
+The _Export_ is the first step of the _Sync Up_.
+
+During this step, data is extracted from the managed system and generates _CSV files_ containing the managed system's raw data. The **output** of this process is called the **_CSV source files_**. They are written to the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) export directory waiting to be used by the next-in-line _prepare-synchronization task_.
+
+The _Export_ occurs _Agent_-side.
+
+### Native support or custom process
+
+Depending on the managed systems capabilities, an _Export_ step can be performed by one of Identity Manager's native tasks or by custom scripts.
+
+#### Using native process
+
+Identity Manager's [Connectors](../../integration-guide/connectors) provide native _Export_ tasks for the most common managed systems. _Active Directory_, _SAP_, or _SharePoint_ are examples of natively supported managed systems. The output _CSV source files_ format is described in the [Connectors](../../integration-guide/connectors) section together with an exhaustive list of supported source managed systems.
+
+[Connectors](../../integration-guide/connectors)are Identity Manager's link to the managed system. They provide configurable export and fulfill capabilities that can be used by Identity Manager *as-is* without any further development.
+
+#### Using a custom process
+
+Exporting data from a managed system without a native Identity Manager process is still possible by writing a custom _Export_ process.
+
+If the managed system has built-in export capabilities, Identity Manager can simply rely on exports scheduled by the source managed system. Regularly, the managed system generates reports, in whatever format. A custom task, such as a [Invoke Expression Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask), can then be used to retrieve the generated exports, adapt them to the _CSV source files_ format expected by Identity Manager and copy them to the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) export directory. The whole can be scheduled and orchestrated by a [Jobs](../../integration-guide/tasks-jobs/jobs).
+
+**For example**, a common scenario is to configure an HR management system to perform daily extracts of its data to CSV files for the _Agent_ to find. This usually can be set up without any Identity Manager's task, just by using the managed system and the organization's network capabilities.
+
+If the managed system does not provide built-in export features but provides an API or an exposed database, it's possible to write a custom _export_ process based on that API or direct requests to the managed system's database. This process can then be used as an _export task_ wrapped in a [Invoke Expression Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask) or an [Invoke Sql Command Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask). See the [Invoke Expression Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask) topic for additional information. Any Windows process that can be called from a PowerShell script and generate a CSV file can serve as an export process.
+
+**How to choose the custom CSV source file format ?** It's best to keep it simple and stick as closely as possible to the managed system data model. Data cleansing and translation to the resource repository's Entity Model is handled later in the _Sync Up_ process. There is no need to try and optimize the CSV source file format in a custom script. It's best to keep it close to the managed system to be able to spot early _export_ errors.
+
+### Export tasks output
+
+The format of the exported _CSV Source files_ depends on the chosen _Sync Up_ mode and on the used _export task_. Nonetheless, there are a few criteria that _prepare-synchronization_ expects to find in those files.
+
+First, it must be a CSV format. One line per entry, and every attribute as a column.
+
+Then, there is a slight difference between _Complete/Initial_ and _Incremental_ export.
+
+With the _Complete_ and _Initial_ modes, _CSV source files_ contain an exact extract of the managed system's data as a list of entries. At this point, the Entity Model is not yet involved. Every line of the _CSV source file_ mirrors a line in the source managed system database.
+
+With _Incremental_ mode, if the source managed system is able, one more column is added. It contains a ADD, UPDATE, or DELETE instruction. _Incremental_ export generates a list of changes made on the managed system since the last export, instead of an exact mirror of the data. Active Directory and Microsoft Entra ID (formerly Microsoft Azure AD), for example, are able to produce such exports, as LDIF files, that the Active Directory connector translates into _resources_ changes. Identity Manager's native support for ServiceNow and SCIM also provides such capabilities.
+
+In case the source managed system does not possess _incremental_ export capabilities, the changes computation is performed during the _prepare-synchronization_ step.
+
+Inside those constraints, every natively supported _export task_ generates its own _CSV source file format_, described in the [Connectors](../../integration-guide/connectors) section. Usually, two kinds of files are generated: _entries_, describing plain entries, and _associations_, describing associations between entries.
+
+All _CSV source files_ are written to the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) export directory.
+
+At the end of the _export_ step, the Upward Data Synchronization contains several files per connectors, that will be translated into _resources_ during _prepare-synchronization_ and _synchronization_ steps thanks to Entity Mapping (see below).
+
+The [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) export directory can also contain opaque [cookie files](https://ldapwiki.com/wiki/DirSync) used for incremental export of a few systems such as Active Directory, Microsoft Entra ID, ServiceNow, and SCIM.
+
+The reader might now understand how, as laid out in the overview, the input data could be unreliable given the volatile nature of the managed system export methods. _Complete_ and _incremental_ modes work together to find the best compromise between reliability and execution time.
+
+### Example
+
+The following example demonstrates the native Active Directory export process.
+
+Exporting data from an Active Directory can be achieved by using the [Export Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask) task within a Job.
+
+The Tasks requests from the source Active Directory all entries that match a configured filter. It outputs a set of _CSV source files_, containing raw AD Entries data (`ad_entries.csv`), information about group membership (`ad_members.csv`) and about the hierarchical organization (`ad_managers.csv`).
+
+![Active Directory Export Example](/images/identitymanager/ad_export_example.webp)
+
+`ad_entries.csv` contains raw AD entry data.
+
+```
+employeeID;businessCategory;extensionAttribute15;objectCategory;sAMAccountName;userPrincipalName;parentdn 00001;fames;ac;turpis;egestas;integer;eget 00002;ullamcorper;eget;nulla;facilisi;etiam 00003;integer;eget;aliquet;nibh;praesent
+````
+
+
+```ad_managers.csv``` contains a list of associations, representing the link between an employee (```employeeId``` column) and their manager (```manager``` column).
+``` employeeID;manager 00001,99812 00002,99812 00003,99812
+
+````
+`ad_members.csv` contains also a list of associations, representing the link between a group
+(identified by its `dn`) and its members (the `member` column).
+
+ ```
+
+dn;member CN=SG_APP_AG002,DC=internal;CN=U34811,DC=internal
+CN=SG_APP_AG002,DC=internal;CN=U18184,DC=internal CN=SG_APP_AG002,DC=internal;CN=U43405,DC=internal
+CN=SG_APP_AG002,DC=internal;CN=U51630,DC=internal
+````
+
+
+## Entity Mapping
+
+The aim of the _Sync Up_ is to load managed systems' data into the resource repository. As such, it requires Identity Manager to translate data from the managed system format (or, more accurately, the _export task_'s output format) into the resource repository format, that is, the [Entity Model](../../integration-guide/entity-model).
+
+The translation rules are described in the applicative configuration by [Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and [Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) elements.
+
+Entity Type Mapping elements map the resources _CSV source files_ columns to [Entity Model](../../integration-guide/entity-model) properties. Each mapping also identifies one column as the _primary key_ for this Entity Type. The _primary key_ is used to uniquely identify a resource in the _Sync Up_ process. It's mandatory to be able to perform _incremental__Sync Up_, as it allows to identify a resource on which an _update_ or a _delete_ has to be performed.
+
+[Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) elements translate the _CSV source files_ into [Entity Model](../../integration-guide/entity-model). They describe rules identifying associations between resources loaded thanks to the [Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping).
+
+## Prepare Synchro
+
+_Prepare-Synchronization_ is the second step of the _Sync Up_. It transforms the _CSV source files_ further, before the _Synchronization_ step.
+
+It performs data cleansing and, in _incremental_ mode, computes changes made on the source managed system since the last _Prepare-Synchronization_.
+
+It's performed on the _Agent_-side.
+
+### Data cleansing
+
+The following actions are performed on the _CSV source files._
+
+1. Removing columns that are not used in [Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) or [Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping)
+2. Entries that have a null primary key
+3. Removing duplicates
+4. Sorting entries according to the primary key
+
+The result of the _Prepare-Synchronization_ is stored in the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) export directory as three files:
+
+For every entity type of the relevant _Connector_ involved in an[Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) or an[Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) `````` , a ```.sorted.csv``` file is generated, containing the final, cleaned, sorted result.
+
+Duplicates are kept in a separate ```.duplicates.csv``` file.
+
+Null primary key entries are kept in a separate ```.nullpk.csv``` file.
+
+### Computing changes
+
+In _incremental_ mode, changes might need to be computed by the _Agent_.
+
+If the export step has provided computed changes, no further process is required. The changes will be sent as-is to the server.
+
+If the export step has provided a full extract of the managed systems, the _prepare-synchronization_ step computes changes. This computation is based on the result of the last data cleansing, generated by the previous _prepare-synchronization_, and stored in the ```previous``` folder in the [Application Settings](../../integration-guide/network-configuration/agent-configuration/appsettings) export directory.
+
+For _incremental_ mode, it is **recommended** to use managed systems to compute changes when possible. Dedicated workstations and knowledge of the inner data organization allow managed systems to compute changes with a performance that Identity Manager can't match. Also, using managed systems for these operations avoid generating heavy files and alleviate Identity Manager's processing load.
+
+The result is a set of clean lists of changes stored as ```.sorted.delta``` file containing a _command_ column.
+
+The _command_ column can take the following values: _insert_, _update_, _delete_, and _merge_. These are instructions for the _synchronization_ step to apply the changes to the database.
+
+The ```.sorted``` file (the original cleaned export file, not the changes) is stored in the ```previous``` folder inside the Upward Data Synchronization . It will be used as a reference for the next _incremental__prepare-synchronization_ to compute the changes if needed.
+
+Tampering with the ```previous``` folder content would result in false changes in order to be computed and result in data corruption in the Identity Manager database. To restore the Identity Manager database to a state faithful to the managed system, a _complete__Sync Up_ would be required.
+
+### Preparing the server
+
+At the beginning of every _prepare-synchronization_ process, the _Server_ is notified via HTTP.
+
+Upon receiving the notification, the server creates a directory on its host environment, identified by a unique GUID, to contain ```.sorted``` or ```.sorted.delta``` files that will be sent by the agent.
+
+This aims to prevent network errors that would cause an _incremental_ database update to happen more than once.
+
+That means several _export_ and _Prepare-Synchronization_ tasks can be executed simultaneously, they will be processed by the server one at a time in the right order.
+
+Of course, any notification of a _complete__Prepare-Synchronization_ would cancel the previous non-processed _incremental_ ones. As a _complete_ reloads the whole database, it renders _incremental_ changes computation moot.
+
+### Sending clean exports
+
+```.sorted``` or ```.sorted.delta``` files are sent over HTTP to the _Server_ for the last step.
+### Prepare synchronization tasks
+
+- [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) is the standard _prepare-synchronization_ task.
+- PrepareSynchronization Change Task is used to process data source files containing changes.
+- PrepareSynchronization ActiveDirectory Task is specialized for Active Directory. This task handles Active Directory _incremental_ prepare-synchronization by using Active Directory _cookies_.
+
+### Example
+
+The following illustration models the complete _prepare-synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations: _members_ and _manager_.
+
+![Active Directory Prepare-Synchronization Example](/images/identitymanager/ad_preparesynchro_example.webp)
+
+## Synchro
+
+_Synchronization_ is the last step. It loads data into the resource repository from cleaned _CSV source files_. It's performed _Server_-side.
+
+### Translating
+
+Before writing to the Identity Manager's database, the _Server_ uses [Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and[Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) to translate _CSV source files_ into _Entity Model compliant_ resources and resolve association links.
+
+### Tables
+
+The _Synchronization_ step involves four tables from Identity Manager's database.
+
+- UR_Resources contains the actual resources.
+- Mono-valued associations ( target column index 128 to 137 included ) are stored in UR_Resources as well,
+- Multi-valued associations ( target column index null or -1 or 0 to 127 included ) are stored in the UR_ResourceLinks table.
+- UR_ResourcesChanges and UR_ResourceLinkChanges are intermediary tables, used by the complete mode as an extra step before committing changes to the UR_Resources and UR_ResourceLinks in the context of a safeguard mechanism.
+
+### Complete
+
+_Complete__synchronization_ starts with a ```.sorted.csv``` file that contains cleaned data, as in whole data, not mere changes.
+
+_Complete synchronization_ replaces entirely the database resources. That means that all resource, for that [Connector](../../integration-guide/toolkit/xml-configuration/connectors/connector), that are in the database but not in the _CSV source files_ will be deleted. That means no change made to the database from outside of the connectors or the UI are persistent.
+
+_Complete synchronization_ does not blindly insert data into Identity Manager database. Its aim is to update Identity Manager database to match the ```.sorted``` files received.
+
+To do so, ```.sorted``` files are translated into resources. Then, ```.sorted``` resources are compared against the currently hold database resources, matching Primary Key to Primary Key, to find differences.
+
+That means that, just as the _incremental_ mode, the complete mode will actually apply changes to the database. The difference being that the _complete_ synchronization computes the changes on the _Server_ and the _incremental_ computation computes the changes on the _Agent_ or the managed system. Hence, complete synchronization has to send large data files over the network and is slower.
+
+#### Safeguard
+
+Before actually updating the database, the number of changes to be applied to the database to match the ```.sorted``` resources is compared to a user-defined threshold.
+
+The threshold is a percentage of the total number of stored resources. If the number of changes goes over the threshold, the synchronization is blocked. This safeguard aims at detecting human or system errors that could corrupt Identity Manager's database. For example, a number of _delete_ commands greater than the threshold could be caused by an accidental empty _CSV source file_ being fed to the _synchronization_.
+
+For this purpose, changes are applied to an intermediary safeguard set of tables, UR_ResourcesChanges and UR_ResourceLinkChanges. The threshold is checked, and if validated, changes are applied to the UR_Resources and UR_ResourceLinks tables.
+
+### Initial
+
+_Initial_ synchronization loads the translated resources directly into the database, using INSERT SQL commands. There is no threshold checking, no comparing the data to insert to the currently held data to find differences. It should only be used on a managed system for which Identity Manager does not hold any resources yet.
+
+### Incremental
+
+The incremental mode uses a ```.sorted.delta``` file that contains changes.
+
+Thresholds are checked just as with the _complete_, using intermediary UR_ResourcesChanges and UR_ResourceLinkChanges. tables.
+
+Then, changes according to the _command_ column are applied to UR_Resources and UR_ResourceLinks.
+
+### Synchronization tasks
+
+- [Synchronize Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask) is the standard _synchronization_ task.
+- SynchronizeChanges Task is used to handle changes together with PrepareSynchronization Change Task.
+- SynchronizeActive Directory Task is specialized for Active Directory. To be used with PrepareSynchronizationActiveDirectory Task.
+
+### Example
+
+This example illustrates the _complete_ loading of Active Directory ```.sorted``` files into Identity Manager database.
+
+![Active Directory Synchronization Example](/images/identitymanager/ad_synchro_example.webp)
+
+## Handling Errors
+
+The _syncro_ step is where potential errors laid out in the overview could impact the database.
+
+- The ```previous``` folder content could be tampered with;
+- Managed systems limitations, or human error in the export step, could result in a wrong or incomplete _CSV source file_ being fed to the _Synchronization_;
+- Identity Manager database could be restored to an older state to try and fix hardware failure or SQL tests gone wrong.
+
+These events, although exceptional, occur. They cause Identity Manager's database and the managed systems to be slightly off one another. The _incremental__Sync Up_ cannot fix these differences because the database is not taken into account in the changes computation. The _complete__Sync Up_ can fix it because it compares directly the database against the _export_ output files, i.e. it relies on the managed system's state, not on the database state.
+
+It is hence **recommended** to run at least a daily _complete_ synchronization to account for these exceptional events and quickly fix the errors they might have cause into the database.
+
+Remember that _incremental_ and _complete_ Sync Up modes use safeguards to avoid accidental overwrites. That means any error that could find its way into the database would be small.
+
+_Incremental_ mode also offers another optimization that will be described in the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) section. Trade-offs of that optimization can also be counterbalanced by running a daily _complete_ synchronization.
+
+## Thresholds
+
+A introduced earlier, to mitigate the risk of data loss in the case of abnormal data source files, the _synchronization Job_ is locked if the number of changes to apply goes over a specific threshold.
+
+Thresholds can be configured by the user in the applicative configuration and be specific to a [Connector](../../integration-guide/toolkit/xml-configuration/connectors/connector), an [Entity Type Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and/or an[Entity Association Mapping](../../integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping). They are expressed as number of lines (ex: ```MaximumInsertedLines```) or as a rate (ex: ```MaxPercentageDeletedLines```).
+
+A synchronization task locked by a threshold can be unlocked by executing the Synchronization Validation task.
+
+Thresholds are ignored in _initial_ mode.
+
+The task's argument ```-force``` can be used to ignore thresholds.
+
+**---**
+
+Next, a word about the [Assignment Policy](../../integration-guide/role-model/role-model-rules).
+````
+
diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/build-efficient-jobs.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/build-efficient-jobs.md
new file mode 100644
index 0000000000..3a66dada33
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/build-efficient-jobs.md
@@ -0,0 +1,123 @@ +--- +title: "Build Efficient Jobs" +description: "Build Efficient Jobs" +sidebar_position: 30 +--- + +# Build Efficient Jobs + +This topic shows how to build efficient jobs by minimizing their costs. + +:::note + The rules below must be followed when creating a new job, otherwise the frequent launch of this scheduled job will trigger errors in a SaaS environment. +::: +### Prerequisites + +In order to successfully launch a frequent job (defined as a job called more than once an hour) the following requirements need to be met: + +- Synchronize / Export Task in incremental mode +- The UpdateEntityPropertyExpressions /ComputeCorrelationKeys/ComputeRoleModel tasks do have the +SetRecentlyModifiedFlag set to true +- The ComputeCorrelationKeys/UpdateEntityPropertyExpressions tasks are computed on a subset of +Entity Types (not all Entity Types at once) +- UpdateEntityPropertyExpressions/ComputeCorrelationKeys/ComputeRole tasks are not duplicated +- SetInternalUserProfiles/ActivityInstanceActor tasks are not configured to launch + +## Rule 1: Use Scaffoldings + +Identity Manager provides scaffoldings to simplify XML configuration by generating complex XML fragments. See the [Scaffoldings](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings) topic for additional information. + +Most jobs are included in job scaffoldings, thus configured in the most optimal way. So start by using scaffoldings to build jobs. See the [Jobs](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs) topic for additional information. + +For example, the creation from scratch of a job to perform a complete synchronization for a connector will be tedious. Instead, use Identity Manager's scaffolding, like in the following example concerning the Microsoft Entra ID (formerly Microsoft Azure AD) connector. 
Instead of a few dozens of lines, write only the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +``` + +See the[Create Connector Synchro Complete](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete)for additional information. + +## Rule 2: Compute Only What's Necessary + +**Execute the tasks on the right entity types** + +Many tasks can be executed either on all entity types, or on a given list of entity types. + +Make sure to configure the tasks so that they are executed only on the relevant entity types, not all of them by default. + +For example, instead of using AllEntityType set to true, write the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +       + +``` + +**Launch incremental tasks rather than complete** + +When a task is supposed to be executed on changes only, then there is no use executing the task in complete mode. + +Make the relevant tasks incremental by flagging the resources that were recently modified. See the [Configure an Incremental Job](../../integration-guide/tasks-jobs/configure-incremental-job) topic for additional information. + +For example, instead of computing the role model as if it had never been computed before, apply only the changes by writing the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +   +``` + +Launch only the relevant tasks according to the logical chain + +Identity Manager's tasks are all linked together by a logical chain that implies that some tasks are supposed to be executed after some others. + +Make sure to understand the tasks' logical chain to launch only the relevant tasks. 
See the [Troubleshoot Connector Jobs](../../integration-guide/tasks-jobs/troubleshoot-connector-jobs) topic for additional information. + +For example, there is no use computing expressions or correlations if there was beforehand no change in the database. Thus, there should not be UpdateEntityPropertyExpressionsTask or ComputeCorrelationKeysTask without first SynchronizeTask or FulfillTask. + +## Rule 3: Wait for Recurring Tasks + +Inside a recurring job, there is no need including some tasks twice in order to have the whole cycle, because the next execution will complete what has been started. + +For example, Identity Manager's feedback loop uses the tasks for synchronization, computation of the role model, provisioning, then once more synchronization and computation of the role model. + +Instead of including any task twice, rather write a job with each task once, schedule a periodic execution of the job, and wait for the next execution to get the whole cycle. For example for the AD: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +                                ... +                ... +               ... +            ... +                ... +   +``` + +``` + +``` + +``` + +       + +``` + +``` +   +``` + +``` +                                ... +                ... +               ... +            ... +                ... +   +``` + diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-incremental-job.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-incremental-job.md new file mode 100644 index 0000000000..dc3665a116 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-incremental-job.md 
@@ -0,0 +1,59 @@ +--- +title: "Configure an Incremental Job" +description: "Configure an Incremental Job" +sidebar_position: 60 +--- + +# Configure an Incremental Job + +This guide shows how to configure the relevant tasks to make a job incremental. + +## Overview + +When configured as such, Identity Manager is able to remember after synchronization which resources were modified, i.e. created, updated and/or deleted. + +It allows future tasks to be executed only on modified resources, in order to minimize jobs' execution times and costs. + +See the [Set Up Incremental Synchronization](../../integration-guide/tasks-jobs/jobfast) topic for additional information on a full Incremental job. + +## Configure a Job to Be Incremental + +Configure a job to be incremental by proceeding as follows: + +1. Configure the synchronization task +([Synchronize Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask)) with `DoNotDeleteChanges` set to `true`. + +This way, Identity Manager keeps the list of all changed resources. + + > For example, to synchronize incrementally the Active Directory: +> + > ``` +> + > ... + > +> + > ``` + +2. Tag all changed resources by running +[Set Recently Modified Flag Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask) after SynchronizeTask. + + > For example, following the synchronization task for the Active Directory: +> + > ``` +> + > +> + > ``` + +3. Configure the next tasks with `Dirty` set to `true` to apply them only to resources flagged as +"dirty", i.e. recently modified. + + > For example, to compute correlation keys incrementally: +> + > ``` +> + > ... + > +> + > ``` + diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-jobs.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-jobs.md new file mode 100644 index 0000000000..f8a40c7249 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/configure-jobs.md
@@ -0,0 +1,22 @@
+---
+title: "Configure Jobs"
+description: "Configure Jobs"
+sidebar_position: 40
+---
+
+# Configure Jobs
+
+This guide shows how to define the permissions for creating and using jobs thanks to scaffoldings.
+
+There are two important jobs in Identity Manager. The Complete Job and the Incremental Synchronization. This two Job Synchronize and fill are using to Synchronize and fill Connectors. See the [Set up Complete Synchronization](../../integration-guide/tasks-jobs/jobdaily) and [Set Up Incremental Synchronization](../../integration-guide/tasks-jobs/jobfast) topics for additional information.
+
+## Job Scaffoldings
+
+There are six scaffoldings in Identity Manager to automatically create jobs in the configuration:
+
+- A job for all connectors on an Agent (Complete/Incremental mode); See the
+[Create Agent Synchro Complete](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete) and [Create Agent Synchro Incremental](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental) topics for additional information.
+- A job for a specific connector (Complete/Incremental mode).
+- [Create Initialization Job](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob)
+- [Create Access Certification Job](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob)
+
diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/fulfillldap.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/fulfillldap.md
new file mode 100644
index 0000000000..bc111e9bfe
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/fulfillldap.md
@@ -0,0 +1,67 @@ +--- +title: "Configure the Fulfill Task for a Connector" +description: "Configure the Fulfill Task for a Connector" +sidebar_position: 90 +--- + +# Configure the Fulfill Task for a Connector + +This guide shows how to create the adequate configuration to add the fulfill task of a given system (here LDAP) in a job. + +For Identity Manager fill an LDAP some configuration element are necessary. + +## Resource Type Mapping + +This configuration is to use the fill for the LDAP and configure the Reset Password. + +``` + +``` + +## Add connection information to AD Connect + +The [LDAP](../../integration-guide/connectors/references-connectors/ldap) connection information define this section to add all information to use the AD Fulfillment. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADFulfillment": { + "Servers": [{ + "Server": "paris.contoso.com", + "BaseDN": "DC=paris,DC=com" + }], + "AuthType": "Basic", + "Login": "CN=exampleCn,DC=exampleDc1,DC=exampleDc2", + "Password": "Password", + "AsAdLds": "true" + } + } +} +``` + +After defining this settings, encrypt this JSON file with [Usercube-Protect-X509JsonFile](../../integration-guide/executables/references/protect-x509jsonfile). + +## Configure The FulfillTask + +Configure The task with the same ResourceType using in ResourceTypeMapping. It's possible to use a connector instead of ResourceType. + +``` + +``` + +Integrate this Task in the job that provisions the AD connector. + +``` + ... + ... + +``` + diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/index.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/index.md new file mode 100644 index 0000000000..52a73b0092 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/index.md 
@@ -0,0 +1,30 @@
+---
+title: "Tasks & Jobs"
+description: "Tasks & Jobs"
+sidebar_position: 190
+---
+
+# Tasks & Jobs
+
+Identity Manager provides tasks to orchestrate together the executable files that perform IGA actions, and jobs to orchestrate the tasks together.
+
+See the [Tasks](../../integration-guide/tasks-jobs/tasks) topic for additional information.
+
+See the [Jobs](../../integration-guide/tasks-jobs/jobs) topic for additional information.
+
+See the [Tasks](../../integration-guide/toolkit/xml-configuration/jobs/tasks) topic for additional information.
+
+Make sure to read how to [Build Efficient Jobs](../../integration-guide/tasks-jobs/build-efficient-jobs).
+
+## Overview
+
+Netwrix Identity Manager (formerly Usercube) vision for the IGA software is a customizable solution.
+
+The main idea of Identity Manager is to offer a software solution that you can tailor to your needs by selecting IGA "blocks" and executing them in a specific order.
+
+This is why Identity Manager is not built as a monolithic software. It is made of a mosaic of small [specialized services](https://en.wikipedia.org/wiki/Microservices), cohesive independent functions, each one materialized into a building block of your Identity Manager solution. Each building block serves a specific and well delimited IGA function.
+
+These building blocks are called [Tasks](../../integration-guide/tasks-jobs/tasks), and can be easily organized together and scheduled in [Jobs](../../integration-guide/tasks-jobs/jobs).
+
+This approach makes for a perfectly customizable product. It also tremendously helps our users to ease into Identity Manager by allowing them to understand it piece by piece.
+
diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobdaily.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobdaily.md
new file mode 100644
index 0000000000..607e9642ff
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobdaily.md
@@ -0,0 +1,160 @@ +--- +title: "Set up Complete Synchronization" +description: "Set up Complete Synchronization" +sidebar_position: 70 +--- + +# Set up Complete Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in complete mode. + +### 1. Objective + +Create a Synchronization Job in complete mode. This job is used to check for and fix differences in the resources data after the incremental synchronizations. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job for each connector and for each agent (see the [Create Connector Synchro Complete](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete) topic for additional information) or a job for all connectors for each agent (see the [Create Agent Synchro Complete](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete) topic for additional information). + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` +**** +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an [Export Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask). Otherwise it is unnecessary. Choose the Export task corresponding to the connector. If the Export uses the incremental mode, set IgnoreCookieFile to true. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True so that the task is not blocking for the Job. + +Example : + +``` + +``` + +### 3. Create the Prepare Synchronization task + +Create the Prepare Synchronization Task with the connector. Set `SynchronizationMode="Complete"` , except for [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) which doesn't need this parameter. 
If it is a Synchronization Changes, or ActiveDirectory, you must precise it with the `Type` attribute. + +If the job contain Exports for the same connector add the a link between the PrepareSynchronization and the Export to check the final state of exports. + +Example : + +``` + +``` + +See the [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) for additional information on the PrepareSynchronization task configuration. + +### 4. Create the Synchronization task + +Create the SynchronizeTask with the same `Type` attribute as the PrepareSynchronizationTask. For the complete mode the parameter DoNotDeleteChanges must not be present in the task configuration. + +If the job contain Exports for the same connector add the a link between the Synchronization and the Export to check the final state of exports. + +Example : + +``` + +``` + +The Synchronization Validation Task is not needed , since it is managed by the [Jobs](../../integration-guide/tasks-jobs/jobs) state machine. + +For more information on Synchronization task configuration : [Synchronize Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask) + +### 5. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given entityTypes or all entityTypes. + +Example : + +``` + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : [UpdateEntityPropertyExpressionsTask](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask) + +### 6. Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all entityTypes. 
+ +Example : + +``` +** ** +``` + +For more information about the ComputeCorrelationKey task configuration: [Compute Correlation Keys Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask) + +### 7. Create the ComputeRoleModel task + +Create the ComputeRoleModel Task to create the provisioning order. + +Example : + +``` + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) which have TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) + +### 8. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning orders. The Connector is the same as the connector set in the PrepareSynchronization. The ForceProvisioning parameter must not be set to true. It's the job state machine who launch this mode if necessary. + +Example : + +``` + +``` + +For more information on GenerateProvisioningOrder task configuration: [Generate Provisioning Orders Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask). + +### 9. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. + +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The fulfillment must be not launch in the job. + +``` + +``` + +### 10. 
Create the UpdateClassification task + +Create the Update Classification Task. The resource Classification is needed if one or more [Resource Classification Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule) are configured for the connector. + +``` + +``` + +For more information on Update Classification Task : [Update Classification Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask) + +### 11. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more [Profile Rule Context](../../integration-guide/toolkit/xml-configuration/access-control/profilerulecontext) are configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the state warning or if it was not started or no processing has been performed, launching this task becomes useless. + +``` + +``` + +For more information on SetInternalUserProfiles Task configuration : [Set Internal User Profiles Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask) + +### 12. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. + +``` + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : [Job](../../integration-guide/toolkit/xml-configuration/jobs/job) + diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobfast.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobfast.md new file mode 100644 index 0000000000..b3e89f3563 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobfast.md 
@@ -0,0 +1,183 @@ +--- +title: "Set Up Incremental Synchronization" +description: "Set Up Incremental Synchronization" +sidebar_position: 80 +--- + +# Set Up Incremental Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in incremental mode. + +### 1. Objective + +Create a Synchronization job in incremental mode. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job for each connector and for each agent (see : [Create Connector Synchro Incremental](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental)) or a job for all connector for each agent (see : [Create Agent Synchro Incremental](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental)) + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` +**** +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an [Export Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask). Otherwise it is unnecessary. Choose the Export task corresponding to the connector. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True so that the task is not blocking for the Job. + +Example : + +``` + +``` + +### 3. Create the Prepare Synchronization task + +Create the PrepareSynchronizationTask with the connector. Set `SynchronizationMode="Incremental"` , except for [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) which doesn't need this parameter and LDAP connector who need complete mode. + +If the job contain Exports for the same connector add the a link between the Prepare Synchronization and the Export to check the final state of exports. 
+ +Example : + +``` + +``` + +For more information on PrepareSynchronization task configuration : [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) + +### 4. Create the Synchronization task + +Create the SynchronizeTask corresponding to the Prepare Synchronization Task. If the Prepare Synchronization Task is a [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask), then choose the [Synchronize Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask), else if it is Prepare Synchronization Active Directory Task choose Synchronization ADDir Sync, else choose [Synchronize Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask). + +In Incremental mode, you must set the attribute `DoNotDeleteChanges="true"` + +For the Incremental mode add link between PrepareSynchronization and Synchronization task for the same connector. If the job contain Exports for the same connector add the a link between the Synchronization and the Export to check the final state of exports. + +Example : + +``` + +``` + +The Synchronization Validation Task is not needed , since it is managed by the [Jobs](../../integration-guide/tasks-jobs/jobs). + +For more information on Synchronization task configuration : [Synchronize Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask) + +### 5. Create the SetRecentlyModifiedFlag task + +Create the Set Recently Modified Flag task. + +Launching this is required only if at least one of the Synchronization in the job has made a change in the database. + +``` + +``` + +For more information on SetRecentlyModifiedFlag Task : [Set Recently Modified Flag Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask) + +### 6. 
Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given entityTypes or all entitytypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : [Update Entity Property Expressions Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask) + +### 7. Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all entityTypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + +``` + +For more information about the Compute Role Model correlation keys task configuration: [Compute Correlation Keys Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask) + +### 8. Create the ComputeRoleModel task + +Create the ComputeRoleModely Task to create the provisioning order. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) which have TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) + +### 9. 
Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning orders. The Connector is the same as the connector set in the PrepareSynchronization. + +Example : + +``` + +``` + +For more information on provisioning task configuration: [Generate Provisioning Orders Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask). + +### 10. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. + +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The fulfillment must be not launch in the job. + +``` + +``` + +### 11. Create the UpdateClassification task + +Create the Update Classification Task. The resource Classification is needed if one or more [Resource Classification Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule) are configured for the connector. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the Task SetRecentlyModifiedFlag has been started. + +``` + +``` + +For more information on Update Classification Task : [Update Classification Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask) + +### 12. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more [Profile Rule Context](../../integration-guide/toolkit/xml-configuration/access-control/profilerulecontext)are configured. 
+ +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the state warning or if it was not started or no processing has been performed, launching this task becomes useless. + +``` + +``` + +For more information on SetInternalUserProfiles Task configuration : [Set Internal User Profiles Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask) + +### 13. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. + +``` + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : [Job](../../integration-guide/toolkit/xml-configuration/jobs/job) + diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobs.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobs.md new file mode 100644 index 0000000000..9ea17b6f7e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/jobs.md 
@@ -0,0 +1,64 @@ +--- +title: "Jobs" +description: "Jobs" +sidebar_position: 20 +--- + +# Jobs + +A job is a succession of tasks, to be launched and potentially scheduled, which orchestrate together the executable files that perform IGA actions. + +## Anatomy of a Job + +Jobs are used to write sets of successive tasks, and schedule their execution. + +See how to configure [Job](../../integration-guide/toolkit/xml-configuration/jobs/job). + +A job can contain tasks explicitly, or contain steps used to call existing tasks in order to use a single task in several jobs. + +## Execution + +Jobs are executed by agents. + +The agent initiates the job and executes the agent-side tasks. Hence, the agent must have access to the relevant managed systems. The agent orders the execution of the server-side tasks, complying with the one-way data flow principle. + +A job can be triggered: + +- Once manually, through the **Job Execution** screen; +- Once manually, using Usercube-Invoke-Job.exe; +- Periodically, with Identity Manager's internal scheduler `CronTabExpression`; +- Periodically, with an external Scheduler such as +[Windows Task Scheduler](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page). + +## Monitoring + +Any job execution is logged into the UJ_JobInstances table. + +They can be monitored through the UI, via the **Job Execution** page. + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/tasks.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/tasks.md new file mode 100644 index 0000000000..d51ea81f8a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/tasks.md 
@@ -0,0 +1,40 @@
+---
+title: "Tasks"
+description: "Tasks"
+sidebar_position: 10
+---
+
+# Tasks
+
+A task is Identity Manager's way to configure and use a given executable that performs a given IGA action.
+
+## Anatomy of a Task
+
+Each of Identity Manager's IGA actions is contained in a standard Windows executable file that can be launched using PowerShell.
+
+The choice of a simple standard format for Identity Manager's building blocks makes it very easy to pick and choose them _a la carte_ to configure the solution.
+
+Tasks are used to insert these blocks into Identity Manager's configuration, in order to be launchable via the UI, or even scheduled to be launched automatically periodically.
+
+> For example, Identity Manager's tasks include synchronization, computation of entitlement
+> assignments, or provisioning of varied managed systems. See the list of all available
+> [Tasks](../../integration-guide/toolkit/xml-configuration/jobs/tasks).
+
+## Data Consistency
+
+Every task is written as a [transactional process](https://en.wikipedia.org/wiki/Transaction_processing). This means that a task cannot be executed partially. It is either fully executed, or not executed at all. It guarantees data consistency as data cannot be harmed by a half-executed task.
+
+Every task is written as an [idempotent function](https://en.wikipedia.org/wiki/Idempotence). This means that, for a given input, applying a task one time will produce the same result as applying it several times. It guarantees data consistency as it prevents the potential side-effects of a retry which might occur following a network error, or a task failure.
+
+Every task is designed as a [single responsibility process](https://en.wikipedia.org/wiki/Single-responsibility_principle). This principle ensures that two distinct tasks do not have an effect on similar pieces of the system. This guarantees data consistency by avoiding incompatible changes to be committed by different tasks at the same time. For the same reasons, a given task cannot be executed twice simultaneously.
+
+## Task Modes
+
+Two distinct modes exist to execute tasks inside jobs:
+
+- In **complete** mode, tasks process whole inputs with **all data**.
+- In **incremental** mode, tasks only consider the changes that occurred since their last execution.
+This mode is not available for all tasks.
+
+Both modes can be performed considering potential filters if said tasks involve a specific selection of data instead of whole inputs. The difference between these modes lies in the consideration of **all data** for the **complete** mode, versus only the **last changes** for the **incremental** mode.
+
diff --git a/docs/identitymanager/6.3/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md b/docs/identitymanager/6.3/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md
new file mode 100644
index 0000000000..afc5e21aa6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md
@@ -0,0 +1,93 @@
+---
+title: "Troubleshoot Connector Jobs"
+description: "Troubleshoot Connector Jobs"
+sidebar_position: 50
+---
+
+# Troubleshoot Connector Jobs
+
+This guide helps understand the behavior of synchronization and provisioning tasks in order to spot and fix errors.
+
+## Overview
+
+A managed system is synchronized and provisioned to/from Identity Manager with the following task sequence:
+
+![Synchronization/Provisioning Schema](/images/identitymanager/troubleshoot_synchroprovschema.webp)
+
+### Export data
+
+Exporting means that the agent reads the system's data and takes it out to one or several external files, as tables.
+
+The output is stored in `Temp/ExportOutput`.
+
+In order to spot what was exported or not for the next incremental export, cookie files are stored in `Temp/ExportCookies`.
+
+See the [Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration) topic for additional information.
+
+### Prepare synchronization
+
+Preparing the synchronization means that the agent reads the tables, output of the export step, and produces one file for each association (also named multi-valued navigation property), where the data is prepared for synchronization.
+
+> For example, the data is sorted according to their primary keys, in order to optimize the
+> comparison with the database.
+
+The output is stored in `Work/Collect`, and sent to the server to queue in `Work/Synchronization`.
+
+See the [Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration) topic for additional information on how to prepare the synchronization executable `Usercube-Prepare-Synchronization`.
+
+### Synchronize
+
+Synchronizing means reading the data of the external file, output of the preparation step, and taking it to Identity Manager.
+
+This is done by the synchronization executable Identity Manager-Synchronize.
+
+#### Synchronization: build the difference
+
+The server compares the exported files, output of the preparation step, with the previous data of the system, and with the data contained in the database. Based on this comparison, the changes are stored in the database.
+
+The output is stored in `UR_ResourceChanges`.
+
+#### Synchronization: finalize
+
+When at least one synchronization [Thresholds](../../integration-guide/synchronization/synchro-thresholds) is exceeded, the change list can be seen in the **Synchronization Changes** tab, accessible from the job progress screen.
+
+When the synchronization thresholds are not exceeded, or they are bypassed, the potential preparatory files are consumed and the changes are applied.
+
+The server updates the values of the properties computed via expressions. A user's history can be used to view the impact of this step on the properties.
+
+### Apply the policy
+
+Applying the policy means that the server prepares the correlation keys and computes the role model.
+
+Preparing the correlation keys means that the server recomputes the keys that will later link accounts to their owners. The output is stored in `UP_ResourceCorrelationKeys`.
+
+This is done by the correlation key computation executable `Usercube-Compute-CorrelationKeys`.
+
+Computing the role model means that the server applies all the rules in order to assign accounts and entitlements to identities.
+
+The assigned accounts and entitlements are stored in `UP_Assigned*`, and can be seen in users' **View Permissions** tab.
+
+This is done by the role model computation executable `Usercube-Compute-RoleModel`.
+
+### Generate provisioning orders
+
+Generating the provisioning orders means that the server builds JSON files to prepare the execution of provisioning.
+
+The output is stored in `Work/ProvisioningOrders`.
+
+This is done by the order generation executable `Usercube-Generate-ProvisioningOrders`.
+
+### Provision
+
+Provisioning means that the agent asks the server to send the provisioning orders, in order to read the orders and actually make modifications to the managed system.
+
+Once consumed, the files are moved to the subfolder `Downloaded`.
+
+This is done by the provisioning executables `Usercube-Fulfill-*`.
+
+In order to test the provisioning step, there is no need relaunching the whole task sequence. You can, for example, keep a provisioning order from the previous step, and adjusting it before launching provisioning.
+
+## Troubleshoot
+
+Troubleshoot an error in a connector job by running each step individually until you see something that you did not expect.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/adjust-scaffoldings.md b/docs/identitymanager/6.3/integration-guide/toolkit/adjust-scaffoldings.md
new file mode 100644
index 0000000000..dcd80a543e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/adjust-scaffoldings.md
@@ -0,0 +1,169 @@ +--- +title: "Adjust Scaffolded Configuration" +description: "Adjust Scaffolded Configuration" +sidebar_position: 110 +--- + +# Adjust Scaffolded Configuration + +This guide shows how to adjust the XML configuration elements created by scaffoldings. + +## Overview + +A scaffolding is an XML element that will generate a complex XML fragment. It is like a configuration shortcut that helps configure easily a set of XML elements that are usually configured together. + +See the list of all existing [Scaffoldings](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md). + +In most situations, scaffoldings are enough to generate the configuration required to meet the functional needs. + +However, in some cases, scaffoldings do not meet the exact needs and must be adjusted to generate the right XML configuration. + +NETWRIX recommends writing XML configuration by first using scaffoldings, adjusting it if needed, and as a last resort, when no scaffolding meets the needs, writing the configuration manually. + +## Adjust Scaffolded Configuration + +Adjust XML configuration generated by a scaffolding by proceeding as follows: + +1. When working via the UI, start by exporting UI configuration elements. See the +[Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration.md) topic for additional information. +2. Write an XML element whose identifier is the same as the one generated by the scaffolding. + +Any identifier can be found in the [Scaffoldings](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic, in the section displaying the generated XML fragment. + +3. Add `ConsolidationMode` to the element's properties. + + - By default, the XML item written manually completely replaces the one generated by the +scaffolding. 
+ +The default behavior should be used when needing to rewrite one or a few of the items generated by a scaffolding, not all of them. + +When needing to rewrite the scaffolding's whole output, just remove the scaffolding and write the item(s) manually. + + > For example, the `ViewTemplateAdaptable` scaffolding generates, for the `LDAP_Entry` + > entity type, a default display name for all LDAP resources, a display table to view the + > resources, and the corresponding permissions to access the table. Supposing that the + > resulting display table does not fit the needs, we could need to write a customized + > display table from scratch: +> + > ``` +> + > + > + > + > + > +> + > ```` +> > + > The display table's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display table ```LDAP_Entry``` is defined by the `````` properties written manually here, as well as its `````` child elements written manually here. + > ```` + + > Still from the `ViewTemplateAdaptable` scaffolding, suppose now that the default display + > name does not fit the needs, then we could write a customized display name from scratch: +> + > ``` +> + > +> + > ```` +> > + > The entity property expression's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display name ```LDAP_Entry_InternalDisplayName``` is defined by the `````` properties written manually here. + > ```` + + - Set to `Merge`, the XML item generated by the scaffolding is completed with additional parent +properties and/or child elements written manually, while keeping the parent properties and the child elements defined in the scaffolding. + + > For example, the `WorkforceModule` scaffolding generates the `Directory_User` entity type + > (among other things) with a specific set of properties. 
We could choose to add some + > properties in the entity type: +> + > ``` +> + > + > + > + > +> + > ```` +> > + > The entity type's identifier must be the same as the one generated by the scaffolding. Then the entity type ```Directory_User``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the properties written manually here. + > ```` + + > The `WorkforceModule` scaffolding also generates the + > `Directory_UserRecord_UniqueValue_Email` aspect (among other things) that uses unicity + > check rules to generate a unique email address for each new user. We could choose to add a + > unicity check rule in the aspect to compare the new email address to the existing ones + > from Microsoft Entra ID (formerly Microsoft Azure AD): +> + > ``` +> + > + > SourceExpression="C#:record:var firstName = + > record.FirstName.Simplify()?.ToLowerInvariant(); var lastName = + > record.LastName.Simplify()?.ToLowerInvariant(); if (string.IsNullOrEmpty(firstName) || + > string.IsNullOrEmpty(lastName)) { /_ Data missing _/ return null; } +> + > var result = firstName + "." + lastName; + > if (iteration > 0) + > { + > result += iteration.ToString(); + > } +> + > return result;" TargetEntityType="MicrosoftEntraID_DirectoryObject" TargetExpression="C#:azure_ad: + > if(string.IsNullOrEmpty(azure_ad.mail)) + > { + > return null; + > } +> + > var result = azure_ad.mail; + > var index = result.IndexOf('@'); + > if(index >=0) + > { + > result = result.Substring(0, index); + > } +> + > return result;" /> +> + > ```` +> > + > The aspect's identifier must be the same as the one generated by the scaffolding. Then the aspect ```Directory_UserRecord_UniqueValue_Email``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the unicity check rule written manually here. 
+ > ```` + + - Set to `Update`, the XML item written manually replaces all parent properties, while keeping +the child elements defined in the scaffolding. + + > For example, the `OptimizeDisplayTable` scaffolding generates the `Directory_User` display + > entity type (among other things) with a specific set of properties. We could choose to + > change just the parent properties of the display entity type without changing its child + > properties: +> + > ``` +> + > +> + > ```` +> > + > The display entity type's identifier must be the same as the one generated by the scaffolding. Then the display entity type ```Directory_User``` is defined by the `````` properties written manually here, as well as the `````` child elements written in the scaffolding. + > ```` + + - Set to `Delete`, the XML item generated by the scaffolding is deleted, including its child +elements. + + > For example, the `AssignProfileAccessControlRules` scaffolding generates the + > `Administrator_Category_AccessControl_AssignedProfile` access control rule (among other + > things) with possibly child elements. We could choose to remove the whole access control + > rule: +> + > ``` +> + > +> + > ```` +> > + > The access control rule's identifier must be the same as the one generated by the scaffolding. Then the access control rule ```Administrator_Category_AccessControl_AssignedProfile``` is completely removed. + > ```` + +4. Deploy the Configuration again. See +the[ Usercube-Deploy Configuration](../../integration-guide/executables/references/deploy-configuration.md) for additional information. + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/bindings.md b/docs/identitymanager/6.3/integration-guide/toolkit/bindings.md new file mode 100644 index 0000000000..3e2c97c6e8 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/bindings.md 
@@ -0,0 +1,29 @@
+---
+title: "Bindings"
+description: "Bindings"
+sidebar_position: 30
+---
+
+# Bindings
+
+Some configuration's XML attribute must respect the Identity Manager's binding syntax. This syntax allow to specify a _path_ in the entity model.
+
+Binding expression starts by the starting entity type name followed by the `:` character and a sequence of property references separated by a `.` character.
+
+```
+type:propertyA.propertyB.propertyC
+```
+
+For exemple, to bind to the manager's first name of a user, the binding expression will be:
+
+```
+User:Manager.FirstName
+```
+
+In the case of type inheritance, we must specify the type owning the property.
+
+```
+AssignedResourceType:Owner.User:FirstName
+```
+
+In this sample, the property `Owner` of `AssignedResourceType` targets the base type `Resource`. Type `User` inherits of `Resource` and owns the `FirstName` property. So, the `FirstName` section of the binding expression must be prefixed by `User:`.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/deploy-configuration.md b/docs/identitymanager/6.3/integration-guide/toolkit/deploy-configuration.md
new file mode 100644
index 0000000000..a8f58938eb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/deploy-configuration.md
@@ -0,0 +1,98 @@
+---
+title: "Deploy the Configuration"
+description: "Deploy the Configuration"
+sidebar_position: 90
+---
+
+# Deploy the Configuration
+
+This guide shows how to deploy the XML configuration, in order to build and use the Identity Manager application.
+
+## Overview
+
+The process for configuration deployment varies according to the situation:
+
+- when working on-premise, the configuration must be deployed locally;
+- when working SaaS, the configuration must be deployed remotely.
+
+## Deploy the Configuration Locally
+
+Deploy a local XML configuration by using the[ Usercube-Deploy Configuration](../../integration-guide/executables/references/deploy-configuration.md) executable and declaring at least:
+
+- the configuration directory;
+- the connection string of the database.
+
+> ```
+>
+> ./Usercube-Deploy-Configuration.exe -d "C:\Usercube\Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"
+>
+> ```
+
+## Deploy the Configuration Remotely
+
+Deploy a SaaS XML configuration by proceeding as follows:
+
+1. Log in for configuration deployment/export with the
+[Usercube-Login](../../integration-guide/executables/references/login.md) executable.
+
+Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure strong security, visibility and ease of use.
+
+NETWRIX recommends using Identity Manager's dedicated in-house OIDC Identity Provider (IDP), but you can also use your own IDP if you want to manage authentication yourself.
+
+When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id tokens.
+
+ > For example, when using Identity Manager's IDP:
+>
+ > ```
+>
+ > ./Usercube-Login.exe
+>
+ > ```
+>
+ > ```
+
+ > For example, when using another IDP:
+>
+ > ```
+>
+ > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id
+ > 34b3c-fb45da-3ed32
+>
+ > ```
+>
+ > ```
+
+Either method will open your default browser to `http://localhost:5005` where you will be redirected to the specified IDP and will be prompted to log in.
+
+Specify `--port ` if you want the login page to use another local port.
+
+If you have already successfully deployed or exported your SaaS configuration at least once, then there is no need to communicate the authentication information again. Go directly to step 4.
+
+However, if, since then, there has been a change in the identity deploying/exporting the configuration or in the Identity Provider used to log in at step 1, then go through the whole process again.
+
+2. Log in to the IDP to be redirected back to this screen:
+
+ ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp)
+
+Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes.
+
+3. Copy the entire text within the blue square and send it to your Identity Manager administrator.
+
+The administrator will add the identity information to the configuration of your Identity Manager instance, to allow the configuration deployment/export.
+
+4. Deploy the configuration by using
+the[ Usercube-Deploy Configuration](../../integration-guide/executables/references/deploy-configuration.md) executable and declaring at least:
+
+ - the configuration directory;
+ - the deployment environment;
+ - the API URL of your Identity Manager instance.
+ > ```
+>
+ > ./Usercube-Deploy-Configuration.exe -d "C:\Usercube\Conf" --api-url https://my_usercube_instance.com --deployment-slot Development
+>
+ > ```
+
+You can deploy the configuration by launching only the `Deploy-Configuration` executable until the authentication token expires. Then, the token must be refreshed via the `Login` executable before deploying again.
+
+The token served by Identity Manager's IDP expires after one hour.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/export-configuration.md b/docs/identitymanager/6.3/integration-guide/toolkit/export-configuration.md
new file mode 100644
index 0000000000..1748b67fb4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/export-configuration.md
@@ -0,0 +1,97 @@
+---
+title: "Export the Configuration"
+description: "Export the Configuration"
+sidebar_position: 100
+---
+
+# Export the Configuration
+
+This guide shows how to export the configuration as XML files to a given folder.
+
+## Overview
+
+The process for configuration export varies according to the situation:
+
+- when working on-premise, the configuration must be exported locally;
+- when working SaaS, the configuration must be exported remotely;
+
+See the [Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration.md) topic for additional information.
+
+## Export the Configuration Locally
+
+Export your configuration by using the [Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration.md) executable and declaring at least:
+
+- the directory where the configuration is to be exported to;
+- the connection string of the database.
+
+> ```shell
+> ./Usercube-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/Usercube/ExportedConf"
+> ```
+
+## Export the Configuration Remotely
+
+Export a SaaS configuration by proceeding as follows:
+
+1. Log in for configuration deployment/export with the
+[Usercube-Login](../../integration-guide/executables/references/login.md) executable.
+
+Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure strong security, visibility and ease of use.
+
+Netwrix Identity Manager (formerly Usercube) recommends using Identity Manager's dedicated in-house OIDC Identity Provider (IDP), but you can also use your own IDP if you want to manage authentication yourself.
+
+When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id tokens.
+
+ > For example, when using Identity Manager's IDP:
+>
+ > ```
+>
+ > ./Usercube-Login.exe
+>
+ > ```
+>
+ > ```
+
+ > For example, when using another IDP:
+>
+ > ```
+>
+ > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id
+ > 34b3c-fb45da-3ed32
+>
+ > ```
+>
+ > ```
+
+Either method will open your default browser to `http://localhost:5005` where you will be redirected to the specified IDP and will be prompted to log in.
+
+Specify `--port ` if you want the login page to use another local port.
+
+If you have already successfully deployed or exported your SaaS configuration at least once, then there is no need to communicate the authentication information again. Go directly to step 4.
+
+However, if, since then, there has been a change in the identity deploying/exporting the configuration or in the Identity Provider used to log in at step 1, then go through the whole process again.
+
+2. Log in to the IDP to be redirected back to this screen:
+
+ ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp)
+
+Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes.
+
+3. Copy the entire text within the blue square and send it to your Identity Manager administrator.
+
+The administrator will add the identity information to the configuration of your Identity Manager instance, to allow the configuration deployment/export.
+
+4. Export the configuration by using the
+[Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration.md) and declaring at least:
+
+ - the configuration directory;
+ - the API URL of your Identity Manager instance.
+ > ```
+>
+ > ./Usercube-Export-Configuration.exe -d "C:\Usercube\ExportedConf" --api-url https://my_usercube_instance.com
+>
+ > ```
+
+You can export the configuration by launching only the `Export-Configuration` executable until the authentication token expires. Then, the token must be refreshed via the `Login` executable before exporting again.
+
+The token served by Identity Manager's IDP expires after one hour.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/expressions/csharp-utility-functions.md b/docs/identitymanager/6.3/integration-guide/toolkit/expressions/csharp-utility-functions.md
new file mode 100644
index 0000000000..4650b0bb91
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/expressions/csharp-utility-functions.md
@@ -0,0 +1,66 @@ +--- +title: "C# utility functions" +description: "C# utility functions" +sidebar_position: 10 +--- + +# C# utility functions + +These functions can be called in any C# expression specified in the configuration. See the [Expressions](../../../integration-guide/toolkit/expressions/index.md) topic for additional information. + +These are static functions defined in the class `Usercube.Expressions.Functions.UtilExpressions`. + +The way these functions are configured, they require the `UtilExpressions` prefix, but not necessarily the rest (`Usercube.Expressions.Functions`). However, using the full namespace would also work. + +For example, you could use `UtilExpressions.BuildUsername(...)` as shown in the example below. + +[LinQ methods](https://docs.microsoft.com/en-us/dotnet/api/system.linq.enumerable?view=net-8.0) can be used, without needing to add a prefix. + +## BuildUsername + +Builds a username by concatenating a first name, a separator, a last name and a possible suffix. + +First name and last name are simplified using the Simplify function. See the [Predefined functions](../../../integration-guide/toolkit/expressions/predefined-functions.md)topic for additional information. + +``` +string? BuildUsername(string? firstName, string? lastName, string? separator, string? suffix, int? iteration) +``` + +The iteration argument is usually used with the help of [Build Unique Value Aspect](../../../integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md). If the iteration number is greater than 0, it is inserted after the last name. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` + +## BuildUsernameWithInitials + +Builds a username by concatenating a first name initials, a separator, a last name and a possible suffix. + +Hyphenated first names are accepted (In this case, we consider the initial of each first name). + +``` +string? BuildUsernameWithInitials(string? firstName, string? lastName, string? 
separator, string? suffix, int? maxLength, int? iteration) +``` + +The `maxLength` argument limits the length of the username. + +The iteration argument is usually used with the help of [Build Unique Value Aspect](../../../integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md). If it is greater than 0, we use several letters of the first name avoiding as much as possible to insert a number in the built username. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/expressions/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/expressions/index.md new file mode 100644 index 0000000000..6d7a0d7c89 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/expressions/index.md 
@@ -0,0 +1,283 @@ +--- +title: "Expressions" +description: "Expressions" +sidebar_position: 40 +--- + +# Expressions + +Expressions are a way to define the attributes whose values must be computed based on other attributes. + +## Overview + +In Identity Manager's XML configuration, some attributes are defined with expressions. Expression attributes do not take a plain string value, but rather an expression that computes a value based on a given input. See the [Entity Property Expression](../../../integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression.md) and [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md) topics for additional information. + +Every expression must be passed at least one argument and return at least one value. + +The expression can either be provided as a built-in function or as a full-fledged C# expression. See the list of available C# utility functions and functions predefined by Identity Manager. See the [Predefined functions](../../../integration-guide/toolkit/expressions/predefined-functions.md) topic for additional information. + +:::note + When changing the value of a property that is part of some expressions in the configuration, do not expect to see all expressions recomputed right away. +::: +In order to ensure the recomputation of all expressions based on the recent change, wait for the next run of Update Expressions in the complete job or through the corresponding connector's overview page. + +### Expressions in the UI + +In the UI, the attributes that can be defined with an expression show two fields: Property Path and Expression. + +For example, the source object of a scalar rule based on user records is displayed: + +![Property Path and Expression](/images/identitymanager/expression-propertypath_v602.webp) + +The field Property Path is usually filled in with the + button only when the rule involves one single attribute. 
If the object involves more than one attribute, then the attributes are to be written in Expression (C#), with the help of predefined simple transformations. See the [Predefined functions](../../../integration-guide/toolkit/expressions/predefined-functions.md) topic for additional information. + +The first example defines the source object as simply the user record's Login property, while the second defines the source object with an expression based on the user record's first and last names: + +![Property Path Example](/images/identitymanager/expression-propertypath-example1_v602.webp) + +![Expression Example](/images/identitymanager/expression-propertypath-example2_v602.webp) + +### Expressions in XML + +In XML, inside the C# expressions, make sure to escape `"` characters by writing them as `"`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +``` + +### Nullability checks + +Nullability checks constitute a common area for improvement in C# expressions, rather easy to implement. + +See Microsoft documentation on [nullable reference types](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-types/nullable-reference-types) and more precisely on [nullable operators](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/member-access-operators#nullable-operators). + +For example, the following scalar rule computes the value of users' email addresses via a C# expression. The `` characters cut the operations short by returning null when one of the chain members returns null, thus preventing errors. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +``` + +## Built-in Functions + +Identity Manager provides a set of built-in function that implement basic expressions. They can be used as-is or be included in a C# expression. 
+ +Identity Manager's engine automatically passes the main argument to the function during the computation, but extra arguments can be provided using the following syntax: + +`function name : arg2 | arg3 | ...` + +### Example + +Plain built-in function: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +// transform string to uppercase +Expression="ToUpper" +``` + +Built-in function with parameters: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +// add 1440 minutes to a date formated as dd/MM/yyyy +Expression="ParseLocalDateThenAddMinutes:Romance Standard Time|dd/MM/yyyy|1440" +``` + +## C# Expressions + +More complex expressions can be written as ad-hoc C# code according to the following rules: + +- The expression is prefixed by C#:ParameterName: where ParameterName is the variable name pointing +to the input value. +- The expression has to return a value + +For example: + +``` +// user full name +C#:user:return user.FirstName+" "+user.LastName; +``` + +### QueryHandler + +Expression can includes squeries, using the QueryHandler service. + +For example, to query the employee type whose Identifier is CDI: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +C#:user: +var resources = queryHandler.Select("Select Id Where Identifier=\"CDI\""); +return resources.FirstOrDefault()?.Id; +``` + +Another example, to query the organization whose Identifier is `<23040>`: + +``` +C#:return queryHandler.Select("Select Identifier Where Id=23040").FirstOrDefault()?.Identifier; +``` + +### Logger service + +Identity Manager provides a logger service called "logger" to debug C# expressions. 
+ +For example: + +``` +C#:resource:logger.LogDebug("Name={0}", resource.Name); return resource.Name; +``` + +### White list + +The following .NET libraries from the white list can be used. + +**Authorized Namespaces** + +Every class and function from the following namespaces is allowed: + +- `System.Linq` +- `System.Text.RegularExpressions` + +**Authorized Classes** + +Beyond the authorized namespaces, the following classes can be used: + +- `System.Convert` +- `System.Reflection.AssemblyFileVersionAttribute` +- `System.Reflection.AssemblyVersionAttribute` +- `System.Reflection.AssemblyCopyrightAttribute` +- `System.Reflection.AssemblyProductAttribute` +- `System.Reflection.AssemblyCompanyAttribute` +- `System.Reflection.AssemblyTitleAttribute` +- `System.Char` +- `Usercube.Expressions.Functions.UtilExpressions` +- `System.Nullable` +- `System.String` +- `System.Int32` +- `System.Random` + +**Authorized Methods** + +Beyond the authorized classes, the following methods can be used: + +- `System.Convert` +- `Microsoft.Extensions.Logging.LoggerExtensions.LogDebug` +- `System.DateTime.Add` +- `System.DateTime.AddDays` +- `System.DateTime.AddHours` +- `System.DateTime.AddMicroseconds` +- `System.DateTime.AddMilliseconds` +- `System.DateTime.AddMinutes` +- `System.DateTime.AddMonths` +- `System.DateTime.AddSeconds` +- `System.DateTime.AddTicks` +- `System.DateTime.AddYears` +- `System.DateTime.Compare` +- `System.DateTime.CompareTo` +- `System.DateTime.DaysInMonth` +- `System.DateTime.Equals` +- `System.DateTime.GetDateTimeFormats` +- `System.DateTime.ToUniversalTime` +- `System.DateTime.ToString` + +Trying to use code from outside this white list would yield the following error during computation: + +`the Method Name : ... Parent Class : ... NameSpace : ... used are not authorized` + +Method ... cannot be called with entities as arguments. 
+ +However, here is a whitelist of methods that can be called with these kinds of arguments: + +- `System.Linq.Enumerable.Max()` +- `System.Linq.Enumerable.Min()` +- `System.Linq.Enumerable.Count(IEnumerable(IEnumerable, Func(IEnumerable, Func(IEnumerable, Func(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable, int count)` +- `System.Linq.Enumerable.SkipLast(IEnumerable, int count)` +- `System.Linq.Enumerable.ThenBy(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.FirstOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.FirstOrDefault(IEnumerable, Func(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.SingleOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.SingleOrDefault(IEnumerable, Func(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.LastOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.LastOrDefault(IEnumerable, Func(IEnumerable` need to be replaced with a custom value before entering the script in the command line. + +``` + + + + +``` + +Literal expressions targeting String properties can accept any value, since it is already a string in the configuration. + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/expressions/predefined-functions.md b/docs/identitymanager/6.3/integration-guide/toolkit/expressions/predefined-functions.md new file mode 100644 index 0000000000..beab380016 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/expressions/predefined-functions.md 
@@ -0,0 +1,45 @@ +--- +title: "Predefined functions" +description: "Predefined functions" +sidebar_position: 20 +--- + +# Predefined functions + +Identity Manager provides a set of predefined functions that simplify the configuration of entity property expressions and scalar rules. See the [Entity Type](../../../integration-guide/toolkit/xml-configuration/metadata/entitytype.md) and[Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md) topics for additional information. + +Unlike C# expressions, Identity Manager's predefined functions do not need any prefix. They can be used as such. See the [C# utility functions](../../../integration-guide/toolkit/expressions/csharp-utility-functions.md) topic for additional information. + +### Examples + +The following example shows two predefined functions. The first function normalizes the HR_Person FirstName. The other one converts the end date into a UTC date and adds 1440 minutes. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +         +         +``` + +The following table summarizes existing predefined functions: + + | Name | Description | Parameters | Return type | + | --- | --- | --- | --- | + | ToUpper | Returns the input string converted to uppercase, using the current culture. | None | String | + | ToLower | Returns the input string converted to lowercase, using the current culture. | None | String | + | Simplify | Returns the input string converted to uppercase, removing all whitespace and special characters, and replacing diacritics. | None | String | + | Trim | Removes all leading and trailing white-space characters from the current string. | None | String | + | TrimStart | Removes all leading white-space characters from the current string. | None | String | + | TrimEnd | Removes all trailing white-space characters from the current string. 
| None | String | +| RemoveDiacritics | Replaces accented characters with ASCII equivalents: é/è/ê → e, ç → c, à → a, ù → u, ä → ae, Ä → AE, ö → oe, Ö → OE, ü → ue, Ü → UE, č → c, Č → C, ø → o, Ø → O, ł → l, Ł → L, ß → ss, æ → ae, Æ → AE, œ → oe, Œ → OE, š → sh, Š → SH. | None | String | + | ToDoubleMetaphone | An implementation of Double Metaphone phonetic algorithm. | None | String | + | ToSoundex | An implementation of Soundex phonetic algorithm. | None | String | + | ToFirstName | Normalizes a first name (first character of each word in uppercase) separated with space, hyphen, or apostrophe and the right accents. | None | String | + | ToTitle | Puts the first character in uppercase. | None | String | + | ToFormatedDN | Returns the input string converted to Distinguished Name format. | None | String | + | ParseLocalDate | Converts the specified string representation of a date and time to its DateTime equivalent using the specified parameters. | Time zone identifier | Input string format. | DateTime | + | ParseLocalDateThenAddMinutes | Converts the input string into a DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | + | ParseUniversalDate | Converts the specified string representation of a date and time to its Coordinated Universal Time (UTC). | Input string format. | DateTime | + | ParseUniversalDateThenAddMinutes | Converts the input string into an UTC DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | + | FormatLocalDate | Converts the specified string into a local DateTime. | Time zone identifier | Input string format. | DateTime | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/file-hierarchy.md b/docs/identitymanager/6.3/integration-guide/toolkit/file-hierarchy.md new file mode 100644 index 0000000000..1272649385 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/file-hierarchy.md 
@@ -0,0 +1,27 @@
+---
+title: "Hierarchy in Configuration Files"
+description: "Hierarchy in Configuration Files"
+sidebar_position: 20
+---
+
+# Hierarchy in Configuration Files
+
+Every configuration's element falls under the ` urn:schemas-usercube-com:configuration` namespace. Element `` is the root element of each configuration file.
+
+```
+ ...
+
+```
+
+Each configuration element matches to an entry in the database. Detailed description of the element can be found in the Data model. See the [XML Configuration Schema](../../integration-guide/toolkit/xml-configuration/index.md) topic for additional information.
+
+For example, the structure of the `` element can be found in the [Connectors](../../integration-guide/connectors/index.md) topic.
+
+In some case, the element name will not match directly the data model type name.
+
+For example, the element `` in the following XML fragment is a [Access Control Rule](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md) item in the database.
+
+```
+
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/adjust-scaffoldings.md b/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/adjust-scaffoldings.md
new file mode 100644
index 0000000000..ad77649a11
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/adjust-scaffoldings.md
@@ -0,0 +1,163 @@ +# Adjust Scaffolded Configuration + +This guide shows how to adjust the XML configuration elements created by scaffoldings. + +## Overview + +A scaffolding is an XML element that will generate a complex XML fragment. It is like a configuration shortcut that helps configure easily a set of XML elements that are usually configured together. + +See the list of all existing [Scaffoldings](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md). + +In most situations, scaffoldings are enough to generate the configuration required to meet the functional needs. + +However, in some cases, scaffoldings do not meet the exact needs and must be adjusted to generate the right XML configuration. + +NETWRIX recommends writing XML configuration by first using scaffoldings, adjusting it if needed, and as a last resort, when no scaffolding meets the needs, writing the configuration manually. + +## Adjust Scaffolded Configuration + +Adjust XML configuration generated by a scaffolding by proceeding as follows: + +1. When working via the UI, start by exporting UI +[Usercube-Export-Configuration](../../../integration-guide/executables/references/export-configuration.md) elements. +2. Write an XML element whose identifier is the same as the one generated by the scaffolding. + +Any identifier can be found in the [Scaffoldings](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic, in the section displaying the generated XML fragment. + +3. Add `ConsolidationMode` to the element's properties. + + - **By default**, the XML item written manually completely replaces the one generated by the +scaffolding. + +The default behavior should be used when needing to rewrite one or a few of the items generated by a scaffolding, not all of them. + +When needing to rewrite the scaffolding's whole output, just remove the scaffolding and write the item(s) manually. 
+ + > For example, the `ViewTemplateAdaptable` scaffolding generates, for the `LDAP_Entry` + > entity type, a default display name for all LDAP resources, a display table to view the + > resources, and the corresponding permissions to access the table. Supposing that the + > resulting display table does not fit the needs, we could need to write a customized + > display table from scratch: +> + > ``` +> + > Identifier="LDAP_Entry" EntityType="LDAP_Entry" DisplayTableDesignElement="resourcetable" IsEntityTypeDefault="true"> + > + > + > + > +> + > ```` +> > + > The display table's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display table ```LDAP_Entry``` is defined by the `````` properties **written manually here**, as well as its `````` child elements **written manually here**. + > ```` + + > Still from the `ViewTemplateAdaptable` scaffolding, suppose now that the default display + > name does not fit the needs, then we could write a customized display name from scratch: +> + > ``` +> + > Identifier="LDAP_Entry_InternalDisplayName" Expression="C#:resource:return Usercube.Expressions.Functions.UtilExpressions.ToFormatedDN(resource.dn);" EntityType="LDAP_Entry" Property="InternalDisplayName" /> +> + > ```` +> > + > The entity property expression's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display name ```LDAP_Entry_InternalDisplayName``` is defined by the `````` properties **written manually here**. + > ```` + + - Set to `Merge`, the XML item generated by the scaffolding is completed with additional parent +properties and/or child elements written manually, while keeping the parent properties and the child elements defined in the scaffolding. + + > For example, the `WorkforceModule` scaffolding generates the `Directory_User` entity type + > (among other things) with a specific set of properties. 
We could choose to add some + > properties in the entity type: +> + > ``` +> + > Identifier="Directory_User" ConsolidationMode="Merge"> + > + > + > +> + > ```` +> > + > The entity type's identifier must be the same as the one generated by the scaffolding. Then the entity type ```Directory_User``` is defined by the `````` properties **of the scaffolding**, as well as its `````` child elements **written in the scaffolding**, and we add the properties **written manually here**. + > ```` + + > The `WorkforceModule` scaffolding also generates the + > `Directory_UserRecord_UniqueValue_Email` aspect (among other things) that uses unicity + > check rules to generate a unique email address for each new user. We could choose to add a + > unicity check rule in the aspect to compare the new email address to the existing ones + > from Microsoft Entra ID (formerly Microsoft Azure AD): +> + > ``` +> + > Identifier="Directory_UserRecord_UniqueValue_Email" ConsolidationMode="Merge"> + > SourceExpression="C#:record:var firstName = + > record.FirstName.Simplify()?.ToLowerInvariant(); var lastName = + > record.LastName.Simplify()?.ToLowerInvariant(); if (string.IsNullOrEmpty(firstName) || + > string.IsNullOrEmpty(lastName)) { /_ Data missing _/ return null; } +> + > var result = firstName + "." + lastName; + > if (iteration > 0) + > { + > result += iteration.ToString(); + > } +> + > return result;" TargetEntityType="AzureAD_DirectoryObject" TargetExpression="C#:azure_ad: + > if(string.IsNullOrEmpty(azure_ad.mail)) + > { + > return null; + > } +> + > var result = azure_ad.mail; + > var index = result.IndexOf('@'); + > if(index >=0) + > { + > result = result.Substring(0, index); + > } +> + > return result;" /> +> + > ```` +> > + > The aspect's identifier must be the same as the one generated by the scaffolding. 
Then the aspect ```Directory_UserRecord_UniqueValue_Email``` is defined by the `````` properties **of the scaffolding**, as well as its `````` child elements **written in the scaffolding**, and we add the unicity check rule **written manually here**. + > ```` + + - Set to `Update`, the XML item written manually replaces all parent properties, while keeping +the child elements defined in the scaffolding. + + > For example, the `OptimizeDisplayTable` scaffolding generates the `Directory_User` display + > entity type (among other things) with a specific set of properties. We could choose to + > change just the parent properties of the display entity type without changing its child + > properties: +> + > ``` +> + > Identifier="Directory_User" ConsolidationMode="Update" Color="#95c18b" D0IsActive="true" D1IsActive="true" D2IsActive="true" D3IsActive="true" IconCode="People" PluralDisplayName_L1="Users" Priority="0" /> +> + > ```` +> > + > The display entity type's identifier must be the same as the one generated by the scaffolding. Then the display entity type ```Directory_User``` is defined by the `````` properties **written manually here**, as well as the `````` child elements **written in the scaffolding**. + > ```` + + - Set to `Delete`, the XML item generated by the scaffolding is deleted, including its child +elements. + + > For example, the `AssignProfileAccessControlRules` scaffolding generates the + > `Administrator_Category_AccessControl_AssignedProfile` access control rule (among other + > things) with possibly child elements. We could choose to remove the whole access control + > rule: +> + > ``` +> + > Identifier="Administrator_Category_AccessControl_AssignedProfile" ConsolidationMode="Delete" /> +> + > ```` +> > + > The access control rule's identifier must be the same as the one generated by the scaffolding. Then the access control rule ```Administrator_Category_AccessControl_AssignedProfile``` is completely removed. + > ```` + +4. 
[ Usercube-Deploy Configuration](../../../integration-guide/executables/references/deploy-configuration.md) +again. + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/deploy-configuration.md b/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/deploy-configuration.md new file mode 100644 index 0000000000..99e1c9f899 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/deploy-configuration.md 
@@ -0,0 +1,92 @@
+# Identity Manager Deploy the Configuration
+
+This guide shows how to deploy the XML configuration, in order to build and use the Identity Manager application.
+
+## Overview
+
+The process for configuration deployment varies according to the situation:
+
+- when working **on-premise**, the configuration must be deployed locally;
+- when working **SaaS**, the configuration must be deployed remotely.
+
+## Deploy the Configuration Locally
+
+Deploy a local XML configuration by using the [ Usercube-Deploy Configuration](../../../integration-guide/executables/references/deploy-configuration.md) and declaring at least:
+
+- the configuration directory;
+- the connection string of the database.
+
+> ```
+>
+> ./Usercube-Deploy-Configuration.exe -d "C:\Usercube\Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"
+>
+> ```
+
+## Deploy the Configuration Remotely
+
+Deploy a **SaaS** XML configuration by proceeding as follows:
+
+1. Log in for configuration deployment/export with the
+[Usercube-Login](../../../integration-guide/executables/references/login.md).
+
+Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure strong security, visibility and ease of use.
+
+NETWRIX recommends using Identity Manager's dedicated in-house OIDC Identity Provider (IDP), but you can also use your own IDP if you want to manage authentication yourself.
+
+When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id tokens.
+
+ > For example, when using Identity Manager's IDP:
+>
+ > ```
+>
+ > ./Usercube-Login.exe
+>
+ > ```
+>
+ > ```
+
+ > For example, when using another IDP:
+>
+ > ```
+>
+ > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id
+ > 34b3c-fb45da-3ed32
+>
+ > ```
+>
+ > ```
+
+Either method will open your default browser to `http://localhost:5005` where you will be redirected to the specified IDP and will be prompted to log in.
+
+Specify `--port ` if you want the login page to use another local port.
+
+If you have already successfully deployed or exported your **SaaS** configuration at least once, then there is no need to communicate the authentication information again. Go directly to step 4.
+
+However, if, since then, there has been a change in the identity deploying/exporting the configuration or in the Identity Provider used to log in at step 1, then go through the whole process again.
+
+2. Log in to the IDP to be redirected back to this screen:
+
+ ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp)
+
+Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes.
+
+3. Copy the entire text within the blue square and send it to your Identity Manager administrator.
+
+The administrator will add the identity information to the configuration of your Identity Manager instance, to allow the configuration deployment/export.
+
+4. Deploy the configuration by using
+the[ Usercube-Deploy Configuration](../../../integration-guide/executables/references/deploy-configuration.md) and declaring at least:
+
+ - the configuration directory;
+ - the deployment environment;
+ - the API URL of your Identity Manager instance.
+ > ```
+>
+ > ./Usercube-Deploy-Configuration.exe -d "C:\Usercube\Conf" --api-url https://my_usercube_instance.com --deployment-slot Development
+>
+ > ```
+
+You can deploy the configuration by launching only the `Deploy-Configuration` executable until the authentication token expires. Then, the token must be refreshed via the `Login` executable before deploying again.
+
+The token served by Identity Manager's IDP expires after one hour.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/export-configuration.md b/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/export-configuration.md
new file mode 100644
index 0000000000..9dad7820cf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/how-tos/export-configuration.md
@@ -0,0 +1,93 @@
+# Export the Configuration
+
+This guide shows how to export the configuration as XML files to a given folder.
+
+## Overview
+
+The process for configuration export varies according to the situation:
+
+- when working **on-premise**, the configuration must be exported locally;
+- when working **SaaS**, the configuration must be exported remotely;
+
+See the [Usercube-Export-Configuration](../../../integration-guide/executables/references/export-configuration.md) topic for additional information.
+
+## Export the Configuration Locally
+
+Export your configuration by using the [Usercube-Export-Configuration](../../../integration-guide/executables/references/export-configuration.md) executable and declaring at least:
+
+- the directory where the configuration is to be exported to;
+- the connection string of the database.
+
+> ```shell
+>
+> ./Usercube-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/Usercube/ExportedConf"
+>
+> ```
+
+## Export the Configuration Remotely
+
+Export a **SaaS** configuration by proceeding as follows:
+
+1. Log in for configuration deployment/export with the
+[Usercube-Login](../../../integration-guide/executables/references/login.md).
+
+Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure strong security, visibility and ease of use.
+
+Netwrix Identity Manager (formerly Usercube)recommends using Identity Manager's dedicated in-house OIDC Identity Provider (IDP), but you can also use your own IDP if you want to manage authentication yourself.
+
+When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id tokens.
+
+ > For example, when using Identity Manager's IDP:
+>
+ > ```
+>
+ > ./Usercube-Login.exe
+>
+ > ```
+>
+ > ```
+
+ > For example, when using another IDP:
+>
+ > ```
+>
+ > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id
+ > 34b3c-fb45da-3ed32
+>
+ > ```
+>
+ > ```
+
+Either method will open your default browser to `http://localhost:5005` where you will be redirected to the specified IDP and will be prompted to log in.
+
+Specify `--port ` if you want the login page to use another local port.
+
+If you have already successfully deployed or exported your **SaaS** configuration at least once, then there is no need to communicate the authentication information again. Go directly to step 4.
+
+However, if, since then, there has been a change in the identity deploying/exporting the configuration or in the Identity Provider used to log in at step 1, then go through the whole process again.
+
+2. Log in to the IDP to be redirected back to this screen:
+
+ ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp)
+
+Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes.
+
+3. Copy the entire text within the blue square and send it to your Identity Manager administrator.
+
+The administrator will add the identity information to the configuration of your Identity Manager instance, to allow the configuration deployment/export.
+
+4. Export the configuration by using the
+[Usercube-Export-Configuration](../../../integration-guide/executables/references/export-configuration.md) and declaring at least:
+
+ - the configuration directory;
+ - the API URL of your Identity Manager instance.
+ > ```
+>
+ > ./Usercube-Export-Configuration.exe -d "C:\Usercube\ExportedConf" --api-url https://my_usercube_instance.com
+>
+ > ```
+
+You can export the configuration by launching only the `Export-Configuration` executable until the authentication token expires. Then, the token must be refreshed via the `Login` executable before exporting again.
+
+The token served by Identity Manager's IDP expires after one hour.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/index.md
new file mode 100644
index 0000000000..b91b323024
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/index.md
@@ -0,0 +1,18 @@
+---
+title: "Toolkit for XML Configuration"
+description: "Toolkit for XML Configuration"
+sidebar_position: 210
+---
+
+# Toolkit for XML Configuration
+
+The Netwrix Identity Manager (formerly Usercube) configuration is a set of XML files edited according the Identity Manager schema. The [Recommendations](../../integration-guide/toolkit/recommendations.md) part of this section explains how to set up an editing environment for the configuration.
+
+Regardless of the editing space, the configuration persists in the Netwrix Identity Manager (formerly Usercube) database. It's this stored configuration that is used at runtime.
+
+The [Deploy Configuration Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask.md) tool is used to **import** a new version of the configuration (from the XML files set). The[Usercube-Export-Configuration](../../integration-guide/executables/references/export-configuration.md) can be used to **export** the current configuration (to a XML files set).
+
+The Identity Manager project's integration cycle consists in developing a configuration by successive imports in a test instance.
+
+![Integration cycle](/images/identitymanager/configurationcycle.webp)
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/languages.md b/docs/identitymanager/6.3/integration-guide/toolkit/languages.md
new file mode 100644
index 0000000000..68fe7d2e2f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/languages.md
@@ -0,0 +1,23 @@
+---
+title: "Languages"
+description: "Languages"
+sidebar_position: 50
+---
+
+# Languages
+
+Some configuration string must be specified in multiple languages. For this, the name of the corresponding XML attribute is suffixed by `_L1`, `_L2`,... `_L8`. For example, the property _DisplayName_ of an [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype.md) can be specified in English and French:
+
+```
+ ...
+
+```
+
+Languages list must be specified by [Language](../../integration-guide/toolkit/xml-configuration/metadata/language.md) elements.
+
+```
+** **
+```
+
+The code is a combination of an ISO 639 two-letter lowercase culture code associated with a language and an ISO 3166 two-letter uppercase subculture code associated with a country or region.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/parameter-names.md b/docs/identitymanager/6.3/integration-guide/toolkit/parameter-names.md
new file mode 100644
index 0000000000..7703f8fb93
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/parameter-names.md
@@ -0,0 +1,67 @@
+---
+title: "Base32 Parameter Names"
+description: "Base32 Parameter Names"
+sidebar_position: 70
+---
+
+# Base32 Parameter Names
+
+## Base32 Parameter Names
+
+Some attributes names in the applicative configuration, such a those related to dimensions identification, are written using a [Base32 representation of numbers](https://en.wikipedia.org/wiki/Base32).
+
+Identity Manager uses flavor of base32 known as **base32hex** described in the [RFC4648](https://tools.ietf.org/html/rfc4648#rfc4648).
+
+It uses 10 digits from 0 to 9 and 22 letters from A to V to represent numbers.
+
+The following table shows the decimal - base32hex equivalent for the first 127 numbers.
+
+ | base32hex | decimal |
+ | --- | --- |
+ | 0 | 0 |
+ | 1 | 1 |
+ | 2 | 2 |
+ | 3 | 3 |
+ | 4 | 4 |
+ | 5 | 5 |
+ | 6 | 6 |
+ | 7 | 7 |
+ | 8 | 8 |
+ | 9 | 9 |
+ | a | 10 |
+ | b | 11 |
+ | c | 12 |
+ | d | 13 |
+ | e | 14 |
+ | f | 15 |
+ | g | 16 |
+ | h | 17 |
+ | i | 18 |
+ | j | 19 |
+ | k | 20 |
+ | l | 21 |
+ | m | 22 |
+ | n | 23 |
+ | o | 24 |
+ | p | 25 |
+ | q | 26 |
+ | r | 27 |
+ | s | 28 |
+ | t | 29 |
+ | u | 30 |
+ | v | 31 |
+ | 10 | 32 |
+ | 11 | 33 |
+ | ... | ... |
+ | 1A | 42 |
+ | ... | ... |
+ | 20 | 64 |
+ | ... | ... |
+ | 2A | 74 |
+ | ... | ... |
+ | 3V | 127 |
+
+For example, dimensions are identified by a number going from 0 to 127 in decimal representation and 0 to 3V in base32hex representation.
+
+The [Context Rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule.md) support _128_ dimension parameters going from `B0` to `B3V` using the **base32hex**`0` to `3V` numbers to identify a dimension.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/recommendations.md b/docs/identitymanager/6.3/integration-guide/toolkit/recommendations.md
new file mode 100644
index 0000000000..78621f7e6c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/recommendations.md
@@ -0,0 +1,65 @@ +--- +title: "Recommendations" +description: "Recommendations" +sidebar_position: 10 +--- + +# Recommendations + +## Editor + +[Visual Studio Code](https://code.visualstudio.com/) is the recommended editor for configuration. Its extensions can highly benefit the configuration experience. Netwrix Identity Manager (formerly Usercube) recommends the following extensions: + +- [Project Manager](https://marketplace.visualstudio.com/items?itemName=alefragnani.project-manager) +for file organization; +- [Xml Tools](https://marketplace.visualstudio.com/items?itemName=DotJoshJohnson.xml) for XML +formatting; +- [XML](https://marketplace.visualstudio.com/items?itemName=rogalmic.vscode-xml-complete) by RedHat +to provide auto-completion of XML configuration based on an XSD file; +- [Powershell](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell) for +Powershell formatting; +- [Rainbow CSV](https://marketplace.visualstudio.com/items?itemName=mechatroner.rainbow-csv) for CSV +formatting; +- [GitLens](https://marketplace.visualstudio.com/items?itemName=eamodio.gitlens) for file history +features. + +### Configure auto-completion + +RedHat's XML extension provides auto-completion based on an XSD file. It opens an auto-completion popup when you start to edit an element or attribute name. You can open the popup by typing `Ctrl-Space`. + +![Auto-complete](/images/identitymanager/autocomplete.webp) + +Configure auto-completion by proceeding as follows: + +1. Retrieve from the SDK artifact the `usercube-configuration.xsd` and +`Usercube.Demo.code-workspace` files. +2. Make sure that these files are in the working directory (for example `C:/identitymanagerDemo`). +3. 
In `Usercube.Demo.code-workspace`, declare the following setting, replacing the path +`C:/identitymanagerDemo/identitymanager-configuration.xsd` by the path of your XSD file: + +``` +"settings": { "xml.fileAssociations": [{ "systemId": "file:///C:/identitymanagerDemo/identitymanager-configuration.xsd", "pattern": "**/*.xml" }] } +``` + +## Version Control System + +A version control system (like Git) is also recommended so files and configuration history could be tracked. + +## File Hierarchy + +Some folders in the XML configuration contain files that are generated by Identity Manager and that must not be modified manually: + +- `Runtime/Workforce` +- `Runtime/Bootstrap` + +For the configuration to be more readable it is recommended to classify configuration by Connector or Application Entity. For each Connector or Application Entity create a folder in which will put: + +- **_Connector.xml_** file containing the definition of the Connector, the EntityTypes,the +EntityAssociations and their mappings. +- **_Administrator.xml_** file containing all the ACE for the administrator profile. +- **_Role Model.xml_** file containing the role model configuration. +- **_UI.xml_** file containing the User Interface configuration. +- **_Jobs.xml_** file containing the jobs configuration. +- **_Workflows.xml_** file containing the Workflows configuration for the given connector. + +![Recommendation](/images/identitymanager/recommendation.webp) diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/reservedidentifiers.md b/docs/identitymanager/6.3/integration-guide/toolkit/reservedidentifiers.md new file mode 100644 index 0000000000..5f1b53f8e8 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/reservedidentifiers.md 
@@ -0,0 +1,54 @@
+---
+title: "Reserved identifiers"
+description: "Reserved identifiers"
+sidebar_position: 60
+---
+
+# Reserved identifiers
+
+Identifiers of [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype.md) and [Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype.md)cannot be one of the following words:
+
+These words can't be written in any case, example: id, Id, iD and ID are forbidden.
+
+- Id
+- if
+- for
+- while
+- return
+- break
+- else
+- continue
+- ref
+- out
+- class
+- interface
+- struct
+- foreach
+- do
+- char
+- byte
+- string
+- int
+- long
+- null
+- public
+- private
+- protected
+- static
+- const
+- abstract
+- try
+- catch
+- sealed
+- void
+- true
+- false
+- finally
+- throw
+- Exception
+- override
+- readonly
+- return
+- enum
+- delegate
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy.md
new file mode 100644
index 0000000000..0741111626
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy.md
@@ -0,0 +1,14 @@
+---
+title: "AccessCertificationCampaignPolicy"
+description: ""
+sidebar_position: 1
+---
+
+This object defines sets of reviewers. Campaigns are created for one of the defined set only. The default policy always exists.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the campaign policy in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Policy identifier |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter.md
new file mode 100644
index 0000000000..d31a3e260c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter.md
@@ -0,0 +1,34 @@ +--- +title: "AccessCertificationDataFilter" +description: "" +sidebar_position: 2 +--- + +When running an Access Certification Campaign, this object defines the scope of assignments of entitlements to certify for a given Access Certification Campaign. It filters based on the specific entitlements attributes. + +## Properties + +|Property|Details| +|---|---| +| Campaign required | **Type:** Int64 **Description:** The associated campaign. | +| Category optional | **Type:** Int64 **Description:** Specifies the category targeted by the filter. | +| IncludeCompositeRoles default value: false | **Type:** Boolean **Description:** `true` to include the composite roles in the certification. | +| IncludeDeniedPermissions default value: true | **Type:** Boolean **Description:** Filters items with denied permissions from Access Certification Campaign. | +| IncludeDoubleValidation default value: true | **Type:** Boolean **Description:** `true` to include the assignments of entitlements with two validations in the certification. | +| IncludeManualAssignmentNotAllowed default value: true | **Type:** Boolean **Description:** `true` to include in the certification the resources that cannot be requested manually, i.e. those from [resource types](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#properties) with `ApprovalWorkflowType` set to `ManualAssignmentNotAllowed`. | +| IncludeNestedCategories default value: false | **Type:** Boolean **Description:** When a category is used as filter, all its nested categories are also included in the campaign. | +| IncludeNoValidation default value: true | **Type:** Boolean **Description:** `true` to include the assignments of entitlements without validation in the certification. | +| IncludeResourceNavigations default value: false | **Type:** Boolean **Description:** `true` to include the resource navigations in the certification. 
| +| IncludeResourceScalars default value: false | **Type:** Boolean **Description:** `true` to include the resource scalars in the certification. | +| IncludeResourceTypes default value: false | **Type:** Boolean **Description:** `true` to include the resource types in the certification. | +| IncludeSimpleValidation default value: true | **Type:** Boolean **Description:** `true` to include the assignments of entitlements with one validation in the certification. | +| IncludeSingleRoles default value: false | **Type:** Boolean **Description:** `true` to include the single roles in the certification. | +| IncludeTripleValidation default value: true | **Type:** Boolean **Description:** `true` to include the assignments of entitlements with three validations in the certification. | +| IncludeWorkflowStateApproved default value: true | **Type:** Boolean **Description:** `true` to include the manually approved assignments of entitlements in the certification. | +| IncludeWorkflowStateFound default value: true | **Type:** Boolean **Description:** `true` to include the reconciled assignments of entitlements in the certification. | +| IncludeWorkflowStateHistory default value: true | **Type:** Boolean **Description:** `true` to include the preexisting approved assignments of entitlements in the certification. | +| IncludeWorkflowStatePolicyApproved default value: true | **Type:** Boolean **Description:** `true` to include the automatically approved assignments of entitlements in the certification. | +| LatestCertifiedLimitDate optional | **Type:** DateTime **Description:** If specified, only assignments of entitlements not certified since. | +| ResourceType optional | **Type:** Int64 **Description:** Specifies the resource type targeted by the filter. | +| Tags optional | **Type:** String **Description:** Tags of the roles targeted by the campaign filter. The tag separator is `¤`. 
| +| TargetedRisk optional | **Type:** Int64 **Description:** If set, filters on the owner risk. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter.md new file mode 100644 index 0000000000..f78378833a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter.md 
@@ -0,0 +1,20 @@ +--- +title: "AccessCertificationOwnerFilter" +description: "" +sidebar_position: 3 +--- + +When running an Access Certification Campaign, this object defines the scope of assignments of entitlements to certify for a given Access Certification Campaign. It filters based on the attributes of entitlements owner. + +## Properties + +|Property|Details| +|---|---| +| Campaign required | **Type:** Int64 **Description:** The associated campaign. | +| D0 optional | **Type:** Int64 **Description:** Identifier of the dimension 0 (up to 3V in [base32hex](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)) that filters the owners targeted by the access certification campaign. | +| IndividualOwner optional | **Type:** Int64 **Description:** If set, filters on the owner. | +| L0 default value: false | **Type:** Boolean **Description:** `true` to include all the hierarchy beneath the dimension 0. **Note:** this setting can be used only if the corresponding [dimension](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/dimension) was declared with `IsHierarchical` set to `true` and with a `ParentProperty`. | +| MinimalRiskScore optional | **Type:** Int32 **Description:** If set, filters only owners above given risk. | +| OwnerLastModificationDate optional | **Type:** DateTime **Description:** Date such that the identities to be certified will be those for which the value of the `OwnerLastModificationDateBinding` property was modified since then. **Note:** must be set together with `OwnerLastModificationDateBinding`. | +| OwnerLastModificationDateBinding optional | **Type:** Int64 **Description:** Binding of the property whose owner will be part of the campaign's targets, if the property's value was modified since `OwnerLastModificationDate`. **Note:** must be set together with `OwnerLastModificationDate`. **Note:** the properties calculated by Identity Manager cannot be used. 
| +| TargetedRisk optional | **Type:** Int64 **Description:** If set, filters on the owner risk. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/index.md new file mode 100644 index 0000000000..889acb2939 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-certification/index.md @@ -0,0 +1,10 @@ +--- +title: "Access Certification" +description: "Access Certification" +sidebar_position: 10 +--- + +# Access Certification +- [Accesscertificationcampaignpolicy](accesscertificationcampaignpolicy) +- [Accesscertificationdatafilter](accesscertificationdatafilter) +- [Accesscertificationownerfilter](accesscertificationownerfilter) diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission.md new file mode 100644 index 0000000000..7ccd81ecb3 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission.md 
@@ -0,0 +1,23 @@
+---
+title: "AccessControlPermission"
+description: ""
+sidebar_position: 1
+---
+
+AccessControlPermission identifies the access permissions to a specific Identity Manager feature.
+
+The permissions have a filesystem like structure. The **/** is the root permission.
+There can be nested permissions like */a/b/c*. Like for files, access rights can be inherited from the parent permissions.
+
+The available permissions are built automatically by the product.
+There are predefined permissions for all the features provided with the product.
+The other permissions are generated from the configured Entity Types, Workflows and Reports.
+
+Each connected user has access to all the permissions from the Profile Rules he belongs to.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| BlockInheritance default value: false | **Type:** Boolean **Description:** Disable the possibility to inherit descendants permissions. |
+| Identifier required | **Type:** String **Description:** Identifier of the permission. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup.md
new file mode 100644
index 0000000000..caeff9abe7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup.md
@@ -0,0 +1,61 @@ +--- +title: "AccessControlPropertyGroup" +description: "" +sidebar_position: 2 +--- + +AccessControlPropertyGroup is used to hide properties based on the connected users profiles and scopes of responsibility. +It allows applying visibility rules on groups of entity properties. + +The AccessControlPropertyGroup on itself is only a marker. The groups are assigned to properties by using Access Control Entity Type and Access Control Entity Property. + +A group can contain properties from several entity types by adding as many AccessControlEntityType as needed. + +An Access Control Rule can then define the profiles and the scopes of responsibility allowed to view the properties in the two groups. + +When an API call is performed on a resource, the values of the properties that belong to AccessControlPropertyGroup will not be returned unless the calling user has the right permissions. + + +## Examples +The following example shows two property groups. The first one for HR sensitive properties like the start and exit dates. The other one contains administration properties like the login or the compliance grace period. + +```xml + + + + + + + + + + + + + +``` + +Here, the Administrator profile is given access to all the properties. The Manager profile can view all the HR sensitive fields for people in his department. + +```xml + + + + + + + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the group in language 1 (up to 16). | +| Identifier required | **Type:** String **Description:** Identifier of the group. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md new file mode 100644 index 0000000000..9966b77346 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md 
@@ -0,0 +1,182 @@ +--- +title: "AccessControlRule" +description: "" +sidebar_position: 3 +--- + +An access control rule gives to a profile a set of permissions on a data set represented by an entity type. + +The rule contains filters to restrict its application, and entries to grant or deny the permissions. + + +## Examples +```xml + + + + + + + + + + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the access control rule in language 1 (up to 16). | +| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type that forms the data set on which the rule's permissions are applied. **Note:** the entity type can be part of the custom entity model, e.g. `Directory_User` or `AD_Entry`, or part of the built-in entity model, e.g. `AssignedSingleRole` or `Workflows` or `AccessCertificationItem`. | +| Identifier required | **Type:** String **Description:** Unique identifier of the access control. | +| Profile required | **Type:** Int64 **Description:** The id of the profile to which the permissions will be given. | + +## Child Element: Entry +AccessControlEntry grants or denies a permission to a user. Access Control Entries are part of an Access Control Rule that defines the users scope of responsibility in the Identity Manager UI/Workflows. + +:::warning +If your configuration contains an access control entry with `Permission="/"` and `CanExecute="true"` then an **error** will occur during the configuration deployment, as a profile should not possess such a big permission. +::: + +### Properties + +|Property|Details| +|---|---| +| CanExecute default value: false | **Type:** Boolean **Description:** Gives permission to execute permission. | +| FullAccessProperties default value: false | **Type:** Boolean **Description:** Gives full access to all properties. 
| +| IsPostCondition default value: true | **Type:** Boolean **Description:** If true, the rule is evaluated on the entity after modification. | +| IsPreCondition default value: true | **Type:** Boolean **Description:** If true, the rule is evaluated on the entity before modification. | +| Notify default value: true | **Type:** Boolean **Description:** `true` to send notification emails to the rule's recipient profile when executing tasks related to the specified `Permission`. | +| Permission required | **Type:** Int64 **Description:** Linked Permission. | +| Priority default value: 0 | **Type:** Int32 **Description:** When a user has several contexts giving him access to the same right, the one with the highest priority is elected. | +| PropertyGroup optional | **Type:** Int64 **Description:** Gives the right to read for the PropertyGroup. | + +## Child Element: Filter +An access control filter restricts the application of the access control rule to a given subset of the data set. The rule will give the specified permissions to the profile only on the parts of the rule's data set for which the filter's condition is met. + +This condition is actually a comparison expression between two elements: +1. the value of a property which is originating from an entity targeted by the rule; +2. a comparison value that can be constant, or originating from the user profile. + +![Access Control Filter Schema](/images/identitymanager/accesscontrolfilter_schema.webp) + + +### Examples +#### Filter on a constant value + +The following example gives to the `Administrator` profile certain permissions on user data, but only concerning users working in the marketing department. + +```xml + + + + ... + +``` + +:::note +Technically speaking, the filter here says that the rule's permissions apply only on users from `Directory_User` whose `Code` of `MainOrganization` is `Marketing`. 
+::: + +#### Filter on the account of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only concerning users from the team managed by the current user. + +```xml + + + + ... + +``` + +:::note +Technically speaking, the filter here says that the rule's permissions apply only on the users' records from `Directory_UserRecord` whose `Id` of `Manager` is the identifier of the account used by the current user to authenticate to Identity Manager. +::: + +#### Filter on the context(s) of the assigned profile(s) of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only concerning users working in the same department as the current user. + +```xml + + + + ... + + + +``` + +:::note +Technically speaking, the filter here says that the rule's permissions apply only on the users from `Directory_User` whose `Id` of `MainDepartment` is the same identifier as the value set for the `Department` dimension of the current user, in at least one of their assigned profiles. +::: + +> For example, Timothy Callahan is here assigned the `Manager` profile with the `Department` dimension set to `Treasury/Chief Economist`. +> ![Matching Assigned Profile](/images/identitymanager/assignedprofile_example_v603.webp) +> Thus, with the previous access control rule, Timothy Callahan will get certain permissions on users whose main department is `Treasury/Chief Economist`. + +The following example gives to the `RoleOfficerByCategory` profile certain permissions on assigned single roles, but only concerning the roles of a category assigned to the current user. + +```xml + + + + ... 
+ +``` + +:::note +Technically speaking, the filter here says that the rule's permissions apply only on the assigned single roles whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value set for the `Category` property of the current user, in at least one of their assigned profiles. +::: + +#### Multiple filters + +The following example gives to the `RoleOfficerByCategory` profile the permission to review the roles of users from `Directory_User`, but only the roles of a category assigned to the current user, and whose assignment is stated as pending the first approval out of 1, 2 or 3. + +```xml + + + + + + + + + + + + + + + +``` + +:::note +Technically speaking, the filter here says that the rule's permissions apply only on the assigned single roles: +- whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value set for the `Category` property of the current user, in at least one of their assigned profiles; +- and whose `WorkflowState` is set to `8` or `9` or `11`, which mean respectively pending approval 1/1, 1/2 and 1/3. +::: + + +### Properties + +|Property|Details| +|---|---| +| Binding required | **Type:** Int64 **Description:** Binding of the property whose value is to be checked to restrict the application of the rule's permissions. **Note:** the binding must be based on the entity type defined in the access control rule. | +| Category default value: false | **Type:** Boolean **Description:** `true` to compare the value specified by the binding to the categories of the current user's [assigned profiles](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/assignedprofile). | +| CompositeRole default value: false | **Type:** Boolean **Description:** `true` to compare the value specified by the binding to the composite roles of the current user's [assigned profiles](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/assignedprofile). 
| +| CurrentUser default value: false | **Type:** Boolean **Description:** `true` to compare the value specified by the binding to the identifier of the account used by the current user to authenticate to Identity Manager. **Note:** the current user is the owner of the profile, allowed by the access control rule to perform an action and/or receive a notification. **Info:** `CurrentUser` is tightly linked to the configuration of the [`SelectUserByIdentityQueryHandlerSetting`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting). | +| Dimension optional | **Type:** Int64 **Description:** Identifier of the [dimension](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/dimension) whose value(s), from the user's [assigned profiles](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/assignedprofile), are to be compared to the value specified by the binding. | +| Group optional | **Type:** String **Description:** Group that the filter is part of. The access control rule filters the permissions by using the union (OR) of all filter groups, and the intersection (AND) of all filters within a group. **Note:** when not specified, the filter is part of the default group. | +| Operator default value: 0 | **Type:** AccessControlFilterOperator **Description:** Comparison operator. `0` - Equals. `1` - NotEquals. | +| ResourceType default value: false | **Type:** Boolean **Description:** `true` to compare the value specified by the binding to the resource types of the current user's [assigned profiles](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/assignedprofile). 
| +| SingleRole default value: false | **Type:** Boolean **Description:** `true` to compare the value specified by the binding to the single roles of the current user's [assigned profiles](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/assignedprofile). | +| Value optional | **Type:** String **Description:** Hard coded value to be compared to the value specified by the binding. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/assignedprofile.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/assignedprofile.md new file mode 100644 index 0000000000..24ddbb508a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/assignedprofile.md 
@@ -0,0 +1,26 @@
+---
+title: "AssignedProfile"
+description: ""
+sidebar_position: 4
+---
+
+An assigned profile allows or denies to a user a scope of responsibility in Identity Manager.
+
+Each assigned profile gives one profile and one profile context to a user. A user can have up to 10 assigned profiles.
+
+For a given user, all the assigned profiles are matched against all the configured access control rules to compute the user's permissions in Identity Manager.
+
+An assigned profile can be assigned explicitly to someone, or generated automatically based on users' data via profile rules.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| AccessState default value: 0 | **Type:** AccessState **Description:** Access state ("None"=0, "Requested"=4, "PendingApproval"=8, "PendingApproval1"=9, "PendingApproval2"=10, "Approved"=16, "Declined"=17 and "PolicyApproved"=18). |
+| Context required | **Type:** Int64 **Description:** Identifier of the context. |
+| Email optional | **Type:** String **Description:** If specified, email address used for notification instead of the user's address. |
+| EndDate default value: 20790606 | **Type:** DateTime **Description:** Assignment end date. |
+| IsDenied default value: false | **Type:** Boolean **Description:** Profile denied to the user. |
+| Profile required | **Type:** Int64 **Description:** Identifier of the profile. |
+| StartDate default value: 19000101 | **Type:** DateTime **Description:** Assignment start date. |
+| User required | **Type:** Int64 **Description:** Identifier of the user. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/index.md
new file mode 100644
index 0000000000..0e18a477fc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/index.md
@@ -0,0 +1,15 @@
+---
+title: "Access Control"
+description: "Access Control"
+sidebar_position: 10
+---
+
+# Access Control
+- [Accesscontrolpermission](accesscontrolpermission)
+- [Accesscontrolpropertygroup](accesscontrolpropertygroup)
+- [Accesscontrolrule](accesscontrolrule)
+- [Assignedprofile](assignedprofile)
+- [Openidclient](openidclient)
+- [Profile](profile)
+- [Profilecontext](profilecontext)
+- [Profilerulecontext](profilerulecontext)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/openidclient.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/openidclient.md
new file mode 100644
index 0000000000..4d9763f285
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/openidclient.md
@@ -0,0 +1,45 @@
+---
+title: "OpenIdClient"
+description: ""
+sidebar_position: 5
+---
+
+OpenIdClient declares an OpenID Connect clientId/secret to call the Identity Manager API.
+All the configurations need at least one clientId used by all the jobs on the agent side to call the server.
+
+Only the hashed secret is kept in the configuration. The clear version is only known by the API callers.
+
+:::warning
+The secret must be strong enough to protect access to the API.
+:::
+
+
+The good practice is generating a random secret, for example a 32 characters string, from a tool like KeePass. Each clientId must have it's own secret.
+The tool [Usercube-New-OpenIDSecret](/docs/identitymanager/current/integration-guide/executables/references/new-openidsecret) can be used to generate secrets and their hashes.
+
+Each clientId must have a scope of responsibility. The *Profile* and *ContextId* properties assign a required Profile and an optional Profile Context.
+
+
+## Examples
+The following code declares a clientId with the Administrator profile.
+```xml
+
+```
+
+The following code example declares a clientId with the RoleOfficerByCategory profile, restricted to the profile context defined below. The ContextId property must reference the Id of an existing Profile Context. Profile contexts don't have identifiers, so to avoid recalculation of the ProfileContext's Id property on configuration deployment, the Id should be declared manually as below. To be valid, it must be lower or equal to -2.
+```xml
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Context optional | **Type:** Int64 **Description:** Id of the ProfileContext used to further restrict the client scope of responsibility |
+| DisplayName_L1 required | **Type:** String **Description:** Name that will be Displayed on the screen |
+| ExpirationDate optional | **Type:** DateTime **Description:** After this date, the client is no longer usable |
+| HashedSecret required | **Type:** String **Description:** HashedPassword of client |
+| Identifier required | **Type:** String **Description:** Client login name and name |
+| Profile required | **Type:** Int64 **Description:** Profile linked with the client |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profile.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profile.md
new file mode 100644
index 0000000000..f037bfde7f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profile.md
@@ -0,0 +1,22 @@
+---
+title: "Profile"
+description: ""
+sidebar_position: 6
+---
+
+Profile defines a user profile linked to permissions in Identity Manager. Profiles work with Access Control Rule and Profile Rule to describe who can do what.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the profile in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Profile identifier |
+| IsComponent default value: false | **Type:** Boolean **Description:** If true, assess the profile as being a component profile. That means it can be used to build a new profile through the composite profile method. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilecontext.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilecontext.md
new file mode 100644
index 0000000000..ee28c29418
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilecontext.md
@@ -0,0 +1,27 @@
+---
+title: "ProfileContext"
+description: ""
+sidebar_position: 7
+---
+
+ProfileContext contains the dimensions values used to define the connected users scope of responsibility.
+They are stored as part of Assigned Profiles and are evaluated within Access Control Rule filters.
+
+
+## Examples
+The following code example declares a new profile context based on a category and a dimension. Profile contexts don't have identifiers, so to avoid recalculation of the ProfileContext Id property on configuration deployment, the Id should be declared manually as below. To be valid, it must be lower or equal to -2.
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Category optional | **Type:** Int64 **Description:** Category in which the assignment is restricted. |
+| CompositeRole optional | **Type:** Int64 **Description:** CompositeRole in which the assignment is restricted. |
+| D0 optional | **Type:** Int64 **Description:** Dimension 0 Id, specifies the scope in which the assignment is restricted. Going from 0 to 127. |
+| IsAutomatic default value: false | **Type:** Boolean **Description:** Context automatically created by task Usercube-Set-InternalUserProfiles. |
+| ResourceType optional | **Type:** Int64 **Description:** ResourceType in which the assignment is restricted. |
+| SingleRole optional | **Type:** Int64 **Description:** SingleRole in which the assignment is restricted. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext.md
new file mode 100644
index 0000000000..648c3854a1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext.md
@@ -0,0 +1,48 @@
+---
+title: "ProfileRuleContext"
+description: ""
+sidebar_position: 8
+---
+
+Defines the context in which the rule will be evaluated.
+
+
+## Examples
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** Int64 **Description:** When `ResourceType` is not used, identifier of the entity type from which the expressions are evaluated. |
+| IsAppliedToRoot default value: true | **Type:** Boolean **Description:** Are the dimensions queried from user informations? |
+| ResourceType optional | **Type:** Int64 **Description:** The resourceType of the assignedResourcetypes on which the rule is going to be applied on. |
+| RootBinding optional | **Type:** Int64 **Description:** Binding to apply on the user resource before excuting the root expression(cf Profile Rule). |
+| SubBinding optional | **Type:** Int64 **Description:** Binding to apply on the user resource before excuting the sub expression(cf Profile Rule). |
+
+## Child Element: ProfileRule
+Defines the rule to assign a profile to user when matched.
+
+
+### Examples
+```xml
+
+
+
+```
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| B0 optional | **Type:** Int64 **Description:** Represents the first dimension binding definition. The 127 other dimension bindings can be referred to by 127 more parameters from B1 to B3V following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names). |
+| IsDenied default value: false | **Type:** Boolean **Description:** Profile denied to the user when matched. |
+| Profile required | **Type:** Int64 **Description:** Identifier of the profile rule. |
+| RootExpression optional | **Type:** String **Description:** C# expression to apply on the source entity type of the context resource type. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions).
|
+| SubExpression optional | **Type:** String **Description:** C# expression to apply on the target entity type of the context resource type. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/index.md
new file mode 100644
index 0000000000..d217686978
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/index.md
@@ -0,0 +1,8 @@
+---
+title: "Business Intelligence"
+description: "Business Intelligence"
+sidebar_position: 10
+---
+
+# Business Intelligence
+- [Universe](universe)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md
new file mode 100644
index 0000000000..d41238983c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md
@@ -0,0 +1,87 @@
+---
+title: "Universe"
+description: ""
+sidebar_position: 1
+---
+
+Universes constitute the basis for the configuration of a new model that we will call universe model. Users can then exploit it, through the Query module and/or Power BI, to generate graphic reports.
+
+
+## Examples
+##### Basic universe
+
+The following example builds a universe called `Universe1`:
+
+```xml
+
+
+
+
+
+
+
+
+```
+
+![Universe - Basic Example](/images/identitymanager/bi_universeexampledisplaynames.webp)
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (Display Names)](/images/identitymanager/universe_columnnamedisplayname.webp)
+
+##### Basic universe with identifiers instead of display names
+
+The following example builds a universe called `Universe1` with identifiers as labels instead of display names:
+
+```xml
+<Universe Identifier="Universe1" DisplayName_L1="Universe 1" ColumnNamesMode="Identifier" >
+
+ <EntityInstance Identifier="Directory_User" EntityType="Directory_User" DisplayName_L1="Users" />
+ <EntityInstance Identifier="Directory_UserRecord" EntityType="Directory_UserRecord" DisplayName_L1="UserRecords" />
+
+ <AssociationInstance Association="Directory_UserRecord_User_Records" Instance1="Directory_User" Instance2="Directory_UserRecord" Direction="From1To2" />
+
+ </Universe>
+```
+
+![Universe - Basic Example](/images/identitymanager/bi_universeexample.webp)
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (Identifiers)](/images/identitymanager/universe_columnnameidentifier.webp)
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ColumnNamesMode default value: DisplayName | **Type:** UniverseColumnNamesMode **Description:** Type of label to be displayed as the column names in Power
BI, for this universe. `0` - DisplayName: display name of entity instances. `1` - Identifier: identifier of entity instances. |
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the universe in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Identifier of the universe. |
+
+## Child Element: AssociationInstance
+An association instance represents, within a [universe](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence/universe), the occurrence in the model of an [entity association](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entityassociation).
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Association required | **Type:** Int64 **Description:** Identifier of the entity association, in Identity Manager's entity model, that corresponds to the association instance. |
+| Direction default value: 0 | **Type:** Direction **Description:** Direction of the association between the two entity instances. It must be the same direction as between the two entity types specified in these entity instances. `0` - Both directions. `1` - From the instance 1 to 2. `2` - From the instance 2 to 1. |
+| Instance1 required | **Type:** Int64 **Description:** Identifier of the entity instance number one. |
+| Instance2 required | **Type:** Int64 **Description:** Identifier of the entity instance number two. |
+
+## Child Element: EntityInstance
+An entity instance represents, within a [universe](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence/universe), the occurrence in the model of an [entity type](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype).
+
+### Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the entity instance in language 1 (up to 16).
|
+| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type, in Identity Manager's entity model, that corresponds to the entity instance. |
+| FilterEntityProperty optional | **Type:** Int64 **Description:** Entity property used as filter (FilterProperty must be a navigation property to EntityProperty) |
+| FilterEntityType optional | **Type:** Int64 **Description:** Entity type used as filter (FilterProperty must be a navigation property to EntityType) |
+| FilterProperty optional | **Type:** Int64 **Description:** Property used to filter entity type's instance. |
+| FilterResourceType optional | **Type:** Int64 **Description:** Resource type used as filter (FilterProperty must be a navigation property to ResourceType) |
+| FilterValue optional | **Type:** String **Description:** Constant value used as filter. |
+| Identifier required | **Type:** String **Description:** Identifier of the entity instance. |
+| IsHidden default value: false | **Type:** Boolean **Description:** `true` if the entity instance is to be hidden in Power BI. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/index.md
new file mode 100644
index 0000000000..e07cf56334
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/index.md
@@ -0,0 +1,8 @@
+---
+title: "Configuration"
+description: "Configuration"
+sidebar_position: 10
+---
+
+# Configuration
+- [Scaffoldings](scaffoldings)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md new file mode 100644 index 0000000000..9c29cf61ae --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md @@ -0,0 +1,181 @@ +--- +title: "AccessReviewAdministrationAccessControlRules" +description: "Generates the permissions to administrate campaign creation." +sidebar_position: 1 +--- + +Scaffolding to generate the rights to administrate campaign creation. + +Gives access to a shortcut on the dashboard to access this page. + +![Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md new file mode 100644 index 0000000000..b69a9a093f 
--- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md @@ -0,0 +1,10 @@ +--- +title: "Access Reviews" +description: "Access Reviews" +sidebar_position: 10 +--- + +# Access Reviews +- [AccessReviewAdministrationAccessControlRules](./accessreviewadministrationaccesscontrolrules) + +Generates the permissions to administrate campaign creation. diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol.md new file mode 100644 index 0000000000..398725bbdc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol.md @@ -0,0 +1,66 @@ +--- +title: "ConnectorResourceTypeAccessControl" +description: "Gives the rights to create and update resource types, generate provisioning orders and fulfill from the connector screen." +sidebar_position: 1 +--- + +Generates the access control rules which give to a profile the permission to create and update resource types, and launch generate provisioning orders and fulfillment from the connector screen. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md
new file mode 100644
index 0000000000..40bc70a1f5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md
@@ -0,0 +1,13 @@
+---
+title: "Connectors"
+description: "Connectors"
+sidebar_position: 10
+---
+
+# Connectors
+- [ConnectorResourceTypeAccessControl](./connectorresourcetypeaccesscontrol)
+
+Gives the rights to create and update resource types, generate provisioning orders and fulfill from the connector screen.
+- [SettingsAccessControlRules](./settingsaccesscontrolrules)
+
+Generates the permissions to configure the Workforce Core Solution module and connector settings.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules.md
new file mode 100644
index 0000000000..6b427a11a2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules.md
@@ -0,0 +1,45 @@
+---
+title: "SettingsAccessControlRules"
+description: "Generates the permissions to configure the Workforce Core Solution module and connector settings."
+sidebar_position: 2
+---
+
+Generates the permissions to configure the Workforce Core Solution module and connector settings.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md
new file mode 100644
index 0000000000..214e476454
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md
@@ -0,0 +1,18 @@
+---
+title: "Access Control Rules"
+description: "Access Control Rules"
+sidebar_position: 10
+---
+
+# Access Control Rules
+- [Access Reviews](./accessreviews)
+- [Connectors](./connectors)
+- [Jobs](./jobs)
+- [Monitoring](./monitoring)
+- [Profiles](./profiles)
+- [Queries](./queries)
+- [Resources](./resources)
+- [Role Models](./rolemodels)
+- [Simulations](./simulations)
+- [User Interfaces](./userinterfaces)
+- [Workflows](./workflows)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..4b1443c3ba
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules.md
@@ -0,0 +1,40 @@
+---
+title: "GetJobLogAdministrationAccessControlRules"
+description: "Generates the permissions to read task and job instances logs in UI for a given profile."
+sidebar_position: 1
+---
+
+This scaffolding creates, within a universe, entity instances and association instances based on a predefined template.
+
+The entity instances generated by the scaffolding will have:
+* as a display name, the display name of the corresponding navigation property, for example `Main Record`;
+* as an identifier, the identifier of the corresponding navigation which is made of `_`, for example `Directory_User_MainRecord`.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md
new file mode 100644
index 0000000000..a5edfcbe30
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md
@@ -0,0 +1,52 @@
+---
+title: "Jobs"
+description: "Jobs"
+sidebar_position: 10
+---
+
+# Jobs
+- [GetJobLogAdministrationAccessControlRules](./getjoblogadministrationaccesscontrolrules)
+
+Generates the permissions to read task and job instances logs in UI for a given profile.
+- [JobAdministrationAccessControlRules](./jobadministrationaccesscontrolrules)
+
+Scaffolding to access the job administration page.
+- [JobTaskAdministrationAccessControlRules](./jobtaskadministrationaccesscontrolrules)
+
+Generates all permissions for JobStep entity.
+- [PendingAssignedResourceTypesAccessControlRules](./pendingassignedresourcetypesaccesscontrolrules)
+
+Generates the access control rules which give to a profile the permissions to call the API Pending AssignedResourceTypes.
+- [ProvisioningAccessControlRules](./provisioningaccesscontrolrules)
+
+Generates the execution rights for Provisioning and Fulfillment tasks for a given profile.
+- [ResourceChangesViewAccessControlRules](./resourcechangesviewaccesscontrolrules)
+
+Generates the access control rules which gives to a profile the permissions to call the API ResourceChange, ResourceFileChange and ResourceLinkChange.
+- [ResourceTypeMappingControlRules](./resourcetypemappingcontrolrules)
+
+Generate rights to launch agent fulfillment.
+- [RunJobAdministrationAccessControlRules](./runjobadministrationaccesscontrolrules)
+
+Generates the permissions to launch jobs from UI for a given profile.
+- [RunJobNotificationAccessControlRules](./runjobnotificationaccesscontrolrules)
+
+Generates access control to send notification when job finish with an error state.
+- [RunJobRepairAdministrationAccessControlRules](./runjobrepairadministrationaccesscontrolrules)
+
+Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or a synchronization for a given profile.
+- [RunJobRepairNotificationAccessControlRules](./runjobrepairnotificationaccesscontrolrules)
+
+Generates access control to send notification when a relaunch job finish with an error state.
+- [SynchronizationAccessControlRules](./synchronizationaccesscontrolrules)
+
+Generates rights to launch synchronization task.
+- [TaskAdministrationAccessControlRules](./taskadministrationaccesscontrolrules)
+
+Generates all rights to have the access to job administration page.
+- [TaskInstanceAdministrationAccessControlRules](./taskinstanceadministrationaccesscontrolrules)
+
+Generates access control to update the task instances.
+- [WorkflowFulfillmentControlRules](./workflowfulfillmentcontrolrules)
+
+Generates the execution rights to launch Fulfillment workflow for a given profile.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..c148f88daa
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md
@@ -0,0 +1,39 @@
+---
+title: "JobAdministrationAccessControlRules"
+description: "Scaffolding to access the job administration page."
+sidebar_position: 2
+---
+
+Scaffolding to access the job administration page. This page is accessible from the administration part in dashboard of the user interface.
+
+![Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..38346dc278
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules.md
@@ -0,0 +1,15 @@
+---
+title: "JobTaskAdministrationAccessControlRules"
+description: "Generates all permissions for JobStep entity."
+sidebar_position: 3
+---
+
+Generates all permissions for JobStep entity.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules.md new file mode 100644 index 0000000000..29615942b0 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules.md @@ -0,0 +1,144 @@ +--- +title: "PendingAssignedResourceTypesAccessControlRules" +description: "Generates the access control rules which give to a profile the permissions to call the API Pending AssignedResourceTypes." +sidebar_position: 4 +--- + +Generates the access control rules which give to a profile the permissions to call the API Pending AssignedResourceTypes. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules.md new file mode 100644 index 0000000000..e04243875a --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules.md
@@ -0,0 +1,52 @@
+---
+title: "ProvisioningAccessControlRules"
+description: "Generates the execution rights for Provisioning and Fulfillment tasks for a given profile."
+sidebar_position: 5
+---
+
+This scaffolding creates, within a universe, entity instances and association instances based on a predefined template.
+
+The entity instances generated by the scaffolding will have:
+* as a display name, the display name of the corresponding navigation property, for example `Main Record`;
+* as an identifier, the identifier of the corresponding navigation which is made of `_`, for example `Directory_User_MainRecord`.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules.md
new file mode 100644
index 0000000000..863f5ee5b5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules.md
@@ -0,0 +1,264 @@ +--- +title: "ResourceChangesViewAccessControlRules" +description: "Generates the access control rules which gives to a profile the permissions to call the API ResourceChange, ResourceFileChange and ResourceLinkChange." +sidebar_position: 6 +--- + +Generates the access control rules which gives to a profile the permissions to call the API `ResourceChange`, `ResourceFileChange` and `ResourceLinkChange`. + +Data from `UR_ResourceChanges`, `UR_ResourceFileChanges` and `UR_ResourceLinkChanges` tables can be retrieved by these APIs. + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules.md new file mode 100644 index 0000000000..b5e66ca773 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules.md 
@@ -0,0 +1,36 @@
+---
+title: "ResourceTypeMappingControlRules"
+description: "Generate rights to launch agent fulfillment."
+sidebar_position: 7
+---
+
+Scaffolding to create the right for a profile to start the Fulfillment to an external system (LDAP, MicrosoftEntraID...). This right corresponds to the permission to use ResourceTypeMapping elements (`/Connectors/FulfillLDAP`).
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..2bc2a08950
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules.md
@@ -0,0 +1,38 @@
+---
+title: "RunJobAdministrationAccessControlRules"
+description: "Generates the permissions to launch jobs from UI for a given profile."
+sidebar_position: 8
+---
+
+Generates the rights to launch from UI jobs that are in state blocked after a Provisioning or a synchronization for a given profile.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules.md
new file mode 100644
index 0000000000..50fb7dc2ec
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules.md
@@ -0,0 +1,36 @@
+---
+title: "RunJobNotificationAccessControlRules"
+description: "Generates access control to send notification when job finish with an error state."
+sidebar_position: 9
+---
+
+Generates access control to send notification when job finish with an error state.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..3b6e9043fc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules.md
@@ -0,0 +1,35 @@
+---
+title: "RunJobRepairAdministrationAccessControlRules"
+description: "Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or a synchronization for a given profile."
+sidebar_position: 10
+---
+
+Generates the rights to read task and job instances logs in UI for a given profile.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules.md
new file mode 100644
index 0000000000..5d17bd07a6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules.md
@@ -0,0 +1,36 @@
+---
+title: "RunJobRepairNotificationAccessControlRules"
+description: "Generates access control to send notification when a relaunch job finish with an error state."
+sidebar_position: 11
+---
+
+Generates access control to send notification when a relaunch job finish with an error state.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules.md
new file mode 100644
index 0000000000..a1f3e9e851
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules.md
@@ -0,0 +1,41 @@
+---
+title: "SynchronizationAccessControlRules"
+description: "Generates rights to launch synchronization task."
+sidebar_position: 12
+---
+
+Generates the execution rights for Prepare-Synchronization and synchronization tasks for a given profile.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..6a0c3c21ce
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules.md
@@ -0,0 +1,69 @@ +--- +title: "TaskAdministrationAccessControlRules" +description: "Generates all rights to have the access to job administration page." +sidebar_position: 13 +--- + +Generates all rights to have the access to job administration page. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules.md new file mode 100644 index 0000000000..e7f7adddd1 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules.md @@ -0,0 +1,15 @@ +--- +title: "TaskInstanceAdministrationAccessControlRules" +description: "Generates access control to update the task instances." +sidebar_position: 14 +--- + +Generates access control to update the task instances. + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules.md
new file mode 100644
index 0000000000..ed58c6d72f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules.md
@@ -0,0 +1,38 @@
+---
+title: "WorkflowFulfillmentControlRules"
+description: "Generates the execution rights to launch Fulfillment workflow for a given profile."
+sidebar_position: 15
+---
+
+Generates the execution rights to launch Fulfillment workflow for a given profile.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md
new file mode 100644
index 0000000000..256851942e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md
@@ -0,0 +1,10 @@
+---
+title: "Monitoring"
+description: "Monitoring"
+sidebar_position: 10
+---
+
+# Monitoring
+- [MonitoringAdministrationAccessControlRules](./monitoringadministrationaccesscontrolrules)
+
+Generates the access control rule which gives to a profile the permission to query the monitoring screen.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..27ff1470ae
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules.md
@@ -0,0 +1,36 @@
+---
+title: "MonitoringAdministrationAccessControlRules"
+description: "Generates the access control rule which gives to a profile the permission to query the monitoring screen."
+sidebar_position: 1
+---
+
+Generates the access control rule which gives to a profile the permission to query the monitoring screen.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md
new file mode 100644
index 0000000000..8c6531906b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md
@@ -0,0 +1,95 @@ +--- +title: "AssignProfileAccessControlRules" +description: "Gives to a given profile the rights to create, update, delete and query any assigned profile." +sidebar_position: 1 +--- + +Gives to a given profile the rights to create, update, delete and query any assigned profile, from the **Assigned Profiles** screen. + +![Assigned Profiles](/images/identitymanager/home_assignedprofiles_v602.webp) + + + +## Examples +The following example gives to the `Administrator` profile the rights to create, update, delete and query assigned profiles. + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md new file mode 100644 index 0000000000..e13915103d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md 
@@ -0,0 +1,16 @@
+---
+title: "Profiles"
+description: "Profiles"
+sidebar_position: 10
+---
+
+# Profiles
+- [AssignProfileAccessControlRules](./assignprofileaccesscontrolrules)
+
+Gives to a given profile the rights to create, update, delete and query any assigned profile.
+- [OpenIdClientAdministrationAccessControlRules](./openidclientadministrationaccesscontrolrules)
+
+
+- [ProfileAdministrationAccessControlRules](./profileadministrationaccesscontrolrules)
+
+Gives to a given profile the rights to create, update and delete profiles.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..1ea9fa8e4d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules.md
@@ -0,0 +1,15 @@
+---
+title: "OpenIdClientAdministrationAccessControlRules"
+description: " "
+sidebar_position: 2
+---
+
+
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md
new file mode 100644
index 0000000000..117c8a6d6a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md
@@ -0,0 +1,46 @@
+---
+title: "ProfileAdministrationAccessControlRules"
+description: "Gives to a given profile the rights to create, update and delete profiles."
+sidebar_position: 3
+---
+
+Gives to a given profile the rights to create, update and delete profiles.
+
+Profiles are listed on the **Profiles** screen, from **Settings** in the **Configuration** section.
+
+![Settings](/images/identitymanager/home_settings_v523.webp)
+
+![Profiles](/images/identitymanager/AccessControl_Profiles_V603.webp)
+
+[See more details on profiles' APIs](/docs/identitymanager/current/integration-guide/api/server/accesscontrol).
+
+
+
+## Examples
+The following example gives to the `Administrator` profile the rights to create, update and delete profiles.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md
new file mode 100644
index 0000000000..04e2e9c61c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md
@@ -0,0 +1,19 @@
+---
+title: "Queries"
+description: "Queries"
+sidebar_position: 10
+---
+
+# Queries
+- [ManageSettingAccessControlRule](./managesettingaccesscontrolrule)
+
+Generates the access control rule which gives to a profile the permission to query, create, update and delete settings from the UM_Settings table.
+- [ReportAccessControlRules](./reportaccesscontrolrules)
+
+Generates the permissions to access the report view.
+- [TargetResourceReportAccessControlRules](./targetresourcereportaccesscontrolrules)
+
+Generates the permissions to apply a report for a profile on a given entity.
+- [UniverseAccessControlRules](./universeaccesscontrolrules)
+
+Generates an access control rule which gives a profile the permission to access the query page and run queries.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule.md
new file mode 100644
index 0000000000..bac93cd8b2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule.md
@@ -0,0 +1,15 @@
+---
+title: "ManageSettingAccessControlRule"
+description: "Generates the access control rule which gives to a profile the permission to query, create, update and delete settings from the UM_Settings table."
+sidebar_position: 1
+---
+
+Generates the access control rule which gives to a profile the permission to query, create, update and delete settings from the UM_Settings table.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md
new file mode 100644
index 0000000000..8cfac39c41
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md
@@ -0,0 +1,40 @@
+---
+title: "ReportAccessControlRules"
+description: "Generates the permissions to access the report view."
+sidebar_position: 2
+---
+
+Generates the rights to access the report view.
+
+Gives access to a shortcut on the navigation to access this page.
+
+![Reports](/images/identitymanager/home_reports_v602.webp)
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules.md
new file mode 100644
index 0000000000..ae4d3c7935
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules.md
@@ -0,0 +1,42 @@
+---
+title: "TargetResourceReportAccessControlRules"
+description: "Generates the permissions to apply a report for a profile on a given entity."
+sidebar_position: 3
+---
+
+Generates the right to apply a report for a profile on a given entity.
+
+:::warning
+The existence of a report for this entity must exist in order to use this scaffolding.
+A scaffolding allows to generate a default report for an entity: [Entity reports](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus)
+:::
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules.md
new file mode 100644
index 0000000000..5cf14c0f7b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules.md
@@ -0,0 +1,36 @@
+---
+title: "UniverseAccessControlRules"
+description: "Generates an access control rule which gives a profile the permission to access the query page and run queries."
+sidebar_position: 4
+---
+
+Generates an access control rule which gives a profile the permission to access the query page and run queries.
+
+
+
+## Examples
+The following example gives the permission to access the query page to the administrator profile.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules.md
new file mode 100644
index 0000000000..962e6ce37f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules.md
@@ -0,0 +1,36 @@
+---
+title: "CreateResourceIncrementalAccessControlRules"
+description: "Generates the access control rule which gives to a profile the permission to query the resources modified incrementally"
+sidebar_position: 1
+---
+
+Generates the access control rule which gives to a profile the permission to query the resources modified incrementally
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md
new file mode 100644
index 0000000000..253cff18c6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md
@@ -0,0 +1,22 @@
+---
+title: "Resources"
+description: "Resources"
+sidebar_position: 10
+---
+
+# Resources
+- [CreateResourceIncrementalAccessControlRules](./createresourceincrementalaccesscontrolrules)
+
+Generates the access control rule which gives to a profile the permission to query the resources modified incrementally
+- [ResourceApiAdministration](./resourceapiadministration)
+
+Generates the permissions to create/update/delete/query resources from a given entity type, for a given profile.
+- [ResourcePickerControlRules](./resourcepickercontrolrules)
+
+Creates the reading right of the resource picker.
+- [ViewAccessControlRules](./viewaccesscontrolrules)
+
+Generates the permissions to view an entity type's resources.
+- [ViewHistoryResourceTemplate](./viewhistoryresourcetemplate)
+
+Generates an access control rule giving to the specified profile the permission to browse the resources history of the specified entity type.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration.md
new file mode 100644
index 0000000000..ca4f375706
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration.md
@@ -0,0 +1,40 @@
+---
+title: "ResourceApiAdministration"
+description: "Generates the permissions to create/update/delete/query resources from a given entity type, for a given profile."
+sidebar_position: 2
+---
+
+Generates the permissions to create/update/delete/query resources from a given entity type, for a given profile.
+
+
+
+## Examples
+The following example gives the `Administrator` profile the rights to create, update, delete and query resources from `Directory_User`.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules.md
new file mode 100644
index 0000000000..50c21488f9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules.md
@@ -0,0 +1,36 @@
+---
+title: "ResourcePickerControlRules"
+description: "Creates the reading right of the resource picker."
+sidebar_position: 3
+---
+
+Creates the reading right of the resource picker.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules.md
new file mode 100644
index 0000000000..b904063d47
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules.md
@@ -0,0 +1,68 @@ +--- +title: "ViewAccessControlRules" +description: "Generates the permissions to view an entity type's resources." +sidebar_position: 4 +--- + +Generates the permissions to view an entity type's resources. + + +## Examples +The following example gives to the `Administrator` profile the permissions to access the page that displays the resources of the `Directory_UserType` entity type, as well as its source resources. + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate.md new file mode 100644 index 0000000000..e67bc8ded5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate.md 
@@ -0,0 +1,37 @@
+---
+title: "ViewHistoryResourceTemplate"
+description: "Generates an access control rule giving to the specified profile the permission to browse the resources history of the specified entity type."
+sidebar_position: 5
+---
+
+Generates an access control rule giving to the specified profile the permission to browse the resources history of the specified entity type.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/assignedrolesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/assignedrolesaccesscontrolrules.md
new file mode 100644
index 0000000000..b5d7028074
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/assignedrolesaccesscontrolrules.md
@@ -0,0 +1,46 @@
+---
+title: "AssignedRolesAccessControlRules"
+description: "Generates the permissions to access the assigned roles page for a given entity type and profile."
+sidebar_position: 1
+---
+
+Generates the rights to access the assigned roles page for a given entity type and profile.
+
+Gives access to a shortcut on the dashboard to access this page.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules.md
new file mode 100644
index 0000000000..306aba3e0a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules.md
@@ -0,0 +1,69 @@ +--- +title: "BasketRulesControlRules" +description: "Generates the permissions to execute the different requests to display the information in the rights basket." +sidebar_position: 2 +--- + +Generates the permissions to execute the different requests to display the information in the rights basket. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules.md new file mode 100644 index 0000000000..9ead3520d9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules.md 
@@ -0,0 +1,41 @@
+---
+title: "BulkPerformManualProvisioningAccessControlRules"
+description: "Generates the permissions to perform bulk validations on the **Perform Manual Provisioning** page."
+sidebar_position: 3
+---
+
+
+The following example assigns permissions to the `Administrator` profile, allowing the simultaneous review of multiple manual provisioning items for the `Directory_User` entity type.
+
+```xml
+
+```
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Perform Manual Provisioning Access Control Rules](../../accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules)
+
+Generates the permissions to access the manual provisioning pages for a given entity type and profile.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules.md
new file mode 100644
index 0000000000..82809e3ba0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules.md
@@ -0,0 +1,41 @@
+---
+title: "BulkResourceReconciliationAccessControlRules"
+description: "Generates the permissions to perform bulk validations on the **Resource Reconciliation** page."
+sidebar_position: 4
+---
+
+
+The following example assigns to the `Administrator` profile the rights to reconcile simultaneously several resources from the `Directory_User` entity type.
+
+```xml
+
+```
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Reconciliate Resources Access Control Rules](../../accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules)
+
+Generates the permissions to access the resource reconciliation pages for a given entity type and profile.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules.md
new file mode 100644
index 0000000000..18f6045c18
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules.md
@@ -0,0 +1,41 @@
+---
+title: "BulkReviewProvisioningAccessControlRules"
+description: "Generates the permissions to perform bulk validations on the **Provisioning Review** page (only for errored orders)."
+sidebar_position: 5
+---
+
+
+The following example assigns permissions to the `Administrator` profile, allowing the simultaneous review of multiple pending provisioning orders for the `Directory_User` entity type.
+
+```xml
+
+```
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Review Provisioning Access Control Rules](../../accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules)
+
+Generates the permissions to access the provisioning review pages for a given entity type and profile.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules.md
new file mode 100644
index 0000000000..66eb56fb0f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules.md
@@ -0,0 +1,22 @@
+---
+title: "BulkRoleReconciliationAccessControlRules"
+description: "Generates the permissions to perform bulk validations on the **Role Reconciliation** page."
+sidebar_position: 6
+---
+
+Generates the permissions to perform bulk validations on the **Role Reconciliation** page.
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Reconciliate Roles Access Control Rules](../../accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules)
+
+Generates the permissions to access the role reconciliation pages for a given entity type and profile.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md
new file mode 100644
index 0000000000..928ead9fe2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md
@@ -0,0 +1,20 @@
+---
+title: "GovernanceRolesAccessControlRules"
+description: "Generates the permissions to access the governance review pages for a given entity type and profile."
+sidebar_position: 7
+---
+
+Generates the rights to access the role review pages for a given entity type and profile.
+
+Gives access to a shortcut on the dashboard to access this page.
+
+![Role Review](/images/identitymanager/home_rolereview_v523.webp)
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md
new file mode 100644
index 0000000000..72c5c4dcdc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md
@@ -0,0 +1,55 @@
+---
+title: "Role Models"
+description: "Role Models"
+sidebar_position: 10
+---
+
+# Role Models
+- [AssignedRolesAccessControlRules](./assignedrolesaccesscontrolrules)
+
+Generates the permissions to access the assigned roles page for a given entity type and profile.
+- [BasketRulesControlRules](./basketrulescontrolrules)
+
+Generates the permissions to execute the different requests to display the information in the rights basket.
+- [BulkPerformManualProvisioningAccessControlRules](./bulkperformmanualprovisioningaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Perform Manual Provisioning** page.
+- [BulkResourceReconciliationAccessControlRules](./bulkresourcereconciliationaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Resource Reconciliation** page.
+- [BulkReviewProvisioningAccessControlRules](./bulkreviewprovisioningaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Provisioning Review** page (only for errored orders).
+- [BulkRoleReconciliationAccessControlRules](./bulkrolereconciliationaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Role Reconciliation** page.
+- [GovernanceRolesAccessControlRules](./governancerolesaccesscontrolrules)
+
+Generates the permissions to access the governance review pages for a given entity type and profile.
+- [PerformManualProvisioningAccessControlRules](./performmanualprovisioningaccesscontrolrules)
+
+Generates the permissions to access the manual provisioning pages for a given entity type and profile.
+- [ReconciliateResourcesAccessControlRules](./reconciliateresourcesaccesscontrolrules)
+
+Generates the permissions to access the resource reconciliation pages for a given entity type and profile.
+- [ReconciliateRolesAccessControlRules](./reconciliaterolesaccesscontrolrules)
+
+Generates the permissions to access the role reconciliation pages for a given entity type and profile.
+- [RedundantAssignmentAccessControlRule](./redundantassignmentaccesscontrolrule)
+
+Generates the permissions to access the **Redundant Assignment** page, to analyze and remove redundant assignments.
+- [ReviewProvisioningAccessControlRules](./reviewprovisioningaccesscontrolrules)
+
+Generates the permissions to access the provisioning review pages for a given entity type and profile.
+- [ReviewRolesAccessControlRules](./reviewrolesaccesscontrolrules)
+
+Generates the permissions to access the role review pages for a given entity type and profile.
+- [RisksAdministrationAccessControlRules](./risksadministrationaccesscontrolrules)
+
+
+- [RoleAdministrationAccessControlRules](./roleadministrationaccesscontrolrules)
+
+Generates the permissions to access the configuration pages and create, update, delete the elements of the role model.
+- [RoleNamingAccessControlRules](./rolenamingaccesscontrolrules)
+
+Generates the permissions to configure and launch the automatic creation of roles and rules based on naming conventions.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md
new file mode 100644
index 0000000000..f147bf9c3f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md
@@ -0,0 +1,78 @@ +--- +title: "PerformManualProvisioningAccessControlRules" +description: "Generates the permissions to access the manual provisioning pages for a given entity type and profile." +sidebar_position: 8 +--- + +Generates the rights to access the access manual provisioning pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp) + +:::warning +The connector connected to the entity type must have the manual type as the provisioning type, otherwise the information of the entity type cannot be displayed on this screen. +::: + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md new file mode 100644 index 0000000000..246a2b674c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md 
@@ -0,0 +1,107 @@ +--- +title: "ReconciliateResourcesAccessControlRules" +description: "Generates the permissions to access the resource reconciliation pages for a given entity type and profile." +sidebar_position: 9 +--- + +Generates the right to access the reconcile resources pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the EntityType to be filled in the Scaffolding. + +![Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md new file mode 100644 index 0000000000..b25b65b863 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md 
@@ -0,0 +1,70 @@ +--- +title: "ReconciliateRolesAccessControlRules" +description: "Generates the permissions to access the role reconciliation pages for a given entity type and profile." +sidebar_position: 10 +--- + +Generates the rights to access the access reconcile roles pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Reconciliation](/images/identitymanager/home_rolereconciliation_v523.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md new file mode 100644 index 0000000000..a489166ad9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md 
@@ -0,0 +1,39 @@
+---
+title: "RedundantAssignmentAccessControlRule"
+description: "Generates the permissions to access the **Redundant Assignment** page, to analyze and remove redundant assignments."
+sidebar_position: 11
+---
+
+Generates the permissions to access the **Redundant Assignment** page, to analyze and remove redundant assignments.
+
+Gives access to a shortcut on the dashboard to access this page.
+
+![Redundant Assignments](/images/identitymanager/home_redundantassignments_v602.webp)
+
+
+
+## Examples
+The following example gives to the `Administrator` profile the permissions to access the **Redundant Assignment** page and perform redundant-assignment related actions.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md
new file mode 100644
index 0000000000..e948707db2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md
@@ -0,0 +1,107 @@ +--- +title: "ReviewProvisioningAccessControlRules" +description: "Generates the permissions to access the provisioning review pages for a given entity type and profile." +sidebar_position: 12 +--- + +Generates the right to access the review provisioning pages for a given entity type and profile. +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the EntityType to be filled in the Scaffolding. + +Gives access to a shortcut on the dashboard to access this page. + +![Provisioning Review](/images/identitymanager/home_provisioningreview_v523.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md new file mode 100644 index 0000000000..d21cc923e9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md 
@@ -0,0 +1,67 @@ +--- +title: "ReviewRolesAccessControlRules" +description: "Generates the permissions to access the role review pages for a given entity type and profile." +sidebar_position: 13 +--- + +Generates the rights to access the access roles review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/images/identitymanager/home_rolereview_v523.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules.md new file mode 100644 index 0000000000..2f0e361c3e --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules.md 
@@ -0,0 +1,67 @@ +--- +title: "RisksAdministrationAccessControlRules" +description: " " +sidebar_position: 14 +--- + + + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md new file mode 100644 index 0000000000..f949beb970 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md 
@@ -0,0 +1,545 @@ +--- +title: "RoleAdministrationAccessControlRules" +description: "Generates the permissions to access the configuration pages and create, update, delete the elements of the role model." +sidebar_position: 15 +--- + +Generates the rights to access the access configuration pages and create, update, delete for: + +- Policies +- ResourceTypes +- SingleRoles +- CompositeRoles +- ResourceNavigationRules +- ResourceScalarRule +- ResourceCorrelationRule +- CompositeRoleRule +- ResourceTypeRule +- SingleRoleRule +- ContextRule +- Categories + +Gives access to a shortcut on the dashboard to access this page. + +![Configuration Section](/images/identitymanager/home_configuration_v603.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No 
newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules.md new file mode 100644 index 0000000000..0fb9ee855f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules.md @@ -0,0 +1,59 @@ +--- +title: "RoleNamingAccessControlRules" +description: "Generates the permissions to configure and launch the automatic creation of roles and rules based on naming conventions." +sidebar_position: 16 +--- + +Generates the permissions to configure and launch the automatic creation of roles and rules based on naming conventions. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md new file mode 100644 index 0000000000..d717e6c708 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md 
@@ -0,0 +1,13 @@ +--- +title: "Simulations" +description: "Simulations" +sidebar_position: 10 +--- + +# Simulations +- [PolicySimulationControlRules](./policysimulationcontrolrules) + + +- [RoleAndSimulationControlRules](./roleandsimulationcontrolrules) + + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules.md new file mode 100644 index 0000000000..6faf2d338b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules.md @@ -0,0 +1,110 @@ +--- +title: "PolicySimulationControlRules" +description: " " +sidebar_position: 1 +--- + + + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules.md new file mode 100644 index 0000000000..5d8cfb2754 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules.md 
@@ -0,0 +1,131 @@ +--- +title: "RoleAndSimulationControlRules" +description: " " +sidebar_position: 2 +--- + + + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md new file mode 100644 index 0000000000..5666f66ef7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md @@ -0,0 +1,13 @@ +--- +title: "User Interfaces" +description: "User Interfaces" +sidebar_position: 10 +--- + +# User Interfaces +- [ManageAccounts](./manageaccounts) + + +- [SearchBarPageAccessControl](./searchbarpageaccesscontrol) + +Gives access rights to the different navigation elements of the SearchBars of the pages of the role model. diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md new file mode 100644 index 0000000000..c6b698e3ae --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md
@@ -0,0 +1,52 @@
+---
+title: "ManageAccounts"
+description: " "
+sidebar_position: 1
+---
+
+Gives access to the **Manage Accounts** buttons for the users of a given entity type.
+
+![ManageAccounts Button](/images/identitymanager/accesscontrol_manageaccounts_v603.webp)
+
+:::note
+The scaffolding gives access to the button, but you need to get the permissions on said accounts in order to see anything once you click on the button.
+:::
+
+
+
+## Examples
+The following example gives the `Administrator` profile access to the **Manage Accounts** button for users from `Directory_User`.
+
+```xml
+
+
+In order to see AD accounts once clicking on the button:
+
+
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol.md
new file mode 100644
index 0000000000..5755420d1f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol.md
@@ -0,0 +1,29 @@
+---
+title: "SearchBarPageAccessControl"
+description: "Gives access rights to the different navigation elements of the SearchBars of the pages of the role model."
+sidebar_position: 2
+---
+
+The Scaffolding giving access to the different views of the pages of the role model do not give access rights to the different navigation elements of the SearchBars of these pages.
+This Scaffolding allows you to give these rights per page, profile and EntityType.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Child Elements
+* [SearchBarPage](#searchbarpage) (optional) Adds right for a search bar in a specific page
+
+### SearchBarPage
+
+
+|Property|Details|
+|---|---|
+| SearchBarPage default value: None | **Type:** SearchBarPageType **Description:** For the scaffolding arguments `SearchBarPage` and `SearchBarPageAccessControl`, location of the search bar.`0` - None.`1` - ReviewRoles.`2` - ReconciliateRoles.`3` - ReviewProvisioning.`4` - PerformManualProvisioning.`5` - ReconciliateResources.`6` - WorkflowOverview. |
+
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules.md
new file mode 100644
index 0000000000..1bfca3b66d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules.md
@@ -0,0 +1,53 @@ +--- +title: "CreateUpdateDeleteAccessControlRules" +description: "Generates execution rights for the create, update, delete workflows." +sidebar_position: 1 +--- + +Generates execution rights for the create, update, delete workflows. + +:::warning +Some prerequisites are necessary to be able to launch this scaffolding. +A entity type must be created with the following naming convention: "Worfklow_" + idenfitier type entity. +Three workflows must be created with the following names: + - entity type identifier + "_Create"; + - entity type identifier + "_Update"; + - entity type identifier + "_Delete"; +::: + +The scaffolding generates the following scaffoldings: + +- [View Access Control Rules](../../accesscontrolrules/resources/viewaccesscontrolrules) + +Generates the permissions to view an entity type's resources. + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md new file mode 100644 index 0000000000..87d6f9e4e9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md 
@@ -0,0 +1,25 @@
+---
+title: "Workflows"
+description: "Workflows"
+sidebar_position: 10
+---
+
+# Workflows
+- [CreateUpdateDeleteAccessControlRules](./createupdatedeleteaccesscontrolrules)
+
+Generates execution rights for the create, update, delete workflows.
+- [UpdateResourcesAccessControlRules](./updateresourcesaccesscontrolrules)
+
+
+- [WorkflowAccessControlRules](./workflowaccesscontrolrules)
+
+Generates the permissions to access the task page and visualize the workflows to be executed for a given entity type and profile.
+- [WorkflowAspect](./workflowaspect)
+
+
+- [WorkflowConfigurationControlRules](./workflowconfigurationcontrolrules)
+
+
+- [WorkflowOverviewControlRules](./workflowoverviewcontrolrules)
+
+Generates the permissions to access the workflow supervision page.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules.md
new file mode 100644
index 0000000000..9f7f1d6a74
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules.md
@@ -0,0 +1,37 @@
+---
+title: "UpdateResourcesAccessControlRules"
+description: " "
+sidebar_position: 2
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md new file mode 100644 index 0000000000..a43cff2805 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md @@ -0,0 +1,114 @@ +--- +title: "WorkflowAccessControlRules" +description: "Generates the permissions to access the task page and visualize the workflows to be executed for a given entity type and profile." +sidebar_position: 3 +--- + +Generates the rights to access the task page and visualize the different workflows to be executed for a given entity type and profile. + +Gives access to a shortcut on the dashboard and on the top bar to access this page. + +Top bar shortcut: ![Tasks in Top Bar](/images/identitymanager/home_topbar_v601.webp) + +DashBoard shortcut: ![](/images/identitymanager/home_topbar_v601.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaspect.md
new file mode 100644
index 0000000000..4f509ef9a0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaspect.md
@@ -0,0 +1,36 @@
+---
+title: "WorkflowAspect"
+description: " "
+sidebar_position: 4
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules.md
new file mode 100644
index 0000000000..68d3efae5a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules.md
@@ -0,0 +1,38 @@
+---
+title: "WorkflowConfigurationControlRules"
+description: " "
+sidebar_position: 5
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md new file mode 100644 index 0000000000..d195a980f7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md @@ -0,0 +1,85 @@ +--- +title: "WorkflowOverviewControlRules" +description: "Generates the permissions to access the workflow supervision page." +sidebar_position: 6 +--- + +Generates the rights to access the workflow supervision page. + +Gives access to a shortcut on the dashboard to access this page. + +![Workflow Overview](/images/identitymanager/home_workflowoverview_v602.webp) + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md new file mode 100644 index 0000000000..2b0cbbc4a4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md 
@@ -0,0 +1,111 @@ +--- +title: "ConnectorMappings" +description: "Generates the mapping of an entity in a given connector." +sidebar_position: 1 +--- + +This scaffolding allows the user to generate the mapping of an entity in a given connector. + +The identifiers of the connector and the entity type must be provided to the scaffolding through the attributes `Connector` and `EntityType` to make the link between these two elements and create the mapping. +This scaffolding needs to have an argument to know the location of the file to be retrieved during the collection. This file must be a CSV file with "Command" as the first column and then the rest of the columns for scalar and mono-navigation properties. This file must be named after the entity type. If there are multi-valued navigation properties, it is necessary to create a file with "Command" as first property and the key of the two entities to link. This file must be named after the identifier of the starting entity type + "_" + the identifier of the navigation property. + +If you are using a CSV connector with files in incremental mode, you must specify the attribute `IsIncremental` to `true`. + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connector required | **Type:** String **Description:** Identifier of the connector involved in the job to be generated. | +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| IsIncremental optional | **Type:** Boolean **Description:** `true` to perform an incremental synchronization. | +| Package optional | **Type:** ConnectionPackage **Description:** For a `ConnectorMappings` scaffolding, identifier of the package for the connection to be generated. | + + + +## Child Elements +* [ExcludedProperty](#excludedproperty) (optional) to ignore a given property of the specified entity type. 
+* [MappingPath](#mappingpath) (optional) Define the path for csv EntityType mapping + +### ExcludedProperty + + +|Property|Details| +|---|---| +| Property required | **Type:** String **Description:** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. | + + + +:::info +A scaffolding does not use filters, but a part of the entity model can be excluded with the `ExcludedProperty` argument. +::: + +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, like our U1 but without the `Guests` property: + +```xml + + + + +``` + +When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: +![Universe (ExcludedProperty)](/images/identitymanager/universe_excluded.webp) + +### MappingPath + + +|Property|Details| +|---|---| +| IsIncremental default value: false | **Type:** Boolean **Description:** Defines if the CSV connector files uses the incremental mode | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname.md new file mode 100644 index 0000000000..27c8e3139c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname.md 
@@ -0,0 +1,43 @@
+---
+title: "EntityTypeDisplayName"
+description: "Computes a default value for resources' internal display names."
+sidebar_position: 2
+---
+
+Creates a default expression to compute the display names of an entity type's resources.
+
+
+## Examples
+The following example assigns a default display name to each resource in `Directory_Country`, when no display name is defined.
+
+```xml
+
+```
+
+### Property
+
+The following example assigns the `DisplayName` property as a default display name to each resource in `Directory_Country`, when no display name is defined.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Property optional | **Type:** String **Description:** Property of the specified entity type, that will be used as display name for the entity type's resources.**Note:** when not specified, the display name is the first string property of the entity type that contains "name" (case insensitively), in ascending order of `TargetColumnIndex`.When there is no such property, the display name is the first string property of the entity type that is a key property, i.e. `isKey` set to `true`.When there is no key property either, the display name is the first property of the entity type. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable.md
new file mode 100644
index 0000000000..36829fbc2a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable.md
@@ -0,0 +1,41 @@
+---
+title: "EntityTypeDisplayTable"
+description: "Creates a display table for the given entity."
+sidebar_position: 3
+---
+
+Displays all resources of a given entity type in a table.
+
+:::note
+When the entity type contains fewer than 4 scalar properties, all properties will be displayed in the table. Otherwise, the only scalar property displayed in the table is the internal display name.
+:::
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable.md
new file mode 100644
index 0000000000..2bb6619a13
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable.md
@@ -0,0 +1,41 @@
+---
+title: "EntityTypeDisplayTableAdaptable"
+description: "Creates an adaptable display table for a given entity type."
+sidebar_position: 4
+---
+
+Displays all resources of a given entity type in an adaptable table.
+
+:::note
+When the entity type contains fewer than 4 scalar properties, all properties will be displayed in the table. Otherwise, the only scalar property displayed in the table is the internal display name.
+:::
+
+
+
+## Examples
+The following example displays the resources of the `Directory_Country` entity type in an adaptable table.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable.md
new file mode 100644
index 0000000000..c0cf7c7b69
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable.md
@@ -0,0 +1,36 @@
+---
+title: "EntityTypeDisplayTargetResourceTable"
+description: "Creates a displaytable for the given entity."
+sidebar_position: 5
+---
+
+Creates a displaytable for the given entity. If there are less than 4 scalar properties, the scaffolding adds all the properties in the table otherwise there is only the internaldisplayname. The design element for this displaytable is resourcetable.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem.md
new file mode 100644
index 0000000000..f1c1edac37
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem.md
@@ -0,0 +1,39 @@
+---
+title: "EntityTypeMenuItem"
+description: "Creates a menu item for the entity type, and for its connector if the entity type has an entity type mapping."
+sidebar_position: 6
+---
+
+Creates a menu item for the entity type, and for its connector if the entity type has an entity type mapping.
+
+You can create menu items this way in the menu items `Nav`, `Top` and `Dashboard`.
+
+When choosing `Nav`, it creates the connector's menu item under the `Nav_Connectors` menu item if you have it, otherwise it creates the connector's menu item under `Nav`.
+When choosing `Top`, no menu item is created for the entity type's connector.
+
+:::warning
+If the entity type already has a menu item in the given section (`Nav`, `Top` or `Dashboard`), the scaffolding does not create any more menu item in this section.
+If the entity type has no menu item in the given section, but the connector's menu item already exists in this section, the scaffolding creates only a menu item for the entity type, under the menu item of its connector.
+:::
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Child Elements
+* [MenuItemLocalization](#menuitemlocalization) (optional) Localization for the created menu items.
+
+### MenuItemLocalization
+
+
+|Property|Details|
+|---|---|
+| OnDashboard default value: false | **Type:** Boolean **Description:** Generic column used to store information for internal use. |
+| OnNav default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. |
+| OnTop default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. |
+
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar.md
new file mode 100644
index 0000000000..283d6d4db0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar.md
@@ -0,0 +1,34 @@
+---
+title: "EntityTypeSearchBar"
+description: "Creates the search bar for the entity without criteria."
+sidebar_position: 7
+---
+
+Creates the search bar for the entity without criteria.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md
new file mode 100644
index 0000000000..adad16736c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md
@@ -0,0 +1,31 @@
+---
+title: "Entity Types"
+description: "Entity Types"
+sidebar_position: 10
+---
+
+# Entity Types
+- [ConnectorMappings](./connectormappings)
+
+Generates the mapping of an entity in a given connector.
+- [EntityTypeDisplayName](./entitytypedisplayname)
+
+Computes a default value for resources' internal display names.
+- [EntityTypeDisplayTable](./entitytypedisplaytable)
+
+Creates a display table for the given entity.
+- [EntityTypeDisplayTableAdaptable](./entitytypedisplaytableadaptable)
+
+Creates an adaptable display table for a given entity type.
+- [EntityTypeDisplayTargetResourceTable](./entitytypedisplaytargetresourcetable)
+
+Creates a displaytable for the given entity.
+- [EntityTypeMenuItem](./entitytypemenuitem)
+
+Creates a menu item for the entity type, and for its connector if the entity type has an entity type mapping.
+- [EntityTypeSearchBar](./entitytypesearchbar)
+
+Creates the search bar for the entity without criteria.
+- [TargetResourceReportMenus](./targetresourcereportmenus)
+
+Creates the Item menu for the entity's report so that it is displayed in the report view.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus.md
new file mode 100644
index 0000000000..55ebbcedbf
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus.md
@@ -0,0 +1,34 @@
+---
+title: "TargetResourceReportMenus"
+description: "Creates the Item menu for the entity's report so that it is displayed in the report view."
+sidebar_position: 8
+---
+
+Creates the Item menu for the entity's report so that it is displayed in the report view.
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md
new file mode 100644
index 0000000000..c38968d54c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md
@@ -0,0 +1,9 @@
+---
+title: "Entity Types"
+description: "Entity Types"
+sidebar_position: 10
+---
+
+# Entity Types
+- [Entity Types](./entitytypes)
+- [Workflows](./workflows)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus.md
new file mode 100644
index 0000000000..7f3ab8f682
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus.md
@@ -0,0 +1,48 @@ +--- +title: "CreateUpdateDeleteMenus" +description: "Creates creation, update and delete menus for an entity." +sidebar_position: 1 +--- + +Creates creation, update and delete menus for an entity. Read these menuItems again on the main menuItems of the entity with the following naming rule: +"Search_" + Identifier of entity type. +if this menuItem does not exist, create it in the database. + +:::warning +The workflows for adding, deleting and modifying the entity must be created beforehand. For this scaffolding, the names of these 3 workflows must comply with the following standard: +- entity type identifier + "_Create" +- entity type identifier + "_Update" +- entity type identifier + "_Delete" +::: + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows.md new file mode 100644 index 0000000000..f4f88c8f40 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows.md 
@@ -0,0 +1,45 @@
+---
+title: "CreateUpdateDeleteWorkflows"
+description: " "
+sidebar_position: 2
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md
new file mode 100644
index 0000000000..3b4ece051d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md
@@ -0,0 +1,37 @@
+---
+title: "Workflows"
+description: "Workflows"
+sidebar_position: 10
+---
+
+# Workflows
+- [CreateUpdateDeleteMenus](./createupdatedeletemenus)
+
+Creates creation, update and delete menus for an entity.
+- [CreateUpdateDeleteWorkflows](./createupdatedeleteworkflows)
+
+
+- [UpdateResourcesMenus](./updateresourcesmenus)
+
+
+- [UpdateResourcesWorkflows](./updateresourcesworkflows)
+
+
+- [WorkflowActorsNotification](./workflowactorsnotification)
+
+
+- [WorkflowEntityType](./workflowentitytype)
+
+Creates an entity that will be the source of all workflows that manipulate the given entity.
+- [WorkflowEntityTypeDisplayEntityType](./workflowentitytypedisplayentitytype)
+
+
+- [WorkflowEntityTypeDisplayTable](./workflowentitytypedisplaytable)
+
+Creates the display table of the workflow entity of the starting entity.
+- [WorkflowEntityTypeSearchBar](./workflowentitytypesearchbar)
+
+Creates the search bar of the workflow entity of the starting entity.
+- [WorkflowPerformerNotification](./workflowperformernotification)
+
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus.md
new file mode 100644
index 0000000000..5e9f714a4e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus.md
@@ -0,0 +1,36 @@
+---
+title: "UpdateResourcesMenus"
+description: " "
+sidebar_position: 3
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows.md
new file mode 100644
index 0000000000..5ce52d4169
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows.md
@@ -0,0 +1,37 @@
+---
+title: "UpdateResourcesWorkflows"
+description: " "
+sidebar_position: 4
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification.md
new file mode 100644
index 0000000000..0a4ee7398b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification.md
@@ -0,0 +1,413 @@
+---
+title: "WorkflowActorsNotification"
+description: " "
+sidebar_position: 5
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Workflow optional | **Type:** String **Description:** Identifier of the workflow involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype.md
new file mode 100644
index 0000000000..a456d04a9c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype.md
@@ -0,0 +1,40 @@
+---
+title: "WorkflowEntityType"
+description: "Creates an entity that will be the source of all workflows that manipulate the given entity."
+sidebar_position: 6
+---
+
+Creates an entity that will be the source of all workflows that manipulate the given entity. Also create the association between this new entity and the starting entity.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype.md
new file mode 100644
index 0000000000..07cf5e591d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype.md
@@ -0,0 +1,34 @@
+---
+title: "WorkflowEntityTypeDisplayEntityType"
+description: " "
+sidebar_position: 7
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable.md
new file mode 100644
index 0000000000..a99761a05d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable.md
@@ -0,0 +1,51 @@
+---
+title: "WorkflowEntityTypeDisplayTable"
+description: "Creates the display table of the workflow entity of the starting entity."
+sidebar_position: 8
+---
+
+Creates the display table of the workflow entity of the starting entity.
+
+:::warning
+The starting entity must have a Display table and create the workflow entity type to be able to launch this scaffolding.
+:::
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar.md
new file mode 100644
index 0000000000..cc55e494a0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar.md
@@ -0,0 +1,46 @@
+---
+title: "WorkflowEntityTypeSearchBar"
+description: "Creates the search bar of the workflow entity of the starting entity."
+sidebar_position: 9
+---
+
+Creates the search bar of the workflow entity of the starting entity.
+
+:::warning
+The starting entity must have a search bar and create the workflow entity type to be able to launch this scaffolding.
+:::
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification.md
new file mode 100644
index 0000000000..9f2fe5f253
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification.md
@@ -0,0 +1,411 @@
+---
+title: "WorkflowPerformerNotification"
+description: " "
+sidebar_position: 10
+---
+
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Workflow optional | **Type:** String **Description:** Identifier of the workflow involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md
new file mode 100644
index 0000000000..3546c8c92f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md
@@ -0,0 +1,462 @@
+---
+title: "Scaffoldings"
+description: "Scaffoldings"
+sidebar_position: 10
+---
+
+# Scaffoldings
+
+Identity Manager provides a list of scaffoldings to act as configuration shortcuts: a scaffolding is an XML element that will generate a complex XML fragment.
+
+Available scaffoldings are described below.
+
+To understand scaffoldings' generated configuration, Identity Manager's executable [Usercube-Export-Configuration](../../../../../integration-guide/executables/references/export-configuration.md) can be launched with the `--export-scaffolding` option to export into XML files the configuration items generated by scaffoldings.
+
+Remember that these exported files are meant for viewing and understanding purposes, not for using their content in your own configuration.
+
+## References
+
+- [Access Control Rules](accesscontrolrules)
+
+- [Access Reviews](accesscontrolrules/accessreviews)
+
+- [Access Review Administration Access Control Rules](accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules)
+
+Generates the permissions to administrate campaign creation.
+
+- [Connectors](accesscontrolrules/connectors)
+
+- [Connector Resource Type Access Control](accesscontrolrules/connectors/connectorresourcetypeaccesscontrol)
+
+Gives the rights to create and update resource types, generate provisioning orders and fulfill from the connector screen.
+
+- [Settings Access Control Rules](accesscontrolrules/connectors/settingsaccesscontrolrules)
+
+Generates the permissions to configure the Workforce Core Solution module and connector settings.
+
+- [Jobs](accesscontrolrules/jobs)
+
+- [Get Job Log Administration Access Control Rules](accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules)
+
+Generates the permissions to read task and job instances logs in UI for a given profile.
+
+- [Job Administration Access Control Rules](accesscontrolrules/jobs/jobadministrationaccesscontrolrules)
+
+Scaffolding to access the job administration page.
+
+- [Job Task Administration Access Control Rules](accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules)
+
+Generates all permissions for JobStep entity.
+
+- [Pending Assigned Resource Types Access Control Rules](accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules)
+
+Generates the access control rules which give to a profile the permissions to call the API Pending AssignedResourceTypes.
+
+- [Provisioning Access Control Rules](accesscontrolrules/jobs/provisioningaccesscontrolrules)
+
+Generates the execution rights for Provisioning and Fulfillment tasks for a given profile.
+
+- [Resource Changes View Access Control Rules](accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules)
+
+Generates the access control rules which gives to a profile the permissions to call the API ResourceChange, ResourceFileChange and ResourceLinkChange.
+
+- [Resource Type Mapping Control Rules](accesscontrolrules/jobs/resourcetypemappingcontrolrules)
+
+Generate rights to launch agent fulfillment.
+
+- [Run Job Administration Access Control Rules](accesscontrolrules/jobs/runjobadministrationaccesscontrolrules)
+
+Generates the permissions to launch jobs from UI for a given profile.
+
+- [Run Job Notification Access Control Rules](accesscontrolrules/jobs/runjobnotificationaccesscontrolrules)
+
+Generates access control to send notification when job finish with an error state.
+
+- [Run Job Repair Administration Access Control Rules](accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules)
+
+Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or a synchronization for a given profile.
+
+- [Run Job Repair Notification Access Control Rules](accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules)
+
+Generates access control to send notification when a relaunch job finish with an error state.
+
+- [Synchronization Access Control Rules](accesscontrolrules/jobs/synchronizationaccesscontrolrules)
+
+Generates rights to launch synchronization task.
+
+- [Task Administration Access Control Rules](accesscontrolrules/jobs/taskadministrationaccesscontrolrules)
+
+Generates all rights to have the access to job administration page.
+
+- [Task Instance Administration Access Control Rules](accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules)
+
+Generates access control to update the task instances.
+
+- [Workflow Fulfillment Control Rules](accesscontrolrules/jobs/workflowfulfillmentcontrolrules)
+
+Generates the execution rights to launch Fulfillment workflow for a given profile.
+
+- [Monitoring](accesscontrolrules/monitoring)
+
+- [Monitoring Administration Access Control Rules](accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules)
+
+Generates the access control rule which gives to a profile the permission to query the monitoring screen.
+
+- [Profiles](accesscontrolrules/profiles)
+
+- [Assign Profile Access Control Rules](accesscontrolrules/profiles/assignprofileaccesscontrolrules)
+
+Gives to a given profile the rights to create, update, delete and query any assigned profile.
+
+- [Open Id Client Administration Access Control Rules](accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules)
+
+
+
+- [Profile Administration Access Control Rules](accesscontrolrules/profiles/profileadministrationaccesscontrolrules)
+
+Gives to a given profile the rights to create, update and delete profiles.
+
+- [Queries](accesscontrolrules/queries)
+
+- [Manage Setting Access Control Rule](accesscontrolrules/queries/managesettingaccesscontrolrule)
+
+Generates the access control rule which gives to a profile the permission to query, create, update and delete settings from the UM_Settings table.
+
+- [Report Access Control Rules](accesscontrolrules/queries/reportaccesscontrolrules)
+
+Generates the permissions to access the report view.
+
+- [Target Resource Report Access Control Rules](accesscontrolrules/queries/targetresourcereportaccesscontrolrules)
+
+Generates the permissions to apply a report for a profile on a given entity.
+
+- [Universe Access Control Rules](accesscontrolrules/queries/universeaccesscontrolrules)
+
+Generates an access control rule which gives a profile the permission to access the query page and run queries.
+
+- [Resources](accesscontrolrules/resources)
+
+- [Create Resource Incremental Access Control Rules](accesscontrolrules/resources/createresourceincrementalaccesscontrolrules)
+
+Generates the access control rule which gives to a profile the permission to query the resources modified incrementally
+
+- [Resource Api Administration](accesscontrolrules/resources/resourceapiadministration)
+
+Generates the permissions to create/update/delete/query resources from a given entity type, for a given profile.
+
+- [Resource Picker Control Rules](accesscontrolrules/resources/resourcepickercontrolrules)
+
+Creates the reading right of the resource picker.
+
+- [View Access Control Rules](accesscontrolrules/resources/viewaccesscontrolrules)
+
+Generates the permissions to view an entity type's resources.
+
+- [View History Resource Template](accesscontrolrules/resources/viewhistoryresourcetemplate)
+
+Generates an access control rule giving to the specified profile the permission to browse the resources history of the specified entity type.
+
+- [Role Models](accesscontrolrules/rolemodels)
+
+- [Assigned Roles Access Control Rules](accesscontrolrules/rolemodels/assignedrolesaccesscontrolrules)
+
+Generates the permissions to access the assigned roles page for a given entity type and profile.
+
+- [Basket Rules Control Rules](accesscontrolrules/rolemodels/basketrulescontrolrules)
+
+Generates the permissions to execute the different requests to display the information in the rights basket.
+
+- [Bulk Perform Manual Provisioning Access Control Rules](accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Perform Manual Provisioning** page.
+
+- [Bulk Resource Reconciliation Access Control Rules](accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Resource Reconciliation** page.
+
+- [Bulk Review Provisioning Access Control Rules](accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Provisioning Review** page (only for errored orders).
+
+- [Bulk Role Reconciliation Access Control Rules](accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules)
+
+Generates the permissions to perform bulk validations on the **Role Reconciliation** page.
+
+- [Governance Roles Access Control Rules](accesscontrolrules/rolemodels/governancerolesaccesscontrolrules)
+
+Generates the permissions to access the governance review pages for a given entity type and profile.
+
+- [Perform Manual Provisioning Access Control Rules](accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules)
+
+Generates the permissions to access the manual provisioning pages for a given entity type and profile.
+
+- [Reconciliate Resources Access Control Rules](accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules)
+
+Generates the permissions to access the resource reconciliation pages for a given entity type and profile.
+
+- [Reconciliate Roles Access Control Rules](accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules)
+
+Generates the permissions to access the role reconciliation pages for a given entity type and profile.
+
+- [Redundant Assignment Access Control Rule](accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule)
+
+Generates the permissions to access the **Redundant Assignment** page, to analyze and remove redundant assignments.
+
+- [Review Provisioning Access Control Rules](accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules)
+
+Generates the permissions to access the provisioning review pages for a given entity type and profile.
+
+- [Review Roles Access Control Rules](accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules)
+
+Generates the permissions to access the role review pages for a given entity type and profile.
+
+- [Risks Administration Access Control Rules](accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules)
+
+
+
+- [Role Administration Access Control Rules](accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules)
+
+Generates the permissions to access the configuration pages and create, update, delete the elements of the role model.
+
+- [Role Naming Access Control Rules](accesscontrolrules/rolemodels/rolenamingaccesscontrolrules)
+
+Generates the permissions to configure and launch the automatic creation of roles and rules based on naming conventions.
+
+- [Simulations](accesscontrolrules/simulations)
+
+- [Policy Simulation Control Rules](accesscontrolrules/simulations/policysimulationcontrolrules)
+
+
+
+- [Role And Simulation Control Rules](accesscontrolrules/simulations/roleandsimulationcontrolrules)
+
+
+
+- [User Interfaces](accesscontrolrules/userinterfaces)
+
+- [Manage Accounts](accesscontrolrules/userinterfaces/manageaccounts)
+
+
+
+- [Search Bar Page Access Control](accesscontrolrules/userinterfaces/searchbarpageaccesscontrol)
+
+Gives access rights to the different navigation elements of the SearchBars of the pages of the role model.
+
+- [Workflows](accesscontrolrules/workflows)
+
+- [Create Update Delete Access Control Rules](accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules)
+
+Generates execution rights for the create, update, delete workflows.
+
+- [Update Resources Access Control Rules](accesscontrolrules/workflows/updateresourcesaccesscontrolrules)
+
+
+
+- [Workflow Access Control Rules](accesscontrolrules/workflows/workflowaccesscontrolrules)
+
+Generates the permissions to access the task page and visualize the workflows to be executed for a given entity type and profile.
+
+- [Workflow Aspect](accesscontrolrules/workflows/workflowaspect)
+
+
+
+- [Workflow Configuration Control Rules](accesscontrolrules/workflows/workflowconfigurationcontrolrules)
+
+
+
+- [Workflow Overview Control Rules](accesscontrolrules/workflows/workflowoverviewcontrolrules)
+
+Generates the permissions to access the workflow supervision page.
+
+- [Entity Types](entitytypes)
+
+- [Entity Types](entitytypes/entitytypes)
+
+- [Connector Mappings](entitytypes/entitytypes/connectormappings)
+
+Generates the mapping of an entity in a given connector.
+
+- [Entity Type Display Name](entitytypes/entitytypes/entitytypedisplayname)
+
+Computes a default value for resources' internal display names.
+
+- [Entity Type Display Table](entitytypes/entitytypes/entitytypedisplaytable)
+
+Creates a display table for the given entity.
+
+- [Entity Type Display Table Adaptable](entitytypes/entitytypes/entitytypedisplaytableadaptable)
+
+Creates an adaptable display table for a given entity type.
+
+- [Entity Type Display Target Resource Table](entitytypes/entitytypes/entitytypedisplaytargetresourcetable)
+
+Creates a displaytable for the given entity.
+
+- [Entity Type Menu Item](entitytypes/entitytypes/entitytypemenuitem)
+
+Creates a menu item for the entity type, and for its connector if the entity type has an entity type mapping.
+
+- [Entity Type Search Bar](entitytypes/entitytypes/entitytypesearchbar)
+
+Creates the search bar for the entity without criteria.
+
+- [Target Resource Report Menus](entitytypes/entitytypes/targetresourcereportmenus)
+
+Creates the Item menu for the entity's report so that it is displayed in the report view.
+
+- [Workflows](entitytypes/workflows)
+
+- [Create Update Delete Menus](entitytypes/workflows/createupdatedeletemenus)
+
+Creates creation, update and delete menus for an entity.
+
+- [Create Update Delete Workflows](entitytypes/workflows/createupdatedeleteworkflows)
+
+
+
+- [Update Resources Menus](entitytypes/workflows/updateresourcesmenus)
+
+
+
+- [Update Resources Workflows](entitytypes/workflows/updateresourcesworkflows)
+
+
+
+- [Workflow Actors Notification](entitytypes/workflows/workflowactorsnotification)
+
+
+
+- [Workflow Entity Type](entitytypes/workflows/workflowentitytype)
+
+Creates an entity that will be the source of all workflows that manipulate the given entity.
+
+- [Workflow Entity Type Display Entity Type](entitytypes/workflows/workflowentitytypedisplayentitytype)
+
+
+
+- [Workflow Entity Type Display Table](entitytypes/workflows/workflowentitytypedisplaytable)
+
+Creates the display table of the workflow entity of the starting entity.
+
+- [Workflow Entity Type Search Bar](entitytypes/workflows/workflowentitytypesearchbar)
+
+Creates the search bar of the workflow entity of the starting entity.
+
+- [Workflow Performer Notification](entitytypes/workflows/workflowperformernotification)
+
+
+
+- [Jobs](jobs)
+
+- [Clean Database Job](jobs/cleandatabasejob)
+
+Creates the job to clean old tasks and jobs instances with state InProgress
+
+- [Create Access Certification Job](jobs/createaccesscertificationjob)
+
+Creates the AccessCertification Job.
+
+- [Create Agent Synchro Complete](jobs/createagentsynchrocomplete)
+
+Creates for the given agent the synchronization job of all connectors present in the agent in Complete mode.
+
+- [Create Agent Synchro Incremental](jobs/createagentsynchroincremental)
+
+Creates for the given agent the synchronization job of all connectors present in the agent in incremental mode.
+
+- [Create Connectors Jobs](jobs/createconnectorsjobs)
+
+Creates all jobs by connector to launched task in the connector page.
+
+- [Create Connector Synchro Complete](jobs/createconnectorsynchrocomplete)
+
+Creates for the given connector the synchronization in complete mode.
+
+- [Create Connector Synchro Incremental](jobs/createconnectorsynchroincremental)
+
+Creates for the given connector the synchronization job in incremental mode.
+
+- [Create Initialization Job](jobs/createinitializationjob)
+
+Creates the Initialization Job for the given agent.
+
+- [Optimizations](optimizations)
+
+- [Optimize Display Table](optimizations/optimizedisplaytable)
+
+Optimizes all elements found in the given displayTable.
+
+- [Queries](queries)
+
+- [Target Resource Report](queries/targetresourcereport)
+
+Creates a ReportQuery with default Query taking all the properties of the entity.
+
+- [Universe Data Model](queries/universedatamodel)
+
+Creates, within a universe, entity instances and association instances based on a predefined template.
+
+- [Templates](templates)
+
+- [Connectors Access Control Rules](templates/connectorsaccesscontrolrules)
+
+Gives the permissions to manage the connector pages.
+
+- [Create Administrator Profile](templates/createadministratorprofile)
+
+Creates the profile administrator and all default access control rules.
+
+- [Create Update Delete Template](templates/createupdatedeletetemplate)
+
+Creates the three types of workflow for the given entity as well as the execution rights for the given profile.
+
+- [Entity Report Default](templates/entityreportdefault)
+
+Creates all configuration items to add a ReportQuery for an EntityType and profile.
+
+- [Job Execution Access Control Rules](templates/jobexecutionaccesscontrolrules)
+
+Assigns a set of rights to a given profile to execute any job, and view all job instances, task instances and logs.
+
+- [Job View Access Control Rules](templates/jobviewaccesscontrolrules)
+
+Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs.
+
+- [Simulation Access Control Rules](templates/simulationaccesscontrolrules)
+
+Generates the permissions to configure and launch simulations.
+
+- [Update Resources Template](templates/updateresourcestemplate)
+
+
+
+- [View Source Resource Template](templates/viewsourceresourcetemplate)
+
+Creates the display table, fills in the internal display name of the entity, and gives the rights to see the permissions and sources of the entity for a given profile.
+
+- [View Target Resource Template](templates/viewtargetresourcetemplate)
+
+Creates the entity view (designElement = resourceTable), the report and the rights for a given profile.
+
+- [View Template](templates/viewtemplate)
+
+Creates the view for the given entity as well as the rights for the given profile.
+
+- [View Template Adaptable](templates/viewtemplateadaptable)
+
+Implements a default display name for the resources of a given entity type, displays the resources in an adaptable table, and give the permissions to view the resources.
+
+- [Workforce](workforce)
+
+- [Bootstrap Module](workforce/bootstrapmodule)
+
+Generates the default settings required to start using Usercube and the Workforce Core Solution module.
+
+- [Profile Module](workforce/profilemodule)
+
+Generates access control rules by aggregating composite profiles.
+
+- [Workforce Module](workforce/workforcemodule)
+
+Generates the workforce repository based on the data filled in the Workforce Core Solution module.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob.md
new file mode 100644
index 0000000000..29cac77786
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob.md
@@ -0,0 +1,29 @@
+---
+title: "CleanDatabaseJob"
+description: "Creates the job to clean old tasks and jobs instances with state InProgress"
+sidebar_position: 1
+---
+
+Creates the job to clean old tasks and jobs instances with state InProgress
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob.md
new file mode 100644
index 0000000000..1383d944f3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob.md 
@@ -0,0 +1,73 @@ +--- +title: "CreateAccessCertificationJob" +description: "Creates the AccessCertification Job." +sidebar_position: 2 +--- + +Creates the AccessCertification Job. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 optional | **Type:** String **Description:** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type:** String **Description:** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | + + + +## Child Elements +* [AddTask](#addtask) (optional) Add a task before or after another in the job +* [CronTabExpression](#crontabexpression) (optional) Schedule the job +* [DoNotCreateJob](#donotcreatejob) (optional) Create only the tasks without the job + +### AddTask + + +|Property|Details| +|---|---| +| Task required | **Type:** String **Description:** Identifier of the task to add | +| TaskToCompareWith required | **Type:** String **Description:** The identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type:** Int32 **Description:** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type:** Int32 **Description:** Occurence of the TaskToCompare after or before which the task will be added | + + + +### CronTabExpression + + +|Property|Details| +|---|---| +| CronTab required | **Type:** String **Description:** Represents the argument value. 
| +| CronTimeZone optional | **Type:** CronTimeZone **Description:** For Argument AddTask, Occurence of the TaskToCompare after or before which the task will be added. | + + + +### DoNotCreateJob + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete.md new file mode 100644 index 0000000000..66d45869b6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete.md 
@@ -0,0 +1,275 @@ +--- +title: "CreateAgentSynchroComplete" +description: "Creates for the given agent the synchronization job of all connectors present in the agent in Complete mode." +sidebar_position: 3 +--- + +This Scaffolding generates a synchronization job (in complete mode) for all connectors. + +The tasks created in the Scaffoldings are sorted by level. The levels are visible via the tools: Usercube-Get-JobSteps.exe + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent optional | **Type:** String **Description:** For job scaffoldings, identifier of the agent on which the job to be generated will be launched. | +| DisplayName_L1 optional | **Type:** String **Description:** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type:** String **Description:** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | **Type:** Boolean **Description:** Internal use. 
| + + + +## Child Elements +* [AddTask](#addtask) (optional) Add a task before or after another in the job +* [CronTabExpression](#crontabexpression) (optional) Schedule the job +* [DoNotCreateJob](#donotcreatejob) (optional) Create only the tasks without the job +* [FulfillInternalWorkflowsPath](#fulfillinternalworkflowspath) (optional) Add the path of the json configuration for a connector with IsWorkflowProvisioning set to true +* [LinkDependTask](#linkdependtask) (optional) Link a child Task with a parent to not launch the child if the parent has finish with state warning +* [OpenIdIdentifier](#openididentifier) (optional) Add a Open Id to the job and the tasks + +### AddTask + + +|Property|Details| +|---|---| +| Task required | **Type:** String **Description:** Identifier of the task to add | +| TaskToCompareWith required | **Type:** String **Description:** The identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type:** Int32 **Description:** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type:** Int32 **Description:** Occurence of the TaskToCompare after or before which the task will be added | + + + +### CronTabExpression + + +|Property|Details| +|---|---| +| CronTab required | **Type:** String **Description:** Represents the argument value. | +| CronTimeZone optional | **Type:** CronTimeZone **Description:** For Argument AddTask, Occurence of the TaskToCompare after or before which the task will be added. 
| + + + +### DoNotCreateJob + + +### FulfillInternalWorkflowsPath + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | +| Path required | **Type:** String **Description:** Represents the argument value. | + + + +### LinkDependTask + + +|Property|Details| +|---|---| +| DependOn required | **Type:** String **Description:** identifier of parent Task | +| Task required | **Type:** String **Description:** Identifier of child Task | +| ChildOccurence default value: 0 | **Type:** Int32 **Description:** search the occurence x to link with the parent. | +| ParentOccurence default value: 0 | **Type:** Int32 **Description:** Occurence of the parentTask which the task will be linked | + + + +### OpenIdIdentifier + + +|Property|Details| +|---|---| +| Identifier required | **Type:** String **Description:** Identifier of the OpenId | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental.md new file mode 100644 index 0000000000..631d2c893d --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental.md 
@@ -0,0 +1,218 @@ +--- +title: "CreateAgentSynchroIncremental" +description: "Creates for the given agent the synchronization job of all connectors present in the agent in incremental mode." +sidebar_position: 4 +--- + +This scaffolding generates a synchronization job in incremental mode for all connectors supporting incremental synchronization. + +The tasks created in the Scaffoldings are sorted by level. The levels are visible via the tools: Usercube-Get-JobSteps.exe + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent optional | **Type:** String **Description:** For job scaffoldings, identifier of the agent on which the job to be generated will be launched. | +| DisplayName_L1 optional | **Type:** String **Description:** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type:** String **Description:** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | **Type:** Boolean **Description:** Internal use. 
| + + + +## Child Elements +* [AddTask](#addtask) (optional) Add a task before or after another in the job +* [CronTabExpression](#crontabexpression) (optional) Schedule the job +* [DoNotCreateJob](#donotcreatejob) (optional) Create only the tasks without the job +* [FulfillInternalWorkflowsPath](#fulfillinternalworkflowspath) (optional) Add the path of the json configuration for a connector with IsWorkflowProvisioning set to true +* [LinkDependTask](#linkdependtask) (optional) Link a child Task with a parent to not launch the child if the parent has finish with state warning +* [OpenIdIdentifier](#openididentifier) (optional) Add a Open Id to the job and the tasks + +### AddTask + + +|Property|Details| +|---|---| +| Task required | **Type:** String **Description:** Identifier of the task to add | +| TaskToCompareWith required | **Type:** String **Description:** The identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type:** Int32 **Description:** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type:** Int32 **Description:** Occurence of the TaskToCompare after or before which the task will be added | + + + +### CronTabExpression + + +|Property|Details| +|---|---| +| CronTab required | **Type:** String **Description:** Represents the argument value. | +| CronTimeZone optional | **Type:** CronTimeZone **Description:** For Argument AddTask, Occurence of the TaskToCompare after or before which the task will be added. 
| + + + +### DoNotCreateJob + + +### FulfillInternalWorkflowsPath + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | +| Path required | **Type:** String **Description:** Represents the argument value. | + + + +### LinkDependTask + + +|Property|Details| +|---|---| +| DependOn required | **Type:** String **Description:** identifier of parent Task | +| Task required | **Type:** String **Description:** Identifier of child Task | +| ChildOccurence default value: 0 | **Type:** Int32 **Description:** search the occurence x to link with the parent. | +| ParentOccurence default value: 0 | **Type:** Int32 **Description:** Occurence of the parentTask which the task will be linked | + + + +### OpenIdIdentifier + + +|Property|Details| +|---|---| +| Identifier required | **Type:** String **Description:** Identifier of the OpenId | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs.md new file mode 100644 index 0000000000..676de7e9f6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs.md 
@@ -0,0 +1,290 @@ +--- +title: "CreateConnectorsJobs" +description: "Creates all jobs by connector to launched task in the connector page." +sidebar_position: 5 +--- + +Creates all jobs by connector to launched task in the connector page. + + + +## Examples + + +```xml + +``` + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete.md new file mode 100644 index 0000000000..1e8d4395d9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete.md 
@@ -0,0 +1,155 @@ +--- +title: "CreateConnectorSynchroComplete" +description: "Creates for the given connector the synchronization in complete mode." +sidebar_position: 6 +--- + +This scaffolding generates a synchronization job (in Complete mode) for the given connector. + +The tasks created in the Scaffoldings are sorted by level. The levels are visible via the tools: Usercube-Get-JobSteps.exe + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connector required | **Type:** String **Description:** Identifier of the connector involved in the job to be generated. | +| DisplayName_L1 optional | **Type:** String **Description:** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type:** String **Description:** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | **Type:** Boolean **Description:** Internal use. | + + + +## Child Elements +* [AddTask](#addtask) (optional) Add a task before or after another in the job +* [CronTabExpression](#crontabexpression) (optional) Schedule the job +* [DoNotCreateJob](#donotcreatejob) (optional) Create only the tasks without the job +* [FulfillInternalWorkflowsPath](#fulfillinternalworkflowspath) (optional) Add the path of the json configuration for a connector with IsWorkflowProvisioning set to true +* [LinkDependTask](#linkdependtask) (optional) Link a child Task with a parent to not launch the child if the parent has finish with state warning +* [NoProvisioning](#noprovisioning) (optional) Avoid provisioning +* [NoSynchronization](#nosynchronization) (optional) Avoid collect +* [OpenIdIdentifier](#openididentifier) (optional) Add a Open Id to the job and the tasks + +### AddTask + + +|Property|Details| +|---|---| +| Task required | **Type:** String **Description:** Identifier of the task to add | +| TaskToCompareWith required | **Type:** String **Description:** The 
identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type:** Int32 **Description:** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type:** Int32 **Description:** Occurence of the TaskToCompare after or before which the task will be added | + + + +### CronTabExpression + + +|Property|Details| +|---|---| +| CronTab required | **Type:** String **Description:** Represents the argument value. | +| CronTimeZone optional | **Type:** CronTimeZone **Description:** For Argument AddTask, Occurence of the TaskToCompare after or before which the task will be added. | + + + +### DoNotCreateJob + + +### FulfillInternalWorkflowsPath + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | +| Path required | **Type:** String **Description:** Represents the argument value. | + + + +### LinkDependTask + + +|Property|Details| +|---|---| +| DependOn required | **Type:** String **Description:** identifier of parent Task | +| Task required | **Type:** String **Description:** Identifier of child Task | +| ChildOccurence default value: 0 | **Type:** Int32 **Description:** search the occurence x to link with the parent. 
| +| ParentOccurence default value: 0 | **Type:** Int32 **Description:** Occurence of the parentTask which the task will be linked | + + + +### NoProvisioning + + +### NoSynchronization + + +### OpenIdIdentifier + + +|Property|Details| +|---|---| +| Identifier required | **Type:** String **Description:** Identifier of the OpenId | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental.md new file mode 100644 index 0000000000..d8bdaf5638 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental.md 
@@ -0,0 +1,149 @@ +--- +title: "CreateConnectorSynchroIncremental" +description: "Creates for the given connector the synchronization job in incremental mode." +sidebar_position: 7 +--- + +This scaffolding generates a synchronization job (in Incremental mode) for the given connector. + +The tasks created in the Scaffoldings are sorted by level. The levels are visible via the tools: Usercube-Get-JobSteps.exe + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connector required | **Type:** String **Description:** Identifier of the connector involved in the job to be generated. | +| DisplayName_L1 optional | **Type:** String **Description:** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type:** String **Description:** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | **Type:** Boolean **Description:** Internal use. | + + + +## Child Elements +* [AddTask](#addtask) (optional) Add a task before or after another in the job +* [CronTabExpression](#crontabexpression) (optional) Schedule the job +* [DoNotCreateJob](#donotcreatejob) (optional) Create only the tasks without the job +* [FulfillInternalWorkflowsPath](#fulfillinternalworkflowspath) (optional) Add the path of the json configuration for a connector with IsWorkflowProvisioning set to true +* [LinkDependTask](#linkdependtask) (optional) Link a child Task with a parent to not launch the child if the parent has finish with state warning +* [NoProvisioning](#noprovisioning) (optional) Avoid provisioning +* [NoSynchronization](#nosynchronization) (optional) Avoid collect +* [OpenIdIdentifier](#openididentifier) (optional) Add a Open Id to the job and the tasks + +### AddTask + + +|Property|Details| +|---|---| +| Task required | **Type:** String **Description:** Identifier of the task to add | +| TaskToCompareWith required | **Type:** String 
**Description:** The identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type:** Int32 **Description:** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type:** Int32 **Description:** Occurence of the TaskToCompare after or before which the task will be added | + + + +### CronTabExpression + + +|Property|Details| +|---|---| +| CronTab required | **Type:** String **Description:** Represents the argument value. | +| CronTimeZone optional | **Type:** CronTimeZone **Description:** For Argument AddTask, Occurence of the TaskToCompare after or before which the task will be added. | + + + +### DoNotCreateJob + + +### FulfillInternalWorkflowsPath + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | +| Path required | **Type:** String **Description:** Represents the argument value. | + + + +### LinkDependTask + + +|Property|Details| +|---|---| +| DependOn required | **Type:** String **Description:** identifier of parent Task | +| Task required | **Type:** String **Description:** Identifier of child Task | +| ChildOccurence default value: 0 | **Type:** Int32 **Description:** search the occurence x to link with the parent. 
| +| ParentOccurence default value: 0 | **Type:** Int32 **Description:** Occurence of the parentTask which the task will be linked | + + + +### NoProvisioning + + +### NoSynchronization + + +### OpenIdIdentifier + + +|Property|Details| +|---|---| +| Identifier required | **Type:** String **Description:** Identifier of the OpenId | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob.md new file mode 100644 index 0000000000..eee7d5f451 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob.md 
@@ -0,0 +1,526 @@ +--- +title: "CreateInitializationJob" +description: "Creates the Initialization Job for the given agent." +sidebar_position: 8 +--- + +Creates the Initialization Job for the given agent. + + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent optional | **Type:** String **Description:** For job scaffoldings, identifier of the agent on which the job to be generated will be launched. | +| DisplayName_L1 optional | **Type:** String **Description:** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type:** String **Description:** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | **Type:** Boolean **Description:** Internal use. | + + + +## Child Elements +* [AddTask](#addtask) (optional) Add a task before or after another in the job +* [Configuration](#configuration) (optional) Add the path of the configuration folder if a configuration task is in the job +* [NoConnectorProvisioning](#noconnectorprovisioning) (optional) Avoid provisioning for a connector +* [NoConnectorSynchronization](#noconnectorsynchronization) (optional) Avoid collect for a connector +* [NotUsed](#notused) (optional) Avoid collect and provisioning for a connector +* [OpenIdIdentifier](#openididentifier) (optional) Add a Open Id to the job and the tasks +* [PrincipalDataConnector](#principaldataconnector) (optional) Specifies the connector that contains the data for the fulfillment of external systems. 
+ +### AddTask + + +|Property|Details| +|---|---| +| Task required | **Type:** String **Description:** Identifier of the task to add | +| TaskToCompareWith required | **Type:** String **Description:** The identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type:** Int32 **Description:** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type:** Int32 **Description:** Occurence of the TaskToCompare after or before which the task will be added | + + + +### Configuration + + +|Property|Details| +|---|---| +| Path required | **Type:** String **Description:** Represents the argument value. | + + + +### NoConnectorProvisioning + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + + + +### NoConnectorSynchronization + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. 
| + + + +### NotUsed + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + + + +### OpenIdIdentifier + + +|Property|Details| +|---|---| +| Identifier required | **Type:** String **Description:** Identifier of the OpenId | + + + +### PrincipalDataConnector + + +|Property|Details| +|---|---| +| ConnectorIdentifier required | **Type:** String **Description:** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md
new file mode 100644
index 0000000000..a0f0bdce4b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md
@@ -0,0 +1,31 @@
+---
+title: "Jobs"
+description: "Jobs"
+sidebar_position: 10
+---
+
+# Jobs
+- [CleanDatabaseJob](./cleandatabasejob)
+
+Creates the job to clean old tasks and jobs instances with state InProgress
+- [CreateAccessCertificationJob](./createaccesscertificationjob)
+
+Creates the AccessCertification Job.
+- [CreateAgentSynchroComplete](./createagentsynchrocomplete)
+
+Creates for the given agent the synchronization job of all connectors present in the agent in Complete mode.
+- [CreateAgentSynchroIncremental](./createagentsynchroincremental)
+
+Creates for the given agent the synchronization job of all connectors present in the agent in incremental mode.
+- [CreateConnectorsJobs](./createconnectorsjobs)
+
+Creates all jobs by connector to launched task in the connector page.
+- [CreateConnectorSynchroComplete](./createconnectorsynchrocomplete)
+
+Creates for the given connector the synchronization in complete mode.
+- [CreateConnectorSynchroIncremental](./createconnectorsynchroincremental)
+
+Creates for the given connector the synchronization job in incremental mode.
+- [CreateInitializationJob](./createinitializationjob)
+
+Creates the Initialization Job for the given agent.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md
new file mode 100644
index 0000000000..ffc9a42c28
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md
@@ -0,0 +1,10 @@
+---
+title: "Optimizations"
+description: "Optimizations"
+sidebar_position: 10
+---
+
+# Optimizations
+- [OptimizeDisplayTable](./optimizedisplaytable)
+
+Optimizes all elements found in the given displayTable.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable.md
new file mode 100644
index 0000000000..5a9d8b690c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable.md
@@ -0,0 +1,142 @@ +--- +title: "OptimizeDisplayTable" +description: "Optimizes all elements found in the given displayTable." +sidebar_position: 1 +--- + +This scaffolding optimizes the given display table by replacing its tiles navigation properties by scalar (pre-computed, via expressions) properties. This ultimately improves the performances of the SQL queries used to fetch the data displayed in the corresponding table. + +In order to optimize the display table, this scaffolding will create the following elements if they don't exist. + +- An [Entity Property](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype#child-element-property) for each tile item that uses a navigation binding. This will be used to hold the computed expression. +- An [Entity Property Expression](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression) to evaluate the binding expression used by the optimizable tile item. + +Then, the scaffolding will link the display table tile elements to the newly created scalar properties. + +This scaffolding has a downside which is that the displayed data is less dynamic than a normal display table, since it requires computing the expression (via jobs) ahead of time. + + + +## Examples +The following example optimized the DisplayTable `Directory_User` + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayTableIdentifier required | **Type:** String **Description:** The identifier of the display table to optimize | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md
new file mode 100644
index 0000000000..6aafeeaca1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md
@@ -0,0 +1,13 @@
+---
+title: "Queries"
+description: "Queries"
+sidebar_position: 10
+---
+
+# Queries
+- [TargetResourceReport](./targetresourcereport)
+
+Creates a ReportQuery with default Query taking all the properties of the entity.
+- [UniverseDataModel](./universedatamodel)
+
+Creates, within a universe, entity instances and association instances based on a predefined template.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport.md
new file mode 100644
index 0000000000..4b8f960d60
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport.md
@@ -0,0 +1,37 @@
+---
+title: "TargetResourceReport"
+description: "Creates a ReportQuery with default Query taking all the properties of the entity."
+sidebar_position: 1
+---
+
+Creates a ReportQuery with default Query taking all the properties of the entity.
+
+:::warning
+The entity must have a displayTable to be able to use this scaffolding.
+:::
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md
new file mode 100644
index 0000000000..6db10ef744
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md
@@ -0,0 +1,306 @@
+---
+title: "UniverseDataModel"
+description: "Creates, within a universe, entity instances and association instances based on a predefined template."
+sidebar_position: 2
+---
+
+This scaffolding creates, within a universe, entity instances and association instances based on a predefined template.
+
+The entity instances generated by the scaffolding will have:
+* as a display name, the display name of the corresponding navigation property, for example `Main Record`;
+* as an identifier, the identifier of the corresponding navigation which is made of `_`, for example `Directory_User_MainRecord`.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** String **Description:** Identifier of the entity type that we want to represent in the universe (as an entity instance) with all its navigations. |
+| Universe required | **Type:** String **Description:** Identifier of the universe in which the instances to be generated are going to exist. |
+
+
+
+## Child Elements
+* [ExcludedProperty](#excludedproperty) (optional) to ignore a given property of the specified entity type.
+* [RootInstance](#rootinstance) (optional) to rename the core entity instance that is to be generated, and to avoid data duplication when using several scaffoldings in one universe.
+* [SourceEntityType](#sourceentitytype) (optional) Define the source EntityType
+* [UniverseTemplate](#universetemplate) (optional) to use a template different from the default one.
+
+### ExcludedProperty
+
+
+|Property|Details|
+|---|---|
+| Property required | **Type:** String **Description:** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. |
+
+
+
+:::info
+A scaffolding does not use filters, but a part of the entity model can be excluded with the `ExcludedProperty` argument.
+:::
+
+The following example generates a universe `U8_Users` based on the entity type `Directory_User`, like our U1 but without the `Guests` property:
+
+```xml
+
+
+
+
+```
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (ExcludedProperty)](/images/identitymanager/universe_excluded.webp)
+
+### RootInstance
+
+
+|Property|Details|
+|---|---|
+| Instance required | **Type:** String **Description:** Identifier of the entity instance generated based on the EntityType property of the universe scaffolding. If not specified, the identifier of the entity instance is the identifier of the entity type. |
+
+The following example generates a universe `U2_UserRecords` based on the entity type `Directory_UserRecord`, naming the entity instance `REC`:
+
+```xml
+
+
+
+
+```
+
+![Universe (RootInstance)](/images/identitymanager/Universe_rootInstance.webp)
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (RootInstance)](/images/identitymanager/Universe_rootInstance.webp)
+
+#### RootInstance for several scaffoldings together
+
+:::info
+A universe can be made of several scaffoldings which need to be grouped together a specific way. One universe made of two scaffoldings will generate the two entity instances corresponding to the two specified entity types, with the entity and association instances corresponding to their navigation properties. To avoid data duplication in the universe model, we use `RootInstance` to rename one of the entity instances and follow the existing naming rule explained in the introduction.
+::: + + +```xml +<Universe Identifier="U3_UserRecords" DisplayName_L1="U3 - User Records" ColumnNamesMode="Identifier" /> +<UniverseDataModel Universe="U3_UserRecords" EntityType="Directory_User" /> +<UniverseDataModel Universe="U3_UserRecords" EntityType="Directory_UserRecord" /> +``` + +![Universe Schema (Several Scaffoldings with Data Duplication)](/images/identitymanager/Universe_severalDuplicationSchema.webp) + +When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: +![Universe (Several Scaffoldings with Data Duplication)](/images/identitymanager/Universe_severalDuplication.webp) +We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity instances. + +**The following example** generates a better version of the universe `U3_UserRecords` based on the entity types `Directory_User` and `Directory_UserRecord`, renaming `Directory_UserRecord` as `Directory_User_Records` to follow the naming rule, thus building the universe model with `Directory_User` as the core entity instance: + +```xml +<Universe Identifier="U3_UserRecords" DisplayName_L1="U3 - User Records" ColumnNamesMode="Identifier" /> +<UniverseDataModel Universe="U3_UserRecords" EntityType="Directory_User" /> +<UniverseDataModel Universe="U3_UserRecords" EntityType="Directory_UserRecord" > + <RootInstance Instance="Directory_User_Records" /> +</UniverseDataModel> +``` + +![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/Universe_severalNoDuplicationSchema.webp) + +When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: +![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/Universe_severalNoDuplication.webp) +Thus we removed the duplicated data, and we understand easily the navigations of the 
model. + +### SourceEntityType + + +|Property|Details| +|---|---| +| Identifier optional | **Type:** String **Description:** The identifier's SourceEntityType | + + + +### UniverseTemplate + + +|Property|Details| +|---|---| +| Template required | **Type:** String **Description:** Represents the argument value. | + +#### Default Template + +When no template is specified, the scaffolding generates: +* an entity instance based on a given entity type; +* an association instance and an entity instance for each navigation property of the entity type. + +**The following example** generates a universe `U1_Users` based on the entity type `Directory_User`: + +```xml + + +``` + +It generates: + +```xml + + + One entity instance for the entity type Directory_User: + + + One association instance and one entity instance per navigation property: + + + ... + + +``` + +![Universe (No Template)](/images/identitymanager/universe_notemplateschema.webp) + +When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: +![Universe (No Template)](/images/identitymanager/Universe_noTemplate.webp) + +:::info +We see here identifiers instead of display names due to `ColumnNamesMode` set to identifiers. +::: + +#### OwnedResourceTypes + +The following example generates a universe `U4_User` based on the entity type `Directory_User` and the resources assigned to users: + +```xml +<Universe Identifier="U4_User" DisplayName_L1="U4 - User" ColumnNamesMode="Identifier"/> +<UniverseDataModel Universe="U4_User" EntityType="Directory_User"> + <UniverseTemplate Template="OwnedResourceTypes"/> +</UniverseDataModel> +``` + +It generates: + +```xml +<Universe Identifier="U4_User" DisplayName_L1="U4 - User" ColumnNamesMode="Identifier"> + + One entity instance for the entity type Directory_User. 
+ <EntityInstance Identifier="Directory_User" DisplayName_L1="User" EntityType="Directory_User" />
+
+ Association instances and entity instances about the AD_Entry_NominativeUser resource type:
+
+ <EntityInstance Identifier="Directory_User_OwnedAssignedResourceTypes_AD_Entry_NominativeUser" DisplayName_L1="Assigned AD User (nominative)" EntityType="AssignedResourceType" FilterProperty="RoleId" FilterResourceType="AD_Entry_NominativeUser" />
+ <EntityInstance Identifier="Directory_User_OwnedAssignedResourceTypes_AD_Entry_NominativeUser_Resource" DisplayName_L1="AD User (nominative)" EntityType="AD_Entry" />
+
+ <AssociationInstance Association="AssignedResourceType.Resource" Direction="From1To2" Instance1="Directory_User_OwnedAssignedResourceTypes_AD_Entry_NominativeUser" Instance2="Directory_User_OwnedAssignedResourceTypes_AD_Entry_NominativeUser_Resource" />
+ <AssociationInstance Association="AssignedResourceType.Owner" Direction="From2To1" Instance1="Directory_User_OwnedAssignedResourceTypes_AD_Entry_NominativeUser" Instance2="Directory_User" />
+
+ Same for all resource types.
+ ...
+
+</Universe>
+```
+
+![Universe (Template Schema: Owned Resource Types)](/images/identitymanager/Universe_OwnedResourceTypesSchema.webp)
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (Template: Owned Resource Types)](/images/identitymanager/Universe_OwnedResourceTypes.webp)
+
+#### ResourceResourceTypes
+
+The following example generates a universe `U5_AD` based on the entity type `AD_Entry` and the owners of AD resources:
+
+```xml
+<Universe Identifier="U5_AD" DisplayName_L1="U5 AD" ColumnNamesMode="Identifier"/>
+<UniverseDataModel Universe="U5_AD" EntityType="AD_Entry">
+ <UniverseTemplate Template="ResourceResourceTypes"/>
+</UniverseDataModel>
+```
+
+The configuration generated by this snippet is similar to the one for `OwnedResourceTypes`.
+
+![Universe (Template Schema: Resource Resource Types)](/images/identitymanager/Universe_ResourceResourceTypesSchema.webp)
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (Template: Resource Resource Types)](/images/identitymanager/Universe_ResourceResourceTypes.webp)
+
+#### OwnedSingleRoles
+
+The following example generates a universe `U6_User` based on the entity type `Directory_User` and the single roles assigned to users:
+
+```xml
+<Universe Identifier="U6_User" DisplayName_L1="U6 - User" ColumnNamesMode="Identifier"/>
+<UniverseDataModel Universe="U6_User" EntityType="Directory_User">
+ <UniverseTemplate Template="OwnedSingleRoles"/>
+</UniverseDataModel>
+```
+
+It generates:
+
+```xml
+<Universe Identifier="U6_User" DisplayName_L1="U6 - User" ColumnNamesMode="Identifier">
+
+ One entity instance for the entity type Directory_User.
+ <EntityInstance Identifier="Directory_User" DisplayName_L1="User" EntityType="Directory_User" />
+
+ One entity instance containing data about role assignments, and one association instance linking it to Directory_User:
+ <EntityInstance Identifier="Directory_User_OwnedAssignedSingleRoles" DisplayName_L1="Assigned Composite Roles" EntityType="AssignedSingleRole" />
+ <AssociationInstance Association="AssignedSingleRole.Owner" Direction="From1To2" Instance1="Directory_User" Instance2="Directory_User_OwnedAssignedSingleRoles" />
+
+ One entity instance containing the single roles, and one association instance linking it to the role assignment data:
+ <EntityInstance Identifier="Directory_User_OwnedAssignedSingleRoles_Role" DisplayName_L1="Composite Role" EntityType="SingleRole" />
+ <AssociationInstance Association="AssignedSingleRole.Role" Direction="From1To2" Instance1="Directory_User_OwnedAssignedSingleRoles" Instance2="Directory_User_OwnedAssignedSingleRoles_Role" />
+
+</Universe>
+```
+
+![Universe (Template Schema: Owned Single Roles)](/images/identitymanager/Universe_OwnedSingleRolesSchema.webp)
+
+When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
+![Universe (Template: Owned Single Roles)](/images/identitymanager/Universe_OwnedSingleRoles.webp)
+
+#### OwnedCompositeRoles
+
+The following example generates a universe `U7_User` based on the entity type `Directory_User` and the composite roles assigned to users:
+
+```xml
+<Universe Identifier="U7_User" DisplayName_L1="U7 - User" ColumnNamesMode="Identifier"/>
+<UniverseDataModel Universe="U7_User" EntityType="Directory_User">
+ <UniverseTemplate Template="OwnedCompositeRoles"/>
+</UniverseDataModel>
+```
+
+The configuration generated by this snippet is similar to the one for `OwnedSingleRoles`.
+ +![Universe (Template Schema: Owned Composite Roles)](/images/identitymanager/Universe_OwnedCompositeRolesSchema.webp) + +When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: +![Universe (Template: Owned Composite Roles)](/images/identitymanager/Universe_OwnedCompositeRoles.webp) + + +## Mixed Example +Scaffoldings can be adjusted with [universe configuration](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence). + +The following example generates a universe `U9_AccessControl` aiming to create reports displaying users and their profiles. In our situation, profiles are assigned to AD accounts based on a given context. This is why we base our universe on the entity types `AD_Entry`, `AssignedProfile` and `ProfileContext`. Plus, there are 10 dimensions in contexts, but only dimensions 0 and 1 are used, so we exclude the others. We exclude also resource types and single roles that are of no use for us here. + +```xml + + + + + + + + + + + + + + + + + + + + + + + +``` + +When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: +![Universe (Mixed Example)](/images/identitymanager/universe_mixedexample.webp) diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md new file mode 100644 index 0000000000..4000776df6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md 
@@ -0,0 +1,210 @@
+---
+title: "ConnectorsAccessControlRules"
+description: "Gives the permissions to manage the connector pages."
+sidebar_position: 1
+---
+
+Gives the permissions to manage the connector pages.
+
+Generates the permissions to access the connectors pages, the policies page, the access roles page, the access rules page and the job execution page.
+
+Gives access to shortcuts on the dashboard to access these pages.
+
+![Connectors](/images/identitymanager/home_connectors_v602.webp)
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Connector Resource Type Access Control](../accesscontrolrules/connectors/connectorresourcetypeaccesscontrol)
+
+Gives the rights to create and update resource types, generate provisioning orders and fulfill from the connector screen.
+- [Job View Access Control Rules](../templates/jobviewaccesscontrolrules)
+
+Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs.
+- [Resource Type Mapping Control Rules](../accesscontrolrules/jobs/resourcetypemappingcontrolrules)
+
+Generate rights to launch agent fulfillment.
+- [Role Administration Access Control Rules](../accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules)
+
+Generates the permissions to access the configuration pages and create, update, delete the elements of the role model.
+- [Run Job Repair Administration Access Control Rules](../accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules)
+
+Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or a synchronization for a given profile.
+- [Task Administration Access Control Rules](../accesscontrolrules/jobs/taskadministrationaccesscontrolrules)
+
+Generates all rights to have the access to job administration page.
+ + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile.md new file mode 100644 index 0000000000..695d465d0f --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile.md 
@@ -0,0 +1,196 @@
+---
+title: "CreateAdministratorProfile"
+description: "Creates the profile administrator and all default access control rules."
+sidebar_position: 2
+---
+
+This scaffolding creates the administrator profile with a predefined set of rights.
+
+To create the rights for this profile, a scaffolding list is launched inside the creation of the administrator profile.
+
+The scaffolding generates the following scaffoldings:
+
+- [Access Review Administration Access Control Rules](../accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules)
+
+Generates the permissions to administrate campaign creation.
+- [Assigned Roles Access Control Rules](../accesscontrolrules/rolemodels/assignedrolesaccesscontrolrules)
+
+Generates the permissions to access the assigned roles page for a given entity type and profile.
+- [Assign Profile Access Control Rules](../accesscontrolrules/profiles/assignprofileaccesscontrolrules)
+
+Gives to a given profile the rights to create, update, delete and query any assigned profile.
+- [Basket Rules Control Rules](../accesscontrolrules/rolemodels/basketrulescontrolrules)
+
+Generates the permissions to execute the different requests to display the information in the rights basket.
+- [Connector Resource Type Access Control](../accesscontrolrules/connectors/connectorresourcetypeaccesscontrol)
+
+Gives the rights to create and update resource types, generate provisioning orders and fulfill from the connector screen.
+- [Connectors Access Control Rules](../templates/connectorsaccesscontrolrules)
+
+Gives the permissions to manage the connector pages.
+- [Create Connectors Jobs](../jobs/createconnectorsjobs)
+
+Creates all jobs by connector to launched task in the connector page.
+- [Create Resource Incremental Access Control Rules](../accesscontrolrules/resources/createresourceincrementalaccesscontrolrules)
+
+Generates the access control rule which gives to a profile the permission to query the resources modified incrementally
+- [Job Execution Access Control Rules](../templates/jobexecutionaccesscontrolrules)
+
+Assigns a set of rights to a given profile to execute any job, and view all job instances, task instances and logs.
+- [Manage Accounts](../accesscontrolrules/userinterfaces/manageaccounts)
+
+
+- [Manage Setting Access Control Rule](../accesscontrolrules/queries/managesettingaccesscontrolrule)
+
+Generates the access control rule which gives to a profile the permission to query, create, update and delete settings from the UM_Settings table.
+- [Monitoring Administration Access Control Rules](../accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules)
+
+Generates the access control rule which gives to a profile the permission to query the monitoring screen.
+- [Perform Manual Provisioning Access Control Rules](../accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules)
+
+Generates the permissions to access the manual provisioning pages for a given entity type and profile.
+- [Profile Administration Access Control Rules](../accesscontrolrules/profiles/profileadministrationaccesscontrolrules)
+
+Gives to a given profile the rights to create, update and delete profiles.
+- [Provisioning Access Control Rules](../accesscontrolrules/jobs/provisioningaccesscontrolrules)
+
+Generates the execution rights for Provisioning and Fulfillment tasks for a given profile.
+- [Reconciliate Resources Access Control Rules](../accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules)
+
+Generates the permissions to access the resource reconciliation pages for a given entity type and profile.
+- [Reconciliate Roles Access Control Rules](../accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules)
+
+Generates the permissions to access the role reconciliation pages for a given entity type and profile.
+- [Redundant Assignment Access Control Rule](../accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule)
+
+Generates the permissions to access the **Redundant Assignment** page, to analyze and remove redundant assignments.
+- [Report Access Control Rules](../accesscontrolrules/queries/reportaccesscontrolrules)
+
+Generates the permissions to access the report view.
+- [Resource Api Administration](../accesscontrolrules/resources/resourceapiadministration)
+
+Generates the permissions to create/update/delete/query resources from a given entity type, for a given profile.
+- [Resource Picker Control Rules](../accesscontrolrules/resources/resourcepickercontrolrules)
+
+Creates the reading right of the resource picker.
+- [Resource Type Mapping Control Rules](../accesscontrolrules/jobs/resourcetypemappingcontrolrules)
+
+Generate rights to launch agent fulfillment.
+- [Review Provisioning Access Control Rules](../accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules)
+
+Generates the permissions to access the provisioning review pages for a given entity type and profile.
+- [Review Roles Access Control Rules](../accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules)
+
+Generates the permissions to access the role review pages for a given entity type and profile.
+- [Risks Administration Access Control Rules](../accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules)
+
+
+- [Role Administration Access Control Rules](../accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules)
+
+Generates the permissions to access the configuration pages and create, update, delete the elements of the role model.
+- [Role Naming Access Control Rules](../accesscontrolrules/rolemodels/rolenamingaccesscontrolrules)
+
+Generates the permissions to configure and launch the automatic creation of roles and rules based on naming conventions.
+- [Settings Access Control Rules](../accesscontrolrules/connectors/settingsaccesscontrolrules)
+
+Generates the permissions to configure the Workforce Core Solution module and connector settings.
+- [Simulation Access Control Rules](../templates/simulationaccesscontrolrules)
+
+Generates the permissions to configure and launch simulations.
+- [Synchronization Access Control Rules](../accesscontrolrules/jobs/synchronizationaccesscontrolrules)
+
+Generates rights to launch synchronization task.
+- [Task Administration Access Control Rules](../accesscontrolrules/jobs/taskadministrationaccesscontrolrules)
+
+Generates all rights to have the access to job administration page.
+- [Universe Access Control Rules](../accesscontrolrules/queries/universeaccesscontrolrules)
+
+Generates an access control rule which gives a profile the permission to access the query page and run queries.
+- [View History Resource Template](../accesscontrolrules/resources/viewhistoryresourcetemplate)
+
+Generates an access control rule giving to the specified profile the permission to browse the resources history of the specified entity type.
+- [Workflow Aspect](../accesscontrolrules/workflows/workflowaspect)
+
+
+- [Workflow Configuration Control Rules](../accesscontrolrules/workflows/workflowconfigurationcontrolrules)
+
+
+- [Workflow Fulfillment Control Rules](../accesscontrolrules/jobs/workflowfulfillmentcontrolrules)
+
+Generates the execution rights to launch Fulfillment workflow for a given profile.
+- [Workflow Overview Control Rules](../accesscontrolrules/workflows/workflowoverviewcontrolrules)
+
+Generates the permissions to access the workflow supervision page.
+ + +## Examples + + +```xml + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | + + + +## Child Elements +* [DisplayNameProfile](#displaynameprofile) (optional) defines a display name for the administrator profile for a given language. + +### DisplayNameProfile + + +|Property|Details| +|---|---| +| DisplayName required | **Type:** String **Description:** Display name of the profile in the related language. | +| Identifier required | **Type:** String **Description:** Code of the language for the display name. | + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate.md new file mode 100644 index 0000000000..e4adb7167b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate.md 
@@ -0,0 +1,70 @@ +--- +title: "CreateUpdateDeleteTemplate" +description: "Creates the three types of workflow for the given entity as well as the execution rights for the given profile." +sidebar_position: 3 +--- + +Creates the three types of workflow for the given entity as well as the execution rights for the given profile. + + +The scaffolding generates the following scaffoldings: + +- [Create Update Delete Access Control Rules](../accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules) + +Generates execution rights for the create, update, delete workflows. +- [Create Update Delete Menus](../entitytypes/workflows/createupdatedeletemenus) + +Creates creation, update and delete menus for an entity. +- [Create Update Delete Workflows](../entitytypes/workflows/createupdatedeleteworkflows) + + +- [Entity Type Display Name](../entitytypes/entitytypes/entitytypedisplayname) + +Computes a default value for resources' internal display names. +- [Entity Type Display Table](../entitytypes/entitytypes/entitytypedisplaytable) + +Creates a display table for the given entity. +- [Entity Type Search Bar](../entitytypes/entitytypes/entitytypesearchbar) + +Creates the search bar for the entity without criteria. +- [View Access Control Rules](../accesscontrolrules/resources/viewaccesscontrolrules) + +Generates the permissions to view an entity type's resources. +- [Workflow Entity Type](../entitytypes/workflows/workflowentitytype) + +Creates an entity that will be the source of all workflows that manipulate the given entity. + + +## Examples + + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type:** String **Description:** Identifier of the property involved in the scaffolding. 
| + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault.md new file mode 100644 index 0000000000..5a51916dc6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault.md @@ -0,0 +1,30 @@ +--- +title: "EntityReportDefault" +description: "Creates all configuration items to add a ReportQuery for an EntityType and profile." +sidebar_position: 4 +--- + +Creates all configuration items to add a ReportQuery for an EntityType and profile. + +The scaffolding generates the following scaffoldings: + +- [Report Access Control Rules](../accesscontrolrules/queries/reportaccesscontrolrules) + +Generates the permissions to access the report view. +- [Target Resource Report](../queries/targetresourcereport) + +Creates a ReportQuery with default Query taking all the properties of the entity. +- [Target Resource Report Access Control Rules](../accesscontrolrules/queries/targetresourcereportaccesscontrolrules) + +Generates the permissions to apply a report for a profile on a given entity. +- [Target Resource Report Menus](../entitytypes/entitytypes/targetresourcereportmenus) + +Creates the Item menu for the entity's report so that it is displayed in the report view. + +## Properties + +|Property|Details| +|---|---| +| EntityType required | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md
new file mode 100644
index 0000000000..bd76fe3c2e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md
@@ -0,0 +1,43 @@
+---
+title: "Templates"
+description: "Templates"
+sidebar_position: 10
+---
+
+# Templates
+- [ConnectorsAccessControlRules](./connectorsaccesscontrolrules)
+
+Gives the permissions to manage the connector pages.
+- [CreateAdministratorProfile](./createadministratorprofile)
+
+Creates the profile administrator and all default access control rules.
+- [CreateUpdateDeleteTemplate](./createupdatedeletetemplate)
+
+Creates the three types of workflow for the given entity as well as the execution rights for the given profile.
+- [EntityReportDefault](./entityreportdefault)
+
+Creates all configuration items to add a ReportQuery for an EntityType and profile.
+- [JobExecutionAccessControlRules](./jobexecutionaccesscontrolrules)
+
+Assigns a set of rights to a given profile to execute any job, and view all job instances, task instances and logs.
+- [JobViewAccessControlRules](./jobviewaccesscontrolrules)
+
+Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs.
+- [SimulationAccessControlRules](./simulationaccesscontrolrules)
+
+Generates the permissions to configure and launch simulations.
+- [UpdateResourcesTemplate](./updateresourcestemplate)
+
+
+- [ViewSourceResourceTemplate](./viewsourceresourcetemplate)
+
+Creates the display table, fills in the internal display name of the entity, and gives the rights to see the permissions and sources of the entity for a given profile.
+- [ViewTargetResourceTemplate](./viewtargetresourcetemplate)
+
+Creates the entity view (designElement = resourceTable), the report and the rights for a given profile.
+- [ViewTemplate](./viewtemplate)
+
+Creates the view for the given entity as well as the rights for the given profile.
+- [ViewTemplateAdaptable](./viewtemplateadaptable)
+
+Implements a default display name for the resources of a given entity type, displays the resources in an adaptable table, and give the permissions to view the resources.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules.md
new file mode 100644
index 0000000000..d5f6c53694
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules.md
@@ -0,0 +1,55 @@
+---
+title: "JobExecutionAccessControlRules"
+description: "Assigns a set of rights to a given profile to execute any job, and view all job instances, task instances and logs."
+sidebar_position: 5
+---
+
+This scaffolding assigns a set of rights to a given profile to execute any job, and view all job instances, task instances and logs.
+
+The scaffolding generates the following scaffoldings:
+
+- [Job View Access Control Rules](../templates/jobviewaccesscontrolrules)
+
+Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs.
+- [Run Job Administration Access Control Rules](../accesscontrolrules/jobs/runjobadministrationaccesscontrolrules)
+
+Generates the permissions to launch jobs from UI for a given profile.
+- [Run Job Notification Access Control Rules](../accesscontrolrules/jobs/runjobnotificationaccesscontrolrules)
+
+Generates access control to send notification when job finish with an error state.
+- [Run Job Repair Administration Access Control Rules](../accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules)
+
+Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or a synchronization for a given profile.
+- [Run Job Repair Notification Access Control Rules](../accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules)
+
+Generates access control to send notification when a relaunch job finish with an error state.
+
+
+## Examples
+The following example assigns to the `Administrator` profile the rights to execute all jobs and view job instances, task instances and logs:
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules.md
new file mode 100644
index 0000000000..b70e6ee5c6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules.md
@@ -0,0 +1,63 @@ +--- +title: "JobViewAccessControlRules" +description: "Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs." +sidebar_position: 6 +--- + +Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. +This Scaffolding performs a set of scaffolding rights for Jobs and Tasks. + +The scaffolding generates the following scaffoldings: + +- [Get Job Log Administration Access Control Rules](../accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules) + +Generates the permissions to read task and job instances logs in UI for a given profile. +- [Job Administration Access Control Rules](../accesscontrolrules/jobs/jobadministrationaccesscontrolrules) + +Scaffolding to access the job administration page. +- [Pending Assigned Resource Types Access Control Rules](../accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules) + +Generates the access control rules which give to a profile the permissions to call the API Pending AssignedResourceTypes. +- [Resource Changes View Access Control Rules](../accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules) + +Generates the access control rules which gives to a profile the permissions to call the API ResourceChange, ResourceFileChange and ResourceLinkChange. + +## Properties + +|Property|Details| +|---|---| +| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. | + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules.md new file mode 100644 index 0000000000..2a720c6894 
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules.md
@@ -0,0 +1,45 @@
+---
+title: "SimulationAccessControlRules"
+description: "Generates the permissions to configure and launch simulations."
+sidebar_position: 7
+---
+
+This scaffolding generates the rights to configure and launch simulations.
+
+It also gives access to a shortcut on the dashboard allowing to enter the simulation screen. Through this screen, simulations can be launched and results can be visualized.
+
+The scaffolding generates the following scaffoldings:
+
+- [Policy Simulation Control Rules](../accesscontrolrules/simulations/policysimulationcontrolrules)
+
+
+- [Role And Simulation Control Rules](../accesscontrolrules/simulations/roleandsimulationcontrolrules)
+
+
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Profile required | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate.md
new file mode 100644
index 0000000000..ae060c6948
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate.md
@@ -0,0 +1,66 @@
+---
+title: "UpdateResourcesTemplate"
+description: " "
+sidebar_position: 8
+---
+
+
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Entity Type Display Name](../entitytypes/entitytypes/entitytypedisplayname)
+
+Computes a default value for resources' internal display names.
+- [Entity Type Display Table](../entitytypes/entitytypes/entitytypedisplaytable)
+
+Creates a display table for the given entity.
+- [Update Resources Access Control Rules](../accesscontrolrules/workflows/updateresourcesaccesscontrolrules)
+
+
+- [Update Resources Menus](../entitytypes/workflows/updateresourcesmenus)
+
+
+- [Update Resources Workflows](../entitytypes/workflows/updateresourcesworkflows)
+
+
+- [View Access Control Rules](../accesscontrolrules/resources/viewaccesscontrolrules)
+
+Generates the permissions to view an entity type's resources.
+- [Workflow Entity Type](../entitytypes/workflows/workflowentitytype)
+
+Creates an entity that will be the source of all workflows that manipulate the given entity.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+| Property optional | **Type:** String **Description:** Identifier of the property involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate.md
new file mode 100644
index 0000000000..31f4b1b953
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate.md
@@ -0,0 +1,17 @@
+---
+title: "ViewSourceResourceTemplate"
+description: "Creates the display table, fills in the internal display name of the entity, and gives the rights to see the permissions and sources of the entity for a given profile."
+sidebar_position: 9
+---
+
+Creates the display table, fills in the internal display name of the entity, and gives the rights to see the permissions and sources of the entity for a given profile.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+| Property optional | **Type:** String **Description:** Identifier of the property involved in the scaffolding. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate.md
new file mode 100644
index 0000000000..f4d1b88cc9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate.md
@@ -0,0 +1,62 @@
+---
+title: "ViewTargetResourceTemplate"
+description: "Creates the entity view (designElement = resourceTable), the report and the rights for a given profile."
+sidebar_position: 10
+---
+
+Creates the entity view (designElement = resourceTable), the report and the rights for a given profile.
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Entity Type Display Name](../entitytypes/entitytypes/entitytypedisplayname)
+
+Computes a default value for resources' internal display names.
+- [Entity Type Display Target Resource Table](../entitytypes/entitytypes/entitytypedisplaytargetresourcetable)
+
+Creates a displaytable for the given entity.
+- [Target Resource Report](../queries/targetresourcereport)
+
+Creates a ReportQuery with default Query taking all the properties of the entity.
+- [Target Resource Report Access Control Rules](../accesscontrolrules/queries/targetresourcereportaccesscontrolrules)
+
+Generates the permissions to apply a report for a profile on a given entity.
+- [Target Resource Report Menus](../entitytypes/entitytypes/targetresourcereportmenus)
+
+Creates the Item menu for the entity's report so that it is displayed in the report view.
+- [View Access Control Rules](../accesscontrolrules/resources/viewaccesscontrolrules)
+
+Generates the permissions to view an entity type's resources.
+
+
+## Examples
+
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+| Property optional | **Type:** String **Description:** Identifier of the property involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate.md
new file mode 100644
index 0000000000..62c70a79f0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate.md
@@ -0,0 +1,50 @@
+---
+title: "ViewTemplate"
+description: "Creates the view for the given entity as well as the rights for the given profile."
+sidebar_position: 11
+---
+
+Creates the view for the given entity as well as the rights for the given profile.
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Entity Type Display Name](../entitytypes/entitytypes/entitytypedisplayname)
+
+Computes a default value for resources' internal display names.
+- [Entity Type Display Table](../entitytypes/entitytypes/entitytypedisplaytable)
+
+Creates a display table for the given entity.
+- [View Access Control Rules](../accesscontrolrules/resources/viewaccesscontrolrules)
+
+Generates the permissions to view an entity type's resources.
+
+
+## Examples
+The following example implements a default display name for resources from the `Directory_PresenceState` entity type, displays the resources in a table, and gives to the `Administrator` profile the permissions to view the resources.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+| Property optional | **Type:** String **Description:** Identifier of the property involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable.md
new file mode 100644
index 0000000000..3befa07d3b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable.md
@@ -0,0 +1,49 @@
+---
+title: "ViewTemplateAdaptable"
+description: "Implements a default display name for the resources of a given entity type, displays the resources in an adaptable table, and give the permissions to view the resources."
+sidebar_position: 12
+---
+
+Implements a default display name for the resources of a given entity type, displays the resources in an adaptable table, and give the permissions to view the resources.
+
+
+The scaffolding generates the following scaffoldings:
+
+- [Entity Type Display Name](../entitytypes/entitytypes/entitytypedisplayname)
+
+Computes a default value for resources' internal display names.
+- [Entity Type Display Table Adaptable](../entitytypes/entitytypes/entitytypedisplaytableadaptable)
+
+Creates an adaptable display table for a given entity type.
+- [View Access Control Rules](../accesscontrolrules/resources/viewaccesscontrolrules)
+
+Generates the permissions to view an entity type's resources.
+
+
+## Examples
+The following example implements a default display name for resources from the `Directory_PresenceState` entity type, displays the resources in an adaptable table, and gives to the `Administrator` profile the permissions to view the resources.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType optional | **Type:** String **Description:** Identifier of the entity type involved in the scaffolding. |
+| Profile optional | **Type:** String **Description:** Identifier of the profile involved in the scaffolding. |
+| Property optional | **Type:** String **Description:** Identifier of the property involved in the scaffolding. |
+
+
+
+## Generated XML
+
+Our example generates the following configuration:
+
+```xml
+
+
+
+```
\ No newline at end of file
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule.md
new file mode 100644
index 0000000000..3b7fb88da6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule.md
@@ -0,0 +1,8 @@
+---
+title: "BootstrapModule"
+description: "Generates the default settings required to start using Usercube and the Workforce Core Solution module."
+sidebar_position: 1
+---
+
+Generates the default settings required to start using Usercube and the Workforce Core Solution module.
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md
new file mode 100644
index 0000000000..e17c730288
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md
@@ -0,0 +1,16 @@
+---
+title: "Workforce"
+description: "Workforce"
+sidebar_position: 10
+---
+
+# Workforce
+- [BootstrapModule](./bootstrapmodule)
+
+Generates the default settings required to start using Usercube and the Workforce Core Solution module.
+- [ProfileModule](./profilemodule)
+
+Generates access control rules by aggregating composite profiles.
+- [WorkforceModule](./workforcemodule)
+
+Generates the workforce repository based on the data filled in the Workforce Core Solution module.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/profilemodule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/profilemodule.md
new file mode 100644
index 0000000000..9321d259ce
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/profilemodule.md
@@ -0,0 +1,24 @@
+---
+title: "ProfileModule"
+description: "Generates access control rules by aggregating composite profiles."
+sidebar_position: 2
+---
+
+Generates access control rules by aggregating composite profiles.
+
+
+
+## Child Elements
+* [CompositeProfile](#compositeprofile) (optional) Defines the users profiles.
+
+### CompositeProfile
+
+
+|Property|Details|
+|---|---|
+| ProfileIdentifier required | **Type:** String **Description:** Generic column used to store information for internal use. |
+| TargetProfile required | **Type:** String **Description:** Generic column used to store information for internal use. |
+| AreaOfResponsibility optional | **Type:** String **Description:** Represents the argument value. |
+| ProfileDisplayName optional | **Type:** String **Description:** Generic column used to store information for internal use. |
+
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule.md
new file mode 100644
index 0000000000..5278944965
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule.md
@@ -0,0 +1,6378 @@ +--- +title: "WorkforceModule" +description: "Generates the workforce repository based on the data filled in the Workforce Core Solution module." +sidebar_position: 3 +--- + +Generates the workforce repository based on the data filled in the Workforce Core Solution module. + + + +## Examples +The following example generates the **Workforce** module in the application: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| IsEnabled default value: true | **Type:** Boolean **Description:** `true` to enable the Worforce module. If set to false, Identity Manager deletes all existing items computed by the Workforce Core Solution module. | + + + +## Child Elements +* [CompositeProfile](#compositeprofile) (optional) Defines the users profiles. +* [EmailGeneration](#emailgeneration) (optional) Defines the email generation policy. +* [HomonymEntityLinkOptions](#homonymentitylinkoptions) (optional) Updates/Modifies the HomonymEntityLink of the Directory_UserRecord entity of the workforce configuration. +* [LoginGeneration](#logingeneration) (optional) Defines the login generation policy. +* [ModelUsage](#modelusage) (optional) Defines the entity types/properties that must be ignored from the model and customize the pickers for the kept ones. +* [NewExternalWorkflow](#newexternalworkflow) (optional) Enable/disable the review step for the new internal workflow. +* [NewInternalWorkflow](#newinternalworkflow) (optional) Enable/disable the review step for the new internal workflow. +* [UniqueIdentifierGeneration](#uniqueidentifiergeneration) (optional) Defines the unique identifier generation policy. 
+
+### CompositeProfile
+
+
+|Property|Details|
+|---|---|
+| ProfileIdentifier required | **Type:** String **Description:** Generic column used to store information for internal use. |
+| TargetProfile required | **Type:** String **Description:** Generic column used to store information for internal use. |
+| AreaOfResponsibility optional | **Type:** String **Description:** Represents the argument value. |
+| ProfileDisplayName optional | **Type:** String **Description:** Generic column used to store information for internal use. |
+
+
+
+### EmailGeneration
+
+
+|Property|Details|
+|---|---|
+| Strategy required | **Type:** String **Description:** Represents the argument value. |
+| Domain optional | **Type:** String **Description:** Generic column used to store information for internal use. |
+| NameSeparator optional | **Type:** String **Description:** Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). |
+
+
+
+### HomonymEntityLinkOptions
+
+
+|Property|Details|
+|---|---|
+| ActivatePhoneticComparison default value: false | **Type:** Boolean **Description:** Adds 3 filters in the HomonymEntityLink comparing the first and last names (current workflow) to the phonetic properties corresponding to the first and last names (existing records). |
+| DisableBirthNameComparison default value: false | **Type:** Boolean **Description:** Deletes the filter in the HomonymEntityLink comparing the last name (current workflow) with the birth name (existing records). |
+| DisableInversion default value: false | **Type:** Boolean **Description:** Deletes the filters in the HomonymEntityLink comparing the first name (current workflow) with the last name (existing records) and the last name (current workflow) with the first name (existing records). |
+
+
+
+### LoginGeneration
+
+
+|Property|Details|
+|---|---|
+| Strategy required | **Type:** String **Description:** Represents the argument value. |
+| MaxLength optional | **Type:** Int32 **Description:** Generic column used to store information for internal use. |
+| Prefix optional | **Type:** String **Description:** Generic column used to store information for internal use. |
+
+
+
+### ModelUsage
+
+
+|Property|Details|
+|---|---|
+| Binding required | **Type:** String **Description:** Generic column used to store information for internal use. |
+| Count optional | **Type:** Int32 **Description:** Generic column used to store information for internal use. |
+| ForcedCount optional | **Type:** Int32 **Description:** Number of entries for a given entity or entity's property in the workforce data model. The `ForcedCount` value overwrites the count computed by Identity Manager. |
+
+
+
+### NewExternalWorkflow
+
+
+|Property|Details|
+|---|---|
+| IsReviewRequired default value: false | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. |
+
+
+
+### NewInternalWorkflow
+
+
+|Property|Details|
+|---|---|
+| IsReviewRequired default value: true | **Type:** Boolean **Description:** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. |
+
+
+
+### UniqueIdentifierGeneration
+
+
+|Property|Details|
+|---|---|
+| Strategy required | **Type:** String **Description:** Represents the argument value. |
+| Max optional | **Type:** Int32 **Description:** Upper limit of the range used for the generation of unique identifiers. |
+| Min optional | **Type:** Int32 **Description:** Lower limit of the range used for the generation of unique identifiers. |
+| NameSeparator optional | **Type:** String **Description:** Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). |
+| Prefix optional | **Type:** String **Description:** Prefix used for the generation of unique identifiers.
| + + + + +## Generated XML + +Our example generates the following configuration: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + +
+ + +
+ + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + +
+ + + + +
+ + + + + + + + + + + +
+ + +
+ + + + + + + + + + + + + + + + + +
+ + +
+ + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + +
+ + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/agent.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/agent.md new file mode 100644 index 0000000000..7ce32829a0 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/agent.md 
@@ -0,0 +1,16 @@
+---
+title: "Agent"
+description: ""
+sidebar_position: 1
+---
+
+Contains all the running agents.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the agent in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Agent Identifier. |
+| State default value: 0 | **Type:** Int32 **Description:** Agent Status ("Unknown"=0, "Online"=1 and "Offline"=2). |
+| URI optional | **Type:** String **Description:** Agent URI. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connection.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connection.md
new file mode 100644
index 0000000000..5636ef8a9e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connection.md
@@ -0,0 +1,127 @@
+---
+title: "Connection"
+description: ""
+sidebar_position: 2
+---
+
+A connection represents a link between a [connector](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector) and a connection package.
+
+
+## Examples
+The following example creates a connection for the previously created connector `AD`, using the package `Usercube.AD@0000001` with only the export task and not the fulfill task.
+
+```xml
+
+```
+
+We will need to configure the connection settings in the `appsettings.agent.json` file, by adding a `ADExportFulfillment` part in the `Connections` section, for example:
+
+```
+appsettings.agent.json
+{
+ ...
+ "Connections": {
+ ...
+ "ADExportFulfillment": {
+ "Servers": [
+ {
+ "Server": "contoso.server.com",
+ "BaseDN": "DC=contoso,DC=com"
+ }
+ ],
+ "AuthType": "Basic",
+ "Login": "Contoso",
+ "Password": "ContOso$123456789",
+ "Filter": "(objectclass=*)",
+ "EnableSSL": "true"
+ },
+ ...
+ }
+}
+```
+
+Details about these settings can be found in Identity Manager's [connector references](/docs/identitymanager/current/integration-guide/connectors/references-connectors).
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connector required | **Type:** Int64 **Description:** Identifier of the linked connector. **Note:** a connection can be used by one and only one connector. |
+| DeactivationExportFulfill default value: 0 | **Type:** DeactivationExportFulfill **Description:** For a connection having a package which implements both export and fulfill, this option can deactivate either the export or the fulfill part. `0` - **None**: keeps both parts. `1` - **Export**: deactivates export. `2` - **Fulfill**: deactivates fulfill. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the connection in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the connection. It must start with a letter followed by up to 441 characters, chosen from the following set: point, dash, letter, or number. **Warning:** identifiers are case insensitive, for example the identifiers `adexport` and `ADEXPORT` cannot exist simultaneously. |
+| Package required | **Type:** Enumeration **Description:** Identifier of the linked connection package which defines the connection's capabilities and technologies to export and/or fulfill data. |
+
+## Child Element: Transformation
+A connection transformation is optional, but can be needed to adjust the Excel files, output of [export tasks](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask) from Excel export connections, before [prepare-synchronization tasks](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask). The following operations are possible:
+* filtering out given rows;
+* adding/removing days from specific date properties;
+* merging columns together.
+
+
+### Examples
+#### Edit dates
+
+The following example sets all users' end dates to the end of the day instead of the morning. This way, the end dates of users' permissions will be managed more easily.
+
+Technically speaking, Identity Manager implements a sort of extra-task between the export and prepare-synchronization tasks of HR synchronization. The CSV files produced by the export task of the connection `Directory` are to be transformed: Identity Manager will add 1 day to all dates between 1900 and 2100, contained in the `ContractEndDate`, `PositionEndDate` and `EndDate` columns of the `Directory_UserRecord` table.
+
+:::info
+This date edition goes the other way around when loading data back to your systems: if Identity Manager adds a few days when synchronizing, then it removes the same few days when using the synchronized data.
+:::
+
+```xml
+
+
+
+
+
+```
+
+#### Filter out rows
+
+The following example filters the CSV files produced by the export of the `Directory` connection, in order to keep only German sites, i.e. the rows where `Identifier` starts with `DE_`.
+
+```xml
+
+
+
+```
+
+#### Merge columns together
+
+Consider the situation where users' organizations are defined in 4 levels.
+
+The following example merges the `Company`, `Subsidiary`, `Department` and `Team` columns of the `Directory_UserRecord` table, output of the export of the `Directory` connection, in order to concatenate the 4 properties into a single `FullOrganization` property.
+
+Setting `RemoveEmpty` to `true` means that rather than having an organization such as `Contoso//HR/Payroll`, we will have `Contoso/HR/Payroll`.
+
+Setting `RemoveDuplicates` to `true` means that rather than having an organization such as `Contoso/Contoso/HR/Payroll`, we will have `Contoso/HR/Payroll`.
+
+```xml
+
+
+
+```
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| AddedDays optional | **Type:** Float **Description:** Number of days to add to the date column to be transformed, specified in `Column`, when the transformation type is `TransformDate`. The value can be negative, for example `-0.5` removes 12 hours from the date. |
+| Column optional | **Type:** String **Description:** Column (case-sensitive) used as input of the filtering and the date editing transformations, and as output of the merging transformation. When defining an output, `Column` can be an existing column or a column to be created. |
+| ConcatSeparator optional | **Type:** String **Description:** Separator used between the concatenated values, when the transformation type is `ConcatColumns`. |
+| DatePattern optional | **Type:** String **Description:** Format of the transformed dates to be stored when the original object is not a date, when the transformation type is `TransformDate`. **Note:** for example we could need this property when using CSV files which store everything as strings, including dates. |
+| InputColumn optional | **Type:** String **Description:** Column (case-sensitive) used as input when the transformation type is `TransformDate`, and as part of the input when the transformation type is `ConcatColumns`. **Note:** required for `ConcatColumns`. **Note:** when not specified for `TransformDate`, `Column` is used as input. |
+| InputColumn2 optional | **Type:** String **Description:** Second (up to fifth) input column (case-sensitive) when the transformation type is `ConcatColumns`. |
+| MaxYear optional | **Type:** Int32 **Description:** Year after which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. |
+| MinYear optional | **Type:** Int32 **Description:** Year before which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. |
+| RemoveDuplicates optional | **Type:** Boolean **Description:** `true` to keep only one of two identical and successive values, when the transformation type is `ConcatColumns`. |
+| RemoveEmpty optional | **Type:** Boolean **Description:** `true` to ignore empty values, when the transformation type is `ConcatColumns`. |
+| SortValues optional | **Type:** Boolean **Description:** `true` to sort the concatenated values by alphabetical order, when the transformation type is `ConcatColumns`. **Note:** concatenated values are sorted after duplicates are removed, when relevant. |
+| Table optional | **Type:** String **Description:** Table on which the transformation is to be applied. **Note:** must be of the format `_` (case-sensitive). |
+| Type required | **Type:** ConnectionTransformationType **Description:** Type of the transformation: **ConcatColumns**: concatenates `InputColumn` columns into `Column` with a separator defined in `ConcatSeparator`, potentially with additional transformation options among `RemoveDuplicates`, `RemoveEmpty`, `SortValues`. **TransformDate**: adds or removes a given number of days defined in `AddedDays` to/from the date stored in `InputColumn` or `Column`, only for dates between `MinYear` and `MaxYear`, in order to be stored in `Column` in the format defined by `DatePattern`. **WhereValue**: filters the rows based on a comparison with the `WhereOperator` and `WhereValue` arguments. |
+| WhereOperator optional | **Type:** ConnectionTransformationWhereValueOperator **Description:** Operator of the comparison that filters out rows from the CSV file(s), when the transformation type is `WhereValue`: `Equals`; `NotEquals`; `Contains`; `CotContains`; `StartsWith`; `EndsWith`; `Regex`. |
+| WhereValue optional | **Type:** String **Description:** Value (case-sensitive) that the content of `Column` will be compared to, when the transformation type is `WhereValue`. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connectiontable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connectiontable.md
new file mode 100644
index 0000000000..b6bd21ec6f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connectiontable.md
@@ -0,0 +1,33 @@
+---
+title: "ConnectionTable"
+description: ""
+sidebar_position: 3
+---
+
+A ConnectionTable, linked to its ConnectionColumns, represents a potential Export output.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connection required | **Type:** Int64 **Description:** The Id of the Connection having the ConnectionTable. |
+| DisplayName optional | **Type:** String **Description:** The name displayed for the ConnectionTable. |
+| Identifier required | **Type:** String **Description:** The identifier of the ConnectionTable. |
+| Path optional | **Type:** String **Description:** Path to the schema of the ConnectionTable. |
+
+## Child Element: Column
+Connection columns correspond to the attributes existing in a specific external system and retrieved through its schema. They are linked to a connection table which can hold several connection columns.
+Connection columns provide an assistance to the input of properties in entity types to ensure that the attribute names are valid.
+
+### Properties
+
+|Property|Details|
+|---|---|
+| DisplayName optional | **Type:** String **Description:** Name displayed for the column. |
+| ForeignColumn optional | **Type:** Int64 **Description:** Defines the id of the foreign key if provided by the system. |
+| Identifier required | **Type:** String **Description:** Identifier of the column. |
+| IsMultivalued default value: false | **Type:** Boolean **Description:** Defines if the attribute is multi-valued. |
+| KeyType default value: 0 | **Type:** ConnectionColumnKeyType **Description:** Defines the key type of the column. - 0: not a key - 1: primary key - 2: unique key |
+| Path optional | **Type:** String **Description:** Allows to regroup columns based on a criteria. For example, for an LDAP system, the path is the value of the attribute objectClass. |
+| ValueLength default value: 0 | **Type:** Int32 **Description:** Maximum length of the attribute value. |
+| ValueType default value: 0 | **Type:** ConnectionColumnValueType **Description:** Defines the format of the attribute value. - 0: String - 1: Bytes - 2: Int32 - 3: Int64 - 4: DateTime - 5: Bool - 6: Guid - 7: Double - 8: Binary - 9: Byte - 10: Int16 |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connector.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connector.md
new file mode 100644
index 0000000000..3daa3144a1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/connector.md
@@ -0,0 +1,122 @@ +--- +title: "Connector" +description: "" +sidebar_position: 4 +--- + +Connectors provide the means by which Identity Manager communicates with managed platforms, applications and systems. They describe how the data from these systems are mapped to the [entity model](/docs/identitymanager/current/integration-guide/entity-model). + +A connector in most case represents an application model. It is composed of entities and associations. + +> For example we can define an HR connector, with the following entities: Person, Department, Function, Location, etc. and with the following associations: Person-Department, Person-Site, Person-Manager(Person), etc. + +A connector is used to synchronize each of its entities and associations in Identity Manager's physical model. A connector is defined with: +* [entity types](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype); +* [entity associations](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entityassociation); +* [entity type mappings](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) and [entity association mappings](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) to link the entity types and associations to the corresponding files and columns containing the exported data from the managed system. + + +## Examples +The following example creates a `HR` connector on the agent called `Local` previously declared by [an `` element](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/agent). 
+ +We create the right [connections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connection) to use the connector as a [CSV connector](/docs/identitymanager/current/integration-guide/connectors/references-connectors/csv) aiming to export HR CSV files into new CSV files in Identity Manager's format. + +The [entity types](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype) model the resources as `HR_Person` or `HR_Organization`, defining properties. + +The [entity type mappings](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) link the entity types to the source files. + +The [entity association](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entityassociation) creates a link between the two entity types. + +The [entity association mapping](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) links the association to the source files. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent optional | **Type:** Int64 **Description:** Identifier of the agent where the connector's tasks are launched. | +| CompleteJob default value: 0 | **Type:** JobIntegrationRule **Description:** Indicates how the connector should be used in the complete job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the complete job, setting that connector to `Used` for the complete job will not activate it. 
You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| DisplayName_L1 required | **Type:** String **Description:** Connector DisplayName. | +| Identifier required | **Type:** String **Description:** Connector Identifier. | +| IncrementalJob default value: 0 | **Type:** JobIntegrationRule **Description:** Indicates how the connector should be used in the incremental job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the incremental job, setting that connector to `Used` for the incremental job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| IsDeactivated default value: false | **Type:** Boolean **Description:** Indicates that the export and the provisioning are deactivated for this connector. | +| MaximumDeletedLines default value: 100 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the connector when running the synchronization job. | +| MaximumInsertedLines default value: 100 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the connector when running the synchronization job. | +| MaximumLinkDeletedLines default value: 1000 | **Type:** Int32 **Description:** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the connector when running the synchronization job. | +| MaximumLinkInsertedLines default value: 1000 | **Type:** Int32 **Description:** Inserted association links threshold. 
Sets the maximum number of navigation properties that can be added into the connector when running the synchronization job. | +| MaximumUpdatedLines default value: 100 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the connector when running the synchronization job. | +| MaxLinkPercentageDeletedLines default value: 5 | **Type:** Int32 **Description:** Deleted association links threshold in percent. | +| MaxLinkPercentageInsertedLines default value: 5 | **Type:** Int32 **Description:** Inserted association links threshold in percent. | +| MaxPercentageDeletedLines default value: 5 | **Type:** Int32 **Description:** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 5 | **Type:** Int32 **Description:** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 5 | **Type:** Int32 **Description:** Updated lines threshold in percent. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md new file mode 100644 index 0000000000..67d882f8c7 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md 
@@ -0,0 +1,25 @@
+---
+title: "EntityAssociationMapping"
+description: ""
+sidebar_position: 5
+---
+
+Contains all the [Entity Association](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entityassociation) that can be materialized in the Identity Manager physical model.
+An association mapping can be established between two properties of the same entity type mapping or between two properties of different entity type mappings having the same connector.
+See [Connector](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector) to see how to configure an EntityAssociationMapping.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| C0 optional | **Type:** String **Description:** In a ServiceNow connector, generic column used during provisioning to map the property to be provisioned (target property from the entity association mapping). This column stores the name of the table in ServiceNow in which the property exists. |
+| Column1 required | **Type:** String **Description:** The column of EntityPropertyMapping1 in the association data source. |
+| Column2 required | **Type:** String **Description:** The column of EntityPropertyMapping2 in the association data source. |
+| ConnectionTable optional | **Type:** String **Description:** Association data source containing Column1 and Column2. Example: ConnectionTable="datasource" |
+| Connector required | **Type:** Int64 **Description:** Id of the connector to which it is linked. |
+| EntityPropertyMapping1 required | **Type:** Int64 **Description:** The ID of mapping of the property use to establish the association. The property must be a unique key. |
+| EntityPropertyMapping2 required | **Type:** Int64 **Description:** The ID of mapping of the property use to establish the association. The property must be a unique key. |
+| MaximumDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the entity type when running the synchronization job. |
+| MaximumInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the entity type when running the synchronization job. |
+| MaxPercentageDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted association links threshold in percent. |
+| MaxPercentageInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted association links threshold in percent. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md
new file mode 100644
index 0000000000..44cc25b1c9
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md
@@ -0,0 +1,39 @@
+---
+title: "EntityTypeMapping"
+description: ""
+sidebar_position: 6
+---
+
+An entity type mapping links a given [entity type](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype)'s properties with the source columns of the corresponding managed system. The entity type mapping specifies the related [connector](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector) and the path to the CSV source file which contains, or will contain, the data exported from the managed system. Each of its [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping#child-element-property) will define the corresponding source column and specific options.
+
+:::info
+An entity type mapping shares the same identifier as its related entity type.
+:::
+
+[See the example of a whole connector containing an entity type mapping](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector).
+
+## Properties
+
+|Property|Details|
+|---|---|
+| C0 optional | **Type:** String **Description:** In a Microsoft Entra ID connector (formerly Azure Active Directory), generic column used to map the entities to be exported. By default, Identity Manager exports: `user`; `group`; `directoryRole`; `servicePrincipal`. |
+| ConnectionTable optional | **Type:** String **Description:** Name of the CSV file which contains, or will contain, the exported data from the corresponding entity type. |
+| Connector optional | **Type:** Int64 **Description:** Identifier of the related connector. |
+| MaximumDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the entity type when running the synchronization job. |
+| MaximumInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the entity type when running the synchronization job. |
+| MaximumUpdatedLines default value: 0 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the entity type when running the synchronization job. |
+| MaxPercentageDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted lines threshold in percent. |
+| MaxPercentageInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted lines threshold in percent. |
+| MaxPercentageUpdatedLines default value: 0 | **Type:** Int32 **Description:** Updated lines threshold in percent. |
+
+## Child Element: Property
+Contains all the [entity properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype#child-element-property) of an [entity type](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype) that can be synchronized into Identity Manager physical model. Each mapping share the same id as its corresponding property in the entity type.
+
+### Properties
+
+|Property|Details|
+|---|---|
+| ConnectionColumn optional | **Type:** String **Description:** Specifies the corresponding column in the entity type data source. |
+| Format optional | **Type:** String **Description:** The format of the attribute in the external system. Ex: 1601date for LDAP Date. |
+| IsPrimaryKey default value: false | **Type:** Boolean **Description:** `true` if the property is designated to be the unique and immutable key that uniquely identifies any resource from the entity type, during synchronization. Each entity type mapping must have a primary key. It prevents duplicates and null resources. |
+| IsUniqueKey default value: false | **Type:** Boolean **Description:** `true` if the property is designated to be one of the unique keys that uniquely identify any resource from the entity type in an association/navigation, during synchronization. Each entity type mapping can have up to three unique keys, in addition to the mapping key that already acts as such. **Note:** AD synchronization requires the `dn` property to have either `IsUniqueKey` or `EntityType` > `Property` > `IsKey` set to `true` (key property in the UI). |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/index.md
new file mode 100644
index 0000000000..296892183e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/index.md
@@ -0,0 +1,15 @@
+---
+title: "Connectors"
+description: "Connectors"
+sidebar_position: 10
+---
+
+# Connectors
+- [Agent](agent)
+- [Connection](connection)
+- [Connectiontable](connectiontable)
+- [Connector](connector)
+- [Entityassociationmapping](entityassociationmapping)
+- [Entitytypemapping](entitytypemapping)
+- [Passwordresetsettings](passwordresetsettings)
+- [Resourcetypemappings](resourcetypemappings)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings.md
new file mode 100644
index 0000000000..29490a23d7
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings.md
@@ -0,0 +1,70 @@ +--- +title: "PasswordResetSettings" +description: "" +sidebar_position: 7 +--- + +This set of password reset settings contains the configuration to perform password reset operations such as change, reset, etc. + + +## Examples +The following example declares a password reset settings. +```xml + +``` + +### Password length and counts + +The following example makes Identity Manager generate a password with at least 12 characters in total, at least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +```xml + +``` + +:::note +As the total of all counts (16) is greater than the length (12), the password length will be the count total (16). +::: + +The following example makes Identity Manager generate a password with at least 12 characters in total, at least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +```xml + +``` + +:::note +As the total of all counts (4) is lower than the length (8), the password will be generated with 8 characters, among them 1 lowercase character, 1 uppercase character, 1 digit, 1 symbol, and 4 more random characters. +::: + +The generated password's strength can also be checked via a regular expression (regex) through `StrengthCheck`. Thus, the following example makes Identity Manager generate a password with at least 9 characters including at least one digit, one lowercase letter, one uppercase and one special character. + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| AutoGenerate default value: false | **Type:** Boolean **Description:** `true` to make Identity Manager generate the password automatically. | +| BeneficiaryEmailBinding optional | **Type:** Int64 **Description:** Binding to the email address property whose password is to be reset. | +| BeneficiaryFullNameBinding optional | **Type:** Int64 **Description:** Binding to the full name property of the user(s) whose password is to be reset. 
| +| DefaultPassword optional | **Type:** String **Description:** Default password to set when `AutoGenerate` is set to `false`. | +| DisableNotifications default value: false | **Type:** Boolean **Description:** `true` to disable the mailing of notifications concerning password reset. | +| GeneratedDigitCharsCount default value: 2 | **Type:** Int32 **Description:** Number of digit characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedLength default value: 12 | **Type:** Int32 **Description:** Length of the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedLowerCaseCharsCount default value: 6 | **Type:** Int32 **Description:** Number of lower case characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedSymbolCharsCount default value: 2 | **Type:** Int32 **Description:** Number of symbol characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedUpperCaseCharsCount default value: 2 | **Type:** Int32 **Description:** Number of upper case characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| Identifier required | **Type:** String **Description:** Identifier of the set of password reset settings. | +| Mode default value: 0 | **Type:** Int64 **Description:** Mode used by the password reset service. `0` - Disabled. `1` - One-Way. `2` - Two-Way. | +| MustChange default value: false | **Type:** Boolean **Description:** `true` to force users to modify their passwords on the first login. | +| NotificationCC optional | **Type:** String **Description:** Email address to set as CC recipient of all password reset notifications. | +| NotifiedEmailBinding optional | **Type:** Int64 **Description:** Binding to the email address property of the person to be notified. 
| +| NotifiedFullNameBinding optional | **Type:** Int64 **Description:** Binding to the full name property of the person to be notified. | +| StrengthCheck optional | **Type:** String **Description:** Regular expression (regex) that generated passwords must match, when `AutoGenerate` is set to `true`. **Note:** the strength of passwords set manually by users can be configured via [`PasswordTestsSetting`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting). | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping.mdx new file mode 100644 index 0000000000..e3b54d6163 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping.mdx 
@@ -0,0 +1,33 @@ +--- +title: "AzureADResourceTypeMapping" +description: " " +sidebar_position: 1 +--- + +import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx'; + + + +## Examples +```xml + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. | +| DefaultObjectClass required | **Type:** String **Description:** Default object class used by the provisioner, for example `person`, `organizationalPerson`, `user`, etc.**Note:** multiple default object classes are separated with ` `. | +| InvitationCustomizedMessageBody optional | **Type:** String **Description:** Message that will replace Azure's default message in the invitation.**Note:** only used when `InvitationMode` is set to `MicrosoftInvitation`. | +| InvitationMessageLanguage optional | **Type:** String **Description:** Language of the invitation's message.**Note:** when not specified, the message is in English.**Note:** only used when `InvitationMode` is set to `MicrosoftInvitation`. | +| InvitationMode default value: None | **Type:** InvitationMode **Description:** Mode of the invitation email sent during the creation of a guest Microsoft Entra ID account.- **None**: nothing is sent.- **MicrosoftInvitation**: an invitation email is sent to another person to initiate the external user's guest account in Microsoft Entra ID according to the related password reset setting (one-way, two-way, etc.). | +| InvitationRedirectUrl optional | **Type:** String **Description:** URL that will be displayed in the invitation email.**Note:** required when `InvitationMode` is set to `MicrosoftInvitation`. | +| PasswordResetSetting optional | **Type:** String **Description:** Identifier of the corresponding password reset setting.**Note:** required when `InvitationMode` is set to `None` and `DefaultObjectClass` set to `users`. | + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping.mdx
new file mode 100644
index 0000000000..155184f1dc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping.mdx
@@ -0,0 +1,30 @@
+---
+title: "EasyVistaResourceTypeMapping"
+description: "To create a ticket in EasyVista, some information need to be provided to the external system and are configured through the XML configuration in the resource type mappings"
+sidebar_position: 2
+---
+
+import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx';
+
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| CatalogCode required | **Type:** String **Description:** Code of the catalog. It is possible to define three catalog codes, one for each provisioning action (add, modify, delete) by separating them with `¤`, for example `42¤25¤43`. |
+| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. |
+| RecipientId required | **Type:** String **Description:** Identifier of the ticket's recipient. |
+| Description optional | **Type:** String **Description:** File path of the template used for the generation of the ticket description. |
+| ImpactId optional | **Type:** String **Description:** [Impact](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#Impact) of the ticket. |
+| SeverityId optional | **Type:** String **Description:** [Severity level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#Gravities) of the ticket. |
+| TicketSynchroIsNotAvailable default value: false | **Type:** Boolean **Description:** `true` to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to `Verified`.**Note:** only used with the [package for tickets](/docs/identitymanager/current/integration-guide/connectors/references-packages/ServiceNow Ticket). |
+| Title optional | **Type:** String **Description:** File path of the template used for the generation of the ticket title. |
+| UrgencyId optional | **Type:** String **Description:** [Urgency level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#Urgency) of the ticket. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistauserresourcetypemapping.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistauserresourcetypemapping.md
new file mode 100644
index 0000000000..80bc942982
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistauserresourcetypemapping.md
@@ -0,0 +1,14 @@
+---
+title: "EasyVistaUserResourceTypeMapping"
+description: "Mapping to manipulate the users in EasyVista."
+sidebar_position: 3
+---
+
+Mapping to manipulate the users in EasyVista.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md
new file mode 100644
index 0000000000..eeb1b91001
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md
@@ -0,0 +1,40 @@
+---
+title: "Resource Type Mappings"
+description: "Resource Type Mappings"
+sidebar_position: 10
+---
+
+# Resource Type Mappings
+- [Azure ADResource Type Mapping](./azureadresourcetypemapping)
+
+
+- [Easy Vista Resource Type Mapping](./easyvistaresourcetypemapping)
+
+To create a ticket in EasyVista, some information need to be provided to the external system and are configured through the XML configuration in the resource type mappings
+- [Easy Vista User Resource Type Mapping](./easyvistauserresourcetypemapping)
+
+Mapping to manipulate the users in EasyVista.
+- [Ldap Resource Type Mapping](./ldapresourcetypemapping)
+
+
+- [Manual Provisioning Resource Type Mapping](./manualprovisioningresourcetypemapping)
+
+
+- [Nim Resource Type Mapping](./nimresourcetypemapping)
+
+
+- [Okta Resource Type Mapping](./oktaresourcetypemapping)
+
+
+- [Sap Resource Type Mapping](./sapresourcetypemapping)
+
+
+- [Scim Resource Type Mapping](./scimresourcetypemapping)
+
+
+- [Service Now Resource Type Mapping](./servicenowresourcetypemapping)
+
+
+- [Share Point Resource Type Mapping](./sharepointresourcetypemapping)
+
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping.mdx
new file mode 100644
index 0000000000..4305b55aee
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping.mdx
@@ -0,0 +1,42 @@ +--- +title: "LdapResourceTypeMapping" +description: " " +sidebar_position: 4 +--- + +import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx'; + + + +## Examples +```xml + + + + + + + + +``` + +### Multiple default object classes + +The following example configures a whole set of settings for the `LDAP_Entry_NominativeUser` resource type, including several default object classes. + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. | +| DefaultObjectClass required | **Type:** String **Description:** Default object class used by the provisioner, for example `person`, `organizationalPerson`, `user`, etc.**Note:** multiple default object classes are separated with ` `. | +| RDNAttributeIdentifier required | **Type:** String **Description:** Identifier of the RDN attribute used by the provisioner. | +| PasswordResetSetting optional | **Type:** String **Description:** Identifier of the corresponding password reset setting. | +| UsePermissiveModify default value: false | **Type:** Boolean **Description:** `true` to use [LDAP's permissive modify control](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-permissive-modify-oid). | +| UseTreeDelete default value: false | **Type:** Boolean **Description:** `true` to use the control option that enables deleting all the sub-trees within a directory via a single deletion request. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping.mdx new file mode 100644 index 0000000000..009db5d6c7 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping.mdx @@ -0,0 +1,23 @@ +--- +title: "ManualProvisioningResourceTypeMapping" +description: " " +sidebar_position: 5 +--- + +import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx'; + + + +## Examples +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. | +| TicketSynchroIsNotAvailable optional | **Type:** Boolean **Description:** `true` to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to `Verified`.**Note:** only used with the [package for tickets](/docs/identitymanager/current/integration-guide/connectors/references-packages/ServiceNow Ticket). | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping.md new file mode 100644 index 0000000000..8fd7b21013 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping.md 
@@ -0,0 +1,29 @@ +--- +title: "Microsoft EntraID Resource Type Mapping" +description: "Microsoft EntraID Resource Type Mapping" +sidebar_position: 10 +--- + +# Microsoft EntraID Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                 +``` + +## Properties + + | Property | Type | Description | + | --- | --- | --- | + | Connection required | String | Identifier of the corresponding connection. | + | DefaultObjectClass required | String | Default object class used by the provisioner, for example: person, organizationalPerson, or user, etc. Multiple default object classes are separated by: . | + | InvitationCustomizedMessageBody optional | String | Message that will replace Azure's default message in the invitation. Only used when InvitationMode is set to MicrosoftInvitation. | + | InvitationMessageLanguage optional | String | Language of the invitation's message. When not specified, the message is in English. Only used when InvitationMode is set to MicrosoftInvitation. | + | InvitationMode default value: None | InvitationMode | Mode of the invitation email sent during the creation of a guest Microsoft Entra ID account. None : nothing is sent. MicrosoftInvitation : an invitation email is sent to another person to initiate the external user's guest account in Microsoft Entra ID according to the related password reset setting (one-way, two-way, etc.). | + | InvitationRedirectUrl optional | String | URL that will be displayed in the invitation email. Required when InvitationMode is set to MicrosoftInvitation. | + | PasswordResetSetting optional | String | Identifier of the corresponding password reset setting. Required when InvitationMode is set to None and DefaultObjectClass set to users. | 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/nimresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/nimresourcetypemapping.mdx
new file mode 100644
index 0000000000..2b5455868c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/nimresourcetypemapping.mdx
@@ -0,0 +1,35 @@
+---
+title: "NimResourceTypeMapping"
+description: " "
+sidebar_position: 6
+---
+
+import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx';
+
+
+
+The `NimResourceTypeMapping` element is used exclusively with the **NIM (Netwrix Identity Manager) Connector Template** feature. This element is **automatically generated** by the NIM template wizard and should not be created manually.
+
+When you configure a NIM connector and click the "Apply Template" button, the system generates a complete connector configuration. As part of this generation, one `NimResourceTypeMapping` is created for each ResourceType that manages Profile assignments. This mapping links the ResourceType to the NimProfile connection, enabling Identity Manager to provision Profile assignments to the target Identity Manager instance (either the same instance in Local mode or a different instance in Remote mode).
+
+Each generated ResourceType for Profile assignments requires its corresponding `NimResourceTypeMapping` to function correctly. The mapping ensures that provisioning operations route through the appropriate NimProfile connection package.
+
+
+## Examples
+```xml
+
+```
+
+In this example:
+- `Identifier`: References a ResourceType generated for the FinanceAnalyst Profile (naming follows the pattern `Nim{ProfileName}_RT_*`)
+- `Connection`: References the NimProfiles connection that was created when configuring the NIM connector
+
+The NIM template wizard automatically creates one `NimResourceTypeMapping` element for each Profile defined in the target Identity Manager instance.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping.md new file mode 100644 index 0000000000..20ef7942aa --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping.md @@ -0,0 +1,16 @@ +--- +title: "OktaResourceTypeMapping" +description: " " +sidebar_position: 7 +--- + + + +## Properties + +|Property|Details| +|---|---| +| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. | +| DefaultObjectClass optional | **Type:** String **Description:** Default object class used by the provisioner, for example `users`, `groups`, etc. | +| PasswordResetSetting optional | **Type:** String **Description:** Identifier of the corresponding password reset setting. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping.mdx new file mode 100644 index 0000000000..7f27998826 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping.mdx 
@@ -0,0 +1,27 @@
+---
+title: "SapResourceTypeMapping"
+description: " "
+sidebar_position: 8
+---
+
+import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx';
+
+
+
+## Examples
+```xml
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. |
+| DefaultObjectClass optional | **Type:** String **Description:** Default object class used by the provisioner, for example `person`, `organizationalPerson`, `user`, etc.**Note:** multiple default object classes are separated with ` `. |
+| PasswordResetSetting optional | **Type:** String **Description:** Identifier of the corresponding password reset setting. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping.mdx
new file mode 100644
index 0000000000..546741814e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping.mdx
@@ -0,0 +1,25 @@
+---
+title: "ScimResourceTypeMapping"
+description: " "
+sidebar_position: 9
+---
+
+import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx';
+
+
+
+## Examples
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. |
+| DefaultObjectClass optional | **Type:** String **Description:** Default object class used by the provisioner, for example `person`, `organizationalPerson`, `user`, etc.**Note:** multiple default object classes are separated with ` `. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx
new file mode 100644
index 0000000000..82b30fb334
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx
@@ -0,0 +1,40 @@ +--- +title: "ServiceNowResourceTypeMapping" +description: " " +sidebar_position: 10 +--- + +import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx'; + + + +Any resource type linked to a ServiceNow connection must be configured with a set of parameters to map the properties in Identity Manager with those in ServiceNow, for provisioning purposes. + +Below is an example of an incident ticket in ServiceNow, where relevant properties (from Identity Manager's perspective) are emphasized: + +![ServiceNow Ticket Example](/images/identitymanager/ServiceNow_example.webp) + + +## Examples +```xml + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| Connection required | **Type:** String **Description:** Identifier of the corresponding connection. | +| DefaultObjectClass optional | **Type:** String **Description:** Default object class used by the provisioner, for example `person`, `organizationalPerson`, `user`, etc.**Note:** multiple default object classes are separated with ` `. | +| PasswordResetSetting optional | **Type:** String **Description:** Identifier of the corresponding password reset setting. | +| TicketAdditionalInformation optional | **Type:** String **Description:** Information to add at the end of the description for all tickets created for this resource type.**Note:** only used with the [package for tickets](/integration-guide/connectors/references-packages/ServiceNow Ticket). | +| TicketCallerId optional | **Type:** String **Description:** Attribute that corresponds to the identifier of the "caller" person in ServiceNow.**Note:** required when using the [package for tickets](/integration-guide/connectors/references-packages/ServiceNow Ticket). 
| +| TicketCategory optional | **Type:** String **Description:** Category in which new tickets will be created in ServiceNow for this resource type.**Note:** only used with the [package for tickets](/integration-guide/connectors/references-packages/ServiceNow Ticket). | +| TicketImpact default value: Low | **Type:** TicketImpact **Description:** Impact of the ticket in ServiceNow: `Low`; `Medium`; `High`.**Note:** only used with the [package for tickets](/docs/identitymanager/current/integration-guide/connectors/references-packages/ServiceNow Ticket). | +| TicketSubCategory optional | **Type:** String **Description:** Subcategory in which new tickets will be created in ServiceNow for this resource type.**Note:** only used with the [package for tickets](/integration-guide/connectors/references-packages/ServiceNow Ticket). | +| TicketSynchroIsNotAvailable default value: false | **Type:** Boolean **Description:** `true` to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to `Verified`.**Note:** only used with the [package for tickets](/docs/identitymanager/current/integration-guide/connectors/references-packages/ServiceNow Ticket). | +| TicketUrgency default value: Low | **Type:** TicketUrgency **Description:** Urgency of the ticket in ServiceNow: `Low`; `Medium`; `High`.**Note:** only used with the [package for tickets](/docs/identitymanager/current/integration-guide/connectors/references-packages/ServiceNow Ticket). | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping.mdx b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping.mdx new file mode 100644 index 0000000000..f79d699bfe --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping.mdx @@ -0,0 +1,18 @@ +--- +title: "SharePointResourceTypeMapping" +description: " " +sidebar_position: 11 +--- + +import ResourcetypemappingIdentifier from '@site/docs/identitymanager/current/_partials/resourcetypemapping-identifier.mdx'; + + + +## Examples +```xml + + + + +``` + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/index.md new file mode 100644 index 0000000000..c48cac0813 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/index.md @@ -0,0 +1,20 @@ +--- +title: "Xml Configuration" +description: "Xml Configuration" +sidebar_position: 10 +--- + +# Xml Configuration +- [Access Certification](access-certification) +- [Access Control](access-control) +- [Business Intelligence](business-intelligence) +- [Configuration](configuration) +- [Connectors](connectors) +- [Jobs](jobs) +- [Metadata](metadata) +- [Notifications](notifications) +- [Provisioning](provisioning) +- [Reporting](reporting) +- [Resources](resources) +- [User Interface](user-interface) +- [Workflows](workflows) diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/index.md new file mode 100644 index 0000000000..c314dfe1c8 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/index.md @@ -0,0 +1,9 @@ +--- +title: "Jobs" +description: "Jobs" +sidebar_position: 10 +--- + +# Jobs +- [Job](job) +- [Tasks](tasks) diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/job.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/job.md new file mode 100644 index 0000000000..cbe05829cf --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/job.md 
@@ -0,0 +1,144 @@ +--- +title: "Job" +description: "" +sidebar_position: 1 +--- + +A job is a succession of tasks, to be launched and potentially scheduled. + +After launching a job, its progress information will be inserted in the `UJ_JobInstances` table. + + +## Examples +The following example creates a job made of two tasks that apply role mappings, the first for the AD connector, the second for SAP. Launching this job means launching both tasks successively. + +:::note +The launch order is induced by the reading from top to bottom of all tasks in the job. +::: + +```xml + + + + +``` + +### Task override + +:::info +An existing task can be called with an `Override` suffix in order to launch the task, but with slight changes in its properties. Then the override task must be configured with the identifier of the original task and the properties that differ from the original task. +::: + +Suppose that after configuring a synchronization job in complete mode, we want to configure the exact same one in incremental mode. + +As the incremental mode is configured via `Dirty` set to `1`, this property is the only one to change to switch from complete mode to incremental mode. + +The following example creates a task `UpdateClassification` to be used in the AD synchronization job in complete mode. Then, instead of creating a second task for the incremental mode, we choose to configure the incremental job as follows. + +```xml + + + + + + ... + + +``` + +### Dependent tasks + +The following example creates a job where the task `Microsoft Entra ID - Data Collect` is launched after `Microsoft Entra ID - Extraction` only if `Microsoft Entra ID - Extraction` produces an output and does not end up blocked or in an error state. + +```xml + + + + + + ... + +``` + +:::info +Most synchronization tasks are dependant on one another like this. This way, an error in a synchronization task will cut short the rest of the synchronization tasks. 
But it does not stop the other tasks in the job, for example the synchronization of another connector, or tasks that are independent from synchronization. +::: + +### Complete job + +The following example shows a typical configuration of the complete job. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent optional | **Type:** Int64 **Description:** Identifier of the agent on which the job will be launched. **Note:** when not specified, the job is to be launched on the server. **Warning:** all tasks in the job must be launched on the same agent or on the server. | +| CronTabExpression optional | **Type:** String **Description:** Scheduling expressed using the [crontab syntax](https://docs.microsoft.com/azure/azure-functions/functions-bindings-timer?tabs=csharp#ncrontab-expressions). | +| CronTimeZone default value: 0 | **Type:** CronTimeZone **Description:** Time zone used to compute the next occurrences according to the given cron expression. `0` - UTC `1` - ServerTime | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the job in language 1 (up to 16). | +| Identifier required | **Type:** String **Description:** Unique identifier of the job. | +| IsConnectorJob default value: false | **Type:** Boolean **Description:** Indicates that the job is specific to the connector configuration screen. | +| IsIncremental default value: false | **Type:** Boolean **Description:** Defines if a job is in incremental mode. | +| IsInitializationJob default value: false | **Type:** Boolean **Description:** Indicates that the job is an initialization job. | +| LogLevel default value: None | **Type:** LogLevel **Description:** Level of details that will be displayed in the logger. 
Possible values are: `0` - Trace `1` - Debug `2` - Information `3` - Warning `4` - Error `5` - Critical `6` - None | +| UserStartDenied default value: false | **Type:** Boolean **Description:** `true` to deny the manual launch of the job. | + +## Child Element: Step +A step is simply an easy way to use an existing task in a job. + +A job can be configured with as many steps as needed. + + +### Examples +The [basic example](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/job#examples) of a job is equivalent to the following: + +```xml + + + + + + + +``` + + +### Properties + +|Property|Details| +|---|---| +| Level default value: -1 | **Type:** Int32 **Description:** Grouping level of the tasks within the job. When executing a job, Identity Manager will launch simultaneously the tasks of a same `Level`. Level-2 tasks are not launched before all level-1 tasks are achieved. | +| Task required | **Type:** Int64 **Description:** Id of the task | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask.md new file mode 100644 index 0000000000..e26f0c13c9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask.md 
@@ -0,0 +1,27 @@ +--- +title: "ActivityInstanceActorTask" +description: "Update the Actors for the workflows instances" +sidebar_position: 1 +--- + +Update all the actors of the workflows instances. + +:::warning +An activity Instance can have at most 20 actors. +::: + +## Examples +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent required | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| OpenIdClient required | **Type:** String **Description:** Connection client for the task. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask.md new file mode 100644 index 0000000000..b273586687 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask.md 
@@ -0,0 +1,25 @@ +--- +title: "CreateDatabaseViewsTask" +description: "Generates entity model SQL views in the Usercube database." +sidebar_position: 2 +--- + +Generates entity model SQL views in the Identity Manager database. All views are prefixed by `zz_`. This tool deletes all views starting by `zz_` and creates views from the entity model described in the running configuration. + +For every **EntityType**, a matching SQL view is created from the UR_Resource table. + +## Examples +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent required | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| OpenIdClient required | **Type:** String **Description:** Connection client for the task. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask.md new file mode 100644 index 0000000000..acd3f82422 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask.md 
@@ -0,0 +1,28 @@ +--- +title: "ExportTask" +description: "Runs the specified connection's export." +sidebar_position: 3 +--- + +Runs the specified connection's export. + + +## Examples +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent required | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| OpenIdClient required | **Type:** String **Description:** Connection client for the task. | +| Connection optional | **Type:** String **Description:** Identifier of the Connection in the appsettings.agent.json. | +| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | +| IgnoreCookieFile default value: false | **Type:** Boolean **Description:** Ignore the Cookie Files | +| InitMode default value: false | **Type:** Boolean **Description:** `true` to prevent Identity Manager from archiving the changes (resource creation, update, deletion) performed by the task. Impacted tables are: `UP_AssignedSingleRoles`, `UP_AssignedCompositeRoles`, `UP_AssignedResourceTypes`, `UP_AssignedResourceScalars`, `UP_AssignedResourceNavigations`, `UP_AssignedResourceBinaries` for `ComputeRoleModelTask` and only `UR_Resources` for `FulfillTask`. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask.md new file mode 100644 index 0000000000..5e74f3b6f9 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask.md 
@@ -0,0 +1,60 @@ +--- +title: "FulfillTask" +description: "Retrieves provisioning orders from the informed connector generated by GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is possible to launch it with a list of TaskResourceTypes." +sidebar_position: 4 +--- + +Retrieves provisioning orders from the informed connector generated by GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is possible to launch it with a list of TaskResourceTypes. + + +## Examples +import IgnoreHistorizationIntro from '@site/docs/identitymanager/current/_partials/ignoreHistorization-intro.mdx'; + +The following example reads all provisioning order concerning the `ServiceNow` connector to make the changes in ServiceNow. + +```xml + +``` + +The following example reads all provisioning order concerning the `ServiceNow_Entry_NominativeUser` resource type to make the changes in ServiceNow. + +```xml + + + +``` + +### Ignore Archiving + + + +The following example reads all provisioning orders concerning the `InternalResources` connector to open manual provisioning tickets in Identity Manager, without archiving the values prior to the changes on resources. + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| Agent optional | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Note:** when not specified, the task is to be launched on the server.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| BatchSize default value: 0 | **Type:** Int32 **Description:** Block size for batch calculation. | +| Connection optional | **Type:** String **Description:** Identifier of the Connection in the appsettings.agent.json. 
| +| Connector optional | **Type:** String **Description:** Identifier of the connector involved in the task. | +| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. | +| Dirty optional | **Type:** Boolean **Description:** Option to tag resources inserted or updated by the internalResource with Dirty=true. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | +| IgnoreHistorization default value: false | **Type:** Boolean **Description:** `true` to prevent Usercube from archiving the changes (resource creation, update, deletion) performed by the task for the `InternalResources` connector. The impacted table is `UR_Resources`. | +| OpenIdClient optional | **Type:** String **Description:** Connection client for the task. | + + +## Child Element: TaskResourceType +The table TaskResourceTypes makes the link between the tasks and the Resourcetypes. + + +|Property|Details| +|---|---| +|ResourceType
required|

**Type**
Int64

**Description**
Linked resourceType id.

| diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md new file mode 100644 index 0000000000..4c060ad9fb --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md @@ -0,0 +1,34 @@ +--- +title: "Agent" +description: "Agent" +sidebar_position: 10 +--- + +# Agent +- [Activity Instance Actor Task](./activityinstanceactortask) + +Update the Actors for the workflows instances +- [Create Database Views Task](./createdatabaseviewstask) + +Generates entity model SQL views in the Usercube database. +- [Export Task](./exporttask) + +Runs the specified connection's export. +- [Fulfill Task](./fulfilltask) + +Retrieves provisioning orders from the informed connector generated by GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is possible to launch it with a list of TaskResourceTypes. +- [Invoke Api Task](./invokeapitask) + +Tool to launch any Usercube API. +- [Invoke Aspects Task](./invokeaspectstask) + +Call specific api in Usercube. +- [Invoke Expression Task](./invokeexpressiontask) + +Launches on agent side a powershell script given as input. +- [Invoke Sql Command Task](./invokesqlcommandtask) + +Takes as input an SQL file or an SQL command to output several CSV files that can be used by the collection. +- [Prepare Synchronization Task](./preparesynchronizationtask) + +Cleanses exported CSV files. diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask.md new file mode 100644 index 0000000000..5c51be2662 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask.md 
@@ -0,0 +1,27 @@ +--- +title: "InvokeApiTask" +description: "Tool to launch any Usercube API." +sidebar_position: 5 +--- + +Tool to launch any Usercube API. + + +## Examples +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Agent required | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| ApiUrl required | **Type:** String **Description:** The Identity Manager Api relative url.*Alternative definition*: If *TaskType* is:- SqlCmdTask: Connection string to the Database | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| HttpCommand required | **Type:** HttpCommand **Description:** Defines the ApiCommand (*Get*, *Put*, *Post*, or *Delete*) | +| OpenIdClient required | **Type:** String **Description:** Connection client for the task. | +| Body optional | **Type:** String **Description:** Path of the SQL file | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask.md new file mode 100644 index 0000000000..54bc58c252 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask.md 
@@ -0,0 +1,18 @@ +--- +title: "InvokeAspectsTask" +description: "Call specific api in Usercube." +sidebar_position: 6 +--- + +Call specific api in Usercube. + +## Properties + +|Property|Details| +|---|---| +| Agent required | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| OpenIdClient required | **Type:** String **Description:** Connection client for the task. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | +| OutputPath optional | **Type:** String **Description:** Path to save file.*Alternative definition*: If *TaskType* is:- ProvisioningPolicyTask: Path to save the LDIF file,- CollectorTask: Path of the working directory,- CollectorChangesTask: Path of the working directory,- CollectorADDirSyncTask: Path of the working directory,- ProvisionerDownloadTask: Path of the destination directory, | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask.md new file mode 100644 index 0000000000..e2585ab5da --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask.md 
@@ -0,0 +1,26 @@ +--- +title: "InvokeExpressionTask" +description: "Launches on agent side a powershell script given as input." +sidebar_position: 7 +--- + +Launches on agent side a powershell script given as input. + + +## Examples +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| Agent optional | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Note:** when not specified, the task is to be launched on the server.**Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | +| InputPath optional | **Type:** String **Description:** Defines the input path.Alternative definition: If *TaskType* is:- ProvisionerWorkflowTask: Path of the JSON file,- ConfigurationTask: Directory of the configuration to import,- ApiCallTask: Path of the JSON file,- SqlCmdTask: Path of the SQL file, | +| OpenIdClient optional | **Type:** String **Description:** Connection client for the task. | + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask.md new file mode 100644 index 0000000000..fa4ad82c7a --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask.md 
@@ -0,0 +1,35 @@
+---
+title: "InvokeSqlCommandTask"
+description: "Takes as input an SQL file or an SQL command to output several CSV files that can be used by the collection."
+sidebar_position: 8
+---
+
+Takes as input an SQL file or an SQL command to output several CSV files that can be used by the collection.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Agent optional | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Note:** when not specified, the task is to be launched on the server.**Warning:** all jobs containing the task must be launched on the same agent or on the server. |
+| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. |
+| DatabaseIdentifier optional | **Type:** String **Description:** Identifier of the Database to connect to |
+| Encoding optional | **Type:** String **Description:** Encoding for the output files. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#list-of-encodings). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| IsNotAQuery default value: false | **Type:** Boolean **Description:** To know if the SQL command is a query or not |
+| IsolationLevel optional | **Type:** String **Description:** Specifies the transaction locking behavior for the database connection. |
+| OpenIdClient optional | **Type:** String **Description:** Connection client for the task.
|
+| OutputPath optional | **Type:** String **Description:** Path to save file.*Alternative definition*: If *TaskType* is:- ProvisioningPolicyTask: Path to save the LDIF file,- CollectorTask: Path of the working directory,- CollectorChangesTask: Path of the working directory,- CollectorADDirSyncTask: Path of the working directory,- ProvisionerDownloadTask: Path of the destination directory, |
+| Provider optional | **Type:** String **Description:** Database provider |
+| ProviderAssemblyQualifiedName optional | **Type:** String **Description:** Database provider assembly qualified name |
+| SQLCommand optional | **Type:** String **Description:** SQL Command to execute |
+| SQLInputFile optional | **Type:** String **Description:** Path of the SQL file |
+| Timeout default value: 0 | **Type:** Int32 **Description:** Specify the timeout if the query need more 30 sec |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask.md
new file mode 100644
index 0000000000..cdfa748082
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask.md
@@ -0,0 +1,102 @@
+---
+title: "PrepareSynchronizationTask"
+description: "Cleanses exported CSV files."
+sidebar_position: 9
+---
+
+## View Behavior Details
+
+The task reads files from the source directory, usually the [temp folder > ExportOutput](/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/general-purpose) folder.
+
+### Cleanse data
+
+The following actions are performed on the *CSV source files*:
+
+1. Remove columns that are not used in [``](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) or [``](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping).
+2. Remove entries that have a null primary key.
+3. Remove duplicates.
+4. Sort entries according to the primary key.
+
+The result of the *Prepare-Synchronization* is stored in the [*export directory*](/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings) as three files:
+
+- For every entity type of the relevant *Connector* involved in an [``](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) or an [``](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping) , a `.sorted.csv` file is generated, containing the final, cleansed and sorted result.
+
+- Duplicates are kept in a separate `.duplicates.csv` file.
+
+- Null primary key entries are kept in a separate `.nullpk.csv` file.
+
+
+:::note
+All files produced by the task are in the [work folder > Collect](/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/general-purpose) directory.
+:::
+
+### Compute changes
+
+In *incremental* mode, changes might need to be computed by the *Agent*:
+
+- If the Export step has provided computed changes, no further process is required.
The changes will be sent as-is to the server.
+
+- If the Export step has provided a full extract of the managed systems, the *Prepare-Synchronization* step computes changes. This computation is based on the result of the last data cleansing, generated by the previous *Prepare-Synchronization*, and stored in the `previous` folder in the [*export directory*](/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings).
+
+
+:::note
+For *incremental* mode, it is recommended, whenever possible, to use managed systems to compute changes. Dedicated workstations and knowledge of the inner data organization allow managed systems to compute changes with performance that Identity Manager can't match. Using managed systems for these operations avoids generating heavy files and alleviates Identity Manager's processing load.
+:::
+
+The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a *command* column. The *command* column can take the following values:
+
+- *insert*
+- *update*
+- *delete*
+- *merge*
+
+These values are instructions for the *Synchronization* step to apply the changes to the database.
+
+The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in the `previous` folder inside the [*export directory*](/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings). It will be used as a reference for the next *incremental* Prepare-Synchronization to compute the changes, if needed.
+
+Tampering with the `previous` folder content would result in false changes leading to false computation. It would result in data corruption in the Identity Manager database. To restore the Identity Manager database and reflect the managed system data updates, a *complete* *Sync Up* would be required.
+
+### Prepare the server
+
+At the beginning of every *Prepare-Synchronization* process, the *Server* is notified via HTTP.
+
+Upon receiving the notification, the server creates a directory on its host environment, identified by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent.
+
+This is designed to prevent network errors that would cause an *incremental* database update to happen more than once.
+
+This means that several *Export* and *Prepare-Synchronization* tasks can be executed simultaneously. These tasks will be processed by the server one at a time, in the right order.
+
+Any notification of a *complete* Prepare-Synchronization would cancel the previous non-processed *incremental* Prepare-Synchronizations. As a *complete* Prepare-Synchronization reloads the whole database, it renders *incremental* changes computation moot.
+
+### Send clean exports
+
+`.sorted` or `.sorted.delta` files are sent over HTTP to the *Server* for the last step.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Agent required | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Warning:** all jobs containing the task must be launched on the same agent or on the server. |
+| Connector required | **Type:** String **Description:** Identifier of the connector involved in the task. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| OpenIdClient required | **Type:** String **Description:** Connection client for the task. |
+| SynchronizationMode required | **Type:** DataCollectType **Description:** Synchronization mode for collect and synchronization Task.List of Modes:- Initial = 0,- Complete = 1,- Incremental = 2 |
+| ColumnName optional | **Type:** String **Description:** If there is a delta in the synchronization, specifies the column name which stores the command |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task.
|
+| Type default value: None | **Type:** PrepareSynchronizationType **Description:** Define the type of PrepareSynchronization to launch the correct executable in job. |
+| WorkingDirectory optional | **Type:** String **Description:** Path of the working directory |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md
new file mode 100644
index 0000000000..d8e97110c1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md
@@ -0,0 +1,9 @@
+---
+title: "Tasks"
+description: "Tasks"
+sidebar_position: 10
+---
+
+# Tasks
+- [Agent](agent)
+- [Server](server)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask.md
new file mode 100644
index 0000000000..672fab5f7e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask.md
@@ -0,0 +1,27 @@
+---
+title: "BuildRoleModelTask"
+description: "Applies the role naming rules, i.e. generates single roles and navigation rules based on resources matching a given pattern."
+sidebar_position: 1
+---
+
+Applies the [role mappings](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/rolemapping), also named [role naming rules](/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation), i.e. generates single roles and navigation rules based on resources matching a given pattern.
+
+> For example, this task can transform AD groups with a special naming convention into roles.
+
+
+## Examples
+The following example applies all role naming rules linked to the AD connector.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Connector optional | **Type:** String **Description:** Identifier of the connector whose role mappings / role naming rules are to be applied. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask.md
new file mode 100644
index 0000000000..ba964f27bb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask.md
@@ -0,0 +1,35 @@
+---
+title: "ComputeCorrelationKeysTask"
+description: "The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute Role Model to match the resources."
+sidebar_position: 2
+---
+
+The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute Role Model to match the resources.
+If the resource or property does not exist or needs to change, the task insert a new line in this table:
+
+- Resource correlation keys
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| AllEntityType default value: false | **Type:** Boolean **Description:** Launch to all entityTypes for the expression task.*Alternative definition*: If *TaskType* is:- TreeDimensionsRefreshTask: Refresh all dimensions. |
+| BatchSize default value: 0 | **Type:** Int32 **Description:** Block size for batch calculation. |
+| Dirty default value: false | **Type:** Boolean **Description:** Initiate use only dirty resources. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
+
+## Child Element: TaskEntityType
+A task entity type defines the entity type on which the task is applied.
+
+
+|Property|Details|
+|---|---|
+|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask.md
new file mode 100644
index 0000000000..4857d42dd3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask.md
@@ -0,0 +1,25 @@
+---
+title: "ComputeRiskScoresTask"
+description: "Update risk score with the risk settings."
+sidebar_position: 3
+---
+
+Update risk score with the risk settings.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| BatchSize default value: 0 | **Type:** Int32 **Description:** Block size for batch calculation. |
+| Dirty default value: false | **Type:** Boolean **Description:** Initiate use only dirty resources. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
+
+## Child Element: TaskEntityType
+A task entity type defines the entity type on which the task is applied.
+
+
+|Property|Details|
+|---|---|
+|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask.md
new file mode 100644
index 0000000000..74b5335b18
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask.md
@@ -0,0 +1,82 @@
+---
+title: "ComputeRoleModelTask"
+description: "The Compute Role Model will calculate the role model of all whose EntityTypes sources are included in the list of EntityTypes given in the start of this job."
+sidebar_position: 4
+---
+
+This task applies all rules in the role model of all [resource types](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype) whose source entity types are specified as child elements of the task.
+
+## Behavior Details
+
+### Property creation/update
+
+If the resource or property needs to be created or changed, the policy inserts a new line in one of the following 3 tables:
+
+- Assigned resource types]
+- Assigned resource scalars
+- Assigned resource navigation
+
+Their provisioning state will therefore increase to either 1 or 5.
+
+If the resource already exists in the database, then the policy checks whether the existing value is the same as the computed value. If the existing value is the same as the computed value, then the provisioning state goes to 4.
+
+### Notifications
+
+Executing the `ComputeRoleModelTask` will modify some roles' workflow states, and it will send a notification for each of these roles being:
+* pending approval (1/1, 1/2, 2/2, 1/3, 2/3, 3/3);
+* blocked because of a risk.
+
+
+## Examples
+import IgnoreHistorizationIntro from '@site/docs/identitymanager/current/_partials/ignoreHistorization-intro.mdx';
+
+The following example applies all rules in the role model concerning the entity types `HR_Service`, `HR_Category`, `HR_Site` and `HR_Person`.
+
+```xml
+
+
+
+
+
+
+```
+
+### Ignore Archiving
+
+
+
+The following example is similar to the previous one, except that the values prior to the changes on assigned single roles, composite roles, resource types, scalar or navigation properties, or binaries, will not be stored in the database.
+
+```xml
+
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| BatchInsertSize default value: 0 | **Type:** Int32 **Description:** Defines the batch insert size. |
+| BatchSelectSize default value: 0 | **Type:** Int32 **Description:** Defines the batch select size. |
+| BlockAllResourceTypeProvisioning default value: false | **Type:** Boolean **Description:** `true` to force an additional mandatory review (on the **Provisioning Review** screen) of all provisioning orders for all resource types, no matter whether the resource types' `BlockProvisioning` boolean is set to `true` or `false`. |
+| BlockProvisioning default value: false | **Type:** Boolean **Description:** `true` to block the provisioning policy orders. |
+| Dirty default value: false | **Type:** Boolean **Description:** Initiate use only dirty resources. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| IgnoreHistorization default value: false | **Type:** Boolean **Description:** `true` to prevent Usercube from archiving the changes (resource creation, update, deletion) performed by the task. Impacted tables are: `UP_AssignedSingleRoles`, `UP_AssignedCompositeRoles`, `UP_AssignedResourceTypes`, `UP_AssignedResourceScalars`, `UP_AssignedResourceNavigations`, `UP_AssignedResourceBinaries`. |
+| LdifFilePath optional | **Type:** String **Description:** Path to save the ldif file |
+| UseLdif default value: false | **Type:** Boolean **Description:** to simulate or not into a ldif file |
+
+
+## Child Element: TaskEntityType
+A task entity type defines the entity type on which the task is applied.
+
+
+|Property|Details|
+|---|---|
+|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask.md
new file mode 100644
index 0000000000..13b02d9754
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask.md
@@ -0,0 +1,26 @@
+---
+title: "DeployConfigurationTask"
+description: "From a folder, retrieves all configuration xml files to calculate the configuration items to insert, update or delete."
+sidebar_position: 5
+---
+
+From a folder, retrieves all configuration xml files to calculate the configuration items to insert, update or delete.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ConfigurationDirectory required | **Type:** String **Description:** Directory of the configuration to import |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| GeneratedCodeNamespace optional | **Type:** String **Description:** The namespace of the generated code (entities + writer). |
+| GeneratedCodePath optional | **Type:** String **Description:** The path of the generated code (entities + writer). |
+| GeneratedFile optional | **Type:** String **Description:** The path of the xml file in which all the configuration is generated by the scaffoldings. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask.md
new file mode 100644
index 0000000000..13e4d05ccb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask.md
@@ -0,0 +1,60 @@
+---
+title: "FulfillTask"
+description: "Retrieves provisioning orders from the informed connector generated by GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is possible to launch it with a list of TaskResourceTypes."
+sidebar_position: 6
+---
+
+Retrieves provisioning orders from the informed connector generated by GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is possible to launch it with a list of TaskResourceTypes.
+
+
+## Examples
+import IgnoreHistorizationIntro from '@site/docs/identitymanager/current/_partials/ignoreHistorization-intro.mdx';
+
+The following example reads all provisioning order concerning the `ServiceNow` connector to make the changes in ServiceNow.
+
+```xml
+
+```
+
+The following example reads all provisioning order concerning the `ServiceNow_Entry_NominativeUser` resource type to make the changes in ServiceNow.
+
+```xml
+
+
+
+```
+
+### Ignore Archiving
+
+
+
+The following example reads all provisioning orders concerning the `InternalResources` connector to open manual provisioning tickets in Identity Manager, without archiving the values prior to the changes on resources.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Agent optional | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Note:** when not specified, the task is to be launched on the server.**Warning:** all jobs containing the task must be launched on the same agent or on the server. |
+| BatchSize default value: 0 | **Type:** Int32 **Description:** Block size for batch calculation. |
+| Connection optional | **Type:** String **Description:** Identifier of the Connection in the appsettings.agent.json.
|
+| Connector optional | **Type:** String **Description:** Identifier of the connector involved in the task. |
+| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. |
+| Dirty optional | **Type:** Boolean **Description:** Option to tag resources inserted or updated by the internalResource with Dirty=true. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| IgnoreHistorization default value: false | **Type:** Boolean **Description:** `true` to prevent Usercube from archiving the changes (resource creation, update, deletion) performed by the task for the `InternalResources` connector. The impacted table is `UR_Resources`. |
+| OpenIdClient optional | **Type:** String **Description:** Connection client for the task. |
+
+
+## Child Element: TaskResourceType
+The table TaskResourceTypes makes the link between the tasks and the Resourcetypes.
+
+
+|Property|Details|
+|---|---|
+|ResourceType
required|

**Type**
Int64

**Description**
Linked resourceType id.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask.md
new file mode 100644
index 0000000000..33f78e05cd
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask.md
@@ -0,0 +1,43 @@
+---
+title: "GenerateProvisioningOrdersTask"
+description: "The provisioning task will recover all resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning orders."
+sidebar_position: 7
+---
+
+In the following 3 tables:
+
+- Assigned resource types
+- Assigned resource scalars
+- Assigned resource navigation
+
+The provisioning task will recover all resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning orders.
+This task can be started either with a connector or with a resourceType list.
+Then changes the provisioningState of the resources concerned to 2.
+
+## Examples
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| BatchInsertSize default value: 0 | **Type:** Int32 **Description:** Specifies the number of orders by file. |
+| BatchSelectSize default value: 0 | **Type:** Int32 **Description:** Defines the batch select size. |
+| Connector optional | **Type:** String **Description:** Identifier of the connector involved in the task. |
+| ForceProvisioning default value: false | **Type:** Boolean **Description:** `true` to block the provisioning policy orders. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
+
+## Child Element: TaskResourceType
+The table TaskResourceTypes makes the link between the tasks and the Resourcetypes.
+
+
+|Property|Details|
+|---|---|
+|ResourceType
required|

**Type**
Int64

**Description**
Linked resourceType id.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask.md
new file mode 100644
index 0000000000..3c62ac0c3b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask.md
@@ -0,0 +1,35 @@
+---
+title: "GetRoleMiningTask"
+description: "Role mining is the process of analyzing user-to-resource mapping data to determine or modify user permissions for role-based access control (RBAC) in an enterprise. In a business setting, roles are defined according to job competency, authority and responsibility."
+sidebar_position: 8
+---
+
+Role mining is the process of analyzing user-to-resource mapping data to determine or modify user permissions for role-based access control (RBAC) in an enterprise. In a business setting, roles are defined according to job competency, authority and responsibility. The ultimate intent of role mining is to achieve optimal security administration based on the role each individual plays within the organization.
+This executable allows to highlight the RoleMining table as well as the different rules to be applied in the role model so that it is optimal at the time T.
+The xml file contains 2 sql requests to link roles, dimensions and Owners to extract a table containing the grouping of SingleRoles and CompositesRoles and set it up in the system.
+
+## Examples
+ ```xml
+
+
+
+ ```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| AllEntities default value: false | **Type:** Boolean **Description:** Apply role mining on all entities (otherwise list the entity types with the TaskEntityType) |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| IsSimulated default value: false | **Type:** Boolean **Description:** Apply results of role mining in simulation or not |
+
+
+## Child Element: TaskEntityType
+A task entity type defines the entity type on which the task is applied.
+
+
+|Property|Details|
+|---|---|
+|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md
new file mode 100644
index 0000000000..1990de89da
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md
@@ -0,0 +1,82 @@
+---
+title: "Server"
+description: "Server"
+sidebar_position: 10
+---
+
+# Server
+- [Build Role Model Task](./buildrolemodeltask)
+
+Applies the role naming rules, i.e. generates single roles and navigation rules based on resources matching a given pattern.
+- [Compute Correlation Keys Task](./computecorrelationkeystask)
+
+The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute Role Model to match the resources.
+- [Compute Risk Scores Task](./computeriskscorestask)
+
+Update risk score with the risk settings.
+- [Compute Role Model Task](./computerolemodeltask)
+
+The Compute Role Model will calculate the role model of all whose EntityTypes sources are included in the list of EntityTypes given in the start of this job.
+- [Deploy Configuration Task](./deployconfigurationtask)
+
+From a folder, retrieves all configuration xml files to calculate the configuration items to insert, update or delete.
+- [Fulfill Task](./fulfilltask)
+
+Retrieves provisioning orders from the informed connector generated by GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is possible to launch it with a list of TaskResourceTypes.
+- [Generate Provisioning Orders Task](./generateprovisioningorderstask)
+
+The provisioning task will recover all resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning orders.
+- [Get Role Mining Task](./getroleminingtask)
+
+Role mining is the process of analyzing user-to-resource mapping data to determine or modify user permissions for role-based access control (RBAC) in an enterprise. In a business setting, roles are defined according to job competency, authority and responsibility.
+- [Invoke Expression Task](./invokeexpressiontask)
+
+Launches on agent side a powershell script given as input.
+- [Invoke Sql Command Task](./invokesqlcommandtask)
+
+Takes as input an SQL file or an SQL command to output several CSV files that can be used by the collection.
+- [Maintain Indexes Task](./maintainindexestask)
+
+Index maintenance and statistics update for all database tables.
+- [Manage Configuration Indexes Task](./manageconfigurationindexestask)
+
+Manage indexes for items from configuration.
+- [Process Access Certification Items Task](./processaccesscertificationitemstask)
+
+Process decisions on access certification items.
+- [Reset Valid From Task](./resetvalidfromtask)
+
+Initialize historization tables by setting each entity's first record `ValidFrom` value to 0001-01-01 00:00:00.00.
+- [Save Pre Existing Access Rights Task](./savepreexistingaccessrightstask)
+
+During an initial installation of Usercube, data normally provided by Usercube or through a derogation in the User Interface is already present in the application system.
+- [Send Access Certification Notification Task](./sendaccesscertificationnotificationtask)
+
+Notify assigned users having pending access certification items in campaign marked with `NotificationNeeded`.
+- [Send Notifications Task](./sendnotificationstask)
+
+Task that sends a notification to each configured recipient.
+- [Send Role Model Notifications Task](./sendrolemodelnotificationstask)
+
+Task that sends a notification to all users who have pending roles to review, only for roles with a simple approval workflow, i.e. pending the validation 1 out of 1.
+- [Set Access Certification Reviewer Task](./setaccesscertificationreviewertask)
+
+Assign access certification items to users according to their profiles and the access control rules.
+- [Set Internal User Profiles Task](./setinternaluserprofilestask)
+
+Will execute the profile rules of the different resource types given in parameters to create, modify or delete profiles in automatic mode.
+- [Set Recently Modified Flag Task](./setrecentlymodifiedflagtask)
+
+When synchronizing in full or incremental mode, it is possible to optimize the compute performance of the role model by taking into account only the changes made by the synchronization.
+- [Synchronize Task](./synchronizetask)
+
+Retrieves the files generated by the prepare-synchronization task to insert the data into the Usercube database.
+- [Update Access Certification Campaign Task](./updateaccesscertificationcampaigntask)
+
+Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`.
+- [Update Classification Task](./updateclassificationtask)
+
+Classifies a list of resources that are part of the resourceType data targets as an argument to this job.
+- [Update Entity Property Expressions Task](./updateentitypropertyexpressionstask)
+
+Calculates either for all entities or for a list of entities the expressions and inserts the values in the database.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask.md
new file mode 100644
index 0000000000..9f2459be46
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask.md
@@ -0,0 +1,26 @@
+---
+title: "InvokeExpressionTask"
+description: "Launches on agent side a powershell script given as input."
+sidebar_position: 9
+---
+
+Launches on agent side a powershell script given as input.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Agent optional | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Note:** when not specified, the task is to be launched on the server.**Warning:** all jobs containing the task must be launched on the same agent or on the server. |
+| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| InputPath optional | **Type:** String **Description:** Defines the input path.Alternative definition: If *TaskType* is:- ProvisionerWorkflowTask: Path of the JSON file,- ConfigurationTask: Directory of the configuration to import,- ApiCallTask: Path of the JSON file,- SqlCmdTask: Path of the SQL file, |
+| OpenIdClient optional | **Type:** String **Description:** Connection client for the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask.md
new file mode 100644
index 0000000000..40141ba93b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask.md
@@ -0,0 +1,35 @@
+---
+title: "InvokeSqlCommandTask"
+description: "Takes as input an SQL file or an SQL command to output several CSV files that can be used by the collection."
+sidebar_position: 10
+---
+
+Takes as input an SQL file or an SQL command to output several CSV files that can be used by the collection.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Agent optional | **Type:** String **Description:** Identifier of the agent on which the job will be launched.**Note:** when not specified, the task is to be launched on the server.**Warning:** all jobs containing the task must be launched on the same agent or on the server. |
+| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. |
+| DatabaseIdentifier optional | **Type:** String **Description:** Identifier of the Database to connect to |
+| Encoding optional | **Type:** String **Description:** Encoding for the output files. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#list-of-encodings). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| IsNotAQuery default value: false | **Type:** Boolean **Description:** To know if the SQL command is a query or not |
+| IsolationLevel optional | **Type:** String **Description:** Specifies the transaction locking behavior for the database connection. |
+| OpenIdClient optional | **Type:** String **Description:** Connection client for the task.
|
+| OutputPath optional | **Type:** String **Description:** Path to save file.*Alternative definition*: If *TaskType* is:- ProvisioningPolicyTask: Path to save the LDIF file,- CollectorTask: Path of the working directory,- CollectorChangesTask: Path of the working directory,- CollectorADDirSyncTask: Path of the working directory,- ProvisionerDownloadTask: Path of the destination directory, |
+| Provider optional | **Type:** String **Description:** Database provider |
+| ProviderAssemblyQualifiedName optional | **Type:** String **Description:** Database provider assembly qualified name |
+| SQLCommand optional | **Type:** String **Description:** SQL Command to execute |
+| SQLInputFile optional | **Type:** String **Description:** Path of the SQL file |
+| Timeout default value: 0 | **Type:** Int32 **Description:** Specify the timeout if the query need more 30 sec |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask.md
new file mode 100644
index 0000000000..cd30492389
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask.md
@@ -0,0 +1,29 @@ +--- +title: "MaintainIndexesTask" +description: "Index maintenance and statistics update for all database tables." +sidebar_position: 11 +--- + +Maintain indexes and update statistics for all database tables. Also cleans up data inconsistencies. + +## Examples +```xml + default value: false | **Type:** Boolean **Description:** Defines whether all indexes should be rebuilt without checking average fragmentation percent. | +| ContinueOnError default value: false | **Type:** Boolean **Description:** `true` if the execution of the Task returning an error should not stop the job machine state. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | +| NoNormalizationCheck default value: false | **Type:** Boolean **Description:** Prevent the cleanup of the database inconsistencies (foreign keys, forbidden values...). | +| Offline default value: false | **Type:** Boolean **Description:** Defines whether the indexes should be rebuilt offline. | +| PageCount default value: 0 | **Type:** Int32 **Description:** Defines the min page count that an index should have to be maintained. Below this threshold the index will be ignored. Default value is 1000. | +| RebuildThreshold default value: 0 | **Type:** Int32 **Description:** Defines the min index fragmentation threshold for which an index rebuild is triggered otherwise the index will simply be reorganized. Must be between 30 and 90 percent. Default value is 30. | +| ReorganizeThreshold default value: 0 | **Type:** Int32 **Description:** Defines the min average fragmentation that an index should have to be maintained. Below this threshold the index will be ignored. Default value is 5. | +| UpdateStatsThreshold default value: 0 | **Type:** Int32 **Description:** Specifies the minimum percentage of modification that should trigger an index statistic update. Default value is 10% | + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask.md
new file mode 100644
index 0000000000..803200b3a5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask.md
@@ -0,0 +1,21 @@
+---
+title: "ManageConfigurationIndexesTask"
+description: "Manage indexes for items from configuration."
+sidebar_position: 12
+---
+
+Manage indexes for configuration items with the tool [Usercube-Manage-ConfigurationDependantIndexes](/docs/identitymanager/current/integration-guide/executables/references/manage-configurationdependantindexes).
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask.md
new file mode 100644
index 0000000000..de511729d0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask.md
@@ -0,0 +1,21 @@
+---
+title: "ProcessAccessCertificationItemsTask"
+description: "Process decisions on access certification items."
+sidebar_position: 13
+---
+
+Launch the deprovisioning of declined entitlement assignments for all AccessCertificationItems having a state of *PendingProcessing* (3). Once completed, the new state of all processed items is *Applied* (4).
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask.md
new file mode 100644
index 0000000000..3e25ac4282
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask.md
@@ -0,0 +1,22 @@
+---
+title: "ResetValidFromTask"
+description: "Initialize historization tables by setting each entity's first record `ValidFrom` value to 0001-01-01 00:00:00.00."
+sidebar_position: 14
+---
+
+Initialize historization tables by setting each entity's first record `ValidFrom` value to 0001-01-01 00:00:00.00.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask.md
new file mode 100644
index 0000000000..d0a9efb8da
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask.md
@@ -0,0 +1,32 @@
+---
+title: "SavePreExistingAccessRightsTask"
+description: "During an initial installation of Usercube, data normally provided by Usercube or through a derogation in the User Interface is already present in the application system."
+sidebar_position: 15
+---
+
+During an initial installation of Identity Manager, data normally provided by Identity Manager or through a derogation in the User Interface is already present in the application system.
+Loaded during initialization, this data has the automatic flag and is all with provisioningstate to blocked or to pending. This Tool updates the data that are in this case and that are in the present or in the past. This update affects the following properties:
+
+- Workflowstate
+- consolidatedworkflowfoundstate
+- consolidatedworkflowblockedstate
+- consolidatedworkflowblockedcount
+- consolidatedworkflowfoundcount
+- provisioningState
+
+## Examples
+ ```xml
+
+ ```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| AssignedResourceNavigationSQL optional | **Type:** String **Description:** The sql to find all AssignedResourceNavigation for update.*Alternative definition*: If *TaskType* is:- SqlCmdTask: Database provider |
+| AssignedResourceScalarSQL optional | **Type:** String **Description:** The sql to find all AssignedResourceScalar for update.*Alternative definition*: If *TaskType* is:- SqlCmdTask: SQL Command to execute |
+| AssignedResourceTypeSQL optional | **Type:** String **Description:** The sql to find all AssignedResourceType for update.*Alternative definition*: If *TaskType* is:- SqlCmdTask: Database provider assembly qualified name |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask.md
new file mode 100644
index 0000000000..dc0655b994
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask.md
@@ -0,0 +1,22 @@
+---
+title: "SendAccessCertificationNotificationTask"
+description: "Notify assigned users having pending access certification items in campaign marked with `NotificationNeeded`."
+sidebar_position: 16
+---
+
+Notify assigned users having pending access certification items in campaign marked with `NotificationNeeded`.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask.md
new file mode 100644
index 0000000000..27000d12b0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask.md
@@ -0,0 +1,38 @@ +--- +title: "SendNotificationsTask" +description: "Task that sends a notification to each configured recipient." +sidebar_position: 17 +--- + +Task that sends all the custom notifications defined by the [`Notification`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notification) XML tag. + + +## Examples +The following example, included in a job potentially scheduled periodically, will send all custom notifications defined via `Notification` such as the example below. The task will send the notifications concerning the `Directory_User` entity type. + +```xml + + + + +Knowing that we have for example: + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| BatchSize default value: 0 | **Type:** Int32 **Description:** Block size for batch calculation. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | + + +## Child Element: TaskEntityType +A task entity type defines the entity type on which the task is applied. + + +|Property|Details| +|---|---| +|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md
new file mode 100644
index 0000000000..74039b2391
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md
@@ -0,0 +1,220 @@
+---
+title: "SendRoleModelNotificationsTask"
+description: "Task that sends a notification to all users who have pending roles to review, only for roles with a simple approval workflow, i.e. pending the validation 1 out of 1."
+sidebar_position: 18
+---
+
+# Migration Guide: SendRoleModelNotificationsTask to SendNotificationsTask
+
+:::warning Deprecated
+The `SendRoleModelNotificationsTask` is deprecated and will be removed in a future version. This guide explains how to migrate to the new approach using `SendNotificationsTask` with notification configuration elements.
+:::
+
+## Overview
+
+The `SendRoleModelNotificationsTask` should been replaced by `SendNotificationsTask` combined with `RolePolicyNotification` and `RoleReviewNotification` XML configuration elements. The new implementation introduces:
+
+- Reminder interval control to prevent duplicate notifications when multiple jobs execute
+- Unified notification system for all notification types
+- Notification sending logic that respects the configured reminder interval
+
+## What Changed
+
+### Before (Deprecated)
+
+```xml
+
+
+
+```
+
+**Limitations:**
+- Sent notifications every time the task ran, without reminder interval control
+- Only handled roles with simple approval workflows (1 out of 1 validation)
+- Could result in duplicate emails when multiple jobs in complete mode were executed
+
+### After (Current Implementation)
+
+```xml
+
+
+
+
+
+
+
+
+
+```
+
+**Technical Changes:**
+- The `ReminderInterval` property (in minutes) controls notification frequency
+- Notification types are handled through a single task implementation
+- Duplicate notification issue resolved through interval tracking
+
+## Scaffolding Changes
+
+If possible, the following scaffoldings now automatically generate `SendNotificationsTask` instead of `SendRoleModelNotificationsTask`:
+
+- **CreateAgentSynchroComplete**: Complete synchronization job for all connectors in an agent.
See [CreateAgentSynchroComplete](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete).
+- **CreateConnectorSynchroComplete**: Complete synchronization job for a specific connector. See [CreateConnectorSynchroComplete](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete).
+
+### Scaffolding Behavior
+
+The scaffolding determines which task to generate based on configuration:
+
+**Generates SendNotificationsTask** when:
+- `RolePolicyNotification` and/or `RoleReviewNotification` elements are present in the configuration
+- AND the corresponding mail settings are enabled (see note below)
+
+**Generates SendRoleModelNotificationsTask (deprecated)** when:
+- These notification elements are NOT present in the configuration
+- Displays a deprecation warning during deployment
+
+:::note Mail Settings
+The `RolePolicyNotification` and `RoleReviewNotification` attributes on the `MailSetting` element are **enabled by default** (`true`). You typically don't need to configure these unless you want to disable them:
+
+```xml
+
+```
+:::
+
+## What Happens If You Don't Migrate
+
+### Functional Impact
+
+Continuing to use `SendRoleModelNotificationsTask` without migrating results in:
+
+**Configuration Deployment:**
+- Deployment completes successfully without errors
+- Deprecation warning is logged:
+ ```
+ The Task 'SendRoleModelNotification' is deprecated and will be removed in a future version.
+ Please use 'SendNotificationsTask' instead.
+ ```
+
+**Runtime Behavior:**
+- Duplicate emails sent when multiple complete-mode jobs execute
+- No reminder interval control (notifications sent on every task execution)
+- Limited to simple approval workflows (1/1 validation only)
+
+**Future Compatibility:**
+- `SendRoleModelNotificationsTask` scheduled for removal in a future release
+
+### After Migration
+
+**Configuration Deployment:**
+- No deprecation warnings logged
+
+**Runtime Behavior:**
+- Duplicate notification issue resolved
+- ReminderInterval property controls notification frequency
+- Compatible with all approval workflow types
+
+**Future Compatibility:**
+- Uses current task implementation
+
+## Migration Steps
+
+### Step 1: Add Notification Configuration Elements
+
+Add `RolePolicyNotification` and/or `RoleReviewNotification` elements to your configuration:
+
+```xml
+
+
+
+
+
+
+```
+See the [RoleReviewNotification](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification) and [RolePolicyNotification](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification) documentation for complete property details.
+
+### Step 2: Replace Task in Manually Defined Job Definitions
+
+If you have manually defined `SendRoleModelNotificationsTask` instances in your jobs (not generated by scaffolding), replace them with `SendNotificationsTask`:
+
+**Before:**
+```xml
+
+
+
+```
+
+**After:**
+```xml
+
+
+
+```
+
+:::note
+**For Scaffolded Jobs:**
+If your job is generated by `CreateAgentSynchroComplete` or `CreateConnectorSynchroComplete`, manual job definition edits are not required. Add the notification elements (Step 1) and the scaffolding will automatically generate `SendNotificationsTask`.
+:::
+
+### Step 3: Deploy and Verify
+
+Deploy your configuration. After deployment:
+
+1.
**Check job structure**: Use `Usercube-Get-JobSteps.exe` to verify that `SendNotificationsTask` appears in your jobs (not `SendRoleModelNotificationsTask`)
+
+2. **Verify notification behavior**:
+ - Trigger scenarios that should send notifications (e.g., pending role reviews)
+ - Confirm notifications are sent
+ - Re-run the job immediately and verify that duplicate notifications are NOT sent (ReminderInterval is working)
+
+3. **Check deployment logs**: Verify no deprecation warnings appear
+
+4. **Monitor notification timing**: After the ReminderInterval elapses, verify reminder notifications are sent as expected
+
+## Additional Resources
+
+- [SendNotificationsTask](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask) - Documentation for the replacement task
+- [RolePolicyNotification](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification) - Configuration element for role policy notifications
+- [RoleReviewNotification](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification) - Configuration element for role review notifications
+- [Notification](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notification) - General notification configuration
+- [CreateAgentSynchroComplete](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete) - Scaffolding documentation
+- [CreateConnectorSynchroComplete](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete) - Scaffolding documentation
+
+
+Task that sends a notification to all users who have pending roles to review, only for roles with a simple approval workflow, i.e. pending the validation 1 out of 1.
+ + +## Examples +The following example sends a notification to all users who have pending roles to review, whose owners are part of `Directory_User`. This is only about roles that need one (and only one) validation. + +```xml + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | + + +## Child Element: TaskEntityType +A task entity type defines the entity type on which the task is applied. + + +|Property|Details| +|---|---| +|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask.md
new file mode 100644
index 0000000000..77efb77c74
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask.md
@@ -0,0 +1,22 @@
+---
+title: "SetAccessCertificationReviewerTask"
+description: "Assign access certification items to users according to their profiles and the access control rules."
+sidebar_position: 19
+---
+
+Assign access certification items to users according to their profiles and the access control rules.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask.md
new file mode 100644
index 0000000000..38e38256f0
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask.md
@@ -0,0 +1,47 @@ +--- +title: "SetInternalUserProfilesTask" +description: "Will execute the profile rules of the different resource types given in parameters to create, modify or delete profiles in automatic mode." +sidebar_position: 20 +--- + +Will execute the profile rules of the different resource types given in parameters to create, modify or delete profiles in automatic mode. + +:::warning +It is necessary to set up [ProfileRuleContext](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/profilecontext) as well as [profileRules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext) to be able to use this job. +::: + + +## Examples +```xml + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type:** Int32 **Description:** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type:** Int32 **Description:** Defines the batch select size. | +| Identifier optional | **Type:** String **Description:** Unique identifier of the task. | + + +## Child Element: TaskEntityType +A task entity type defines the entity type on which the task is applied. + + +|Property|Details| +|---|---| +|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

| + +## Child Element: TaskResourceType +The table TaskResourceTypes makes the link between the tasks and the Resourcetypes. + + +|Property|Details| +|---|---| +|ResourceType
required|

**Type**
Int64

**Description**
Linked resourceType id.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask.md
new file mode 100644
index 0000000000..7e5425cbbd
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask.md
@@ -0,0 +1,28 @@
+---
+title: "SetRecentlyModifiedFlagTask"
+description: "When synchronizing in full or incremental mode, it is possible to optimize the compute performance of the role model by taking into account only the changes made by the synchronization."
+sidebar_position: 21
+---
+
+When synchronizing in full or incremental mode, it is possible to optimize the compute performance of the role model by taking into account only the changes made by the synchronization. This optimization is based on the `dirty` property of the entity [Resource](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/resources/resource). The task [Usercube-Compute-RoleModel](./computerolemodeltask) with option `dirty` set to `true` will treat only resources marked as dirty.
+
+This task is used to set the `dirty` flag on all resources based on [ResourceChange, ResourceLinkChange and ResourceFileChange entities](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/resources). After this, it clears this changes tables.
+
+:::warning
+This task works correctly only if **previous synchronization tasks have not cleared the change tables** (option `DoNotDeleteChanges` set to `true`).
+:::
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask.md
new file mode 100644
index 0000000000..b3858a9b35
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask.md
@@ -0,0 +1,32 @@
+---
+title: "SynchronizeTask"
+description: "Retrieves the files generated by the prepare-synchronization task to insert the data into the Usercube database."
+sidebar_position: 22
+---
+
+Retrieves the files generated by the [prepare-synchronization](/docs/identitymanager/current/integration-guide/synchronization/upward-data-sync) to insert the data into the Identity Manager database.
+
+For more information on how the Synchronization works, see [Sync Up](/docs/identitymanager/current/integration-guide/synchronization/upward-data-sync).
+
+:::warning
+Collection must be done by the [PrepareSynchronizationTask](../agent/preparesynchronizationtask).
+:::
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Connector required | **Type:** String **Description:** Identifier of the connector involved in the task. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| DoNotDeleteChanges default value: false | **Type:** Boolean **Description:** Do not delete change in the change tables. |
+| ForceSynchronization default value: false | **Type:** Boolean **Description:** Force the synchronization |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+| Orphans default value: false | **Type:** Boolean **Description:** Save orphans in a CSV output file |
+| Type default value: None | **Type:** PrepareSynchronizationType **Description:** Define type of prepare synchronization. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask.md
new file mode 100644
index 0000000000..97b0336341
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask.md
@@ -0,0 +1,22 @@
+---
+title: "UpdateAccessCertificationCampaignTask"
+description: "Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`."
+sidebar_position: 23
+---
+
+Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`. The task also computes the Access Certification Items to certify (applying [Access Certification Data Filter](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter) and [Access Certification Owner Filter](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter)), and fill the database with them.
+
+
+## Examples
+```xml
+ <
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask.md
new file mode 100644
index 0000000000..8c0c995994
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask.md
@@ -0,0 +1,38 @@
+---
+title: "UpdateClassificationTask"
+description: "Classifies a list of resources that are part of the resourceType data targets as an argument to this job."
+sidebar_position: 24
+---
+
+Classifies a list of resources that are part of the resourceType data targets as an argument to this job.
+
+:::warning
+You must set up the ResourceClassificationRule on resourceTypes to be able to use this job.
+:::
+
+
+## Examples
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| BatchSize default value: 0 | **Type:** Int32 **Description:** Block size for batch calculation. |
+| Dirty default value: false | **Type:** Boolean **Description:** Initiate use only dirty resources. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
+
+## Child Element: TaskEntityType
+A task entity type defines the entity type on which the task is applied.
+
+
+|Property|Details|
+|---|---|
+|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask.md
new file mode 100644
index 0000000000..b35719b5f3
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask.md
@@ -0,0 +1,34 @@
+---
+title: "UpdateEntityPropertyExpressionsTask"
+description: "Calculates either for all entities or for a list of entities the expressions and inserts the values in the database."
+sidebar_position: 25
+---
+
+Calculates either for all entities or for a list of entities the expressions and inserts the values in the database.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the task in language 1 (up to 16). |
+| AllEntityType default value: false | **Type:** Boolean **Description:** Launch to all entityTypes for the expression task.*Alternative definition*: If *TaskType* is:- TreeDimensionsRefreshTask: Refresh all dimensions. |
+| BatchSelectSize default value: 0 | **Type:** Int32 **Description:** Defines the batch select size. |
+| BatchUpdateSize default value: 0 | **Type:** Int32 **Description:** Defines the batch update size. |
+| Dirty default value: false | **Type:** Boolean **Description:** Initiate use only dirty resources. |
+| Identifier optional | **Type:** String **Description:** Unique identifier of the task. |
+
+
+## Child Element: TaskEntityType
+A task entity type defines the entity type on which the task is applied.
+
+
+|Property|Details|
+|---|---|
+|EntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type that the task is to be applied on.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype.md
new file mode 100644
index 0000000000..d5263d3bab
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype.md
@@ -0,0 +1,17 @@
+---
+title: "AccessControlEntityType"
+description: ""
+sidebar_position: 1
+---
+
+TODO
+
+## Child Element: Property
+An AccessControlEntityProperty assigns an entity property to a visibility group.
+See Access Control Property Group for more details.
+
+### Properties
+
+|Property|Details|
+|---|---|
+| VisibilityGroup optional | **Type:** Int64 **Description:** The VisibilityGroup that controls access to the property. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/binding.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/binding.md
new file mode 100644
index 0000000000..027f22255f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/binding.md
@@ -0,0 +1,10 @@
+---
+title: "Binding"
+description: ""
+sidebar_position: 2
+---
+
+Identity Manager metadata provides a simple and consistent way to present and interact with metadata. A binding is a path of scalar/navigation properties used to configure a set of property keys.
+
+## Child Element: Property
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md
new file mode 100644
index 0000000000..cdf4bb316c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/dimension.md
@@ -0,0 +1,43 @@
+---
+title: "Dimension"
+description: ""
+sidebar_position: 3
+---
+
+A dimension is an [Entity Type](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype) used to define an organizational filter for the Identity Manager role model.
+
+
+## Examples
+The following XML fragment defines the dimension `Organization0`. The dimension values are of `Directory_Organization` type. The `ColumnMapping` attribute specifies the column (0 to 127) used to store the dimension value in the assignment rule tables.
+
+```xml
+
+```
+
+Some types of entities can be organized in a hierarchical tree structure. Thus, for example, organizational units form a tree structure modeled by a `Parent` navigation property that links the entity type to itself. It is possible to use the hierarchical aspect of a dimension in an assignment rule criterion. For example, the assignment must be extended to the whole subunits of a department. Such a dimension must be declared as a hierarchical dimension by specifying the attribute `IsHierarchical="true"`.
+
+```xml
+
+
+
+...
+
+
+...
+
+```
+
+The attribute `ParentProperty` specifies the navigational property defining the hierarchy (`Parent` is the navigation property that links the `Directory_Organization` type to itself).
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ColumnMapping required | **Type:** Int32 **Description:** Specifies the corresponding column in the role model rules. |
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the dimension in language 1 (up to 16). |
+| EntityType required | **Type:** Int64 **Description:** References the linked entity type. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the dimension. |
+| IsExcludedFromRoleMining default value: false | **Type:** Boolean **Description:** `true` to exclude the dimension from role mining. 
It means that the dimension is not used as a criteria in the generated rules. |
+| IsHierarchical default value: false | **Type:** Boolean **Description:** `true` to define a hierarchical dimension. **Note:** Cannot be used without `ParentProperty`. |
+| ParentProperty optional | **Type:** Int64 **Description:** Specifies the navigational property defining the hierarchy. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entityassociation.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entityassociation.md
new file mode 100644
index 0000000000..8faa017d02
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entityassociation.md
@@ -0,0 +1,36 @@
+---
+title: "EntityAssociation"
+description: ""
+sidebar_position: 4
+---
+
+An entity association is used to model an association in Identity Manager's metadata. See the [example of a whole connector](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector) with its entity properties and associations.
+
+
+## Examples
+The following example associates one title (as a property from the entity type `Directory_UserRecord`) with several user records (as a property from the entity type `Directory_Title`).
+
+```xml
+
+```
+
+### Many-to-many association
+
+The following example associates SAB users with groups, with the possibility to link one group to several users, and one user to several groups.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the association in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the association. It must be unique to the entity model scope. |
+| IsProperty1Collection default value: false | **Type:** Boolean **Description:** `true` to define a many-to-one association. |
+| IsProperty2Collection default value: false | **Type:** Boolean **Description:** `true` to define a one-to-many association. |
+| Property1 required | **Type:** Int64 **Description:** Defines the first navigation property. A navigation property can be mono-valued or multi-valued (with its corresponding `IsPropertyCollection` set to `true`). Mono-valued navigation properties may be optimized (with a `TargetColumnIndex`) or not (without `TargetColumnIndex`). See more details under the TargetColumnIndex section of the [entity type property](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype#properties-1)'s page. |
+| Property2 required | **Type:** Int64 **Description:** Defines the second navigation property. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression.md
new file mode 100644
index 0000000000..2872eef4d6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression.md
@@ -0,0 +1,28 @@
+---
+title: "EntityPropertyExpression"
+description: ""
+sidebar_position: 5
+---
+
+An entity property expression is a property computed from a binding and/or [C#](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions) or [literal](/docs/identitymanager/current/integration-guide/toolkit/expressions#literal-expression) expressions.
+
+
+## Examples
+The following example computes the record display name.
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding optional | **Type:** Int64 **Description:** References the binding used to compute the result. |
+| EntityType required | **Type:** Int64 **Description:** Identifier of the referenced entity type |
+| Expression optional | **Type:** String **Description:** References the C# or literal expression used to compute the result. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the expression. |
+| Priority default value: 0 | **Type:** Int32 **Description:** Specifies the execution priority. |
+| Property required | **Type:** Int64 **Description:** Identifier of the referenced entity property |
+| PropertyCriteria optional | **Type:** Int64 **Description:** References the property criteria used to compute navigation properties. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitytype.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitytype.md
new file mode 100644
index 0000000000..47f780e990
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/entitytype.md
@@ -0,0 +1,91 @@
+---
+title: "EntityType"
+description: ""
+sidebar_position: 6
+---
+
+Represents a conceptual model of a business object, such as a person entity or an organization entity. See [Connector](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector) on how to configure define an EntityType.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the entity type in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the entity type. It must is be unique to the *entity model* scope. Cannot be a [reserved identifier](/docs/identitymanager/current/integration-guide/toolkit/reservedidentifiers). |
+| LicenseTag optional | **Type:** String **Description:** Value of the `Tag` parameter of the license key (in `appsettings.json`) linked to the entity type. All the features allowed by the license key are enabled for this entity type, otherwise only default features are available. |
+| TableName optional | **Type:** String **Description:** Represents the table name of hard coded entity types. Exclusively reserved to Identity Manager connector for Power BI. |
+
+## Child Element: Property
+An entity property represents a property of an [Entity Type](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype).
+See [Connector](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector) on how to configure/define an EntityProperty.
+
+
+### Examples
+#### Populate navigational property from non primary key
+
+Some configuration elements will be linked to an entity whose id is not known at configuration time. In this case, another key must be used. On each entity type property, the `IsKey` attribute specifies that the property can be used as a key during configuration import.
+
+For example, the *Code* property of the *Title* entity type is marked as a key.
+
+```xml
+
+
+ ...
+
+```
+
+All *Title* instances will be replicated from a managed system. So, at configuration time, Identity Manager's internal primary key for this *Title* is not known.
+
+We hence cannot write a *SingleRoleRule* with a Dimension criteria based on *Title* as the primary key.
+
+We can however, use a non-primary key, that is known in advance, because it depends on the managed system's data and not on Identity Manager.
+
+For example, the below `Dimension1` attribute references a *Title* entity by its *Code* value.
+
+```xml
+
+```
+
+#### Using Date Only type
+
+The `DateOnly` type (displayed as "Date Only" in the UI) is used for properties that represent calendar dates without time or timezone information. This is particularly useful for fields like birth dates, where the specific calendar date matters regardless of timezone.
+
+The `DateOnly` type uses the `yyyyMMdd` format for data exchange (e.g., `20240315` for March 15, 2024).
+
+**Example:** Defining DateOnly property for birth date
+
+```xml
+
+
+
+
+
+```
+
+**When to use DateOnly vs DateTime:**
+- Use `DateOnly` for calendar dates where timezone is not relevant (birth dates, anniversary dates, holiday dates)
+- Use `DateTime` for timestamps or events where time and timezone matter (contract start/end times, last login)
+
+**Note:** The `AddedMinutes` configuration in display properties is not applicable to `DateOnly` properties. If a property is changed from `DateTime` to `DateOnly`, any existing `AddedMinutes` configuration will be automatically ignored during import and removed during export, with warnings displayed to the user.
+
+#### Changing the multiplicity of a property
+
+It is sometimes necessary to change the multiplicity of a property (Scalar property to Navigation property or vice-versa).
+As long as the property was not used in any workflow, this can be properly handled by `Deploy-Configuration.exe`. If it *was* used in one or more workflows, foreign key conflicts (in UW_Changes database table) may occur, preventing the configuration from being deployed.
+To solve this problem, references to this property must be manually cleaned up with SQL queries directly in the database before deploying the configuration.
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the property in language 1 (up to 16). **Note:** cannot be "Id". |
+| FlexibleComparisonExpression optional | **Type:** String **Description:** Expression used to transform the query input value for comparison using a flexible operator. |
+| GroupByProperty optional | **Type:** Int64 **Description:** Property used to regroup navigation resources (resources used in navigation rules) by value. When defined, the Evaluate policy will enforce that one and only one item of a group can be assigned to an identity on a given date range. **Warning:** whenever the value of this property changes for a resource used in the defined navigation rules, the server needs to be restarted in order for the changes to be taken into account. |
+| HistoryPrecision default value: 0 | **Type:** Int32 **Description:** Defines the number of minutes to wait, after a property change, before triggering the record history mechanism. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the property. It must be unique to the parent entity type scope. Cannot be a [reserved identifier](/docs/identitymanager/current/integration-guide/toolkit/reservedidentifiers) and can only contain numbers (except the first character) and letters without accents. **Note:** cannot be "Id". 
|
+| IsKey default value: false | **Type:** Boolean **Description:** `true` if the property is designated to be one of the keys that uniquely identify any resource from the entity type in the configuration. Each entity type must have at least one key. **Note:** AD synchronization requires the `dn` property to have either `IsKey` or `EntityTypeMapping` > `Property` > `IsUniqueKey` set to `true` (key property in the UI). |
+| Language optional | **Type:** Int64 **Description:** Language associated to the property if it is localized (optional). |
+| NeutralProperty optional | **Type:** Int64 **Description:** Neutral property associated to the property if it is localized (optional). |
+| TargetColumnIndex default value: -1 | **Type:** Int32 **Description:** Specifies the corresponding column in the resource entity. `0` to `3`: scalar property whose value exceeds 443 characters. `4` to `127`: scalar property whose value does not exceed 443 characters (or optimized mono-valued navigation property : see note). `128` to `152`: optimized mono-valued navigation property only. `-1`: non-optimized mono or multi-valued navigation property (stored in `UR_ResourceLink`), or binary (stored in `UR_ResourceLink`). **Note:** optimized mono-valued navigation properties should have their `TargetColumnIndex` between 128 and 152 included to be fully optimized. However, if all are already taken, `TargetColumnIndex` from 0 to 127 included (usually for scalar properties) may also be used. In this case the first available `TargetColumnIndex` in ascending order should be used. |
+| Type default value: 0 | **Type:** EntityPropertyType **Description:** Property type. `0` - **String**. `1` - **Bytes**. `2` - **Int32**. `3` - **Int64**. `4` - **DateTime**. `5` - **Bool**. `6` - **Guid**. `7` - **Double**. `8` - **Binary**. `9` - **Byte**. `10` - **Int16**. `12` - **ForeignKey**: indicates a navigation property, i.e. a property related to an association between entities. 
`13` - **DateOnly**: Date without Time. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/index.md
new file mode 100644
index 0000000000..4a38566c05
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/index.md
@@ -0,0 +1,15 @@
+---
+title: "Metadata"
+description: "Metadata"
+sidebar_position: 10
+---
+
+# Metadata
+- [Accesscontrolentitytype](accesscontrolentitytype)
+- [Binding](binding)
+- [Dimension](dimension)
+- [Entityassociation](entityassociation)
+- [Entitypropertyexpression](entitypropertyexpression)
+- [Entitytype](entitytype)
+- [Language](language)
+- [Settings](settings)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/language.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/language.md
new file mode 100644
index 0000000000..8155e7c5ec
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/language.md
@@ -0,0 +1,23 @@
+---
+title: "Language"
+description: ""
+sidebar_position: 7
+---
+
+Represents a configuration entity used to create multilingual application.
+
+
+## Examples
+The following example declares a new language.
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Code required | **Type:** String **Description:** Unique identifier of the language (fr-FR, en-US...). |
+| IndicatorNumber required | **Type:** Int32 **Description:** Defines the default language. |
+| JsonPath optional | **Type:** String **Description:** The original translations file path |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md
new file mode 100644
index 0000000000..aac3d05187
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md
@@ -0,0 +1,61 @@
+---
+title: "AppDisplaySetting"
+description: "This setting is used to customize the application display."
+sidebar_position: 1
+---
+
+This setting is used to customize the application display.
+
+
+## Examples
+### Set colors, logos and names
+
+The following example sets:
+* "Netwrix Identity Manager" as name of the application visible on the tabs;
+* the logo to be displayed in the top left corner;
+* the favicon to be displayed on the tabs;
+* the **banner color**, **banner gradient color**, **banner selected tab color**, **banner text color**, **primary color** and **secondary color**.
+
+```xml
+
+```
+
+![AppDisplay - Tab](/images/identitymanager/AppDisplaySetting_tab_V603.webp)
+
+![Appdisplaysetting Tab V603](/images/identitymanager/AppDisplaySetting_tab_V603.webp)
+
+![AppDisplay - Authentication](/images/identitymanager/appdisplaysetting_screen1_v603.webp)
+
+### Disable counters
+
+The following example disables the counters that are usually visible on the dashboard:
+
+> ![AppDisplay - Without Counters](/images/identitymanager/appdisplaysetting_counters_v603.webp)
+
+```xml
+
+```
+
+![AppDisplay - Without Counters](/images/identitymanager/appdisplaysetting_nocounters_v603.webp)
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ApplicationName optional | **Type:** String **Description:** Name of the application, visible on the application's tabs. |
+| BannerColor optional | **Type:** String **Description:** HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. |
+| BannerGradientColor optional | **Type:** String **Description:** HEX code of the color for the banner's gradient to be visible at the middle of the banner. |
+| BannerSelectedTabColor optional | **Type:** String **Description:** HEX code of the color for the line that emphasizes the selected tab. |
+| BannerTextColor optional | **Type:** String **Description:** HEX code of the color for the banner's text. 
|
+| DisableProvisioningCounters default value: false | **Type:** String **Description:** `true` to disable the counters related to the administration screens: **Role Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and **Manual Provisioning**. |
+| FaviconFile optional | **Type:** String **Description:** Path of the favicon to be displayed in the application's tabs. |
+| FaviconMimeType optional | **Type:** String **Description:** Mime type of the favicon. |
+| FullNameSeparator default value: ¤ | **Type:** String **Description:** Separator of the full name. |
+| Identifier default value: AppDisplay | **Type:** String **Description:** Unique identifier of the setting. |
+| LogoFile optional | **Type:** String **Description:** Path of the logo to be displayed in the top left corner. |
+| LogoMimeType optional | **Type:** String **Description:** Mime type of the logo. |
+| Preview optional | **Type:** String **Description:** Documentation unavailable. |
+| PrimaryColor optional | **Type:** String **Description:** HEX code of the color for the highlighted buttons. |
+| SecondaryColor optional | **Type:** String **Description:** HEX code of the color for the background of the authentication screen. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting.md
new file mode 100644
index 0000000000..505bb0e683
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting.md
@@ -0,0 +1,24 @@
+---
+title: "ConfigurationVersionSetting"
+description: "Used to track the current configuration version."
+sidebar_position: 2
+---
+
+This setting is used to track the current configuration version.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Description optional | **Type:** String **Description:** Detailed description of the version. |
+| Identifier default value: ConfigurationVersion | **Type:** String **Description:** Unique identifier of the setting. |
+| Misc optional | **Type:** String **Description:** Misc. |
+| Version optional | **Type:** String **Description:** Version of the configuration. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting.md
new file mode 100644
index 0000000000..68d7977f86
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting.md
@@ -0,0 +1,16 @@
+---
+title: "CustomLink1Setting"
+description: "Used to display a given static HTML file to a custom URL address."
+sidebar_position: 3
+---
+
+Used to display a given static HTML file to a custom URL address.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Path_L1 required | **Type:** String **Description:** The path (relative to the configuration root) to the HTML file for language L1. |
+| Url required | **Type:** String **Description:** The URL from which the custom HTML should be displayed. Must start with an '/'. |
+| Identifier default value: CustomLink1 | **Type:** String **Description:** Unique identifier of the setting. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting.md
new file mode 100644
index 0000000000..0d8dc4360b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting.md
@@ -0,0 +1,16 @@
+---
+title: "CustomLink2Setting"
+description: "Used to display a given static HTML file to a custom URL address."
+sidebar_position: 4
+---
+
+Used to display a given static HTML file to a custom URL address.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Path_L1 required | **Type:** String **Description:** The path (relative to the configuration root) to the HTML file for language L1. |
+| Url required | **Type:** String **Description:** The url from which the custom HTML should be displayed. Must start with an '/'. |
+| Identifier default value: CustomLink2 | **Type:** String **Description:** Unique identifier of the setting. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting.md
new file mode 100644
index 0000000000..ac8608557e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting.md
@@ -0,0 +1,21 @@
+---
+title: "DashboardItemNumberSetting"
+description: "Used to customize the number of links to display on each section on the Dashboard. If no value is defined, the default value is 3. The value must be greater than 0 and less than or equal to 5."
+sidebar_position: 5
+---
+
+Used to customize the number of links to display on each section on the Dashboard. If no value is defined, the default value is 3. The value must be greater than 0 and less than or equal to 5.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| AssignedRolesSection optional | **Type:** String **Description:** Number of links to display in the Assigned Roles section. The default value is 3. The value must be greater than 0 and less than or equal to 5. |
+| Identifier default value: DashboardItemNumber | **Type:** String **Description:** Unique identifier of the setting. |
+| ManualProvisioningSection optional | **Type:** String **Description:** Number of links to display in the Manual Provisioning section. The default value is 3. The value must be greater than 0 and less than or equal to 5. |
+| MyTasksSection optional | **Type:** String **Description:** Number of links to display in the My Tasks section. The default value is 3. The value must be greater than 0 and less than or equal to 5. |
+| ProvisioningReviewSection optional | **Type:** String **Description:** Number of links to display in the Provisioning Review section. The default value is 3. The value must be greater than 0 and less than or equal to 5. |
+| ResourceReconciliationSection optional | **Type:** String **Description:** Number of links to display in the Reconciliation Review section. The default value is 3. The value must be greater than 0 and less than or equal to 5. |
+| RoleReconciliationSection optional | **Type:** String **Description:** Number of links to display in the Role Reconciliation section. The default value is 3. The value must be greater than 0 and less than or equal to 5. 
|
+| RoleReviewSection optional | **Type:** String **Description:** Number of links to display in the Role Review section. The default value is 3. The value must be greater than 0 and less than or equal to 5. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/index.md
new file mode 100644
index 0000000000..6bed1cb6b8
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/index.md
@@ -0,0 +1,43 @@
+---
+title: "Settings"
+description: "Settings"
+sidebar_position: 10
+---
+
+# Settings
+- [App Display Setting](./appdisplaysetting)
+
+This setting is used to customize the application display.
+- [Configuration Version Setting](./configurationversionsetting)
+
+Used to track the current configuration version.
+- [Custom Link1Setting](./customlink1setting)
+
+Used to display a given static HTML file to a custom URL address.
+- [Custom Link2Setting](./customlink2setting)
+
+Used to display a given static HTML file to a custom URL address.
+- [Dashboard Item Number Setting](./dashboarditemnumbersetting)
+
+Used to customize the number of links to display on each section on the Dashboard. If no value is defined, the default value is 3. The value must be greater than 0 and less than or equal to 5.
+- [Mail Setting](./mailsetting)
+
+
+- [Password Generation Setting](./passwordgenerationsetting)
+
+
+- [Password Tests Setting](./passwordtestssetting)
+
+This setting enables a check on the passwords set manually by users.
+- [Scheduling Clean Data Base Setting](./schedulingcleandatabasesetting)
+
+If the default value for the Task CleanDataBase needs to be overridden.
+- [Select All Performed By Association Query Handler Setting](./selectallperformedbyassociationqueryhandlersetting)
+
+This setting enables task delegation to a group of people.
+- [Select Personas By Filter Query Handler Setting](./selectpersonasbyfilterqueryhandlersetting)
+
+This setting is used to filter the entity type used by authentication mechanism.
+- [Select User By Identity Query Handler Setting](./selectuserbyidentityqueryhandlersetting)
+
+This attribute matches an end-user with a resource from the unified resource repository.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting.md
new file mode 100644
index 0000000000..0647343d64
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting.md
@@ -0,0 +1,25 @@
+---
+title: "MailSetting"
+description: " "
+sidebar_position: 6
+---
+
+
+
+
+## Examples
+The following example indicates that notifications for users from `Directory_User` are to be sent to the email addresses contained by the `Email` property.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier default value: MailSettings | **Type:** String **Description:** Unique identifier of the setting. |
+| LanguageCode optional | **Type:** String **Description:** Language code for the notifications sent by server-side tasks, using the ISO 639-1 standard. For example, "en-US" represents American English. |
+| MailProperty optional | **Type:** String **Description:** Property whose values are to be used by Usercube to send emails. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting.md
new file mode 100644
index 0000000000..c162e81e28
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting.md
@@ -0,0 +1,15 @@
+---
+title: "PasswordGenerationSetting"
+description: " "
+sidebar_position: 7
+---
+
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| AllowedSymbolChars required | **Type:** String **Description:** The documentation is not yet available. |
+| Identifier default value: PasswordGenerationSetting | **Type:** String **Description:** Unique identifier of the setting. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting.md
new file mode 100644
index 0000000000..b56c021bf1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting.md
@@ -0,0 +1,28 @@
+---
+title: "PasswordTestsSetting"
+description: "This setting enables a check on the passwords set manually by users."
+sidebar_position: 8
+---
+
+This setting enables a check on the passwords set manually by users.
+
+:::info
+The strength of passwords generated by Identity Manager can be configured via [`PasswordResetSettings`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings)'s `StrengthCheck`.
+:::
+
+
+## Examples
+The following example encourages users to choose a strong password with at least 9 characters including at least one digit, one lowercase letter, one uppercase and one special character.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier default value: PasswordTests | **Type:** String **Description:** Unique identifier of the setting. |
+| PasswordRegex optional | **Type:** String **Description:** Regular expression(s) (regex) that users' passwords must match to be acceptable when set manually. When setting several regex, passwords must match all of them to be considered strong, and 70% to be considered average. Below that, a password is considered weak and cannot be confirmed.**Default value:** `'^..*$', '^...*$', '^....*$', '^.....*$', '^......*$', '^.......*$', '^........*$', '^.........*$', '^..........*$', '^.*[0-9].*$', '^.*[a-z].*$', '^.*[A-Z].*$', '^.*[^A-Za-z0-9].*$'` |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting.md
new file mode 100644
index 0000000000..2c201291be
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting.md
@@ -0,0 +1,23 @@
+---
+title: "SchedulingCleanDataBaseSetting"
+description: "If the default value for the Task CleanDataBase needs to be overridden."
+sidebar_position: 9
+---
+
+If the default value for the Task CleanDataBase needs to be overridden.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| CronTabExpression optional | **Type:** String **Description:** Define the cron to launch the CleanDatabase Job. |
+| Identifier default value: SchedulingCleanDataBase | **Type:** String **Description:** Unique identifier of the setting. |
+| Timeout optional | **Type:** String **Description:** Defines the maximum time a Job or Task can wait after the last run. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting.md
new file mode 100644
index 0000000000..1f01cd5be4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting.md
@@ -0,0 +1,24 @@
+---
+title: "SelectAllPerformedByAssociationQueryHandlerSetting"
+description: "This setting enables task delegation to a group of people."
+sidebar_position: 10
+---
+
+This setting enables task delegation to a group of people.
+
+
+## Examples
+```xml
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding optional | **Type:** String **Description:** Defines the binding used to get the list of identities to delegate to. |
+| Identifier default value: SelectAllPerformedByAssociationQueryHandler | **Type:** String **Description:** Unique identifier of the setting. |
+| RootEntityType optional | **Type:** String **Description:** Indicates the entity type on which the delegation is applied. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting.md
new file mode 100644
index 0000000000..dfa5037c11
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting.md
@@ -0,0 +1,27 @@
+---
+title: "SelectPersonasByFilterQueryHandlerSetting"
+description: "This setting is used to filter the entity type used by authentication mechanism."
+sidebar_position: 11
+---
+
+This setting is used to filter the entity type used by authentication mechanism.
+
+
+## Examples
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier default value: SelectPersonasByFilterQueryHandler | **Type:** String **Description:** Unique identifier of the setting. |
+| MailProperty optional | **Type:** String **Description:** Defines the mail property.**Note:** required to receive the email for two-way password reset, when relevant. |
+| OwnerPhotoTagProperty optional | **Type:** String **Description:** Defines the photo tag property. |
+| PersonTypeFilter optional | **Type:** String **Description:** The documentation is not yet available. |
+| PersonTypeFilterProperty optional | **Type:** String **Description:** Defines the filter property |
+| PhotoProperty optional | **Type:** String **Description:** The documentation is not yet available. |
+| ResourceDisplayNameProperty optional | **Type:** String **Description:** Represents the display property. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting.md
new file mode 100644
index 0000000000..2599dabf69
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting.md
@@ -0,0 +1,55 @@
+---
+title: "SelectUserByIdentityQueryHandlerSetting"
+description: "This attribute matches an end-user with a resource from the unified resource repository."
+sidebar_position: 12
+---
+
+This attribute matches an end-user with a resource from the central repository.
+
+Authorization mechanisms within Identity Manager rely on assigning a profile to a resource that stands for the end-user digital identity.
+
+To that end, end-user authentication credentials are linked to such an identity using the following pattern:
+
+1. authentication credentials are retrieved;
+2. authentication credentials are trimmed using the `AfterToken` and/or `BeforeToken` attributes;
+3. the trimmed result is matched against the `ResourceIdentityProperty` of resources with the entity type specified by `OwnerEntityType`;
+4. the matching resource is used to find a profile and authorization for that digital identity.
+
+:::warning
+After modifying the authentication mode via `SelectUserByIdentityQueryHandlerSetting`, Identity Manager server must be restarted. On a SaaS environment, contact your Identity Manager administrator.
+:::
+
+
+## Examples
+The following example links the authentication credentials of an end-user to its matching resource of EntityType **Directory_User**.
+
+In this example, authentication has been set up using [Integrated Windows Authentication](/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/end-users-authentication#set-up-integrated-windows-authentication-iwa). In that case, the login used by the end-user is in the form `DOMAIN/userName`.
+
+The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`.
+
+The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of **Directory_User** resources.
+
+The matching **Directory_User** resource is the resource that stands for the end-user identity within Identity Manager.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| AfterToken optional | **Type:** String **Description:** Second character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. |
+| BeforeToken optional | **Type:** String **Description:** First character used to trim the authentication login.The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. |
+| Identifier default value: SelectUserByIdentityQueryHandler | **Type:** String **Description:** Unique identifier of the setting. |
+| OwnerEntityType optional | **Type:** String **Description:** Entity type of the resources used to store digital identities within Usercube. |
+| OwnerPhotoTagProperty optional | **Type:** String **Description:** Photo property for Usercube users. |
+| ResourceDisplayNameProperty optional | **Type:** String **Description:** Property used for displaying login data at the top right of the application. |
+| ResourceIdentityProperty optional | **Type:** String **Description:** Identity-resource property supposed to match the authentication login used by the end-user. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/index.md
new file mode 100644
index 0000000000..2e43278f5b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/index.md
@@ -0,0 +1,10 @@
+---
+title: "Notifications"
+description: "Notifications"
+sidebar_position: 10
+---
+
+# Notifications
+- [Notification](notification)
+- [Notificationtemplate](notificationtemplate)
+- [Notifications](notifications)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notification.md
new file mode 100644
index 0000000000..63aab6131b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notification.md
@@ -0,0 +1,38 @@
+---
+title: "Notification"
+description: ""
+sidebar_position: 1
+---
+
+A notification can be configured to be sent to a given user on a regular basis at specified times, through the [`SendNotificationsTask`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask) as part of a job.
+
+
+## Examples
+The following example defines a notification to inform/remind managers of the arrival of new employees in their team.
+
+The notification is built based on:
+* the template `Notification.cshtml`;
+* the styles `Notification.css`;
+* the subject defined by `TitleExpression`.
+
+The notification is sent for each new user, i.e. each user whose contract start date is in the future. The notification is sent to the new user's manager(s).
+
+The notification will be sent again as a reminder after 7 days, by the next `SendNotificationsTask`.
+
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the notification. |
+| OwnerEntityType required | **Type:** Int64 **Description:** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression` and `QueryFilterExpression`. |
+| QueryFilterExpression optional | **Type:** String **Description:** C# expression that returns a Identity Manager Squery in order to define the sending condition of the notification. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions).
|
+| RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. |
+| RecipientMailBinding optional | **Type:** Int64 **Description:** Binding of the property that corresponds to the email addresses that will receive the notification. |
+| ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
+| TitleExpression optional | **Type:** String **Description:** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. **Note:** This property is only supported for custom notifications. Typed notifications (such as AccessCertificationNotification, RoleReviewNotification, ProvisioningReviewNotification, and ManualProvisioningNotification) use predefined templates and do not support title customization via this property. Use [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) for customizing typed notifications instead. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md
new file mode 100644
index 0000000000..a4aa5265d2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md 
@@ -0,0 +1,35 @@
+---
+title: "AccessCertificationNotification"
+description: "Reminder notification concerning access certification."
+sidebar_position: 1
+---
+
+Reminder notification concerning access certification.
+
+## Examples
+
+The following example sends after 2 days a reminder notification to users who were already notified by the native notification for access certification (on resources from `Directory_User`) and have not yet performed the action.
+
+```xml
+
+```
+
+The following example sends the exact same notification as the previous example, but with different templates for the content and the styles.
+
+```xml
+
+```
+
+:::note
+The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element.
+:::
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier required | **Type:** String **Description:** Unique identifier of the notification. |
+| OwnerEntityType required | **Type:** String **Description:** Identifier of the entity type that represents the population affected by the notification. |
+| CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification.
|
+| RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
+| ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md
new file mode 100644
index 0000000000..aa5998210c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md
@@ -0,0 +1,22 @@
+---
+title: "Notifications"
+description: "Notifications"
+sidebar_position: 10
+---
+
+# Notifications
+- [Access Certification Notification](./accesscertificationnotification)
+
+Reminder notification concerning access certification.
+- [Manual Provisioning Notification](./manualprovisioningnotification)
+
+Reminder notification concerning manual provisioning.
+- [Provisioning Review Notification](./provisioningreviewnotification)
+
+Reminder notification concerning provisioning review.
+- [Role Policy Notification](./rolepolicynotification)
+
+Reminder notification concerning role model tasks.
+- [Role Review Notification](./rolereviewnotification)
+
+Reminder notification concerning role review.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md
new file mode 100644
index 0000000000..350f54a76a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md
@@ -0,0 +1,35 @@
+---
+title: "ManualProvisioningNotification"
+description: "Reminder notification concerning manual provisioning."
+sidebar_position: 2
+---
+
+Reminder notification concerning manual provisioning.
+
+## Examples
+
+The following example sends after 2 days a reminder notification to users who were already notified by the native notification for manual provisioning (on resources from `Directory_User`) and have not yet performed the action.
+
+```xml
+
+```
+
+The following example sends the exact same notification as the previous example, but with different templates for the content and the styles.
+
+```xml
+
+```
+
+:::note
+The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element.
+:::
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier required | **Type:** String **Description:** Unique identifier of the notification. |
+| OwnerEntityType required | **Type:** String **Description:** Identifier of the entity type that represents the population affected by the notification. |
+| CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification.
|
+| RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
+| ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md
new file mode 100644
index 0000000000..a0a1b9ec6c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md
@@ -0,0 +1,35 @@
+---
+title: "ProvisioningReviewNotification"
+description: "Reminder notification concerning provisioning review."
+sidebar_position: 3
+---
+
+Reminder notification concerning provisioning review.
+
+## Examples
+
+The following example sends after 2 days a reminder notification to users who were already notified by the native notification for provisioning review (on resources from `Directory_User`) and have not yet performed the action.
+
+```xml
+
+```
+
+The following example sends the exact same notification as the previous example, but with different templates for the content and the styles.
+
+```xml
+
+```
+
+:::note
+The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element.
+:::
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier required | **Type:** String **Description:** Unique identifier of the notification. |
+| OwnerEntityType required | **Type:** String **Description:** Identifier of the entity type that represents the population affected by the notification. |
+| CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification.
|
+| RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
+| ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification.md
new file mode 100644
index 0000000000..6bbf6f4247
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification.md
@@ -0,0 +1,14 @@
+---
+title: "RolePolicyNotification"
+description: "Reminder notification concerning role model tasks."
+sidebar_position: 4
+---
+
+Reminder notification concerning role model tasks.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier optional | **Type:** String **Description:** Unique identifier of the notification. |
+
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md
new file mode 100644
index 0000000000..d7c8715500
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md
@@ -0,0 +1,35 @@
+---
+title: "RoleReviewNotification"
+description: "Reminder notification concerning role review."
+sidebar_position: 5
+---
+
+Reminder notification concerning role review.
+
+## Examples
+
+The following example sends after 2 days a reminder notification to users who were already notified by the native notification for role review (on resources from `Directory_User`) and have not yet performed the action.
+
+```xml
+
+```
+
+The following example sends the exact same notification as the previous example, but with different templates for the content and the styles.
+
+```xml
+
+```
+
+:::note
+The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element.
+:::
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier required | **Type:** String **Description:** Unique identifier of the notification. |
+| OwnerEntityType required | **Type:** String **Description:** Identifier of the entity type that represents the population affected by the notification. |
+| CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification.
|
+| RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
+| ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md
new file mode 100644
index 0000000000..f66f941135
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md
@@ -0,0 +1,34 @@
+---
+title: "NotificationTemplate"
+description: ""
+sidebar_position: 2
+---
+
+A notification template is used to overwrite the subject and/or body of a [native notification](/docs/identitymanager/current/integration-guide/notifications/native) with personalized templates.
+
+
+## Examples
+The following example overwrites the template of the notification provided by Identity Manager for role review.
+
+```xml
+
+```
+
+The following example defines a template for the notification's subject.
+
+```
+// WorkflowReviewRolesSummary_Subject.cshtml
+@using Usercube.Application.DeltaProvisioning.Notification
+@model WorkflowReviewRolesSummary
+
+Review Roles - @(@Model.AssignedCompositeRoles.Any() ? @Model.AssignedCompositeRoles.FirstOrDefault().Owner.FullName : @Model.AssignedSingleRoles.FirstOrDefault().Owner.FullName)
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| BodyTemplate_L1 optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). **Note:** the path must be relative to the configuration folder, and the file must be inside it. |
+| Identifier required | **Type:** String **Description:** Identifier of the native notification to adjust, among: - `BlockedProvisioningInformations` - `OneWayPasswordReset` - `PendingAccessCertificationModel` - `PerformManualProvisioningSummary` - `RolePolicySummary` - `RunJobNotification` - `TwoWayPasswordReset` - `WorkflowReviewProvisioningSummary` - `WorkflowReviewRolesSummary` |
+| SubjectTemplate_L1 optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's subject template in language 1 (up to 16). **Note:** the path must be relative to the configuration folder, and the file must be inside it. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md
new file mode 100644
index 0000000000..01a1dae94f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md
@@ -0,0 +1,90 @@
+---
+title: "AutomationRule"
+description: ""
+sidebar_position: 1
+---
+
+Automation rules make automatic decisions instead of the reviewer on assignments that still need to be reviewed after a given waiting period.
+
+There are distinct types of automation rules:
+
+* a composite role automation rule targets the assigned composite roles corresponding to a given composite role.
+
+ `CompositeRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `CompositeRole`, and requires specifying the `CompositeRole` property;
+
+* a single role automation rule targets the assigned single roles corresponding to a given single role.
+
+ `SingleRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `SingleRole`, and requires specifying the `SingleRole` property;
+
+* a resource type automation rule targets the assigned resource types corresponding to a given resource type.
+
+ `ResourceTypeAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `ResourceType`, and requires specifying the `ResourceType` property;
+
+* a category automation rule targets the assigned roles and resource types corresponding to a given category and a given entity type.
+
+ `CategoryAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Category`, and requires specifying the `Category` and `EntityType` properties;
+
+* a policy automation rule targets the assigned roles and resource types corresponding to a given policy and a given entity type.
+
+ `PolicyAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Policy`, and requires specifying the `Policy` and `EntityType` properties.
+
+:::note
+NETWRIX recommends always using the typed syntax.
+
+For example, you should always use `SingleRoleAutomationRule`, rather than `AutomationRule` with `Type` set to `CompositeRole`.
+:::
+
+All these rules target the assignments which have a specific workflow state which is specified in the rule.
+
+Automation rules can also specify dimensions.
+
+One assignment should be involved in the decision of only one automation rule. However, one assignment can easily be targeted by several automation rules. In this case, the Provisioning Policy algorithm prioritizes the most specific rule.
+
+> For example, considering an assigned composite role, Identity Manager's algorithm prioritizes a composite role automation rule, before a category automation rule, before a policy automation rule.
+
+After this prioritization, when an assignment is still targeted by several rules due to dimensions, then Identity Manager prioritizes a rule implying a decline decision.
+
+
+## Examples
+In the following example, the two first rules are equivalent (except for the workflow state's value), but the second one shows the preferred syntax.
+
+```xml
+ This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the first of two required approvals for more than one hour:
+
+
+ This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the second of two required approvals for more than one hour:
+
+
+ This rule approves all the assignments of the "BO028" single role, which are waiting for their required approval for more than one hour:
+
+
+ This rule approves all the assignments of the "SAB_User_NominativeUser" resource type, which are waiting for their required approval for more than one hour:
+
+
+ This rule declines all the assignments to the entity type "Directory_User" concerning the "IT Administration" category, which are waiting for the first of two required approvals for more than one hour:
+
+
+ This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during a synchronization without a linked automatic rule, for more than one hour:
+
+
+ This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, 
which are found during the first synchronization without a linked automatic rule, for more than one hour:
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Category optional | **Type:** Int64 **Description:** Identifier of the category targeted by the rule. |
+| CompositeRole optional | **Type:** Int64 **Description:** Identifier of the composite role targeted by the rule. |
+| D0 optional | **Type:** Int64 **Description:** Value of the dimension 0 (up to 127) that filters the assignments targeted by the rule. |
+| Decision default value: 0 | **Type:** AutomationRuleDecision **Description:** Decision to apply on the targeted assignments. `0` - Approve. `1` - Decline. |
+| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type targeted by the rule. This property should not be specified when writing an automation rule among the following: composite role automation rule; single role automation rule; resource type automation rule. These rules imply the entity type. |
+| HoursToWait default value: -1 | **Type:** Int32 **Description:** Waiting period (in hours) from the most recent change in the workflow state of the assignments, before the decision can be applied. |
+| L0 default value: false | **Type:** Boolean **Description:** `true` to indicate that the rules targets the assignments with not only the dimension 0 (up to 127), but also this dimension's child elements. |
+| Policy optional | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| ResourceType optional | **Type:** Int64 **Description:** Identifier of the resource type targeted by the rule. |
+| SingleRole optional | **Type:** Int64 **Description:** Identifier of the single role targeted by the rule. |
+| Type required | **Type:** AutomationRuleType **Description:** Object type targeted by the rule. `0` - CompositeRole. `1` - SingleRole. `2` - ResourceType. `4` - Category. `5` - Policy. 
|
+| WorkflowState default value: 0 | **Type:** WorkflowState **Description:** Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added.**Note:** usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. 
![Workflow State: Declined](/images/identitymanager/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. ![Workflow State: Calculated](/images/identitymanager/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined or an automatic rule is now outdated. [See more details](/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation#property-reconciliation-with-role-reconciliation). ![Workflow State: Cancellation](/images/identitymanager/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). ![Workflow State: Suggested](/images/identitymanager/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). **Info:** the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). 
`24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#discardmanualassignments). ![Workflow State: Approved - Questioned](/images/identitymanager/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. ![Workflow State: Pending Approval (Risk)](/images/identitymanager/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. ![Workflow State: Prolonged](/images/identitymanager/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/images/identitymanager/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/images/identitymanager/118_givenbyarole_v603.webp) |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/category.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/category.md
new file mode 100644
index 0000000000..3825458a24
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/category.md
@@ -0,0 +1,26 @@
+---
+title: "Category"
+description: ""
+sidebar_position: 2
+---
+
+A category is a classification of Composite Roles, [Single Roles or/and [Resource Types](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype). It can be used to group multiple roles of the same context.
+
+
+## Examples
+The following example declares a new category called "Shares - Public".
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Description_L1 optional | **Type:** String **Description:** Describe this category in detail. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the category in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the category. |
+| IsCollapsed default value: false | **Type:** Boolean **Description:** Defines if the category must be collapsed by default in the permission list of a resource (View Permissions popup and roles basket). |
+| Parent optional | **Type:** Int64 **Description:** Represents the parent category definition. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the category is part of. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerole.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerole.md
new file mode 100644
index 0000000000..0e98131c86
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerole.md
@@ -0,0 +1,49 @@
+---
+title: "CompositeRole"
+description: ""
+sidebar_position: 3
+---
+
+Defines basic information about a composite role.
+Composite roles identify affiliations or job functions by which users can be grouped.
+A composite role is a business role comprehensible by managers. It provides a layer of abstraction above existing entitlements, technical roles and single roles.
+
+Roles can be used to:
+- Grant various types and levels of access.
+- Restrict access to sensitive information assets by grouping entitlements in a form that is meaningful to the business.
+- Grant the minimum privileges required by an individual to perform his/her job.
+
+Roles can be requested manually, or they can be configured to be assigned automatically via a [Composite Role Rule](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule).
+To further control access, roles can be related via required, inherited, or permitted relationships.
+
+
+## Examples
+The following example declares a new composite role.
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ApprovalWorkflowType default value: 0 | **Type:** ProvisioningPolicyApprovalWorkflow **Description:** Number of validations required to assign manually the composite role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. |
+| Category optional | **Type:** Int64 **Description:** Identifier of the category that the role is part of. |
+| CommentActivationOnApproveInReview default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. 
|
+| CommentActivationOnDeclineInReview default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| Description_L1 optional | **Type:** String **Description:** Detailed description of the single role in language 1 (up to 16). |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the composite role in language 1 (up to 16). |
+| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type whose resources can receive the composite role. |
+| GracePeriod optional | **Type:** Int32 **Description:** Duration (in minutes) for which a lost automatic composite role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. 
|
+| HideOnSimplifiedView default value: false | **Type:** Boolean **Description:** `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the composite role. |
+| ImplicitApproval default value: 0 | **Type:** Byte **Description:** Indicates if the validation steps of the composite role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. |
+| ManualAssignmentEndDateLockedToContextMode default value: Inherited | **Type:** RoleManualAssignmentEndDateLockedToContextMode **Description:** Inherited (default value): Use the policy's ManualAssignmentEndDateLockedToContextMode value. ExplicitNotContextBoundByDefault: The manual assignments' end date can be specified by the user or can be locked to match the end date specified by context rules. By default, in the UI, it is not automatically locked. ExplicitContextBoundByDefault: The manual assignments' end date can be specified by the user or can be locked to match the end date specified by context rules. By default, in the UI, it is automatically locked. Never: The manual assignments' end date needs to be specified. Always: The manual assignments' end date cannot be modified. They are computed by the policy to match the end date specified by context rules. |
+| MaxDuration optional | **Type:** Int32 **Description:** Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. 
If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the role is part of. |
+| ProlongationWithoutApproval default value: 0 | **Type:** ProlongationWithoutApproval **Description:** Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. |
+| R0 default value: false | **Type:** Boolean **Description:** `true` to set the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)) as a required parameter when assigning the role. |
+| Tags optional | **Type:** String **Description:** Tags of the roles targeted by the campaign filter. The tag separator is `¤`. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule.md
new file mode 100644
index 0000000000..473aa7134e
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule.md
@@ -0,0 +1,29 @@
+---
+title: "CompositeRoleRule"
+description: ""
+sidebar_position: 4
+---
+
+A composite role rule assigns a composite role to users who match given criteria.
+
+
+## Examples
+The following example declares a new rule to give the composite role "HR_Accounting" to all the "FCT0008" users.
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| D0 optional | **Type:** Int64 **Description:** Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to assign the composite role to users whose country is `France`. |
+| IsDenied default value: false | **Type:** Boolean **Description:** `true` to forbid the assignment instead of applying it. |
+| L0 default value: false | **Type:** Boolean **Description:** `true` to activate inheritance for `D0` (up to 127). |
+| ParentRole optional | **Type:** Int64 **Description:** Identifier of a composite role that users must have to trigger the rule. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| Role required | **Type:** Int64 **Description:** Identifier of the composite role to be assigned. |
+| Type default value: 0 | **Type:** RuleType **Description:** Type of the rule. `0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers, these assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/context.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/context.md
new file mode 100644
index 0000000000..72dbf07c93
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/context.md
@@ -0,0 +1,18 @@
+---
+title: "Context"
+description: ""
+sidebar_position: 5
+---
+
+A context is the result of the combination of all identity-related entities, for example personal data, contracts or positions, so that all dimension values contained in a given context are valid for a given user on a given period of time.
+
+Contexts define the resources' scopes of responsibility. They are used during provisioning to simplify the application of the role model's rules based on dimensions.
+
+[See more information about context generation](/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change#contexts).
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Automatic default value: false | **Type:** Boolean **Description:** Specifies the automatic assignments. |
+| D0 optional | **Type:** Int64 **Description:** Dimension0 identifier, specifies the scope in which the assignment is restricted. Going from 0 to 127. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md
new file mode 100644
index 0000000000..52e6a35c4a
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md
@@ -0,0 +1,159 @@
+---
+title: "ContextRule"
+description: ""
+sidebar_position: 6
+---
+
+A context rule configures, for the identities of a given entity type, the generation of contexts which are used in provisioning to simplify the application of the role model's rules.
+
+A context rule should be created for each entity type for which we want to assign entitlements automatically based on users' attributes.
+
+Without a context rule, automatic entitlements (assigned via the role model's rules):
+* cannot be assigned based on users' attributes;
+* don't have specific start and end dates, so they are valid from the resource creation until its deletion.
+
+[See more information about context generation](/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change#contexts).
+
+:::note
+A context rule can be configured with [record sections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection) in situations where a user needs to be modeled by several contexts over time or simultaneously.
+
+Without record sections, a context rule can generate only one context per user. This means that users cannot have more than one contract, or position, at a time, and that data changes cannot be anticipated.
+:::
+
+
+## Examples
+The following example generates contexts, i.e. sets of dimension-value pairs, for users from `Directory_User` as resources of `Directory_User:Records`.
+
+Both the start and end dates of the future contexts are defined with C# expressions based on users' contract and position start/end dates.
+
+All contexts are to be made of the properties specified by the bindings `B0` to `B7`.
+
+```xml
+
+```
+
+### ExcludeExpression
+
+The following example is similar to the previous one, except that we choose to exclude users declared as "draft" from the role model and provisioning calculations.
+
+```xml
+
+```
+
+:::info
+This option can exclude workers who are not validated yet, or who have left the company, for example.
+:::
+
+### RiskFactorType
+
+The following example is similar to the previous one, except that we force the final risk score of a user to be the maximum value of all their risk scores.
+
+
+```xml
+
+```
+
+### Role mining
+
+Context rules also contain some parameters for [role mining](/docs/identitymanager/current/user-guide/optimize/assignment-automation/role-mining).
+
+Users are distributed in a hypercube made of all dimensions, like in the following table (left) when we have only 2 dimensions, where for example `1`, `2`, `3`, etc. are users' possible locations, and `A`, `B`, `C`, etc. are users' possible departments in the company. When considering one dimension and sorting the dimension values per user percentage, we get the following table (right).
+
+![Role Mining Tables](/images/identitymanager/contextrules_rolemining.webp)
+
+The tables here represent a simple situation with few dimensions. But the higher the number of dimensions, the more complex are role mining's computations. This is known as the curse of dimensionality.
+
+The following example is similar to the first one, except that we customize some role mining parameters which help tackle the curse of dimensionality:
+* `MinIdentitiesCount` establishes that the role mining's engine will generate a role assignment rule only when the rule is applicable to at least 5 users;
+* `ReductionOutlierPercentage` establishes that the role mining's engine will consider the last 2.0% dimension values (from `Y` to `Z` in the table above) to be grouped together in a single category "Others".
+ :::info
+ The definition of the outlier percentage is particularly useful when managing, for example a services company with thousands of distinct organizations, where many organizations contain only one or two users. 
We can safely choose to group into a single fictitious organization the 2% of all users that involve the smallest organizations.
+ :::
+
+```xml
+
+```
+
+### Certification items
+
+:::info
+Unlike `ResourcesStartBinding` and `ResourcesEndBinding`, `ResourcesStartExpression` and `ResourcesEndExpression` cannot be used to define the resources to include in the related certification campaigns. Thus, when needing to define which resources to include with more than start/end bindings, add a comparison based on `ResourceCertificationComparisonBinding`, `ResourceCertificationComparisonOperator` and `ResourceCertificationComparisonValue`.
+:::
+
+The following example includes in certification campaigns only the resources that have their `IsActivePosition` property set to `1`.
+
+```xml
+
+```
+
+**Note:** must be configured together with the other `ResourceCertificationComparison` properties.
+**Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, TODO:
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| B0 optional | **Type:** Int64 **Description:** Binding of the dimension 0 (up to 3V in [base32hex](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)). The dimension can then be used in rules to filter the rules' targets. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the context rule in language 1 (up to 16). |
+| ExcludeExpression optional | **Type:** String **Description:** C# expression that defines the resources to exclude from context generation, because they should not be part of the role model and provisioning calculations. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the context rule. 
|
+| MinIdentitiesCount default value: 0 | **Type:** Int32 **Description:** Minimum number of identities to take into account to generate a rule by the role mining engine. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| ReductionOutlierPercentage default value: 0.0 | **Type:** Float **Description:** Proportion of identities that are grouped together by role mining to aggregate all the small entities in one "other" category. This is used to speed up the mining process as the number of groups can be greatly reduced. |
+| ResourceCertificationComparisonBinding optional | **Type:** Int64 **Description:** import ContextruleCertification from '@site/docs/identitymanager/current/_partials/contextrule-certification.mdx'; Binding of the property whose value is to be compared to `ResourceCertificationComparisonValue` in order to specify the resources to include in the related certification campaigns. |
+| ResourceCertificationComparisonOperator optional | **Type:** QueryComparisonOperator **Description:** import ContextruleCertification from '@site/docs/identitymanager/current/_partials/contextrule-certification.mdx'; Operator of the comparison that specifies the resources to include in the related certification campaigns. |
+| ResourceCertificationComparisonValue optional | **Type:** String **Description:** import ContextruleCertification from '@site/docs/identitymanager/current/_partials/contextrule-certification.mdx'; Value to be compared to the value of `ResourcesCertificationComparisonBinding` in order to specify the resources to include in the related certification campaigns. |
+| ResourcesBinding optional | **Type:** Int64 **Description:** Binding that represents the entity type of the contexts to be created from the `SourceEntityType`. It can also be defined via `ResourcesExpression`. 
| +| ResourcesEndBinding optional | **Type:** Int64 **Description:** Binding of the date property among those from `ResourcesBinding` which specifies the end of validity for all [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) of the context. It can also be defined via `ResourcesEndExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection). | +| ResourcesEndExpression optional | **Type:** String **Description:** Expression based on the `ResourcesBinding` entity type that defines the end of validity for all [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) of the context. It can also be defined via `ResourcesEndBinding`. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection). | +| ResourcesExpression optional | **Type:** String **Description:** Expression based on `SourceEntityType` that defines the entity type of the contexts to be created. It can also be defined via `ResourcesBinding`. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). 
| +| ResourcesStartBinding optional | **Type:** Int64 **Description:** Binding of the date property among those from `ResourcesBinding` which specifies the beginning of validity for all [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) of the context. It can also be defined via `ResourcesStartExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection). | +| ResourcesStartExpression optional | **Type:** String **Description:** Expression based on the `ResourcesBinding` entity type that defines the beginning of validity for all [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) of the context. It can also be defined via `ResourcesStartBinding`. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection). | +| RiskFactorType optional | **Type:** RiskFactorType **Description:** Operator used to aggregate a user's risk scores together to compute the user's global risk score. `0` - **None**. `1` - **Max**: a user's final risk score is the maximum value among all their risk scores. `2` - **Average**: a user's final risk score is the average value of all their risk scores. | +| SourceEntityType required | **Type:** Int64 **Description:** Identifier of the entity type of the parent resource. | 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/index.md
new file mode 100644
index 0000000000..f48b338035
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/index.md
@@ -0,0 +1,24 @@
+---
+title: "Provisioning"
+description: "Provisioning"
+sidebar_position: 10
+---
+
+# Provisioning
+- [Automationrule](automationrule)
+- [Category](category)
+- [Compositerole](compositerole)
+- [Compositerolerule](compositerolerule)
+- [Context](context)
+- [Contextrule](contextrule)
+- [Indirectresourcerule](indirectresourcerule)
+- [Miningrule](miningrule)
+- [Policy](policy)
+- [Recordsection](recordsection)
+- [Resourceclassificationrule](resourceclassificationrule)
+- [Resourcecorrelationrule](resourcecorrelationrule)
+- [Resourcetype](resourcetype)
+- [Risk](risk)
+- [Rolemapping](rolemapping)
+- [Singlerole](singlerole)
+- [Singlerolerule](singlerolerule)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule.md
new file mode 100644
index 0000000000..b1e6bb07f2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule.md
@@ -0,0 +1,31 @@
+---
+title: "IndirectResourceRule"
+description: ""
+sidebar_position: 7
+---
+
+An indirect resource rule is a link between a resource and its indirect groups, equivalent in another system and the indirect groups of the equivalent in the other system.
+
+
+## Examples
+For example:
+```xml
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Correspondence optional | **Type:** Int64 **Description:** Property used to link the resource with an associated resource in another system, like Microsoft Entra ID (formerly Azure Active Directory) or SharePoint groups. |
+| CorrespondenceMembershipProperty optional | **Type:** Int64 **Description:** Same as Property but for the associated resource found in the external system. |
+| Entitlement optional | **Type:** Int64 **Description:** Property used if the assignment is not given by the property in the external system. In the example, the assignment that we are looking for is not whether a user is in a group. Instead, it is the entitlement(s) given by the groups of which the user is a member. |
+| Property required | **Type:** Int64 **Description:** Resource property for membership. Example: if our entity is a group, the group(s) it belongs to. |
+| ResourceType required | **Type:** Int64 **Description:** Represents the Id of the ResourceType you want to use the rule on. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/miningrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/miningrule.md
new file mode 100644
index 0000000000..c0cadf7847
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/miningrule.md
@@ -0,0 +1,64 @@ +--- +title: "MiningRule" +description: "" +sidebar_position: 8 +--- + +After roles are assigned to users, Identity Manager can use mining rules to perform role mining. Role mining means that Identity Manager analyzes existing assignments in order to suggest [single role rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) which will assign [single roles](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerole) to certain users matching given criteria. + +:::info +The [role mining task](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask) replaces the existing single role rules in the specified rule policy with the new generated ones. +::: + + +## Examples +The following example set of mining rules targets the roles owned by users from `Directory_User`. These mining rules are part of the `Default` policy while the role assignment rules are to be generated to be part of the `Mining` policy. + +:::note +The following rules have a different impact whether they are applied individually, or all together. Indeed, during role mining, the first mining rule of type `Required` applies to given roles with a given precision, then the second mining rule applies to a larger group of roles but only to those still with no linked single role rules. +::: + +* The first rule will generate required rules (i.e. automatic assignments) for sensitive assignments that require 2 or 3 validations, with a high precision (via `PrecisionMinPercentage` and `FalsePositiveMaxPercentage`). + + ```xml + + ``` + +* The second rule will generate required rules (i.e. automatic assignments) for all assignments, with a lower precision. + + ```xml + + ``` + +* The third rule will generate suggested rules (i.e. assignments listed as suggested in users' permission baskets) for all assignments, with an even lower precision. 
+ + ```xml + + ``` + + + + +## Properties + +|Property|Details| +|---|---| +| Category optional | **Type:** Int64 **Description:** Identifier of the category containing the roles targeted by role mining's analysis. | +| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type that represents the owners of the roles targeted by role mining's entitlement analysis. | +| ExcludeRole default value: false | **Type:** Boolean **Description:** `true` to ignore the specified roles during the mining process triggered by the next mining rules (in terms of priority). | +| FalsePositiveMaxPercentage default value: 0.0 | **Type:** Float **Description:** Maximum authorized percentage of false positive assignments, i.e. roles that are assigned to users who should not have them. NETWRIX recommends around 1%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| IncludeDoubleValidation default value: true | **Type:** Boolean **Description:** `true` to include in role mining's analysis the roles requiring two validations. | +| IncludeNoValidation default value: true | **Type:** Boolean **Description:** `true` to include in role mining's analysis the roles requiring zero validations. | +| IncludeSimpleValidation default value: true | **Type:** Boolean **Description:** `true` to include in role mining's analysis the roles requiring one validation. | +| IncludeTripleValidation default value: true | **Type:** Boolean **Description:** `true` to include in role mining's analysis the roles requiring three validations. | +| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the mining rule is part of. 
| +| PrecisionMinPercentage default value: 100.0 | **Type:** Float **Description:** Minimum authorized percentage of correct role assignments, considering both the roles that are assigned to users who should have them, and the roles that are not assigned to users who should not have them. NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| Priority default value: 0 | **Type:** Int32 **Description:** Priority order of the mining rule. Identity Manager applies mining rules one after the other in descending order. **Info:** a mining rule can generate single role rules only for the single roles that were not already associated with a single role rule by another mining rule during the same role mining task. | +| RulePolicy optional | **Type:** Int64 **Description:** Identifier of the policy that the generated single role rules are to be part of. **Note:** NETWRIX recommends using a policy dedicated to role mining in order not to remove existing assignment rules. | +| RuleType default value: 0 | **Type:** Int32 **Description:** Represents the type of the generated single role rules. `0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/policy.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/policy.md new file mode 100644 index 0000000000..9693e5618b --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/policy.md 
@@ -0,0 +1,43 @@ +--- +title: "Policy" +description: "" +sidebar_position: 9 +--- + +A policy is a role-based access control (RBAC) which works by assigning permissions to users based on their roles within an organization. A policy is a sub-group of the role model, containing roles and rules, that allows an administrator to manage the access specific to their application. + +:::info +At least one policy must be declared. +::: + +## Examples +```xml + +``` + +All `ResourceType`, `SingleRole`, `CompositeRole` and `Category` must belong to a Policy. This is done by specifying the `Policy` attribute. + +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| CommentActivationOnApproveInReview default value: Optional | **Type:** CommentActivation **Description:** Indicates if a comment is enabled when reviewing a role request associated with the policy, and deciding to approve it. `0` - Disabled. `1` - Optional. `2` - Required. | +| CommentActivationOnDeclineInReview default value: Required | **Type:** CommentActivation **Description:** Indicates if a comment is enabled when reviewing a role request associated with the policy, and deciding to refuse it. `0` - Disabled. `1` - Optional. `2` - Required. | +| CommentActivationOnDeleteGapInReconciliation default value: Optional | **Type:** CommentActivation **Description:** Indicates if a comment is enabled when reviewing a non-conforming role assignment associated with the policy, and deciding to delete it. `0` - Disabled. `1` - Optional. `2` - Required. | +| CommentActivationOnKeepGapInReconciliation default value: Required | **Type:** CommentActivation **Description:** Indicates if a comment is enabled when reviewing a non-conforming role assignment associated with the policy, and deciding to keep it. `0` - Disabled. `1` - Optional. `2` - Required. | +| D0 optional | **Type:** Int64 **Description:** Value of the dimension 0 (up to 127) that filters the access to the policy and its roles. 
| +| DisplayName_L1 required | **Type:** String **Description:** Display name of the policy in language 1 (up to 16). | +| GracePeriod default value: 0 | **Type:** Int32 **Description:** Duration (in minutes) for which a lost automatic entitlement associated with this policy is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. This value can be overwritten for each composite role and single role. | +| HasImplicitApproval default value: false | **Type:** Boolean **Description:** `true` to skip the approval circuit when the requester has the appropriate review permissions. This value can be overwritten for each policy object (composite role, single role, resource type). | +| Identifier required | **Type:** String **Description:** Unique identifier of the policy. | +| IsExternal default value: false | **Type:** Boolean **Description:** `true` to indicate that the policy's roles are outside Identity Manager's scope. The roles are managed by an external source, and Identity Manager cannot add, update nor delete any role. | +| IsProvisioningEnabled default value: false | **Type:** Boolean **Description:** `true` to enable the provisioning policy. | +| IsSimulationEnabled default value: false | **Type:** Boolean **Description:** `true` to enable the provisioning policy simulation. | +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | **Type:** PolicyManualAssignmentEndDateLockedToContextMode **Description:** Explicit (default value): The manual assignments' EndDate can be specified by the user or can be locked to match the end date specified by context rules. Never: The manual assignments' EndDate needs to be specified. 
Always: The manual assignments' EndDate cannot be modified. They are computed by the policy to match the end date specified by context rules. | +| MaxDuration default value: 0 | **Type:** Int32 **Description:** Duration (in minutes) after which the assignments induced by the policy will be automatically revoked, if no earlier end date is specified. It impacts only the assignments which are performed after the maximum duration is set. Pre-existing assignments are not impacted. | +| ProlongationWithoutApproval default value: false | **Type:** Boolean **Description:** `true` to allow the policy's roles to be extended without any validation. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md new file mode 100644 index 0000000000..459b401d37 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md 
@@ -0,0 +1,180 @@ +--- +title: "RecordSection" +description: "" +sidebar_position: 10 +--- + +Record sections shape identity data for a given entity type, by grouping properties into sections, for example personal data, contract or position. + +Record sections impact the generation of identities' contexts which contain users' dimension values valid on a given period of time. The aim is to simplify the application of the role model' rules for provisioning. + +Thanks to this data organization in sections, the identities of a given entity type can be modeled by more than one context over time, even simultaneously. This means that users can have more than one contract, or position, at a time, and that data changes can be anticipated. + +[See more details about identity modeling](/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change#a-model-for-identity-changes). + +:::info +**Configuration recommendations:** + +As record sections cannot be configured without a [context rule](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/contextrule), NETWRIX recommends starting with the configuration of the context rule before configuring record sections. + +NETWRIX recommends defining at least two record sections: a default section for the properties shared by all records, and another section for a given set of properties which differentiate between records. The default section must contain zero properties, the shared properties are those that are not defined in the other section(s). + +For example, to model several positions for a single user, we configure the default record section to contain the properties shared by all positions such as personal data, and we configure the position section to contain the properties specific to each position. Similar to the position section, we can also typically configure a section for contracts. 
+::: + + +## Examples +The following example models users from the `Directory_User` entity type with three sets of properties: user properties, contract properties and position properties. All created records will be resources from the `Directory_UserRecord` entity type. + +The properties from the contract (or position) section are the properties specific to each contract (or position). The properties from `Directory_User` that are not specified in the record sections are the properties shared between all records, here user properties. + +Each section must be defined with start and end dates, so that Identity Manager's engine is able to combine all periods of validity and apply the rules with the right input at any time. + +```xml +Default section: + ... + + +Contract section: + ... + + + + + +Position section: + ... + + + + + + + + + + + + +``` + +### InstanceKeyExpression + +The following example computes a unique key for each record section instance. This way, we can distinguish between contracts thanks to their identifiers, same for positions, and between user property sets thanks to a C# expression based on the start date. + +```xml +Default section: + + + +Contract section: + + + ... + + +Position section: + + + ... + +``` + +:::info +An instance key is required when we need to uniquely identify a context, i.e. when we may have several simultaneous contexts. + +For example, an instance key is required for the position section when users can have overlapping positions. +::: + +### IsDefaultBoundariesSection + +The following example uses the contract start/end dates as default boundaries in users' [validity period](/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/on-offboarding#period-of-validity), instead of those from the default section. It may be because, for example, HR services do not enter an end date for the personal data of users on permanent contracts. 
So we prefer to use the start and end dates of their contracts. + +```xml +Contract section: + + + ... + +``` + +### Context extension + +There can be some time gap where no context is defined, for example a time gap with a position but no contract or vice versa. Identity Manager offers the possibility to choose whether an existing context is to be extended to the period without context. And in case we decide to use another context and extend its values, which context should it be? + +![Schema - ExtensionKind](/images/identitymanager/recordsection_extensionkind.webp) + +Here, we decide to extend an existing contract to the gap, for example because users' email addresses are built using the contract type to add `-ext` for external users. And we decide to not extend the position. + +In the following example, the contract section uses `SortKeyExpression` to establish between existing contracts a priority order that will determine which contract should be extended to the gap. Based on this C# expression that returns a value `A`, `B` or `C`, the `ExtendedSortKey` considers as extendable only the contract(s) whose expression returns `C`. + +The position section uses `ExtensionKind` set to `None` to block the extension mechanism. + +```xml +Contract section: + + + ... + + +Position section: + + + ... + +``` + +:::warning +When not specifying any sort key nor extended sort key, Identity Manager will select a context to extend to the gap. However, it may not be functionally the most meaningful context. +::: + + +## Properties + +|Property|Details| +|---|---| +| BoundaryKind default value: 0 | **Type:** RecordBoundaryKind **Description:** Defines how the section dates are computed for a resource, when the current start/end dates are null. `0` - None: start date and end date are equal respectively to the minimum value of `StartProperty` and maximum value of `EndProperty` when comparing the default sections of all records. 
`1` - Kept: start and end dates are equal respectively to the default start date (1900/01/01 00:00:00) and end date (2079/06/06 00:00:00). **Info:** the boundary has no effect on the default section which is the reference to compute the default dates in other sections. When the default section's start/end dates are null, then they equal the default start/end dates. | +| DisplayName_L1 required | **Type:** String **Description:** Display name of the section in language 1 (up to 16). | +| EndProperty optional | **Type:** Int64 **Description:** Date property among those from the `ResourceEntityType` which specifies the end of validity for all [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) of the section. It cannot be a property computed by an `EntityPropertyExpression`. | +| ExtendedSortKey optional | **Type:** String **Description:** Value used as a threshold for `SortKeyExpression` values to determine whether the [property](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) values of a given record section can be extended from a context where the values are defined to another context where no properties from the section are defined. This extension is enabled only when the value of `SortKeyExpression` of the section is higher (with an ordinal comparison) than `ExtendedSortKey`. | +| ExtensionKind default value: 0 | **Type:** RecordExtensionKind **Description:** Defines whether the section's property values can be extended (copied) from a context where the properties are defined to another context where no properties from the section are defined. `0` - Default: the section's property values can be extended. `4` - None: the section's property values cannot be extended. | +| Identifier required | **Type:** String **Description:** Unique identifier of the section. 
| +| InstanceKeyExpression optional | **Type:** String **Description:** Expression returning a key to uniquely identify a context, i.e. distinguish between job positions for example when users can have several concurrent positions, or between contracts. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). | +| IsDefaultBoundariesSection default value: false | **Type:** Boolean **Description:** `true` to use the start/end dates of this section as the default boundaries, i.e. the start/end dates of users' [validity period](/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/on-offboarding#period-of-validity). When no section has `IsDefaultBoundaries` set to `true`, the default section (the one without properties) is automatically selected. | +| ResourceEntityType required | **Type:** Int64 **Description:** Identifier of the entity type of the multiple records to be created. | +| SortKeyExpression optional | **Type:** String **Description:** C# expression used to compute a value for each record, to be used as a priority, following an ordinal comparison. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). When a record section has `ExtensionKind` set to `Default` and a priority value higher than `ExtendedSortKey`, then the record property values can be extended from a context where the values are defined to another context where no properties from the section are defined. | +| SourceEntityType required | **Type:** Int64 **Description:** Identifier of the entity type of the parent resource. 
| +| StartProperty optional | **Type:** Int64 **Description:** Date property among those from the `ResourceEntityType` which specifies the beginning of validity for all [properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection#child-element-property) of the section. It cannot be a property computed by an `EntityPropertyExpression`. | + +## Child Element: Property +A record section is a set of record properties which belong to the resource entity type. + + +### Examples +In the following example, the position section gathers the properties `Organization`, `Location` and `Title`, while the default section gathers all the other properties from `Directory_UserRecord`. + +The property `Location` can be extended from a context where the location is defined to a context where it is not. The two other properties cannot be extended. + +See more details about record extension. + +```xml +Default section: + + + +Position section: + + + + + +``` + + +### Properties + +|Property|Details| +|---|---| +| ExtensionKind default value: 0 | **Type:** RecordExtensionKind **Description:** Defines whether the property value can be extended (copied) from a context where the section properties are defined to another context where no properties from the section are defined. `0` - Default: the property value can be extended. `4` - None: the property value cannot be extended. **Note:** a property value can be extended only if the section is extendable too. | +| IsExcluded default value: false | **Type:** Boolean **Description:** Excludes the given property from the section. This is used only in the default section to remove properties such as the RecordIdentifier that are always different between all the records and that are thus not interesting for the provisioning rules. | +| Property required | **Type:** Int64 **Description:** Identifier of the property from the record section's `ResourceEntityType` that is to be part of the section. 
| diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule.md new file mode 100644 index 0000000000..b2b7eaac81 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule.md @@ -0,0 +1,26 @@ +--- +title: "ResourceClassificationRule" +description: "" +sidebar_position: 11 +--- + +In Identity Manager, this type of rule is used to classify the resources based on a C# expression. + + +## Examples +The following example declares a rule to classify the Active Directory accounts based on the dn values. +```xml + +``` + + +## Properties + +|Property|Details| +|---|---| +| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type:** Int64 **Description:** Represents the resource type definition. | +| ResourceTypeIdentificationConfidenceLevel default value: 0 | **Type:** Int32 **Description:** Defines the confidence level used to match the resources. | +| SourceMatchedConfidenceLevel default value: false | **Type:** Boolean **Description:** Defines the confidence level used to match the sources. | +| TargetExpression optional | **Type:** String **Description:** Defines the C# expression used to classify the resources. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule.md new file mode 100644 index 0000000000..dc9b83199c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule.md 
@@ -0,0 +1,52 @@
+---
+title: "ResourceCorrelationRule"
+description: ""
+sidebar_position: 12
+---
+
+A correlation rule is used to [correlate](/docs/identitymanager/current/introduction-guide/overview/entitlement-management) the resources, i.e. link resources to their owners.
+
+
+## Examples
+#### Correlation based on unchanged attributes
+
+The following example creates an Active Directory correlation rule based on the mail property:
+
+```xml
+
+```
+
+#### Correlation based on attributes changed by a function
+
+The following example copies the previous example (based on unchanged attributes), but using a predefined function (`ToLower`) in source and target bindings' expressions, to compare the email attributes:
+
+```xml
+
+```
+
+:::note
+A [list of predefined functions](/docs/identitymanager/current/integration-guide/toolkit/expressions/predefined-functions) is available.
+:::
+
+#### Correlation based on attributes within a C# expression
+
+The following example creates an Active Directory correlation rule based on the comparison between the AD's simplified display name and an expression from the external system:
+
+```xml
+
+```
+
+This example also uses a confidence rate equals to 80%.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| ResourceType required | **Type:** Int64 **Description:** Identifier of the resource type. |
+| SourceBinding optional | **Type:** Int64 **Description:** Binding property from the source system. |
+| SourceExpression optional | **Type:** String **Description:** Binding expression based on properties from the source system. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| SourceMatchedConfidenceLevel default value: 0 | **Type:** Int32 **Description:** Defines the correlation confidence rate of this rule.
If the value is less than 100, we process a manual review step to confirm the choice. |
+| TargetBinding optional | **Type:** Int64 **Description:** Binding property from the target system. |
+| TargetExpression optional | **Type:** String **Description:** Binding expression based on properties from the target system. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md
new file mode 100644
index 0000000000..1ef7ef9d29
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md
@@ -0,0 +1,461 @@
+---
+title: "ResourceType"
+description: ""
+sidebar_position: 13
+---
+
+In Identity Manager, a resource type is a conceptual model used to categorize resources. It groups together, with a meaningful name, resources sharing the same intent and the same authorization system. Resource types are assigned directly to a resource rather than mapped to a role.
+A resource type can be assigned manually, or configured to be assigned automatically via a [resource type rule](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#child-element-typerule).
+
+
+## Examples
+import Argumentsexpression from '@site/docs/identitymanager/current/_partials/argumentsexpression.mdx';
+
+The following example declares a new resource type to provision the LDAP service accounts:
+
+```xml
+
+```
+
+### ArgumentsExpression
+
+
+
+### DependsOn
+
+This option is used to configure another resource type as prerequisite for this resource type.
+
+For example, a Microsoft Exchange account requires the email address of a related Active Directory account.
+
+In this case, we want to configure the `Exchange Account` resource type so that a user cannot own an Exchange account when they do not own an AD account.
+
+The following example is meant to perform an automatic check to prevent the execution of any provisioning order for the creation of an Exchange account when the user does not own an AD nominative account.
+
+```xml
+
+```
+
+### DependsOnOwnerProperty
+
+This option is used to configure a property as prerequisite for the resource type.
+
+Consider an Active Directory administrator account which should be able to perform manual provisioning to ServiceNow. Then it requires the random identifier computed by ServiceNow.
+
+In this case, we want to configure the `AD_Entry_AdministrationUser` resource type so that a user cannot own an AD administrator account when they do not have an identifier in ServiceNow.
+
+The following example is meant to perform an automatic check to prevent the execution of any provisioning order for the creation of an AD administrator account when the user does not have an identifier in ServiceNow.
+
+```xml
+
+```
+
+### DiscardManualAssignments
+
+This option is used to set Identity Manager as authoritative following a manual change in a managed system.
+
+Suppose a resource type managing the provisioning of Active Directory nominative accounts based on users data in Identity Manager (`Directory_User`). Suppose a scalar rule that provisions the AD's `sn` property based on users' last names.
+
+The following scenario is about a user named Cedric Blanc, whose AD's `sn` property is set by the scalar rule to `Blanc`.
+
+![Example - State 0](/images/identitymanager/DiscardManualAssignments_state0_V602.webp)
+
+Let's see what happens when the user's name is changed manually directly in the AD.
+
+Suppose that we change in the AD the last name to `White`. As the scalar rule computes the `sn` value based on the user's data which still states the last name `Blanc`, such a change induces a difference between the value calculated by the rule and the actual value in the AD. This difference is spotted by the next synchronization, triggering a non-conforming assignment on the **Resource Reconciliation** page.
+
+![Example - State 1](/images/identitymanager/DiscardManualAssignments_state1_V602.webp)
+
+![Example - Step 1](/images/identitymanager/DiscardManualAssignments_step1_V602.webp)
+
+![Example - Step 2](/images/identitymanager/DiscardManualAssignments_step2_V602.webp)
+
+Once this manual new value is confirmed, the property is stated as `Approved`.
+
+![Example - State 2](/images/identitymanager/DiscardManualAssignments_state2_V602.webp)
+
+Now suppose that the user's last name is changed to `Black` via Identity Manager's workflows. As the source data is changed, the scalar rule computes a new value for `sn`.
There are two options:
+
+* The default configuration (`DiscardManualAssignments` set to `false`) considers manual assignments, i.e. changes made directly in the managed system, as authoritative. So there will be no provisioning of the newly computed value for `sn`. The current `sn` value that was written manually in the AD stays as is, no matter the changes in the source data (here the user's last name). Identity Manager only states the property's value as `Questioned`.
+
+ ![Example - State 3](/images/identitymanager/DiscardManualAssignments_state3_V602.webp)
+
+ :::note
+ No change in the source data can affect the property's value. However, any manual change made in the managed system will trigger a non-conforming assignment. Then, reconciling the property by choosing to keep Identity Manager's suggested value will make the property's value go back to `Calculated` and thus follow the changes in the source data.
+ :::
+
+* If `DiscardManualAssignments` is set to `true`, then the state of the property's value does not matter. Identity Manager applies the rules of the role model, and generates a provisioning order to overwrite the manual change `White` with the newly computed value `Black`.
+
+ ![Example - State 4](/images/identitymanager/DiscardManualAssignments_state4_V602.webp)
+
+In this scenario for Cedric Blanc, these behaviors can be summed up like the following:
+![Discardmanualassignments State0 V602](/images/identitymanager/DiscardManualAssignments_state0_V602.webp)
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| AllowAdd default value: true | **Type:** Boolean **Description:** Enables Identity Manager to automatically create new resources in the managed system when their owners are given the right entitlements. Otherwise, resource managers must create resources manually directly in the managed system.
|
+| AllowRemove default value: true | **Type:** Boolean **Description:** Enables Identity Manager to automatically deprovision resources in the managed system when their owners are deprived of the right entitlements. Otherwise, Identity Manager is able to delete resources in the managed system only with a manual approval on the **Resource Reconciliation** screen. |
+| ApprovalWorkflowType default value: 0 | **Type:** ProvisioningPolicyApprovalWorkflow **Description:** Indicates the number of validation to give to a role given manually (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. **Note:** NETWRIX recommends using `ManualAssignmentNotAllowed` for all resource types. |
+| ArgumentsExpression optional | **Type:** String **Description:** C# expression used to compute the arguments of provisioning orders, for example a workflow identifier, in a situation where it is not obvious. The aim is to enable an `InternalWorkflow` connector to fulfill correctly a virtual managed system by launching the right workflows based on a given provisioning order. This expression must return a dictionary of string.
**Note:** `ArgumentsExpression` is useful only when provisioning via the following packages: [Active Directory](/docs/identitymanager/current/integration-guide/connectors/references-packages/Active Directory); [Apache Directory](/docs/identitymanager/current/integration-guide/connectors/references-packages/Apache Directory); [Generic LDAP](/docs/identitymanager/current/integration-guide/connectors/references-packages/Generic LDAP); [Open LDAP](/docs/identitymanager/current/integration-guide/connectors/references-packages/Open LDAP); [Oracle LDAP](/docs/identitymanager/current/integration-guide/connectors/references-packages/Oracle LDAP); [Red Hat Directory Server](/docs/identitymanager/current/integration-guide/connectors/references-packages/Red Hat Directory Server); [Workflow](/docs/identitymanager/current/integration-guide/connectors/references-packages/workflow). |
+| BlockProvisioning default value: true | **Type:** Boolean **Description:** `true` to block the provisioning policy orders. |
+| Category optional | **Type:** Int64 **Description:** Resource type category. |
+| CorrelateMultipleResources default value: false | **Type:** Boolean **Description:** `true` to extend the QueryRule/CorrelationRule to match as many target resources as possible (no blocking like this is normally the case). |
+| DependsOn optional | **Type:** Int64 **Description:** Identifier of another resource type that must be provisioned for a given identity before the current resource type can be provisioned for said identity. |
+| DependsOnOwnerProperty optional | **Type:** Int64 **Description:** Identifier of one of the owner properties that must be filled before the current resource type can be provisioned for said identity. |
+| Description_L1 optional | **Type:** String **Description:** Describe this resource type in detail. |
+| DiscardManualAssignments default value: false | **Type:** Boolean **Description:** `true` to always allow the provisioning of a new property value, i.e.
re-computed by a provisioning rule after a change in the source data, no matter the property's current workflow state. Set to `false`, any manual change of a property's value made directly in the target system will be "protected" (only after the change is approved in Identity Manager in **Resource Reconciliation**). It means that a future change in the source data will not trigger the provisioning of the new value to the target system. Instead, Identity Manager will keep the value of the manual change, and state the value as `Questioned`. This option should be set to `true` when: * using multiple authoritative sources and the latest value should be provisioned; * a source system is not often synchronized to Identity Manager but should stay the authoritative source. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the resource type in language 1 (up to 16). |
+| FulfillHoursAheadOfTime default value: 0 | **Type:** Int32 **Description:** Anticipate resource fulfill order hours ahead of they start time. It is helpful for manual fulfillment and/or long fulfillment process. It differs from TimeOffset because the start date of the resource to fulfill is not impacted. |
+| HideOnSimplifiedView default value: false | **Type:** Boolean **Description:** `true` to hide this resource type in the basket simplified view. This flag is applied only on automatic assignments. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the resource type. |
+| ImplicitApproval default value: 0 | **Type:** Byte **Description:** Indicates if the validation steps of the resource type can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions.
|
+| ManualAssignmentEndDateLockedToContextMode default value: Inherited | **Type:** RoleManualAssignmentEndDateLockedToContextMode **Description:** Inherited (default value): Use the policy's ManualAssignmentEndDateLockedToContextMode value. ExplicitNotContextBoundByDefault: The manual assignments' end date can be specified by the user or can be locked to match the end date specified by context rules. By default, in the UI, it is not automatically locked. ExplicitContextBoundByDefault: The manual assignments' end date can be specified by the user or can be locked to match the end date specified by context rules. By default, in the UI, it is automatically locked. Never: The manual assignments' end date needs to be specified. Always: The manual assignments' end date cannot be modified. They are computed by the policy to match the end date specified by context rules. |
+| MaximumDelete default value: 0 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the resource type when running the provisioning job. |
+| MaximumDeletePercent default value: 30 | **Type:** Int32 **Description:** Deleted lines threshold in percent. |
+| MaximumInsert default value: 0 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the resource type when running the provisioning job. |
+| MaximumInsertPercent default value: 30 | **Type:** Int32 **Description:** Inserted lines threshold in percent. |
+| MaximumUpdate default value: 0 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the resource type when running the provisioning job. |
+| MaximumUpdatePercent default value: 30 | **Type:** Int32 **Description:** Updated lines threshold in percent. |
+| P0 default value: false | **Type:** Boolean **Description:** `true` to indicate that the resource type is parameterized, i.e.
there is at least one type rule configured to assign the resource type based on the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)). |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the resource type is part of. |
+| ProlongationWithoutApproval default value: 0 | **Type:** ProlongationWithoutApproval **Description:** Indicates whether the resource type can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. |
+| R0 default value: false | **Type:** Boolean **Description:** `true` to set the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)) as a required parameter when assigning the resource type. |
+| RemoveOrphans default value: false | **Type:** Boolean **Description:** `true` to authorize the deprovisioning of this resource when it does not have an owner. Can only be `true` when AllowRemove property is also true. |
+| SourceEntityType required | **Type:** Int64 **Description:** Identifier of the source entity type. |
+| SuggestAllCorrelations default value: false | **Type:** Boolean **Description:** Suggest all correlations, whatever the confidence rate of the correlation rule. |
+| TargetEntityType required | **Type:** Int64 **Description:** Identifier of the target entity type. |
+| TransmittedStateValidityPeriod default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which fulfillment orders in Transmitted/Executed states are automatically set in Error state. **Recommendations:** - When provisioning automatically, then set 1, 2 or 3 times the period between two synchronizations. - When provisioning manually and synchronizing regularly, then set around 15 days. - When provisioning manually with few synchronizations, then don't set it.
|
+
+## Child Element: BinaryRule
+A *ResourceBinaryRule* allows to specify the file that must be set to an assigned resource **binary property**. It is defined by a child element `` of the `` element. The source file should already be synchronized and stored inside and reference as an EntityType property.
+
+
+### Examples
+```xml
+
+ ...
+
+
+```
+
+#### TimeOffset
+
+[See more information about time offsets](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#timeoffset-3).
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Binding optional | **Type:** Int64 **Description:** Defines the binding expression to get the file property. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| Property required | **Type:** Int64 **Description:** Identifier of the property used to represent the file on the target EntityType. |
+| SingleRole optional | **Type:** Int64 **Description:** Identifier of the [single role](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerole). The single role must be assigned to the owner so that the file can be provisioned on the resource. |
+| TimeOffsetAfterReference default value: 0 | **Type:** Int32 **Description:** Defines the offset after reference (in minutes). |
+| TimeOffsetBeforeReference default value: 0 | **Type:** Int32 **Description:** Defines the offset before reference (in minutes). |
+| TimeOffsetReference default value: 0 | **Type:** TimeOffsetReference **Description:** Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. `0` - **Default**: the offset inherited from the type rule. `1` - **Around**: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date.
`2` - **Before**: the offset before and after reference are both applied from the start date of the resource. `3` - **After**: the offset before and after reference are both applied from the end date of the resource. **Note:** in a situation with several binary rules, the order of application is: `After`, then `Before`, then `Around`, then `Default`. Each rule is able to overwrite those previously applied in case they overlap. **Warning**: two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. |
+
+## Child Element: NavigationRule
+A navigation rule computes the value of a given navigation property for target resources, based on the properties of their owners (source resources and entitlements). These properties are to be provisioned, i.e. written to the managed system. Contrary to [query rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#child-element-queryrule), navigation rules assign resources regardless of the attributes of source resources.
+
+A navigation rule is defined by the child element `` of the `` element.
+
+:::note
+Both navigation and query rules compute navigation properties. The value of one navigation property should be computed by either navigation or query rules, not both.
+:::
+
+[See more information about navigation rules' configuration guidelines](/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/navigation-property-computation#guidelines).
+
+
+### Examples
+import ParameterizedRole from '@site/docs/identitymanager/current/_partials/parameterized-role.mdx';
+
+#### Computation based on other properties
+
+The following example declares a new rule to give the `SG_APP_SharePoint_HR_Owner` group to all users who had the `SharePoint_HR_Owner` role.
+
+```xml
+
+```
+
+The following rule will set users' Active Directory nominative account in the `CN=SG_APP_DL-INTERNET-Restricted,OU=Applications,DC=acme,DC=internal` group for people having the `DL-INTERNET-Restricted` role.
+
+```xml
+
+ ...
+
+
+```
+
+#### Using ResourceFromDimension
+
+The `ResourceFromDimension` property creates behavior equivalent to having separate navigation rules for each resource in a dimension. This reduces the number of configuration entries when you need the same rule logic for multiple resources.
+
+```xml
+
+```
+
+The `ResourceFromDimension` rule above behaves as if you had created individual rules for each resource in the dimension:
+
+```xml
+
+
+
+
+```
+
+**Configuration requirements**:
+
+- Either `Resource` or `ResourceFromDimension` must be specified, not both
+- `SingleRole` is required when using `ResourceFromDimension`
+- The dimension's entity type must match the target entity type of the navigation property
+- Do not specify dimension criteria (D0, D1, etc.) when using `ResourceFromDimension` - they are set automatically
+
+#### TimeOffset
+
+[See more information about time offsets](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#timeoffset-3).
+
+#### Parameterized roles
+
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| D0 optional | **Type:** Int64 **Description:** Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to compute the navigation property for users whose country is `France`. **Note:** specifying at least one dimension makes the linked role parameterized. |
+| IsDenied default value: false | **Type:** Boolean **Description:** `true` to forbid the resource assignment instead of applying it. |
+| L0 default value: false | **Type:** Boolean **Description:** `true` to activate inheritance for `D0` (up to 127).
|
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| Property required | **Type:** Int64 **Description:** Identifier of the navigation property to be computed. |
+| Resource optional | **Type:** Int64 **Description:** Identifier of the resource to be assigned as a value of the impacted navigation property. Said resource must be part of the entity type that the navigation property points to. |
+| ResourceFromDimension optional | **Type:** Int64 **Description:** The `ResourceFromDimension` property is a special configuration option for `ResourceNavigationRule` that simulates having as many navigation rules as there are resources in the specified dimension, without actually creating multiple rule entries. **Purpose** When you configure a `ResourceNavigationRule` with `ResourceFromDimension`, the system behaves as if you had created a separate navigation rule for each resource that belongs to the specified dimension. This provides a powerful way to avoid repetitive configuration and maintain consistency across related resources. **Example Scenario** If you have a dimension "Departments" containing 50 department resources, setting `ResourceFromDimension="Departments"` on a single navigation rule is equivalent to creating 50 individual navigation rules, one for each department resource. **Configuration Rules** **Mutually Exclusive Properties** You must choose one approach for defining resources: - Use `Resource` to specify a single, explicit resource - Use `ResourceFromDimension` to dynamically reference all resources in a dimension These two properties cannot be used together on the same navigation rule. **Valid Configuration Examples** ```xml ``` **Required SingleRole Property** When using `ResourceFromDimension`, the `SingleRole` property is mandatory.
**Entity Type Compatibility** The dimension specified in `ResourceFromDimension` must have the same entity type as the target entity type of the navigation property. This ensures type safety and consistency. |
+| SingleRole optional | **Type:** Int64 **Description:** Identifier of a single role, which users must have to trigger the property computation. |
+| TimeOffsetAfterReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetBeforeReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetReference default value: 0 | **Type:** TimeOffsetReference **Description:** Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. `0` - **Default**: the offset inherited from the type rule. `1` - **Around**: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. `2` - **Before**: the offset before and after reference are both applied from the start date of the resource. `3` - **After**: the offset before and after reference are both applied from the end date of the resource. In a situation with several navigation rules, the order of application is descending (`After`-`Before`-`Around`-`Default`). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. **Warning**: two offsets of the same mode should never overlap for mono-valued properties.
Overlapping rules on a multi-valued property do not conflict with each other, Identity Manager stores all computed values. Resources' start and end dates can be configured through record sections and/or context rules. |
+
+## Child Element: QueryRule
+A query rule computes the value of a given navigation property for target resources, based on the properties of their owners (source resources and entitlements). These properties are to be provisioned, i.e. written to the managed system. Contrary to [navigation rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#child-element-navigationrule), query rules assign resources to target resources according to a query via a C# [expression](/docs/identitymanager/current/integration-guide/toolkit/expressions) with conditions, based on the attributes of the source resources.
+
+A query rule is defined by the child element `` of the `` element.
+
+:::note
+Both navigation and query rules compute navigation properties. The value of one navigation property should be computed by either navigation or query rules, not both.
+:::
+
+[See more information about query rules' configuration guidelines](/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/navigation-property-computation#guidelines).
+
+
+### Examples
+#### Computation based on other properties
+
+The following example declares a new rule to compute the parent distinguished name for guest users. Here we do not use source properties, but a literal expression for all guest users.
+
+```xml
+
+ ...
+
+
+```
+
+#### TimeOffset
+
+[See more information about time offsets](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#timeoffset-3).
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of.
|
+| Property required | **Type:** Int64 **Description:** Identifier of the navigation property to be computed. |
+| SourceBinding optional | **Type:** Int64 **Description:** Binding of the property from the source entity type to be compared with the target binding/expression, in order to find a matching resource to be the value of `Property`. |
+| SourceExpression optional | **Type:** String **Description:** C# expression to compare with the target binding/expression in order to compute the value of `Property` with the matching resource. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| TargetBinding optional | **Type:** Int64 **Description:** Binding of the property from the entity type pointed by `Property`, which will be the value of `Property` if it matches the source binding/expression. |
+| TargetExpression optional | **Type:** String **Description:** C# expression to compare with the source binding/expression in order to compute the value of `Property` with the matching resource. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). **Warning**: it must contain at least one target property, it cannot be a literal expression. |
+| TargetMatchedConfidenceLevel default value: 0 | **Type:** Int32 **Description:** Percentage rate expressing the confidence in the rule according to data quality and sensitivity. Identity Manager considers the rules in descending order of confidence rate, the first matching rule is applied. `0` to `99`: imposes that a resource manager reviews the property computation on the **Resource Reconciliation** page. `100` to `150`: computes the property automatically. |
+| TimeOffsetAfterReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference end date, which shifts the end of the rule's application.
A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetBeforeReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetReference default value: 0 | **Type:** TimeOffsetReference **Description:** Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. `0` - **Default**: the offset inherited from the type rule. `1` - **Around**: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. `2` - **Before**: the offset before and after reference are both applied from the start date of the resource. `3` - **After**: the offset before and after reference are both applied from the end date of the resource. In a situation with several query rules, the order of application is descending (`After`-`Before`-`Around`-`Default`). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. **Warning**: two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Identity Manager stores all computed values. Resources' start and end dates can be configured through record sections and/or context rules. |
+
+## Child Element: ScalarRule
+A scalar rule computes the value of a given scalar property for target resources, based on the properties of their owners (source resources and entitlements). These properties are to be provisioned, i.e. written to the managed system.
+
+A scalar rule is defined by the child element `` of the `` element.
+
+[See more information about scalar rules' configuration guidelines](/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/scalar-property-computation#guidelines).
+
+### Examples
+#### Computation based on other properties
+
+The following example shows two scalar rules. The first one computes users' emails based on AD values. The other one contains a C# expression to compute `accountExpires`.
+
+```xml
+
+ ...
+
+
+
+```
+
+The next example computes the `firstName` property of a `App1_Account` from the resource type `App1_Standard_Account`, indicating that it must be equal to the `firstName` of the source resource.
+
+```xml
+
+ ...
+
+
+```
+
+#### Computation via a literal expression
+
+The following example translates to "the `userAccountControl` property of a `App1_Account` of resource type `App1_Standard_Account` must be equal to 66048. It uses a [literal](/docs/identitymanager/current/integration-guide/toolkit/expressions/#literal-expression) expression.
+
+```xml
+
+ ...
+
+
+```
+
+#### Binding
+
+The `Binding` attribute complies with the [binding expression syntax](/docs/identitymanager/current/integration-guide/toolkit/bindings) or the [calculation expression syntax](/docs/identitymanager/current/integration-guide/toolkit/expressions). So, it can use the C# language to specify a more complex binding.
+
+```xml
+
+```
+
+#### IsMapped
+
+:::info
+Consider a system that we want to connect to Identity Manager (let's call it `SYST`) using a `title` property. Consider also that `SYST` needs to be provisioned with the value of `title`, but does not allow any other system to retrieve said value.
+
+In this case, we set `IsMapped` to false so that Identity Manager sends the adequate provisioning order when needed, and then is able to change the [provisioning state](/docs/identitymanager/current/user-guide/administrate/provisioning#provisioning-states) to `Verified` without [synchronization](/docs/identitymanager/current/user-guide/set-up/synchronization).
+:::
+
+The following example computes users' title in a given managed system, based on Identity Manager's `PersonalTitle` property without ever retrieving the value:
+
+```xml
+
+```
+
+#### TimeOffset
+
+:::info
+A scalar rule is applied according to reference start and end dates (configured through [record sections](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection) and [context rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/contextrule)), usually users' arrival and departure days. It means that, for a user matching the rule's criteria, a property is to be computed, by default, from the user's arrival day until their departure day.
+
+A time offset adjusts the period for which the rule applies and computes a property's value.
+:::
+
+![Schema - Default Application Period](/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp)
+
+The following example impacts the property for the activation of nominative AD accounts:
+* the first rule deactivates the account from its creation, i.e. 1 month before the user's arrival day, until the arrival day;
+* the second rule activates the account from the user's arrival day until their departure;
+* the third rule deactivates the account from the user's departure day and until its deletion, i.e. 6 months after the departure day.
+
+```xml
+<ResourceType Identifier="AD_Entry_NominativeUser" Policy="Default" TargetEntityType="AD_Entry" Category="Accounts" SourceEntityType="Directory_User" ApprovalWorkflowType="None">
+ <ScalarRule Property="accountEnabled" Expression="C#:person:return &quot;false&quot;;" TimeOffsetReference="Before" TimeOffsetBeforeReference="-43200" TimeOffsetAfterReference="0" />
+ <ScalarRule Property="accountEnabled" Expression="C#:person:return person.Leave.GetValueOrDefault() ? &quot;false&quot; : &quot;true&quot;;" TimeOffsetReference="Around" TimeOffsetBeforeReference="0" TimeOffsetAfterReference="0" />
+ <ScalarRule Property="accountEnabled" Expression="C#:person:return &quot;false&quot;;" TimeOffsetReference="After" TimeOffsetBeforeReference="0" TimeOffsetAfterReference="259200" />
+ ...
+</ResourceType>
+```
+
+![Schema - Default Application Period](/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp)
+
+:::info
+If the time period of property computation exceeds the limits of the period of resource type assignment, then the period of resource type assignment is extended accordingly.
+:::
+
+Note that the rules are applied in a specific order according to their offset reference: `After`, `Before`, `Around` and `Default`. Each rule overwrites pre-existing values. Thus in case of overlapping rules, `Default`-offset rules overwrite the values of `Around`-offset rules, which overwrite the values of `Before`-offset rules, which overwrite the values of `After`-offset rules. We could have the following:
+
+![Schema - Overlapping Offsets](/images/identitymanager/datamodel_scalarrule_timeoffsetoverlap.webp)
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Binding optional | **Type:** Int64 **Description:** Defines the binding expression. |
+| ComparisonType default value: 0 | **Type:** ComparisonType **Description:** Defines the comparison type for the computed value, when Identity Manager retrieves it from the managed system during synchronization, and compares it to the value stored in Identity Manager's database. `0` - **CaseSensitive**: compares words exactly as they are. `1` - **IgnoreCase**: ignores the difference between upper and lower case. `2` - **IgnoreDiacritics**: considers all letters with diacritics (é, à, ç...) to be equivalent to their base letters (e, a, c...). `3` - **Simplified**: ignores diacritics, case and characters which are not letters. `4` - **Approximate**: does the same as `Simplified` but also ignores some spelling mistakes. Some letters are considered equivalent (Z and S, Y and I, W and V, K and C, SS and C). All H can be missing. A T, D or S can be missing at the very end. Finally, it ignores all duplicate letters (other than SS). `5` - **Trim**: does the same as `CaseSensitive` but ignores all leading and trailing white-space characters. There is no comparison for unmapped properties (`IsMapped` set to `false`). |
+| Expression optional | **Type:** String **Description:** Expression used to compute the target property specified in `Property`. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). **Note:** for C# expressions, Identity Manager provides an implicit variable called "assignment" that contains basic information about the linked assigned resource type, i.e. StartDate, EndDate and ParametersValues. |
+| IsMapped default value: true | **Type:** Boolean **Description:** `true` to use the scalar rule's computation to both provision the managed system and synchronize the property back to Identity Manager, thus both create and update. Otherwise, the scalar rule's computation is used only to provision the managed system and the property will be ignored during synchronization, thus create only. This way the property can never be displayed as non-conforming. `IsMapped` is usually set to false in order to adapt the configuration to the constraints of the managed system, when Identity Manager does not retrieve and/or update the property value. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| Property required | **Type:** Int64 **Description:** Identifier of the scalar property to be computed. |
+| SingleRole optional | **Type:** Int64 **Description:** Identifier of a single role that users must have to trigger the property computation. **Warning**: scalar rules must not be dependent on dimensions or role as far as possible as, according to Identity Manager, a good rights policy must be based on group membership and not on mono-valued properties. |
+| TimeOffsetAfterReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetBeforeReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetReference default value: 0 | **Type:** TimeOffsetReference **Description:** Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. `0` - **Default**: the offset inherited from the type rule. `1` - **Around**: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. `2` - **Before**: the offset before and after reference are both applied from the start date of the resource. `3` - **After**: the offset before and after reference are both applied from the end date of the resource. **Note:** in a situation with several scalar rules, the order of application is: `After`, then `Before`, then `Around`, then `Default`. Each rule is able to overwrite those previously applied in case they overlap. **Warning**: two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. |
+
+## Child Element: TypeRule
+A resource type rule assigns resources to given users if they match specific criteria. These resources are to be provisioned, i.e. written to the managed system.
+
+A resource type rule is defined by the child element `` of the `` element.
+
+:::note
+The specification of several resource type rules for one resource type implies the union of all rules, i.e. the combination of all rules (and all sets of criteria) with an **OR** operator.
+:::
+
+
+### Examples
+##### With a dimension criterion
+
+The following rule will assign an `App1_Standard_Account` resource (resource of type `App1_Account`) to any `User` whose organization dimension (dimension binded to column 0) identifier is `Marketing`.
+
+```xml
+
+
+ ...
+
+```
+
+##### With a single role criterion
+
+In addition to dimensions, a single role can be used as a criterion for a rule.
+
+The following rule will assign an `App1_Standard_Account` resource to all `User` whose organization dimension identifier is *Marketing* **and** having the single role *Multimedia_Designer*.
+
+```xml
+
+
+ ...
+
+```
+
+##### Without any criterion
+
+`Di` and `SingleRole` conditions are not mandatory. A type rule with no condition entails the creation of an AssignedResourceType, and hence of a target resource (from the target entity type), for every source resource (from the source entity type).
+
+The following example declares a new rule to give the resource type "AD_Entry_NominativeUser" to all users.
+
+```xml
+
+
+ ...
+
+```
+
+##### TimeOffset
+
+[See more information about time offsets](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#timeoffset-3).
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| D0 optional | **Type:** Int64 **Description:** Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to assign the resource type to users whose country is `France`. **Note:** specifying at least one dimension makes the linked resource type parameterized. |
+| IsDenied default value: false | **Type:** Boolean **Description:** `true` to forbid the assignment instead of applying it. |
+| L0 default value: false | **Type:** Boolean **Description:** `true` to activate inheritance for `D0` (up to 127). |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| SingleRole optional | **Type:** Int64 **Description:** Identifier of a single role, which users must have to trigger the resource type assignment. |
+| TimeOffsetAfterReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetBeforeReference default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. |
+| TimeOffsetReference default value: 0 | **Type:** TimeOffsetReference **Description:** Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. `0` - **Default**: no offset. `1` - **Around**: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. `2` - **Before**: the offset before and after reference are both applied from the start date of the resource. `3` - **After**: the offset before and after reference are both applied from the end date of the resource. In a situation with several resource type rules, the order of application is descending (`After`-`Before`-`Around`-`Default`). Thus each time offset is able to overwrite those previously applied in case they overlap. **Warning**: two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. |
+| Type default value: 0 | **Type:** RuleType **Description:** Represents the type of the rule. `0` - **Required**: the resource type is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the resource type is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - **Suggested**: the resource type is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/risk.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/risk.md
new file mode 100644
index 0000000000..fe045c3248
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/risk.md
@@ -0,0 +1,35 @@
+---
+title: "Risk"
+description: ""
+sidebar_position: 14
+---
+
+A risk defines a security threat triggered by the assignment of one or more entitlements to an identity. A risk is linked to [risk rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/risk#child-element-rule), each of which can trigger the risk.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Description_L1 optional | **Type:** String **Description:** Message that describes the risk. It will be displayed during the manual request of a risk-triggering entitlement. |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the risk in language 1 (up to 16). |
+| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type targeted by the risk. |
+| ExemptionPolicy default value: Warning | **Type:** RiskExemptionPolicy **Description:** Behavior of Identity Manager during the manual request of a risk-triggering entitlement. `0` - Warning: a message is displayed and the request can be continued or cancelled. `1` - Blocking: a message is displayed and the whole request must be cancelled. `2` - Approval required: the request will need an additional approval. A message is displayed and the request can be continued or cancelled. |
+| Identifier required | **Type:** String **Description:** Identifier of the risk. |
+| Level default value: 0 | **Type:** Byte **Description:** Risk score on a scale from 0 to 100. The higher the level, the higher the risk. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy in which the risk exists. |
+| Remediation_L1 optional | **Type:** String **Description:** Message that describes the way to solve the risk. It will be displayed during the manual request of a risk-triggering entitlement. |
+| RiskType default value: SoD | **Type:** RiskType **Description:** Nature of the situation described by the risk. `0` - Segregation of Duties: threat due to the conjunction of two or more entitlements for an identity. A risk rule must contain at least two rule items. `1` - High Privileges: threat due to the assignment of one or more highly sensitive entitlements. A risk rule must contain at least one rule item. |
+
+## Child Element: Rule
+A risk rule is a set of [risk rule items](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/risk#child-element-item). The intersection of all rule items triggers the assignment of a [risk](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/risk) to an identity, depending on the identity's entitlements.
+
+## Child Element: Item
+A risk rule item is a filter that identify risk-triggering resources. The intersection of all rule items in a [risk rule](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/risk#child-element-rule) triggers the associated [risk](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/risk).
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Property required | **Type:** Int64 **Description:** Property (scalar or navigation) that represents the risk-triggering entitlement. |
+| Resource optional | **Type:** Int64 **Description:** Identifier of the resource assigned to `Property`, if navigation, that triggers the risk. |
+| ResourceType required | **Type:** Int64 **Description:** Identifier of the resource type targeted by the risk analysis. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/rolemapping.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/rolemapping.md
new file mode 100644
index 0000000000..bd9767245b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/rolemapping.md
@@ -0,0 +1,73 @@
+---
+title: "RoleMapping"
+description: ""
+sidebar_position: 15
+---
+
+Defines a naming rule to create a single role in a specific category based on a property.
+A navigation rule will also be created by the naming rule, giving the property to the target user when the created single role is assigned to this user.
+
+
+## Examples
+### Additional condition
+
+The following example uses `WhereExpression` to condition the application of the rule.
+
+:::info
+NETWRIX recommends using this property only when the properties from the rule items do not suffice.
+:::
+
+Here the naming convention says that we should create a single role for each group (`memberOf` value) whose `dn` starts with `SG_` and whose dn's second part (between two `_`) is made of three characters.
+
+```xml
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ApprovalRequired default value: false | **Type:** Boolean **Description:** Indicates that the generated role must be approved before being used by a policy. |
+| ApprovalWorkflowType default value: None | **Type:** ProvisioningPolicyApprovalWorkflow **Description:** Indicates the number of validation to give to a manual role (from 0 to 3 inclusive). The value 4 is used when a manual assignment cannot be performed. |
+| Category optional | **Type:** Int64 **Description:** Identifier of the category. |
+| CategoryDisplayNameBinding optional | **Type:** Int64 **Description:** Defines the binding used to compute the category display name. |
+| CategoryDisplayNameExpression optional | **Type:** String **Description:** References the C# or literal expression used to compute the category display name. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| CategoryIdentifierBinding optional | **Type:** Int64 **Description:** Binding used to compute the category identifier. |
+| CategoryIdentifierExpression optional | **Type:** String **Description:** C# or literal expression used to compute the category identifier. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| CommentActivationOnApproveInReview default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnDeclineInReview default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. |
+| DisplayNameBinding optional | **Type:** Int64 **Description:** Defines the binding used to compute the role display name. |
+| DisplayNameExpression optional | **Type:** String **Description:** References the C# or literal expression used to compute the role display name. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| HideOnSimplifiedView default value: false | **Type:** Boolean **Description:** `true` to hide this role in the basket simplified view. This flag is applied only on automatic assignments. |
+| Identifier required | **Type:** String **Description:** Identifier of the role mapping. |
+| IdentifierBinding optional | **Type:** Int64 **Description:** Binding used to compute the role identifier. |
+| IdentifierExpression optional | **Type:** String **Description:** C# or literal expression used to compute the role identifier. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| ImplicitApproval default value: 0 | **Type:** Byte **Description:** Indicates if the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. |
+| ParentCategoryIdentifierBinding optional | **Type:** Int64 **Description:** Defines the binding used to compute the parent category. |
+| ParentCategoryIdentifierExpression optional | **Type:** String **Description:** References the C# or literal expression used to compute the parent category. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| Property required | **Type:** Int64 **Description:** Property on which the naming rule will be applied. |
+| ResourceType required | **Type:** Int64 **Description:** Resource type on which the naming rule will be applied. |
+| RolePolicy optional | **Type:** Int64 **Description:** Identifier of the policy used for the roles created by the naming rule. |
+| WhereExpression optional | **Type:** String **Description:** C# expression returning a boolean, used to condition the application of the naming convention. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+
+## Child Element: Rule
+Represent the sets of conditions which will determine the enforcement of the naming rule.
+
+## Child Element: Item
+Represents one of the conditions used to determine the enforcement of the naming rule.
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Operator default value: 0 | **Type:** QueryComparisonOperator **Description:** Operator used in the condition for the naming rule enforcement. |
+| Property required | **Type:** Int64 **Description:** Property on which the condition for the naming rule enforcement is based. |
+| Value optional | **Type:** String **Description:** Value used in the condition for the naming rule enforcement. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerole.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerole.md
new file mode 100644
index 0000000000..751a126622
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerole.md
@@ -0,0 +1,55 @@
+---
+title: "SingleRole"
+description: ""
+sidebar_position: 16
+---
+
+A single role is a way to represent an entitlement that is to be assigned to an identity. It brings a layer of abstraction through a user-friendly name, close to the business view.
+
+Roles can be used to:
+- grant accesses of various types and levels;
+- restrict access to sensitive information assets, by grouping entitlements in a form that is meaningful from a business point of view;
+- grant the minimum privileges required by an individual to perform his/her job.
+
+Roles can be requested manually, or they can be configured to be assigned automatically via [single role rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) depending on identities' attributes.
+
+
+## Examples
+import ParameterizedRole from '@site/docs/identitymanager/current/_partials/parameterized-role.mdx';
+
+The following example declares a new single role in the default policy; in the category `Internet`; for resources from `Directory_User`; with one approval needed.
+
+```xml
+
+```
+
+### Parameterized roles
+
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| ApprovalWorkflowType default value: 0 | **Type:** ProvisioningPolicyApprovalWorkflow **Description:** Number of validations required to assign manually the single role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. |
+| Category optional | **Type:** Int64 **Description:** Identifier of the category that the role is part of. |
+| CommentActivationOnApproveInReview default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnDeclineInReview default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. |
+| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type:** CommentActivationWithInherited **Description:** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. |
+| D0 optional | **Type:** Int64 **Description:** Value that will be set for the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)) for all users with the role. |
+| Description_L1 optional | **Type:** String **Description:** Detailed description of the single role in language 1 (up to 16). |
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the single role in language 1 (up to 16). |
+| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type whose resources can receive the single role. |
+| GracePeriod optional | **Type:** Int32 **Description:** Duration (in minutes) for which a lost automatic single role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. |
+| HideOnSimplifiedView default value: false | **Type:** Boolean **Description:** `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. |
+| Identifier required | **Type:** String **Description:** Identifier of the single role. |
+| ImplicitApproval default value: 0 | **Type:** Byte **Description:** Indicates whether the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value from the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. |
+| ManualAssignmentEndDateLockedToContextMode default value: Inherited | **Type:** RoleManualAssignmentEndDateLockedToContextMode **Description:** Inherited (default value): Use the policy's ManualAssignmentEndDateLockedToContextMode value. ExplicitNotContextBoundByDefault: The manual assignments' end date can be specified by the user or can be locked to match the end date specified by context rules. By default, in the UI, it is not automatically locked. ExplicitContextBoundByDefault: The manual assignments' end date can be specified by the user or can be locked to match the end date specified by context rules. By default, in the UI, it is automatically locked. Never: The manual assignments' end date needs to be specified. Always: The manual assignments' end date cannot be modified. They are computed by the policy to match the end date specified by context rules. |
+| MaxDuration optional | **Type:** Int32 **Description:** Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy in which the role exists. |
+| ProlongationWithoutApproval default value: 0 | **Type:** ProlongationWithoutApproval **Description:** Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. |
+| R0 default value: false | **Type:** Boolean **Description:** `true` to set the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names)) as a required parameter when assigning the role. |
+| State default value: Manual | **Type:** RoleState **Description:** Mark that differentiates the roles analyzed in the role mining process. `0` - Manual: the role was created manually. `1` - Generated: the role was generated by a role mapping rule. |
+| Tags optional | **Type:** String **Description:** Label(s) that can later be used to filter the target roles of access certification campaigns. The tag separator is `¤`. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule.md
new file mode 100644
index 0000000000..5d479e0055
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule.md
@@ -0,0 +1,29 @@
+---
+title: "SingleRoleRule"
+description: ""
+sidebar_position: 17
+---
+
+A single role rule assigns a single role to users who match given criteria.
+
+
+## Examples
+The following example declares a new rule to give the single role to all the "FCT0000" users.
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| CompositeRole optional | **Type:** Int64 **Description:** Identifier of a [composite role](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/compositerole) that users must have to trigger the rule. |
+| D0 optional | **Type:** Int64 **Description:** Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to assign the single role to users whose country is `France`. |
+| IsDenied default value: false | **Type:** Boolean **Description:** `true` to forbid the assignment instead of applying it. |
+| L0 default value: false | **Type:** Boolean **Description:** `true` to activate inheritance for `D0` (up to 127). |
+| Policy required | **Type:** Int64 **Description:** Identifier of the policy that the rule is part of. |
+| Role required | **Type:** Int64 **Description:** Identifier of the single role to be assigned. |
+| Type default value: 0 | **Type:** RuleType **Description:** Type of the rule. `0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers, these assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/index.md
new file mode 100644
index 0000000000..6a80425729
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/index.md
@@ -0,0 +1,8 @@
+---
+title: "Reporting"
+description: "Reporting"
+sidebar_position: 10
+---
+
+# Reporting
+- [Reportquery](reportquery)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/reportquery.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/reportquery.md
new file mode 100644
index 0000000000..7efa4488a1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/reporting/reportquery.md
@@ -0,0 +1,33 @@
+---
+title: "ReportQuery"
+description: ""
+sidebar_position: 1
+---
+
+Allows the user to define queries to generate a report in a CSV file. When creating a new ReportQuery it is recommended to also create the linked [MenuItem](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/menuitem).
+
+
+## Examples
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the report query in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Report query Identifier. |
+| Query required | **Type:** String **Description:** The report query written following Identity Manager EBNF Grammar rules. |
+| ReturnedEntityType required | **Type:** Int64 **Description:** Returned Entity Type ID. The entity type can be seen as the FROM of a sql query. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/index.md
new file mode 100644
index 0000000000..f7195376a4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/index.md
@@ -0,0 +1,8 @@
+---
+title: "Resources"
+description: "Resources"
+sidebar_position: 10
+---
+
+# Resources
+- [Resource](resource)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/resource.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/resource.md
new file mode 100644
index 0000000000..8815145018
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/resources/resource.md
@@ -0,0 +1,58 @@
+---
+title: "Resource"
+description: ""
+sidebar_position: 1
+---
+
+The `` element also allows the definition of a resource entity directly from within the configuration. Such element must specify:
+
+- the entity type using the `Type` attribute
+- a unique `Id`
+- property values using corresponding column names as attributes
+
+:::note
+When inserting resource-identity in the resource table this way, the Id attribute must be a positive integer. Negative Ids are reserved for Identity Manager's engine.
+:::
+
+## Examples
+The following sample inserts two entities of type `User`: John Smith and Anthony Baker. John Smith is the manager of Anthony Baker.
+
+The `User` **Entity Type** is defined as follows:
+
+```xml
+
+
+
+
+
+```
+
+The two new resources are inserted in the database using the `` tag.
+
+They are assigned the ids `300` and `301`, they are positive integers (since User type resources are resource-identity) and not yet used in the **UR_Resource** table.
+
+The `User` resource properties (FirstName, LastName and Manager) are matched to a **UR_Resource** table column, such as `C4`, `C5` or `I40` according to their data column index, in the above **Entity Type** definition.
+
+* FirstName: index 4 => column C4
+* LastName: index 5 => column C5
+* Manager: index 128 => column I40
+
+```xml
+
+
+```
+
+:::tip
+Most encountered use cases in real life is populating very tiny datasets like employee categories (Internal, External) or personal titles (Mr, Ms). Identities are almost never insert this way. This contrived example aims at illustrating the method.
+:::
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| C0 optional | **Type:** String **Description:** A column of storage. Going from 0 to 127. |
+| Dirty default value: false | **Type:** Boolean **Description:** Flag set by the Usercube-Set-RecentlyModifiedFlag task.
|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the resource in language 1 (up to 16). |
+| I40 optional | **Type:** Int64 **Description:** This columns are used to store the id of an linked entity. When an entity type has a mono-valued association we usually use this columns to store the information. By default there are 10 columns for the storage of the mono-valued associations. |
+| Type required | **Type:** Int64 **Description:** The type of the resource. References the internal id of an EntityType. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation.md
new file mode 100644
index 0000000000..166d8c5768
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation.md
@@ -0,0 +1,13 @@
+---
+title: "DisplayEntityAssociation"
+description: ""
+sidebar_position: 1
+---
+
+Entity referencing the Entity Association that can be displayed in the Identity Manager interface. An association can be established between two properties of the same display entity type.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| IsHierarchical default value: false | **Type:** Boolean **Description:** Is hierarchical entity association. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md
new file mode 100644
index 0000000000..398a43de47
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md
@@ -0,0 +1,137 @@
+---
+title: "DisplayEntityType"
+description: ""
+sidebar_position: 2
+---
+
+The `` element sets information about how an entity type is to be displayed by the UI.
+
+
+## Examples
+```xml
+
+
+
+
+
+
+```
+
+### Zoom on Priority
+
+The Priority property controls the order in which entity types are displayed in the entity type selection dropdown of the following administration screens:
+
+* Role Review
+* Provisioning Review
+* Role Reconciliation
+* Resource Reconciliation
+* My Tasks (also known as Workflow Management)
+* Workflow Overview
+* Access Rules
+
+By default, the entity type with the highest priority is selected first. The end user can later change the selection using the top-left dropdown.
+
+![Change Selection](/images/identitymanager/ui_displaypriorities_changeselection_v521beta.webp)
+
+Priorities are integer values, positive or negative. The most important priority is assigned to the lowest value.
+
+Entity Types with the same priority are sorted by `Identifier`, in the alphabetical order, where relevant.
+
+Entity Types for which a priority isn't set by a `` configuration element are assigned an equally less important priority than the least important priority set by a `` element.
+
+**Example**
+
+This example shows how to define priorities between the main Entity Types of the organizational model. The highest priority is assigned to `Directory_User` and the lowest priority to `Directory_Application`. All other entity types are assigned an equally low priority, below `Directory_Application`. In the dropdown they will be sorted by alphabetical order.
+
+```xmldashboard.xml
+
+
+
+
+```
+
+
+#### Priorities for workflows
+
+The dropdown in My Tasks (also known as Workflow Management) and Workflow Overview screens is related to workflows, not to entity types per se.
+
+In Identity Manager, each workflow is associated with a workflow-entity type.
+
+To configure the priority order for elements in the dropdown in these screens, the user should remember to take the workflow-entity types in the `
+
+```
+
+But the order in which "Workflow for Directory_User" and "Workflow for Directory_Guest" appear in the My Tasks screen is configured like this.
+
+```xmldashboard.xml
+
+
+```
+
+### AddedMinutes property and Date Only compatibility
+
+The `AddedMinutes` property on display properties allows adding or subtracting minutes from `DateTime` fields for timezone adjustments or display purposes.
+
+**Important:** `AddedMinutes` is only applicable to properties of type `DateTime`. It is not compatible with properties of type `DateOnly`.
+
+When a property uses the `DateOnly` type, any `AddedMinutes` configuration will be ignored because date-only fields do not have a time component to adjust.
+
+**Behavior during configuration import/export:**
+
+- **On Import:** If `AddedMinutes` is specified for a `DateOnly` property, the setting will be ignored and a warning will be displayed indicating that it is not applicable to Date Only properties.
+- **On Export:** If `AddedMinutes` exists on a `DateOnly` property, it will be removed from the exported configuration and a warning will notify you of the removal.
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| AutocompleteBinding optional | **Type:** Int64 **Description:** Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker). |
+| Color optional | **Type:** String **Description:** Defines the color used when displaying this entity type (it must be a 6 digit hexadecimal value, preceded by a '#'). |
+| D0IsActive default value: false | **Type:** Boolean **Description:** Is dimension0 active for this entity type (D0IsActive to D3VIsActive following the [base32hex convention](/docs/identitymanager/current/integration-guide/toolkit/parameter-names).
|
+| HideRoles default value: false | **Type:** Boolean **Description:** `true` to skip the **Access Permissions** step (the one containing the roles) in the default forms for this entity type. |
+| IconCode optional | **Type:** String **Description:** Defines the icode code ("People", "MapPin", "Suitcase"...). |
+| IsHierarchical default value: false | **Type:** Boolean **Description:** Is hierarchical entity type. |
+| MinSearchLength optional | **Type:** Int32 **Description:** Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the AutocompleteBinding must be defined). |
+| PluralDisplayName_L1 optional | **Type:** String **Description:** Display name of the entity type in plural in language 1 (up to 16). |
+| Priority default value: 2147483647 | **Type:** Int32 **Description:** Sets the display priority of the Entity Type in the administration screens dropdown and the dashboard. A priority is an integer value, positive or negative. The highest priority is assigned to the lowest number. See the Priority section above. |
+
+## Child Element: Property
+Entity referencing the Entity properties (with which it share the same ID) that can be displayed in the Identity Manager interface.
+
+### Properties
+
+|Property|Details|
+|---|---|
+| AddedMinutes optional | **Type:** Int32 **Description:** Add minutes to the date field with this property. Can be overwritten in every form control, display table column or tile item that displays the property. |
+| AutocompleteBinding optional | **Type:** Int64 **Description:** Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker if the input type of the display property is a picker). |
+| DisplayOrder default value: 0 | **Type:** Int32 **Description:** Defines the property display order. |
+| DisplayTable optional | **Type:** Int64 **Description:** Identifier of the display table.
|
+| Format optional | **Type:** String **Description:** Defines a formating method on the property values ("ParseSince1601Date", "ToStringUserAccountControl", "FormatDate" and "ParseBoolean"). |
+| Group optional | **Type:** Int64 **Description:** Identifier of the display property group, i.e. the fieldset, that the property is part of in the default UI form. |
+| IconCode optional | **Type:** String **Description:** Defines the icode code. |
+| InputType default value: Auto | **Type:** Enumeration **Description:** Identifier of the input type. |
+| IsHidden default value: false | **Type:** Boolean **Description:** Property is hidden. |
+| IsReadOnly default value: false | **Type:** Boolean **Description:** Property is readOnly. |
+| IsRequired default value: false | **Type:** Boolean **Description:** Property is required. |
+| MinSearchLength optional | **Type:** Int32 **Description:** Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the input type of the display property must be a picker and the AutocompleteBinding must be defined). |
+| NavigationBinding optional | **Type:** Int64 **Description:** Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. |
+| OutputType default value: Auto | **Type:** Enumeration **Description:** Identifier of the output type. |
+| PlaceHolderText_L1 optional | **Type:** String **Description:** Property place holder text. |
+| Tile optional | **Type:** Int64 **Description:** Identifier of the tile. |
+| ToolTipText_L1 optional | **Type:** String **Description:** Property tool tip text. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md
new file mode 100644
index 0000000000..c1269f1893
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md
@@ -0,0 +1,43 @@
+---
+title: "DisplayPropertyGroup"
+description: ""
+sidebar_position: 3
+---
+
+A display property group bundles a list of entity properties together in a fieldset in the UI.
+
+
+## Examples
+The following example will group a specific set of properties together, when displaying AD entries.
+
+```xml
+
+
+Knowing that we have the following properties:
+
+
+
+
+
+
+
+
+
+
+ ...
+
+```
+
+![Display Property Group - Example](/images/identitymanager/displaypropertygroup_example_v603.webp)
+
+:::info
+Any property without a value is not displayed.
+:::
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the fieldset in language 1 (up to 16). |
+| Identifier required | **Type:** String **Description:** Unique identifier of the property group. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md
new file mode 100644
index 0000000000..95c23fbaf2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md
@@ -0,0 +1,100 @@
+---
+title: "DisplayTable"
+description: ""
+sidebar_position: 4
+---
+
+A table displays a collections of entity type data grouped into rows.
+
+[Read more about how to customize display tables](/docs/identitymanager/current/integration-guide/ui/how-tos/custom-display-table).
+
+
+## Examples
+### DisplayTableDesignElement
+
+#### table
+
+The following example displays sites as a table.
+
+```xml
+
+
+
+
+
+```
+
+![Example - DisplayTableDesignElement Set to Table](/images/identitymanager/DisplayTableDesignElement_table_V602.webp)
+
+#### list
+
+The following example displays users as a list.
+
+![DisplayTableDesignElement_table_V602](/images/identitymanager/DisplayTableDesignElement_table_V602.webp)
+
+:::note
+For resources to be displayed as a list, the display table must also be configured with **tiles**.
+:::
+
+#### resourcetable
+
+The following example displays AD entries as a table, with an "Owner/Type" column.
+
+```xml
+
+
+
+
+
+
+```
+
+![Example - DisplayTableDesignElement Set to ResourceTable](/images/identitymanager/displaytabledesignelement_resourcetable_v602.webp)
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayTableDesignElement required | **Type:** Enumeration **Description:** Design of the display table. `-1` - **table**: resources are displayed in a table. `-2` - **list**: resources are displayed in a list. `-3` - **resourcetable**: resources are displayed in a table containing an "Owner/Type" column. `-4` - **adaptable**: resources are displayed in a table with an "Owner/Type" column only if the entity type is the target of a resource type, otherwise the table is without said column. |
+| EntityType required | **Type:** Int64 **Description:** Represents the linked entity type. |
+| HomonymEntityLink optional | **Type:** Int64 **Description:** Defines the homonym display table. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the table.
|
+| IsEntityTypeDefault default value: false | **Type:** Boolean **Description:** Default display table used in the application. |
+| LinesPerPage default value: 15 | **Type:** Int32 **Description:** Defines the maximum lines per page. |
+| ParentProperty optional | **Type:** Int64 **Description:** Property to navigate to the parent level when the table displays a tree of values (for example `Organization.ParentOrganization`). |
+
+## Child Element: Column
+Contains all the display table columns.
+
+
+### Examples
+```xml
+
+
+
+
+
+
+```
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| AddedMinutes optional | **Type:** Int32 **Description:** Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. |
+| CanBeFiltered default value: false | **Type:** Boolean **Description:** Can filter the column data. |
+| ColumnSize default value: 1 | **Type:** Int32 **Description:** Defines the column size. |
+| DefaultSortPriority optional | **Type:** Int32 **Description:** Defines the default sort priority. |
+| DisplayBinding optional | **Type:** Int64 **Description:** Represents the linked binding path to a scalar property. |
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the column in language 1 (up to 16). |
+| IsDisplayInDropDownList default value: false | **Type:** Boolean **Description:** Is a drop down list column. |
+| IsDisplayInSummaryView default value: false | **Type:** Boolean **Description:** Is a summary view column. |
+| IsResizable default value: false | **Type:** Boolean **Description:** Is resizable column. |
+| IsSortable default value: false | **Type:** Boolean **Description:** Is sortable column. |
+| OptimizedDisplayBinding optional | **Type:** Int64 **Description:** Optimized Binding allows DisplayTables to be faster displayed.
If it is filled in, it takes priority over the DisplayBinding located in the DisplayTableColumn. |
+| OptimizedSortBinding optional | **Type:** Int64 **Description:** An optimized sort binding allows display tables to be faster displayed. If it is filled in, it takes priority over the sort binding located in the display table column. |
+| SearchOperator default value: 0 | **Type:** QueryComparisonOperator **Description:** Defines the search operator (Equal, NotEqual, Contain, StartWith...). |
+| SortBinding optional | **Type:** Int64 **Description:** Represents the sort binding path to a scalar property. |
+| Tile optional | **Type:** Int64 **Description:** Identifier of the tile. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/form.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/form.md
new file mode 100644
index 0000000000..d63e0d48a2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/form.md
@@ -0,0 +1,141 @@
+---
+title: "Form"
+description: ""
+sidebar_position: 5
+---
+
+A form contains a set of input fields (called [controls](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form)) to be filled by a user, in a structured way. A form must have a form type to be displayed and used in the UI. A form without a type can be called in another form.
+
+
+## Examples
+The following example shows a form called `Directory_UserRecord_View` that involves resources from the entity type `Directory_UserRecord` to collect personal data and contract information via some structured fields to fill.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+
+```
+
+### Display settings
+
+#### Hide the "Access Permissions" tab
+
+When `HideRoles` is set to `true`, then the **Access Permissions** tab is not accessible.
+
+![Access Permissions](/images/identitymanager/Form_hideRoles_V603.webp)
+
+#### Adjust the request type
+
+When `WorkflowRequestType` is set to `Self`, then the finalization step looks like:
+![Form Hideroles V603](/images/identitymanager/Form_hideRoles_V603.webp)
+
+When `WorkflowRequestType` is set to `Helpdesk`, then the finalization step looks like:
+![WorkflowRequestType = Helpdesk](/images/identitymanager/Form_requestTypeHelpdesk_V603.webp)
+
+#### Display records in a table
+
+![Form Requesttypehelpdesk V603](/images/identitymanager/Form_requestTypeHelpdesk_V603.webp)
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Activity optional | **Type:** Int64 **Description:** Defines the linked activity template. |
+| ActivityState optional | **Type:** Enumeration **Description:** Defines the linked activity state template. |
+| AddRowLabel_L1 optional | **Type:** String **Description:** Defines the "add row" button label when using WorkflowUpdateSeveralRecordsEntityForm. |
+| EntityType required | **Type:** Int64 **Description:** Represents the linked entity type. |
+| FormTitle_L1 optional | **Type:** String **Description:** Title of the form in language 1 (up to 16). |
+| FormType default value: Auto | **Type:** FormType **Description:** Represents the linked form type. |
+| HideRecordAddButton default value: false | **Type:** Boolean **Description:** `true` to hide the button used to add a new record. |
+| HideRecordRemoveButton default value: false | **Type:** Boolean **Description:** `true` to hide the button used to remove an existing record. |
+| HideRoles default value: false | **Type:** Boolean **Description:** `true` to hide the **Access Permissions** tab. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the form.
|
+| IsDefaultSelfForm default value: false | **Type:** Boolean **Description:** Entity type default self form. |
+| IsDefaultViewForm default value: false | **Type:** Boolean **Description:** Entity type default view form. |
+| IsDeleteForm default value: false | **Type:** Boolean **Description:** Is a delete form. |
+| MainProperty optional | **Type:** Int64 **Description:** Represents the form main property. |
+| MainPropertyLabel_L1 optional | **Type:** String **Description:** Defines the main property label text. |
+| Menu optional | **Type:** Int64 **Description:** Defines the linked menu item. |
+| RecordEndProperty optional | **Type:** Int64 **Description:** Defines the workflow end date property. If not specified, the property 'EndDate' of the record entity type is considered as RecordEndProperty. |
+| RecordFilter default value: CurrentAndFuture | **Type:** RecordFilter **Description:** Defines the record display option. `0` - Current: shows current positions. `1` - CurrentAndFuture: shows current and future positions. Recommended. `2` - All: shows past, present and future positions. Not recommended for clarity issues. |
+| RecordProperty optional | **Type:** Int64 **Description:** Defines the workflow record property. |
+| RecordSortProperty optional | **Type:** Int64 **Description:** Defines the workflow sort property. |
+| RecordStartProperty optional | **Type:** Int64 **Description:** Defines the workflow start date property. If not specified, the property 'StartDate' of the record entity type is considered as RecordStartProperty. |
+| RecordTable optional | **Type:** Int64 **Description:** Identifier of the display table to be used to display resources' records in a workflow. |
+| RemoveRowLabel_L1 optional | **Type:** String **Description:** Defines the "remove row" button label when using WorkflowUpdateSeveralRecordsEntityForm.
|
+| TableTitle_L1 optional | **Type:** String **Description:** Defines the table title when using WorkflowUpdateSeveralRecordsEntityForm. |
+| WorkflowRequestType default value: 0 | **Type:** WorkflowRequestType **Description:** Type of the request of the related workflow. `0` - None. `1` - Self. `2` - Helpdesk. `3` - Administration. |
+
+## Child Element: Control
+A form control is an input field to be filled by a user. Controls can be inserted in other controls in order to display the form fields in a structured way.
+
+
+### Examples
+The following example shows a form called `Directory_UserRecord_View` that collects first personal data via some controls, and then calls another form `Workflow_Directory_User_AddRecord_Base` to collect record information.
+In this example is a tree control which defines the relationships between a worker and their managers (N+1 to N+3). The aim is to display in the form (in the UI) the organization chart made of the worker and their managers.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| AddedMinutes optional | **Type:** Int32 **Description:** Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. |
+| Binding optional | **Type:** Int64 **Description:** Identifier of the binding property. **Note:** when displaying an organization chart, this binding is meant to represent the first manager level (N+1). In this case, it must be a mono-valued navigation. |
+| Binding2 optional | **Type:** Int64 **Description:** Identifier of the binding property used to represent the second manager level (N+2) in the organization chart. It must be a mono-valued navigation. Cannot be used when `Binding` is not defined. |
+| Binding3 optional | **Type:** Int64 **Description:** Identifier of the binding property used to represent the third manager level (N+3) in the organization chart. It must be a mono-valued navigation. Cannot be used when `Binding2` is not defined. |
+| ColumnSize optional | **Type:** Int32 **Description:** Defines the control column size. |
+| DefaultValueBinding optional | **Type:** Int64 **Description:** Automatically sets the value in the control depending on this binding and the selected value in another corresponding picker. It's only available for controls with picker. _For example: `` After a selection of an organization in another picker in the form, the field location will be automatically set by the main location of the manager of the selected organization._ |
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the control in language 1 (up to 16). |
+| DisplayTable optional | **Type:** Int64 **Description:** Identifier of the table. |
+| EmbeddedForm optional | **Type:** Int64 **Description:** Identifier of the form to insert in the control. With this method, one form can be imported to several forms.
**Warning:** can be used only with `OutputType` set to `TransformImport`. |
+| EntityType optional | **Type:** Int64 **Description:** Represents the linked entity type. |
+| ExtensionIdentifier optional | **Type:** String **Description:** This property is used to extend the Identity Manager UI. |
+| FilterBinding1 optional | **Type:** Int64 **Description:** Coupled with LinkedBinding1, it allows filtering on a list of items. FilterBinding1 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker` InputType. |
+| FilterBinding2 optional | **Type:** Int64 **Description:** Coupled with LinkedBinding2, it allows filtering on a list of items. FilterBinding2 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker` InputType. |
+| HomonymEntityLink optional | **Type:** Int64 **Description:** Defines the homonym form control. |
+| InputType default value: Inherited | **Type:** Enumeration **Description:** Input type of the control. |
+| IsReadOnly optional | **Type:** Boolean **Description:** Is a readonly form control. |
+| IsRequired optional | **Type:** Boolean **Description:** Is a required form control. |
+| LinkedBinding1 optional | **Type:** Int64 **Description:** Coupled with FilterBinding1, it allows filtering on a list of items. LinkedBinding1 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. |
+| LinkedBinding2 optional | **Type:** Int64 **Description:** Coupled with FilterBinding2, it allows filtering a list of items. LinkedBinding2 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. |
+| Name optional | **Type:** String **Description:** Identifies the control inside the Form.
This is used for translation files when a control cannot be identified by its binding such as for FieldSet. |
+| NavigationBinding optional | **Type:** Int64 **Description:** Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. If not defined, the one defined in DisplayEntityProperty is used. |
+| OutputType default value: Inherited | **Type:** Enumeration **Description:** Output type of the control. |
+| ParentControl optional | **Type:** Int64 **Description:** Defines the parent form control. |
+| PlaceHolderText_L1 optional | **Type:** String **Description:** Defines the place holder text. |
+| Tile optional | **Type:** Int64 **Description:** Identifier of the tile. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/index.md
new file mode 100644
index 0000000000..253e49160f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/index.md
@@ -0,0 +1,16 @@
+---
+title: "User Interface"
+description: "User Interface"
+sidebar_position: 10
+---
+
+# User Interface
+- [Displayentityassociation](displayentityassociation)
+- [Displayentitytype](displayentitytype)
+- [Displaypropertygroup](displaypropertygroup)
+- [Displaytable](displaytable)
+- [Form](form)
+- [Indicator](indicator)
+- [Menuitem](menuitem)
+- [Searchbar](searchbar)
+- [Tile](tile)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/indicator.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/indicator.md
new file mode 100644
index 0000000000..29131f1e5d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/indicator.md
@@ -0,0 +1,67 @@
+---
+title: "Indicator"
+description: ""
+sidebar_position: 6
+---
+
+An Indicator displays a banner alongside the resource information whenever it meets a specific criteria.
+
+More precisely, an indicator displays the appropriate banner whenever the *Binding* matches the *Item Value* according to the *Comparison operator*, as can be seen on the example below.
+
+The banner is displayed wherever the associated resource appears.
+
+For example, if we create an indicator pointing out the risk score of a user, the banner will show on the left-side of the user [tile](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/tile) and the user [form](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form). If we create an indicator pointing out whether an AD account is unused or disabled, the banner will show on the left-side of the AD Entries tile and form.
+
+One entity can show several banners, one for several different properties. They appear one above the other if there are four banners or less, one next to the other if there are more.
+
+One indicator can posess several items, that define the information for the banner to be displayed. The indicators order is important because the banner will get the information of the first item matching the observed property.
+
+## Examples
+The following example entails the display of a red banner for a user with a high risk score and an orange banner for a user with a medium risk.
+
+The XML file below states that if the risk score is greater than 75, only the indicator "High risk" will be displayed and not "Medium risk". If it is lower than 75 and greater than 30, the indicator will be "Medium risk". If it is lower than 30, there will be no indicator.
+
+```xml
+
+
+
+
+```
+Note that if you write the "Medium risk" item before the "High risk" one, even if the score if greater than 75, the banner will be orange according to the first item:
+
+```xml
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding optional | **Type:** Int64 **Description:** Defines the binding path to a scalar property. |
+| ComparisonOperator required | **Type:** QueryComparisonOperator **Description:** Defines how to compare the given binding to an indicator item value. All possible values: - Auto: The SearchOperator is calculated by the engine according to the type of element. - NotEqual: finds the elements that are not equal to the desired value. - Equal: finds the elements that are strictly equal to the desired value. - Contain: finds the elements that contain the desired value. - StartWith: finds the elements that start with the desired value. - EndWith: finds the elements that end with the desired value. - NotContain: finds the elements that do not contain the desired value. - NotStartWith: finds the elements that do not start with the desired value. - NotEndWith: finds the elements that do not end with the desired value. - GreaterThan: finds the elements that are greater than the desired value. - LessThan: finds the elements that are less than the desired value. - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. - LessThanOrEqual: finds the elements that are less than or equal to the desired value. - Flexible*: The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. The flexible operators are: - FlexibleEqual. - FlexibleContain. - FlexibleStartWith. - FlexibleEndWith. |
+| EntityType required | **Type:** Int64 **Description:** Represents the linked entity type. |
+| OptimizedBinding optional | **Type:** Int64 **Description:** Optimized Binding allows Indicators to be faster displayed.
If it is filled in, it takes priority over the Binding located in the Indicator. |
+| Order required | **Type:** Int32 **Description:** Defines the order in which the banners are displayed. If there is no order needed, its value is zero for all indicators. |
+
+## Child Element: Item
+Defines the banner to be displayed informations. See Indicator for more details.
+
+
+### Examples
+```xml
+
+
+```
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| Color required | **Type:** String **Description:** Defines the color of the item. |
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the banner in language 1 (up to 16). |
+| Value optional | **Type:** String **Description:** Defines the value with which the indicator binding will be compared to. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md
new file mode 100644
index 0000000000..b1bac7a752
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md
@@ -0,0 +1,31 @@
+---
+title: "MenuItem"
+description: ""
+sidebar_position: 7
+---
+
+A menu item displays grouped navigation actions.
+
+
+## Examples
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the menu item in language 1 (up to 16). |
+| EntityType optional | **Type:** Int64 **Description:** Represents the linked entity type. |
+| IconCode optional | **Type:** String **Description:** Code of one of [Microsoft's fabric icons](https://uifabricicons.azurewebsites.net/) to be displayed with the menu item. **Note:** on Microsoft page, see the icons' codes by moving the mouse over the icons, or using the detailed view. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the item. |
+| IsExpandedByDefault default value: true | **Type:** Boolean **Description:** Is an expanded by default menu item. |
+| IsSelfForm default value: false | **Type:** Boolean **Description:** Is a self form menu item. |
+| ParentMenuItem optional | **Type:** Int64 **Description:** Defines the parent menu item. Five ParentMenuItem are hard coded: - Dashboard: Allow to display MenuItem in dashboard (Home page) - Nav: Allow to display MenuItem in navigation section (the left part in dashboard) - UserMenu: Allow to display MenuItem in links list on click on user account in the top right corner - Reports: Define all the reports downloadable in the application - Top: Allow to display MenuItem in top bar of the application, between "Home" and "My tasks" |
+| ReportQuery optional | **Type:** Int64 **Description:** Represents the linked report query. |
+| URI optional | **Type:** String **Description:** Represents the menu URI. |
+| Workflow optional | **Type:** Int64 **Description:** Represents the linked workflow. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/searchbar.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/searchbar.md
new file mode 100644
index 0000000000..2afbe57b7f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/searchbar.md
@@ -0,0 +1,47 @@
+---
+title: "SearchBar"
+description: ""
+sidebar_position: 8
+---
+
+The SearchBar is an element of the user interface that allows you to search from a list of properties of an EntityType.
+
+
+## Examples
+```xml
+
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| EntityType required | **Type:** Int64 **Description:** References the linked entity type. |
+| Menu optional | **Type:** Int64 **Description:** References the linked Menu. Each MenuItem of this Menu is a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list. |
+| SearchBarDesignElement required | **Type:** Enumeration **Description:** Defines the type of the searchBar(Block,Inline). |
+| SearchedBinding optional | **Type:** Int64 **Description:** Defines the binding on which the search will be applied. |
+| SearchedEntityType required | **Type:** Int64 **Description:** Defines the entity type on which the search will be applied. |
+
+## Child Element: Criterion
+A SearchBarCriteria defines a search criterion on a given property.
+See SearchBar for more details.
+
+### Properties
+
+|Property|Details|
+|---|---|
+| ColumnSize required | **Type:** Int32 **Description:** Size of the insertion or selection element of the property. |
+| DefaultValue optional | **Type:** String **Description:** Basic filter on the properties on the value or values entered in parameters. |
+| DisplayName_L1 optional | **Type:** String **Description:** Display name of the criteria in language 1 (up to 16). |
+| InputType required | **Type:** Enumeration **Description:** Type of the research property. (Auto: takes by default the type of the EntityType property.) |
+| IsVisibleInAdvancedView default value: false | **Type:** Boolean **Description:** `true` to make the property visible in the advanced search but not in the main search properties.
|
+| Operator default value: 0 | **Type:** QueryComparisonOperator **Description:** Defines how to do the research. All possible values: - Auto: The SearchOperator is calculated by the engine according to the type of element - NotEqual: finds the elements that are not equal to the desired value - Equal: finds the elements that are strictly equal to the desired value - Contain: finds the elements that contain the desired value - StartWith: finds the elements that start with the desired value - EndWith: finds the elements that end with the desired value - NotContain: finds the elements that do not contain the desired value - NotStartWith: finds the elements that do not start with the desired value - NotEndWith: finds the elements that do not end with the desired value - GreaterThan: finds the elements that are greater than the desired value - LessThan: finds the elements that are less than the desired value - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value - LessThanOrEqual: finds the elements that are less than or equal to the desired value - Flexible*: The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. The flexible operators are: - FlexibleEqual - FlexibleContain - FlexibleStartWith - FlexibleEndWith |
+| OptimizedBinding1 optional | **Type:** Int64 **Description:** Represents the first optimized binding definition. An optimized binding allows searches to be faster displayed. If it is filled in, it takes priority over the binding located in the search bar criterion column. |
+| PlaceHolderText_L1 optional | **Type:** String **Description:** Overloads the DisplayName of the search property with this string. |
+| ToolTipText_L1 optional | **Type:** String **Description:** Text displayed in the tool tip. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/tile.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/tile.md
new file mode 100644
index 0000000000..8519e60995
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/user-interface/tile.md
@@ -0,0 +1,54 @@
+---
+title: "Tile"
+description: ""
+sidebar_position: 9
+---
+
+A tile displays customizable data in one block. This block is displayed in display table. There are two types of tiles: multilines with optional icons and multilines with photo (or failing this, the initials of a defined data).
+
+
+## Examples
+```xml
+
+
+
+
+
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| DisplayName_L1 required | **Type:** String **Description:** Display name of the tile in language 1 (up to 16). |
+| EntityType required | **Type:** Int64 **Description:** Identifier of the entity type. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the tile. |
+| TileDesignElement required | **Type:** Enumeration **Description:** Defines the design element ("inline data-icon" or "picture-text"). |
+
+## Child Element: Item
+One data to display in a tile.
+
+
+### Examples
+```xml
+
+
+
+```
+
+
+### Properties
+
+|Property|Details|
+|---|---|
+| AddedMinutes optional | **Type:** Int32 **Description:** Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. |
+| Binding required | **Type:** Int64 **Description:** Defines the binding path to a scalar property. |
+| LineDisplayOrderIndicator required | **Type:** Int32 **Description:** Defines the display position of the data in the row. |
+| LineNumber required | **Type:** Int32 **Description:** Defines the number of the line in which the data is displayed. When the tileDesignElement of the tile is "picture-text", four lines are customizable, and 2 lines are hard coded: - 5: id of the resource to navigate on click - 6: photoTag |
+| OptimizedBinding optional | **Type:** Int64 **Description:** Optimized Binding allows DisplayTables to be faster displayed. If it is filled in, it takes priority over the binding located in the TileItem. |
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md
new file mode 100644
index 0000000000..cecb19447d
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md
@@ -0,0 +1,61 @@
+---
+title: "AddChangeAspect"
+description: "Modifies a given property value."
+sidebar_position: 1
+---
+
+Modifies a given property value.
+
+
+## Examples
+The following example computes a new value for the property `IsDraft` from the `Directory_User` entity type. The new value is always `true`. The pointcuts define when the value change must happen.
+
+```xml
+
+
+
+
+```
+
+### Accept Null Value
+
+The following example computes a new value for the `Card` property in users' records, considering `null` as a value. Instead of being ignored, a `null` value returned by `Expression` will replace the old value.
+
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding required | **Type:** String **Description:** Binding whose difference with `ExpressionBinding` defines the property to be changed. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. |
+| AcceptNullValueExpression optional | **Type:** String **Description:** C# expression returning a boolean, `true` to consider `null` for the new value returned by `Expression`. By default, `null` values are ignored. |
+| Expression optional | **Type:** String **Description:** C# expression returning a new value for the property to be changed. **Note:** this property can also be defined by a binding via `ExpressionBinding`. |
+| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. |
+| IfExpression optional | **Type:** String **Description:** Expression that conditions the aspect execution.
[See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. |
+
+
+## Child Element: PointCut
+A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects).
+
+The position of the pointcut is specified by an activity state and a mode (before or after).
+
+![pointcut Schema](/images/identitymanager/pointcut.webp)
+
+
+|Property|Details|
+|---|---|
+|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

|
+|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

|
+|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md
new file mode 100644
index 0000000000..24b4b895ba
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md
@@ -0,0 +1,81 @@
+---
+title: "AssertValueAspect"
+description: "Checks whether the value of a given property satisfies a given condition."
+sidebar_position: 2
+---
+
+Checks whether the value of a given property satisfies a given condition.
+
+
+## Examples
+The following example makes sure that, when creating a new employee, the contract end date is after the contract start date. The pointcuts define when the value assertion must happen.
+
+```xml
+
+
+
+
+```
+
+### Assert a multi-valued object
+
+:::info
+When asserting a multi-valued object, said object must not be called through a binding that goes back and forth between entities.
+
+For example, to manage records, using the `ExpressionBinding` set to `Workflow_Directory_User:Directory_User.Records` and the `Expression` using `C#:record:return record.Directory_User.Records...` will not work.
+
+Instead, the `ExpressionBinding` should be set to `Workflow_Directory_User:Directory_User` and the `Expression` should use `C#:user:return user.Records...`
+:::
+
+The following example makes sure that a user's positions do not overlap.
+
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding required | **Type:** String **Description:** Binding whose difference with `ExpressionBinding` defines the property to be validated by the aspect. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. |
+| Expression optional | **Type:** String **Description:** C# expression returning a boolean, `true` to invalidate the property value. |
+| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one.
|
+| IfExpression optional | **Type:** String **Description:** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Message_L1 optional | **Type:** String **Description:** Message in language 1 (up to 16) to be displayed when the property is invalidated by the condition specified in `Expression`. |
+| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. |
+
+
+## Child Element: PointCut
+A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects).
+
+The position of the pointcut is specified by an activity state and a mode (before or after).
+
+![pointcut Schema](/images/identitymanager/pointcut.webp)
+
+
+|Property|Details|
+|---|---|
+|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

|
+|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

|
+|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md
new file mode 100644
index 0000000000..e688344cdb
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md
@@ -0,0 +1,47 @@
+---
+title: "AssertValueRequiredAspect"
+description: "Checks whether a given property has a non-null value."
+sidebar_position: 3
+---
+
+Checks whether a given property has a non-null value.
+
+
+## Examples
+The following example makes sure that the contract start date is specified for any new worker. The pointcuts define when the value assertion must happen.
+
+```xml
+
+
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding required | **Type:** String **Description:** Binding whose difference with `ExpressionBinding` defines the property to be validated by the aspect. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. |
+| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. |
+| IfExpression optional | **Type:** String **Description:** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Message_L1 optional | **Type:** String **Description:** Message in language 1 (up to 16) to be displayed when the property is empty. |
+| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. |
+
+
+## Child Element: PointCut
+A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects).
+
+The position of the pointcut is specified by an activity state and a mode (before or after).
+
+![pointcut Schema](/images/identitymanager/pointcut.webp)
+
+
+|Property|Details|
+|---|---|
+|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

|
+|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

|
+|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md
new file mode 100644
index 0000000000..6fc4032d66
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md
@@ -0,0 +1,199 @@
+---
+title: "BuildUniqueValueAspect"
+description: "Computes a unique value for a given property."
+sidebar_position: 4
+---
+
+Computes a unique value for a given property.
+
+
+## Examples
+The following example generates bots' logins during their creation.
+
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Binding required | **Type:** String **Description:** Binding whose difference with `ExpressionBinding` defines the property to be computed. |
+| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. |
+| Expression optional | **Type:** String **Description:** C# expression that computes the unique value.**Note:** the computation can be configured in SQL instead of C# via `SqlBuildExpression`. Decide whether to use either `Expression` or `SqlBuildExpression`, not both. |
+| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. |
+| HistorizeBinding optional | **Type:** String **Description:** Binding that stores all the old values computed by the aspect. |
+| HistorizeSeparator default value: ¤ | **Type:** String **Description:** Defines the character used as a separator in the `HistorizeBinding` property. |
+| IfExpression optional | **Type:** String **Description:** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions).
|
+| IterationsCount default value: 0 | **Type:** String **Description:** Maximum number of computation attempts without finding a unique value.**Note:** a variable named `iteration` is available to use the attempt number in the expressions of the aspect and/or of the potential unicity check rules, for example to help manage homonyms. Hence, a custom variable cannot be declared with the name `iteration`. |
+| Message_L1 default value: | **Type:** String **Description:** Message in language 1 (up to 16) to be displayed when the value generation failed, i.e. when `IterationsCount` is exceeded. |
+| OnlyIfNew default value: false | **Type:** String **Description:** `true` to trigger the aspect only for the creation of new resources. |
+| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. |
+| SimulationExpression optional | **Type:** String **Description:** Expression used instead of the `Expression` parameter when previewing the workflow result before its implementation. |
+| SqlBuildExpression optional | **Type:** String **Description:** SQL command that computes the unique value.**Note:** the computation can be configured in C# instead of SQL via `Expression`. Decide whether to use either `SqlBuildExpression` or `Expression`, not both. |
+| SqlCheckExpression optional | **Type:** String **Description:** SQL request that checks whether the value computed with the binding/expression is unique, i.e. not yet used by another resource.**Note:** required if zero [unicity check rules](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect#child-element-unicitycheckrule) are linked to the aspect.**Warning:** the SQL request must be efficient because a potential timeout may block the progress of the workflow.
For example, when the database's state and indexes are not well known, prefer to use views rather than the whole tables, because views store way fewer elements than tables, which makes them faster to use in a request. |
+
+
+## Child Element: PointCut
+A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects).
+
+The position of the pointcut is specified by an activity state and a mode (before or after).
+
+![pointcut Schema](/images/identitymanager/pointcut.webp)
+
+
+|Property|Details|
+|---|---|
+|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

|
+|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

|
+|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

|
+
+## Child Element: UnicityCheckRule
+A unicity check rule ensures that the expression computed by a [`BuildUniqueValue`aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect) for a given property is unique, i.e. not yet used by another resource, in a given entity type.
+
+:::info
+The comparison performed by these rules to check unicity can be configured in SQL instead of C# via the [`SqlCheckExpression`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect) property of the aspect.
+:::
+
+The value of the source binding/expression is computed based on the properties of the source resource which is the resource whose property we compute via the `BuildUniqueValue` aspect.
+
+The rule compares the return value of the source binding/expression with the existing values of the target binding/expression in the target entity type.
+
+![Schema: Unicity Check](/images/identitymanager/aspects_unicitycheck.webp)
+
+
+> For example, we need to generate an email address for any new user joining the company. We configure in a `BuildUniqueValue` aspect that users' emails are computed with `{firstName}.{lastName}@{EmailDomain}`.
+>
+> Consider a new user called John Doe. We need to link to the aspect a unicity check rule that is going to compare the email core `john.doe` with the email cores of existing resources in a given entity type. Thus Identity Manager can ensure that the email core is unique, and finally build the unique email address.
+
+Both source and target bindings/expressions must be consistent with the binding/expression used in [the corresponding aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect) which must not use a `SqlCheckExpression`.
+
+:::info
+One `BuildUniqueValue` aspect can be linked to many unicity check rules, but should not be linked to more than one rule per target entity type.
+
+The unicity check rules linked to a same aspect are combined with the AND operator. It means that the aspect's iteration goes up when at least one of the rules detects non-unicity.
+:::
+
+:::warning
+When creating or updating a unicity check rule, launch the [`ComputeCorrelationKeysTask`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask) before applying the role model and launching workflows.
+
+**For information:** Identity Manager needs to store the correlation keys linked to the expressions defined in the unicity check rule, such as the return value, the entity type, etc. That's why the task mentioned above must be launched before launching any workflow using a unicity check rule.
+:::
+
+
+### Examples
+#### Basic example
+
+The following example checks the unicity of the login of a new user.
+
+> In order to be able to write the source and target bindings/expressions of the unicity check rule, you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect:
+> ```xml
+>
+>
+>
+> ```
+
+We want to check the unicity of the new user's login, compared with the logins of existing users:
+
+```xml
+
+```
+
+:::note
+Here the source binding and expression are those from the aspect.
+:::
+
+#### Multiple unicity checks
+
+With the same aspect as the previous example, we might want to compare the login of the new user with the list of reserved logins too:
+
+```xml
+
+
+```
+
+#### Sophisticated example
+
+The following example checks the unicity of the email address of a new user.
+ +> In order to be able to write the source and target bindings/expressions of the unicity check rule, you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> ```xml +> +> // We want an email address such as {firstName}.{lastName}@{EmailDomain}. +> +> Expression="C#:record:var firstName = record.FirstName.Simplify()?.ToLowerInvariant(); +> var lastName = record.LastName.Simplify()?.ToLowerInvariant(); +> if (string.IsNullOrEmpty(firstName) || string.IsNullOrEmpty(lastName)) +> { +> // Missing data +> return null; +> } +> +> var result = firstName + &quot;.&quot; + lastName; +> +> // If the email core, i.e. {firstName}.{lastName}, is already used, then we try with {firstName}.{lastName}2, etc. +> if (iteration &gt; 0) +> { +> result += iteration.ToString(); +> } +> +> result = result + '@' + record.Subsidiary?.EmailDomain; +> return result;" IterationsCount="10" /> +> ``` + +We want to include in the unicity check only the email's core `firstName.lastName` without the `@EmailDomain` part. This is why the source expression starts like the aspect's expression but does not add the domain part, and the target expression removes the domain part from existing values: + +```xml + +``` + + + +|Property|Details| +|---|---| +|SourceBinding
optional|

**Type**
Int64

**Description**
Binding property (from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression.

**Note:** when not specified, the unicity check rule uses the binding from the aspect.

| +|SourceExpression
optional|

**Type**
String

**Description**
Binding expression (based on properties from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions).

**Note:** when not specified, the unicity check rule uses the expression from the aspect.

| +|TargetBinding
optional|

**Type**
Int64

**Description**
Binding property (from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression.

| +|TargetEntityType
required|

**Type**
Int64

**Description**
Identifier of the entity type for which the rule checks the property's unicity.

| +|TargetExpression
optional|

**Type**
String

**Description**
Binding expression (based on properties from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions).

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md
new file mode 100644
index 0000000000..591f54c077
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md
@@ -0,0 +1,28 @@
+---
+title: "Aspects"
+description: "Aspects"
+sidebar_position: 10
+---
+
+# Aspects
+- [Add Change](./addchangeaspect)
+
+Modifies a given property value.
+- [Assert Value](./assertvalueaspect)
+
+Checks whether the value of a given property satisfies a given condition.
+- [Assert Value Required](./assertvaluerequiredaspect)
+
+Checks whether a given property has a non-null value.
+- [Build Unique Value](./builduniquevalueaspect)
+
+Computes a unique value for a given property.
+- [Invoke Script](./invokescriptaspect)
+
+Executes a customized script.
+- [Invoke Workflow](./invokeworkflowaspect)
+
+Launches a workflow.
+- [Notification](./notificationaspect)
+
+Sends a notification email to one or several users.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md
new file mode 100644
index 0000000000..172137ba4c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md
@@ -0,0 +1,45 @@
+---
+title: "InvokeScriptAspect"
+description: "Executes a customized script."
+sidebar_position: 5
+---
+
+Executes a customized script.
+
+
+## Examples
+The following example executes the script `aspect.ps1` on the local agent, when creating a new user.
+
+```xml
+
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. |
+| Agent optional | **Type:** String **Description:** Agent on which the script will be launched. |
+| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. |
+| IfExpression optional | **Type:** String **Description:** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. |
+| ScriptFile optional | **Type:** String **Description:** Path of the script file to be executed by the aspect. |
+
+
+## Child Element: PointCut
+A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects).
+
+The position of the pointcut is specified by an activity state and a mode (before or after).
+
+![pointcut Schema](/images/identitymanager/pointcut.webp)
+
+
+|Property|Details|
+|---|---|
+|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

| +|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

| +|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md
new file mode 100644
index 0000000000..697d83cd30
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md
@@ -0,0 +1,43 @@
+---
+title: "InvokeWorkflowAspect"
+description: "Launches a workflow."
+sidebar_position: 6
+---
+
+Launches a workflow.
+
+
+## Examples
+The following example launches the workflow `Directory_User_VehicleRequest` when a vehicle is requested for a new internal user.
+
+```xml
+
+
+
+```
+
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. |
+| Workflow required | **Type:** String **Description:** Identifier of the workflow to be launched. |
+| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. |
+| IfExpression optional | **Type:** String **Description:** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). |
+| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. |
+
+
+## Child Element: PointCut
+A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects).
+
+The position of the pointcut is specified by an activity state and a mode (before or after).
+
+![pointcut Schema](/images/identitymanager/pointcut.webp)
+
+
+|Property|Details|
+|---|---|
+|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

| +|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

| +|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md
new file mode 100644
index 0000000000..5e29f92bc6
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md
@@ -0,0 +1,123 @@ +--- +title: "NotificationAspect" +description: "Sends a notification email to one or several users." +sidebar_position: 7 +--- + +Sends a notification email to one or several users. + + +## Examples +The following example sends a notification email based on the template `Notification_Directory_Guest.cshtml` and the subject computed by `SubjectExpression_L1`, which both use data from `Workflow_Directory_Guest:Directory_Guest`, and on the styles from `Notification_Directory_Guest.css`. + +```xml + + + + +``` + +:::info +The notification will be sent after the `Request` activity of the `Directory_Guest_AdvancedStart` workflow is executed. See pointcuts for more details. + +The notification will be sent to all email addresses defined by `Directory_Guest:Mail`. See recipients for more details. +::: + + +## Properties + +|Property|Details| +|---|---| +| Identifier required | **Type:** String **Description:** Unique identifier of the aspect. | +| Binding optional | **Type:** String **Description:** Binding whose difference with `ExpressionBinding` defines the property that corresponds to identities' email addresses, when `Type` is set to `Binding`. | +| CssFile optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| ExpressionBinding optional | **Type:** String **Description:** Binding:- that defines the variable type used in the potential expressions specified in the aspect;- whose difference with `Binding` defines the property involved in the aspect.**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| Priority default value: 0 | **Type:** Int32 **Description:** Execution priority among all aspects. 
At a given activity state, the aspect with the highest priority will be triggered first.**Note:** the priority can be a negative value. | +| RazorFile_L1 optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16).**Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| SubjectExpression_L1 optional | **Type:** String **Description:** C# expression that defines the email's subject in language 1 (up to 16). The expression's variable type is defined in `ExpressionBinding`. | + + +## Child Element: PointCut +A pointcut is a mechanism telling Identity Manager when to execute the linked [aspect](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/images/identitymanager/pointcut.webp) + + +|Property|Details| +|---|---| +|Activity
required|

**Type**
Int64

**Description**
Identifier of the activity whose specified state triggers the aspect.

| +|ActivityState
required|

**Type**
Enumeration

**Description**
Identifier of the activity state that triggers the aspect.

| +|Mode
default value: 0|

**Type**
PointCutMode

**Description**
Mode defining when exactly the aspect is triggered around the specified workflow's activity state.
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used.
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used.

| + +## Child Element: Recipient +A recipient defines one or several identities who will receive a notification from `NotificationAspect`. + + +### Examples +The following example sends a notification email to the actors of the next step of the workflow. + +```xml + + + + +``` + +The following example sends a notification email to the performers of the `Request` activity of the `Directory_User_StartInternal` workflow when the state is `Executed`. + +```xml + + + + +``` + +The following example sends a notification email to the email address, stored in `Mail`, of the user(s) from `Directory_User` targeted by the workflow, so here the new user created by the `Directory_User_StartInternal` workflow. + +```xml + + + + +``` + +The following example sends a notification email to all identities whose email addresses are defined as `{lastName}@company.com`. + +```xml + + + + +``` + +The following example sends a notification to all identities with a profile that includes the right permission. + +```xml + + + + + + +Knowing that we also have: + + + + + + +``` + + + +|Property|Details| +|---|---| +|Activity
optional|

**Type**
Int64

**Description**
Identifier of the activity whose last performers are to be notified, when `Type` is set to `Performer`.

**Note:** must be set together with `ActivityState`.

| +|ActivityState
optional|

**Type**
Enumeration

**Description**
Identifier of the activity state whose last performers are to be notified, when `Type` is set to `Performer`.

**Note:** must be set together with `Activity`.

| +|Binding
optional|

**Type**
Int64

**Description**
Binding of the property that represents the notification's recipients, when `Type` is set to `Binding`.

| +|EmailAddresses
optional|

**Type**
String

**Description**
Email addresses of the notification's recipients, when `Type` is set to `Hardcoded`.

| +|Expression
optional|

**Type**
String

**Description**
C# expression that returns the email addresses of the notification's recipients, as strings or IEnumerable\, when `Type` is set to `Expression`. The expression's variable type is defined in `ExpressionBinding` in the associated `NotificationAspect`. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions).

| +|IsCC
default value: false|

**Type**
Boolean

**Description**
`true` to send the notification email to the recipient(s) as a carbon copy (CC).

| +|Type
required|

**Type**
RecipientType

**Description**
Type of recipients for the email notification.

**Actor**: the identities with the permissions to act on the next step of the workflow specified in the pointcut.
**Performer**: the actors of a past workflow step specified in `Activity` and `ActivityState`.
**Binding**: the identities whose email addresses are designated by the property specified in `Binding`.
**Hardcoded**: the identities whose email addresses are specified explicitly in `EmailAddresses`.
**Expression**: the identities whose email addresses match the C# expression specified in `Expression`.
**Profile**: the identities with the permission `/Custom/WorkflowsNotifications/{workflow_identifier}/`
`{activity_identifier}/{activityTemplateState_shortIdentifier}`.

|
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/index.md
new file mode 100644
index 0000000000..b651d71b13
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/index.md
@@ -0,0 +1,34 @@
+---
+title: "Forms"
+description: "Forms"
+sidebar_position: 10
+---
+
+# Forms
+- [Workflow Add And End Record Entity Form](./workflowaddandendrecordentityform)
+
+Displays a form to define the end date of an existing record, and replace it with a new record at said date, by duplicating and adjusting the old record.
+- [Workflow Add Record Entity Form](./workflowaddrecordentityform)
+
+Displays a form to add a new record for an existing resource, by duplicating and adjusting an existing record.
+- [Workflow Create Entity Form](./workflowcreateentityform)
+
+Displays a form to create a new resource, without a record.
+- [Workflow Create Record Entity Form](./workflowcreaterecordentityform)
+
+Displays a form to create a new resource with a record.
+- [Workflow Create Several Records Entity Form](./workflowcreateseveralrecordsentityform)
+
+Displays a form to create a new resource with one or several records.
+- [Workflow Edit Entity Form](./workfloweditentityform)
+
+Displays a form to update or delete an existing resource, without a record.
+- [Workflow Update Record Entities Form](./workflowupdaterecordentitiesform)
+
+Displays a form to update data for several resources simultaneously.
+- [Workflow Update Record Entity Form](./workflowupdaterecordentityform)
+
+Displays a form to select an existing record and update it.
+- [Workflow Update Several Records Entity Form](./workflowupdateseveralrecordsentityform)
+
+Displays a form to create, update or delete one or several records.
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md new file mode 100644 index 0000000000..b8e5076994 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md @@ -0,0 +1,98 @@ +--- +title: "WorkflowAddAndEndRecordEntityForm" +description: "Displays a form to define the end date of an existing record, and replace it with a new record at said date, by duplicating and adjusting the old record." +sidebar_position: 1 +--- + +Displays a form to define the end date of an existing record, and replace it with a new record at said date, by duplicating and adjusting the old record. + + +## Examples +The following example is a form to update a position. + +```xml + + + + + + + + +With the following form for the resource data's content and summary: +
+ + + + +And with the following form for the record data's content and summary, and for the data that groups records together: +
+ + + + + + + + + + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: +![Form Example - Update Position](/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp) + +:::note +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. +::: + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: +![Formexample Workflowaddandendrecordentityform V603](/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp) + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data about the resource's record. + + +|Property|Details| +|---|---| + + +## Child Element: RecordUniqueItemControl +Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. + + +|Property|Details| +|---|---| + + +## Child Element: MainSummaryControl +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSummaryControl +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. + + +|Property|Details| +|---|---| + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md new file mode 100644 index 0000000000..309224677d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md @@ -0,0 +1,103 @@ +--- +title: "WorkflowAddRecordEntityForm" +description: "Displays a form to add a new record for an existing resource, by duplicating and adjusting an existing record." +sidebar_position: 2 +--- + +Displays a form to add a new record for an existing resource, by duplicating and adjusting an existing record. + + +## Examples +The following example is a form to request a computer. + +```xml + + + + + + + + +With the following form for the resource data's content and summary: +
+ + + + +And with the following form for the record data's content and summary: +
+ + + + + + + + + + + + +And with the following form for the data that groups records together: +
+ + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: +![Form Example - Computer Request](/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp) + +:::note +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. +::: + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: +![Formexample Workflowaddrecordentityform V603](/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp) + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data about the resource's record. + + +|Property|Details| +|---|---| + + +## Child Element: RecordUniqueItemControl +Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. + + +|Property|Details| +|---|---| + + +## Child Element: MainSummaryControl +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSummaryControl +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. + + +|Property|Details| +|---|---| + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md new file mode 100644 index 0000000000..5cc41f9f41 --- /dev/null 
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md @@ -0,0 +1,84 @@ +--- +title: "WorkflowCreateEntityForm" +description: "Displays a form to create a new resource, without a record." +sidebar_position: 3 +--- + +Displays a form to create a new resource, without a record. + + +## Examples +The following example is a form to create a new site. + +```xml + + + + + +With the following form for the workflow's content: +
+ + + + + + + + + + + + + + + + + + + + +And with the following form for the workflow's summary: +
+ + + + + + + + + + + + +``` + +The content of `MainControl` is visible during the workflow's execution: +![Form Example - Site Creation] + +The content of `SummaryControl` is visible after the workflow's execution: +![Formexample Workflowcreateentityform V603](/images/identitymanager/formexample_workflowcreateentityform_v603.webp) + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: SummaryControl +Set of fields to sum up the collected data after the workflow's execution. + + +|Property|Details| +|---|---| + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md new file mode 100644 index 0000000000..6df898fc4c --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md @@ -0,0 +1,97 @@ +--- +title: "WorkflowCreateRecordEntityForm" +description: "Displays a form to create a new resource with a record." +sidebar_position: 4 +--- + +Displays a form to create a new resource with a record. + + +## Examples +The following example is a form to create a new user from HR. + +```xml + + + + + + + +With the following form for the workflow's content and summary about resource data: +
+ + + + + +And with the following form for the workflow's content about record data: +
+ + + + + + + + + + + + +And with the following form for the workflow's summary on record data: +
+ + + + + + + + +``` + +The content of `MainControl` is visible during the workflow's execution: +![Form Example - New User from HR](/images/identitymanager/formexample_workflowcreaterecordentityform_v603.webp) + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution. + + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data about the resource's record. + + +|Property|Details| +|---|---| + + +## Child Element: MainSummaryControl +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSummaryControl +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. + + +|Property|Details| +|---|---| + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md new file mode 100644 index 0000000000..e70299d636 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md @@ -0,0 +1,105 @@ +--- +title: "WorkflowCreateSeveralRecordsEntityForm" +description: "Displays a form to create a new resource with one or several records." +sidebar_position: 5 +--- + +Displays a form to create a new resource with one or several records. + + +## Examples +The following example is a form to request a computer. + +```xml + + + + + + +With the following form for the resource's data: +
+ + + + + + +And with the following form for the data shared with all records: +
+ + + + + + + + + + + + +And with the following form for the data specific to each record: +
+ + + + + + + + + + + + + + + + + + + + + + + + +``` + +The contents of `MainControl`, `RecordControl` and `RecordUniqueItemControl` are visible during the workflow's execution: +![Form Example - New User from Helpdesk](/images/identitymanager/formexample_workflowcreateseveralrecordsentityform_v603.webp) + + + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data shared between all the resource's records. + + +|Property|Details| +|---|---| + + +## Child Element: RecordUniqueItemControl +Set of fields to collect data specific to each record. + + +|Property|Details| +|---|---| + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md new file mode 100644 index 0000000000..197a34334d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md @@ -0,0 +1,52 @@ +--- +title: "WorkflowEditEntityForm" +description: "Displays a form to update or delete an existing resource, without a record." +sidebar_position: 6 +--- + +Displays a form to update or delete an existing resource, without a record. + + +## Examples +The following example is a form to request a computer. + +```xml + + + + + +With the following form for the workflow's content and summary: +
+ + +``` + +The content of `MainControl` is visible during the workflow's execution: +![Form Example - Computer Request](/images/identitymanager/formexample_workfloweditentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: +![Formexample Workfloweditentityform V603](/images/identitymanager/formexample_workfloweditentityform_v603.webp) + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: SummaryControl +Set of fields to sum up the collected data after the workflow's execution. + + +|Property|Details| +|---|---| + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md new file mode 100644 index 0000000000..74c79fc858 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md @@ -0,0 +1,102 @@ +--- +title: "WorkflowUpdateRecordEntitiesForm" +description: "Displays a form to update data for several resources simultaneously." +sidebar_position: 7 +--- + +Displays a form to update data for several resources simultaneously. + + +## Examples +The following example is a form to update users' positions in bulk. + +```xml + + + + + + + + +With the following form for the workflow's content and summary about resource data: +
+ + + +And with the following form for the workflow's content and summary about record data: +
+ + + + + + + + + + + + +And with the following form for the data that groups records together: +
+ + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: +![Form Example - Mass Update](/images/identitymanager/formexample_workflowupdaterecordentitiesform_v603.webp) + +:::note +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be modified as one. +::: + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: + + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data about the resource's record. + + +|Property|Details| +|---|---| + + +## Child Element: RecordUniqueItemControl +Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. + + +|Property|Details| +|---|---| + + +## Child Element: MainSummaryControl +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSummaryControl +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. + + +|Property|Details| +|---|---| + diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md new file mode 100644 index 0000000000..082471b3bc --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md 
@@ -0,0 +1,127 @@ +--- +title: "WorkflowUpdateRecordEntityForm" +description: "Displays a form to select an existing record and update it." +sidebar_position: 8 +--- + +Displays a form to select an existing record and update it. + + +## Examples +The following example is a form to update a user's record from helpdesk. + +```xml + + + + + + + + +With the following form for the resource's data and summary: +
+ + + + +And with the following form for the data shared with all records and for the summary: +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +And with the following form for the data that groups records together: +
+ + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: +![Form Example - Update Data](/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp) + +:::note +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. +::: + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: +![Formexample Workflowupdaterecordentityform V603](/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp) + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data about the resource's record. + + +|Property|Details| +|---|---| + + +## Child Element: RecordUniqueItemControl +Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. + + +|Property|Details| +|---|---| + + +## Child Element: MainSummaryControl +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSummaryControl +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. + + +|Property|Details| +|---|---| + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md new file mode 100644 index 0000000000..cdda78c9d9 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md @@ -0,0 +1,130 @@ +--- +title: "WorkflowUpdateSeveralRecordsEntityForm" +description: "Displays a form to create, update or delete one or several records." +sidebar_position: 9 +--- + +Displays a form to create, update or delete one or several records. + + +## Examples +The following example is a form to create, update and/or delete one or several positions for a given user. + +```xml + + + + + + + + +With the following form for the resource's data: +
+ + + + +And with the following form for the data shared with all records: +
+ + + + + + + +And with the following form for the data used to update existing records: +
+ + + + + + + + + + + +And with the following form for the data used to add new records: +
+ + + + + + + + + + + + +And with the following form for the data that groups records together: +
+ + +``` + +The contents of `MainControl`, `RecordControl`, `RecordSlaveUniqueItemControl` and `RecordSlaveControl` are visible during the workflow's execution: +![Form Example - Manage a User's Positions](/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_v603.webp) + +When adding a new position, we decide to make `Title` available, in addition to the fields used to update existing records: +![Formexample Workflowupdateseveralrecordsentityform V603](/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_v603.webp) + +:::note +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. +::: + + + + + + +## Properties + +|Property|Details| +|---|---| + + +## Child Element: MainControl +Set of fields to collect data about the main resource. + + +|Property|Details| +|---|---| + + +## Child Element: RecordControl +Set of fields to collect data when adding new records. + + +|Property|Details| +|---|---| + + +## Child Element: RecordUniqueItemControl +Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSlaveUniqueItemControl +Set of fields to collect the data shared with all the resource's records, for example contract information when managing positions. + + +|Property|Details| +|---|---| + + +## Child Element: RecordSlaveControl +Set of fields to collect data when updating existing records. + + +|Property|Details| +|---|---| + 
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink.md new file mode 100644 index 0000000000..b719562ae2 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink.md @@ -0,0 +1,45 @@ +--- +title: "HomonymEntityLink" +description: "" +sidebar_position: 1 +--- + +This entity is used to configure the homonym workflow. + + +## Examples +```xml + +``` + +In this example the homonym is linked to a [Control](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form#child-element-control) and it will be applied for the [Binding]( included in the [Control](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form#child-element-control) where the homonym is located. Read more about [how to configure homonym filters](. +```xml +
+ + + + + + + +``` + + +## Properties + +|Property|Details| +|---|---| +| FormEntityType required | **Type:** Int64 **Description:** In a [Form](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form), an [EntityType](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype) is defined and the [Binding](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/binding) of this Form will be loaded from this EntityType. The FormEntityType property represents this EntityType. | +| Identifier required | **Type:** String **Description:** Unique identifier of the HomonymEntityLink. | + +## Child Element: Filter +Defines combination of property comparison to use to find homonyms. + +### Properties + +|Property|Details| +|---|---| +| ComparisonProperty1 optional | **Type:** Int64 **Description:** Defines the property used to compare with the form control `Property`. It should not be defined if it the same as the property in the attribute `Property`. Going from 1 to 5. | +| Expression1 optional | **Type:** String **Description:** Defines the C# expression to apply on the homonymy form controls. The result of the expression evaluation will be compared with the corresponding `ComparisonProperty` using the defined `Operator`. If the `ComparisonProperty` is a computed property, no need to define the expression if it is the same as the one for the computed property. It will be automatically used when finding homonyms. Going from 1 to 5. [See more details on C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#c-expressions). | +| Operator1 default value: 2 | **Type:** QueryComparisonOperator **Description:** Defines the operator to use to compare between the `ComparisonProperty` and the `Property` or the `Expression` evaluation result. By default the `Equal` operator is used. Going from 1 to 5. 
All possible values: `0` - Auto: The `Operator` is calculated by the engine according to the type of element. `1` - NotEqual: finds the elements that are not equal to the desired value. `2` - Equal: finds the elements that are strictly equal to the desired value. `3` - Contain: finds the elements that contain the desired value. `4` - StartWith: finds the elements that start with the desired value. `5` - EndWith: finds the elements that end with the desired value. `6` - NotContain: finds the elements that do not contain the desired value. `7` - NotStartWith: finds the elements that do not start with the desired value. `8` - NotEndWith: finds the elements that do not end with the desired value. `9` - GreaterThan: finds the elements that are greater than the desired value. `10` - LessThan: finds the elements that are less than the desired value. `11` - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. `12` - LessThanOrEqual: finds the elements that are less than or equal to the desired value. `*`- Flexible: The `Flexible` operators transform the desired value according to the `FlexibleComparisonExpression` defined in the `EntityProperty` then search. The flexible operators are: `13` - FlexibleEqual `14` - FlexibleContain `15` - FlexibleStartWith `16` - FlexibleEndWith | +| Property1 optional | **Type:** Int64 **Description:** Defines the form control property to use to compare with `ComparisonOperator` using the defined `Operator`. Going from 1 to 5. | diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/index.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/index.md new file mode 100644 index 0000000000..72bbe346f2 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/index.md 
@@ -0,0 +1,11 @@
+---
+title: "Workflows"
+description: "Workflows"
+sidebar_position: 10
+---
+
+# Workflows
+- [Homonymentitylink](homonymentitylink)
+- [Workflow](workflow)
+- [Aspects](aspects)
+- [Forms](forms)
diff --git a/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/workflow.md b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/workflow.md
new file mode 100644
index 0000000000..91aeaabc7c
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/toolkit/xml-configuration/workflows/workflow.md
@@ -0,0 +1,56 @@ +--- +title: "Workflow" +description: "" +sidebar_position: 2 +--- + +In Identity Manager, a workflow is a set of elemental units called activities that are stored as a model to describe a real-world process. A workflow provides a mechanism for automating multi-step processes across the application. It can be depicted as a sequence of operations, declared as work of a person or group, an organization of staff, or one or more simple or complex mechanisms. + + +## Examples +The following example declares a simple workflow called `Directory_User_StartInternal` that involves resources from the entity type `Directory_User`. + +```xml + + + ... + +``` + + +## Properties + +|Property|Details| +|---|---| +| DisplayName_L1 required | **Type:** String **Description:** Workflow' name displayed in the UI. This column is used for the first language. | +| Identifier required | **Type:** String **Description:** Unique identifier of the workflow. | +| IdentifierPrefix optional | **Type:** String **Description:** Workflow's identifier prefix, used to prefix the workflow's activity instances. | +| VariablesType required | **Type:** Int64 **Description:** Entity type of the resources involved by the workflow. Must follow the naming convention `Workflow_`. | + +## Child Element: Activity +In Identity Manager, an activity is a elemental unit used to model a workflow's steps, such as the request of new records, the mailing of notifications to users about pending approvals, or the approval/decline of modifications. A workflow is made of a series of successive activities. + + +### Examples +The following workflow is made of four activities to add a new worker in the system. + +``` + + + + + + +``` + + +### Properties + +|Property|Details| +|---|---| +| ArgumentBlockProvisioning default value: false | **Type:** Boolean **Description:** `true` to block provisioning orders (argument used only for an activity following the template `Persist` or `PersistOnlyResources`). 
| +| ArgumentCalledWorkflow optional | **Type:** Int64 **Description:** Workflow to call (argument used only for an activity following the template `ContinueWith`). | +| DisplayName_L1 required | **Type:** String **Description:** Activity's name to display in the UI. This column is used for the first language. | +| Identifier required | **Type:** String **Description:** Unique identifier of the activity. | +| Template required | **Type:** Enumeration **Description:** Identifier of the activity template. All possible values: - `Action`: awaits user modifications without another user's intervention. - `ActionWithRefine`: awaits user modifications with the possibility to delegate the action to another user. - `Review`: awaits user approval without another user's intervention. - `ReviewWithFeedback`: awaits user approval with the possibility of getting feedback from another user before taking the action. - `Persist`: saves the workflow's collected data to the repository and triggers dependant processes (i.e. provisioning). - `PersistOnlyResources`: saves the workflow's collected data to the repository and without triggering dependant processes (i.e. provisioning). - `ContinueWith`: Gets the previous activities of the workflow and continues starting from a given activity of another workflow. | +| WorkflowOverviewDisable default value: false | **Type:** Boolean **Description:** `true` to disable the activity's appearance on the **Workflow Overview** screen. | diff --git a/docs/identitymanager/6.3/integration-guide/ui/create-menu-items.md b/docs/identitymanager/6.3/integration-guide/ui/create-menu-items.md new file mode 100644 index 0000000000..6e464f06c5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/ui/create-menu-items.md 
@@ -0,0 +1,43 @@
+---
+title: "Create Menu Items"
+description: "Create Menu Items"
+sidebar_position: 20
+---
+
+# Create Menu Items
+
+After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the Navigation to this Workflow.
+
+### Create menu items for a workflow in a resource entity list
+
+To add a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list you need to create a menu containing the different workflows and put a link to the entity's searchBar as below.
+
+[See available icons](https://uifabricicons.azurewebsites.net/).
+
+The first MenuItem is the main action displayed on the right.
+
+The other MenuItems are displayed from left to right.
+
+```text
+
+```
+
+This XML element gives the following result:
+
+![Add workflow link in resource list entity](/images/identitymanager/workflowinentitylist.webp)
+
+### Create menu items for a workflow in a resource view
+
+In the resource view it is also possible to create links to different workflows.
+
+These workflows will manipulate the selected resource in the view.
+
+```text
+
+```
+
+This XML element gives the following result:
+
+![Workflow in resource view](/images/identitymanager/workflowinresourceview.webp)
+
+![All workflow in resource view*](/images/identitymanager/allworkflowinresourceview.webp)
diff --git a/docs/identitymanager/6.3/integration-guide/ui/custom-display-table.md b/docs/identitymanager/6.3/integration-guide/ui/custom-display-table.md
new file mode 100644
index 0000000000..849cfa2054
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/ui/custom-display-table.md
@@ -0,0 +1,63 @@ +--- +title: "Customize Display Tables" +description: "Customize Display Tables" +sidebar_position: 30 +--- + +# Customize Display Tables + +This part shows how to define a custom way to display entity types' data. + +## Table + +This display table with DisplayTableDesignElement set to table will display the list of resources as a simple table filled with several columns. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                                     +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable(Table)](/images/identitymanager/displaytablestable.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a search bar. This avoids filter duplication. Thus, the `` property can be deleted in the `` argument. + +## Resource Table + +The property DisplayTableDesignElement set to resourcetable allows you to create a table similar to the display table with DisplayTableDesignElement set to table but adds a column containing the owner of the resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                           +``` + +Here is the visualization of this resource table on the interface: + +![ResourceTable](/images/identitymanager/displaytablesresourcetable.webp) + +## Display Table with Tiles + +. + +Instead of creating a table, it is possible to create tiles to give another rendering of the user interface. It is therefore necessary to create the different tiles first. After creating the tiles, they must be imported into the display table with `` set to ``. Display tables with other values of `` cannot display tiles. 
+ +See the[Tile](../../integration-guide/toolkit/xml-configuration/user-interface/tile) topic for additional information. + +:::tip + Remember, if the display table uses tiles, then you can't use bindings. +::: +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                                                               +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable with Tiles](/images/identitymanager/displaytablestiles.webp) + +See the [Display Table](../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) topic for additional information. + diff --git a/docs/identitymanager/6.3/integration-guide/ui/custom-forms.md b/docs/identitymanager/6.3/integration-guide/ui/custom-forms.md new file mode 100644 index 0000000000..bc472cb00d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/ui/custom-forms.md 
@@ -0,0 +1,68 @@ +--- +title: "Customize Forms" +description: "Customize Forms" +sidebar_position: 50 +--- + +# Customize Forms + +This guide shows how to define a custom way to display the input fields to be filled in a given workflow. + +See the [Form](../../integration-guide/toolkit/xml-configuration/user-interface/form) topic for additional information. + +## Create a View Template for Entities Using Scaffoldings + +Two scaffoldings generate the view, the display table and the rights to access the entity's resources. + +- [View Template](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate): +Creates the display table, the default view and access rights to the entity. +- [View Template Adaptable](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable): +Creates the entity view (designElement = ResourceTable), the report and the rights for a given profile. + +These scaffoldings are not enough to access resources. You must add a menu item to define the navigation in the view in the user interface. + +## Create an Entity View + +To create the entity view, you must manipulate a [Form](../../integration-guide/toolkit/xml-configuration/user-interface/form). + +The view form doesn't give access to the view in the interface or the rights to access the interface. + +The following elements must be in place: + +- [Create Menu Items](../../integration-guide/ui/create-menu-items) +- [View Access Control Rules](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules) + +To create the view, you can manipulate one or more forms. The example below shows how to create a view from several different forms. This will allow you to reuse some forms in workflows. + +```text +
+``` + +It is also possible to create only one form that contains all the information: + +```text +
+``` + +### Create an Entity View Using Records + +Some entities may have entity records. To view the entity in question with all the records attached to it, it is necessary to fill in forms that will load the record data as well as forms for the parent entity. + +The view form doesn't give access to the view in the interface or the rights to access it. + +The following elements must be in place: + +- [Create Menu Items](../../integration-guide/ui/create-menu-items) +- [View Access Control Rules](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules) + +In the example below, the view form will display all records. To change the filter on the record display, you must change the [Form](../../integration-guide/toolkit/xml-configuration/user-interface/form). + +```text +
+```
+
+The record filter not only changes the display options of the record, but also changes the display of the rights associated with this record.
+
diff --git a/docs/identitymanager/6.3/integration-guide/ui/custom-search-bar.md b/docs/identitymanager/6.3/integration-guide/ui/custom-search-bar.md
new file mode 100644
index 0000000000..647303a6c2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/ui/custom-search-bar.md
@@ -0,0 +1,47 @@
+---
+title: "Customize Search Bars"
+description: "Customize Search Bars"
+sidebar_position: 40
+---
+
+# Customize Search Bars
+
+This guide shows how to define a custom way to search from a list of a given entity type's properties.
+
+See the [Search Bar](../../integration-guide/toolkit/xml-configuration/user-interface/searchbar) topic for additional information.
+
+## Default Search Bar
+
+To search on a resource list for an entity, you must enter a SearchBar tag for the given entity.
+
+```text
+
+```
+
+Here is the visualization of this searchbar on the interface:
+
+![SearchBarWithoutFilters](/images/identitymanager/searchbarwithoutfilter.webp)
+
+Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids filter duplication. Thus, the `` property can be deleted in the `` argument in the display table.
+
+## Create Default Filters
+
+To add a default filter, you must add both of the following properties to a criterion:
+
+- DefaultValue
+- Operator
+
+```text
+****
+```
+
+Here is the visualization of this criterion on the interface:
+
+![SearchBarFilter](/images/identitymanager/searchbarfilters.webp)
+
+## Search Bar Menu
+
+Each menu item is a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list.
+
+**See the [Create Menu Items](../../integration-guide/ui/create-menu-items)topic for additional information**
+
diff --git a/docs/identitymanager/6.3/integration-guide/ui/how-tos/create-menu-items.md b/docs/identitymanager/6.3/integration-guide/ui/how-tos/create-menu-items.md
new file mode 100644
index 0000000000..f08c5dcd8f
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/ui/how-tos/create-menu-items.md
@@ -0,0 +1,37 @@
+# Create Menu Items
+
+After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the Navigation to this Workflow.
+
+### Create menu items for a workflow in a resource entity list
+
+To add a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list you need to create a menu containing the different workflows and put a link to the entity's searchBar as below.
+
+[See available icons](https://uifabricicons.azurewebsites.net/).
+
+The first MenuItem is the main action displayed on the right.
+
+The other MenuItems are displayed from left to right.
+
+```text
+
+```
+
+This XML element gives the following result:
+
+![Add workflow link in resource list entity](/images/identitymanager/workflowinentitylist.webp)
+
+### Create menu items for a workflow in a resource view
+
+In the resource view it is also possible to create links to different workflows.
+
+These workflows will manipulate the selected resource in the view.
+
+```text
+
+```
+
+This XML element gives the following result:
+
+![Workflow in resource view](/images/identitymanager/workflowinresourceview.webp)
+
+![All workflow in resource view*](/images/identitymanager/allworkflowinresourceview.webp)
diff --git a/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-display-table.md b/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-display-table.md
new file mode 100644
index 0000000000..b797e6c62b
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-display-table.md
@@ -0,0 +1,57 @@ +# Customize Display Tables + +This part shows how to define a custom way to display entity types' data. + +## Table + +This display table with DisplayTableDesignElement set to table will display the list of resources as a simple table filled with several columns. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                                     +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable(Table)](/images/identitymanager/displaytablestable.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a search bar. This avoids filter duplication. Thus, the `CanBeFiltered` property can be deleted in the `Column` argument. + +## Resource Table + +The property DisplayTableDesignElement set to resourcetable allows you to create a table similar to the display table with DisplayTableDesignElement set to table but adds a column containing the owner of the resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                           +``` + +Here is the visualization of this resource table on the interface: + +![ResourceTable](/images/identitymanager/displaytablesresourcetable.webp) + +## Display Table with Tiles + +. + +Instead of creating a table, it is possible to create tiles to give another rendering of the user interface. It is therefore necessary to create the different tiles first. After creating the tiles, they must be imported into the display table with `DisplayTableDesignElement` set to `list`. Display tables with other values of `DisplayTableDesignElement` cannot display tiles. 
+ +See the[Tile](../../../integration-guide/toolkit/xml-configuration/user-interface/tile) topic for additional information. + +:::tip + Remember, if the display table uses tiles, then you can't use bindings. +::: +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml +                                                               +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable with Tiles](/images/identitymanager/displaytablestiles.webp) + +See the [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) topic for additional information. + diff --git a/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-forms.md b/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-forms.md new file mode 100644 index 0000000000..ebab1ba36d --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-forms.md 
@@ -0,0 +1,62 @@ +# Customize Forms + +This guide shows how to define a custom way to display the input fields to be filled in a given workflow. + +See the [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) topic for additional information. + +## Create a View Template for Entities Using Scaffoldings + +Two scaffoldings generate the view, the display table and the rights to access the entity's resources. + +- [View Template](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate): +Creates the display table, the default view and access rights to the entity. +- [View Template Adaptable](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable): +Creates the entity view (designElement = ResourceTable), the report and the rights for a given profile. + +These scaffoldings are not enough to access resources. You must add a menu item to define the navigation in the view in the user interface. + +## Create an Entity View + +To create the entity view, you must manipulate a [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form). + +The view form doesn't give access to the view in the interface or the rights to access the interface. + +The following elements must be in place: + +- [Create Menu Items](../../../integration-guide/ui/how-tos/create-menu-items) +- [View Access Control Rules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules) + +To create the view, you can manipulate one or more forms. The example below shows how to create a view from several different forms. This will allow you to reuse some forms in workflows. + +```text +
+``` + +It is also possible to create only one form that contains all the information: + +```text +
+``` + +### Create an Entity View Using Records + +Some entities may have entity records. To view the entity in question with all the records attached to it, it is necessary to fill in forms that will load the record data as well as forms for the parent entity. + +The view form doesn't give access to the view in the interface or the rights to access it. + +The following elements must be in place: + +- [Create Menu Items](../../../integration-guide/ui/how-tos/create-menu-items) +- [View Access Control Rules](../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules) + +In the example below, the view form will display all records. To change the filter on the record display, you must change the [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form). + +```text +
+``` + +The record filter not only changes the display options of the record, but also changes the display of the rights associated with this record. + diff --git a/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-search-bar.md b/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-search-bar.md new file mode 100644 index 0000000000..1222c726a5 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/ui/how-tos/custom-search-bar.md 
@@ -0,0 +1,41 @@ +# Customize Search Bars + +This guide shows how to define a custom way to search from a list of a given entity type's properties. + +See the [Search Bar](../../../integration-guide/toolkit/xml-configuration/user-interface/searchbar) topic for additional information. + +## Default Search Bar + +To search on a resource list for an entity, you must enter a SearchBar tag for the given entity. + +```text + +``` + +Here is the visualization of this searchbar on the interface: + +![SearchBarWithoutFilters](/images/identitymanager/searchbarwithoutfilter.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids filter duplication. Thus, the `` property can be deleted in the `` argument in the display table. + +## Create Default Filters + +To add a default filter, you must add both of the following properties to a [Search Bar](../../../integration-guide/toolkit/xml-configuration/user-interface/searchbar): + +- DefaultValue +- Operator + +```text +**** +``` + +Here is the visualization of this criterion on the interface: + +![SearchBarFilter](/images/identitymanager/searchbarfilters.webp) + +## Search Bar Menu + +Each menu item is a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list. + +**See the [Create Menu Items](../../../integration-guide/ui/how-tos/create-menu-items)topic for additional information** + diff --git a/docs/identitymanager/6.3/integration-guide/ui/how-tos/producttranslations.md b/docs/identitymanager/6.3/integration-guide/ui/how-tos/producttranslations.md new file mode 100644 index 0000000000..5c36eb2c21 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/ui/how-tos/producttranslations.md 
@@ -0,0 +1,69 @@ +# Import Product Translations into Identity Manager + +This topic shows how to import product translations into Identity Manager. A product translation means a translation of a Identity Manager's component, for example a button display message, **not the translation of a configured component**. + +## JSON Translation File + +The translations are given to Identity Manager in a JSON file, through the configuration deployment tool. This section first explains how to write the JSON file, then how to use it with the deployment tool. + +**JSON translation file format** + +Example with the translation keys`accessCertificationReview.recommendation.manuallyAuthorized`, `app.common.button.create.label` and `app.common.labels.whenCreated`: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +{ +        "accessCertificationReview.recommendation.manuallyAuthorized": "", +        "app.common.button.create.label": "", +        "app.common.labels.whenCreated": "" +} +``` + +The JSON file must only contain string properties: no object, array or number. + +The properties' name must match the wanted translation keys. + +**Find the translation keys** + +A translation key is an identifier for a given translation: Identity Manager uses those keys to find the translation it needs in the interface. + +To find these keys, go on [Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) , download the SDK of your product version and unzip the folder. + +The Translations folder contains two JSON files: en-US.json and fr-FR.json. These files both contain all the translation keys and respectively contain English (US) and french translations. + +The configuration tool throws an error only when the format is wrong, not the keys: if you do not write correct keys, the file will be imported anyway without a warning. 
Netwrix strongly recommends to copy paste the keys from the JSON files in Translations. + +### Key overriding + +There is no need to rewrite all the keys if you do not want to modify all the translations: in your JSON file, put only the keys of the translations you need to modify. + +For languages other than french and English (US), when you do not override a given translation, Identity Manager uses the English (US) one. + +### JSON translation file name + +Product translations must be linked to a defined Language in the configuration. For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +``` + +A translation file must be named: translation.`language code`.json. + +For example, for en-US, the translation file must be named translation.en-US.json. + +## Use the Configuration Tool to Import the JSON Translation File + +Place the JSON file described in the previous part in your XML configuration folder: you can place it anywhere in it, but the root is recommended. + +Deploy your configuration as usual but add the --product-translation argument to your command line. + +The custom product translations are now imported and usable by Identity Manager. + +## Export the Translation File + +If you need to export the custom product translations of your languages, export your configuration as usual but add the `--export-translation` argument to your command line. + +It will generate the translation files at the root of your XML configuration folder. diff --git a/docs/identitymanager/6.3/integration-guide/ui/index.md b/docs/identitymanager/6.3/integration-guide/ui/index.md new file mode 100644 index 0000000000..675724cabf --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/ui/index.md @@ -0,0 +1,9 @@ +--- +title: "User Interface" +description: "User Interface" +sidebar_position: 160 +--- + +# User Interface + +See how-to customize Identity Manager's User Interface. 
diff --git a/docs/identitymanager/6.3/integration-guide/ui/producttranslations.md b/docs/identitymanager/6.3/integration-guide/ui/producttranslations.md
new file mode 100644
index 0000000000..0e1cac68e4
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/ui/producttranslations.md
@@ -0,0 +1,77 @@ +--- +title: "Import Product Translations into Identity Manager" +description: "Import Product Translations into Identity Manager" +sidebar_position: 10 +--- + +# Import Product Translations into Identity Manager + +This topic shows how to import product translations into Identity Manager. A product translation means a translation of a Identity Manager's component, for example a button display message, not the translation of a configured component. + +Currently in preview mode, Identity Manager supports both left to right and right to left languages. Use the toggle on the Settings Page to activate right to left languages. + +## JSON Translation File + +The translations are given to Identity Manager in a JSON file, through the configuration deployment tool. This section first explains how to write the JSON file, then how to use it with the deployment tool. + +**JSON translation file format** + +Example with the translation keys`accessCertificationReview.recommendation.manuallyAuthorized`, `app.common.button.create.label` and `app.common.labels.whenCreated`: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json +{ +        "accessCertificationReview.recommendation.manuallyAuthorized": "", +        "app.common.button.create.label": "", +        "app.common.labels.whenCreated": "" +} +``` + +The JSON file must only contain string properties: no object, array or number. + +The properties' name must match the wanted translation keys. + +**Find the translation keys** + +A translation key is an identifier for a given translation: Identity Manager uses those keys to find the translation it needs in the interface. + +To find these keys, go on [Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) , download the SDK of your product version and unzip the folder. + +The Translations folder contains two JSON files: en-US.json and fr-FR.json. 
These files both contain all the translation keys and respectively contain English (US) and french translations. + +The configuration tool throws an error only when the format is wrong, not the keys: if you do not write correct keys, the file will be imported anyway without a warning. Netwrix strongly recommends to copy paste the keys from the JSON files in Translations. + +### Key overriding + +There is no need to rewrite all the keys if you do not want to modify all the translations: in your JSON file, put only the keys of the translations you need to modify. + +For languages other than french and English (US), when you do not override a given translation, Identity Manager uses the English (US) one. + +### JSON translation file name + +Product translations must be linked to a defined Language in the configuration. For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```json + +``` + +A translation file must be named: translation.``.json. + +For example, for en-US, the translation file must be named translation.en-US.json. + +## Use the Configuration Tool to Import the JSON Translation File + +Place the JSON file described in the previous part in your XML configuration folder: you can place it anywhere in it, but the root is recommended. + +Deploy your configuration as usual but add the --product-translation argument to your command line. + +The custom product translations are now imported and usable by Identity Manager. + +## Export the Translation File + +If you need to export the custom product translations of your languages, export your configuration as usual but add the `--export-translation` argument to your command line. + +It will generate the translation files at the root of your XML configuration folder. 
diff --git a/docs/identitymanager/6.3/integration-guide/workflows/activity-templates.md b/docs/identitymanager/6.3/integration-guide/workflows/activity-templates.md
new file mode 100644
index 0000000000..7948162145
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/workflows/activity-templates.md
@@ -0,0 +1,134 @@ +--- +title: "Activity Templates" +description: "Activity Templates" +sidebar_position: 10 +--- + +# Activity Templates + +This section describes the activities that constitute and model a [Workflow](../../integration-guide/toolkit/xml-configuration/workflows/workflow). Each activity is assigned a template, made of states and transitions. + +## Overview + +Going through an activity means going through states and transitions. + +![Activity Template - Example](/images/identitymanager/activitytemplates_example.webp) + +By default, Identity Manager's workflow engine implements the following activity templates: + +- `Action` +- `Action **with** Refine` +- `Review` +- `Review **with** Feedback` +- `Continue **with**` +- `Persist` +- `Persist OnlyResources` + +## Activity Templates + +### Action + +Awaits user modifications **without** another user's intervention. + +![Activity Template - Action](/images/identitymanager/activitytemplates_action.webp) + +### ActionWithRefine + +Awaits user modifications **with** the possibility to delegate the action to another user. + +![Activity Template - ActionWithRefine](/images/identitymanager/activitytemplates_actionwithrefine.webp) + +The `ActionWithRefine` activity can be translated into the following form: + +![ActionWithRefine in the UI](/images/identitymanager/activity_actionwithrefine_v602.webp) + +### Review + +Awaits user approval **without** another user's intervention. + +![Activity Template - Review](/images/identitymanager/activitytemplates_review.webp) + +### ReviewWithFeedback + +Awaits user approval **with** the possiblity of getting feedback from another user before taking the action. 
+ +![Activity Template - ReviewWithFeedback](/images/identitymanager/activitytemplates_reviewwithfeedback.webp) + +The `ReviewWithFeedback` activity can be translated into the following form: + +![ReviewWithFeedback in the UI](/images/identitymanager/activity_reviewwithfeedback_v602.webp) + +### Persist + +Saves the workflow's collected data to the repository and triggers dependent processes (i.e. computation of the role model and provisioning). This activity has only the transition `Persist-Invoked-Invoke` and the state `Persist-Invoked`. It has no user interaction, and hence no need for permissions. + +### PersistOnlyResources + +Saves the workflow's collected data to the repository **without** triggering the dependent processes (i.e. computation of the role model and provisioning). This activity has only the transition `PersistOnlyResources-Invoked-Invoke` and the state `PersistOnlyResources-Invoked`. It has no user interaction, and hence no need for permissions. + +> For example, `PersistOnlyResources` can be used in a workflow to add a new user, as we first +> create a user sheet but **without** any account, etc. 
+ +## States + +By default, Identity Manager's workflow engine implements the following state templates: + +- `Action-ActionPending` +- `Action-Executed` +- `Action-Aborted` +- `Action-Purged` +- `ActionWithRefine-ActionPending` +- `ActionWithRefine-Executed` +- `ActionWithRefine-RefinePending` +- `ActionWithRefine-Aborted` +- `ActionWithRefine-Purged` +- `Review-ReviewPending` +- `Review-Declined` +- `Review-Approved` +- `Review-Aborted` +- `Review-Purged` +- `ReviewWithFeedback-ReviewPending` +- `ReviewWithFeedback-Approved` +- `ReviewWithFeedback-Declined` +- `ReviewWithFeedback-RefinePending` +- `ReviewWithFeedback-Aborted` +- `ReviewWithFeedback-Purged` +- `ContinueWith-Invoked` +- `Persist-Invoked` +- `PersistOnlyResources-Invoked` + +## Transitions + +By default, Identity Manager's workflow engine implements the following transition templates: + +- `Action-ActionPending-Save` +- `Action-ActionPending-Execute` +- `Action-ActionPending-Abort` +- `Action-Aborted-Purge` +- `ActionWithRefine-ActionPending-Save` +- `ActionWithRefine-ActionPending-Execute` +- `ActionWithRefine-ActionPending-Delegate` +- `ActionWithRefine-ActionPending-Abort` +- `ActionWithRefine-RefinePending-Save` +- `ActionWithRefine-RefinePending-Delegate` +- `ActionWithRefine-RefinePending-Execute` +- `ActionWithRefine-RefinePending-Abort` +- `ActionWithRefine-Aborted-Purge` +- `Review-ReviewPending-Save` +- `Review-ReviewPending-Approve` +- `Review-ReviewPending-Decline` +- `Review-ReviewPending-Abort` +- `Review-Aborted-Purge` +- `ReviewWithFeedback-ReviewPending-Save` +- `ReviewWithFeedback-ReviewPending-Approve` +- `ReviewWithFeedback-ReviewPending-Decline` +- `ReviewWithFeedback-ReviewPending-Refine` +- `ReviewWithFeedback-ReviewPending-Abort` +- `ReviewWithFeedback-Aborted-Purge` +- `ReviewWithFeedback-RefinePending-Save` +- `ReviewWithFeedback-RefinePending-Delegate` +- `ReviewWithFeedback-RefinePending-Execute` +- `ContinueWith-Invoked-Invoke` +- `Persist-Invoked-Invoke` +- 
`PersistOnlyResources-Invoked-Invoke` + diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/configure-homonym-test.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/configure-homonym-test.md new file mode 100644 index 0000000000..47fb82bb9b --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/configure-homonym-test.md 
@@ -0,0 +1,116 @@ +--- +title: "Configure a Homonym Detection" +description: "Configure a Homonym Detection" +sidebar_position: 60 +--- + +# Configure a Homonym Detection + +In this section we configure the homonym search that checks if a resource already exists in the system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A [Homonym Entity Link](../../../integration-guide/toolkit/xml-configuration/workflows/homonymentitylink) defines a new homonym search to be performed in a workflow form. It can be defined in different ways. + +### With a default filter + +``` + +``` + +When no filter is defined for the homonym entity link, the search for homonyms is performed according to the homonym control form. See the Configure a Homonym Detection topic for additional information. + +### With customized filters + +[Homonym Entity Link](../../../integration-guide/toolkit/xml-configuration/workflows/homonymentitylink)filters allow to define customized filters for a homonym search. + +#### Simple filter + +``` + +``` + +Here, since the default operator is `Equal`, the search for homonyms is performed by comparing the values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control example in the section below._ + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. 
When the input search value is retrieved directly from the property value + +``` +``` + +Here, `Property1` is set, so the search for homonyms is performed by comparing the `LastName` value, entered by the user in the workflow form, with the phonetic value of existing resources stored as the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to the input value. + +2. When the input search value is deducted + +``` +``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the search value is computed by +applying the expression defined for `ComparisonProperty1` from the input values, eg. `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the search value is computed by applying the +`Expression1` from the input values. This filter allows checking the homonyms on the reversed full name (to manage the case where the user reverses the first and last name for example). + +The search for homonyms is performed by comparing the search values computed based on each filter with the values stored in the database and retrieves all resources that match any of the filters. + +#### Filter on a language property + +If a filter is set on a language property, the search for homonyms is performed on the property associated to the main language. + +``` + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` and `Name_fr`. + +If English is the main language, the search for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) is used to define how a list of the same entity type should be displayed. + +By default, the homonyms are displayed using the default display table of the related entity type. 
+ +To display homonyms in a different way than the default, a specific display table must be created where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + +``` + +See the [Customize Display Tables](../../../integration-guide/ui/custom-display-table) for additional information. + +## Define the Homonym Control in the Workflow Form + +The [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) where the homonyms are to be checked must contain a layout fieldset control where: + +- the properties to check are represented; +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. Indeed, a filter can only be defined on up to 5 properties. + +``` +
+ +``` + diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/index.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/index.md new file mode 100644 index 0000000000..77596e65b0 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/index.md 
@@ -0,0 +1,52 @@ +--- +title: "How To Create a Workflow" +description: "How To Create a Workflow" +sidebar_position: 20 +--- + +# How To Create a Workflow + +This guide shows how to create a [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) through the XML configuration. + +## Process + +1. Declare a new [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) with +given activities following Identity Manager's activity templates. +2. Configure the input [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) with the +right output type according to the purpose of the workflow. +3. Assign the adequate permissions via an +[Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule). +4. Add [Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem). +5. Add [Aspects](../../../integration-guide/toolkit/xml-configuration/workflows/aspects), according to the +purpose of the workflow. +6. Add optional elements if needed: [Workflows](../../../integration-guide/workflows); a +[Configure a Homonym Detection](../../../integration-guide/workflows/create-workflow/configure-homonym-test); [Customize Display Tables](../../../integration-guide/ui/custom-display-table)different from Identity Manager's default one. + +## Examples + +You can also find configuration examples for several types of workflow: + +- [For Resource Creation (Mono Record)](../../../integration-guide/workflows/create-workflow/workflow-create-mono) + +How to create a workflow to create a new resource with a unique record. + +- [For Resource Creation (Multi Records)](../../../integration-guide/workflows/create-workflow/workflow-create-multi) + +How to create a workflow to create a new resource with several records. 
+ +- [For Resource Update (No Record)](../../../integration-guide/workflows/create-workflow/workflow-update-resource) + +How to create a workflow to update an existing simple resource, i.e. to update, within a given existing resource, properties that do not involve records. + +- [For Resource Update (Mono Record)](../../../integration-guide/workflows/create-workflow/workflow-update-mono) + +How to create a workflow to schedule the replacement of the unique record of an existing resource with a new one. + +- [For Resource Update (Multi Records)](../../../integration-guide/workflows/create-workflow/workflow-update-multi) + +Create a workflow to update an existing resource through its several records. + +- [Configure a Homonym Detection](../../../integration-guide/workflows/create-workflow/workflow-update-multi) + +How to configure the homonym search that checks if a resource already exists in the system, preventing duplicates. + diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-mono.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-mono.md new file mode 100644 index 0000000000..e4243c10f4 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-mono.md 
@@ -0,0 +1,167 @@ +--- +title: "For Resource Creation (Mono Record)" +description: "For Resource Creation (Mono Record)" +sidebar_position: 10 +--- + +# For Resource Creation (Mono Record) + +This section guides you through the procedure for the creation of a [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) to create a new resource with a unique record. + +## Declare a Workflow + +This [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) is made of four activities: + +1. `Action With Refine`: sends the creation request with a possibility of delegation. +2. `Persist Only Resources`: saves the collected data to the repository without triggering +provisioning. +3. `Review With Feedback`: reviews the creation request with the possibility of getting feedback +from another user. +4. `Persist`: saves the collected data and triggers provisioning. + +See the [Activity Templates](../../../integration-guide/workflows/activity-templates) topic for additional information. + +The example below creates a workflow to create a new worker. + +``` + +``` + +## Create Forms + +The XML configuration below represents the creation of a [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) that defines the elements to display in the workflow. + +Here we create two structured forms: the preliminary one is called inside the main one, and the main one is to be called in our final workflow form. + +``` +Preliminary form for user data: +
+ +Preliminary form for user's contract data: + + +Preliminary form for user's position data: +
+ +Main form for all data: +
+ Section calling the preliminary form for user data: + + Section calling the preliminary form for contract data: + + Section calling the preliminary form for position data: + +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed when launching the workflow. It has the type corresponding to a resource's creation with one record, i.e. `WorkflowCreateRecordEntityForm` and it must specify the workflow's context (the entity type of the involved resources, the main property, the activity when the form is called, etc): + +``` + +``` + +A `WorkflowCreateRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + +``` + +The `MainControl` attribute is here an empty container because we configure all personal data, contracts and positions as records to be able to anticipate changes for example. The line with the empty `MainControl` is not mandatory. See the [Position Change via Records](../../../integration-guide/identity-management/joiners-movers-leavers/position-change)topic for additional information. + +- `RecordControl` that defines record data, and calls the form created previously. See the For +Resource Creation (Mono Record) topic for additional information. + +``` + + + +``` + +![UI Form](/images/identitymanager/howto_resourcecreationmono_form_v602.webp) + +### Add a summary (Optional) + +Another child element `RecordSummaryControl` can be added to insert a summary part, i.e. the form used after the workflow execution to show some values, most of the time those affected by the workflow, typically the properties editable in the workflow or generated properties. So in our situation, it displays the `EmployeeId` and `Mail` attributes that the workflow just computed: + +``` +Summary form: +
+ + +``` + +![UI Summary](/images/identitymanager/howto_resourcecreationmono_summary_v602.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right users. See the [Workflows](../../../integration-guide/workflows) topic for additional information. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions for the whole creation request and review from the previously created workflow: + +``` +**** + + Permissions for the Request activity: + + + Permissions for the Review activity: + +``` + +## Create Menu Items in the UI + +[Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem)must be defined to make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/images/identitymanager/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: + +``` + ... + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates see the [Configure a Homonym Detection](../../../integration-guide/workflows/create-workflow/workflow-update-multi) topic for additional information. + +When using records, the homonym detection displays the list of records and not just the list of users. + +Below is an example where a homonym entity link, based on the user's name, is called in the workflow form: + +``` +Homonym detection: + + + +Partial form for user data: +... + ... 
+``` + +![UI Homonym Detection](/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the [Customize Display Tables](../../../integration-guide/ui/custom-display-table) topic for additional information. + diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-multi.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-multi.md new file mode 100644 index 0000000000..2b41338114 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-create-multi.md 
@@ -0,0 +1,179 @@
+---
+title: "For Resource Creation (Multi Records)"
+description: "For Resource Creation (Multi Records)"
+sidebar_position: 20
+---
+
+# For Resource Creation (Multi Records)
+
+This section guides you through the procedure for the creation of a workflow to create a new resource with several records.
+
+## Declare a Workflow
+
+This [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) is made of four activities:
+
+1. `Action With Refine`: sends the creation request with a possibility of delegation.
+2. `Persist Only Resources`: saves the collected data to the repository without triggering
+provisioning.
+3. `Review With Feedback`: reviews the creation request with the possibility of getting feedback
+from another user.
+4. `Persist`: saves the collected data and triggers provisioning.
+
+See the [Activity Templates](../../../integration-guide/workflows/activity-templates) topic for additional information.
+
+The example below creates a workflow to create a new helpdesk worker, with the possibility to create several records at once for said worker.
+
+```
+
+```
+
+## Create Forms
+
+The XML configuration below represents the creation of a [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) that defines the elements to display in the workflow.
+
+Here we create three structured forms, all to be called in our final workflow form.
+
+```
+First form for the user's identification data:
+
+
+Second form for the user's data shared with all records:
+
+
+ Section for user's personal data, here their name and phone numbers:
+
+
+ Section for user's contract data, here their contract's type, start and end dates:
+
+
+Third form for the user's data specific to each record individually, so here position information:
+
+```
+
+## Link the Forms to the Workflow
+
+After creating a workflow with given activities, it is necessary to create the form to be displayed when launching the workflow. It has the type corresponding to a resource's creation with several records, i.e. `WorkflowCreateSeveralRecordEntityForm` and it must specify the workflow's context (the entity type of the involved resources, the main property, the activity when the form is called, etc):
+
+```
+
+```
+
+A `WorkflowCreateSeveralRecordEntityForm` requires the following child elements:
+
+- `MainControl` that defines the user's data that never changes so identification data, and calls
+the firstform created previously;
+
+```
+
+
+
+```
+
+- `RecordControl` that defines the record data shared with all records, and calls the secondform
+created previously;
+
+```
+
+
+
+```
+
+In a situation where users can have several positions but also several contracts, then contract data would be part of the form called by `RecordUniqueItemControl` instead of `RecordControl`.
+
+In a situation where positions, contracts and personal data are all configured as records because we want to be able to anticipate changes for example, then there would not be any data shared by all records. Then `RecordControl` would be empty. See the [Position Change via Records](../../../integration-guide/identity-management/joiners-movers-leavers/position-change) topic for additional information.
+
+> ```
+>
+> ...
+>
+> ...
+>
+>
+> ```
+
+- `RecordUniqueItemControl` (optional but recommended) that defines the record data specific to each
+record individually, and calls the thirdform created previously.
+
+```
+
+
+
+```
+
+![UI Form](/images/identitymanager/howto_resourcecreationmulti_form_v603.webp)
+
+## Assign the Right Permissions
+
+Some profiles must get specific permissions so that the workflow is visible and usable by the right users.
Read about [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow)s permissions.
+
+Below is an example of an access control rule where the `Administrator` profile gets the permissions for the whole creation request and review from the previously created workflow:
+
+```
+****
+
+ Permissions for the Request activity:
+
+
+ Permissions for the Review activity:
+
+```
+
+## Create Menu Items in the UI
+
+[Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) must be defined to make the workflow accessible in the UI.
+
+Creating a new resource, an interesting location for this workflow could be the users list page.
+
+![Workflow Menu Items - Users List](/images/identitymanager/menuitems_userslist_v603.webp)
+
+To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list:
+
+```
+ ...
+
+
+```
+
+## Add Aspects
+
+For each workflow, it is possible to add aspects according to the workflow's purpose.
+
+## Homonym Detection (Optional)
+
+To perform a homonymy check on a workflow and thus prevent user duplicates see the [Configure a Homonym Detection](../../../integration-guide/workflows/create-workflow/configure-homonym-test) topic for additional information.
+
+When using records, the homonym detection displays the list of records and not just the list of users.
+
+Below is an example where a homonym entity link, based on the user's name, is called in the workflow form:
+
+```
+Homonym detection:
+
+
+
+Partial form for user data:
+...
+ ...
+```
+
+![UI Homonym Detection](/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp)
+
+## Customize the Display Table (Optional)
+
+To configure a display table different from the default one provided by Identity Manager, see the [Customize Display Tables](../../../integration-guide/ui/custom-display-table) topic for additional information.
+
+Below is an example of a display table for our situation:
+
+```
+
+```
+
diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-mono.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-mono.md
new file mode 100644
index 0000000000..5d80d9fac2
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-mono.md
@@ -0,0 +1,110 @@
+---
+title: "For Resource Update (Mono Record)"
+description: "For Resource Update (Mono Record)"
+sidebar_position: 40
+---
+
+# For Resource Update (Mono Record)
+
+This section guides you through the procedure for the creation of a workflow to schedule the replacement of the unique record of an existing resource with a new one.
+
+## Declare a Workflow
+
+This [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) is made of two activities:
+
+1. `Action With Refine`: sends the resource's record update request with a possibility of
+delegation.
+2. `Persist`: saves the collected data and triggers provisioning.
+
+See the [Activity Templates](../../../integration-guide/workflows/activity-templates) topic for additional information.
+
+The example below creates a workflow to update only the user's name.
+
+```
+
+```
+
+For now, our workflow works with an immediate validation and an immediate effect.
+
+## Create Forms
+
+The XML configuration below represents the creation of a [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) that defines the elements to display in the workflow.
+
+Here we just have the full name field to update the corresponding attributes for a given user:
+
+```
+
+```
+
+## Link the Forms to the Workflow
+
+After creating a workflow with given activities, it is necessary to create the form to be displayed when launching the workflow. It has the type corresponding to a (unique) record's replacement, i.e. `WorkflowAddAndEndRecordEntityForm` and it must specify the workflow's context (the entity type of the involved resources, the main property, the activity when the form is called, etc):
+
+```
+
+```
+
+A `WorkflowAddAndEndRecordEntityForm` requires the following child elements:
+
+- `MainControl` that defines user's data;
+
+```
+
+
+
+```
+
+The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is not involved in the changes of this workflow.
+
+- `RecordControl` that defines record data, and call the form created previously.
+
+```
+
+
+
+```
+
+![UI Form](/images/identitymanager/howto_resourceupdatemono_form_v603.webp)
+
+`End of transition` sets the date for the change of records scheduled by this form.
+
+## Assign the Right Permissions
+
+Some profiles must get specific permissions so that the workflow is visible and usable by the right users. Read about [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow)s permissions.
+
+Below is an example of an access control rule where the `Administrator` profile gets the permissions for the whole update request from the previously created workflow:
+
+```
+
+```
+
+## Create Menu Items in the UI
+
+[Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) must be defined to make the workflow accessible in the UI.
+
+Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users.
+
+![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp)
+
+To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list:
+
+```
+ ...
+
+
+```
+
+## Add Aspects
+
+For each workflow, it is possible to add aspects according to the workflow's purpose.
+
+## Homonym Detection (Optional)
+
+To perform a homonymy check on a workflow and thus prevent user duplicates, see the [Configure a Homonym Detection ](../../../integration-guide/workflows/create-workflow/configure-homonym-test) topic for additional information.
+
+When using records, the homonym detection displays the list of records and not just the list of users.
+
+## Customize the Display Table (Optional)
+
+To configure a display table different from the default one provided by Identity Manager, see the [Customize Display Tables](../../../integration-guide/ui/custom-display-table) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-multi.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-multi.md
new file mode 100644
index 0000000000..b2dad5cae5
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-multi.md
@@ -0,0 +1,144 @@
+---
+title: "For Resource Update (Multi Records)"
+description: "For Resource Update (Multi Records)"
+sidebar_position: 50
+---
+
+# For Resource Update (Multi Records)
+
+This section guides you through the procedure for the creation of a workflow to update an existing resource through its several records.
+
+## Declare a Workflow
+
+This [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) is made of three activities:
+
+1. `Action With Refine`: sends the resource's records update request with a possibility of
+delegation.
+2. `Review With Feedback`: reviews the update request with the possibility of getting feedback from
+another user.
+3. `Persist`: saves the collected data and triggers provisioning.
+
+See the [Activity Templates](../../../integration-guide/workflows/activity-templates) topic for additional information.
+
+The example below creates a workflow to update the records of an existing user:
+
+```
+
+```
+
+## Create Forms
+
+The XML configuration below represents the creation of a [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) that defines the elements to display in the workflow.
+
+Here we create three structured forms, all to be called in our final workflow form:
+
+```
+First form for the user's record data, shared with all records:
+
+
+Second form for the user's record data, specific to each record individually:
+
+```
+
+## Link the Forms to the Workflow
+
+After creating a workflow with given activities, it is necessary to create the form to be displayed when launching the workflow. It has the type corresponding to a resource's update with several records, i.e. `WorkflowUpdateSeveralRecordEntityForm` and it must specify the workflow's context (the entity type of the involved resources, the main property, the activity when the form is called, etc):
+
+```
+
+```
+
+`WorkflowUpdateSeveralRecordEntityForm` displays a date picker for the end of transition, to schedule the record replacement.
+
+A `WorkflowUpdateSeveralRecordEntityForm` requires the following child elements:
+
+- `MainControl` that defines user's data;
+
+```
+
+
+
+```
+
+The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is not involved in the changes of this workflow.
+
+- `RecordControl` that defines the record data shared with all records and calls the firstform
+created previously;
+
+```
+
+
+
+```
+
+- `RecordUniqueItemControl` that defines the record data specific to each record individually, and
+calls the secondform created previously;
+
+```
+
+
+
+```
+
+- `RecordSlaveControl` that copies an existing record to be the base, i.e. pre-fill the fields, for
+the update of record data specific to each record individually. Thus it calls the same form as `RecordUniqueItemControl`.
+
+```
+
+
+
+```
+
+- `RecordSlaveUniqueItemControl` that copies an existing record to be the base, i.e. pre-fill the
+fields, for the update of record data shared with all records. Thus it calls the same form as `RecordControl`.
+
+```
+
+
+
+```
+
+The `RecordSlaveControl` attribute calls here the same form as `RecordUniqueControl`, because it copies part of the main record to pre-fill the fields of `RecordUniqueControl`.
+
+![UI Form](/images/identitymanager/howto_resourceupdatemulti_form_v603.webp)
+
+## Assign the Right Permissions
+
+Some profiles must get specific permissions so that the workflow is visible and usable by the right users. Read about [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow)s permissions.
+
+Below is an example of an access control rule where the `Administrator` profile gets the permissions for the whole update request from the previously created workflow:
+
+```
+
+```
+
+## Create Menu Items in the UI
+
+[Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) must be defined to make the workflow accessible in the UI.
+
+Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users.
+
+![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp)
+
+To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list:
+
+```
+ ...
+
+
+```
+
+## Add Aspects
+
+For each workflow, it is possible to add aspects according to the workflow's purpose.
+
+## Homonym Detection (Optional)
+
+To perform a homonymy check on a workflow and thus prevent user duplicates,see the [Configure a Homonym Detection](../../../integration-guide/workflows/create-workflow/configure-homonym-test) topic for additional information.
+
+When using records, the homonym detection displays the list of records and not just the list of users.
+
+## Customize the Display Table (Optional)
+
+To configure a display table different from the default one provided by Identity Manager, see the [Customize Display Tables](../../../integration-guide/ui/custom-display-table) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-resource.md b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-resource.md
new file mode 100644
index 0000000000..d38958a3d1
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/workflows/create-workflow/workflow-update-resource.md
@@ -0,0 +1,99 @@
+---
+title: "For Resource Update (No Record)"
+description: "For Resource Update (No Record)"
+sidebar_position: 30
+---
+
+# For Resource Update (No Record)
+
+This section guides you through the procedure for the creation of a workflow to update a simple resource, i.e. to update, within a given resource, properties that do not involve records.
+
+## Declare a Workflow
+
+This [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) is made of two activities:
+
+1. `Action With Refine`: sends the resource's update request with a possibility of delegation.
+2. `Persist`: saves the collected data and triggers provisioning.
+
+See the [Activity Templates](../../../integration-guide/workflows/activity-templates) topic for additional information.
+
+The example below creates a workflow to update only the user's `IsDraft` attribute.
+
+```
+
+```
+
+## Create Forms
+
+The XML configuration below represents the creation of a [Form](../../../integration-guide/toolkit/xml-configuration/user-interface/form) that defines the elements to display in the workflow.
+
+Here we just have one field called `IsDraft` to update the corresponding boolean attribute for a given user:
+
+```
+
+```
+
+## Link the Forms to the Workflow
+
+After creating a workflow with given activities, it is necessary to create the form to be displayed when launching the workflow. It has the type corresponding to a resource's update, i.e. `WorkflowEditEntityForm` and it must specify the workflow's context (the entity type of the involved resources, the main property, the activity when the form is called, etc):
+
+```
+
+```
+
+A `WorkflowEditEntityForm` requires one child element `MainControl` that defines the actual content of the workflow's form and calls the form created previously:
+
+```
+
+
+
+```
+
+![UI Form](/images/identitymanager/howto_resourceupdateno_form_v603.webp)
+
+### Add a summary (Optional)
+
+Another child element `SummaryControl` can be added to insert a summary part, i.e. the form used after the workflow execution to show some values, most of the time those affected by the workflow, typically the properties editable in the workflow or generated properties. So in our situation, it displays the `IsDraft` attribute that the user just changed:
+
+```
+
+
+
+```
+
+![UI Summary](/images/identitymanager/howto_resourceupdateno_summary_v603.webp)
+
+## Assign the Right Permissions
+
+Some profiles must get specific permissions so that the workflow is visible and usable by the right users. Read about the [Workflow](../../../integration-guide/toolkit/xml-configuration/workflows/workflow) permissions.
+
+Below is an example of an access control rule where the `Administrator` profile gets the permissions for the whole update request from the previously created workflow:
+
+```
+
+```
+
+## Create Menu Items in the UI
+
+[Menu Item](../../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) must be defined to make the workflow accessible in the UI.
+
+Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users.
+
+![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp)
+
+To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list:
+
+```
+ ...
+
+
+```
+
+## Add Aspects
+
+For each workflow, it is possible to add aspects according to the workflow's purpose.
+
+## Customize the Display Table (Optional)
+
+To configure a display table different from the default one provided by Identity Manager, see the [Customize Display Tables](../../../integration-guide/ui/custom-display-table) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/integration-guide/workflows/index.md b/docs/identitymanager/6.3/integration-guide/workflows/index.md
new file mode 100644
index 0000000000..25cecf2303
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/workflows/index.md
@@ -0,0 +1,135 @@
+---
+title: "Workflows"
+description: "Workflows"
+sidebar_position: 140
+---
+
+# Workflows
+
+In software business, a [Workflow](../../integration-guide/toolkit/xml-configuration/workflows/workflow) is a series of specific actions taken by specific people to accomplish specific tasks. For Identity Manager, workflows are models of business workflows, processes or procedures.
+
+## Overview
+
+Workflows model business processes and update data within Identity Manager, they handle managed systems only indirectly through Identity Manager. They are engaged in order to complete a task, assigning rights for instance. It is a way of getting work done, a series of steps that are required to be completed sequentially. Most of the time, Identity Manager's workflows are made for:
+
+1. manual entitlement requests = request / send notification(s) / approve / assign entitlement.
+2. addition/update/deletion of resources (used in practice for identities) = create / give basic
+entitlements / review / apply changes.
+
+Workflows are very configurable objects with many available options. However, the most efficient way to use workflows in IGA is to keep them simple. Identity Manager's demo workflows constitute effective examples.
+
+A workflow is made of several elements:
+
+- a series of activities that constitutes the workflow;
+- a form that collects input data;
+- permissions required to realize the workflow's activities;
+- menu items that make the workflow and its activities accessible;
+- aspects that allow specific actions to be performed;
+- a summary (optional) of the workflow's results;
+- a homonym detection (optional) that prevents duplicates in resources;
+- a display table (optional) that replaces Identity Manager's default table displaying the data of
+the created/modified resource.
+
+### Technical principles
+
+- A workflow is linked to
+one[Entity Type](../../integration-guide/toolkit/xml-configuration/metadata/entitytype) and concerns only resources from said entity type. For example, a workflow can be linked to `Directory_User` or `Directory_Department` according to the workflow's purpose, but not both together.
+- The aim of a workflow is to get input data (either a form or just an approval) from users involved
+in the workflow, then build a change set, and finally apply said change set to the relevant resource.
+- Starting a workflow means starting its first activity.
+
+## Activities
+
+A workflow is made of successive activities, each of which is assigned an [Activity Templates](../../integration-guide/workflows/activity-templates)that defines how transitions occur from a workflow step to another.
+
+Activities never run in parallel in a workflow. Each activity can start once the previous one reached its final state.
+
+## Forms
+
+Workflows use [Form](../../integration-guide/toolkit/xml-configuration/user-interface/form) to collect input data through the UI.
+
+A form is a set of fields, configured with controls. A control can define a field to fill, a fields set, call an existing form, etc. depending on its output type. To be displayed in the UI, and potentially filled by a given user with the appropriate data, a form must have a type.
+
+Forms without a type can be created in order to be called in other forms with a type. It can be useful to structure your forms, and to avoid rewriting a part of form that is needed in most forms for example.
+
+### Form types
+
+Identity Manager provides a few form types. Each form type implies the necessity of specific controls as child elements with specific purposes.
+
+The following table presents the required child controls required for each form type applicable to a workflow's input form:
+
+- **M** for `MainControl`(required) groups resource data apart from record data;
+- **Su** for `SummaryControl`(optional when no/mono record) sums up resource data, mostly computed
+properties, after the workflow's execution;
+- **R** for `RecordControl`(required when handling records) groups the record data shared with all
+records;
+- **RUI** for `RecordUniqueItemControl`(recommended when handling records) groups the record data
+specific to each record individually;
+- **RSUI** for `RecordSlaveUniqueItemControl`(optional when updating multi records) appoints an
+existing record to be the base of the fields' pre-filling, before the update of the record data shared with all records;
+- **RS** for `RecordSlaveControl`(recommended when updating multi records) appoints an existing
+record to be the base of the fields' pre-filling, before the update of the record data specific to each record individually;
+- **RSu** for `RecordSummaryControl`(optional when handling mono record) sums up record data, mostly
+computed properties, after the workflow's execution.
+
+ | Form Type | M | Su | R | RUI | RSUI | RS | RSu |
+ | --- | --- | --- | --- | --- | --- | --- | --- |
+ | Workflow**Create**Entity Form | Req. | Opt. | | | | | |
+ | Workflow**Edit**Entity Form | Req. | Opt. | | | | | |
+ | Workflow**UpdateRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. |
+ | Workflow**AddRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. |
+ | Workflow**AddAndEndRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. |
+ | Workflow**CreateRecord**Entity Form | Req. | Opt. | Req. | | | | Opt. |
+ | Workflow**CreateSeveralRecord**Entity Form | Req. | | Req. | Reco. | | | |
+ | Workflow**UpdateSeveralRecord**Entity Form | Req. | | Req. | Reco. | Reco. | Opt. | |
+ | Workflow**UpdateRecord**Entities Form | Req. | Opt. | Req. | Reco. | | | Opt.
|
+
+## Permissions
+
+For each workflow, some permissions must be assigned to specific [Profile](../../integration-guide/toolkit/xml-configuration/access-control/profile) so that said profiles are entitled to realize the workflow's actions.
+
+While assigning the specific permissions of a workflow, it is necessary to assign the involved profiles a few essential rights via the [Workflow Access Control Rules](../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules) scaffolding.
+
+A workflow needs a permission for each of all its activity states involving user interaction. This means that, for example, the activities following the templates `Persist` and `Persist Only Resources` do not require any permission. This also means that, in the example of the `Action` template, a workflow would need permissions for the states `ActionPending`, `Aborted` and `Purged` (because deletion requires an authorization), but not for the state `Executed` that does not involve user interaction or special authorization. See the [Activity Templates](../../integration-guide/workflows/activity-templates) topic for additional information.
+
+All these permissions can be shared and distributed among several profiles, according to the purpose of the workflow.
+
+Identity Manager's permissions are assigned through [Access Control Rule](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) and follow the naming rule: `/Custom/workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}`.
+
+> For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request/ActionPending"`
+> gives the right to act from the state `ActionPending` (so save, execute, etc.), inside a
+> previously created activity `Request`, inside the workflow `Directory_User_StartInternal`.
+
+A permission specifying the activity without the activity state gives the permissions for all activity states in this activity.
+
+For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request"` **Caution**: this way of writing permissions is unsafe in case of a modification in the activity. So use it only for a "super admin" kind of profile if you are certain you want to give all rights.
+
+## Menu Items
+
+[Menu Item](../../integration-guide/toolkit/xml-configuration/user-interface/menuitem) make workflows accessible from the UI.
+
+Identity Manager's UI is configured so that workflows are accesible from:
+
+- the list of users accessible from the **Directory** section on the home page;
+- the view page of a given user. In this case, the workflows manipulate the selected user.
+
+## Aspects
+
+An [Aspects](../../integration-guide/toolkit/xml-configuration/workflows/aspects) definition allows an action to be performed at a specific point in a workflow. Identity Manager provides a few [Aspects](../../integration-guide/toolkit/xml-configuration/workflows/aspects) templates that give the opportunity to delegate administration, to notify people of a request's progress and to compute special values like unique logins or email addresses.
+
+## Summaries (Optional)
+
+A summary can be displayed at the end of a workflow to sum up the collected information. The displayed data is configured through the `SummaryControl` or `RecordSummaryControl` introduced previously. A summary is particularly useful for workflows that compute properties like the `EmployeeId` or the email address. Thus calculated fields can be displayed after the workflow's execution.
+
+## Homonym Detections (Optional)
+
+A homonym search checks if a resource already exists in the system before creating/modifying it, preventing duplicates. It is configured through a [Homonym Entity Link](../../integration-guide/toolkit/xml-configuration/workflows/homonymentitylink).
+
+See the [Configure a Homonym Detection](../../integration-guide/workflows/create-workflow/configure-homonym-test) topic for additional information.
+
+## Display Tables (Optional)
+
+Identity Manager provides a default display table to show the created/modified resource's data, but you can configure your own.
+
+See the [Display Table](../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) topic for additional informatrion.
+
diff --git a/docs/identitymanager/6.3/integration-guide/workflows/workflow-uses.md b/docs/identitymanager/6.3/integration-guide/workflows/workflow-uses.md
new file mode 100644
index 0000000000..c9eec2edbc
--- /dev/null
+++ b/docs/identitymanager/6.3/integration-guide/workflows/workflow-uses.md
@@ -0,0 +1,51 @@ +--- +title: "Workflow Uses" +description: "Workflow Uses" +sidebar_position: 30 +--- + +# Workflow Uses + +An Identity Manager [Workflow](../../integration-guide/toolkit/xml-configuration/workflows/workflow) is the sequence of processes that a company has established to manage identities across the organization. Workflows makes an approval business process more efficient by managing and tracking all of the human tasks involved with the process and by providing a record of the process after it is completed. + +The identity management [Workflow](../../integration-guide/toolkit/xml-configuration/workflows/workflow) can be broken into four key areas: + +## 1. Onboarding + +The initial creation of the user. This can occur manually within the identity management system or it could be triggered from an HR system. Here is the xml configuration to create the user onboarding Workflow in Identity Manager : + +``` + +``` + +The _"User_Onboarding"_ Workflow is composed of the following activities: + +- _"Request"_ to initialize the creation of an user in Identity Manager. +- _"PersistDraft"_ to save a preliminary version of the user object. +- _"Review"_ to validate or not the requested item. +- _"Persist"_ to take into account the requested item. + +## 2. User Modifications + +After the initial setup of access, there are ongoing changes. Those changes can center in on a user's rights. These rights may need to be expanded or contracted. The user's information may need to be modified. Here is an example to create the user change name Workflow in Identity Manager : + +``` + +``` + +## 3. IT Resource Modifications + +The other area of on-going changes is the addition and removal of various IT resources. These resources can include devices, applications, and networks. Here is the xml configuration to create the resource modifications Workflow in Identity Manager : + +``` + +``` + +## 4. Offboarding + +The end of the identity lifecycle is the offboarding of a user. 
Credentials are terminated and the user's account access is terminated everywhere. Here is the xml configuration to create the user offboarding Workflow in Identity Manager: + +``` + +``` + diff --git a/docs/identitymanager/6.3/integration-guide/workflows/workflowhomonym.md b/docs/identitymanager/6.3/integration-guide/workflows/workflowhomonym.md new file mode 100644 index 0000000000..53d6d865b6 --- /dev/null +++ b/docs/identitymanager/6.3/integration-guide/workflows/workflowhomonym.md 
@@ -0,0 +1,148 @@ +--- +title: "Workflow Homonym" +description: "Workflow Homonym" +sidebar_position: 40 +--- + +# Workflow Homonym + +In this section we configure the homonym detection that checks if a resource already exists in the system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A [Homonym Entity Link](../../integration-guide/toolkit/xml-configuration/workflows/homonymentitylink) defines a new homonym detection to be performed in a workflow form. It can be defined in different ways. + +### With a default filter + +``` + +``` + +When no filter is defined for the homonym entity link, the detection for homonyms is performed according to the homonym control form. See section below. + +### With customized filters + +[Homonym Entity Link](../../integration-guide/toolkit/xml-configuration/workflows/homonymentitylink)filters allow to define customized filters for a homonym detection. + +#### Simple filter + +``` + +``` + +Here, since the default operator is `Equal`, the detection for homonyms is performed by comparing the values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control example in the section below._ + +#### Filters on several entities + +A homonym entity link can contain filters on the properties from several distinct entity types. 
+ +> The following example searches for homonyms among usual workers (from `Directory_UserRecord`) but +> also the guests (from `Directory_Guest`): +> +> ``` +> +> Property1="LastName" +> Property2="FirstName" +> /> +> Property1="LastName" ComparisonProperty1="Directory_Guest:LastName" +> Property2="FirstName" ComparisonProperty2="Directory_Guest:FirstName" +> /> +> +> +> ``` + +In this case, a display table is required for the additional entity. + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. When the input detection value is retrieved directly from the property value + +``` +``` + +Here, `Property1` is set, so the detection for homonyms is performed by comparing the `LastName` value, entered by the user in the workflow form, with the phonetic value of existing resources stored as the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to the input value. + +2. When the input detection value is deducted + +``` +``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the detection value is computed +by applying the expression defined for `ComparisonProperty1` from the input values, eg. `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the detection value is computed by applying the +`Expression1` from the input values. This filter allows checking the homonyms on the **reversed** full name (to manage the case where the user reverses the first and last name for example). + +The detection for homonyms is performed by comparing the detection values computed based on each filter with the values stored in the database and retrieves all resources that match any of the filters. 
+ +#### Filter on a language property + +If a filter is set on a language property, the detection for homonyms is performed on the property associated to the main language. + +``` + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` and `Name_fr`. + +If English is the main language, the detection for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A [Display Table](../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) is used to define how a list of the same entity type should be displayed. + +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + +``` + +## Define the Homonym Control in the Workflow Form + +The [Form](../../integration-guide/toolkit/xml-configuration/user-interface/form) where the homonyms are to be checked must contain a layout fieldset control where: + +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. +- the properties to check (defined in the homonym filters) are represented in the control bindings. +- the bindings are all represented in the homonym filters. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. Indeed, a filter can only be defined on up to 5 properties, see filter definition in [Homonym Entity Link](../../integration-guide/toolkit/xml-configuration/workflows/homonymentitylink). + +``` +
+ +``` + +If a filter is declared with a `ComparisonProperty` attribute (and so without a `Property`), then the properties used in the `Expression` (whether defined in the filter or elsewhere in the configuration) to compute the `ComparisonProperty` must also be represented in the control bindings. + +In the example below, the properties used in the `Expression1` attribute that must be represented in the control bindings are `LastName` and `FirstName`. + +``` + +``` + diff --git a/docs/identitymanager/6.3/introduction-guide/architecture.md b/docs/identitymanager/6.3/introduction-guide/architecture.md new file mode 100644 index 0000000000..a8c080c28c --- /dev/null +++ b/docs/identitymanager/6.3/introduction-guide/architecture.md 
@@ -0,0 +1,44 @@
+---
+title: "Architecture"
+description: "Architecture"
+sidebar_position: 20
+---
+
+# Architecture
+
+Identity Manager is built to work via a specific architecture made of a **server**, an **agent** and a **database**.
+
+## Server, Agent, and Database
+
+Identity Manager works via:
+
+- a **server** which operates computation, stores all applicative data in the **database**, and serves a web
+User Interface;
+- at least one **agent** which operates data flows to/from the managed systems.
+
+The managed systems' credentials are used only by the **agent** and are never disclosed to the **server**.
+
+The **agent** can call the **server**, but the **server** **cannot** call the **agent**. The data flows' initiatives are always from the **agent**.
+
+## Installation Types
+
+Identity Manager can be installed:
+
+- **SaaS** so that the **server** dwells in the cloud and is provided as a service;
+
+ ![Architecture: **SaaS**](/images/identitymanager/architecture_saas.webp)
+
+- **on-premises** so that the **server** is installed on an isolated network within the company.
+
+ ![Architecture: **on-premises**](/images/identitymanager/architecture_onprem.webp)
+
+## Next Steps
+
+Let's learn about Identity Manager [Configuration](../introduction-guide/configuration).
+
+## Learn More
+
+Learn more on Identity Manager's Architecture.
+
+See the [Network Configuration](../integration-guide/network-configuration) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/introduction-guide/configuration.md b/docs/identitymanager/6.3/introduction-guide/configuration.md
new file mode 100644
index 0000000000..be8e02dc94
--- /dev/null
+++ b/docs/identitymanager/6.3/introduction-guide/configuration.md
@@ -0,0 +1,53 @@
+---
+title: "Configuration"
+description: "Configuration"
+sidebar_position: 30
+---
+
+# Configuration
+
+There are several options for configuring Identity Manager.
+
+## Application Configuration
+
+### User Interface
+
+Netwrix Identity Manager (formerly Usercube) strongly recommends that Identity Manager be configured, as much as possible, via the UI.
+
+### XML files
+
+For advanced users, if the UI is not enough, Identity Manager can also be configured via XML files. These XML files should be placed in a `Conf` folder directly inside the working directory.
+
+### Database
+
+Identity Manager's application configuration, whether it is made from the UI or the XML files, is stored in a database which should never be modified manually.
+
+## Network Configuration
+
+Identity Manager's server and agent(s) are configured via JSON files, mainly `appsettings.json` and `appsettings.agent.json`.
+
+## Next Steps
+
+This is the end of the introduction guide, so you should now be able to dive into:
+
+- The [User Guide](../user-guide) to configure Identity Manager from scratch via the UI,
+following the step-by-step procedures;
+- The [Integration Guide](../integration-guide) to complete Identity Manager's
+configuration in XML according to your needs;
+- The [Installation Guide](../installation-guide) to install Identity Manager in a
+production environment.
+
+## Learn More
+
+Learn more on how to [Create a Working Directory](../installation-guide/production-ready/working-directory).
+
+See the [User Guide](../user-guide) topic to learn how to configure Identity Manager from scratch via the UI.
+
+See how to [Export the Configuration](../integration-guide/toolkit/export-configuration) to XML files.
+
+See how to [Deploy the Configuration](../integration-guide/toolkit/deploy-configuration).
+
+Learn more about the [XML Configuration Schema](../integration-guide/toolkit/xml-configuration).
+
+Learn more about the [Network Configuration](../integration-guide/network-configuration).
+
diff --git a/docs/identitymanager/6.3/introduction-guide/index.md b/docs/identitymanager/6.3/introduction-guide/index.md
new file mode 100644
index 0000000000..2c17409c72
--- /dev/null
+++ b/docs/identitymanager/6.3/introduction-guide/index.md
@@ -0,0 +1,27 @@
+---
+title: "Introduction Guide"
+description: "Introduction Guide"
+sidebar_position: 10
+---
+
+# Introduction Guide
+
+This guide is designed to give a complete overview of Identity Manager's principles, main objectives and capabilities.
+
+Netwrix Identity Manager (formerly Usercube) strongly recommends starting here to fully benefit from the [Integration Guide](../integration-guide)'s or the [User Guide](../user-guide)'s contents.
+
+## Target Audience
+
+This guide is meant to be read by:
+
+- **Integrators** who configure Identity Manager to match their projects' needs;
+- **IGA project managers** who want to get a better understanding of Identity Manager.
+
+## Prior Knowledge
+
+A basic knowledge of **Identity and Access Management** (IAM) and overview (IGA) is required to understand this guide.
+
+## First Steps
+
+Let's dive in with an [IGA and Netwrix Identity Manager](../introduction-guide/overview) of IGA and Identity Manager.
+
diff --git a/docs/identitymanager/6.3/introduction-guide/overview/entitlement-management.md b/docs/identitymanager/6.3/introduction-guide/overview/entitlement-management.md
new file mode 100644
index 0000000000..5421acbbf1
--- /dev/null
+++ b/docs/identitymanager/6.3/introduction-guide/overview/entitlement-management.md
@@ -0,0 +1,158 @@ +--- +title: "Entitlement Management" +description: "Entitlement Management" +sidebar_position: 20 +--- + +# Entitlement Management + +Managing identities' entitlements requires managing entitlements and assigning them to identities. This page is about the role model. + +## Role Model Overview + +A managed system's entitlements can have many forms. They authorize identities to access certain data on a given system, or a physical location. + +> For example, entitlements in the Active Directory are usually group memberships. For example, to +> have administrator rights in the Iris application, a user must be part of the members of the group +> `SG_APP_IT/Development/Iris/Administrator`. + +Identity Manager is designed to help establish an exhaustive and reliable catalog of the entitlements available in the managed systems, and assign the right entitlements to the right users. + +![Role Catalog and Users](/images/identitymanager/entitlements_rolecatalogusers.webp) + +Thus, the role model contains: + +- the entitlements, as **roles**, for all managed systems; +- the **rules** that trigger the assignment of entitlements to identities, and more broadly manage the +systems' resources. Some of them act as link between Identity Manager's **roles** and the systems' accounts and permissions. Some of them are linked to, and thus apply only to, specific **resource types**. + +![Role Model](/images/identitymanager/entitlements_rolemodel.webp) + +The role model is a subset of a **policy** that also includes [Governance](../../introduction-guide/overview/governance) data such as risk definition. So, at a higher level, distinct policies can be used to implement distinct behaviors. + +## A Role Catalog + +Identity Manager intends to represent IGA-related access right mechanisms by a [role-based](https://en.wikipedia.org/wiki/Role-based_access_control) model. The goal of the role catalog is contain an exhaustive list of entitlements from all managed systems. 
+ +Entitlements from the managed systems are modeled by **roles**. For each entitlement, NETWRIX advises creating a **single role**, with an easily understandable name, more functional than technical, so that everyone knows what the role is for. + +![Single **roles**](/images/identitymanager/singlerolescatalog_schemarole.webp) + +Each individual entitlement should usually be modeled by a **single role**, and single **roles** can be grouped together into composite **roles** to be closer to real job positions. + +![Composite **roles**](/images/identitymanager/entitlements_compositeroles.webp) + +## A Rule Set + +**roles** alone are not enough to give identities the systems' technical entitlements. We need **rules** to have Identity Manager write users' entitlements in the managed systems. **rules** are further used to automatically assign **roles** to users, or to categorize users and accounts, etc. + +### Provisioning **rules** + +Just like identities, accounts are represented in Identity Manager by an [Identity Management](../../introduction-guide/overview/identity-management) entity-relationship model. So Identity Manager manages entitlements as resources' attribute values. + +> For example, giving specific Active Directory permissions to a new user means not only creating a +> new AD account, but also setting values for certain account properties like `cn`, +> `sAMaccountName`, `userAccountControl` or `dn`, etc. + +Provisioning **rules** write the actual entitlements to the managed systems, most often based on users' **roles**. + +> For example, to give an AD entitlement to a user, we usually need to give them a group membership. +> Thus, we should have a rule that, when a user is assigned a specific role, adds the user to the +> member list of a specific AD group. 
+ +![Provisioning **rules**](/images/identitymanager/entitlements_provisioningrules.webp) + +Even when a role is manually assigned, provisioning **rules** will determine which account (and permission groups) are given as entitlements. + +Identity Manager's provisioning **rules** are: + +- scalar **rules** to compute simple string properties; +- navigation **rules** and query **rules** to compute properties that act as foreign keys in a database; +- resource type **rules** to automatically create resources. + +### Assignment **rules** + +While the role catalog and provisioning **rules** are together enough to manually give users their access rights, we often want Identity Manager to do this automatically. Assignment **rules** automatically assign **roles** to identities based on specific criteria. + +> For example, we can choose to assign the role `Benefits Manager - FR` to any user whose job title +> is benefits manager and whose location is in France. + +![Assignment **rules**](/images/identitymanager/entitlements_assignmentrules.webp) + +Once all assignment **rules** are created, Identity Manager is able to spot existing assignments that are not supported by any rule, marking them as non-conforming. + +Identity Manager's assignment **rules** are: + +- **single role** **rules** and composite role **rules** to assign single and composite **roles**; +- resource type **rules** to assign accounts. + +### Categorization **rules** + +Different resources can be managed through different **rules**, by being part of different **resource types**. So a resource type is a group a resources that have the same IGA-related purposes. Categorization **rules** categorize resources into **resource types** and link identities to the accounts they own. + +> For example, we might need to differentiate AD's standard accounts from administration accounts. 
+> This way, we can configure different email addresses for privileged accounts, for example +> [adm.john.smith@contoso.com](mailto:adm.john.smith@contoso.com). We can also add more approval +> steps in the workflows related to privileged accounts, for more security than for standard +> accounts. + +![Categorization **rules**](/images/identitymanager/entitlements_categorizationrules.webp) + +Identity Manager's categorization **rules** are: + +- correlation **rules** to link identities to the accounts they own; +- classification **rules** to categorize resources into **resource types**. + +### More **rules** + +Identity Manager provides more kinds of **rules** for optimization purposes, for example **role naming conventions** to help build the role catalog by generating **roles** and navigation **rules** based on the entitlements' names, or automation **rules** to help with governance by automating the review of the assignments that do not comply with the configured **rules**. + +### **dimensions** + +**rules** can be triggered based on users' assigned **roles**, but also based on user data. + +The [Identity Management](../../introduction-guide/overview/identity-management) model can be refined by configuring **dimensions**: criteria from among resources' [attributes](https://en.wikipedia.org/wiki/Attribute-based_access_control) that will trigger the application of the **rules**. Then Identity Manager applies the rule for any resource whose value for a given attribute matches the reference value specified in the rule. + +> For example, a user can be assigned the role `Benefits Manager - FR` only if their job title is +> benefits manager and their location is in France. In this case, users' attributes "job title" and +> "location" are the **dimensions** that trigger the assignment rule. + +In a nutshell, **dimensions** determine who should be assigned the entitlements. 
+ +Identity Manager's name and logo are based on this dimension concept: entitlement assignment is governed by users' attributes defined as **dimensions**. Let's schematize users around these **dimensions**: + +- The schema for this with one dimension would be a line with all available values for the +dimension, and identities are distributed along the line. +- The schema with two **dimensions** would be a table, a square. +- The schema with three **dimensions** would be a 3D **cube**. And you can imagine 4D or 5D hypercubes, etc. + +![**dimensions** - 1D](/images/identitymanager/entitlements_dimension1.webp) + +#### 1D + +![**dimensions** - 2D](/images/identitymanager/entitlements_dimension2.webp) + +#### 2D + +![**dimensions** - 3D](/images/identitymanager/entitlements_dimension3.webp) + +## Next Steps + +See the [Governance](../../introduction-guide/overview/governance) topic for additional information. + +## Learn More + +Learn more on the [Role Model](../../integration-guide/role-model). + +Learn how to [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation). + +Learn more on how to [Create a Composite Role](../../user-guide/optimize/composite-role-creation). + +Learn more on [Role Assignment](../../integration-guide/role-assignment). + +Learn more on [Create a Provisioning Rule](../../user-guide/set-up/provisioning-rule-creation). + +Learn more on [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment) **rules**. + +Learn more on the **rules** of [Categorize Resource ](../../user-guide/set-up/categorization). + diff --git a/docs/identitymanager/6.3/introduction-guide/overview/governance.md b/docs/identitymanager/6.3/introduction-guide/overview/governance.md new file mode 100644 index 0000000000..c7c5ea6ffc --- /dev/null +++ b/docs/identitymanager/6.3/introduction-guide/overview/governance.md 
@@ -0,0 +1,42 @@
+---
+title: "Governance"
+description: "Governance"
+sidebar_position: 30
+---
+
+# Governance
+
+Identity Manager not only gives the right entitlements to the right identities, but also makes sure that, over time, every assignment still complies with the configured policy.
+
+## Enforcing the Policy
+
+By reading entitlement data from the managed systems, Identity Manager builds an exhaustive list of **existing** assignments for all identities in all managed systems.
+
+Rules and roles define a policy. By definition, assignments not supported by a rule do not comply with the policy. These assignments are identified as **non-conforming** in order to be acted upon by knowledgeable users who can decide whether the assignment is warranted, such as security officers.
+
+![**non-conforming** Assignments](/images/identitymanager/governance_nonconforming.webp)
+
+A **non-conforming** assignment must be reviewed in Identity Manager by a knowledgeable user, and is therefore:
+
+- either removed if Identity Manager correctly spotted it and the owner should indeed not possess
+this permission;
+- or kept as an **exception** if the configured rules do not apply to this particular case.
+
+## Other Governance Tools
+
+Identity Manager provides a set of governance tools to help enforce the policy, like access certification campaigns, risk management or reporting.
+
+## Next Steps
+
+Let's read some [Use Case Stories](../../introduction-guide/overview/use-cases).
+
+## Learn More
+
+Learn more on [Governance](../../integration-guide/governance).
+
+Learn more on how to [Generate Reports](../../user-guide/administrate/reporting).
+
+Learn more on [Perform Access Certification](../../user-guide/administrate/access-certification).
+
+Learn more on how to [Manage Risks](../../user-guide/optimize/risk-management).
+
diff --git a/docs/identitymanager/6.3/introduction-guide/overview/identity-management.md b/docs/identitymanager/6.3/introduction-guide/overview/identity-management.md
new file mode 100644
index 0000000000..02759762cf
--- /dev/null
+++ b/docs/identitymanager/6.3/introduction-guide/overview/identity-management.md
@@ -0,0 +1,107 @@ +--- +title: "Identity Management" +description: "Identity Management" +sidebar_position: 10 +--- + +# Identity Management + +Managing identities' entitlements requires starting by managing identities themselves. + +## A **central repository** + +A company involves many sorts of identities: obviously employees, but also external workers like contractors who are usually not tracked in the company's systems except for billing purposes, bots, softwares, etc. All identity types that need to be assigned entitlements to work within the company must be represented. + +Companies often use about one system for each identity type. Identity Manager capitalizes on information from several source systems in order to build a **central repository** meant to contain all the data necessary to **manage all identities throughout their whole lifecycle**. + +![Usercube's Repository](/images/identitymanager/identities_repository.webp) + +Identity Manager's **central repository** acts as an intermediary between the systems that provide data, for example the HR system, and those that receive data, for example the Active Directory. This greatly reduces the complexity in the links between all systems. + +Without an intermediary, adding one system to a set of n systems requires up to n sets of **rules**, one for each reading/writing relationship that this system has with the others. The complexity is quadratic. + +Now with the **central repository** as an intermediary, implementing a new system requires only one more set of **rules**. The complexity becomes linear. + +![quadratic-linear-complexity](/images/identitymanager/quadratic-linear-complexity.webp) + +## An Entity Relationship Model + +Identities, along with any IGA-related data, are modeled in Identity Manager by an [entity-relationship model](https://en.wikipedia.org/wiki/Entity%E2%80%93relationship_model?featherlight=true). + +All this data is organized and modeled by **entities**. 
This concept is quite similar to a database: an entity is a set of properties, some are scalar so "simple" properties, and others are navigation properties which make links between **entities**, quite like foreign keys in a database. + +> For example, consider an entity `Directory_User` with properties like `Name`, `Email`, `JobTitle`, +> `Department`. +> +> Another entity could be `Directory_Department`, linked to `Directory_User` through a navigation +> property. +> +> Another entity could be `SAB_User` to model SAB accounts owned by users from `Directory_User`. The +> accounts from `SAB_User` could be related to groups from another entity `SAB_Group`. + +![Entity Type - Schema](/images/identitymanager/entitytypecreation_schema.webp) + +These **entities**' instances are called **resources** in Identity Manager. A resource can be the digital identity of a user (human or bot), or an AD account or any other account, or an entry from the HR system, or the representation of a department of the company, etc. + +> Consider once more the `Directory_User` entity with properties like `Name`, `Email`, `JobTitle`, +> `Department`. Then a resource could be the digital identity of an employee whose name is John +> Smith, with the email address [john.smith@contoso.com](mailto:john.smith@contoso.com) and working +> as an assistant manager in the accounting department. + +While Identity Manager provides a predefined model that should fit most organizations, it can still be adjusted to your exact needs. Thus, Identity Manager provides a customizable model to organize a company's data according to its IGA-related needs, which is also most reliable because it is kept up-to-date. + +## **connectors** + +Each entity is related to a managed system, for example the Active Directory or SAB or ServiceNow, etc. The reading/writing data between the system and Identity Manager are ensured by **connectors**. So Identity Manager can be configured with one connector for each managed system. 
+ +![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp) + +For a given system, a connector contains: + +- the technology which enables data flows between the system and Identity Manager; +- the related **entities** which model the system's **resources**; +- the categories which group the system's **resources** together according to the **rules** that we want to +apply to manage entitlement assignment for this system. + +Thus, a connector enables **synchronization**, i.e. Identity Manager reading from a managed system via an [extract, transform, load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. + +![**synchronization**](/images/identitymanager/overview_synchronization.webp) + +> A typical example is the **synchronization** of the HR system's data to retrieve employees' personal > information. + +It also enables **provisioning**, i.e. Identity Manager writing to a managed system, but that is something we will dig into later. + +![**provisioning**](/images/identitymanager/overview_provisioning.webp) + +## Repository Updates + +Once Identity Manager is configured, with not only **connectors** but also roles and **rules**, etc. (which constitute a different topic), changes can be made to the repository through: + +- **synchronization**, when changes were made in the managed systems and then synchronized, so copied, +to Identity Manager; +- **manual input**, mostly used for a few **resources**/properties that rarely change such as contractors' +identities; +- **workflows** which contain approval steps to complete before the changes are actually applied; +- the policy's **rules** that trigger changes to the repository directly, and those that trigger changes +to managed systems and impact the repository indirectly after the next **synchronization**. + +See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information. 
+
+## Next Steps
+
+Let's learn about [Entitlement Management](../../introduction-guide/overview/entitlement-management).
+
+## Learn More
+
+Learn more on Identity Management.
+
+See how to [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading).
+
+Learn more on [**connectors**](../../integration-guide/connectors).
+
+See how to create a [Connect to a Managed System](../../user-guide/set-up/connect-system).
+
+Learn more on [**synchronization**](../../integration-guide/synchronization).
+
+Learn more on [**workflows**](../../integration-guide/workflows).
+
diff --git a/docs/identitymanager/6.3/introduction-guide/overview/index.md b/docs/identitymanager/6.3/introduction-guide/overview/index.md
new file mode 100644
index 0000000000..0eedd0163e
--- /dev/null
+++ b/docs/identitymanager/6.3/introduction-guide/overview/index.md
@@ -0,0 +1,67 @@
+---
+title: "IGA and Netwrix Identity Manager"
+description: "IGA and Netwrix Identity Manager"
+sidebar_position: 10
+---
+
+# IGA and Netwrix Identity Manager
+
+Identity Manager is a powerful tool for Identity Governance and Administration (IGA) automation.
+
+## Identity Governance and Administration (IGA)
+
+Identity Governance and Administration (IGA) is a combination of Identity Access Management (IAM) and Identity Access Governance (IAG).
+
+- IAM is about allowing the right identities to have the right permissions at the right time for the right reasons.
+- IAG is about providing visibility regarding identities, user access, and for monitoring compliance.
+
+[See Gartner's documentation on IGA](https://www.gartner.com/en/documents/3885381).
+
+## Why Identity Manager
+
+We could explain Identity Manager's purpose like this:
+
+Typically, Identity Manager manages entitlements automatically according to a user's needs, for example Active Directory group memberships.
+
+**First, we need to manage identities.**
+
+To do so, Identity Manager capitalizes on information from several source systems in order to build a central repository. This repository should contain all the organizational data relevant for access management for all users, meaning not only employees but also contractors, bots, or any kind of identity.
+
+![Synchronization](/images/identitymanager/overview_synchronization.webp)
+
+**This implies involving external systems.**
+
+Access management requires reading/writing data to/from varied systems and applications, like the Active Directory. Identity Manager provides an expanded set of connectors which contain the technology required for IGA-related data flows.
+
+![Connectors](/images/identitymanager/overview_connectors.webp)
+
+See more details on [Identity Management](../../introduction-guide/overview/identity-management) and connection between systems.
+
+**Then, we need to manage entitlements, in other words access rights, or permissions.**
+
+Identity Manager helps you build a role catalog that lists all entitlements from all managed systems. The technical entitlements can then associated with new, functional names that more clearly represent a business-oriented view point.
+
+In addition, Identity Manager helps you determine identities' expected entitlements by building a role model. This model contains different kinds of rules that will suggest entitlement assignments, or even assign them directly, based on the imported organizational data.
+
+As each working environment has its own particularities, you will be able to refine the identity model by defining dimensions, i.e. criteria from among organizational data that will trigger the rules.
+
+![Calculation](/images/identitymanager/overview_calculation.webp)
+
+**Finally, we need to actually give identities their entitlements and then govern them.**
+
+Identity Manager can be configured to provision the managed systems in order to apply the changes dictated by the role model. This provisioning can be done either directly, with automatic provisioning, or by notifying system administrators of the needed changes. Thus, identities finally get their entitlements.
+
+![Provisioning](/images/identitymanager/overview_provisioning.webp)
+
+Furthermore, Identity Manager provides a few workflows for entitlement request or user data modification, which often include approval from a third party, hence identities get their entitlements securely.
+
+See the [Entitlement Management](../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+Thanks to the role model and data flows between Identity Manager and the managed systems, Identity Manager ensures the compliance of existing permission assignments with the policy, pointing out non-conforming assignments.
+
+See the [Governance](../../introduction-guide/overview/governance) topic for additional information.
+
+## Examples
+
+Let's read some [Use Case Stories](../../introduction-guide/overview/use-cases).
+
diff --git a/docs/identitymanager/6.3/introduction-guide/overview/use-cases.md b/docs/identitymanager/6.3/introduction-guide/overview/use-cases.md
new file mode 100644
index 0000000000..1f045a200a
--- /dev/null
+++ b/docs/identitymanager/6.3/introduction-guide/overview/use-cases.md
@@ -0,0 +1,49 @@
+---
+title: "Use Case Stories"
+description: "Use Case Stories"
+sidebar_position: 40
+---
+
+# Use Case Stories
+
+Here is a basic use case story to explain how Identity Manager manages IGA.
+
+## Use Case
+
+Mr. James was just hired to join the Contoso company as a mechanical engineer. He will need access to some of the company's most sensitive data, such as confidential blueprints, mechanical design software licenses, and source files.
+
+### Identity management
+
+The **central repository** already exists, containing all workers, all departments, etc.
+
+Mr. James' manager uses one of Identity Manager's **workflows** to add Mr. James as a new employee, filling in his first name, last name, job title ("Mechanical Engineer"), his contract type ("permanent") and his start date.
+
+The rest of Mr. James' personal information, such as his birth date, etc., can be filled later by someone from the HR department.
+
+### Entitlement management
+
+As Mr. James is not the first mechanical engineer in Contoso, Identity Manager already contains a **composite role** named "R&D Mechanical Engineer". This role is meant to give its owners access to the company's sensitive data useful for mechanical engineers. Assigning this role will trigger the assignment of several **single roles**, each one giving one access right.
+
+Technically speaking, each access right is granted via a membership to a specific Active Directory group. Thus Identity Manager also contains a **navigation rule** that gives this group membership to any user owning this single role.
+
+In our example, each access right corresponds to an AD group membership, but it could be any entitlement in any external system.
+
+For Mr. James to get the access rights that he needs, there are several options:
+
+- either Mr. James' manager manually assigns the "R&D Mechanical Engineer" role to him via a
+**workflow** before his arrival, for example setting the start date to two weeks after Mr. James' first day as he will be in training before then;
+- or there may be an **assignment rule** that automatically assigns the role to any user with the job
+title "Mechanical Engineer", so Mr. James will get the role on his first day.
+
+As the needed access rights involve the AD, Mr. James also needs to own an AD account which will be linked to its identity in Identity Manager via **correlation rules**.
+
+Once the requests for the role and the account are approved, Identity Manager can **connect** to the Active Directory and create Mr. James' account and add it to the proper groups, via **provisioning rules**.
+
+### Governance
+
+Once the role model is well underway, Identity Manager can compare **existing** access rights to **expected** access rights. Thus, Identity Manager makes sure that Mr. James always has all the entitlements he needs in order to work, but not more to prevent security breaches.
+
+## Next Steps
+
+Let's learn about Identity Manager [Architecture](../../introduction-guide/architecture).
+
diff --git a/docs/identitymanager/6.3/migration-guide/index.md b/docs/identitymanager/6.3/migration-guide/index.md
new file mode 100644
index 0000000000..2a1a31a8da
--- /dev/null
+++ b/docs/identitymanager/6.3/migration-guide/index.md
@@ -0,0 +1,49 @@
+---
+title: "Migration Guide"
+description: "Migration Guide"
+sidebar_position: 50
+---
+
+# Migration Guide
+
+This guide is designed to provide step-by-step procedures in order to migrate Identity Manager from your current version to the latest one.
+
+:::note
+ For the latest SaaS versions, if you are using the administrator scaffolding the necessary permissions for the update are added to the administrator scaffolding and they will be taken into account the next time the configuration is deployed.
+:::
+## General Upgrade Instructions for the Server with Integrated Agent
+
+**Step 1 -** Download the `usercube-server-runtime` from the expected version from [Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html).
+
+**Step 2 -** Stop the existing server.
+
+**Step 3 -** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`.
+
+**Step 4 -** Extract the content of the new `Runtime`to the same folder as `RuntimeOld`, inside a new `Runtime` folder.
+
+**Step 5 -** Copy the original `appsettings.json` and `appsettings-agent.json` files from `RuntimeOld` to the new `Runtime`.
+
+**Step 6 -** Restart the server.
+
+## General Upgrade Instructions for the Agent
+
+**Step 1 -** Download the `usercube-agent-runtime` from the expected version from [Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html).
+
+**Step 2 -** Stop the existing agent.
+
+**Step 3 -** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`.
+
+**Step 4 -** Extract the content of the new `Runtime`to the same folder as `RuntimeOld`, inside a new `Runtime` folder.
+
+**Step 5 -** Copy the original `web.config, appsettings.json` and `appsettings-agent.json` files from `RuntimeOld` to the new `Runtime`.
+
+**Step 6 -** Restart the agent.
+
+## Specific Information to Migrate from v6.1 to vsaas
+
+If you are looking to upgrade the Netwrix Identity Manager version from 6.1 to saas you will not need to take any action because the database will automatically be upgraded. If you have problems importing your configuration into saas related to C# expressions, please run the Identity Usercube-Check-ExpressionsConsistency tool. See the [Usercube-Check-ExpressionsConsistency](../integration-guide/executables/references/check-expressionsconsistency) topic for additional information.
+
+## Specific Information to Migrate from v6.0 to v6.1
+
+If you are looking to upgrade the Netwrix Identity Manager version from 6.0 to 6.1 you will not need to take any action because the database will automatically be upgraded.
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-execution.md b/docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-execution.md
new file mode 100644
index 0000000000..b962eb99fc
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-execution.md
@@ -0,0 +1,99 @@ +--- +title: "Execute a Certification Campaign" +description: "Execute a Certification Campaign" +sidebar_position: 20 +--- + +# Execute a Certification Campaign + +How to execute access certification campaigns, i.e. review specific entitlement assignments and deprovision inappropriate access. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for specific identities, in order to certify them and express an audit opinion that justifies their necessity. + +Once certification campaigns are scheduled, the assigned reviewers must decide for all relevant assignments if they ought to be deleted or not. + +## Participants and Artifacts + +The execution part should be performed in cooperation with the staff ***who review access in the campaign scheduling***. + +The monitoring part should be performed in cooperation with the staff in charge of campaign scheduling. + + | Input | Output | + | --- | --- | + | [Schedule a Certification Campaign](../../../user-guide/administrate/access-certification/certification-campaign-scheduling) (required) | Certified access | + +## Execute Certification + +Execute certification by proceeding as follows: + +1. Access the ongoing campaigns by clicking on the **Access Certification** section on the home page. + +![Home - Access Certification](/images/identitymanager/home_accesscertification_v523.webp) + +On this page, all assignments to be reviewed are listed. + +![Access Certification](/images/identitymanager/certifcampaign_accesscertification_v602.webp) + +Each assignment can be commented by clicking on the corresponding icon. + +![Comment Icon](/images/identitymanager/certifcampaign_iconcomment_v522.svg) + +2. Choose one of the three possibilities to verify all assignments one by one: + +:::note + In order to help reviewers in the decision-making process, each assignment shows a recommendation icon, indicating whether said assignment complies with the role model. 
+ +See the icons below this note. + +The **Recommended** icon indicates that the entitlement has been automatically granted according to the security policy. You can approve it because it is compliant. The Not **Recommended** icon indicates that the entitlement does not comply with the security policy. It is **Recommended** to refuse it, unless the user really needs it. + +An absence of any icon indicates that the entitlement does not comply with the security policy. However, it has been manually granted or denied. Thus there is no recommendation, please review this entitlement **carefully**. +::: +![Recommendation Icon](/images/identitymanager/certifcampaign_iconrecommendation_v522.svg) + +![Discouragement Icon](/images/identitymanager/certifcampaign_icondiscouragement_v522.svg) + +- Either click on the approval icon to confirm that this entitlement **is necessary** for this identity. + +![Approval Icon](/images/identitymanager/certifcampaign_iconapproval_v522.svg) + +- Or click on the decline icon to confirm that this entitlement **is not necessary** for this identity. + +![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg) + +- Or click on the three dots icon to highlight that this entitlement **is not part of your scope of responsibility **and forward it to the adequate person. + +![Forward Icon](/images/identitymanager/certifcampaign_iconforward_v522.svg) + +3. Click on **Confirm Decisions** on the left of the page. + +If you've made an erroneous decision, exiting the page **before** confirming offers the possibility to quit without saving and start over from the last confirm. + +## Monitor a Certification Campaign + +Existing certification campaigns are listed on the page accessible via the **Access Certification Campaigns** button on the home page in the **Administration** section. 
+ +![Home - Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp) + +![Campaigns Page](/images/identitymanager/certifcampaign_campaigns_v602.webp) + +### Get reports + +A **Download** button is available for each campaign. It downloads a CSV report that lists all the entitlement assignments to be reviewed, the corresponding reviewers and their decisions. + +![Report Example](/images/identitymanager/certifcampaign_decisions_v522.webp) + +### Send notifications + +The notification icon on the line of a given campaign offers the possibility to send reminder notifications to the staff who has not finished processing the campaign. + +### Generate provisioning orders + +Once entitlement assignments have been reviewed, the final step is to apply these decisions. + +An **Apply Decisions** button is available for each campaign. It shows all the decisions made in the campaign. The campaign administrator can then decide to actually apply said decisions and generate the appropriate provisioning orders for **deprovisioning** unjustified entitlements. Said orders will be considered during the next provisioning job. + +![Apply Decisions](/images/identitymanager/certifcampaign_applydecisions_v602.webp) + diff --git a/docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-scheduling.md b/docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-scheduling.md new file mode 100644 index 0000000000..b8827ad35c --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/administrate/access-certification/certification-campaign-scheduling.md 
@@ -0,0 +1,97 @@ +--- +title: "Schedule a Certification Campaign" +description: "Schedule a Certification Campaign" +sidebar_position: 10 +--- + +# Schedule a Certification Campaign + +How to create and schedule access certification campaigns, defining their scope. + +## Overview + +The aim of an access certification campaign is to review specific access and entitlements for specific identities, in order to certify them and express an audit opinion that justifies their necessity. + +Here, you will learn how to create and schedule a certification campaign, defining its scope via the filters specifying the reviewers and items to be reviewed. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing, because they know what entitlements need to be reviewed. + + | Input | Output | + | --- | --- | + | Identity Repository (required) [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation)
(optional) [Manage Risks](../../../user-guide/optimize/risk-management) | Scheduled certification campaign(s) | + +See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information. + +## Create a Certification Campaign + +Create an access certification campaign by proceeding as follows: + +1. Click on **Access Certification Campaigns** in the **Administration** section on the home page. + + ![Home - Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp) + +2. Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) + + ![New Certification Campaign](/images/identitymanager/certifcampaign_newcertificationcampaign_v602.webp) + + - `Identifier`: Must be unique among certification campaigns and must not contain whitespace. + - `Name`: Will be displayed in the UI to identify the campaign. + - `Start Date`: Date when the campaign begins and becomes visible on the reviewers' **Access +Certification** screen. The campaign will review access existing at this date; changes after this date are not included. + - `End Date`: Date when the campaign ends. + - `Target Entity Type`: Entity type targeted by the campaign. + - `Target Reviewers`: Set of identities responsible for the access review. Available reviewers +are configured via the [Access Certification](../../../integration-guide/governance/accesscertification) policies. + - `Target Specificities`: +[AccessCertificationDataFilter](../../../integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter) defines the campaign scope (e.g., by object type, category, approval state). The campaign uses the union of all specificities. 
+ + ![Target Specificities](/images/identitymanager/certifcampaign_targetspecificities_v602.webp) + +The campaign will target permissions that meet the **intersection (AND)** of all criteria. + +When listing role tags, roles with **any matching tag (OR)** will be included. + + - `Target Owners`: Filters based on identity attributes for those whose access is being +reviewed. All filters are combined using **intersection (AND)** logic. + + ![Target Owner Filters](/images/identitymanager/certifcampaign_targetowners_v602.webp) + +Additional filters may be available depending on the target entity type. + + ![Target Owner Additional Filters](/images/identitymanager/certifcampaign_targetownersadditional_v603.webp) + + - `Individual Owner`: A single identity whose access is to be certified. + - `Active Target`: Identities with a specific property (from `Directory_UserRecord`) +modified since a given date. + + > Only properties not calculated by Identity Manager can be used to filter the target + > owners of the certification campaign. + + > The following campaign targets all assigned single roles for two specific users: +> + > ![Campaign Example](/images/identitymanager/certifcampaign_example_v602.webp) + +3. Click **Create** to add the campaign to the list. + + ![Campaigns Page](/images/identitymanager/certifcampaign_newlycreated_v603.webp) + +4. Apply changes by clicking **Launch** to run the access certification job. + +The job's logs are available via the **Job Results** button. + + > Example: +> + > ![Execute Access Reviews Job](/images/identitymanager/certifcampaign_job_v522.webp) + +## Impact of Modifications + +You may modify any field of a certification campaign before its start date. After it starts, only the name, identifier, and end date can be changed. Campaigns can be deleted at any time. + +## Verify Campaign Scheduling + +To verify the process, check the **Access Certification Campaigns** page to confirm the campaign"​™s parameters are correct. + 
diff --git a/docs/identitymanager/6.3/user-guide/administrate/access-certification/index.md b/docs/identitymanager/6.3/user-guide/administrate/access-certification/index.md
new file mode 100644
index 0000000000..8ed8c5e6fd
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/access-certification/index.md
@@ -0,0 +1,40 @@
+---
+title: "Perform Access Certification"
+description: "Perform Access Certification"
+sidebar_position: 50
+---
+
+# Perform Access Certification
+
+How to certify existing access by reviewing a specific range of assigned permissions for auditing purposes.
+
+## Overview
+
+The aim of an access certification campaign is to review specific entitlement assignments for specific identities, in order to certify them and express an audit opinion that justifies their necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be deleted or not.
+
+There are several ways to arrange an access certification campaign. Among others, through filters you can choose to focus on:
+
+- a certain category of roles;
+- a certain type of assignment;
+- assignments not certified since a certain date;
+- assignments presenting a certain level of risk.
+
+Certification campaigns can be [Access Certification](../../../integration-guide/governance/accesscertification) but the UI described in this guide can be enough on its own. See the [Access Certification](../../../integration-guide/governance/accesscertification) topic for additional information.
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with the staff in charge of auditing because they know which entitlements need to be reviewed.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation)(optional) [Manage Risks](../../../user-guide/optimize/risk-management)(optional) | Certified access |
+
+See the[Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading)topic for additional information.
+
+## Perform Access Certification
+
+Perform access certification by proceeding as follows:
+
+1. [Schedule a Certification Campaign](../../../user-guide/administrate/access-certification/certification-campaign-scheduling).
+2. [Execute a Certification Campaign](../../../user-guide/administrate/access-certification/certification-campaign-execution).
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/assigned-roles.md b/docs/identitymanager/6.3/user-guide/administrate/assigned-roles.md
new file mode 100644
index 0000000000..5af3ff83ae
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/assigned-roles.md
@@ -0,0 +1,176 @@ +--- +title: "Review and Modify Assigned Roles" +description: "Review and Modify Assigned Roles" +sidebar_position: 70 +--- + +# Review and Modify Assigned Roles + +How to review and modify user permissions grouped by categories. + +## Overview + +The **Assigned Roles** page displays all user permissions organized by category. Users with appropriate permissions can view, assign, edit, and remove role assignments from this page. + +**Access Control:** All role assignments displayed and operations available are governed by [Access Control Rules](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) (ACR). Users can only view and manage roles and identities within their configured area of responsibility. Proper ACR configuration is required for delegated administration scenarios. + +## Participants and Artifacts + +This operation should be performed by a user with the appropriate permissions. See the [Configure a User Profile](../../user-guide/set-up/user-profile-configuration) topic for additional information. + +Users require the `/Custom/ProvisioningPolicy/AssignedRoles/{EntityType}` permission to access the Assigned Roles page. + +The following example provides the rights for the Administrator profile to access the Assigned Roles page on the **Entity Type** `Directory_User`. See the [Create a Provisioning Rule](../../user-guide/set-up/provisioning-rule-creation) and [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +```xml + +``` + +## Default Filters + +When you open the Assigned Roles page, several filters are available, based on your configuration, to help you narrow down and focus on specific role assignments. 
+ +For information about configuring custom search bars, see [Custom Search Bar](../../integration-guide/ui/how-tos/custom-search-bar/#default-search-bar). + +The default filters include: + +* **Policy** — Filter by the governing policy associated with a role +* **Role** — Filter by a specific role to see all users who hold that assignment +* **Assignments ending before** — Filter by end date using a date picker to find expiring assignments +* **Workflow State** — Filter by the current state within a workflow (e.g., Approved, Calculated, Pre-existing) +* **Category Filtering:** Use the category selector in the left sidebar to view assignments organized by role category (e.g., Career Management, Payroll). + +Multiple filters can be combined simultaneously. Use filters to isolate specific assignments before multi-select operations. + +## Review Assigned Roles + +Review the Assigned Roles by proceeding as follows: + +![assignedroles](/images/identitymanager/assignedroles.webp) + +**Step 1 –** On the home page, in the Administration section of the UI click on Assigned Roles. + +![assignedrolesscreen](/images/identitymanager/assignedrolesscreen.webp) + +**Step 2 –** View the list of users with different assigned roles and filter them by **Entity Type**, **Workflow State**, **Policy**, **Role** or by using a custom filter. + +:::note Role Display +Roles display their category hierarchy based on the selected category (e.g., Haunes > Administrator). The page shows both manual and automatic role assignments, including parameterized roles, with assignment metadata (workflow state, dates). +::: + +## Edit Assignments + +To edit dates and comments for multiple assignments simultaneously: + +1. Use filters to display the assignments you want to modify. +2. Click the **Edit** button in the action bar. +3. Select the assignments by clicking their checkboxes. +4. 
In the "Update assigned roles" panel: + - Review the selected owners and roles + - Edit start/end dates + - Add comments if needed + - Update parameters if the selected roles are parameterized +5. Review and confirm your changes. + +Changes take effect immediately and apply to all selected assignments. + +:::tip +When editing multiple assignments, ensure they share compatible characteristics (same role, similar dates) to avoid conflicts. +::: + +:::tip +Use multi-select editing when you need to extend expiration dates for a group of temporary assignments, or to add comments to multiple related permissions at once. +::: + + +**Note:** Some assignments may display a lock icon instead of a checkbox, indicating they cannot be selected due to permissions or workflow constraints. + +## Remove Assignments + +To remove multiple role assignments at once: + +1. Apply filters to display the assignments you want to remove (e.g., filter by a specific role or department). +2. Click the **Remove** button in the bottom action bar. +3. Select the assignments using checkboxes. The selection count updates as you select more rows. +4. A success notification will confirm the removal, and the assignment list will refresh automatically. If any removals fail, an error notification will provide details. + +:::caution Important Considerations +- **Cannot be undone**: Removal operations cannot be reversed from this screen. If you remove assignments in error, they must be re-requested through the assignment workflow. +- **Permission impact**: Ensure that removing a role does not unintentionally revoke permissions users require for their day-to-day responsibilities. +- **Locked assignments**: Assignments with lock icons cannot be selected or removed due to workflow constraints. +::: + +:::tip Best Practice +Before removing multiple assignments, use specific filters to narrow the list to only the assignments you intend to remove. 
Double-check the selection count and review the confirmation message carefully before proceeding. +::: + +## Assign Roles + +Use the Assign Roles workflow to assign one or more roles to one or more users simultaneously. + +### Starting the Assignment Workflow + +1. Click the **+ Assign roles** button at the top left of the page. +2. The "Assign roles" panel opens on the right side, showing **Step 1: Select owner and role**. + +### Step 1: Select Owners and Roles + +**Selecting Users (Owners):** + +1. In the **Owner** search field, begin typing a user's information. +2. Click a user to select them. The selected user appears as a chip (removable tag) above the search field. +3. **To select multiple users**: Continue typing and selecting additional users. Each selected user is added as a chip. + +:::info +When selecting users, the AutocompleteBinding of the DisplayEntityType is taken into consideration. The configuration should be modified to correspond to the correct binding. + +One should note that an evolution will be made in a future release to add several autocomplete bindings. + +**Owner Filtering:** The list of available owners is filtered by the criteria applied on the main Assigned Roles page. Click **Remove filters** if you need to access users outside the current filter scope. +::: + +**Selecting Roles:** + +1. Below the owner section, browse the **Roles** list organized by category hierarchy. +2. Use the **Role** search field to filter roles by name if needed. +3. Click the radio button circle next to a role to select it. +4. **To select multiple roles**: Click additional role radio buttons. Selected roles are indicated with blue filled circles. +5. The selection counter at the bottom shows how many roles are selected (e.g., "2 rows selected"). + +Roles are displayed with their hierarchy path (e.g., "Career Management > Larissa > Administrator") and are filtered based on the category of the main Assigned Roles page. 
+ +### Step 2: Configure Assignment Details + +1. Click **Next** to proceed to the next step of the workflow. +2. Specify assignment dates: + - **Start Date**: Adjust when the role assignment becomes effective + - **End Date**: Optionally set an expiration date for the assignment +3. Add any comments to document the business justification for the assignment. +4. Specify role parameters, if at least one of the roles is parameterized. + +### Step 3: Confirm and Complete + +1. Review all assignment details carefully. +2. Click **Confirm** to create the role assignments. +3. The system creates the assignments and displays a success notification. +4. The newly assigned roles appear in the Assigned Roles list once the operation completes. + +:::warning Risk Behavior +If assigning a role would introduce a blocking risk violation (e.g., segregation of duties conflict), that specific role assignment will not be created. No notification is provided for blocked assignments. + +Similarly, if assigning a role would introduce a warning, it will be added without a warning being raised. + +A future release will include a summary indicating which role assignments were blocked due to risk violations and which assignments present a warning. +::: + +## Download Report + +The Assigned Roles page includes a **download button** in the upper-right corner. Click this button to export the current view as an Excel (**.xlsx**) file. + +To download the report: + +1. Apply filters to narrow the list of assigned roles. +2. Click the **download button** in the upper-right corner. +3. The file downloads automatically as an **.xlsx** file containing all role assignments visible in the current filtered view. diff --git a/docs/identitymanager/6.3/user-guide/administrate/index.md b/docs/identitymanager/6.3/user-guide/administrate/index.md new file mode 100644 index 0000000000..55ebbfb6b9 --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/administrate/index.md 
@@ -0,0 +1,70 @@
+---
+title: "Administrate"
+description: "Administrate"
+sidebar_position: 30
+---
+
+# Administrate
+
+In the Admin section you can do the following:
+
+- [Generate Reports](../../user-guide/administrate/reporting)
+
+How to use Identity Manager's reporting modules to produce IGA reports for auditing and governance purposes.
+
+- [Review Orphaned and Unused Accounts](../../user-guide/administrate/orphan-unused-account-review)
+
+How to remediate license and security issues caused by orphaned and/or unused accounts.
+
+- [Provision](../../user-guide/administrate/provisioning)
+
+How to write to a managed system.
+
+- [Review Provisioning](../../user-guide/administrate/provisioning/provisioning-review)
+
+How to review provisioning orders before generation.
+
+- [Provision Manually](../../user-guide/administrate/provisioning/manual-provisioning)
+
+How to use Identity Managerto manually write to the managed systems.
+
+- [Provision Automatically](../../user-guide/administrate/provisioning/automatic-provisioning)
+
+How to use Identity Manager to automatically write to the managed systems.
+
+- [Review Non-conforming Assignments](../../user-guide/administrate/non-conforming-assignment-review)
+
+How to review non-conforming assignments, i.e. approve or decline the suggestions made by Identity Manager after every synchronization. The aim is to handle the differences between the values from the managed systems and those computed by Identity Manager's role model.
+
+- [Reconcile a Role](../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation)
+
+How to review non-conforming permissions, i.e. approve or decline the role suggestions made by Identity Manager after every synchronization. The aim is to handle the differences between the navigation values from the managed systems and those computed by Identity Manager according to the role catalog.
+
+- [Reconcile a Property](../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation)
+
+How to review unreconciled properties. The aim is to handle the differences between the property values from the managed systems and those computed by Identity Manager according to provisioning rules.
+
+- [Review an Unauthorized Account](../../user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review)
+
+How to remediate unauthorized accounts. The aim is to review the accounts whose assignments don't comply with the rules of the role model.
+
+- [Perform Access Certification](../../user-guide/administrate/access-certification)
+
+How to certify existing access by reviewing a specific range of assigned permissions for auditing purposes.
+
+- [Schedule a Certification Campaign](../../user-guide/administrate/access-certification/certification-campaign-scheduling)
+
+How to create and schedule access certification campaigns, defining their scope.
+
+- [Execute a Certification Campaign](../../user-guide/administrate/access-certification/certification-campaign-execution)
+
+How to execute access certification campaigns, i.e. review specific entitlement assignments and deprovision inappropriate access.
+
+- [Request Entitlement Assignment](../../user-guide/administrate/manual-assignment-request)
+
+How to send a manual request to add, update or remove an entitlement for an identity.
+
+- [Review and Modify Assigned Roles](../../user-guide/administrate/assigned-roles)
+
+How to review and modify user permissions grouped by roles, including multi-select operations.
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/manual-assignment-request.md b/docs/identitymanager/6.3/user-guide/administrate/manual-assignment-request.md
new file mode 100644
index 0000000000..739bd4a666
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/manual-assignment-request.md
@@ -0,0 +1,83 @@
+---
+title: "Request Entitlement Assignment"
+description: "Request Entitlement Assignment"
+sidebar_position: 60
+---
+
+# Request Entitlement Assignment
+
+How to send a manual request to add, update or remove an entitlement for an identity.
+
+## Overview
+
+Changes in an identity's entitlements can be handled using Identity **manager**'s predefined workflows to:
+
+- View the list of the identity's entitlements with Identity **manager**'s suggestions according to the
+identity's position;
+- Modify the identity's entitlements (add, update, remove).
+
+## Participants and Artifacts
+
+An assignment can be requested for a **user** sometimes by said **user** themselves, most often by their **manager**, and on some occasions by the involved **application owner**.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) Role Catalog (required) | Updated entitlements |
+
+See the [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) and [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) topics for additional information.
+
+## View Identity's Entitlements
+
+View the identity's entitlements by proceeding as follows:
+
+1. Access the **user** directory from the home page.
+
+ ![Home Page - Directory **user**](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Click on the **user** to be checked.
+
+ ![Workflow - **user**](/images/identitymanager/datamodif_user_v602.webp)
+
+3. Click on **View Permissions** to access the entitlement list.
+
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+## Modify Identity's Entitlements
+
+Act on an existing identity by proceeding as follows:
+
+1. Access the **user** directory from the home page.
+
+ ![Home Page - Directory **user**](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Click on the **user** to be modified.
+
+ ![Workflow - **user**](/images/identitymanager/datamodif_user_v602.webp)
+
+3. Click on **Actions** > **Modify Permissions** to launch the workflow for a manual entitlement
+request.
+
+ ![Workflow - Modify Permissions](/images/identitymanager/datamodif_changeuser_v602.webp)
+
+4. Follow the workflow's instructions to select entitlements and the action to be performed. You
+can:
+
+ - select entitlements to add;
+ - modify the potential options of the entitlements you are adding;
+ - delete entitlements which were assigned or declined manually;
+ - deny entitlements which were assigned automatically;
+ - allow denied entitlements by assigning them back manually.
+
+If the request is about assigning an entitlement via a role which requires at least one approval, then sending the request triggers the display of said request on the **Role Review** screen.
+
+```` Home Page - Role Review
+```In this case, the requested entitlement will be displayed in the **user**'s \*\*View Permissions\*\* tab only after the request is reviewed. ````
+
+## Verify Entitlement Request
+
+In order to verify the process, check that the change you made in the **user**'s entitlements is displayed in their **View Permissions** tab in the directory.
+
+![Home Page - Directory **user**](/images/identitymanager/home_directoryuser_v523.webp)
+
+![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/index.md b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/index.md
new file mode 100644
index 0000000000..9412b922a7
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/index.md
@@ -0,0 +1,54 @@
+---
+title: "Review Non-conforming Assignments"
+description: "Review Non-conforming Assignments"
+sidebar_position: 40
+---
+
+# Review Non-conforming Assignments
+
+How to review non-conforming assignments, i.e. approve or decline the suggestions made by Identity Manager after every synchronization. The aim is to handle the differences between the values from the managed systems and those computed by Identity Manager's role model.
+
+## Overview
+
+Integrators must review three main types of non-conforming entitlement assignments:
+
+- **Non-conforming roles**: Identity Manager finds roles assigned to users in the managed systems that
+no rule in the role model can justify.
+- **Unreconciled properties**: Identity Manager's role model computes property values that are different
+from the values in the managed systems.
+- **Unauthorized accounts**: no rule from the role model can justify their actual assignment to an
+identity.
+
+**Unreconciled properties**, **Unauthorized accounts** and **Non-conforming roles** are part of [Non-Conforming Assignments](../../../integration-guide/role-assignment/nonconformingdetection). The global aim of the review is to handle the gaps between the [Existing Assignments](../../../integration-guide/role-assignment/existingassignmentsdeduction) (real values) and the [Conforming Assignments](../../../integration-guide/role-assignment/conformingassignmentcomputation) (theoretical values computed by Identity Manager from the role model rules).
+
+A high number of non-conforming assignments can come from an issue in configuration rules.
+
+**Non-conforming roles** and **Unauthorized accounts** can be mass reviewed through [Automate the Review of Non-conforming Assignments](../../../user-guide/optimize/non-conforming-assignment-review-automation). See the [Automate the Review of Non-conforming Assignments](../../../user-guide/optimize/non-conforming-assignment-review-automation) topic for additional information.
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with application owners who are in charge of applications' entitlements (technical side), and/or managers who know their team's entitlements (functional side).
+
+ | Input | Output |
+ | --- | --- |
+ | [Provision](../../../user-guide/administrate/provisioning) (required) | Complying assignments |
+
+### **pre-existing** assignments vs. non-conforming assignments
+
+The assignments specified as non-conforming during the very first execution of the role model are called **pre-existing** assignments. **pre-existing** assignments are tagged differently from other non-conforming assignments by the [Save **pre-existing** Access Rights Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask) because they can indicate that:
+
+- The rules are not optimal yet.
+- Data in the managed system needs more cleanup.
+
+Obviously, **pre-existing** assignments can also prove to be exceptions to the rules, like non-conforming assignments, and need to be validated as such.
+
+## Review Non-conforming Assignments
+
+While there can be dependencies between the review of **Non-conforming roles** and **Unreconciled properties**, there are no absolute requirements regarding the sequential order of the non-conforming assignment review:
+
+- Review [Reconcile a Role](../../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation).
+- Review [Reconcile a Property](../../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation).
+- [Review an Unauthorized Account](../../../user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review).
+
+[Manage Risks](../../../user-guide/optimize/risk-management) can be defined to highlight the most sensitive accounts/permissions, in order to establish a priority order in the review of non-conforming assignments.
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md
new file mode 100644
index 0000000000..5290f1cd82
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md
@@ -0,0 +1,154 @@ +--- +title: "Reconcile a Property" +description: "Reconcile a Property" +sidebar_position: 20 +--- + +# Reconcile a Property + +How to review unreconciled properties. The aim is to handle the differences between the property values from the managed systems **and** those computed by Identity Manager according to [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation). + +## Overview + +Unreconciled properties are considered as non-conforming assignments because Identity Manager's role model has computed property values that are different from the values in the managed systems. + +### Property reconciliation with role reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups for various applications, **and** a role is assigned through a group > membership. An entitlement can be assigned to an identity by adding said identity's DN to the `member` property of the appropriate group. Identity Manager translates it by editing the identity's `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies the role, then new items appear on the **Role Reconciliation****and** the **Resource Reconciliation** screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD **and** add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, **and** the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles **and** navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically +reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically +reviewed too, its workflow state transitioned to `Manual` (if approved) or `Cancellation` (if declined, then a deprovisioning order is sent). + +> So let's say we add `Cedric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` **and** +> `SG_APP_SAP_211`. Then, after the next synchronization, Identity Manager displays one item for +> each role on the **Role Reconciliation** screen, **and** one item for all changes in the AD account on +> the **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/images/identitymanager/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/images/identitymanager/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/images/identitymanager/reviewrole_exampleresourceprop_v602.webp) + +## Participants **and** Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' entitlements. + + | Input | Output | + | --- | --- | + | [Provision](../../../user-guide/administrate/provisioning) (required) | Complying properties | + +## Review an Unreconciled Property + +Review an unreconciled property by proceeding as follows: + +1. Ensure that the task for the computation of the role model was launched recently, through the +complete job on the **Job Execution** page + + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) + +Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +2. 
Get to the **Resource Reconciliation** page, accessible from the corresponding section on the +home page. + + ![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) + +3. Select `Unreconciled properties` as a `Workflow State`. + + ![Unreconciled Property](/images/identitymanager/reviewprop_unreconciled_v522.webp) + +4. Choose the default resource view or the property view with the top right toggle. See the +Reconcile a Property topic for additional information. +5. Select a property to review. + + > In the following example, the user `Nicolas Faure` is the owner of a given resource, here a + > nominative SAB account associated with his email address. In the **Resource Properties to be + > Verified** frame, there is one unreconciled property that happens to be `Group`. +> + > ![Unreconciled Property Example](/images/identitymanager/reviewprop_example_v602.webp) + + - `Name`: unreconciled property name. + - `Proposed Value`: value proposed by Identity Manager. + - `Current Value`: value currently in the managed system. + - `Provisioning State`: provisioning state. + - `Start Date`: date for the beginning of the property value existence. + - `End Date`: date for the end of the property value existence. + +The **Other Resource Properties** frame shows the complying properties associated with the resource. + +6. Choose one of the three possibilities to verify the property: + +Decisions must be made with caution as they cannot be undone. + + - Either click on the approval icon to update the property with the proposed value. It discards +the whole property history. + + ![Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/images/identitymanager/reviewrole_icondelete_v602.svg) + +Automatic changes are essential for frequently-changing attributes. 
However, saving history information can sometimes be important for some attributes such as logins **and** emails. + + - Or click on the decline icon to not update the property **and** keep the resource value. In the +future, this property will no longer be changed automatically. + + ![Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) + +Retaining manual control of changes for sensitive data (i.e. `SAMAccountName`) can be of interest. Identity Manager won't be able to change this data **and** the service account manager will avoid authentication errors. It can be interesting to keep manual some sensitive data changes like `SAMAccountName` for example, so that Identity Manager does not change it **and** the service account manager does not risk problems in authentication. + + - Or click on the postponement icon to delay the decision. An unreconciled property is ignored +by Identity Manager, **and** therefore cannot be modified. + + ![Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) + +7. Click on **Confirm Property Values**. +8. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > +**Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource **and** then access the list of all unreconciled properties for said resource. + +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be enabled by clicking on the `Property View` toggle at the top right corner. 
+ +Once enabled, select a resource type to display all unreconciled properties linked to said resource type. In addition, select a property to display only the unreconciled properties linked to said resource type **and** property. + +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. + +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) + +## Verify Property Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding user's page in the directory. + diff --git a/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md new file mode 100644 index 0000000000..d13a3bde05 --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md 
@@ -0,0 +1,114 @@ +--- +title: "Reconcile a Role" +description: "Reconcile a Role" +sidebar_position: 10 +--- + +# Reconcile a Role + +How to review non-conforming permissions, i.e. approve or decline the role suggestions made by Identity Manager after every synchronization. The aim is to handle the differences between the navigation values from the managed systems **and** those computed by Identity Manager according to the role catalog. + +## Overview + +Non-conforming roles are considered as non-conforming assignments because no rule from Identity Manager's model can justify their actual assignment to an identity. + +### Role reconciliation with property reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups dedicated to various applications, **and** a role is assigned through +> group membership. An entitlement can be assigned to an identity by adding said identity's DN to +> the `member` property of the appropriate group. Identity Manager translates it by editing the +> identity's `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies the role, then new items appear on the **Role Reconciliation****and** the **Resource Reconciliation** screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD **and** add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, **and** the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles **and** navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically +reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically +reviewed too, its [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) workflow state transitioned to `Manual` (if approved) or `Cancellation` (if declined, then a deprovisioning order is sent). + +> So let's say we add `Cedric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` **and** +> `SG_APP_SAP_211`. Then, after the next synchronization, Identity Manager displays one item for +> each role on the **Role Reconciliation** screen, **and** one item for all changes in the AD account on +> the **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/images/identitymanager/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/images/identitymanager/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/images/identitymanager/reviewrole_exampleresourceprop_v602.webp) + +## Participants **and** Artifacts + +This operation should be performed in cooperation with managers who know their team's expected entitlements. + + | Input | Output | + | --- | --- | + | [Provision](../../../user-guide/administrate/provisioning) (required) | Complying roles | + +## Review a Non-conforming Permission + +Review a non-conforming permission by proceeding as follows: + +1. 
Ensure that the +[Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) was launched recently, through the complete job on the **Job Execution** page + + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) + +Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +2. On the home page, click on the entity type that you want to manage in the **Role Reconciliation** +section, to get to the non-conforming permissions page. + + ![Home Page - Role Reconciliation](/images/identitymanager/home_rolereconciliation_v523.webp) + + ![Role Reconciliation Page](/images/identitymanager/reviewrole_rolereconciliation_v603.webp) + +Each non-conforming permission can be commented by clicking on the corresponding icon. + + ![Comment Icon](/images/identitymanager/certifcampaign_iconcomment_v522.svg) + +3. Choose one of the two possibilities to verify the permission: + +Contrary to resources, reviewed roles are then displayed on the **Role Review** page accessible from the home page, **and** can be reviewed again. + + - Either click on the approval icon to keep the non-conforming permission. + + ![Approval Icon](/images/identitymanager/orphan_iconapprove_v602.svg) + + - Or click on the decline icon to delete the non-conforming permission. + + ![Decline Icon](/images/identitymanager/orphan_icondecline_v522.svg) + +4. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > +**Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. See the [Provision](../../../user-guide/administrate/provisioning) topic for additional information. 
+ + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +### Use bulk provisioning + +Several roles can be reconciled simultaneously by clicking on **Bulk Reconcile Roles**. + +![Bulk Reconcile Roles](/images/identitymanager/reviewrole_rolereconciliationbulk_v603.webp) + +## Verify Role Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding user's **View Permissions** tab. + +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) + diff --git a/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md new file mode 100644 index 0000000000..34631b2842 --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md 
@@ -0,0 +1,92 @@ +--- +title: "Review an Unauthorized Account" +description: "Review an Unauthorized Account" +sidebar_position: 30 +--- + +# Review an Unauthorized Account + +How to remediate unauthorized accounts. The aim is to review the accounts whose assignments don't comply with the rules of the role model. + +## Overview + +Unauthorized accounts are considered as non-conforming assignments because no rule from Identity Manager's model can justify their actual assignment to an identity. + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' entitlements. + + | Input | Output | + | --- | --- | + | [Provision](../../../user-guide/administrate/provisioning) (required) | Complying accounts | + +## Review an Unauthorized Account + +Review an unauthorized account by proceeding as follows: + +1. Ensure that the [Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) was launched recently, through the complete job on the **Job Execution** page: + + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) + +Or through the connector's overview page **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the +home page. + + ![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) + +3. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts appear with no owner. + + ![Resource Reconciliation Page](/images/identitymanager/unauth_unauthorizedaccounts_v602.webp) + +4. Choose the default resource view or the property view with the top right toggle. +5. Click on the line of an account with an owner. 
+ +In the following example, the nominative LDAP account linked to the resource `U40897 / Internal Users / acme / com` has the owner `Maxime Guillot` with an 80% confidence rate. + + ![Select Decision](/images/identitymanager/unauth_reviewunauthorized_v602.webp) + +The displayed confidence rate means that a rule actually assigned the account to the identity, but with a confidence rate too low to imply full automatic assignment. Approval will be required. See the [Classify Resources](../../../user-guide/set-up/categorization/classification) topic for additional information. + +The **Resource Properties** frame shows all the properties of the resources. They can be updated by clicking on the edit button. See the [Reconcile a Property](../../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation) topic for additional information. + + ![Edit Button](/images/identitymanager/unauth_updateprop_v522.webp) + +6. Select the appropriate decision. + +Decisions must be made with caution as they cannot be undone. + +7. Click on **Confirm Account Deletion** or **Authorize Account** according to the previous decision. +8. Trigger the [Provision](../../../user-guide/administrate/provisioning) by launching, on the appropriate connector's overview page **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, +**Jobs** > **Fulfill**. + + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource. + +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. 
This is why a property view can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource type. In addition, select a property to display only the unreconciled properties linked to said resource type and property. + +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. + +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) + +Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **Approve Current Values**, does not approve their unreconciled properties which will still be displayed on this screen. + +## Verify Review + +In order to verify the process, check that the changes you ordered appear on the corresponding user's **View Permissions** tab. + +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) + diff --git a/docs/identitymanager/6.3/user-guide/administrate/orphan-unused-account-review.md b/docs/identitymanager/6.3/user-guide/administrate/orphan-unused-account-review.md new file mode 100644 index 0000000000..38ef452d1b --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/administrate/orphan-unused-account-review.md 
@@ -0,0 +1,165 @@ +--- +title: "Review Orphaned and Unused Accounts" +description: "Review Orphaned and Unused Accounts" +sidebar_position: 20 +--- + +# Review Orphaned and Unused Accounts + +How to remediate license and security issues caused by orphaned and/or **unused** accounts. + +## Overview + +The review of **unused** and orphaned accounts is essential to solve security and license management issues. **Orphan** accounts are without an owner, while **unused** accounts remain open without any activity. + +### Orphaned accounts list + +A list of all orphaned accounts can be found on some entity type pages. Said pages can be accessed through the menu items on the left of the home page, in the **Connectors** section. + +![Home - Entity Types](/images/identitymanager/home_entitytypes_v602.webp) + +These entity type pages can be configured via XML to customize all displayed columns and available filters, especially the ****Orphan**** filter that spots uncorrelated resources, and the **Owner / Resource Type** column that shows the owner of each resource. See the[Create Menu Items](../../integration-guide/ui/create-menu-items) topic for additional information on customization. + +![Owner / Resource Type Column](/images/identitymanager/orphan_entitytype_v523.webp) + +In the ****Orphan**** field, select **Yes** to see all existing resources without an owner. + +In addition, filters can be configured in the reporting module to list orphaned accounts. See the [Generate Reports](../../user-guide/administrate/reporting) topic for additional information. Choose to display **User** and **AD User** (nominative) with a filter on void user's display names. + +:::note + Some accounts are considered orphaned because of an error in the account data or assignment rule. For an entity that is never the target of a resource type, the concept of an **Orphan** does not apply because the **Owner / Resource Type** column will be hidden. 
When using a display table to display these entities, use DisplayTableDesignElement``(/integration-guide/toolkit/xml-configuration/user-interface/displaytable#properties) `"table"`` or `"adaptable"`. +::: +### **unused** accounts list + +The way to identify activity in a managed system is highly dependent on said system. Thus, activity identification cannot be generalized, and the absence of activity in accounts isn't recognizable with the configuration as is. Integrators must configure a specific property fulfilling this purpose. + +For example in the AD, we can compute a Boolean property **isUnused** based on other AD accounts' properties. Below is an example that you can use and adjust to your specific configuration: + +Here we write an expression for isUnused based on the bits of userAccountControl, the value of **accountExpires** and the value of LastLogonTimeStamp: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +``` + +Once this "**unused**" property is created, a list of all **unused** accounts can be displayed thanks to the filters in the query module, based on said property. See the [Generate Reports](../../user-guide/administrate/reporting) topic for additional information. + +The previous example about the AD's **isUnused** property can be complemented in the query module by displaying this property alongside users' **EmployeeId**. + +![Query of Unused Accounts](/images/identitymanager/orphan_unusedquery_v602.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate as indicated in the table below. 
+ + | Input | Output | + | --- | --- | + | [Categorize Resources](../../user-guide/set-up/categorization) (required) | Removed orphaned and **unused** accounts | + +## Review an Orphaned Account + +Review an orphaned account by proceeding as follows: + +![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) + +**Step 1 –** Go to the **Resource Reconciliation** page, accessible from the corresponding section on the home page. + +![Resource Reconciliation Page](/images/identitymanager/unauth_unauthorizedaccounts_v602.webp) + +**Step 2 –** Select **Unauthorized account** as the **Workflow State**. Orphaned accounts are those appearing with no owner. + +**Step 3 –** Choose the default resource view or the property view with the top right toggle. + +**Step 4 –** Click on the line of an account without an owner. + +![Select Owner](/images/identitymanager/orphan_revieworphans_v602.webp) + +In the following example, the nominative AD account linked to the email address nathan.smith@acme.com has no owner. + +You can **Select owner** from the list by clicking on the check box. + +![Owners List](/images/identitymanager/orphan_revieworphans-owners_v602.webp) + +**Step 5 –** Answer the following questions in order to understand the situation. + +- Has the account been used recently? +- Why is it **Orphan**? +- Who is it supposed to belong to? +- If it is a service account, is it useful? Has it been used recently? + + - A used account must be connected to its rightful owner + - An **unused** account must be deleted + +- If this account belongs to a person, is the user still in the organization or did they leave? + + - If the owner has left for more than XXX (time period defined by the security officer's rules), +the account must be deleted + - If the owner has left for less than XXX, the account must be connected to its owner and +deactivated. + - If the owner is still in the organization, the account must be connected to its owner. 
Is +there a rule to change? + +:::note + We said that useful service accounts must be connected to their owners due to the fact that an orphaned account cannot be certified. See the [Perform Access Certification](../../user-guide/administrate/access-certification) topic for additional information. But a service account must not be linked to a person, for the departure of said person from the company may trigger the loss of the service account. This is why we create identities with **Application** as their **UserType**, each application-identity linked to a person supposed to manage it. Thus,**service accounts must be connected to application identities, themselves owned by people**. That way, if the owner of the application leaves, the application-identity is not deleted, and the service accounts it owns are not deprovisioned. +::: +See the schema below this note. + +![Schema - Service Accounts](/images/identitymanager/orphan_serviceaccounts.webp) + +**Step 6 –** Select the appropriate owner or no owner at all, according to the previous analysis. + +:::tip + Remember, decisions must be made with caution as they cannot be undone. +::: +:::note + When binding an orphaned account to an existing owner, properties might need to be reconciled. +::: +**Step 7 –** Click on **Confirm Account Deletion** or **Authorize Account** according to the previous decision. + +By taking the necessary steps the **Orphan** account will be delete or authorized. + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource. + +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. 
This is why a property view can be enabled by clicking on the **Property View** toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource type. In addition, select a property to display only the unreconciled properties linked to said resource type and property. + +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. + +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. + +## Verify Review + +In order to verify the process, check that the line for your reviewed item has been removed from the **Resource Reconciliation** screen. + +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) + +In addition, if you reconciled an orphaned account with an owner, check the user's permissions to see said account. + diff --git a/docs/identitymanager/6.3/user-guide/administrate/provisioning/automatic-provisioning.md b/docs/identitymanager/6.3/user-guide/administrate/provisioning/automatic-provisioning.md new file mode 100644 index 0000000000..c4e219b441 --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/administrate/provisioning/automatic-provisioning.md 
@@ -0,0 +1,53 @@
+---
+title: "Provision Automatically"
+description: "Provision Automatically"
+sidebar_position: 30
+---
+
+# Provision Automatically
+
+How to make Identity Manager automatically write to the managed systems.
+
+## Overview
+
+In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), automated provisioning is used to minimize human intervention and trust Identity Manager with role model enforcement in external systems.
+
+### Provisioning states
+
+In an assignment request's lifecycle, provisioning automation implies skipping the `Transmitted` state as Identity Manager no longer waits for a user to make changes anymore. For this reason, an assignment request goes through the following provisioning states:
+
+![Provisioning State Schema](/images/identitymanager/provauto_states_v523.webp)
+
+## Participants and Artifacts
+
+At this point, integrators should have all the elements they need to operate.
+
+ | Input | Output |
+ | --- | --- |
+ | [Review Provisioning](../../../user-guide/administrate/provisioning/provisioning-review) (required) Automated provisioning to [Create a Connection](../../../user-guide/set-up/connect-system/connection-creation) (required) | Updated managed systems |
+
+## Implement Automated Provisioning
+
+automated provisioning is performed through a connection using a [References: Packages](../../../integration-guide/connectors/references-packages) for fulfilling external systems.
+
+## Perform Automated Provisioning
+
+There is no procedure to perform automated provisioning, for it is automatic and thus handled by Identity Manager in daily jobs.
+
+Make sure that the task used to compute and generate provisioning orders was launched after the request (or the provisioning review, if any), through the complete job in the **Job Execution** page.
+
+![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
+
+## Verify Automated Provisioning
+
+In order to verify the process:
+
+1. Select a test user in the directory, accessible from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Follow the manual assignment workflow through
+[Request Entitlement Assignment](../../../user-guide/administrate/manual-assignment-request) to make a change in one of their permissions, which involves automated provisioning.
+3. Perform automated provisioning and check in Identity Manager that the change was effectively
+made.
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/provisioning/index.md b/docs/identitymanager/6.3/user-guide/administrate/provisioning/index.md
new file mode 100644
index 0000000000..97f46d97fe
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/provisioning/index.md
@@ -0,0 +1,84 @@
+---
+title: "Provision"
+description: "Provision"
+sidebar_position: 30
+---
+
+# Provision
+
+How to write to an externally managed system.
+
+**A word about terminology** : Let's clarify the concept of writing to a managed system.
+
+There are two notions involved:
+
+- Fulfillment : writing to a managed system, manually or automatically
+- Provisioning : writing automatically as provisioning is automated fulfillment
+
+But in everyday conversation, in the interface and in this documentation, we use the term provisioning instead of fulfillment.
+
+## Overview
+
+When modeling your connectors, you had to decide what data you wanted Identity Manager to manage within the external systems. You configured your connectors, and among other things you chose the appropriate connections and packages, to manage identities and their entitlements by writing directly to the managed systems. This is done through said connectors' provisioning capabilities. See the [Model the Data](../../../user-guide/set-up/connect-system/connector-modeling) and [Create a Connection](../../../user-guide/set-up/connect-system/connection-creation) topics for additional information.
+
+When changes are performed on identity data, entitlements or the role model inside Identity Manager, provisioning orders are generated in order to actually write said changes to the external systems. These changes can be written automatically or manually. Manual provisioning is used to involve humans and make them act on the external systems, instead of Identity Manager. Automatic provisioning is used to minimize human intervention and trust Identity Manager with role model enforcement in external systems. See the [Provision Manually](../../../user-guide/administrate/provisioning/manual-provisioning) and [Provision Automatically](../../../user-guide/administrate/provisioning/automatic-provisioning) topics for additional information.
+
+### Provisioning states
+
+Identity Manager handles provisioning by assigning a provisioning state to assignment requests.
+
+Here is the list of provisioning states and their description:
+
+ | Provisioning state | Description |
+ | --- | --- |
+ | 0:None | Used for Identity Manager's internal computation. |
+ | 1:Pending | The order is ready for provisioning but not sent to the agent. |
+ | 2:Transmitted | The agent has collected this order but no feedback has been received yet. |
+ | 3:Errored | The agent returned errors. |
+ | 4:Verified | The order is provisioned in the synchronized data. |
+ | 5:Awaiting Approval | The order is blocked until a review is performed. |
+ | 6:Inactive | The order is blocked as it is considered as useless (order in the past). |
+ | 7:Error | The role model threw an exception while evaluating the order. |
+ | 8:Executed | The agent returned OK. |
+
+These states are detailed with their transitions on the individual pages specific to provisioning review, manual provisioning and automated provisioning. See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) and [Review Provisioning](../../../user-guide/administrate/provisioning/provisioning-review) topics for additional information.
+
+### Provisioning review
+
+For security purposes, provisioning orders sometimes need to be reviewed before being propagated to the managed system. Then, a user with the right entitlements accesses the **Provisioning Review** page. Users can either approve provisioning orders that will then be unblocked and finally propagated, or they can decline orders that will subsequently be ignored. See the [Configure a User Profile](../../../user-guide/set-up/user-profile-configuration) topic for additional information.
+
+The review prior to the provisioning of entitlement assignments is usually performed based on the resource type of given identities. For example, the assignment of sensitive entitlements will require a review before being provisioned, whereas basic rights can be assigned at once. Therefore, resources must be carefully classified beforehand. See the [Classify Resources](../../../user-guide/set-up/categorization/classification) topic for additional information.
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with the staff in charge of managed systems.
+
+ | Input | Output |
+ | --- | --- |
+ | [Connector's data model](../../../user-guide/set-up/connect-system/connector-modeling) (required) [Classified resources](../../../user-guide/set-up/categorization/classification) (required) [Provisioning Rules](../../../user-guide/set-up/provisioning-rule-creation) (required) [Role catalog](../../../user-guide/set-up/single-roles-catalog-creation) (required) | Provisioned system |
+
+## Perform Provisioning
+
+In order to perform the provisioning you have to:
+
+- Choose whether to adjust your resource types to implement provisioning review
+- Choose whether to adjust your connections to implement manual and/or automated provisioning
+
+## Verify Provisioning
+
+In order to verify the process:
+
+![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+**Step 1 :** Select a test user in the directory, accessible from the home page.
+
+**Step 2 :** Follow the manual assignment workflow to make a change in one of their entitlements, which involves the type of provisioning that you want to test.
+
+![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+**Step 3 :** Check the provisioning state of the requested entitlement at every step, in the user's **View Permissions** tab.
+
+![Provisioning State Schema](/images/identitymanager/prov_stateschema_v523.webp)
+
+Whether your provisioning workflows trigger provisioning review, or whether they trigger manual or automated provisioning, below is the global state schema.
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/provisioning/manual-provisioning.md b/docs/identitymanager/6.3/user-guide/administrate/provisioning/manual-provisioning.md
new file mode 100644
index 0000000000..4fe42de365
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/provisioning/manual-provisioning.md
@@ -0,0 +1,81 @@
+---
+title: "Provision Manually"
+description: "Provision Manually"
+sidebar_position: 20
+---
+
+# Provision Manually
+
+How to use Identity Manager to manually write to the managed systems.
+
+## Overview
+
+In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), manual provisioning is used to make humans intervene and act on the external systems, instead of Identity Manager.
+
+### Provisioning states
+
+In its lifecycle, an assignment request goes through the following provisioning states:
+
+![Provisioning State Schema](/images/identitymanager/provmanual_states_v523.webp)
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with the staff in charge of managed systems as write permissions are required.
+
+ | Input | Output |
+ | --- | --- |
+ | [Review Provisioning](../../../user-guide/administrate/provisioning/provisioning-review) (required) Manual provisioning through [Create a Connection](../../../user-guide/set-up/connect-system/connection-creation) (required) | Updated managed systems |
+
+## Implement Manual Provisioning
+
+Manual provisioning is performed through a connection using the [Manual Ticket](../../../integration-guide/connectors/references-packages/manual-ticket). Besides, for a resource to be manually provisioned, the corresponding resource type must be configured with the manual connection set to `Provisioning Connection` in the **Fulfill Settings**.
+
+## Perform Manual Provisioning
+
+Perform manual provisioning by proceeding as follows:
+
+1. Ensure that the task to compute or generate provisioning orders was launched after the request
+(or the provisioning review, if any), through the complete job in the **Job Execution** page.
+
+ ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
+
+ ![Manual Provisioning Screen](/images/identitymanager/provmanual_page_v603.webp)
+
+2. Access the manual provisioning orders page by clicking on the entity type that you want to manage
+in the **Manual Provisioning** section.
+
+ ![Home Page - Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp)
+
+3. Choose a line to handle the corresponding provisioning order.
+4. Creation, edition and deletion orders follow the same process: read Identity Manager's
+suggestions and create, edit or delete the appropriate resource directly in the managed system (outside Identity Manager).
+
+ ![Creation Provisioning Order](/images/identitymanager/provmanual_createresource_v522.webp)
+
+ ![Creation Provisioning Order](/images/identitymanager/provmanual_editresource_v522.webp)
+
+5. Choose to confirm or report an error.
+
+### Use bulk provisioning
+
+Several orders can be provisioned simultaneously by clicking on **Bulk Provision**.
+
+![Bulk Provisioning](/images/identitymanager/provmanual_bulk_v603.webp)
+
+## Verify Manual Provisioning
+
+In order to verify the process:
+
+1. Select a test user in the directory, accessible from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Follow the workflow through
+[Request Entitlement Assignment](../../../user-guide/administrate/manual-assignment-request) to make a change in one of their permissions, which involves manual provisioning.
+3. Perform manual provisioning and check the provisioning state of the requested entitlement at
+every step, in the user's **View Permissions** tab.
+
+![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+4. Check in your managed system that the change was effectively made.
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/provisioning/provisioning-review.md b/docs/identitymanager/6.3/user-guide/administrate/provisioning/provisioning-review.md
new file mode 100644
index 0000000000..9e72c48e6c
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/provisioning/provisioning-review.md 
@@ -0,0 +1,213 @@
+---
+title: "Review Provisioning"
+description: "Review Provisioning"
+sidebar_position: 10
+---
+
+# Review Provisioning
+
+How to review provisioning orders before generation.
+
+## Overview
+
+For security purposes, provisioning orders sometimes need to be reviewed before being computed and actually generated. Then, a user with the right permissions accesses the **Provisioning Review** page. They can either approve provisioning orders that will then be computed, generated and finally ready for actual provisioning, or they can decline orders that will subsequently be ignored. See the [Configure a User Profile](../../../user-guide/set-up/user-profile-configuration) topic for additional information.
+
+### Provisioning states
+
+In an assignment request's lifecycle, provisioning review adds a few steps between the moment when the request is issued and when provisioning orders are computed:
+
+![Provisioning State Schema](/images/identitymanager/provreview_states_v523.webp)
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with the staff in charge of managed systems.
+
+ | Input | Output |
+ | --- | --- |
+ | [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation) (required) [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) (required) | Provisioning orders |
+
+## Implement Provisioning Review
+
+Provisioning review is configured for a given resource type. Therefore, you can decide to force the review of provisioning orders when you [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation). You can choose to:
+
+- Set the number of required approvals via the `Approval Workflow` option.
+- Enable a technical approval by the application owner, via the `Block provisioning orders` option.
+
+Provisioning review can also be triggered when a fulfillment error occurs. See the [Identity Management](../../../introduction-guide/overview/identity-management) topic for additional information.
+
+## Review Provisioning Orders
+
+Review provisioning orders by proceeding as follows:
+
+1. On the home page, click on the entity type that you want to manage in the **Provisioning Review**
+section.
+
+ ![Home Page - Provisioning Review](/images/identitymanager/home_provisioningreview_v523.webp)
+
+ ![Provisioning Review](/images/identitymanager/provmanual_provreview_v602.webp)
+
+2. Click on a line to access details and handle addition, association, update or deletion orders.
+
+Once reviewed, provisioning orders are to be executed by Identity Manager during the next **Fulfill** task, accessible from the corresponding connector's overview page, in the **Resource Types** frame.
+
+Automatic provisioning orders are directly executed, while manual provisioning orders are listed on the **Manual Provisioning** page.
+
+ ![Fulfill Task](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+### Handle an addition order
+
+Identity Manager shows all the properties of the new resource to be created:
+
+![Addition Order Review](/images/identitymanager/provmanual_reviewaddition_v602.webp)
+
+- `Proposed Value`: value proposed by Identity Manager.
+- [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements)
+- `Start Date`: date for the beginning of the property value existence.
+- `End Date`: date for the end of the property value existence.
+- `Workflow State`: describes the origin or approval state of an assignment.
+- `Confidence Rate`: rate expressing the confidence in the corresponding query rule.
+
+See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) and [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation) topics for additional information.
+
+Handle an addition order by proceeding as follows:
+
+1. For all resource properties to be verified, choose one of the possibilities:
+
+ - Either click on the approval icon to order the property creation with the proposed value.
+
+ ![Addition - Approval Icon](/images/identitymanager/provmanual_iconapprove_v602.svg)
+
+ - Or click on the decline icon to refuse the property creation.
+
+ ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg)
+
+ - Or click on the postponement icon to delay the decision.
+
+ ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg)
+
+2. Choose to confirm or ignore the creation.
+
+### Handle an association order
+
+Identity Manager displays a given owner and a given resource to be associated with a given [Classify Resources](../../../user-guide/set-up/categorization/classification)and all resource properties to be verified:
+
+![Association Order Review](/images/identitymanager/provmanual_reviewassociation_v602.webp)
+
+- `Confidence rate of proposed resource`: rate expressing the confidence in this [Correlate Resources](../../../user-guide/set-up/categorization/correlation).
+- `Proposed Value`: value proposed by Identity Manager.
+- `Current Value`: value currently in the managed system.
+- `Provisioning State`
+- `Start Date`: date for the beginning of the property value existence.
+- `End Date`: date for the end of the property value existence.
+- `Workflow State`: describes the origin or approval state of an assignment.
+- `Confidence Rate`: rate expressing the confidence in the corresponding query rule.
+
+See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) and [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation) topics for additional information.
+
+Handle an association order by proceeding as follows:
+
+1. For all resource properties to be verified, choose one of the possibilities:
+
+ - Either click on the approval icon to validate the proposed property value.
+
+ ![Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg)
+
+ ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg)
+
+ ![Deletion Icon](/images/identitymanager/reviewrole_icondelete_v602.svg)
+
+ - Or click on the decline icon to refuse the property association.
+
+ ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg)
+
+ - Or click on the postponement icon to delay the decision.
+
+ ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg)
+
+2. Choose to confirm or deny the association.
+
+### Handle an update order
+
+Identity Manager shows a given resource and all resource properties to be verified:
+
+![Edition Order Review](/images/identitymanager/provmanual_reviewedition_v602.webp)
+
+- `Proposed Value`: value proposed by Identity Manager.
+- `Current Value`: value currently in the managed system.
+- `Provisioning State`
+- `Start Date`: date for the beginning of the property value existence.
+- `End Date`: date for the end of the property value existence.
+- `Workflow State`: describes the origin or approval state of an assignment.
+- `Confidence Rate`: rate expressing the confidence in the corresponding query rule.
+
+See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) and [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation) topics for additional information.
+
+Handle an update order by proceeding as follows:
+
+1. For all resource properties to be verified, choose one of the possibilities:
+
+ - Either click on the approval icon to order the property update with the proposed value.
+
+ ![Edition - Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg)
+
+ ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg)
+
+ - Or click on the decline icon to refuse the property update.
+
+ ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg)
+
+ - Or click on the postponement icon to delay the decision.
+
+ ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg)
+
+2. Click on **Confirm Property Values**.
+
+### Handle a deletion order
+
+Identity Manager shows a given owner and their resources to be deleted:
+
+![Deletion Order Review](/images/identitymanager/provmanual_reviewdeletion_v602.webp)
+
+Handle a deletion order by choosing either to confirm the deletion or to keep the resource.
+
+### Use property view
+
+By default, provisioning orders are listed by resource. It is possible to click on a resource and then access the list of all provisioning orders for that resource.
+
+![Resource View](/images/identitymanager/provreview_resourceview_v603.webp)
+
+In addition, using resource view enables **bulk unblocking** for provisioning orders with errors.
+
+![Bulk Unblock](/images/identitymanager/provreview_bulkunblock_v603.webp)
+
+It can be helpful to have the provisioning orders regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be enabled by clicking on the `Property View` toggle at the top right corner.
+
+Once enabled, select a resource type to display all provisioning orders linked to that resource type. In addition, select a property to display only the provisioning orders linked to these resource type and property.
+
+![Property View](/images/identitymanager/provreview_propertyview_v603.webp)
+
+The review process is similar on both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line.
+
+## Verify Provisioning Review
+
+In order to verify the process:
+
+1. Select a test user in the directory, accessible from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Follow the [Request Entitlement Assignment](../../../user-guide/administrate/manual-assignment-request) workflow to make a change in one of their permissions, which involves provisioning review.
+3. Check that the provisioning state is `Pending` in the user's **View Permissions** tab.
+
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+4. Click on **Jobs** > **Fulfill** on the corresponding connector's overview page, in the **Resource
+Types** frame, to execute the provisioning orders.
+
+ ![Home Page - Job Execution](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+5. The orders using automated provisioning should be automatically handled with their state
+switching to `Executed`, while those using manual provisioning should appear on the **Manual Provisioning** page with their state switching to `Transmitted`.
+
+![Home Page - Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/administrate/reporting.md b/docs/identitymanager/6.3/user-guide/administrate/reporting.md
new file mode 100644
index 0000000000..59535220d2
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/administrate/reporting.md
@@ -0,0 +1,106 @@
+---
+title: "Generate Reports"
+description: "Generate Reports"
+sidebar_position: 10
+---
+
+# Generate Reports
+
+How to use Identity Manager's reporting modules to produce IGA reports for auditing and governance purposes.
+
+## Overview
+
+Reporting features help users produce reports for auditing and performance evaluation. The aim is to be aware of the whole assignment landscape, display it for analysis, and act upon it if needed. Governance also helps produce audit-ready reports. You can start to set up governance features relatively early in your Identity Manager journey and measure your progress from the very start.
+
+A few reporting tools are already available in Identity Manager, used in other parts of your IGA project, for example:
+
+- the list of entitlements for a given user in their **View Permissions** tab;
+
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+- the list of all requests that you are authorized to see in **Workflow Overview** accessible from
+the home page in the **Administration** section;
+
+ ![Home - Workflow Overview](/images/identitymanager/home_workflowoverview_v602.webp)
+
+- the list of [Review Orphaned and Unused Accounts](../../user-guide/administrate/orphan-unused-account-review).
+
+ ![Orphaned Account List](/images/identitymanager/orphan_entitytype_v523.webp)
+
+Identity Manager puts users in control of their reporting. Rich features help produce customizable reports that can be used to check the assignment policy results, or gather information for an audit.
+
+Identity Manager provides several different levels of reporting according to your needs and technical tools. You can:
+
+- download predefined reports for simple needs;
+- add new reports to the predefined ones through XML configuration, for recurring needs that aren't
+met by available reports (this requires XML configuration knowledge);
+- create customized reports with the Query module and its universes configured beforehand, to meet
+specific needs (this requires certain technical knowledge);
+- create customized graphic reports with PowerBI, to meet specific needs (this requires certain
+technical knowledge).
+
+## Participants and Artifacts
+
+This operation can be performed by any user interested in producing IGA reports.
+
+ | Input | Output |
+ | --- | --- |
+ | Entries (required) | Reports |
+
+## Download Predefined Reports
+
+Identity Manager provides a selection of predefined reports available in the solution. They represent the most common use cases.
+
+The accessibility of these predefined reports was configured during profile configuration. See the [Configure a User Profile](../../user-guide/set-up/user-profile-configuration)topic for additional information.
+
+Download predefined reports by proceeding as follows:
+
+1. Click on **Reports** on the left of the home page to access the list of predefined reports.
+
+ ![Home Page - Reports](/images/identitymanager/home_reports_v602.webp)
+
+ ![Reports](/images/identitymanager/reporting_predefinedreports_v602.webp)
+
+2. Choose the appropriate report and click on **Download** to get an Excel report. The
+downward-pointing arrow provides additional report formats.
+
+## Add New Reports to the List
+
+When facing frequent reporting requirements outside the scope of predefined reports, new reports can be configured with XML via `Report Query` and specific query grammar. See the [API query grammar](../../integration-guide/api/squery) topic for additional information.
+
+## Create Customized Reports
+
+When facing a one-time need for producing specific reports, Identity Manager's Query module helps display attributes chosen from the data which is already synchronized and classified. See the [Synchronize Data](../../user-guide/set-up/synchronization) and [Classify Resources](../../user-guide/set-up/categorization/classification) topics for additional information. This module offers the possibility to customize reports and download them.
+
+The Query module is based on predefined [Universe](../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) that can be adjusted later on in XML configuration, just like the list of available query models.
+
+Create a custom report by proceeding as follows:
+
+1. Click on **Query** in the **Administration** section on the home page.
+
+ ![Home Page - Query](/images/identitymanager/home_query_v602.webp)
+
+ ![Query Page](/images/identitymanager/reporting_querypage_v602.webp)
+
+2. Choose a query model from among the list.
+3. Click on **Fields to Display** and select the appropriate fields from among the database
+[Universe](../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) and click on **Confirm**.
+
+ ![Fields to Display](/images/identitymanager/reporting_fieldstodisplay_v522.webp)
+
+In cases where Identity Manager doesn't display correctly the information you need, you must try to understand the entity instances and association instances that constitute the [Universe](../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) that you are working with. Perhaps the fields that you chose cannot be properly correlated.
+
+4. Click on **Filters**, write the appropriate condition and click on **Confirm**.
+
+ ![Filters](/images/identitymanager/reporting_filters_v602.webp)
+
+For example, a report could list user names and identifiers but only those with their `Contract end date` less than today's date, so that we will see all the workers who have left the organization and are still stored in Identity Manager.
+
+5. Once all report settings are defined, click on **Download** to get a CSV report.
+
+## Create Customized Graphic Reports with Power BI
+
+When facing a periodic need for producing specific reports, especially when a visual presentation is required, Identity Manager offers the possibility to connect to the [Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will allow you to create customized reports with a vast range of display options (such as graphs, charts, matrixes, etc.) using Identity Manager's universes.
+
+See the [Connect Power BI to Identity Manager](../../integration-guide/governance/reporting/how-tos/connect-powerbi) topic for additional information on how to analyze Identity Manager's data with Power BI.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/authentication.md b/docs/identitymanager/6.3/user-guide/deploy/authentication.md
new file mode 100644
index 0000000000..5be5ffb74a
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/authentication.md
@@ -0,0 +1,10 @@
+---
+title: "Set Up User Authentication"
+description: "Set Up User Authentication"
+sidebar_position: 30
+---
+
+# Set Up User Authentication
+
+How to allow end-users to authenticate and use the Identity Manager application. See the [ End-User Authentication](../../integration-guide/network-configuration/server-configuration/end-users-authentication) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/change-management.md b/docs/identitymanager/6.3/user-guide/deploy/change-management.md
new file mode 100644
index 0000000000..7a2ed52d79
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/change-management.md 
@@ -0,0 +1,97 @@
+---
+title: "Plan Change Management"
+description: "Plan Change Management"
+sidebar_position: 10
+---
+
+# Plan Change Management
+
+How to anticipate the deep changes in the organization's applications and processes due to Identity Manager installation as a new IGA tool.
+
+Change management is not only part of any IGA project. It is a full project in itself that requires its own project officer, objectives, success indicators, etc. It starts on the very first day with the project kickoff, and runs alongside the technical project.
+
+## Overview
+
+The applications and processes of the organization are about to change deeply. Change management is crucial because it determines the future proper use of the solution and the gain that can be achieved by the organization. It requires an upstream impact analysis in order to define the strategy to adopt.
+
+### Process
+
+A digital project follows two parallel processes:
+
+- The **organizational and digital process** used to design, build and deploy the solution.
+- The **human process** urging staff to accept the solution, familiarize themselves with it, join and
+interact with the project.
+
+Change management aims to support the teams throughout the **human process**.
+
+![Process of Change Management](/images/identitymanager/changemanagement_process.webp)
+
+These processes include mandatory steps that all staff members have to go through, but not necessarily at the same pace. For that reason, change managers can benefit from the use of personas, i.e. creating characters that represent key populations.
+
+## Participants and Artifacts
+
+![Actors of Change Management](/images/identitymanager/changemanagement_actors.webp)
+
+The aim of a Project Management Officer concerning critical stakeholders is to enable:
+
+- **Decision makers to trigger holistic change** in response to recurring factors in daily issues. This
+can be translated into promoting efforts towards the broader enterprise strategy, focusing on recurring challenges, identifying common denominators, not exceeding Project Management Office's capacity and promoting PMO's shifting value proposition.
+- **Managers to grow maturity and confidence in change management** because they allow responsibility
+distribution throughout the organization. They need support in self-assessment and change management at varying degrees according to the strategic importance and complexity level of change. This can be translated into DIY change supports like templates, change coaches for tailored guidance, or change drivers for end-to-end execution.
+- The **employees impacted by change to enter the decision-making process at an early stage**, thus
+improving change absorption. They must be engaged as active participants in shaping change decisions, in order to avoid extreme leader-dictated or consensus-based strategies.
+
+ | Input | Output |
+ | --- | --- |
+ | Upstream impact analysis (required) | Business ready to change |
+
+## Run Change Management for Identity Manager
+
+In order to profitably handle change management, any project should start with the question: **in three years from now, what will be the (three to five) main facts attesting the success of this project?** The answer will shape the strategy.
+
+Whether Identity Manager replaces manual processes or an existing IGA tool, change management methods are going to be the same. Only the analysis of impacted populations and the effort made to onboard them can define the appropriate response.
+
+IGA impact is based on data quality. Therefore, change management must encompass everything and everyone that consumes and/or feeds data. All three population segments (decision makers, managers and employees) are involved in data quality in one way or another. Hence, it is essential that they understand IGA as an advantage instead of a constraint.
+
+Run change management by proceeding as follows:
+
+1. Identify the populations impacted by change. Below is an example of impacted populations that can
+vary enormously.
+
+ ![Usual Populations](/images/identitymanager/changemanagement_populations.webp)
+
+2. For all listed populations, estimate their size and the expected impact on them, through
+indicators like the frequency of their future use of the solution. Use personas to represent key population members, such as VIP users that don't use the application much, or users not feeling comfortable with computers.
+3. According to the previous impact analysis, implement adjusted change management methods. You can
+get inspiration from the following examples.
+
+ | | Population | Size | Impact | Possible Actions |
+ | --- | --- | --- | --- | --- |
+ | 1 | All | 500 | Low | Introduction email Public video Information article |
+ | 2 | End-Users | 50 | High | Coffee corner: coffee break with the local support team offering tutorials and exercises on Identity Manager |
+ | 3a | HR/Managers | 10 | High (daily use) | Tutorials and exercises with a support team to get started quickly with Identity Manager |
+ | 3b | HR/Managers | 10 | Medium (bimonthly use) | Step-by-step procedure video or flyer |
+
+##### Example 1
+
+Informing relevant populations is essential. For large populations (ex.: 500 employees), an introduction email can be sent to everyone or a video published on a public website or played on screens visible in the workplace.
+
+##### Example 2
+
+A medium or large population (i.e. the size of a department in your organization) might be receptive to informal meetings such as a coffee break with the local support team offering tutorials and exercises on Identity Manager.
+
+##### Example 3
+
+Let us consider HR teams and managers which have a change impact depending on their frequency of use of the application.
+
+###### Example 3a
+
+If they frequently use the application (i.e. daily use), they will benefit from tutorials and exercises with a support team to get started quickly with Identity Manager.
+
+###### Example 3b
+
+If they infrequently use the application (i.e. bimonthly use), they may rather benefit from training materials such as a step-by-step procedure video or flyer.
+
+## Verify Change Management
+
+In order to verify the process, change managers can rely on implemented indicators, in the same way as for any project management situation.
diff --git a/docs/identitymanager/6.3/user-guide/deploy/index.md b/docs/identitymanager/6.3/user-guide/deploy/index.md
new file mode 100644
index 0000000000..a31c6a0fe8
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/index.md
@@ -0,0 +1,40 @@
+---
+title: "Deploy"
+description: "Deploy"
+sidebar_position: 50
+---
+
+# Deploy
+
+- [Plan Change Management](../../user-guide/deploy/change-management)
+
+How to anticipate the deep changes in the organization's applications and processes due to Identity Manager installation as a new IGA tool.
+
+- [Install the Production Agent](../../user-guide/deploy/production-agent-installation)
+
+How to install a local agent for production environment.
+
+- [Configure the Agent's Settings](../../user-guide/deploy/production-agent-installation/settings-files)
+
+How to configure the agent's application settings via the `web.config`, `appsettings.json` and `appsettings.agent.json` files.
+
+- [Install IIS via Server Manager](../../user-guide/deploy/production-agent-installation/iis-installation)
+
+How to configure the local server to install IIS via Server Manager.
+
+- [Configure the Pool and Site](../../user-guide/deploy/production-agent-installation/iis-configuration)
+
+How to configure the application pool and website via IIS.
+
+- [Set the Working Directory's Permissions](../../user-guide/deploy/production-agent-installation/directory-permissions)
+
+How to assign to the pool the right permissions on the working directory.
+
+- [Finalize the Installation](../../user-guide/deploy/production-agent-installation/finalization)
+
+How to finalize the installation of the agent.
+
+- [Set Up User Authentication](../../user-guide/deploy/authentication)
+
+How to actually implement Identity Manager solution.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation.md
new file mode 100644
index 0000000000..e9d39f3473
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation.md
@@ -0,0 +1,61 @@
+---
+title: "Install the Production Agent"
+description: "Install the Production Agent"
+sidebar_position: 20
+---
+
+# Install the Production Agent
+
+This guide shows how to install an agent separated from the server, for production environment. See the [Architecture](/docs/identitymanager/current/introduction-guide/architecture) topic for additional information.
+
+## Overview
+
+Like all agents, the production agent aims to extract data from a given managed system, and transmit said data to the Identity Manager server. If necessary, the agent also enables the managed system's provisioning according to the orders computed by the Identity Manager server. See the [Architecture](/docs/identitymanager/current/introduction-guide/architecture) topic for additional information.
+
+Identity Manager solution can use several agents, each of them manages a given system. This section is about installing the agent managing the production environment.
+
+Once agents are configured in addition to the default one provided by SaaS, you need to think about what agent to choose during each [Create the Connector](/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration) declaration. The appropriate agent has access to the managed system.
+
+## Requirements
+
+Ensure that all [Agent](/docs/identitymanager/current/installation-guide/requirements/agent-requirements) requirements can be met before starting the installation of the production agent.
+
+Requirements for the agent installation can change over the course of the project, according to the project purpose.
+
+### Encryption certificates
+
+Ensure that your encryption certificates are valid by checking their: expiration date; signatory; key size exceeding 2048; sha256 and not sha-1.
+
+### Server Manager
+
+Ensure that the device used for the installation has the Server Manager program.
+
+## Participants and Artifacts
+
+Integrators should have all the elements they need to operate.
+
+ | Input | Output |
+ | --- | --- |
+ | [Agent](/docs/identitymanager/current/installation-guide/requirements/agent-requirements) prerequisites (required) | Production agent |
+
+## Install the Production Agent
+
+Install the production agent by proceeding as follows:
+
+1. [Create a Working Directory](/docs/identitymanager/current/installation-guide/production-ready/working-directory) and make sure it contains the folders: `Mails`; `Sources`; `Temp`; `Work`.
+2. [Configure the Agent's Settings](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/settings-files) via the `web.config`, `appsettings.json` and `appsettings.agent.json` files.
+3. Configure the local server to [Install IIS via Server Manager](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-installation).
+4. [Configure the Pool and Site](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-configuration) via IIS.
+5. [Set the Working Directory's Permissions](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/directory-permissions).
+6. [Finalize the Installation](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/finalization).
+
+## Verify Agent Installation
+
+In order to verify the process:
+
+- make sure the website is accessible from IIS by clicking on **Browse** (in the menu on the right),
+and from your browser;
+- if logs are enabled, then stop the pool to make sure that no error is thrown;
+- perform from a local device agent-side actions such as sending test emails, reading and/or writing
+inside working folders, or launching/scheduling agent-side tasks.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/directory-permissions.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/directory-permissions.md
new file mode 100644
index 0000000000..dfc324ed73
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/directory-permissions.md
@@ -0,0 +1,60 @@
+---
+title: "Set the Working Directory's Permissions"
+description: "Set the Working Directory's Permissions"
+sidebar_position: 40
+---
+
+# Set the Working Directory's Permissions
+
+This guide shows how to assign to the pool the right permissions on the working directory.
+
+## Overview
+
+For Identity Manager to work correctly, the pool of the production agent must be configured with specific permissions on the working directory.
+
+This page describes the optimal configuration of the pool's permissions on the working directory to prepare the production agent's installation.
+
+## Set the Working Directory's Permissions
+
+Set the working directory's permissions by proceeding as follows:
+
+1. Right-click on the working directory, for example `C:/identitymanager`, to select **Properties**, and in
+the **Security** tab, click on **Advanced**.
+
+ ![Working Directory Properties: Step 1](/images/identitymanager/prodagent_directoryproperties1.webp)
+
+2. In the **Permissions** tab, click on **Add**, and in the pop-up window click on **Select a
+principal**.
+
+ ![Working Directory Properties: Step 2](/images/identitymanager/prodagent_directoryproperties2.webp)
+
+3. Click on **Locations** to choose the current computer, and in the text area enter
+`iis apppool/identitymanager` (`Usercube` being the name of the previously created pool).
+
+ ![Working Directory Properties: Step 3](/images/identitymanager/prodagent_directoryproperties3.webp)
+
+An error at this point should come either from a mistake in the pool's name or in the selected location.
+
+4. Click on **OK** and make sure that only the **Read and execute**, **List folder contents** and
+**Read** permissions are selected.
+
+ ![Working Directory Properties: Step 4](/images/identitymanager/prodagent_directoryproperties4.webp)
+
+5. Click on **OK** in the windows until they are all closed.
+6. Right-click on the `Temp` folder to select **Properties**, and in the **Security** tab, click on
+**Edit**.
+
+ ![Temp Folder Properties: Step 1](/images/identitymanager/prodagent_foldersproperties1.webp)
+
+7. Select the user corresponding to the pool and give them `Full control`.
+
+ ![Temp Folder Properties: Step 2](/images/identitymanager/prodagent_foldersproperties2.webp)
+
+8. Click on **OK** in the windows until they are all closed.
+9. Repeat the last few steps (those concerning the `Temp` folder) to apply them to the `Work` and
+`Mails` folders.
+
+## Next Steps
+
+To continue, [Finalize the Installation](../../../user-guide/deploy/production-agent-installation/finalization)in a few steps.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/finalization.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/finalization.md
new file mode 100644
index 0000000000..5aa9a4ac2c
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/finalization.md
@@ -0,0 +1,30 @@
+---
+title: "Finalize the Installation"
+description: "Finalize the Installation"
+sidebar_position: 50
+---
+
+# Finalize the Installation
+
+This guide shows how finalize the installation of the agent.
+
+## Overview
+
+This page describes the last few steps that the production agent needs for Identity Manager to run correctly.
+
+## Finalize the Installation
+
+Finalize the installation of the agent by proceeding as follows:
+
+1. Install
+[Windows' hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0).
+
+If the bundle was installed before [Configure the Pool and Site](../../../user-guide/deploy/production-agent-installation/iis-configuration), then IIS might not display the AspNetCore module and Identity Manager will not run. In this case, relaunch the bundle's installation executable to perform a repair.
+
+2. When using a proxy, adjust the configuration accordingly. See the
+[Reverse Proxy](../../../installation-guide/reverse-proxy)topic for additional information.
+
+## Next Steps
+
+To continue, follow the instructions to verify the agent's installation. See the [Install the Production Agent](../../../user-guide/deploy/production-agent-installation) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-configuration.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-configuration.md
new file mode 100644
index 0000000000..d405a67dfc
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-configuration.md
@@ -0,0 +1,68 @@
+---
+title: "Configure the Pool and Site"
+description: "Configure the Pool and Site"
+sidebar_position: 30
+---
+
+# Configure the Pool and Site
+
+This guide shows how to configure the application pool and website via IIS.
+
+## Overview
+
+IIS provides a platform for hosting and managing websites. [See more details](https://learn.microsoft.com/fr-fr/iis/get-started/introduction-to-iis/introduction-to-iis-architecture).
+
+To install the production agent, a website must be created and configured correctly, as part of an application pool.
+
+This page describes the optimal configuration in IIS to prepare the production agent's installation.
+
+## Configure the Application Pool and Site
+
+Configure the application pool and site by proceeding as follows:
+
+1. Open IIS and remove the default site and pool.
+
+IIS can usually be found in Windows' search menu, or from Server Manager by accessing the **Tools** menu.
+
+ ![IIS: Step 1](/images/identitymanager/prodagent_iis1.webp)
+
+2. Right-click on **Application Pools** to add a new pool named `Usercube`.
+
+ ![IIS: Step 2](/images/identitymanager/prodagent_iis2.webp)
+
+3. Right-click on **Sites** to add a new site named `Usercube`, make sure that the
+selected application pool is `Usercube` and set the `path` field to the `Runtime` folder.
+
+ ![IIS: Step 3](/images/identitymanager/prodagent_iis3.webp)
+
+4. Right-click on the application pool to open its advanced settings and make sure that the
+following parameters are set as such:
+
+ ![IIS: Step 4](/images/identitymanager/prodagent_iis4.webp)
+
+ ![IIS: Step 5](/images/identitymanager/prodagent_iis5.webp)
+
+5. Make sure that IIS contains an SSL certificate, by accessing the home page of IIS server and
+double-clicking on **Server Certificates**.
+
+If the certificate is not ready yet, generate an auto-signed certificate.
+
+ ![IIS Server Certificate: Step 1](/images/identitymanager/prodagent_servercertificate1.webp)
+
+If the certificate is not there yet, import it by clicking on **Import** in the right-side menu, and specify the certificate's path and password.
+
+ ![IIS Server Certificate: Step 2](/images/identitymanager/prodagent_servercertificate2.webp)
+
+6. Add the certificate's URL to the site by right-clicking on the site, selecting **Edit Bindings**
+and clicking on **Add**, then choosing `https` as type, `443` as port, specifying the server's URL (without the `https` part) as host name, and finally selecting the server certificate.
+
+ ![IIS Server Certificate: Step 3](/images/identitymanager/prodagent_servercertificate3.webp)
+
+Click on **OK**.
+
+If the server's certificate is not available at this point, then make sure it was correctly imported in the previous step.
+
+## Next Steps
+
+To continue, [Set the Working Directory's Permissions](../../../user-guide/deploy/production-agent-installation/directory-permissions).
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-installation.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-installation.md
new file mode 100644
index 0000000000..a650ec176b
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/iis-installation.md
@@ -0,0 +1,50 @@
+---
+title: "Install IIS via Server Manager"
+description: "Install IIS via Server Manager"
+sidebar_position: 20
+---
+
+# Install IIS via Server Manager
+
+This guide shows how to configure the local server to install IIS via Server Manager.
+
+## Overview
+
+When running on Windows Server, Server Manager makes available parameters to configure the local server at will. [See more details](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/manage-the-local-server-and-the-server-manager-console).
+
+This page describes the optimal configuration of the local server to install IIS in order to prepare the production agent's installation.
+
+## Install IIS via Server Manager
+
+Install IIS via Server Manager by proceeding as follows:
+
+1. Open the Server Manager program and click on **Add roles and features**.
+
+ ![Server Manager: Step 1](/images/identitymanager/prodagent_servermanager1.webp)
+
+2. Click on **Next**, then in **Installation Type** make sure that **Role-based or feature-based
+installation** is selected and click on **Next**.
+
+ ![Server Manager: Step 2](/images/identitymanager/prodagent_servermanager2.webp)
+
+3. In **Server Selection** tick **Select a server from the server pool** and click on **Next**.
+
+ ![Server Manager: Step 3](/images/identitymanager/prodagent_servermanager3.webp)
+
+4. In **Server Roles** tick **Web Server (IIS)**.
+
+ ![Server Manager: Step 4](/images/identitymanager/prodagent_servermanager4.webp)
+
+5. In **Features** select **Remote Server Administration Tools** > **Role Administration Tools** >
+**AD DA and AD LDS Tools** > **AD DS Tools** > **AD DS Snap-Ins and Command-Line Tools**.
+
+ ![Server Manager: Step 5](/images/identitymanager/prodagent_servermanager5.webp)
+
+6. In **Confirmation** click on **Install**.
+
+ ![Server Manager: Step 6](/images/identitymanager/prodagent_servermanager6.webp)
+
+## Next Steps
+
+To continue,[Configure the Pool and Site](../../../user-guide/deploy/production-agent-installation/iis-configuration)and website via IIS.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/index.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/index.md
new file mode 100644
index 0000000000..9f1142a67f
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/index.md
@@ -0,0 +1,64 @@
+---
+title: "Install the Production Agent"
+description: "Install the Production Agent"
+sidebar_position: 20
+---
+
+# Install the Production Agent
+
+This guide shows how to install an agent separated from the server, for production environment. See the [Architecture](/docs/identitymanager/current/introduction-guide/architecture) topic for additional information.
+
+## Overview
+
+Like all agents, the production agent aims to extract data from a given managed system, **and** transmit said data to the Identity Manager server. If necessary, the agent also enables the managed system's provisioning according to the orders computed by the Identity Manager server. See the [Architecture](/docs/identitymanager/current/introduction-guide/architecture) topic for additional information.
+
+Identity Manager solution can use several agents, each of them manages a given system. This section is about installing the agent managing the production environment.
+
+:::note
+Once agents are configured in addition to the default one provided by SaaS, you need to think about what agent to choose during each [Create the Connector](/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration) declaration. The appropriate agent has access to the managed system.
+:::
+
+## Requirements
+
+Ensure that all [Agent](/docs/identitymanager/current/installation-guide/requirements/agent-requirements) requirements can be met before starting the installation of the production agent.
+
+:::note
+Requirements for the agent installation can change over the course of the project, according to the
+project purpose.
+:::
+
+### Encryption certificates
+
+Ensure that your encryption certificates are valid by checking their: expiration date; signatory; key size exceeding 2048; sha256 **and** not sha-1.
+
+### Server Manager
+
+Ensure that the device used for the installation has the Server Manager program.
+
+## Participants **and** Artifacts
+
+Integrators should have all the elements they need to operate.
+
+ | Input | Output |
+ | --- | --- |
+| [Agent](/docs/identitymanager/current/installation-guide/requirements/agent-requirements) prerequisites (required) | Production agent |
+
+## Install the Production Agent
+
+Install the production agent by proceeding as follows:
+
+1. [Create a Working Directory](/docs/identitymanager/current/installation-guide/production-ready/working-directory) and make sure it contains the folders: `Mails`; `Sources`; `Temp`; `Work`.
+2. [Configure the Agent's Settings](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/settings-files) via the `web.config`, `appsettings.json` and `appsettings.agent.json` files.
+3. Configure the local server to [install IIS via Server Manager](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-installation).
+4. [Configure the Pool and Site](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-configuration) via IIS.
+5. [Set the Working Directory's Permissions](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/directory-permissions).
+6. [Finalize the Installation](/docs/identitymanager/current/user-guide/deploy/production-agent-installation/finalization).
+
+## Verify Agent Installation
+
+In order to verify the process:
+
+- make sure the website is accessible from IIS by clicking on **Browse** (in the menu on the right), **and** from your browser;
+- if logs are enabled, then stop the pool to make sure that no error is thrown;
+- perform from a local device agent-side actions such as sending test emails, reading **and**/or writing inside working folders, or launching/scheduling agent-side tasks.
+
diff --git a/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/settings-files.md b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/settings-files.md
new file mode 100644
index 0000000000..70b7332bf7
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/deploy/production-agent-installation/settings-files.md
@@ -0,0 +1,121 @@ +--- +title: "Configure the Agent's Settings" +description: "Configure the Agent's Settings" +sidebar_position: 10 +--- + +# Configure the Agent's Settings + +This guide shows how to configure the agent's application settings via the `*web.config*`, `*appsettings.json*` and `*appsettings.agent.json*` files. + +## Overview + +Identity Manager provides JSON files to configure varied application settings, named appsettings json and *appsettings.agent.json*. See the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings) and [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topics for additional information. + +This page describes the optimal configuration of the production agent's application settings. + +## Configure the Agent's Settings + +Configure the agent's settings by proceeding as follows: + +1. From the `Runtime/Agent` folder, copy the files `*appsettings.json*`, `*appsettings.agent.json*` and +`*web.config*` and paste them in the `Runtime` folder, thus replacing the pre-existing ones. +2. Open `*web.config*` and make sure that, in the `aspNetCore` tag, the value of `arguments` is set to +`./Usercube-Agent.dll`. + +When needing to get the agent's logs, set also `stdoutLogEnabled` to `true`. See more details in [Microsoft's documentation](https://learn.microsoft.com/fr-fr/aspnet/core/host-and-deploy/iis/logging-and-diagnostics?view=aspnetcore-7.0). + +``` +***web.config*** + +... ... ... +``` + +3. 
Open `*appsettings.json*` and make sure that: + + - **License** contains a valid license; + - **IdentityServer** contains the encryption certificate's path and password provided by Netwrix +Identity Manager (formerly Usercube) team, in order to secure agent/server identification; + +For example (in `*appsettings.json*`): + +```json "IdentityServer": { "X509KeyFilePath": "./identitymanager.pfx", "X509KeyFilePassword": "secret" } ``` + - you get an encryption certificate which will be used to encrypt specific files such as logs or +temporary files, and that **EncryptionCertificate** contains its path and password; + +For example (in `*appsettings.json*`): +```json "EncryptionCertificate": { "File": "./Usercube-Files.pfx", "Password": "secret", "EncryptFile": true } ``` + +**EncryptFile** can stay set to `false` while verifying the agent installation, **but** for security reasons it **must** be set to `true` afterwards. + +If the certificates' passwords contain `@`, then they **must** be escaped via the `@` as first character of the strings. + + - **ApplicationUri** contains the server's address, provided by Netwrix Identity Manager +(formerly Usercube) team when working in a SaaS environment; + +For example (in `*appsettings.json*`): + +```json "ApplicationUri": "http://localhost:5000" ``` +Do not write a `/` character at the end of the string. + + - **Cors** > **AllowAnyHeader**, **AllowAnyMethod** and **AllowCredentials** are set to `true`; + +For example (in `*appsettings.json*`): +```json "Cors": { "AllowAnyHeader": "true", "AllowAnyMethod": "true", "AllowCredentials": "true" } ``` + +4. Open `*appsettings.agent.json*` and make sure that: + + - **OpenId** > **AgentIdentifier** specifies the agent's name which **must** match the XML +configuration. See the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent) topic for additional information.. 
+ +For example (in `*appsettings.agent.json*`): + +```json "OpenId": { "AgentIdentifier": "MyAgent" } ``` +With the following configuration: + +For example (in XML): +```xml ``` + + - **OpenId** > **OpenIdClients** > **Job** contains the non-hashed value of the password of +"Job-Remote" provided by NETWRIX' team + +For example (in `*appsettings.agent.json*`): + +```json "OpenId": { "AgentIdentifier": "MyAgent", "OpenIdClients": { "Job": "secret" } } ``` +and add the hashed value of this password to the `OpenIdClient` named `Job` from the XML configuration; + +For example (in XML): +```xml ``` + + - **OpenId** > **DefaultOpenIdClient** is set to `Job`; + +For example (in `*appsettings.agent.json*`): + +```json "OpenId": { "AgentIdentifier": "MyAgent", "OpenIdClients": { "Job": "secret" }, "DefaultOpenIdClient": "Job" } ``` + - **PasswordResetSettings** > **TwoFactorSettings** > **ApplicationUri** contains the server's +address, provided by NETWRIX' team when working in a SaaS environment; + +For example (in `*appsettings.agent.json*`): +```json "PasswordResetSettings": { "TwoFactorSettings": { "ApplicationUri": "http://localhost:5000" } } ``` + + - **PasswordResetSettings** > **EncryptionCertificate** contains contains the path and password +of the certificate used to secure password tokens; + +For example (in `*appsettings.agent.json*`): + +```json "PasswordResetSettings": { "TwoFactorSettings": { "ApplicationUri": "http://localhost:5000" }, "EncryptionCertificate": { "File": "../identitymanager.pfx", "Password": "secret" } } ``` + - **PasswordResetSettings** > **MailSettings** > **PickupDirectory** is set to the `Mails` +folder and **FromAddress** to `no-reply@.com`; + +For example (in `*appsettings.agent.json*`): +```json "PasswordResetSettings": { "TwoFactorSettings": { "ApplicationUri": "http://localhost:5000" }, "EncryptionCertificate": { "File": "../identitymanager.pfx", "Password": "secret" }, "MailSettings": { "PickupDirectory": "../Mails", "FromAddress": 
"no-reply@contoso.com" } } ``` + + - **SourcesRootPaths** contains the path to the `Sources` folder. + +For example (in `*appsettings.agent.json*`): + +```json "SourcesRootPaths": [ "C:/identitymanager/Sources" ] ``` +## Next Steps + +To continue,see the local server to [Install IIS via Server Manager](../../../user-guide/deploy/production-agent-installation/iis-installation). + diff --git a/docs/identitymanager/6.3/user-guide/global-process/howto-maintaindirectory.md b/docs/identitymanager/6.3/user-guide/global-process/howto-maintaindirectory.md new file mode 100644 index 0000000000..9a589b72e3 --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/global-process/howto-maintaindirectory.md @@ -0,0 +1,18 @@ +--- +title: "How to Maintain the Workforce Directory" +description: "How to Maintain the Workforce Directory" +sidebar_position: 20 +--- + +# How to Maintain the Workforce Directory + +How to keep the workforce directory up to date. + +## Overview + +![Process Schema - How to Implement a New System](/images/identitymanager/globalprocess_schemamaintain.webp) + +## Process Details + +Be aware that the integration of an IGA tool is an iterative process. Thus, after following the [How to Start](../../user-guide/global-process/howto-start) process and creating the workforce directory, you can come back at any time and complete the directory that you started [Update Identity Data](../../user-guide/maintain/identity-data-modification). + diff --git a/docs/identitymanager/6.3/user-guide/global-process/howto-newsystem.md b/docs/identitymanager/6.3/user-guide/global-process/howto-newsystem.md new file mode 100644 index 0000000000..d8b737e85a --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/global-process/howto-newsystem.md 
@@ -0,0 +1,58 @@
+---
+title: "How to Implement a New System"
+description: "How to Implement a New System"
+sidebar_position: 30
+---
+
+# How to Implement a New System
+
+How to add a new system to the solution.
+
+## Overview
+
+When connecting Identity Manager to a new system, several process paths can be taken according to your strategy. There is no option fundamentally better than the others, your decision must depend on your needs.
+
+The **option A** leads quickly to the implementation in production environment, i.e. a new application in Identity Manager's scope. With this, you can [Review Orphaned and Unused Accounts](../../user-guide/administrate/orphan-unused-account-review), [Provision](../../user-guide/administrate/provisioning) the AD, [Reconcile a Property](../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation), and [Generate Reports](../../user-guide/administrate/reporting), for example the list of profiles assigned to users.
+
+The **option B** takes more time as it goes through the creation of the role model based on the system's entitlements, but it leads to even more gain as you can also [Reconcile a Role](../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation), [Perform Access Certification](../../user-guide/administrate/access-certification) access certification and [Request Entitlement Assignment](../../user-guide/administrate/manual-assignment-request), and also [Generate Reports](../../user-guide/administrate/reporting), for example the list of assigned single roles.
+
+The option B is more complicated and time-consuming than the option A, but leads to more gain. Be aware that **you can go through the process options simultaneously**.
+
+![Process Schema - How to Implement a New System](/images/identitymanager/globalprocess_schemaconnectsyst.webp)
+
+## Process Details
+
+### Common starting steps
+
+1. [Connect to a Managed System](../../user-guide/set-up/connect-system): create the appropriate
+connector with its connections and entity types.
+2. [Synchronize Data](../../user-guide/set-up/synchronization) into Identity Manager.
+
+Based on this, you can [Generate Reports](../../user-guide/administrate/reporting), for example the list of resources in the system. A few predefined reports are available from the start, you can generate any report from this list as soon as it makes sense according to the integration progress.
+
+3. [Categorize Resources](../../user-guide/set-up/categorization) in order to classify them
+according to their intent, and correlate these resources with their owners.
+4. [Create a Provisioning Rule](../../user-guide/set-up/provisioning-rule-creation) to write to the system in order to update the resources' properties directly in the system.
+5. Adjust the rules by [Reconcile a Property](../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation) resources, i.e. analyze the differences spotted between the reality of resources' properties and those computed by the previously established rules. Especially, verify that accounts are
+correlated to the right owners and that their properties have the right values.
+
+Either the integrator handles the customization of the rules and the review of non-conforming resources, or they can assign an application administrator profile to a given user to perform it. Assigning this profile requires profile configuration, see steps 11 and 12.
+
+After connecting Identity Manager to an external system, two process options are available according to your needs: either aim directly to the implementation in production environment, or first build the role model in order to enable more administration activities. Both options can be started simultaneously.
+
+### Option A: Straight to production implementation
+
+Go directly to the common final steps (step 8).
+
+### Option B: First build the role model
+
+6. [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) for
+applications managed by the system.
+7. [Automate Assignments](../../user-guide/optimize/assignment-automation) if needed: use Role
+Mining to create single role rules in bulk; adjust the generated rules individually and manually.
+
+### Common final steps
+
+8. Perform tests.
+9. Deploy the pre-production configuration to the production environment.
+
diff --git a/docs/identitymanager/6.3/user-guide/global-process/howto-start.md b/docs/identitymanager/6.3/user-guide/global-process/howto-start.md
new file mode 100644
index 0000000000..6e01c0264c
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/global-process/howto-start.md
@@ -0,0 +1,83 @@
+---
+title: "How to Start"
+description: "How to Start"
+sidebar_position: 10
+---
+
+# How to Start
+
+How to start integrating Identity Manager with your own needs.
+
+## Overview
+
+When starting with Identity Manager, several process paths can be taken according to your strategy. There is no option fundamentally better than the others, your decision must depend on your needs.
+
+The **option 1** leads quickly to identity management, i.e. users' on-boarding/movement/off-boarding without needing a periodic synchronization. See the [Update Identity Data](../../user-guide/maintain/identity-data-modification) topic for additional information.
+
+The **option 2A** takes more time as it requires the installation of an agent on your network in order to connect Identity Manager to the system and use the AD's data, but it leads to more gain as you can also [Review Orphaned and Unused Accounts](../../user-guide/administrate/orphan-unused-account-review), [Provision](../../user-guide/administrate/provisioning) the AD, [Reconcile a Property](../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation)properties, and [Generate Reports](../../user-guide/administrate/reporting), for example the list of profiles assigned to users.
+
+The **option 2B** takes even more time as it goes through the creation of the role model based on the system's entitlements, but it leads to even more gain as you can also [Reconcile a Role](../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation), [Perform Access Certification](../../user-guide/administrate/access-certification) and [Request Entitlement Assignment](../../user-guide/administrate/manual-assignment-request), and also [Generate Reports](../../user-guide/administrate/reporting), for example the list of assigned single roles.
+
+The options 2A and 2B are more complicated and time-consuming than the option 1, but lead to more gain. Be aware that **you can go through the process options simultaneously**.
+
+Netwrix Identity Manager (formerly Usercube) recommends the option 1 to be able to start IGA without waiting for the installation of an agent in your network, and go through the option 2 simultaneously.
+
+![Process Schema - How to Start with Usercube](/images/identitymanager/globalprocess_schemastart.webp)
+
+## Process Details
+
+### Common starting steps
+
+1. [Install the Development Environment](../../user-guide/set-up/development-environment-installation).
+2. [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading): configure
+the generation of unique properties; load workforce identities to Identity Manager; adjust the data model.
+
+After these first steps, two process options are available according to your needs: either aim directly to identity management and the opening of Identity Manager to end-users, or first connect Identity Manager to an external system in order to enable more administration activities. Both options can be started simultaneously.
+
+### Option 1: Based on the workforce directory
+
+Starting with the workforce directory **does not** require the installation of a local agent.
+
+Go directly to the common final steps (step 10).
+
+### Option 2: Based on an external system
+
+Starting with an external system requires the installation of a local agent.
+
+3. Connect Identity Manager to the system by creating a connector. See the
+[Connect to a Managed System](../../user-guide/set-up/connect-system) topic for additional information.
+4. [Synchronize Data](../../user-guide/set-up/synchronization)the system's data into Identity
+Manager.
+
+Based on this, you can [Generate Reports](../../user-guide/administrate/reporting), for example the list of resources in the system. A few predefined reports are available from the start, you can generate any report from this list as soon as it makes sense according to the integration progress.
+
+5. [Categorize Resources](../../user-guide/set-up/categorization) in order to classify them
+according to their intent, and correlate these resources with their owners.
+6. [Create a Provisioning Rule](../../user-guide/set-up/provisioning-rule-creation) to write to the
+system in order to update the resources' properties directly in the system.
+7. Adjust the rules by reconciling resources, i.e. analyze the differences spotted between the
+reality of resources' properties and those computed by the previously established rules. Especially, verify that accounts are correlated to the right owners and that their properties have the right values. See the [Reconcile a Property](../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation) topic for additional information.
+
+Either the integrator handles the customization of the rules and the review of non-conforming resources, or they can assign an application administrator profile to a given user to perform it. Assigning this profile requires profile configuration, see steps 11 and 12.
+
+After connecting Identity Manager to an external system, two process options are available according to your needs: either aim directly to identity management and the opening of Identity Manager to end-users, or first build the role model in order to enable more administration activities. Both options can be started simultaneously.
+
+### Option 2A: Straight to identity management
+
+Go directly to the common final steps (step 10).
+
+### Option 2B: First build the role model
+
+8. [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) for
+applications managed by the system.
+9. [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment)
+if needed: use Role Mining to create single role rules in bulk; adjust the generated rules individually and manually.
+
+### Common final steps
+
+10. Adjust HR workflows to keep the workforce directory updated (only in XML configuration).
+11. Define the permissions for your user profiles. See the
+[Configure a User Profile](../../user-guide/set-up/user-profile-configuration) topic for additional information.
+12. Define the authentication mode by configuring `SelectUserByIdentityQueryHandlerSetting` (only in
+XML configuration), and [Assign Users a Profile](../../user-guide/set-up/user-profile-assignment) to open the application to end-users.
+
diff --git a/docs/identitymanager/6.3/user-guide/global-process/index.md b/docs/identitymanager/6.3/user-guide/global-process/index.md
new file mode 100644
index 0000000000..a211f4646b
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/global-process/index.md
@@ -0,0 +1,26 @@
+---
+title: "Global Process"
+description: "Global Process"
+sidebar_position: 10
+---
+
+# Global Process
+
+How do the process activities success each other.
+
+NETWRIX recommends working with a SaaS installation and with the User Interface as long as possible, because identity management is optimized by mastering identities inside Identity Manager.
+
+Be aware that the integration of an IGA tool is an iterative process. There is no simple linear process. This user guide provides the following processes that can follow one another and intertwine.
+
+- [How to Start](../../user-guide/global-process/howto-start)
+
+How to start integrating Identity Manager with your own needs.
+
+- [How to Maintain the Workforce Directory](../../user-guide/global-process/howto-maintaindirectory)
+
+How to keep the workforce directory up to date.
+
+- [How to Implement a New System](../../user-guide/global-process/howto-newsystem)
+
+How to add a new system to the solution.
+
diff --git a/docs/identitymanager/6.3/user-guide/index.md b/docs/identitymanager/6.3/user-guide/index.md
new file mode 100644
index 0000000000..d0132ff7a6
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/index.md
@@ -0,0 +1,81 @@
+---
+title: "User Guide"
+description: "User Guide"
+sidebar_position: 20
+---
+
+# User Guide
+
+Identity Manager's User Guide leads the reader through all the necessary steps to autonomously build an IGA solution based on Identity Manager, either from scratch or using Identity Manager's IGA Core Solution, with the aim of quickly delivering value.
+
+## Target Audience
+
+This guide is intended to be read by Identity Manager **administrators**, i.e. power users who configure Identity Manager to match their company's needs.
+
+## Prior Knowledge
+
+This guide presumes some knowledge of Identity Manager on the part of the reader who should have previously read the [Introduction Guide](../introduction-guide) in order to be aware of the main purposes, principles and capabilities of Identity Manager.
+
+Using this guide does not require any advanced IT skills. All the configuration steps take place through Identity Manager's UI or MS Excel files.
+
+Netwrix Identity Manager (formerly Usercube)strongly recommends starting from the [Introduction Guide](../introduction-guide) to fully benefit from the User Guide's content.
+
+## Overview
+
+This guide is made of step-by-step procedures that take the reader through setting up Identity Manager from scratch and creating IGA value as quickly as possible.
+
+The procedures are meant to guide the reader through a **standard setup**, based on Identity Manager's IGA Core Solution, and with Netwrix Identity Manager (formerly Usercube) suggestions and recommendations. Any advanced configuration can be performed later using the content of the [Integration Guide](../integration-guide).
+
+Thus, even when having very specific needs, Netwrix Identity Manager (formerly Usercube) still recommends starting the project with the basics presented in this guide. The IGA solution can be enhanced later on with the help of our experts. This way, IGA value can already be delivered while the project continues for optimization purposes.
+
+## Content
+
+This guide is organized into activities, each activity containing an overview, the input, output, and participants as well as step-by-step procedures and a way to verify the outcome.
+
+Some activities are grouped together when they depend on each other to create value or when they contribute to a same goal.
+
+While some activities must be carried out before others for technical and/or functional reasons, the order is not absolute. Please follow the instructions and recommendations detailed with the [Global Process](../user-guide/global-process).
+
+All activities are organized into bigger sections which are distinguishable by their functional intent: set up; administrate; optimize; deploy and maintain.
+
+### Set up
+
+Learn how to configure a working environment, how to set up identity lifecycles, and how to build a catalog of roles for entitlement management, in order to configure the Minimum Viable Product.
+
+### Administrate
+
+Learn how to enforce your security policies through access certification, or resource/role reconciliation, provisioning review, etc.
+
+### Optimize
+
+Learn how to enhance the IGA solution through automation and model optimization.
+
+> For example, learn how to adjust the identity model and the role model in order to make them
+> resemble the company's reality, learn how to improve the data quality by automating entitlement
+> assignment decisions, or by automatically provisioning assignments to the managed systems. Learn
+> how to push the automation wall thanks to Identity Manager's AI with role mining.
+
+### Deploy
+
+Learn how to deploy the solution to a production environment.
+
+### Maintain
+
+Learn how to maintain the solution, because the project is iterative. Learn how to keep the data model up to date according to the company's changes, or how to add new systems to the loop, while Identity Manager is already running in production.
+
+## How to Use this Guide
+
+Start by studying the [Global Process](../user-guide/global-process) that details every activity in their respective sections and how they relate to one another. You will get a good view of the steps to take from start to finish.
+
+Follow the path, stop at each activity, and go check out the details on the matching page of the guide, in the corresponding section. There you will find recommendations and practical steps to complete the activity and test it. Then you can resume following the path.
+
+At any step along the way, once you feel comfortable, you can decide to take another direction than the recommended process, as long as you take into account the input artifacts specified in each activity page, which represent actual technical dependencies. You can start an activity only if all the previous technical dependencies are met.
+
+Keep in mind that completing sections one by one is the quickest way to deliver value. Nevertheless, they are not rigorously dependent on each other. You do not have to complete one entirely in order to go to the next. But they are not rigorously independent either. There are some activities in the first one that are required for activities in the second. Read the input artifacts to choose the correct order.
+
+> For example, if you are looking forward to fixing non authorized account (from the
+> **Administrate** section) you do not have to complete the **Set Up** section entirely. You just
+> have to complete the **Categorize Resources** activity, and all the activities connected to it
+> upstream . You do not have to complete other activities such as the **Create Roles in the Role
+> Catalog** activity.
+
diff --git a/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/index.md b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/index.md
new file mode 100644
index 0000000000..95252aa270
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/index.md
@@ -0,0 +1,45 @@
+---
+title: "Update Identity Data"
+description: "Update Identity Data"
+sidebar_position: 10
+---
+
+# Update Identity Data
+
+How to perform modifications in the identity repository, to manage onboarding, offboarding and position changes.
+
+This part is not about changing the data model, but data itself.
+
+## Overview
+
+After the identity repository is initiated, you will need to modify it for many possible reasons. Among them:
+
+- update all identities with new attributes because you didn't have the required information during
+the repository creation, or because it wasn't a priority for you then;
+- perform onboarding: add new identities as new workers arrive in the company;
+- modify identities' attributes to fix existing errors, or to reflect a real change in users' data,
+or model a position change;
+- remove identities' attributes, as they are no longer required to manage entitlements;
+- perform offboarding: remove identities with all their attributes, as users leave the company.
+
+## Participants and Artifacts
+
+Integrators are able to perform an identity update if they master the new data.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) New identity data (required) | Updated identity repository |
+
+See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+## Modify Identity Data
+
+Modify identity data by proceeding as follows, according to the changes to be made:
+
+- either update data individually by using predefined workflows in the UI; See the
+[Update an Individual Identity](../../../user-guide/maintain/identity-data-modification/individual-update) topic for additional information.
+- or perform a same change on several identities simultaneously by using Identity Manager's
+predefined workflow in the UI; See the [Update Identities in Bulk](../../../user-guide/maintain/identity-data-modification/mass-update) topic for additional information.
+- or update data on a massive scale by uploading an external file into Identity Manager, as an
+incremental version of the identity repository.
+
diff --git a/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/individual-update.md b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/individual-update.md
new file mode 100644
index 0000000000..36518c49eb
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/individual-update.md
@@ -0,0 +1,73 @@
+---
+title: "Update an Individual Identity"
+description: "Update an Individual Identity"
+sidebar_position: 10
+---
+
+# Update an Individual Identity
+
+How to manage onboarding, position changes and offboarding through the UI, for a single identity.
+
+This part is not about changing the data model, but data itself.
+
+## Overview
+
+Individual changes in identity data can be handled using Identity Manager's predefined workflows to:
+
+- declare a new identity (for an internal as well as an external worker);
+- act on existing identities, including modify their data, manage their contract and/or positions,
+suspend all accounts linked to them, or reactivate them, repair some data, or delete these identities.
+
+## Participants and Artifacts
+
+A given user's data can be updated occasionally by their manager, but most often by the HR department.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) New identity data (required) | Updated identity repository |
+
+See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+## Declare a New Identity
+
+Declare a new worker by proceeding as follows:
+
+1. Access the user directory from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. According to the type of the user to be declared, click on the corresponding button.
+
+ ![Workflow - New User](/images/identitymanager/datamodif_newuser_v602.webp)
+
+3. Follow the workflow's instructions to fill the form with the user's data, choose the user's
+entitlements from your role catalog and send the request. See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
+
+## Act on an Existing Identity
+
+Act on an existing identity by proceeding as follows:
+
+1. Access the user directory from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Click on the user to be modified.
+
+ ![Workflow - User](/images/identitymanager/datamodif_user_v602.webp)
+
+3. Click on **Actions** or **Helpdesk** to select the action to perform.
+
+ ![Workflow - Modify Permissions](/images/identitymanager/datamodif_changeuser_v602.webp)
+
+4. Follow the workflow's instructions.
+
+If the workflow has been configured in this way, the update request may require a review. In this case, sending the request triggers the display of said request on the **My Tasks** screen for the reviewer, while the state of the request is pending. In this case, the requested updates will be displayed in Identity Manager only after the request has been reviewed.
+
+ ![Request - Review Pending](/images/identitymanager/datamodif_reviewpending_v523.webp)
+
+## Verify Data Update
+
+In order to verify the process, check that the right data is displayed in the directory for the involved user.
+
+![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/mass-update.md b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/mass-update.md
new file mode 100644
index 0000000000..8a31b331aa
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/mass-update.md
@@ -0,0 +1,128 @@
+---
+title: "Update Identities in Bulk"
+description: "Update Identities in Bulk"
+sidebar_position: 30
+---
+
+# Update Identities in Bulk
+
+How to perform a mass change in identity data, by uploading an incremental version of the identity repository.
+
+This part is not about changing the data model, but data itself.
+
+Here we describe the incremental update of identities, but the update of any other File/CSV works the same.
+
+## Overview
+
+When the number of changes gets high, identity data update through the UI becomes tedious. Therefore, Identity Manager offers the possibility to fill a predefined file with data to be modified, in order to perform all changes simultaneously.
+
+Data update can be performed in complete mode or incremental mode.
+
+## Participants and Artifacts
+
+Identity data can be updated most often in cooperation with the HR department.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) New identity data (required) | Updated identity repository |
+
+See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+## Update Data in Complete Mode
+
+Mass update identity data (in complete mode) by proceeding as follows:
+
+1. Access the directory connector from **Connectors** on the home page, in the **Configuration**
+section.
+
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
+
+2. On the connector's page, choose the connection corresponding to identities.
+3. In the connection's settings, download the Excel template full of the data from your database.
+
+ ![Download Full Template](/images/identitymanager/datamodif_downloadtemplatedata_v602.webp)
+
+4. Update the data that needs change.
+5. Ensure that the field `Path (Complete mode)` is filled with the path of the source file.
+6. Click on **Upload** and choose the file you modified with new data.
+
+ ![Upload](/images/identitymanager/connection_upload_v602.webp)
+
+7. Click on **Check Connection** to verify the path.
+
+ ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp)
+
+8. Click on **Save & Close**.
+9. Back on the connector's page, launch synchronization. See the
+[Synchronize Data](../../../user-guide/set-up/synchronization) topic for additional information.
+
+Be cautious about thresholds.
+
+## Update Data in Incremental Mode
+
+Mass update identity data (in incremental mode) by proceeding as follows:
+
+1. Access the directory connector from **Connectors** on the home page, in the **Configuration**
+section.
+
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
+
+2. On the connector's page, choose the connection corresponding to identities.
+3. In the connection's settings, download the empty Excel template.
+
+ ![Download Full Template](/images/identitymanager/datamodif_downloadtemplateempty_v602.webp)
+
+4. Fill only the data to be modified, specify the unique identifier for each entry (for correlation
+purposes), and fill the column `Command`, which can take a few available inputs:
+
+ - `Add` to incorporate new attributes;
+ - `Modify` to change existing attributes;
+
+Attributes can be emptied using the value `NULL_NULL`.
+
+ - `Delete` to remove attributes from the datamodel;
+
+Instead of using `Delete`, you can scan the data model to exclude unused attributes. See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+ - `Merge` to input an identity's data and modify the corresponding attributes if said identity
+already exists, create a new identity otherwise.
+ > For example, if a few users switch working sites, then the modification is performed by
+ > filling the file only with said users' identifiers and new sites. Fill the column
+ > `Command` with `Modify`. The rest will not be changed.
+
+5. Ensure that the field `Path (Incremental mode)` is filled with the path of the source file.
+6. Click on **Upload** and choose the file you modified with new data.
+
+ ![Upload](/images/identitymanager/connection_upload_v602.webp)
+
+7. Click on **Check Connection** to verify the path.
+
+ ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp)
+
+8. Click on **Save & Close**.
+9. Back on the connector's page, launch synchronization. See the
+[Synchronize Data](../../../user-guide/set-up/synchronization) topic for additional information.
+
+Be cautious about thresholds.
+
+## Verify Data Update
+
+In order to verify the process:
+
+- **Check manually a sample** in the `User` directory accessible from the home page. You should verify
+at least your own sheet and the sheets for your hierarchy.
+
+ ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+- Check that **every organization still has a manager**. Organizations are accessible in the
+`Department` directory accessible from the home page.
+
+ ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp)
+
+ ![List of Departments](/images/identitymanager/initialload_departments_v602.webp)
+
+If the system contains many organizations, then it is also possible to list them with their managers through the Query module.
+
+- Create reports with indicators on the workers number per type or per organization for example
+(through Identity Manager' predefined reports, the Query module or Power BI), in order to ensure that Identity Manager's content sticks to reality. See the [Generate Reports](../../../user-guide/administrate/reporting) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/multiple-update.md b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/multiple-update.md
new file mode 100644
index 0000000000..7f898e3210
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/maintain/identity-data-modification/multiple-update.md 
@@ -0,0 +1,67 @@
+---
+title: "Update Multiple Identities"
+description: "Update Multiple Identities"
+sidebar_position: 20
+---
+
+# Update Multiple Identities
+
+How to perform a same change in data for several identities simultaneously.
+
+This part is not about changing the data model, but data itself.
+
+## Overview
+
+When a same change is needed by a high number of users, then Identity Manager provides a UI workflow to perform this change for all selected identities simultaneously.
+
+> For example, if a whole department in the company is moved to a new working site, then all users
+> working in said department must have their `Site` attribute updated.
+
+## Participants and Artifacts
+
+Given users' data can be updated occasionally by their managers, but most often by the HR department.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) New identity data (required) | Updated identity repository |
+
+See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+## Update
+
+Perform multiple updates by proceeding as follows:
+
+1. Click on **Multiple Updates**, accessible from the directory on the home page.
+
+ ![Home Page - Multiple Updates](/images/identitymanager/home_multipleupdates_v523.webp)
+
+2. Follow the workflow's instructions to perform the change, assign new entitlements if needed, and
+send the request.
+
+ ![Multiple Updates Form](/images/identitymanager/datamodif_multipleform_v602.webp)
+
+If the workflow has been configured in this way, the update request may require a review. In this case, sending the request triggers the display of said request on the **My Tasks** screen for the reviewer, while the state of the request is pending. In this case, the requested updates will be displayed in Identity Manager only after the request has been reviewed.
+
+ ![Request - Review Pending](/images/identitymanager/datamodif_reviewpending_v523.webp)
+
+## Verify Data Update
+
+In order to verify the process:
+
+- **Check manually a sample** in the `User` directory accessible from the home page. You should verify
+at least your own sheet and the sheets assigned to your hierarchy.
+
+ ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+- Check that **every organization still has a manager**. Organizations are accessible in the
+`Department` directory on the home page.
+
+ ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp)
+
+ ![List of Departments](/images/identitymanager/initialload_departments_v602.webp)
+
+If the system contains numerous organizations, it is also possible to list them with their managers through the Query module.
+
+- Create reports with indicators, for example, on the number of workers per type or per organization
+(through Identity Manager's predefined reports, the Query module or Power BI), to ensure that Identity Manager's content sticks to reality. See the [Generate Reports](../../../user-guide/administrate/reporting) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/user-guide/maintain/index.md b/docs/identitymanager/6.3/user-guide/maintain/index.md
new file mode 100644
index 0000000000..7600505827
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/maintain/index.md
@@ -0,0 +1,28 @@
+---
+title: "Maintain"
+description: "Maintain"
+sidebar_position: 60
+---
+
+# Maintain
+
+- [Update Identity Data](../../user-guide/maintain/identity-data-modification)
+
+How to perform modifications in the identity repository, to manage onboarding, offboarding and position changes.
+
+ - [Update an Individual Identity](../../user-guide/maintain/identity-data-modification/individual-update)
+
+How to perform changes in data for a single identity, through the UI.
+
+ - [Update Multiple Identities](../../user-guide/maintain/identity-data-modification/multiple-update)
+
+How to perform a same change in data for several identities simultaneously, through the UI.
+
+ - [Update Identities in Bulk](../../user-guide/maintain/identity-data-modification/mass-update)
+
+How to perform a mass change in identity data, by uploading a complete or incremental version of the identity repository.
+
+- [Troubleshoot](../../user-guide/maintain/troubleshooting)
+
+How to troubleshoot Identity Manager when facing technical issues.
+
diff --git a/docs/identitymanager/6.3/user-guide/maintain/troubleshooting.md b/docs/identitymanager/6.3/user-guide/maintain/troubleshooting.md
new file mode 100644
index 0000000000..e022fabc00
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/maintain/troubleshooting.md
@@ -0,0 +1,116 @@
+---
+title: "Troubleshoot"
+description: "Troubleshoot"
+sidebar_position: 20
+---
+
+# Troubleshoot
+
+How to troubleshoot Identity Manager when facing technical issues.
+
+## Overview
+
+Daily technical issues can lead to some unexpected results in Identity Manager. This page is meant to give some clues and use cases in order to solve usual issues.
+
+> For example, the issues described below can happen when there is a network cut, or an application
+> IP address is being changed, or an important password is being modified.
+
+See the [Troubleshoot Connector Jobs](../../integration-guide/tasks-jobs/troubleshoot-connector-jobs) troubleshooting instructions concerning connector jobs.
+
+### Prerequisites
+
+In order to troubleshoot Identity Manager efficiently, the user, usually an application administrator, must have access to:
+
+- the connector screens, especially the jobs available there;
+
+ ![Connector Jobs](/images/identitymanager/troubleshooting_connectorjobs_v603.webp)
+
+- the resource screens (identities, accounts, etc.) with their data, and especially their history
+and sources;
+
+ ![User Data](/images/identitymanager/troubleshooting_userdata_v603.webp)
+
+- basic workflows, for example the usual helpdesk workflow, that give access to users' entitlements
+and enable data modification and repair.
+
+ ![Helpdesk Workflow](/images/identitymanager/troubleshooting_helpdesk_v603.webp)
+
+## Troubleshoot Synchronization Issues
+
+### Errored export task
+
+If the export task ends with an error, then you should:
+
+- check the task's logs;
+- check the export files' dates in the `Temp/ExportOutput` folder;
+- if there was an external problem, then relaunch the export in complete mode.
+
+### Missing data after incremental synchronization
+
+If the data is incomplete after incremental synchronization, then you should relaunch synchronization in complete mode.
+
+Netwrix Identity Manager (formerly Usercube) recommends scheduling an incremental synchronization approximately every 15 minutes, and a complete synchronization once a day.
+
+### Exceeded thresholds
+
+If a synchronization threshold is exceeded, then check whether the threshold is legitimate. If not, it means that the warning comes from a change in the managed system, so you should fix the data directly in the managed system.
+
+See more details on [Synchronize Data](../../user-guide/set-up/synchronization) thresholds.
+
+## Troubleshoot Provisioning Issues
+
+### Blocked provisioning orders
+
+If provisioning orders are blocked while expected to be automatic, it can come from:
+
+- the **Require Provisioning Review** option being enabled in the related resource type;
+- the role model being computed through the
+[Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) or the corresponding executable, with the block provisioning option;
+- a provisioning order being already blocked for the same resource due to a prior operation;
+- a correlation/classification rule with a confidence rate below 100%, which means that either
+important data is missing or the rule is not right.
+
+**Verify:** After debugging the blocked-order situation, the related blocked orders must be reviewed on the **Provisioning Review** screen to be unblocked.
+
+### Errored provisioning orders
+
+> For example, consider a provisioning task supposed to delete 150 accounts, while the relevant
+> service account does not have the relevant writing rights. Thus it ends up with 150 errored
+> provisioning orders.
+
+If provisioning orders end up with an error, then you should check the errors' details in **Provisioning Review** to determine where the error comes from.
+
+**Verify:** After debugging the errored-order situation, unblock one provisioning order and relaunch provisioning to make sure the fix gives the expected result. Only then, unblock all related errored orders and relaunch provisioning.
+
+If the error comes from miscalculated properties, for example missing parent dn or duplicated logins, then you should review scalar and/or query rules.
+
+**Verify:** After debugging the situation, recompute the role model for only one user to make sure the fix gives the expected result. Only then, recompute the role model for all users through the **Compute Role Model** job of connector screens.
+
+To recompute the role model for only one user, you can use the helpdesk workflow. It will give you access to the user's entitlements via the workflow's **Access Permissions** step, where you can check the changes without having to validate.
+
+### Incorrect provisioned values
+
+If provisioning orders produce incorrect values, then it can come from:
+
+- incorrect identity data, in which case you should select a test user, click on **View Sources** to
+see which sources contributed to the data, and click on **View History** to see when the data changed.
+- wrong provisioning rules, i.e. scalar, navigation and/or query rules;
+
+**Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check the changes for only one user to make sure the fix gives the expected result. Only then, recompute the role model for all users through the **Compute Role Model** job of connector screens. See more details on how to use the Troubleshoot workflow for debug purposes.
+
+> For example, if identity data has changed and HR data has not, then it must come from the rules.
+
+### Exceeded thresholds
+
+If a provisioning threshold is exceeded, then check whether the threshold is legitimate. If not, it means that the warning can come from:
+
+- incorrect identity data, in which case you should select a test user, click on **View Sources** to
+see which sources contributed to the data, and click on **View History** to see when the data changed.
+- wrong provisioning rules, i.e. scalar, navigation and/or query rules;
+
+**Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check the changes for only one user to make sure the fix gives the expected result. Only then, recompute the role model for all users through the **Compute Role Model** job of connector screens. See more details on how to use the helpdesk Troubleshoot workflow for debug purposes.
+
+## Troubleshoot Entitlement Issues
+
+If users have unexpected entitlements, then you should click on an entitlement and/or access **Workflow Overview** to see the entitlements' details, for example who requested them, etc.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/automate-role-assignment.md b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/automate-role-assignment.md
new file mode 100644
index 0000000000..cadad7d236
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/automate-role-assignment.md
@@ -0,0 +1,97 @@
+---
+title: "Automate Role Assignments"
+description: "Automate Role Assignments"
+sidebar_position: 10
+---
+
+# Automate Role Assignments
+
+How to manually build rules to automate the assignment of roles to identities. See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
+
+## Overview
+
+**Single role rules** and **composite role rules** are **assignment rules**. **assignment rules** are designed to automatically assign respectively single roles and composite roles (based on specific criteria) to identities. One rule must be created for every role to assign. See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the application's users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | Role Catalog (required) | Role **assignment rules** |
+
+See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
+
+## Create a Role Assignment Rule
+
+Create a role assignment rule by proceeding as follows:
+
+1. Access the rules page by clicking on **Access Rules** on the home page in the **Configuration**
+section.
+
+ ![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp)
+
+2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule.
+
+ ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
+
+3. Click on the **Composite Roles** or **Single Roles** tab and on the addition button at the top
+right corner.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+4. Fill in the fields.
+
+ ![Create an Assignment Rule](/images/identitymanager/assignmentrules_newsrolerule_v602.webp)
+
+ - `Single Role`: single role to be automatically assigned in a single role rule.
+`Composite Role` for a composite role rule.
+ - `Type`: assignment type that can be: `Suggested` so that the role is listed among suggested
+permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested; or `Automatic` so that the role is automatically assigned to users matching the criteria; or `Automatic but with validation` so that the role is listed in the permission basket of **new** workers, these assignments can still be modified.
+
+The rule's type can be `Suggested` only if the related role is allowed to be requested manually.
+
+ - `Single role denied`: option that forbids the assignment instead of applying it.
+ - **Criteria**: conditions that, if met, trigger the single role automatic assignment.
+
+Role **assignment rules** can be based on identity dimensions. Moreover, **Single role rules** can be based on composite roles.
+
+5. Click on **Create** and see a line added on the rules page.
+
+## Impact of Modifications
+
+Any modification in a role assignment rule is taken into account when the next [Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) runs to compute **new** assignments. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a role was assigned automatically to an identity by a role assignment rule, and if this assignment doesn't comply with the **new** version of the rule, then the corresponding role is automatically removed.
+
+A modification in a role assignment rule can trigger the removal of a role only on the Identity Manager side. There are several barriers to cross before said role is removed from the managed system.
+
+> For example, consider a single role rule that assigns the single role
+> `Business role: electronic banking` to all users in the `Tours` department. Let's say that we
+> replace `Tours` with `Orleans`. Then, after the next launch of the complete job, all users in the
+> `Orleans` department get said role, while the users in the `Tours` department are deprived of said
+> role.
+
+[Perform a Simulation](../../../user-guide/optimize/simulation) is available in order to anticipate the changes induced by a creation/modification/deletion in role **assignment rules**.
+
+**assignment rules** can sometimes give to users an entitlement that they had already received manually. Hence, **new** **assignment rules** can imply redundancies between the entitlements assigned manually and approved, and those calculated by a rule and assigned automatically.
+
+Netwrix Identity Manager (formerly Usercube) recommends removing redundant assignments after any assignment rule is created or updated.
+
+## Verify Rule Creation
+
+In order to verify the process, start by checking the rule's details on the **Access Rules** page. Then, you can:
+
+1. Select a test user in the directory, accessible from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Create a role assignment rule for a role that said user doesn't already have, and based on
+criteria which the selected user satisfies.
+3. Trigger the computation of the role model through the complete job on the **Job Execution** page
+in the **Administration** section.
+
+ ![Home - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
+
+4. See the **new** permission in the user's **View Permissions** tab.
+
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/index.md b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/index.md
new file mode 100644
index 0000000000..76cb2cc2ee
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/index.md
@@ -0,0 +1,164 @@
+---
+title: "Automate Assignments"
+description: "Automate Assignments"
+sidebar_position: 60
+---
+
+# Automate Assignments
+
+How to automate entitlement assignment.
+
+## Overview
+
+Once you are able to assign manually the right entitlements to the right identities for the right reasons, you realize how tedious and error-prone entitlement assignment is, and you want to automate it.
+
+The strategy for the automation of entitlement assignment lies in the automatic making of assignment decisions, based on several automation levels provided by Identity Manager:
+
+1. Automation of the creation of the role model, i.e. both roles and navigation rules that represent
+entitlements in the managed systems, through [Create Roles in Bulk](../../../user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation) based on resources' naming conventions in the managed systems.
+2. Automation of entitlement assignment through assignment rules, which use identity criteria (called dimensions, like identities' department or work location, etc.) to decide what entitlements to assign automatically to identities. See the
+[Conforming Assignments](../../../integration-guide/role-assignment/conformingassignmentcomputation) topic for additional information.
+3. Automation of the creation of said assignment rules through [Perform Role Mining](../../../user-guide/optimize/assignment-automation/role-mining), based on existing data analysis.
+
+![Automation Concept](/images/identitymanager/automation_schema.webp)
+
+Assignment rules can sometimes give to users an entitlement that they had already received manually. Hence, new assignment rules can imply redundancies between the entitlements assigned manually and approved, and those calculated by a rule and assigned automatically.
+
+Netwrix Identity Manager (formerly Usercube) recommends [Remove Redundant Assignments](../../../user-guide/optimize/assignment-automation/remove-redundant-assignments) after any assignment rule is created or updated.
+
+The main goal of automation is to reach the optimal cost, playing on assignment efficiency, quality and quantity.
+
+### Assessment of manual assignment
+
+So far, Identity Manager's configuration has enabled users to use workflows to add and remove entitlements to/from identities. These assignments can be fulfilled manually or automatically, but the decision-making process that defines who gets what entitlement is still manual. Manual assignment poses the following risks:
+
+- Delay can happen: on the day a worker joins an organization, they rely on a manual action to get
+all the entitlements required for them to start working. Even with roles aiming to help managers to understand actual entitlements, delay happens. See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.Errors can happen: human mistakes are expected in role distribution, even though largely mitigated by the role review process and [Perform Access Certification](../../../user-guide/administrate/access-certification). See the [Reconcile a Role](../../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation) topic for additional information.
+- It is time-consuming.
+
+The entitlement management cost mainly varies according to the number of managed entitlements. Manual processing for entitlement requests implies a linear growth of the management cost according to the number of managed entitlements.
+
+![Optimal Cost Chart - Manual Assignments](/images/identitymanager/automation_optimalcost_manual.webp)
+
+### Automation benefits
+
+There is a high potential gain coming with the automation of assignment decisions:
+
+- Machine Learning masters the error rate, as it is used as a parameter for Role Mining, i.e.
+masters false positive assignments (entitlements assigned to a user while they ought not to) which constitute a security breach, and false negative assignments (entitlements not assigned to a user who needs it) which are functionnaly blocking;
+- Machine Learning achieves lower error rates than people;
+- Machine Learning can compute the role model way faster than a person. Consequently, the model can
+be computed more frequently and thus sticks closer to reality.
+
+![Optimal Cost Chart - Automation Benefits](/images/identitymanager/automation_optimalcost_automationbenefits.webp)
+
+Automation helps integrators find basic assignment rules and face the previous risks, thus reducing cost.
+
+### Automation precautions
+
+Assignments do not have to be automated all at once.
+
+On the one hand, before being automatically assigned, entitlements can be merely suggested by Identity Manager and assigned manually.
+
+On the other hand, a distinction can be made between assignments according to their sensitivity, for example using different error rates, or using simulation, or automating the assignment of basic entitlements while suggesting sensitive entitlements, etc.
+
+This way, security can be improved for example by making certification target only the sensitive entitlements that cannot be processed by Machine Learning. There is no need anymore to certify automatic assignments.
+
+Plus, you can also use attributes as additional precautions, such as a grace period during which, after the application of a rule revoking a resource/entitlement, managers can decide for each user individually whether they need to keep said entitlement.
+
+In a way, maturity with Machine Learning in IGA is much like a GPS: once we traveled using only paper maps, before the first navigation tools were commercialized. Then we learned how to use these tools, while keeping a map to be able to verify the GPS instructions. We found secure methods to navigate through all GPS evolutions, until we trusted GPS enough to guide us completely.
+
+### Automation limits
+
+However, automation implies an increasing number of rules. And a high number of rules implies a certain complexity in rule model understanding, and consequently hiring expensive expert contractors to write the right rules. It drives up costs considerably and draws you near the automation wall.
+
+![Optimal Cost Chart - Automation Limits](/images/identitymanager/automation_optimalcost_automationlimits.webp)
+
+The automation wall represents the automation threshold that cannot be overcome. It mostly comes from the fact that with limited data, automation capabilities are also limited. Everything cannot be automated.
+
+### Automation strategy
+
+The idea is to stop automation when the automatic cost curve increases faster than the manual cost curve. The optimal profitability is represented on the chart and can be achieved via the optimal mix of automatic and manual assignments.
+
+![Optimal Cost Chart](/images/identitymanager/automation_optimalcost.webp)
+
+Automation strategy consists in using Machine Learning through Role Mining to get closer to the automation wall. And, as Role Mining doesn't enable overcoming said wall, the goal is to move the wall further away by improving data quality and quantity.
+
+## Participants and Artifacts
+
+At this point, integrators should have all the elements they need to operate.
+
+ | Input | Output |
+ | --- | --- |
+ | Role Catalog (required) | Ideally automated role model |
+
+See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
+ +## Automate Entitlement Assignment + +The process of assignment automation is the following: + +1. [Perform Role Mining](../../../user-guide/optimize/assignment-automation/role-mining) to approach the automation wall. + +Role Mining covers more use cases than writing assignment rules manually. It diminishes the error rate and implies a lower execution cost. And thus, it brings the optimal cost closer to the automation wall. + + ![Optimal Cost Chart - Role Mining](/images/identitymanager/automation_optimalcost_rolemining.webp) + +**Enlarge the number of managed entitlements by tolerating errors:** + +Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving inappropriate entitlements, thus creating security issues. However, experience shows that a slight error tolerance in Role Mining can highly benefit automation. + +NETWRIX recommends trying Role Mining with **1%** tolerated false positives, and **99.5%** expected precision. Then adapt to your situation according to the reports. + +For example, suppose an organization working with many distinct departments. If you see that the automation rate skyrockets when the error rate reaches the number of workers in one department, then it probably means that Identity Manager misses data concerning one of the departments. Thus the error rate allows Identity Manager to "ignore" one of the departments in the organization, and optimize automation. + +2. [Generate Reports](../../../user-guide/administrate/reporting)and analyze them with tools like Power +BI to assess the automation wall and identify improvement areas. + + > For example in the following Power BI chart, automation is, on average, highly implemented + > except for `SharePoint Projects`. This fact reveals a low level of awareness among the workers + > about their respective projects. 
This is a typical area for improvement in data quality. +> + > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex.webp) + + > For example, if charts show a high number of identities in the category `No Position`, + > integrators understand that the data model must be completed for role mining to be efficient. +> + > ![Data Quantity Example](/images/identitymanager/automation_dataquality_ex2.webp) + + > For example, if charts show a high number of unused roles, integrators understand that the + > role model needs further improvement because roles are not adequate. +> + > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex3.webp) + + > For example, if charts show low automation rate per department, integrators will understand + > that many identities may have switched departments while keeping their previous entitlements. +> + > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex4.webp) + +3. Improve data quality and quantity to move the automation wall. + +Whether automatic or manual, assignment decisions are based on existing data analysis. Data quantity and quality therefore define the position of the wall. + +Improvement in existing data quantity and quality entails the possibility of managing a higher number of entitlements. + + ![Optimal Cost Chart - Improved Data](/images/identitymanager/automation_optimalcost_data.webp) + +A high quantity of data simplifies data analysis and inferences in assignment rules. + +A high quality of data also simplifies data analysis and enables better accuracy in assignment rules. + + > For example, contractors' data is often less familiar to HR departments. Efforts can be made + > in this direction to enhance automation. + +Moreover, focus must be directed on actual and correct entitlements, using Identity Manager's [Perform Access Certification](../../../user-guide/administrate/access-certification). 
+
+Data reliability prevents integrators from easy extrapolation mistakes.
+
+ > For example, consider the Netwrix Identity Manager (formerly Usercube) team in Marseilles
+ > mostly composed of R&D workers. If integrators miss information, they might inadvertently
+ > create a rule giving `R&D` group membership to all workers in Marseilles, while there are also
+ > workers from other departments.
+
+4. Repeat.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/remove-redundant-assignments.md b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/remove-redundant-assignments.md
new file mode 100644
index 0000000000..dc33d4dcf8
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/remove-redundant-assignments.md
@@ -0,0 +1,104 @@
+---
+title: "Remove Redundant Assignments"
+description: "Remove Redundant Assignments"
+sidebar_position: 30
+---
+
+# Remove Redundant Assignments
+
+How to remove redundant assignments, i.e. manual assignments of roles and resource types that are assigned by a rule too. See the [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) topic for additional information.
+
+## Overview
+
+Assignment rules can sometimes give to users an entitlement that they had already received manually. Hence, new assignment rules can imply redundancies between the entitlements assigned manually and **approved**, and those **calculated** by a rule and assigned automatically. See the [Automate Role Assignments](../../../user-guide/optimize/assignment-automation/automate-role-assignment) topic for additional information.
+
+Netwrix recommends **removing redundant assignments** after any assignment rule is created or updated.
+
+This guide is about switching the manual assignments, which are allowed by the role model, into **calculated** automatic entitlements **handled** by the role model. Once automatic, an entitlement is fully part of the role model and stops constituting an exception.
+
+### Assignment validity period
+
+All entitlements are assigned on a given validity period, i.e. from a given start date to a given end date:
+
+- When assigning an entitlement to a user manually, the start and end dates are specified explicitly
+unless the end date is locked. See the [Create a Role Manually](../../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information.
+- When assigning entitlements to users via assignment rules, the start and end dates are based on
+the owner's data, for example their contract or position start/end dates. These assignments are automatic.
+ +Netwrix recommends always preferring **calculated** assignments over manual ones, because **calculated** assignments follow the changes in their owners' data and are consequently more secure. + +For example, consider a user Helen who starts working as an architect with a given role. When assigning the role manually, when Helen changes her job, her manager will have to remove the role manually. When assigning the role via a rule, when Helen changes a job, the role will be removed automatically. + +### Process + +This process is an optimization of the role model. It is part of the "compute role model" process where all rules of the role model are applied. + +The **classic behavior** gives priority to **approved** manual entitlements over **calculated** automatic ones. A manual assignment stays as is, even if the entitlement is also assigned by a rule. + +For example, consider a user who has a given entitlement which was assigned to them manually on several distinct time periods. When creating a rule that assigns the same entitlement to them automatically on a given time period, then we have: + +![Schema - Compute Role Model](/images/identitymanager/redundantassignments_examplewithout.webp) + +The **redundant assignment analysis** gives priority to the rules inside the role model and the policy. When an entitlement is assigned via a rule, it is stated as **calculated**, even if it is also assigned manually. Thus, manual assignments whose start and end dates overlap with the validity period are to be truncated or deleted. + +For example, consider the same situation as before. Using the redundant assignments analysis, then we have: + +![Schema - **redundant assignment analysis**](/images/identitymanager/redundantassignments_examplewith.webp) + +Redundant assignments can be removed by Identity Manager only when the corresponding assigned items are tagged as redundant and displayed in the most recent report. 
The manual assigned items that are not tagged are still kept as discretionary entitlements and will not be removed. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the **application owner** who knows the application's users, entitlements and data model. + + | Input | Output | + | --- | --- | + | Role catalog (required) Role assignment rules (required) Role mining (optional) | Minimized derogation's | + +See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation), [Automate Role Assignments](../../../user-guide/optimize/assignment-automation/automate-role-assignment), and [Perform Role Mining](../../../user-guide/optimize/assignment-automation/role-mining) topics for additional information. + +## Remove Redundant Assignments + +Remove redundant assignments by proceeding as follows: + +![Home Page - Redundant Assignments](/images/identitymanager/home_redundantassignments_v602.webp) + +**Step 1 –** Click on **Redundant Assignments** on the home page in the **Administration** section. + +![Redundant Assignments - Buttons](/images/identitymanager/redundantassignments_buttons_v602.webp) + +**Step 2 –** Click on **Analyze** to tag the manual roles and resource types from all policies eligible for conversion to an automatic state. + +:::note + Previous tags are cleared at each instance of this tagging process. +::: +**Step 3 –** Click on **Download Excel** to download a dedicated XLSX report which contains one tab per entity type representing identities. + +![Redundant Assignments - Report Example](/images/identitymanager/redundantassignments_reportexample_v602.webp) + +The example states that in the entity type Directory_User, the user Nicholas Acosta had the single role Banking/Sales/Eunomia/Administrator starting from February 28th 2023 (dateA) until May 16th (dateD). A new single role rule assigns him this role from April 14th (dateB) until 25th 2023 (dateC). 
+
+It means that Nicholas Acosta will have the role in the ****calculated**** state from dateB to dateC, and he will keep the role in the ****approved**** state from dateA to dateB and from dateC to dateD.
+
+**Step 4 –** If the report's content is satisfying, then click on **Apply** to actually switch eligible manual roles to **calculated**.
+
+## Verify Redundant Assignment Removal
+
+In order to verify the process:
+
+![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+**Step 1 –** Access the user directory from the home page.
+
+![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+**Step 2 –** For one of the users mentioned in the report, access their permissions.
+
+**Step 3 –** Check that their roles (mentioned in the report) have actually switched from **approved** to **calculated**.
+
+![Redundant Assignments - Result](/images/identitymanager/redundantassignments_reportexampleverif_v602.webp)
+
+When **removing redundant assignments** based on the previous report example the setting will be as above.
+
+Once the steps above completed, the state changes to ****approved****.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/role-mining.md b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/role-mining.md
new file mode 100644
index 0000000000..2c0cf0be2f
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/assignment-automation/role-mining.md
@@ -0,0 +1,133 @@ +--- +title: "Perform Role Mining" +description: "Perform Role Mining" +sidebar_position: 20 +--- + +# Perform Role Mining + +How to use role mining to suggest role assignment rules based on existing assignments, in order to push the [Automate Assignments](../../../user-guide/optimize/assignment-automation) wall further. + +## Overview + +After the role catalog is established, the Compute Role Model Task task is able to assign single roles to users according to their attributes which are used as assignment criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a > navigation rule to assign each group to the users who have the corresponding single role. Then, the [Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) is able to assign single roles to users according to their existing group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce [Single Role Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) which will assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/images/identitymanager/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the [Single Role Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) that constitute the key criteria for existing role assignments. It detects the most probable links between identities dimensions and their roles in order to suggest the appropriate entitlement assignment rules. + +> For example, suppose that 80% of NETWRIX workers in Marseilles have access to an application "App". 
Then, role mining is most likely to recognize the working site as a relevant dimension, and suggest to create a rule that gives the "App" access to users whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the Role Catalog. See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information. + +### Technical Principles + +Role mining works through [Mining Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/miningrule) that Identity Manager applies with the [Get Role Mining Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. **automatic rules**, i.e. rules which assign roles automatically with or without a validation; +2. **suggested rules**, i.e. rules which don't assign roles directly, but suggest them during an entitlement request for a user. + + ![Suggested](/images/identitymanager/rolemining_suggested_v602.webp) + +You can generate both automatic and **suggested rules** for the same role, with different precision levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. Using the precision settings, we can create a mining rule to generate automatic assignment rules when the ratio is above 95% and a second mining rule to generate suggested assignment rules when the ratio is between 75% and 95%. 
+> +> ![Rule Types](/images/identitymanager/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/images/identitymanager/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in basic entitlements assignment which won't need to be certified anymore. Thus, automation lets certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for **automatic rules** as they are stricter precision-wise. Thus, **automatic rules** should always have priority over **suggested rules** (via the `Priority` setting). + +See more details about role mining. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + + | Input | Output | + | --- | --- | + | Role Catalog (required) | Single role rules | + +See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information. + +## Create a Mining Rule + +Create a mining rule by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Role Mining** button. + + ![Home page - Connectors](/images/identitymanager/home_rolemining_v60.webp) + +You will see all existing mining rules. + +2. Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) + + ![**new** Mining Rule](/images/identitymanager/rolemining_miningrule_v602.webp) + + - `Policy`: [Create a Policy](../../../user-guide/optimize/policy-creation) in which the mining rule exists. + - `Entity Type`: +[Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation) on which the mining rule is applied, i.e. 
the entity type targeted by role mining's entitlement analysis. + - `Category`: +[Create a Category](../../../user-guide/set-up/single-roles-catalog-creation/category-creation) containing the roles targeted by role mining's analysis. + - `Include roles with specific validations`: includes in role mining's analysis the roles requiring zero and/or one and/or two and/or three validations. + - `Exclude Role from Mining`: ignores the specified roles during the mining process triggered by the next mining rules (in terms of priority). + - `Rule Policy`: [Create a Policy](../../../user-guide/optimize/policy-creation) in which the single role rules will be generated. + +:::info + Netwrix Identity Manager (formerly Usercube) recommends using a policy dedicated to role mining in order not to remove existing assignment rules. +::: + - `Rule Type`: type of the generated single role rules, which defines the type of role +assignment that can be: `Suggested` so that the resource type is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested; or `Automatic` so that the resource type is automatically assigned to users matching the criteria; or `Automatic but with validation` so that the resource type is listed in the permission basket of **new** workers, these assignments can still be modified. + - `Priority`: priority order of the mining rule. Identity Manager applies mining rules one after +the other in descending order. + - `Minimum Precision`: minimum authorized percentage of correct role assignments, considering +both the roles that are assigned to users who should have them, and the roles that are not assigned to users who should not have them. :::info + NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. 
+:::
+ - `Maximum Allowed False Positives`: maximum authorized percentage of false positive
+assignments, i.e. roles that are assigned to users who should not have them.
+
+:::info
+ NETWRIX recommends around 1%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. ::: **Enlarge the number of managed entitlements by tolerating errors:**
+
+Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving inappropriate entitlements, and thus creating security issues. However, experience shows that a slight **error tolerance in role mining can highly benefit automation**.
+1. Click on **Create** and see a line added on the rules page.
+2. Click on **Simulate** to perfom role mining in a simulation. See the[Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information.
+
+ ![Role Mining Jobs](/images/identitymanager/rolemining_launchjob_v602.webp)
+
+:::info
+ If you need to bypass the simulation process, clicking on **Launch** will perform role mining and apply its results directly. NETWRIX recommends always performing role mining in simulation.
+:::
+## Impact of Modifications
+
+Assignment rules can sometimes give to users an entitlement that they had already received manually. Hence, **new** assignment rules can imply redundancies between the entitlements assigned manually and approved, and those calculated by a rule and assigned automatically.
+
+Netwrix Identity Manager (formerly Usercube) recommends [Removing Redundant Assignments](../../../user-guide/optimize/assignment-automation/remove-redundant-assignments) after any assignment rule is created or updated.
+
+## Verify Role Mining
+
+In order to verify the process, access the rule list from the home page.
+
+![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
+
+Select **Single Roles** and check that the single role rules are created with the right parameters.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/composite-role-creation.md b/docs/identitymanager/6.3/user-guide/optimize/composite-role-creation.md
new file mode 100644
index 0000000000..a3af676618
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/composite-role-creation.md
@@ -0,0 +1,99 @@ +--- +title: "Create a Composite Role" +description: "Create a Composite Role" +sidebar_position: 70 +--- + +# Create a Composite Role + +How to define composite **roles** in order to create sets of single **roles** easy to assign. See the [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole) and [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation)topics for additional information. + +## Overview + +A composite role is a set of single **roles** that are usually assigned together, because they revolve around the same application, or the same job, etc. Composite **roles** are aggregates of single **roles**, they can help organize the role catalog. See the [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole) topic for additional information. + +![Schema](/images/identitymanager/compositeroles_applicativeroles.webp) + +A composite role is a business role comprehensible by managers. It provides an additional layer of abstraction above existing entitlements and single **roles**. We can say that if a single role allows a user to perform a task, a composite role allows them to perform a job. + +### Composite **roles** and Role Mining + +Composite **roles** can also be created based on the **rules** provided by Role Mining. **rules** link **roles** to dimensions. See the [Perform Role Mining](../../user-guide/optimize/assignment-automation/role-mining) topic for additional information. + +The following example shows single **roles** from A to F. Role Mining suggested the **rules** on the schema, linking these single **roles** to the organizations R&D and Project as well as to the functions developer, writer, contractor and project manager. The idea is to use these **rules** to create composite **roles**. Here, we clearly have one role for R&D-developer, one for R&D-writer, Project-contractor and Project-project manager. 
Thus, it is clear here that composite **roles** add an abstraction layer. + +![Example](/images/identitymanager/compositeroles_schema.webp) + +Single role **rules** link composite **roles** to single **roles**: a single role rule states that specific single **roles** are assigned according to specific criteria, particularly composite **roles**. See the [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) and [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation)topics for additional information. Thus, a composite role assignment can imply specific single role assignments. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the **application owners** who know the application's users, entitlements and data model. + + | Input | Output | + | --- | --- | + | Role catalog (required) | Composite **roles** | + +See the [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) topic for additional information. + +## Create a Composite Role + +Create a composite role by proceeding as follows: + +**Step 1 :** On the home page in the **Configuration** section, click on **Access **roles**** to access the **roles** page. + +![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp) + +**Step 2 :** On the **roles** page, click on the adequate category and create a role by clicking on **+ New** at the top right corner. + +**Step 3 :** Fill in the fields. + +![singlerolescatalog_createcompositerole_v62](/images/identitymanager/singlerolescatalog_createcompositerole_v62.webp) + +- **Identifier**: must be unique among **roles** and without any whitespace. +- **Name**: will be displayed in the UI to identify the single role. +- **Policy**: policy in which the role exists. +- **Entity Type**: entity type targeted by the role. +- **Category**: category assigned to the role. 
+- **Secondary Categories**: other potential categories assigned to the role.
+- **Approval Workflow**: represents the number of validations required to assign the role.
+- Lock the end date: locks manual permission at the end date. Has four options:
+
+ - Inherited: the policy's setting will be used.
+ - Explicit: at the time of assignment, the end date can be specified manually or can be locked
+to the applicable context rule.
+ - **Never**: the end date will never be locked and needs to be specified manually.
+ - **Always**: the end date is always locked according to the applicable context rule.
+
+- **Approve Role Implicitly**: needs at least a simple approval workflow. **Implicit** mode bypasses
+the approval step(s) if the person who issues the role request is also the role officer. **Explicit** refuses said bypass. **Inherited** follows the policy decision to approve **roles** implicitly or not.
+- **Hide in Simplified View**: hides the role from the users' **Simplified View** in **View
+Permissions** dialog. This setting does not apply to **roles** which are either inferred or have workflow states which require manual action.
+- **Comment Management on Permission Review**: to change if different from the role policy.
+- **Maximum Duration**: duration (in minutes) after which the role will be automatically revoked, if
+no earlier end date is specified. It impacts only the **roles** which are manually assigned after the maximum duration is set. Pre-assigned **roles** are not impacted. If no duration is set on the role, the **MaxDuration** of the associated policy is applied. If the **MaxDuration** is set to 0 on the role, it prevents the associated policy from applying its **MaxDuration** to it.
+
+**Step 4 :** Click on **Create** and see a line added on the **roles** page.
+
+**Step 5 :** Create at least one single role rule with the composite role as a criterion.
+
+## Impact of Modifications
+
+When deleting a composite role, caution must be used when deleting the corresponding single role **rules**. Indeed, these **rules** thus lose their criteria and may be applied to far too many people after that.
+
+Simulations are available in order to anticipate the changes induced by a creation/modification/deletion in **roles** and single role **rules**. See the [Perform a Simulation](../../user-guide/optimize/simulation)topic for additional information.
+
+## Verify Composite Role Creation
+
+In order to verify the process, check that the role and rule are created with the right parameters.
+
+For **roles**, click on **Access **roles**** on the home page in the **Configuration** section.
+
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
+
+Select composite **roles** and find the role you created inside the right category and with the right parameters.
+
+![Access Composite **roles**](/images/identitymanager/compositeroles_testroles_v602.webp)
+
+For **rules**, follow the instructions about assignment **rules**. See the [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment)
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/hr-connector-creation.md b/docs/identitymanager/6.3/user-guide/optimize/hr-connector-creation.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/docs/identitymanager/6.3/user-guide/optimize/identity-datamodel-modification.md b/docs/identitymanager/6.3/user-guide/optimize/identity-datamodel-modification.md
new file mode 100644
index 0000000000..a2e822cd05
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/identity-datamodel-modification.md
@@ -0,0 +1,106 @@
+---
+title: "Modify the Identity Data Model"
+description: "Modify the Identity Data Model"
+sidebar_position: 10
+---
+
+# Modify the Identity Data Model
+
+How to make data model properties evolve according to the organization's needs.
+
+## Overview
+
+The identity data model must contain all the information needed to manage identities and their permissions, and only the information strictly required for this purpose.
+
+You already considered the data needed for identity management during:
+
+- The initial identities loading and the creation of the identity repository; See the
+[Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) topic for additional information.
+- [Model the Data](../../user-guide/set-up/connect-system/connector-modeling)through connector
+modeling which is the analysis phase before connector creation;
+- [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation) which is the
+technical implementation of the connector model.
+
+The data model established during these steps might change to evolve alongside the needs of the connected systems, the management strategy, and any change in the organization such as a change of structure, a new division, etc.
+
+This part is about integrating these changes in the existing data model.
+
+### **dimensions**
+
+Identity Manager calls **dimensions** the attributes that assignment rules rely on. They are essential criteria that differentiate users in order to give them the appropriate roles. See the [Conforming Assignments](../../integration-guide/role-assignment/conformingassignmentcomputation) topic for additional information.
+
+### Personal data security
+
+Only professional data should be used in the identity data model, not personal data.
+
+## Participants and Artifacts
+
+Integrators are able to perform an identity update if they master the new data model.
+ + | Input | Output | + | --- | --- | + | Initial identities loading (required) New identity data model (required) | Updated identity data model | + +See the [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) topic for additional information. + +## Add or Modify Properties + +The data model can be updated in the UI via a feature scanning the data model. This scan performs an analysis on the data previously imported through the Excel file. It detects properties which are always empty and suggests to remove them from the data model, for clarity purposes. + +> For example, some systems don't store phone numbers. Then, scanning the data model will allow +> Identity Manager to suggest removing the property about phone numbers. Note that Identity Manager +> only provides suggestions but makes no decision. You could choose to keep the phone number +> property anyway in order to fill it later. + +**NETWRIX recommends updating the data model through the scan feature**, as this feature is driven by Identity Manager's suggestions. + +However, the identity data model can also be updated through the directory's entity types, following the previously given [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation). + +### Through a data model scan + +Add or modify properties within the identity data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp) + +2. Access the data model on the **Workforce** > **Data Model** page. +3. Change the display option to show or hide properties in the identity repository. + + ![Scan Data Model - Display Option](/images/identitymanager/datamodelmodif_scan_v600.webp) + +4. After your changes are complete, click on the Save icon at the top. + + ![Save Icon](/images/identitymanager/iconsave_v602.svg) + +5. 
Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/images/identitymanager/reload_v603.webp) + +## Delete Properties + +Integrators should keep in mind that the fields that they want to delete might be used in connectors or other places they didn't think about. Existing assignments might be impacted. + +Identity Manager suggests the removal only of empty fields. In this case, there is nothing to worry about. + +## Verify Data Model Modification + +In order to verify the process: + +- **Check manually a sample** in the user directory accessible from the home page. You should verify at +least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) + +- Check that **every organization still has a manager**. Organizations are accessible in the department +directory accessible from the home page. + + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) + + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) + +If the system contains numerous organizations, it is also possible to list them with their managers through the Query module. See the[Generate Reports](../../user-guide/administrate/reporting) topic for additional information. + +- [Generate Reports](../../user-guide/administrate/reporting) with indicators, for example, on the +number of workers per type or per organization (through Identity Manager's predefined reports, the Query module or Power BI), to ensure that Identity Manager's content sticks to reality. + diff --git a/docs/identitymanager/6.3/user-guide/optimize/index.md b/docs/identitymanager/6.3/user-guide/optimize/index.md new file mode 100644 index 0000000000..610c2bb7a2 --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/optimize/index.md 
@@ -0,0 +1,56 @@
+---
+title: "Optimize"
+description: "Optimize"
+sidebar_position: 40
+---
+
+# Optimize
+
+- [Modify the Identity Data Model](../../user-guide/optimize/identity-datamodel-modification)
+
+How to make data model properties evolve according to the organization's needs.
+
+- [Create an HR Connector](../../user-guide/optimize/hr-connector-creation)
+
+How to create a connector dedicated to the automation of identity management (creation, update, deletion), via the synchronization of HR data into Identity Manager and internal provisioning.
+
+- [Manage Risks](../../user-guide/optimize/risk-management)
+
+How to use the risk management module to identify entitlement assignments that pose a security risk, especially about segregation of duties and high privileges.
+
+- [Create a Policy](../../user-guide/optimize/policy-creation)
+
+How to define policies to organize roles and rules.
+
+- [Automate the Review of Non-conforming Assignments](../../user-guide/optimize/non-conforming-assignment-review-automation)
+
+How to automate the review of non-conforming assignments through automation rules.
+
+- [Automate Assignments](../../user-guide/optimize/assignment-automation)
+
+How to automate entitlement assignment.
+
+- [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment)
+
+How to manually build rules to automate the assignment of roles to identities.
+
+- [Perform Role Mining](../../user-guide/optimize/assignment-automation/role-mining)
+
+How to use role mining to suggest role assignment rules based on existing assignments, in order to push the automation wall further.
+
+- [Remove Redundant Assignments](../../user-guide/optimize/assignment-automation/remove-redundant-assignments)
+
+How to remove redundant assignments, i.e. manual assignments of roles and resource types that are assigned by a rule too.
+
+- [Create a Composite Role](../../user-guide/optimize/composite-role-creation)
+
+How to define composite roles in order to create sets of single roles easy to assign.
+
+- [Configure a Parametrized Role](../../user-guide/optimize/parameterized-role)
+
+How to reduce the number of roles in the model by configuring roles with parameters.
+
+- [Perform a Simulation](../../user-guide/optimize/simulation)
+
+How to assess the impact of a modification on the role model, including the role catalog, role assignment rules and resource correlation rules, using a dedicated policy.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/non-conforming-assignment-review-automation.md b/docs/identitymanager/6.3/user-guide/optimize/non-conforming-assignment-review-automation.md
new file mode 100644
index 0000000000..7f6ee53db2
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/non-conforming-assignment-review-automation.md
@@ -0,0 +1,91 @@
+---
+title: "Automate the Review of Non-conforming Assignments"
+description: "Automate the Review of Non-conforming Assignments"
+sidebar_position: 50
+---
+
+# Automate the Review of Non-conforming Assignments
+
+How to automate the review of non-conforming assignments through **automation rules**. See the [Review Non-conforming Assignments](../../user-guide/administrate/non-conforming-assignment-review) and [Automation Rule](../../integration-guide/toolkit/xml-configuration/provisioning/automationrule) topics for additional information.
+
+## Overview
+
+Non-conforming assignments can't be reviewed entirely automatically because this type of review sometimes needs the intervention of a knowledgeable user. However, **automation rules** can help by making automatic decisions (in place of the reviewer) on assignments that need to be reviewed after a given waiting period.
+
+This type of rule is useful for example, when integrators intend to:
+
+- Decline all non-conforming assignments after X days to avoid accumulation. The waiting time can be
+null if they need to delete non-conforming assignments as soon as they are detected;
+- Automatically approve or decline discretionary requests if there is no validation after X days;
+- Send notifications to validators before declining or approving pending approval assignments;
+- Get information in order to deactivate an AD account if it hasn't been used in the past X days,
+before deleting it.
+
+Integrators must show caution with pending approval assignments because this type of rule could short-circuit the whole approval process.
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with managers who know the organization and their team's entitlements.
+ + | Input | Output | + | --- | --- | + | Mastered non-conforming assignment review (required) Categorized accounts (optional) | Automated assignment review | + +See the [Review Non-conforming Assignments](../../user-guide/administrate/non-conforming-assignment-review) and [Categorize Resources](../../user-guide/set-up/categorization) topics for additional information. + +## Create an Automation Rule + +Create an automation rule by proceeding as follows: + +![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Rules**. + +![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the entity type to which the future rule will be applied. + +![Addition Icon](/images/identitymanager/iconadd_v602.webp) + +**Step 3 –** Click on the **Automations** tab and on the addition button at the top right corner. + +![New Automation Rule](/images/identitymanager/reviewautomation_newrulefields_v602.webp) + +**Step 4 –** Fill in the fields. + +- Decision — Action to be taken on the described assignments. +- Criteria — Conditions that, if met, trigger the rule. +Currently, the criteria are used to match the context of an assignment and not the user data. For example, if a single role is assigned based on a specific Department, then the context of the assignment has the information about the Department. In that case, an automation rule having in its dimensions that given Department will match this assignment and could Deny/Accept it. +- However, if a single role is assigned without any context on the Department (for example, a manual +assignment with no parameter on the role), the automation rule will never match this assignment. +- **NOTE:** No context will never be present for non-conforming or pre-existing roles +- Type — Assignment type concerned by the new rule. 
Once filled, a new field is displayed to select +precisely an object from the existing objects belonging to this type. +- Workflow State — Workflow state of the assignments that need a decision. +- Waiting Period — Time period since the last change in the assignments' workflow states. + +:::tip + Remember, in a nutshell, this rule applies Decision to all assignments of Type (and matching all criteria), whose workflow state has been set to Workflow State for more than Waiting Period. +::: +## Impact of Modifications + +A modification in an automation rule doesn't impact the assignments affected by the previous version of the rule. + +## Verify Review Automation + +In order to verify the process: + +**Step 1 –** On the **Role Review** or **Role Reconciliation** screen, spot an entitlement assignment. + +**Step 2 –** Create an automation rule matching said assignment. + +![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) + +**Step 3 –** Compute the role model through the complete job on the **Job Execution** page. + +**Step 4 –** Check on the **Role Review** page that the assignment's workflow state changed according to the rule's settings. + +![New Automation Rule](/images/identitymanager/reviewautomation_rulemessage_v522.webp) + +Any role affected by an automation rule shows a specific message on the **Role Review** page. + diff --git a/docs/identitymanager/6.3/user-guide/optimize/parameterized-role.md b/docs/identitymanager/6.3/user-guide/optimize/parameterized-role.md new file mode 100644 index 0000000000..b0d93bb2ca --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/optimize/parameterized-role.md 
@@ -0,0 +1,94 @@ +--- +title: "Configure a Parametrized Role" +description: "Configure a Parametrized Role" +sidebar_position: 80 +--- + +# Configure a Parametrized Role + +How to reduce the number of roles in the model by configuring **roles with parameters**. + +## Overview + +The assignment of a role to a user gives them an entitlement, usually a group membership, thanks to a navigation rule. See the [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) topic for additional information. + +![Simple Role](/images/identitymanager/parameterizedroles_simplerole.webp) + +To enable the assignment of all existing entitlements, the role model usually contains numerous roles. + +For example, the SAP role can be given with slight differences according to the users' subsidiaries: + +**> ![Role Matrix](/images/identitymanager/parameterizedroles_numerousroles.webp)** + +In order to reduce the number of roles, we can configure **roles with parameters** by inserting a criterion in the navigation rules. Thus, instead of having as many roles as entitlements (left on the schema), we can have way fewer roles (right on the schema). + +![With/Without Parameters](/images/identitymanager/parameterizedroles_parameters.webp) + +In the previous example, with a parameter on the subsidiary, the number of roles would be divided by three. + +By extension, a composite role that assigns a parametrized single role is parametrized too. + +This way, when assigning a parametrized role, a pop-up window is displayed where the parameter must be specified. + +The same thing goes with type rules instead of navigation rules when we want to assign resource types instead of entitlements. + +## Configure a Parametrized Role + +Configure a parametrized role by proceeding as follows: + +**Step 1 –** Create in XML a dimension corresponding to the parameter that will affect the role. 
See the [Dimension](../../integration-guide/toolkit/xml-configuration/metadata/dimension) topic for additional information. + +For example, let's consider that we have many roles available on three different time slots: 8 hours a day, 12 hours a day, or 24 hours a day. We create a dimension for these time slots. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` + +``` + +![Example - Role](/images/identitymanager/parameterizedrole_examplerole_v603.webp) + +**Step 2 –** Create a single role. See the [Create a Role Manually](../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information. + +**Step 3 –** Create one navigation rule linked to the role for each available value of the parameter. See the [Create a Role Manually](../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information. + +Here we have three navigation rules, one for each distinct time slot (dimension A). For example: + +![Example - Rule](/images/identitymanager/parameterizedrole_examplerule_v603.webp) + +:::note + Make sure that the corresponding dimension is specified in the right `DisplayEntityType` in XML to be displayed in the UI. +::: +:::note + It is important to note that for manually assigned roles, if a new dimension is added to the definition of the role, the assignment's dimension will not be re-calculated, and will therefore not be propagated to calculate automatic assignments. Example Scenario — Role A was created as a composite role with no parameters a long time ago. Role A was later updated to depend on the optional parameter X and a single role rule was created to assign a single role B if a user had Role A and parameter X set to value Y. 
If a user already manually had the role A, even if its dimension X (for example its department, which could be calculated) was equal to value Y, got its permissions recalculated, that person would not get the role B. Since the modification occurred after the assignment, it is understood as if the role was assigned voluntarily with dimension X unset. However, if a user got role A assigned after the modification, and its dimension X was equal to value Y, then that user would get the role B. +::: +![Example - Role Parameter Required](/images/identitymanager/parameterizedrole_exampleroleparameter_v603.webp) + +**Step 4 –** Go back to the roles page to edit the single role from step 2, if needing to set the parameter required. + +If you want Identity Manager to provide suggestions to set the parameter's value, then make sure that users' [context rule](../../integration-guide/toolkit/xml-configuration/provisioning/contextrule) specifies the dimension. + +For example, with the `Title` dimension: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. + +``` +B1="Directory_UserRecord:Title" B2="Directory_UserRecord:Site" B3="Directory_UserRecord:Site.Region.Country" B4="Directory_UserRecord:UserType.Category" ... Policy="Default" SourceEntityType="Directory_User" /> +``` + +## Verify the Parametrized Role + +In order to verify the process, request manually the parametrized role for a test user. Some additional pop-ups are displayed to set a value for the role's parameter. See the [Request Entitlement Assignment](../../user-guide/administrate/manual-assignment-request) topic for additional information. 
+
+In our example:
+
+![Example - Step 1](/images/identitymanager/parameterizedroles_parameterexamplestep1_v603.webp)
+
+![Example - Step 2](/images/identitymanager/parameterizedroles_parameterexamplestep2_v603.webp)
+
+If the dimension is specified in the users' context rule, then Identity Manager will provide suggestions.
+
+![Example - Suggestion](/images/identitymanager/parameterizedrole_examplerolesuggestion_v603.webp)
+
+For example, concerning the `Title` dimension mentioned above.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/policy-creation.md b/docs/identitymanager/6.3/user-guide/optimize/policy-creation.md
new file mode 100644
index 0000000000..c8cb3fad8f
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/policy-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Create a Policy"
+description: "Create a Policy"
+sidebar_position: 40
+---
+
+# Create a Policy
+
+How to define policies to organize roles and rules. See the [Policy](../../integration-guide/toolkit/xml-configuration/provisioning/policy) topic for additional information.
+
+## Overview
+
+A policy is a subgroup of the role model. It defines an ensemble of roles and assignment rules that apply to specific identities. So policies are used to handle separately several sets of identities, based on dimensions with different permissions and workflows. See the [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) and [Conforming Assignments](../../integration-guide/role-assignment/conformingassignmentcomputation)topics for additional information.
+
+Integrators must minimize the number of policies because it segments identities, and segmentation implies high maintenance. Netwrix recommends using **one policy per population**. A population is a group of people that can be managed following the same rules, role model, workflows, etc. This means, for example, one policy for workers (meaning employees and contractors), another one for partners, another one for clients. But sometimes partners are included in the same policy as workers, it depends on the organization.
+
+:::note
+ Netwrix Identity Manager (formerly Usercube) provides a default policy. Only when the project is mature enough should integrators think about creating additional policies.
+:::
+## Participants and Artifacts
+
+Integrators must have the knowledge of the organization strategy towards identity management.
+
+ | Input | Output |
+ | --- | --- |
+ | Resource type (optional) | Policy |
+
+See the [Create a Resource Type](../../user-guide/set-up/categorization/resource-type-creation) topic for additional information.
+
+## Create a Policy
+
+Create a policy by proceeding as follows:
+
+![Home - Access Policies](/images/identitymanager/home_accesspolicies_v602.webp)
+
+**Step 1 –** Access the policies screen by clicking on **Access Policies** on the home page in the **Configuration** section.
+
+![New Policy](/images/identitymanager/policycreation_policies_v602.webp)
+
+**Step 2 –** Click on **+ New policy** at the top right corner.
+
+![createpolicy](/images/identitymanager/createpolicy.webp)
+
+**Step 3 –** Fill in the information fields.
+
+The UI elements are identified as follows:
+
+- Identifier — Must be unique among policies and without any whitespace
+- Name — Will be displayed in the UI to identify the resource type
+- Provisioning — Allows provisioning for the policy
+- Simulation — Allows simulation creation for the policy
+- Approve Roles Implicitly — Can be enabled to bypass approval steps if the person who issues a
+given role request is also the role officer
+- Roles can be prolonged without a new approval workflow — Enables the policy's roles and resource
+types to have their assignment's end dates postponed without any validation
+- Is Managed by External Source — Can be enabled **only during policy creation** to indicate that its
+permissions are managed by another IGA tool and are to be ignored by Identity Manager's role model computation
+- Maximum Duration — Duration (in minutes) after which the policy's roles and resource types will be
+automatically revoked, if no earlier end date is specified. It impacts only the roles and resource types which are manually assigned after the maximum duration is set. Pre-assigned items are not impacted.
+- Grace Period — Duration (in minutes) for which a lost automatic role or resource type is
+prolonged. A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined.
+- Lock the end date — locks manual permission's at the end date
+
+ - Explicit, by default not context bound — By default, the assignment's end date will not be
+context bound in order to encourage the manual entry of an end date
+ - Explicit, by default context bound — By default, the assignment's end date will be context
+bound and therefore locked, but a manual date can be entered
+ - Never — The assignment's end date will never be locked and needs to be specified manually
+ - Always — The assignment's end date is always locked according to the applicable context rule
+ - Dimensions — Criteria that, if met, trigger the membership of given identities to the policy
+
+:::note
+ What we call another IGA tool can be another application or even another version of Identity Manager.
+:::
+**Step 4 –** Click on **Create**.
+
+Once you have completed the steps the policy is created.
+
+## Verify Policy Creation
+
+In order to verify the process, check that the policy has been added with the right options to the list on the **Access Policies** page.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/risk-management.md b/docs/identitymanager/6.3/user-guide/optimize/risk-management.md
new file mode 100644
index 0000000000..f0eea763dc
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/risk-management.md
@@ -0,0 +1,146 @@ +--- +title: "Manage Risks" +description: "Manage Risks" +sidebar_position: 30 +--- + +# Manage Risks + +How to use the [**Risk management**](../../integration-guide/governance/risks) module to identify entitlement assignments that pose a security risk, especially about segregation of duties and high privileges. + +## Overview + +A [Risk](../../integration-guide/toolkit/xml-configuration/provisioning/risk) describes a sensitive situation in which entitlement assignments need to be monitored for security purposes. Examples include: + +- Segregation of duties: a situation where at least two entitlements pose a risk when assigned to +the same identity. +- High privilege: a particularly sensitive entitlement. + +[**Risk management**](../../integration-guide/governance/risks) is essential to auditing. Among other things, it allows auditors to: + +- Identify the identities representing the highest security risk. +- Compute the corresponding risk score. +- Schedule and [Perform Access Certification](../../user-guide/administrate/access-certification) +accordingly. + +Using risks involves three steps: + +1. Create a risk: declare the nature of the risk. +2. Create risk rules: create the rules that assign risks to identities, depending on identities' +entitlement assignments. +3. Monitor risks: via the **Identified Risks** screen or certification campaigns. + +## Participants and Artifacts + +Integrators may need the help of the application owner, security manager and role model officers to assess risks inherent to entitlements. + + | Input | Output | + | --- | --- | + | Identity repository (required) Role catalog (required) | Risks catalog | + +See the [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) and [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) topics for additional information. + +## Create a Risk + +Create a risk by proceeding as follows: + +1. 
On the home page in the **Configuration** section, click on **Risks**. + + ![Home Page - Risks](/images/identitymanager/home_risks_v602.webp) + +2. On the risks page, click on the addition button at the top right corner. + + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) + +3. Fill in the fields. + + ![New Risk](/images/identitymanager/riskmanagement_newrisk_v602.webp) + + - `Identifier`: must be unique among risks and without any whitespace. + - `Name`: will be displayed in the UI to identify the risk. + - `Policy`: [Create a Policy](../../user-guide/optimize/policy-creation) in which the risk exists. + - `Entity Type`: +[Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation) targeted by the risk. + - `Description`: explanation of the risk that will be displayed with the exemption policy +message. + - `Remediation`: potential alternative solutions that will be displayed with the exemption +policy message. + - `Exemption Policy` See the +[**Risk management**](../../integration-guide/governance/risks) topic for additional information. + - `Type` + - `Level`: risk level that is used to compute risk scores. + - `Rules`: a risk is based on the union of rules, themselves based on the intersection of rule +items. A rule item specifies the risk-triggering resource(s). A high-privilege risk must contain at least one rule with one rule item. A segregation-of-duties risk must contain at least two rule items in the same rule. + +When risks are based on the exemption policy called **Approval required**, the corresponding role requests appear on the **Role Review** screen with a specific workflow state. See below this note. See the [Reconcile a Role](../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation) topic for additional information. 
+ + ![Risk Icon](/images/identitymanager/riskmanagement_workflowstate_v523.webp) + +### Write risk rules + +A risk rule is simply the condition that triggers the assignment of a risk to an identity, depending on the identity's entitlements. + +Within Identity Manager, an entitlement assigned to an identity is represented by the value of a given navigation property, in a resource owned by said identity. See the [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation) topic for additional information. + + > For example, imagine that we want to grant unlimited Internet access to the administrator + > profile of an identity. This entitlement won't be assigned directly to the identity but to + > their AD administration account. In our Active Directory, there is a resource called + > `DL-INTERNET-Restricted` identified from among AD entries as a group. Therefore, we need to + > add this group membership to the properties of the identity's AD account, using + > `DL-INTERNET-Restricted` as a value of the `memberOf` property. + +4. Choose the resource type to be targetted by the risk. See the +[Categorize Resources](../../user-guide/set-up/categorization) topic for additional information. + + > We choose `AD User (administration)` to prevent this situation from happening in our example. + +5. Choose the navigation property that corresponds to the situation. + + > `memberOf` in our example. + +6. Choose a value for this navigation property. The value would be a resource from the unified +resource repository. See the [Identity Management](../../introduction-guide/overview/identity-management) topic for additional information. + + > The group `DL-INTERNET-Restricted` in our example. + + ![Risk Item Example](/images/identitymanager/riskmanagement_newriskitem_v602.webp) + +This final value is an entitlement, linked to the owner identity through the navigation property and the ownership relationship. 
+ +This final value is an entitlement, linked to the owner identity through the navigation property and the ownership relationship. + + > In our example, a risk is identified for a person as soon as their administration AD account + > is part of the `DL-INTERNET-Restricted` group. + +7. Click on **Create**. + +Risks are taken into account from the moment the `Compute Resource Risk Scores` task runs (or the complete job which contains said task). + +The `Compute Resource Risk Scores` task doesn't need to be launched right away, but new risks can't be identified before it runs at least once. + +## Monitor Identified Risks + +After creating at least one risk and computing risk scores, identified risks are listed on the **Identified Risks** screen, accessible from the home page in the **Administration** section. + +![Home Page - Identified Risks](/images/identitymanager/home_identifiedrisks_v602.webp) + +![Identified Risks](/images/identitymanager/riskmanagement_identifiedrisks_v522.webp) + +For a given identity in the list, user information can be viewed and accessed by clicking respectively on the eye and arrow buttons on the right-hand side. + +## Impact of **Modifications** + +**Modifications** in a risk are taken into account only after running the `Compute Risk Scores` task. Therefore, risk scores are computed according to the new parameters. + +**After a modification:** while risk scores are computed for all identities and assignments (pre-existing and newly created), a modified exemption policy is applied only to future entitlement assignments. For example, changing the exemption policy of a risk from warning to blocking won't remove entitlements from the identities who already have them. But future assignments are going to be blocked. + +The **deletion** of a risk simply triggers the computation of risk scores during the next `Compute Risk Scores` task, and removes any exemption policy steps in an assignment request. 
See the [**Risk management**](../../integration-guide/governance/risks) topic for additional information.
+
+## Verify **Risk management**
+
+In order to verify the process, assign to a fake identity a permission that is supposed to trigger the created risk, and check the consequences:
+
+- The message displayed at the end of the entitlement request must correspond to the configuration
+of the exemption policy. See the [**Risk management**](../../integration-guide/governance/risks) topic for additional information.
+- Once the entitlement is assigned, a line must appear on the **Identified Risks** page.
+
diff --git a/docs/identitymanager/6.3/user-guide/optimize/simulation.md b/docs/identitymanager/6.3/user-guide/optimize/simulation.md
new file mode 100644
index 0000000000..328934a469
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/optimize/simulation.md
@@ -0,0 +1,124 @@ +--- +title: "Perform a Simulation" +description: "Perform a Simulation" +sidebar_position: 90 +--- + +# Perform a Simulation + +How to assess the impact of a modification on the role model, including the role catalog, role assignment **rules** and resource correlation **rules**, using a dedicated [Create a Policy](../../user-guide/optimize/policy-creation). See the [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation), [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment)[Correlate Resources](../../user-guide/set-up/categorization/correlation), and [Create a Policy](../../user-guide/optimize/policy-creation) topics for additional information. + +## Overview + +Identity Manager's simulations gather **roles** and **rules** which are to be created, modified or deleted, without being inserted in the actual role model straight away. More specifically, a simulation can involve: + +- Correlation **rules** and classification Rule; +- Scalar **rules** and navigation **rules**; +- Resource Type **rules**; +- [Single Role](../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) +and [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole); +- [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) +and [Composite Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/compositerolerule). + +See the [Correlate Resources](../../user-guide/set-up/categorization/correlation) [Resource Classification Rule](../../integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule), and [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topics for additional information. 
+ +A simulation can also be created by the [Perform Role Mining](../../user-guide/optimize/assignment-automation/role-mining) for the automation of role assignments. + +Through simulation, integrators can: + +1. create, modify or delete **roles** and **rules** in a given policy; + +Only one simulation can be active per policy. + +2. observe via simulation reports the impact on the whole system, i.e. both assignments and +provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +NETWRIX recommends using simulation whenever performing an action (creation/modification/deletion) on the role model. + +## Participants and Artifacts + +Integrators are able to perform simulation if they master the new role model. + + | Input | Output | + | --- | --- | + | Role catalog (optional) Automate Role Assignments (optional) Categorize Resources (optional) | Updated role model | + +See the [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation), [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment), and [Categorize Resources](../../user-guide/set-up/categorization) topics for additional information. + +## Launch a Simulation + +Launch a simulation by proceeding as follows: + +1. Access the simulation list by clicking on **Simulations** on the home page, in the +**Configuration** section. + + ![Home - Simulations](/images/identitymanager/home_simulations_v600.webp) + + ![Simulation List](/images/identitymanager/simulation_list_v602.webp) + +2. Create a new simulation by clicking on the addition button at the top right corner. + + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) + +3. Fill in the fields. + + ![Simulation List](/images/identitymanager/simulation_new_v602.webp) + +4. Click on **+ Create**. +5. 
Perform changes through the ****roles** Changes** and ****rules** Changes** tabs and the following icons, +respectively for addition, modification and deletion: + + ![Edition - Approval Icon](/images/identitymanager/iconadd_v602.svg) + + ![Recommendation Icon](/images/identitymanager/simulation_iconedit_v600.svg) + + ![Discouragement Icon](/images/identitymanager/simulation_icondelete_v600.svg) + +At any time, you can click on the line of a previously made change to access its description, even click on **Cancel** to erase it. + + ![Cancel Change](/images/identitymanager/simulation_cancel_v602.webp) + +6. Click on **Start** to launch the simulation. + + ![Start Simulation](/images/identitymanager/simulation_start_v602.webp) + +7. After a few seconds, click on **Refresh** to display the simulation results. +8. Observe the results in the overview and in the Excel report available via the Download button. + + ![Download Icon](/images/identitymanager/icondownload_v602.svg) + +## Shift from Simulation to Production + +After all needed changes have been simulated, you can decide to apply or cancel them. + +![Apply or Cancel Changes](/images/identitymanager/simulation_decision_v600.webp) + +Then, the simulation is no longer active. + +Clicking on **Apply** applies the simulated changes to the role model. You need to launch the [Compute Role Model Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) to observe the actual changes in users' entitlements. + +## Impact of Modifications + +Once you've applied or canceled the changes of a simulation, said simulation is no longer active. If you still need to simulate changes on the same policy, you can create a new simulation. + +Deleting a simulation doesn't impact the role model. It simply undoes the simulated changes which haven't been applied yet. + +## Verify Modification + +In order to verify the process, check that the **roles** and **rules** are created with the right parameters. 
+
+For **roles**, click on **Access **roles**** on the home page in the **Configuration** section.
+
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
+
+Select the type of role that you want to check, and find the **roles** you created inside the right category and with the right parameters.
+
+![Select **roles**](/images/identitymanager/categorycreation_test_v602.webp)
+
+For **rules**, click on **Access **rules**** on the home page in the **Configuration** section.
+
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
+
+Select the type of rule that you want to check, and find the **rules** you created with the right parameters.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/categorization/classification.md b/docs/identitymanager/6.3/user-guide/set-up/categorization/classification.md
new file mode 100644
index 0000000000..6df3407a5a
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/categorization/classification.md
@@ -0,0 +1,150 @@ +--- +title: "Classify Resources" +description: "Classify Resources" +sidebar_position: 30 +--- + +# Classify Resources + +How to define [Resource Classification Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule) in order to classify remaining uncorrelated resources, assigning them resource types. See the [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation) topic for additional information. + +## Overview + +### Classification purpose + +Classification is the process of putting on an existing resource a label called resource type, to show its intent and/or purpose within the managed system. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information. + +Every resource type can be assigned a set of classification rules. + +### About the confidence rate + +As the aim here is to classify uncorrelated resources in a given managed system, classification rules are going to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow the creation of a single infallible correlation/classification rule for all resources. Hence, you may need to create several correlation/classification rules. + +Each rule is configured with a confidence rate to express its reliability, according to data quality and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data resources with a high confidence rate, and a second rule applicable to resources with a lower data quality. This second rule is going to have a lower confidence rate, thus a lower priority, because the strategy is to apply the first rule as much as possible. But the second rule is essential in case the first one doesn't apply, though it cannot be trusted as much as the first rule. 
+ +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. + +Identity Manager considers the rules in descending order of confidence rate. The first matching rule is applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the +highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the +one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. +requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, +i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a correlation rule without a resource type rule triggers unauthorized accounts on the **Resource Reconciliation** page. + + ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values (gaps), i.e. resources and property values from the managed systems that are not allowed by a rule in Identity Manager. The **Provisioning Review** page displays the resource and property changes whose workflows require a manual approval. 
+ +### Classification rule example + +Classification rules are commonly based on logins or organizational units. Account types are usually assigned specific strings to be easily recognized, such as for example `adm` for administrator accounts. They can also include the employee identifier which includes specific digits according to the account type. + +Consider an organization that places basic users in organizational units `Users` and `Locations` with a CN starting with `U`. This means that a basic user should have a `dn` attribute different from zero, containing `OU=Users` and `OU=Locations`, and starting with `CN=U`. Then, a classification rule could take as a target expression: + +``` +return resource.dn != null && resource.dn.Contains("OU=Users,") && resource.dn.Contains("OU=Locations,") && resource.dn.StartsWith("CN=U"); +``` + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the **application owner** who knows the application users, entitlements and data model. + + | Input | Output | + | --- | --- | + | [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation) (required) [Synchronize Data](../../../user-guide/set-up/synchronization) (required) [Correlate Resources](../../../user-guide/set-up/categorization/correlation) (recommended) | Classification rules | + +## Create a Classification Rule + +The principle of a classification rule is to use the expression of the target object, to assign (or not), the resource type to said object. + +Fill a resource type with a classification rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Classification Rules** and the addition icon. 
+ + ![New Classification Rule](/images/identitymanager/resourcetype_newclassifrule_v602.webp) + +Classification rules can also be created through the **Access Rules** screen (accessible from the home page, in the **Configuration** section), clicking on the **Classifications** tab and the addition button at the top **right** corner. + + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) + + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) + +2. Fill in the fields. + + ![New Classification Rule Fields](/images/identitymanager/resourcetype_newclassifrulefields_v602.webp) + + - **Target Object** > `Expression`: C# expression based on the resource that needs to be +classified. + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order.. + > Our overview example would look like: +> + > ![Classification Rule Example](/images/identitymanager/classification_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify +Resource Types** to apply the new classification rules. + +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a classification rule doesn't trigger a new computation of classification for the resources that are already categorized, i.e. **both classified and correlated**. The new version of said classification rule will be applied only to new resources along with the existing resources whose correlation and/or classification was not yet reviewed (as unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) can have their correlation and classification re-computed. 
+ +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** screen "blocks" correlation and classification "as is". Neither will be re-computed. + +This also means that only non-conforming resources (displayed on the **Resource Reconciliation** screen) can have their classification questioned and re-computed. + +Simulations are available in order to anticipate the changes induced by a creation/modification/deletion in classification rules. See the [Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information. + +Any modification in classification rules is taken into account via the classification job: on the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource Types**. + +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +## Verify Classification + +In order to verify the process, analyze samples and check that all objects are classified, and well classified. To do so, click on the target entity type(s) affected by your rule(s) in the left menu of the home page. + +![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp) + +The entity type's page can be configured via XML to customize all displayed columns and available filters, especially the **Uncategorized** filter that spots unclassified resources, and the **Owner / Resource Type** column that shows the resource type assigned to each resource. + +![Owner / Resource Type Column](/images/identitymanager/classification_test_v522.webp) + +Therefore, check that all resources show here a resource type. Moreover, a knowledgeable person must analyze a few samples to ensure that resources are classified in the **right** resource type. 
+
+## Troubleshooting
+
+If a resource is not classified (or not correctly), then:
+
+![Unclassified Resource](/images/identitymanager/classification_unclassified_v600.webp)
+
+- If the resource is correlated, check whether the corresponding correlation rule is in the **right**
+resource type.
+- If the resource is not correlated, check the validity of the classification rules.
+- Check the resource's data quality.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/categorization/correlation.md b/docs/identitymanager/6.3/user-guide/set-up/categorization/correlation.md
new file mode 100644
index 0000000000..32c2269835
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/categorization/correlation.md
@@ -0,0 +1,167 @@ +--- +title: "Correlate Resources" +description: "Correlate Resources" +sidebar_position: 20 +--- + +# Correlate Resources + +How to define the [Resource Correlation Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule) to match up resources across systems, usually accounts with their **owner**. + +## Overview + +### Correlation purpose + +Correlation is the process of establishing an ownership relationship between a **source** resource (usually an identity) and a **target** resource (usually an account). It is the basis of the link between an identity and their fine-grained entitlements. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information. + +Every resource type can be assigned a set of correlation rules. + +Correlation rules must be created with caution as an error in the **correlated** attributes may result in the unwanted assignment of a given account to an existing user. + +Correlation should be based on **immutable attributes**, for example codes that don't change during the resource's lifecycle rather than display names that can vary in time. This method prevents integrators from losing the history of the changes made to a resource after a correction. + +> In addition to display names, counter-examples for correlation properties are: positions; marital +> names; locations, etc. + +### About the confidence rate + +As the aim here is to correlate all resources in a given resource type, correlation rules are going to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow the creation of a single infallible correlation/classification rule for all resources. Hence, you may need to create several correlation/classification rules. 
+ +Each rule is configured with a confidence rate to express its reliability, according to data quality and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data resources with a high confidence rate, and a second rule applicable to resources with a lower data quality. This second rule is going to have a lower confidence rate, thus a lower priority, because the strategy is to apply the first rule as much as possible. But the second rule is essential in case the first one doesn't apply, though it cannot be trusted as much as the first rule. + +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. + +Identity Manager considers the rules in descending order of confidence rate. The first matching rule is applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the +highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the +one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. +requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, +i.e. not requested manually nor assigned by a resource type rule. 
For example, the creation of a correlation rule without a resource type rule triggers unauthorized accounts on the **Resource Reconciliation** page. + + ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values (gaps), i.e. resources and property values from the managed systems that are not allowed by a rule in Identity Manager. The **Provisioning Review** page displays the resource and property changes whose workflows require a manual approval. + +### Correlation rule examples + +Consider AD accounts (**target**) and their owners (**source**). A classic example is to try and correlate identities and AD accounts based on the first name and last name. We can write a correlation rule that states that, for a given identity, Identity Manager looks for all AD accounts that bear the same first name and the same last name. All AD accounts that match this description are said to be **correlated** to the identity. The identity becomes the **owner** of the accounts. + +A set of correlation rules for a resource type could be: + +- a rule with 100% confidence on login + name + first name; +- a rule with 90% confidence on login only. + +Usual rules can also be made, for example, on: + +- name + first name using phonetics to avoid typos; +- first name + name + entry date if the entry date is known in the **source** systems; +- email address; +- Windows login. + +Correlation rules don't have to compare equivalent properties from Identity Manager and from the managed system. A rule can compare for example users' `Login` from Identity Manager with their `sAMAccountName` from the AD, even using C# expressions if needed. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application **owner** who knows the application users, entitlements and data model. 
+ + | Input | Output | + | --- | --- | + | Identity repository (required) Resource types (required) [Synchronize Data](../../../user-guide/set-up/synchronization) (required) | Correlation rules | + +See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) and [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation) topics for additional information. + +## Create a Correlation Rule + +The principle of a correlation rule is to compare the expressions of the **source** and **target** objects. + +Fill a resource type with a correlation rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Correlation Rules** and **+ New**. + + ![New Correlation Rule](/images/identitymanager/resourcetype_newcorrelrule_v602.webp) + +Correlation rules can also be created through the **Access Rules** screen (accessible from the home page, in the **Configuration** section), clicking on the **Correlations** tab and the addition button at the top **right** corner. + + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) + + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) + +2. Fill in the fields. + + ![New Correlation Rule Fields](/images/identitymanager/resourcetype_newcorrelrulefields_v602.webp) + + - ****source** Object**: at least one property from the **source** system that is going to be linked to +a given **target** object. Can be defined by a property path and/or an [Expression](../../../integration-guide/toolkit/expressions). + - ****target** Object**: one property from the managed system that is going to be linked to a given **source** object. Can be defined by a property path and/or an [Expression](../../../integration-guide/toolkit/expressions). + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order. 
+ > In this example, a person via their login and name, is the **owner** of a nominative AD
+ > account via its `sAMAccountName` attribute and display name:
+>
+ > ![Correlation Rule Example](/images/identitymanager/correlation_example_v602.webp)
+
+3. Click on **Create** and see a line added on the rules page.
+4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare
+Correlation Keys** to compute the expressions used in the new correlation rule(s), and click on **Jobs** > **Compute Role Model** to apply all correlation rules.
+
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+## Impact of Modifications
+
+An action (addition/modification/deletion) on a correlation rule doesn't trigger a new computation of correlation for the resources that are already **correlated**. The new version of said correlation rule will be applied only to new resources, along with the existing resources whose correlation was not yet reviewed (as unauthorized accounts on the **Resource Reconciliation** screen).
+
+Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) can have their correlation and classification re-computed.
+
+Even without selecting an **owner**, reviewing unauthorized accounts on the **Resource Reconciliation** screen "blocks" correlation and classification "as is". Neither will be re-computed.
+
+Simulations are available in order to anticipate the changes induced by a creation/modification/deletion in correlation rules. See the [Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information.
+
+Any modification in correlation rules is taken into account via the following jobs: on the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys**, and then on **Jobs** > **Compute Role Model**.
+
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+## Verify Correlation
+
+In order to verify the process, check the list of [Review Orphaned and Unused Accounts](../../../user-guide/administrate/orphan-unused-account-review) and analyze them to look for patterns revealing correlation issues. To do so, click on the **target** entity type(s) affected by your rule(s) in the left menu of the home page.
+
+![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp)
+
+The entity type's page can be configured via XML to customize all displayed columns and available filters, especially the **Orphan** filter that spots resources without an **owner**, and the ****owner** / Resource Type** column that shows the **owner** assigned to each resource.
+
+![**owner** / Resource Type Column](/images/identitymanager/correlation_test_v522.webp)
+
+A knowledgeable person must analyze a few samples to ensure that resources' owners can all be justified, meaning that orphaned accounts are supposed to be so, and that **correlated** resources are matched with the **right** **owner**.
+
+Another possibility of correlation validation is to compare the **number of AD accounts** to the number of users. However, keep in mind that several accounts are sometimes assigned to a single user.
+
+## Troubleshooting
+
+If a resource is not **correlated** (or not correctly), then:
+
+![Uncorrelated Resource](/images/identitymanager/correlation_uncorrelated_v600.webp)
+
+- Check the validity of correlation rules.
+- Check the resource's data quality.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/categorization/index.md b/docs/identitymanager/6.3/user-guide/set-up/categorization/index.md
new file mode 100644
index 0000000000..4582fb7892
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/categorization/index.md
@@ -0,0 +1,122 @@
+---
+title: "Categorize Resources"
+description: "Categorize Resources"
+sidebar_position: 80
+---
+
+# Categorize Resources
+
+How to correlate managed systems' resources with identities, classifying resources into [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation).
+
+## Overview
+
+Managing resources can quickly become chaotic when the number of resources increases significantly. You will need to manage orphaned (without an owner) and unused accounts through resource reviews, and make sure that all accounts follow their owner's lifecycle. To do so, resources can be categorized, which for our purposes means two things. They are:
+
+- correlated with their owners, so that accounts follow the corresponding identity's lifecycle.
+ > For example, if a user leaves the company, then their account is deactivated accordingly.
+- classified according to their intents, in other words you need to specify resources' functions or
+goals within the managed system, especially in terms of security;
+ > For example, a basic user account (low-privileged) and an administrator account
+ > (high-privileged) have different intents. These two distinct account types are handled in
+ > different ways security-wise, and they represent different entitlements with different
+ > security measures applied.
+
+Categorization is designed to help resource managers to easily identify a resource's owner and purpose.
+
+> For example, when Identity Manager spots an orphaned account, resource managers must be able to
+> determine whether the account should have an owner, or if it is a service/technical account and
+> thus does not need an owner.
+
+### Technical principles
+
+Technically, Identity Manager uses the notion of resource types to categorize resources. A resource type is, in fact, a way to gather similar resources under one meaningful name, because they have the same intent.
+
+> Our example above would use a resource type `AD User (administration)` to group all AD
+> administrator accounts, and `AD User (nominative)` to group all AD basic user accounts.
+
+Thus, a resource type is a name that informs users about the intent of a resource. As stated above, it serves to implement our two elements of categorization. This happens with two distinct sets of rules, one for correlation, and the other for classification.
+
+**Classification** is a process that simply aims to assign a resource type to specific resources. A specific resource can only be assigned a single resource type. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+![Classification Schema](/images/identitymanager/categorization_classifschema.webp)
+
+Any resource that is unclassified will not be available for review.
+
+**Correlation** is a process that aims to establish an ownership relationship between two resources. In most cases, an identity resource that becomes the owner of an account resource. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+![Correlation Schema](/images/identitymanager/categorization_correlschema.webp)
+
+While an owner can possess several resources, a resource can have only one owner.
+
+Some resources are orphaned (without an owner) for good reasons. For example service/technical accounts are often used by applications to access data held in Identity Manager or other managed systems and don't belong to a specific user.
+
+As stated previously, both classification and correlation work through sets of rules.
+ +> For basic users, we have in Identity Manager: +> +> ![Example - Basic Users in Usercube](/images/identitymanager/categorization_examplebasicuser.webp) +> +> For basic users, we have in the AD: +> +> ![Example - Basic Users in AD](/images/identitymanager/categorization_examplebasicad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Users | 1. mail (from AD) = user's email +> franck.antoine@acme.com = franck.antoine@acme.com 2. displayName = user's last name + user's first +> name Antoine Franck = Antoine + Franck | + +> For administrators, we have in Identity Manager: +> +> ![Example - Basic Users in Usercube](/images/identitymanager/categorization_exampleadminuser.webp) +> +> For administrators, we have in the AD: +> +> ![Example - Admin Users in AD](/images/identitymanager/categorization_exampleadminad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Administrators | 1. sAMAccountName = "A" + user's employee id +> A28022 = A + 28022 2. displayName = "ADM" + user's last name + user's first name ADM Colin Jean = +> ADM + Colin + Jean | + +Sometimes you may not know if your rules are always going to apply. Therefore, each rule expresses a certain level of confidence. Identity Manager will establish a priority order between rules based on the confidence rate, and will also act differently depending on whether the confidence rate is above or below 100%. See the [Correlate Resources](../../../user-guide/set-up/categorization/correlation) topic for additional information. + +A resource type can have zero correlation rules, since accounts can be without owners. But a resource type with neither correlation nor classification rules serves no purpose. 
+
+**Correlation triggers classification:** a matching correlation rule for a given resource type will perform both actions of categorization: both correlating a resource with its owner, and classifying the resource at the same time.
+
+See below this note.
+
+Hence, integrators should start with correlation rules, and then write classification rules for any remaining uncorrelated resources.
+
+In the same way, Identity Manager will apply correlation rules before classification rules.
+
+![Categorization Schema](/images/identitymanager/categorization_categschema.webp)
+
+Now that you have created resource types and their correlation/classification rules, you have created the first elements for your role model. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information. The role model contains all the roles and rules which drive the entitlement assignment logic inside Identity Manager.
+
+A role model is made up of [Policy](../../../integration-guide/toolkit/xml-configuration/provisioning/policy) which contain roles, rules and resource types. Most often the default policy is enough. However, in more complex situations, additional policies can be created to separate groups of roles, rules and resource types. See the [Create a Policy](../../../user-guide/optimize/policy-creation) topic for additional information.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the application owner who knows the application's users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) (required) [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation) (required) [Synchronize Data](../../../user-guide/set-up/synchronization) (required) | Categorized resources Correlated accounts Orphaned account list |
+
+## Categorize Resources
+
+Categorize resources by proceeding as follows:
+
+1. Create at least one [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation);
+2. Create the appropriate [Correlate Resources](../../../user-guide/set-up/categorization/correlation);
+3. Create the appropriate [Classify Resources](../../../user-guide/set-up/categorization/classification) for accounts that do not have an owner.
+
+Netwrix Identity Manager (formerly Usercube) recommends creating/modifying/deleting correlation and classification rules using [Perform a Simulation](../../../user-guide/optimize/simulation) in order to previsualize changes.
+
+## Next Steps
+
+Once accounts are categorized, integrators can start to [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation).
+
+Categorization also enables the [Review Orphaned and Unused Accounts](../../../user-guide/administrate/orphan-unused-account-review).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/categorization/resource-type-creation.md b/docs/identitymanager/6.3/user-guide/set-up/categorization/resource-type-creation.md
new file mode 100644
index 0000000000..1971000f3d
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/categorization/resource-type-creation.md
@@ -0,0 +1,160 @@
+---
+title: "Create a Resource Type"
+description: "Create a Resource Type"
+sidebar_position: 10
+---
+
+# Create a Resource Type
+
+How to create the container for future correlation and classification rules inside a given managed system.
+
+## Overview
+
+A [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) is created to highlight differences in intent between resources. It materializes the organization's profiles. In a given managed system, different types of resources have different security needs.
+
+> For example, can usually be found:
+>
+> - **nominative accounts** for basic user accounts with low privileges;
+> - **administrator accounts** for accounts with higher privileges, on several administration
+> entitlements levels;
+> - **generic accounts**, i.e. shared by a group of users (often for testing use);
+> - **old** in opposition to **new accounts** because of potentially evolving naming conventions;
+> - **service accounts** owned by applications instead of users.
+
+In practice, a specific resource type is created for a given resource when there are differences in:
+
+- the owner type (for example worker, partner, customer, application, robot, etc.);
+- the required set of classification and/or correlation rules; See the [Classify Resources](../../../user-guide/set-up/categorization/classification), and [Correlate Resources](../../../user-guide/set-up/categorization/correlation) topics for additional information.
+- the approval circuit for a resource's modification or assignment, i.e. the number of required approvals, validators, etc.;
+- the type of provisioning (**Manual** or **Automatic**). See the [Provision](../../../user-guide/administrate/provisioning) topic for additional information.
+
+### Source vs. target resource
+
+Resource types are the vessel for ownership relationships.
They involve the definition of source and target objects chosen from among the properties of existing entity types. The source (usually identities) is the owner of the target (usually resources from your managed systems, such as a nominative AD account). This relationship is the basis for correlation as much as for future provisioning. See the [Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation), [Correlate Resources](../../../user-guide/set-up/categorization/correlation), and [Provision](../../../user-guide/administrate/provisioning) topics for additional information.
+
+See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the application users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (optional) Target connector (required) Synchronized data (optional) | Resource type |
+
+See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading), [Connect to a Managed System](../../../user-guide/set-up/connect-system), and [Synchronize Data](../../../user-guide/set-up/synchronization) topics for additional information.
+
+## Create a Resource Type
+
+A new resource type requires an existing entity type. See the [Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation) topic for additional information.
+
+Create a resource type by proceeding as follows:
+
+1. On the relevant connector page, click on the addition button in the **Resource Types** frame.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+Resource types can also be created through the **Access Roles** screen (accessible from the home page, in the **Configuration** section), using the **+ New** button and selecting `Resource Type` in the first field called `Type`.
+
+ ![Home - Access Roles](/images/identitymanager/home_roles_v602.webp)
+
+2. Fill in the fields.
+
+ ![New Resource Type](/images/identitymanager/resourcetype_newresourcet_v603.webp)
+
+ - `Identifier`: must be unique among resource types, without any whitespace, and be C#-compatible.
+[See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure).
+ - `Name`: will be displayed in the UI to identify the resource type.
+ - `Policy`: [policy](../../../user-guide/optimize/policy-creation) in which the resource type
+exists.
+ - `Source Entity Type`: entity type (from any existing connector) used to fill the target entity type.
+ - `Target Entity Type`: entity type (part of the connector) to be filled with the source entity type.
+ - `Category`: category assigned to the resource type. It can be chosen from among the existing categories or [created](../../../user-guide/set-up/single-roles-catalog-creation) directly from the categories list by clicking on the **+ Category** button.
+ - `Approval Workflow`: represents the number of validations required to assign a resource from this type to an identity.
+ - `Approve Role Implicitly`: relevant only for workflows with at least a simple approval process. `Implicit` mode bypasses the approval step(s) if the person who issues the role request is also the role officer. `Explicit` refuses said bypass. `Inherited` follows the policy decision to approve role implicitly or not. See the [Create a Policy](../../../user-guide/optimize/policy-creation) topic for additional information.
+ - `Prolongation without a new approval workflow`: enables the resource type to have its assignment's end date postponed without any validation. `Inherited` follows the policy decision to enable this option or not. See the [Create a Policy](../../../user-guide/optimize/policy-creation) topic for additional information.
+ - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View Permissions** dialog. This setting does not apply to roles which are either inferred or have workflow states which require **Manual** action.
+ - `Arguments Expression`: when using a connection for **Automatic** provisioning, C# expression used to compute a dictionary of strings in order to compute the arguments of [provisioning](../../../user-guide/administrate/provisioning) orders, such as the identifier of the workflow to launch within Identity Manager, or the identifier of the user's record to copy. See the [Provision](../../../user-guide/administrate/provisioning) topic for additional information.
+ - `Allow Addition`: enables Identity Manager to automatically create new resources in the managed system when their owners are given the right entitlements. Otherwise, resource managers must create resources manually directly in the managed system.
+
+ > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP accounts are configured with `Allow Addition` disabled. In this case, if we give the role `SAP` to a user, then said user doesn't automatically receive an SAP account. The relevant resource manager must create an account for said user in the SAP application.
+
+ - `Allow Removal`: enables Identity Manager to automatically deprovision resources in the
+managed system when their owners are deprived of the right entitlements. Otherwise, Identity Manager is able to delete resources in the managed system only with a **Manual** approval on the **Resource Reconciliation** screen.
+ + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Removal` disabled. Finally, consider a given user who + > has the role `SAP` and the corresponding SAP account. In this case, if we deprive said + > user from the role `SAP`, then the SAP account isn't automatically deleted. Identity + > Manager  displays this assignment as non-conforming on the **Resource Reconciliation** + > page, and the relevant resource manager must confirm the account deletion. + +**Allow Addition / Allow Removal:** + +These options set to `No` are interesting especially in testing mode when the role model isn't entirely reliable yet. + + - `Remove If Orphaned`: enables Identity Manager to automatically deprovision resources when +their owner is deleted. Otherwise, said resources are displayed on the **Resource Reconciliation** screen. Can be activated only if `Allow Removal` is activated too. + - `Require Provisioning Review`: forces an additional mandatory review of all provisioning +orders for the resource type (on the [Review Provisioning](../../../user-guide/administrate/provisioning/provisioning-review) screen). + + > Consider AD accounts. While **nominative accounts** can be provisioned without specific + > precautions (option set to `No`), **administrator accounts** sometimes require an additional + > review (option set to `Yes`). + +This option can be bypassed when computing the role model by clicking on the **Compute Role Model, no provisioning review** job in the **Resource Type** frame on the connector's overview page. + + - `Discard **Manual** Assignments`: allows the provisioning of a new value computed by a +provisioning rule for a property, based on a change in the source data, no matter the property's current workflow state. 
+
+Set to `No`, any **Manual** change of a property's value made directly in the target system will be "protected" (only after the change is approved in Identity Manager in **Resource Reconciliation**). It means that a future change in the source data will not trigger the provisioning of the new value. Instead, Identity Manager will keep the value of the **Manual** change, and state the value as `Questioned`.
+
+ > Consider an HR system (source) whose data isn't often synchronized into Identity Manager.
+ > Let's say that a user marries and changes their name. In this case, the value in Identity
+ > Manager needs to be updated (via workflows) so that all managed systems are updated too
+ > with the new name. However, `Discard **Manual** Assignments` should be enabled because the HR
+ > system should still be the authoritative source in case of another change.
+
+ - `Correlate Multiple Resources`: enables Identity Manager to link a single owner to several
+existing target objects from this resource type.
+
+ > Consider records, representing users' positions in the resource type
+ > `User Record (from HR)`. In some organizations, one user can have several records at once,
+ > or have several records that overlap, and these records can be created either via Identity
+ > Manager's workflows or via the upload of an HR file. Thus, on the one hand it is complex
+ > to anticipate the number of records created for an identity, on the other hand there
+ > shouldn't be records without an owner. In other words, when creating a new record via a
+ > workflow, we want the record to be linked to the right user, whether or not a record is
+ > already linked to the user's HR sheet. Therefore, the correlation of multiple resources
+ > (of the same resource type) to a single owner should be permitted.
+
+ - `Transmitted State Validity`: The period in minutes during which fulfillment orders can stay
+in Transmitted/Executed state.
When the time is exceeded the orders are set in error state.
+ - `Depends On Resource Type`: potential resource type (other than the one presently created)
+which must be provisioned for a given identity **before** this resource type can be created for said identity.
+
+ > This option can be used so that a user must have an AD account **before** they can own an
+ > Exchange account, because the Exchange account needs the AD account's address.
+
+ - `Depends On Owner Property`: potential properties which must be filled for a given identity
+**before** this resource type can be created for said identity.
+
+ > This option can be used so that a user must have a ServiceNow identifier **before** they can
+ > own an AD administrator account, because the AD administrator account needs this random
+ > identifier computed by ServiceNow in order to be able to perform **Manual** provisioning in
+ > ServiceNow.
+
+3. Fill the **Fulfill Settings** arguments according to the selected package.
+
+Integrators need to know the required provisioning connection, especially whether the connection is about **Manual** or automated provisioning. **Automatic** provisioning means that Identity Manager writes in the managed system. **Manual** provisioning means that Identity Manager isn't allowed to write directly inside the managed system, and thus it creates tickets so that resource managers perform the needed changes.
+
+4. Click on **+ Create & Close** > **Create**.
+
+## Verify Resource Type Creation
+
+In order to verify the process, check that the resource type has been added with the right options to the list on the **Access Roles** page, accessible from the home page in the **Administration** section.
+
+![Home - Access Roles](/images/identitymanager/home_roles_v602.webp)
+
+![Test Connector](/images/identitymanager/resourcetype_test_v602.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/configure-global-settings.md b/docs/identitymanager/6.3/user-guide/set-up/configure-global-settings.md
new file mode 100644
index 0000000000..2386297d9e
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/configure-global-settings.md
@@ -0,0 +1,49 @@
+---
+title: "Configure Global Settings"
+description: "Configure Global Settings"
+sidebar_position: 30
+---
+
+# Configure Global Settings
+
+This topic covers the customization in the application **Settings**.
+
+## Overview
+
+The Settings interface provides information and management options for the application.
+
+![accesscertificationonlyapprovedenysettings](/images/identitymanager/accesscertificationonlyapprovedenysettings.webp)
+
+### Look and Feel
+
+The **Look and Feel** section allows you to customize the application to your preferences.
+
+The customization includes the following:
+
+- **Application Title**as the name of the application visible on the tabs
+- The **Primary Color**, **Secondary Color**, **Banner Color**, **Banner Gradient Color**, **Banner
+Selected Tab Color**, and **Banner Text Color**
+- The **Logo** to be displayed in the top left corner;
+
+### Languages
+
+It presents the languages in which the application can be displayed. In the above example you have English-United States and French-France.
+
+See the [Languages](../../integration-guide/toolkit/languages) topic for additional information.
+
+### Features
+
+The feature **Only allow approving and refusing on access certifications items** gives the administrator the option to limit the user's option to either **Approve** or **Deny** the Access Certification items while making the **More** button unavailable.
+
+![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/allowapprovingdenyingaccesscertificationitems.webp)
+
+If the feature **Only allow approving and denying on access certification items** is set to **No** the following will be visible on the certification screen:
+
+![accesscertificationonlyapprovedeny](/images/identitymanager/accesscertificationonlyapprovedeny.webp)
+
+If the feature **Only allow approving and denying on access certification items** is set to **Yes** the following will be visible on the certification screen:
+
+![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/accesscertificationonlyapprovedeny-disabled.webp)
+
+This is how the user's experience can be customized directly from the UI.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/configure-workflows.md b/docs/identitymanager/6.3/user-guide/set-up/configure-workflows.md
new file mode 100644
index 0000000000..57c80ebdc9
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/configure-workflows.md
@@ -0,0 +1,106 @@
+---
+title: "Configure Onboarding Workflows"
+description: "Configure Onboarding Workflows"
+sidebar_position: 40
+---
+
+# Configure Onboarding Workflows
+
+How to adjust the validation process and homonym detection of onboarding [Workflows](../../integration-guide/workflows).
+
+## Overview
+
+Onboarding workflows are the processes that users follow in order to add in Identity Manager a new user, as a new employee has arrived in the company.
+
+The most common situation consists in having two onboarding workflows: one for employees and one for contractors. The Workforce Core Solution module provides these two workflows.
+
+Usually, using one of these workflows means:
+
+1. filling a form containing the new user's information, such as their name, first name, contract
+type, job title, etc;
+2. if needed, sending the request of user creation for review by a knowledgeable user.
+
+See how to [Update an Individual Identity](../../user-guide/maintain/identity-data-modification/individual-update)in Identity Manager.
+
+### User Creation Review
+
+Identity Manager provides the review step as optional, for its necessity depends on the situation.
+
+To perform the review of a user creation, one should have the right permissions.
+
+![Review Permissions](/images/identitymanager/workflows_reviewpermissions_v601.webp)
+
+When a review is needed, a notification appears on the **MY TASKS** tab at the top.
+
+![My Tasks Tab](/images/identitymanager/home_topbar_v601.webp)
+
+The reviewer can then complete the creation request and finally approve it.
+
+### Homonym Detection
+
+User creation often benefits from a homonym detection that checks if the resource already exists in the system, preventing duplicates.
+
+Identity Manager provides a homonym detection, whose parameters can be adjusted.
+
+See the [Workflows](../../integration-guide/workflows) topic for additional information.
+
+## Participants and Artifacts
+
+Integrators must have the knowledge of the organization strategy towards the expected validation process and homonym detection during users' onboarding.
+
+ | Input | Output |
+ | --- | --- |
+ | Identity repository (required) | Adjusted Onboarding Workflows |
+
+See the [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+## Configure Onboarding Workflows
+
+Configure onboarding workflows by proceeding as follows:
+
+1. On the home page, click on **Settings** in the **Configuration** section, then on **Workforce** >
+**Onboarding Workflows** in the left menu.
+
+ ![Home - Settings](/images/identitymanager/home_settings_v523.webp)
+
+2. For each workflow, choose whether a review step is required.
+
+ ![Workflows Review Steps](/images/identitymanager/workflows_reviewsteps_v601.webp)
+
+Netwrix Identity Manager (formerly Usercube) recommends enabling the review for the onboarding of employees, and disabling the review for contractors.
+
+From experience, in most use cases, the onboarding of new workers is done by their managers, and HR people review the creation of employees and not contractors. It also happens that HR people are in full charge of employees, in which case they do the onboarding and don't need a review.
+
+3. Configure the homonym detection.
+
+ ![Workflows Homonym Detection](/images/identitymanager/workflows_homonyms_v601.webp)
+
+Netwrix Identity Manager (formerly Usercube) recommends enabling the birth name comparison to detect user duplicates due to name changes, when the GDPR supports it.
+
+The other parameters for homonym detection should be enabled/disabled according to your needs.
+
+4. Click on **Save** at the top of the page.
+
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
+
+## Verify Workflow Configuration
+
+Validate the process by proceeding as follows:
+
+1. Access the user directory from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Execute the workflows for a new employee and a new contractor.
+3. Make sure that the homonym detection works in accordance with the specified options.
+
+ > For example, if the inversion comparison is enabled between the first and last names:
+>
+ > ![Workflows Homonym Detection](/images/identitymanager/workflows_verifyhomonyms_v601.webp)
+
+4. Make sure that the potential validation steps are in accordance with the specified options.
+
+## Next Steps
+
+Once onboarding workflows are configured, integrators can start configuring a connector.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/connection-creation.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/connection-creation.md
new file mode 100644
index 0000000000..82625da584
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/connection-creation.md
@@ -0,0 +1,145 @@
+---
+title: "Create a Connection"
+description: "Create a Connection"
+sidebar_position: 30
+---
+
+# Create a Connection
+
+How to create a [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection) inside a [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector) and choose the appropriate package.
+
+## Overview
+
+A connection is the information that allows to connect to a managed system, which includes credentials and path.
+
+There is a minimum of one connection per connector. In many cases, there is one connection to[Synchronize Data](../../../user-guide/set-up/synchronization)and one connection for [Provision](../../../user-guide/administrate/provisioning).
+
+A connection is associated with a package, representing the technology to use for the data transfer.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the purpose of the application.
+
+ | Input | Output |
+ | --- | --- |
+ | Connector container(required) Connector model(required) | Connection(s) |
+
+See the [Create the Connector](../../../user-guide/set-up/connect-system/connector-declaration) and [Model the Data](../../../user-guide/set-up/connect-system/connector-modeling) topics for additional information.
+
+## Create a Connection
+
+Create a connection by proceeding as follows:
+
+1. Click on the addition button in the **Connections** frame on the connector's summary page.
+
+ ![Add a New Connection](/images/identitymanager/connection_newconnection_v602.webp)
+
+2. Fill in the connection information fields on the left, then select a package (AD, CSV, etc.) and
+fill the associated agent settings on the right.
+
+ ![Connection Creation](/images/identitymanager/connectioncreation_connectioncreation_v602.webp)
+
+ - `Identifier`: must be unique among connections, without any whitespace, start with a letter,
+and contain only letters, numbers, `.` and/or `-`.
+ - `Name`: will be displayed in the UI to identify the connection.
+ - `Package`: the technology that enables the connection. Choose the package that fits best the
+managed system. See details below.
+ - `Agent Settings`: depends on the selected package.
+
+Then click on **Create & Close**.
+
+### Select a package
+
+A package is chosen according to the following constraints:
+
+- What kind of technologies do we need?
+
+ > An Active Directory, a plain CSV file, etc.
+
+- Do we need incremental or complete synchronizations, or both?
+
+Incremental synchronizations, usually launched approximately every two hours, are to be performed for real-time needs, while complete synchronizations, scheduled no more than once a day, will recover any changes that may have slipped through the cracks of the incremental synchronizations. See the [Upward Data Synchronization](../../../integration-guide/synchronization/upward-data-sync) topic for additional information.
+
+- Do we need [Provision](../../../user-guide/administrate/provisioning)? If so, should provisioning be
+performed manually or automatically by Identity Manager?
+
+NETWRIX recommends starting by creating a connector that only does synchronization, and do not worry yet about provisioning. It allows Identity Manager to read data from your managed system, without writing to the system.
+
+One connector can contain **several connections, and each connection contains one package**.
+
+> For example, an `AD` connector, that will handle synchronization and provisioning between Identity
+> Manager  and an AD, would generally use the `Directory/Active Directory` package which can do
+> synchronization and automated provisioning.
A second package for manual provisioning,
+> `Ticket/identitymanager` could be added to request manual provisioning of administration accounts that
+> need more security.
+
+Each type of package needs its own settings, and secured options can be used to store sensitive connection information. See the [Connections](../../../integration-guide/connectors/configuration-details/connections) topic for additional information.
+
+## Refresh Schemas
+
+A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be refreshed to enable the configuration of entity types and resource types.
+
+Identity Manager refreshes a connection's schema:
+
+- after the connection creation;
+- when clicking on **Refresh Schema** on the connection's page: only the schema of the current
+connection is refreshed;
+
+ ![Refresh Schema of One Connection](/images/identitymanager/connectioncreation_refreshschema_v522.webp)
+
+- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are
+refreshed.
+
+ ![Refresh all Schemas](/images/identitymanager/connectioncreation_refreshall_v602.webp)
+
+In the **Connections** frame, either the last successful schema update is indicated or an icon is shown if the refresh schema failed.
+
+![Failed Refresh Schemas](/images/identitymanager/connectioncreation_failedindicator_v602.webp)
+
+Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't displayed on the connection's page. On the connector's page, a connection without schema is indicated by the sentence "_There is no schema for this connection_".
+
+![No Schema](/images/identitymanager/connectioncreation_noschema_v522.webp)
+
+The connections' schemas must be refreshed before editing the connector's entity types via the UI, whether the connections were created via the UI or XML configuration.
Otherwise, there will be no connection table available in the `Source` dropdown, so you will not be able to save anything.
+
+## Impact of Modifications
+
+Changes on a connection may imply changes in the connector's entity types. When a connection schema changes, a warning may appear in the entity type screen indicating that a mapped property doesn't exist anymore.
+
+## Verify the Connection
+
+In order to verify the process:
+
+1. click on **Check Connection** to ensure that Identity Manager can reach the managed system;
+
+ ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp)
+
+Some connectors have both incremental and complete setting modes. See the [Jobs](../../../integration-guide/tasks-jobs/jobs)topic for additional information. They are relatively independent so they both need to be tested.
+
+2. check that the connection appears in the **Connections** frame with the right options, and
+without the Failed icon.
+
+![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg)
+
+## Troubleshooting
+
+If the Failed icon appears, then:
+
+![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg)
+
+Ensure that the schema of the connection is refreshed.
+
+If the schema couldn't be recovered, then:
+
+![Schema Not Recovered](/images/identitymanager/connection_notrecovered_v523.webp)
+
+- Ensure that the managed system is properly connected.
+- Check the connection's settings.
+
+ > Example: For a CSV connection, ensure that the file paths are written correctly in full, such
+ > as `C:/identitymanagerDemo/Sources/Directory.xlsx`.
+
+You may have a schema that could not be recovered if you work with a system without a direct access to the agent. In this case, schema refreshment will fail but that does not mean that there necessarily is a problem.
+
+Try again from a system that can access the agent.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-declaration.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-declaration.md
new file mode 100644
index 0000000000..2e4bd68578
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-declaration.md
@@ -0,0 +1,62 @@
+---
+title: "Create the Connector"
+description: "Create the Connector"
+sidebar_position: 20
+---
+
+# Create the Connector
+
+How to declare the technical container of a [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector).
+
+## Overview
+
+Here, you will learn how to create a connector: the shell that harbors entity types and connections related to a single managed system.
+
+Keep in mind that a Identity Manager installation can have more than one agent. Connectors should be created with a specific agent in mind since the agent needs to physically connect to the managed system's data. Fortunately, you don't need to worry about that right now, since you are starting with the agent provided with Identity Manager's SaaS environment. See the [Architecture](../../../introduction-guide/architecture) topic for additional information.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the purpose of the application.
+
+ | Input | Output |
+ | --- | --- |
+ | - | Empty connector |
+
+## Create a Connector Container
+
+Create a connector container by proceeding as follows:
+
+1. On the home page in the **Configuration** section, click on the **Connectors** button.
+
+ ![Home page - Connectors](/images/identitymanager/home_connectors_v602.webp)
+
+You will see all existing connectors.
+
+2. Click on the addition icon and fill in the information fields.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+ ![Connector creation](/images/identitymanager/connectorcreation_declaration_v602.webp)
+
+ - `Identifier`: must be unique among connectors, without any whitespace, start with a letter,
+and contain only letters, numbers, `.` and/or `-`.
+ - `Name`: will be displayed in the UI to identify the connector.
+ - `Agent`: agent that the connector is supposed to use.
+
+Netwrix Identity Manager (formerly Usercube)recommends choosing the provided SaaS agent.
+
+ - `**complete** Job`: [Jobs](../../../integration-guide/tasks-jobs/jobs) scheduled to
+perform a set of tasks, including completesynchronization and/or provisioning for all the connectors, for which you selected the corresponding checkbox.
+ - `**incremental** Job`: [Jobs](../../../integration-guide/tasks-jobs/jobs) scheduled
+to perform frequently a set of tasks, including incrementalsynchronization and/or provisioning for all the connectors, for which you selected the corresponding checkbox.
+
+3. Click on **+ Create** to get on the connector's overview page:
+
+ ![Connector page](/images/identitymanager/connectorcreation_connectorpage_v602.webp)
+
+## Verify the Connector Declaration
+
+In order to verify the process, check that the connector has been added to the connectors list with the right name and identifier.
+
+![Test Connector](/images/identitymanager/connectorcreation_test_v602.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-modeling.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-modeling.md
new file mode 100644
index 0000000000..c97c0e5c85
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/connector-modeling.md
@@ -0,0 +1,373 @@
+---
+title: "Model the Data"
+description: "Model the Data"
+sidebar_position: 10
+---
+
+# Model the Data
+
+How to choose the appropriate model for a connector's data.
+
+## Overview
+
+In this part, you work outside Identity Manager to define the model that is going to be used in the next steps to represent a managed system's resources **and** entitlements inside Identity Manager, as a connector.
+
+This page is no technical procedure, but rather a guide aiming to give a global view on connectors (with their components **and** their purpose), in order to help integrators choose the most appropriate way to model the managed system in the form of a connector later inside Identity Manager.
+
+The aim is to think about said managed system in order to specify:
+
+- what data you need to import into Identity Manager;
+- how you are going to organize this data together, **and** model it as a connector inside Identity
+Manager.
+
+### Useful data
+
+Modeling the connector is a matter of identifying what data you want to get into Identity Manager. You should not retrieve all the data from the managed system, but only two kinds of useful data:
+
+1. data that represents how the authorization system works in the managed system, i.e. data that
+composes entitlements **and** their assignments;
+2. data that you want to watch **and**/or control **and**/or fulfill.
+
+The model must take both into account. So both kinds of data must be extracted from the managed system.
+
+> Let's take an example. An Active Directory manages authorization through group membership (using
+> the user-group paradigm).
+>
+> So first we need to retrieve both groups **and** accounts, in order to manage the AD's assignments of
+> entitlements for our users (in the AD **language**: manage their accounts **and** group memberships).
+>
+> Secondly, we want to control attributes such as the name or e-mail of the account, **and** ensure they
+> are consistent with the correlated identity. Thus these attributes are the second kind of
+> information that we want to retrieve.
+
+### Data models
+
+Fortunately, you won't have to design your connector model from scratch. NETWRIX has done a little work ahead, **and** you are presented here with four model templates that have proven to work so far. Experience shows that most managed systems can be shaped using one or a mix of the following:
+
+- the User model is the most **simple** model for a connector, where a user is directly associated with
+a list of entitlements;
+- the User-Group model represents typical
+[Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) mechanisms, where the ability to perform an action is granted through accounts' **membership to a specific group** (also called role or profile according to the system);
+- the Account-Profile-Transaction model represents a system, where the ability to perform an action
+is granted through the assignment of fine-grained entitlements (called **transactions**) which are **packaged into profiles**;
+- the Star model represents a system, where the ability to perform an action is granted through the
+assignment of entitlements which are based on at least two variable parameters.
+
+Each template presents a few objects **and** the relationships between them. To become the model of the actual managed system, these objects must be renamed **and** their attributes defined according to the **reality** of said managed system.
+
+This sheet guides you through choosing the right model template for your connector. The actual technical implementation of the model will be tackled in the last part of the connector configuration: [Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation).
+
+**Connector model **and** roles:**
+
+The design of a model must take into account what is really going on inside the managed system in terms of entitlements, **and** be flexible enough to express it as roles in the context of the role model. The role model is the universal RBAC/ABAC **language** used by Identity Manager to express all entitlements.
+
+You don't have to worry about this "role" part right now. It is going to be tackled during single role catalog creation. At this point, you will take a look at the way roles are defined **and** linked to resources to represent entitlements. But the work starts here, by modeling the resources that exist in the managed system. Some of those resources, such as Active Directory groups, include interesting information about entitlements.
+
+Right now, you can see the connector's model as a precise description of the **shape** of the technical resources **and** entitlements of the managed system. **and**, you can see roles as the higher-order universal **language** in which entitlements **and** their assignments are expressed in Identity Manager for all managed systems.
+
+**Connector model **and** provisioning**:
+
+After defining the useful data that you need to model a given system, you also have to decide what data you need Identity Manager to write to the managed system. Identity Manager writing to an external system is called provisioning.
+
+## Participants **and** Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the purpose of the application.
+
+ | Input | Output |
+ | --- | --- |
+ | - | Connector model |
+
+## Define the Connector Model
+
+Define your connector model by proceeding as follows:
+
+1. Use the advice **and** examples given about each model template to find the template that most
+closely matches your use case.
+2. Adapt the template to the **reality** of your managed system by renaming **and** adjusting the model's
+objects.
+3. 
Define your useful data, **and** thus the attributes of each object according to the **reality** of the
+data in your managed system.
+4. Ensure that all objects have at least one attribute that can serve as a key to be uniquely
+identified within Identity Manager. You will get more details about keys during entity type creation.
+5. Ensure the following guidelines' enforcement:
+
+**Keep it **simple****
+
+The model must stay as **simple** as possible. Embed just enough information.
+
+**Keep it readable for most users**
+
+The model must be easy to understand. For this, adopt a business approach, i.e. make the model user-friendly **and** close to real activities. This functional approach is essential to the efficiency of data flows (synchronization/provisioning loop). Keep in mind that the aim is to define a model close to the **reality** of the system.
+
+**Keep it open to changes**
+
+The model is going to change **and** evolve during the life of the application, to account for new needs or changes. This must be considered too in the initial model to make future changes less painful.
+
+Find at the bottom a procedure example about modeling the Active Directory.
+
+## Model Templates
+
+All templates are detailed with examples **and** schemas with the following key:
+
+![Schemas' Key](/images/identitymanager/connectormodel_key.webp)
+
+During the technical modeling inside Identity Manager, these objects will become **entity types**, their attributes will become **scalar properties**, the links between them will become **navigation properties**.
+
+### User
+
+#### Authorization mechanisms
+
+The User template is the most **simple** model for a connector, **and** used to represent **a user directly associated with a list of entitlements**.
+
+Users are represented by the accounts they own, **and** entitlements are represented by resources.
+
+Permissions can be managed:
+
+- by resource, with a list of authorized accounts for each resource;
+- by account, with a list of authorized resources for each account.
+
+#### Model
+
+![User Model](/images/identitymanager/connectormodel_user.webp)
+
+Thus you need to create one entity type to represent either accounts or other resources.
+
+Each entity type needs to be shaped with properties, chosen according to the data useful for entitlement assignment.
+
+The only sensitive **and** required properties are the keys **and** the property holding entitlements. It means that:
+
+- if entitlements are managed by resource, then the entity type representing resources must have an
+attribute (scalar property) containing the list of authorized accounts;
+- if entitlements are managed by account, then the entity type representing accounts must have an
+attribute (scalar property) containing the list of authorized resources.
+
+**Recommendation: categorize accounts in types**
+
+Some of the managed systems following this model offer predefined **types of accounts**, with a pre-packaged set of authorizations (such as the `basic` user with read/write permissions on non-sensitive resources, or the `admin` with higher privileges).
+
+Account types make modeling easier, as they bring another level of information about the entitlements they contain. So we can embed more useful information in the model, thanks to an attribute that represents the account type.
+
+In further steps, you will be able to define one resource type per account type **and** map each one to a role for assignment **and** provisioning.
+
+#### Example - Canteen badges
+
+Canteen badges are a **simple** system handled with the User model. Indeed users can simply have among their attributes the access authorization for a given building **and** a given time. Or also, instead of creating an entity type for users, we can create an entity type for the badges.
They would have in their attributes their respective access location **and** time, **and** an attribute listing authorized users.
+
+![User Model - Canteen Badges Example](/images/identitymanager/connectormodel_user-canteen.webp)
+
+#### Example - Mailboxes
+
+Mailboxes constitute a complex system, but IGA purposes require little information (only accounts) so this system can too be handled with the User model, either through users **and** their entitlement lists, or through mailbox entitlements **and** their lists of authorized users.
+
+![User Model - Mailboxes Example](/images/identitymanager/connectormodel_user-mailbox.webp)
+
+### User-Group
+
+#### Authorization mechanisms
+
+The User-Group template is better suited to represent typical Role-Based Access Control authorization mechanisms, where a user is authorized to perform an action according to their account's **membership to a specific group**. Instead of groups, some systems talk about roles or profiles: users are authorized to perform an action through a given role or profile which they are assigned, instead of a group membership. It is all the same idea, **and** the User-Group template is perfect for them too.
+
+Groups can also be categorized **and** grouped into larger groups.
+
+Users are represented by the accounts they own.
+
+#### Model
+
+![User-Group Model](/images/identitymanager/connectormodel_usergroup.webp)
+
+Thus you need to create one entity type to represent groups (or roles or profiles) **and** one for accounts.
+
+Each entity type needs to be shaped with properties, chosen according to the data useful for entitlement assignment.
+
+The only sensitive **and** required properties are those constituting the link between both **entity types**, i.e. the **navigation properties** representing the group membership.
+
+**Recommendation: categorize accounts in types**
+
+Many of the managed systems following this model, just like the User model, distinguish between several **types of accounts**.
+
+In further steps, you will be able to define one resource type per account type **and** map each one to a role for assignment **and** provisioning.
+
+#### Example - SAB
+
+The SAB system handles authorizations using users **and** groups. A user is authorized to perform an action according to their group membership.
+
+We define two **entity types** `SAB - User` **and** `SAB - Group`. We fill them with a few attributes useful to manage entitlements in the SAB application. Finally, we add a navigation property in both **entity types** in order to link `User` with `Group` with an "n-to-n" relationship.
+
+![User-Group Example - SAB](/images/identitymanager/connectormodel_sab.webp)
+
+#### Example - RACF
+
+The [RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) connector is used to manage critical entitlements on the mainframe. RACF is a complex system, but IGA purposes only require information about accounts **and** groups, as entitlements are given by group membership. Thus the system can be simplified to be managed by Identity Manager following the User-Group model.
+
+![User-Group Example - RACF](/images/identitymanager/connectormodel_racf.webp)
+
+For RACF, Identity Manager provisions only the link between accounts **and** groups.
+
+#### Example - TSS
+
+The TSS connector is similar to RACF in its use, but manages fine-grained entitlements at a higher level than RACF. TSS is at least as complex as RACF, **and** its connector follows a similar simplification as RACF's.
+
+Identity Manager manages users (with their accounts) **and** groups called here profiles. Both users **and** profiles are grouped into departments, themselves grouped into partitions. Entitlements are called authorizations, **and** are linked to users through group (profile) membership.
+
+![User-Group Example - TSS](/images/identitymanager/connectormodel_tss.webp)
+
+For TSS, Identity Manager provisions only the link between users **and** profiles.
+
+Identity Manager receives a write access for users **and** profiles, only a read access for the rest of the model. It is interesting to keep the whole model for query goals such as listing a given user's entitlements.
+
+**Recommendation: categorize accounts in types**
+
+Many of the managed systems following this model, just like the User model, distinguish between several **types of accounts**.
+
+In further steps, you will be able to define one resource type per account type **and** map each one to a role for assignment **and** provisioning.
+
+**Roles:** During the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation)step for this connector you can build roles based on the group-membership system represented by users **and** profiles. Thus you will create navigation rules to represent the link between users **and** profiles.
+
+#### Example - SDGE
+
+The SDGE connector is used not to manage people but positions, so the application screens depend on the user's position. In other words, Identity Manager is going to manage users' entitlements in SDGE through their positions.
+
+The object `User` or `Account` from the template, which contains users' accounts, is called here `Worker`.
+
+The object `Group` from the template is called here `Position` (grouped into organizations, themselves grouped into organization types). It contains the way an entitlement is given, here through a given position **and** wallet.
+
+![User-Group Example - SDGE](/images/identitymanager/connectormodel_sdge.webp)
+
+For SDGE, Identity Manager provisions only workers **and** the link between workers **and** positions.
+
+### Account-Profile-Transaction
+
+#### Authorization mechanisms
+
+The Account-Profile-Transaction model is better suited to represent a system, with the following basic characteristics:
+
+- To be able to perform an action or read a piece of data, a user must be granted one or several
+**transactions**. **transactions** represent fine-grained entitlements. They can be associated to a type **and** conditions that restrict their use, such as a maximum per day or a context of validity.
+- **transactions** are not assigned directly to an account, but are **packaged into profiles**, which are
+then assigned to accounts, which are owned by users.
+- Profiles can sometimes be classified into categories representing the sensitivity of the
+**transactions** they contain.
+ > For example, profile categories can be `Privilege Profiles` for high privilege **transactions** on
+ > sensitive data, **and** `Technical Profiles` for technical **transactions** related to system
+ > administration.
+
+#### Model
+
+![Account-Profile-Transaction Model](/images/identitymanager/connectormodel_profiletransaction.webp)
+
+Thus you need to create one entity type to represent accounts, one for profiles, **and** one for **transactions**.
+
+Each entity type needs to be shaped with properties, chosen according to the data useful for entitlement assignment.
+
+The only sensitive **and** required properties are those constituting the link between **entity types**, i.e. the **navigation properties** representing the packaging of **transactions** into profiles on the one hand, **and** the assignment of profiles to accounts on the other hand. You can potentially add a navigation property in the `Profile` entity type in order to categorize profiles within larger profiles.
+
+Instead of creating as many `Profile` objects as there are categories of profile, NETWRIX recommends **shaping the `Profile` object with a `category` attribute**.
Indeed, a multiple-object model complexifies the addition of new profiles in the future. **and** as new profiles can be created in the future though, then you must plan for it.
+
+For example, instead of modeling two artificial types of profiles called `PP` for "Privilege Profile" **and** `TP` for "Technical Profile", prefer a single object `P` that represents all profiles using a specific attribute to differenciate technical from privilege profiles. This way, the model sticks to the real capacity of the technical tool **and** all use-cases are considered.
+
+See the schema below this note.
+
+![Profiles Example](/images/identitymanager/connectormodel_profiles.webp)
+
+**transactions** are not mandatory in a model. Most of the time, the profile packages are predefined once **and** for all, or are the responsibility of the **application owner**. Then Identity Manager doesn't need to manage the specific **transactions** for a profile directly inside the managed system. You can hence avoid modeling **transactions** altogether. In this case, you fall back on the User-Group model with a twist: if profile categories are relevant in the system's authorization mechanism, then you must take them into account.
+
+#### Example - TSS
+
+The TSS connector is actually a mix of the User-Group **and** Account-Profile-Transaction models. The User-Group part is explained above.
+
+![User-Group Example - TSS](/images/identitymanager/connectormodel_tss-prof-trans.webp)
+
+**transactions** are called here authorizations.
+
+For TSS, Identity Manager provisions only the link between users **and** profiles. **transactions** (**and** the rest of the model) are only readable.
+
+### Star
+
+#### Authorization mechanisms
+
+The Star model is better suited to represent a system, where the ability to perform an action is granted through the assignment of entitlements, based on **several variable parameters**, most often the combination of a profile **and** at least one user data criteria.
+
+> For example, you might want to give certain entitlements only to users who have an administrator
+> profile **and** work in Marseilles.
+
+As the parameter combination is not predetermined, the whole system can become highly complex with the addition of data criteria.
+
+Users are represented by the accounts they own.
+
+**Comparison with other models:** while the User-Group model grants an entitlement via a group membership, the Star model grants said entitlement via a special authorization linking the right criteria altogether (i.e. the right profile **and** other user parameters).
+
+#### Model
+
+![Star Model](/images/identitymanager/connectormodel_star.webp)
+
+Thus you need to create one entity type to represent accounts, one for each criterion, **and** another one to represent the object linking acounts to criteria.
+
+Each entity type needs to be shaped with properties, chosen according to the data useful for entitlement assignment.
+
+The difficulty of this model is to map everything to roles in the role model. In Identity Manager's role model, one assignment is always one role. But in this case, in the managed system, an assignment is a tuple of things.
+
+To map the tuple of things on a role, we have several choices:
+
+1. **Create a role per possible combination of tuple of things**. This can quickly get out of hand as
+far as the number of created roles is concerned.
+2. **Use parametrized roles**. The number of roles will be contained, but it is a little more
+complicated to configure.
+
+The flexibility generated by parameters is particularly interesting for roles that incorporate entitlements in a more complex way than application roles. If the information contained in a role is complicated to deduce, then parameters can bring some clarity in the configuration. The objective is always to minimize the number of distinct roles, **and** the number of roles that are assigned to one given identity.
+
+#### Example
+
+Consider an application which manages entitlement assignment with different rules, according to users' profiles, attachment areas **and** sites. Our example shows 4 profiles, 4 attachment areas **and** 3 sites. So a user may be assigned a given entitlement for a given profile, attachment area **and** site.
+
+![Star Model Example](/images/identitymanager/connectormodel_starmodel.webp)
+
+For this connector, Identity Manager provisions only the links between accounts **and** linking objects, **and** the links between linking objects **and** each criterion.
+
+Concerning roles, integrators have two options:
+
+- either create a specific role for `Profile_i` with `AttachmentArea_j` **and** `Site_k` for all
+available profiles, attachment areas **and** sites, which makes a total of 48 roles (for a quite **simple** example);
+- or create a single role with parameters for profiles, attachment areas **and** sites.
+
+## Procedure Example
+
+**Step 1: choose the connector model.**
+
+Let's say we are modeling an Active Directory, which handles authorization through the group memberships of accounts. In other words, to assign an entitlement to an identity, we make the AD account of said identity member of the corresponding AD group. That is exactly what the User-Group template is designed to handle. See the Model the Data topic for additional information.
+
+![User-Group Model](/images/identitymanager/connectormodel_usergroup.webp)
+
+**Step 2: adapt the model to your **reality**.**
+
+We start by renaming the `Account` object as `AD_User` **and** the `Group` object as `AD_Group`.
+
+![AD Example - Step 1](/images/identitymanager/connectormodel_ad-step1.webp)
+
+**Step 3: define useful data close to your **reality**.**
+
+We **shape** these objects with the following attributes:
+
+![AD Example - Step 2](/images/identitymanager/connectormodel_ad.webp)
+
+**Step 4: ensure that all objects have unique keys.**
+
+Indeed we defined `objectGuid` as a key for both accounts **and** groups.
+
+**Step 5: ensure the guidelines' enforcement.**
+
+We could content ourselves with this model. The main benefit of this model is to closely mimic the **reality** of the AD authorization mechanism. But we'd like to go a bit further, applying a "keep it open to changes" approach.
+
+Observe the similarities between `AD_User` **and** `AD_Group`. There are many attributes repeating between the two **entity types**.
+
+We can simplify: prefer a single object `AD_Entry` that can represent both users **and** groups. The difference between the two types of object will be made clear via specific properties like `objectCategory`, `member` **and** `memberOf`.
+
+Beyond avoiding repetition, this makes the model easily adaptable if new elements pop up.
+
+> For example, we could want to include computers or organizational units in the model in the
+> future. Instead of creating two new additional objects `AD_Computer` **and** `AD_OU`, the existing
+> object `AD_Entry` can represent them both at no additional modeling cost. Even though we could add
+> `AD_Computer` **and** `AD_OU` without merging groups with entries, designing `AD_Entry` with all these
+> attributes provides the means to add objects without creating new **entity types**.
+>
+> ![AD_Entry Example](/images/identitymanager/connectormodel_adentry.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md
new file mode 100644
index 0000000000..e6402b50cb
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md
@@ -0,0 +1,69 @@
+---
+title: "Organize Resources' Datasheets"
+description: "Organize Resources' Datasheets"
+sidebar_position: 60
+---
+
+# Organize Resources' Datasheets
+
+How to change the default display of the resource data from this entity type, by creating display groups.
+
+## Overview
+
+Here you will learn how to change how a resource's data is organized in the UI, by creating display groups.
+
+If you do not add display groups, Identity Manager displays the data of this entity type's resources in alphabetic order.
+
+> For example, for an HR user without any display groups:
+>
+> ![Without Display Groups](/images/identitymanager/entitytypecreation_displaygroups_without_v603.webp)
+
+## Organize Resources' Datasheets
+
+Organize resources' datasheets by proceeding as follows:
+
+1. Start by creating the entity type with its scalar properties and keys. See the
+[Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition) and [Select Primary Keys](../../../../user-guide/set-up/connect-system/entity-type-creation/key-selection) topics for additional information.
+2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the
+top right corner.
+3. On the entity type's definition page, click on the **Display** tab.
+
+ ![Display Groups](/images/identitymanager/entitytypecreation_displaygroups_v603.webp)
+
+4. Click on the arrow to see the entity type's properties listed in the alphabetical order, and drag
+and drop the properties to customize the order.
+
+ > For example:
+>
+ > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example1_v603.webp)
+
+5. When needing to group properties together, click on **Add Display Group**, fill in the fields and
+select from the pop-up window the properties to be grouped.
+
+ ![Display Group Fields](/images/identitymanager/entitytypecreation_displaygroups_fields_v603.webp)
+
+ - `Identifier`: must be unique among display groups, without any whitespace, and be
+C#-compatible. [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure).
+ - `Name`: will be displayed in the UI to indicate the property group.
+ > For example:
+>
+ > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example2_v603.webp)
+>
+ > The entity type's resources would look like:
+>
+ > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example2results_v603.webp)
+
+6. Click on **Save & Close**.
+
+Changes in display groups won't take effect until the next [Update Entity Property Expressions Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask) runs.
+
+## Reload
+
+Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made.
+
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
+
+The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page.
+
+You can find the **Reload** button either on the green warning, or on the connector's dashboard.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md
new file mode 100644
index 0000000000..1bf77cd001
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md
@@ -0,0 +1,65 @@
+---
+title: "Set Resources' Display Names"
+description: "Set Resources' Display Names"
+sidebar_position: 50
+---
+
+# Set Resources' Display Names
+
+How to change the value of the display name for resources of an [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype).
+
+## Overview
+
+Here you will learn how to change a **resource's display name**, which is the name used by the UI to identify a resource of an entity type. Its value is computed from existing properties. For example for the entity type `HR - User`, integrators may set the display name to: ` - `.
+
+![Display Name - Example](/images/identitymanager/entitytypecreation_displaynameexample_v600.webp)
+
+If you do not set your own display name, Identity Manager provides a default value based on the first scalar property after alphabetizing all the properties whose name contains `name`.
+
+## Set the **resource's display name**
+
+Set the **resource's display name** by proceeding as follows:
+
+1. Start by creating the entity type with its calar properties and keys. See the [Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition) and [Select Primary Keys](../../../../user-guide/set-up/connect-system/entity-type-creation/key-selection) topics for additional information.
+2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top right corner.
+3. On the entity type's definition page, click on the **Settings** tab.
+
+ ![Display Name - Property Path](/images/identitymanager/entitytypecreation_displayname_v603.webp)
+
+4. Set the display name. As a display name, you can use either the value of an existing property, or compute [Expressions](../../../../integration-guide/toolkit/expressions) based on existing properties.
+
+ > A resource from `AD - Entry` can be displayed using its `userPrincipalName` with predefined
+ > functions.
+>
+ > ![AD Entity Type - Display Name](/images/identitymanager/entitytypecreation_examplead4_v602.webp)
+>
+ > ![AD Entity Type - Display Name Result](/images/identitymanager/entitytypecreation_examplead4-result_v602.webp)
+
+ > Another example from the HR connector (User entity type):
+>
+ > ![HR User Entity Type - Display Name](/images/identitymanager/entitytypecreation_examplehr_v602.webp)
+>
+ > ![HR User Entity Type - Display Name Result](/images/identitymanager/entitytypecreation_examplehr-result_v602.webp)
+
+5. Click on **Save & Close**.
+
+Changes inside connectors won't take effect until the next [Synchronize Data](../../../../user-guide/set-up/synchronization). More specifically, changes in display names won't take effect until the next [Update Entity Property Expressions Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask) runs.
+
+## Reload
+
+Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made.
+
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
+
+The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page.
+
+You can find the **Reload** button either on the green warning, or on the connector's dashboard.
+
+## Troubleshooting
+
+If no property appears in the display name auto-completion, then:
+
+![No Property](/images/identitymanager/entitytypecreation_troubleprop_v602.webp)
+
+Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top right corner of the screen.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md
new file mode 100644
index 0000000000..045c49c2a2
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md
@@ -0,0 +1,77 @@
+---
+title: "Create the Entity Type"
+description: "Create the Entity Type"
+sidebar_position: 10
+---
+
+# Create the Entity Type
+
+How to create the technical container of an [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype).
+
+## Overview
+
+Here, you will learn how to create an [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype): the shell that harbors the (scalar and navigation) properties which describe a given set of resources related to one managed system.
+
+## Create the Entity Type
+
+Create the entity type by proceeding as follows:
+
+1. Access the connector's page by clicking on the **Connectors** button on the home page in the
+**Configuration** section, then on the relevant connector.
+
+ ![Home page - Connectors](/images/identitymanager/home_connectors_v602.webp)
+
+2. On the connector's page, in the **Entity Types** frame, click on the addition button.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+3. Fill in the information fields.
+
+ ![Entity type creation](/images/identitymanager/entitytypecreation_entitytypecreation_v602.webp)
+
+ - `Identifier`: must be unique among entity types, without any whitespace, and be C#-compatible.
+[See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). NETWRIX recommends using `_` in the singular.
+ - `Name`: will be displayed in the UI to identify the entity type.
+ - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and
+will be displayed with the entity type in the left menu of the home page.
+ - `Auto Complete in Pickers`: can be set once properties are created (and saved) so that, when
+using a searchbar for selected properties, Identity Manager suggests existing entries.
+
+4. 
In the entity type's **Properties** section, choose a source so that the connection provides the
+source's data structure.
+
+ ![Properties' source](/images/identitymanager/entitytypecreation_propertiessource_v522.webp)
+
+ > Let's use the example of an AD connector. We create an entity type `AD - Entry` to gather the
+ > valuable information from the AD, i.e. all the AD entries (groups and accounts) which we want
+ > to classify, with the properties that are useful for assignment management.
+>
+ > The AD connector uses as a source `Connection Active Directory - entries`. Its structure was
+ > retrieved when we refreshed the schemas of the `Active Directory` >
+ > [Create a Connection](../../../../user-guide/set-up/connect-system/connection-creation), thus retrieving the attributes from
+ > the Active Directory and storing them temporarily on the agent side, inside CSV files.
+
+## Next Steps
+
+To continue, [Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition)for this entity type.
+
+## Troubleshooting
+
+If there are no connection tables available in the **Source** dropdown list of an entity type, then:
+
+![Properties' source](/images/identitymanager/entitytypecreation_propertiessource_v522.webp)
+
+Ensure that there are existing connections:
+
+- if this is the case, then click on **Refresh all schemas** on the connector page, and verify that
+there is no error. See the [Create a Connection](../../../../user-guide/set-up/connect-system/connection-creation) topic for additional information.
+- if not, then you must create at least one connection.
+
+If there is a message stating to refresh the connection's schema, then:
+
+![No Connection Table Error](/images/identitymanager/entitytypecreation_troubleshootingschema_v603.webp)
+
+Start by making sure that the connection's schema is refreshed by clicking on **Refresh all schemas** on the connector page, and verify that there is no error.
+
+If the message is still displayed, then it means that the previously selected connection table no longer exists in the managed system. In this case, either the table's name simply changed, or the table is not relevant anymore. Then you should find a relevant table in the **Source** dropdown list.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/index.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/index.md
new file mode 100644
index 0000000000..02ae3c0d39
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/index.md
@@ -0,0 +1,55 @@
+---
+title: "Create an Entity Type"
+description: "Create an Entity Type"
+sidebar_position: 40
+---
+
+# Create an Entity Type
+
+How to create an [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype) that corresponds to the connector model.
+
+## Overview
+
+An entity type is a model of a managed system's data. It defines the shape of the associated resources (instances of said model) and not the intent (that would be a resource type). See the [Create a Resource Type](../../../../user-guide/set-up/categorization/resource-type-creation) topic for additional information. It defines a set of properties describing said resources and linking them together.
+
+In other words, an entity type is supposed to model the representation of a certain group of resources inside Identity Manager. It is a relational model, made of properties ([Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition)) and links between entity types ([Define Navigation Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition)), both described later.
+
+![Entity Type - Schema](/images/identitymanager/entitytypecreation_schema.webp)
+
+The configuration of entity types depends entirely on the previously established by [Model the Data](../../../../user-guide/set-up/connect-system/connector-modeling).
+
+Entity types will impact the import of the managed system's resources, and the way said resources are displayed in the UI.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the application owner who knows the purpose of the application.
+
+ | Input | Output |
+ | --- | --- |
+ | Connection (required) Refreshed schemas (required) Connector's data [Model the Data](../../../../user-guide/set-up/connect-system/connector-modeling) (required) | Entity type |
+
+See the [Create a Connection](../../../../user-guide/set-up/connect-system/connection-creation) and [Model the Data](../../../../user-guide/set-up/connect-system/connector-modeling) topics for additional information.
+
+## Create an Entity Type
+
+Create an entity type by proceeding as follows:
+
+1. [Create the Entity Type](../../../../user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration).
+2. [Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition)to be used in the entity type.
+3. Choose the [Select Primary Keys](../../../../user-guide/set-up/connect-system/entity-type-creation/key-selection) and key properties which will identify resources.
+4. Define [Define Navigation Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition)if applicable.
+5. Customize the [Set Resources' Display Names](../../../../user-guide/set-up/connect-system/entity-type-creation/display-name-setting) for the entity type's resources.
+6. Organize the [Organize Resources' Datasheets](../../../../user-guide/set-up/connect-system/entity-type-creation/datasheet-organization) for the entity type's resources in Identity Manager.
+
+For some connectors, Identity Manager provides a template to automatically create a basic configuration. See below this note.
+
+> For example, the Active Directory template automatically creates an AD entity type and two
+> resource types for a standard AD connector. The template is available for a connector with an AD
+> connection but no entity types.
+>
+> ![Entity Type - AD Template](/images/identitymanager/entitytype_template_v602.webp)
+
+## Verify the Entity Type
+
+Changes will take effect once you have launched synchronization. Therefore, in order to verify the process, follow the verification procedure indicated to [Synchronize Data](../../../../user-guide/set-up/synchronization).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/key-selection.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/key-selection.md
new file mode 100644
index 0000000000..bd317e237a
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/key-selection.md
@@ -0,0 +1,100 @@
+---
+title: "Select Primary Keys"
+description: "Select Primary Keys"
+sidebar_position: 30
+---
+
+# Select Primary Keys
+
+How to choose its keys and an [Entity Type Mapping](../../../../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) key in order to uniquely identify the [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype)'s resources at different points in a resource's lifecycle.
+
+## Overview
+
+Here you will learn how to select keys from among the entity type's scalar properties, in order to ensure the unique identification of resources at different times.
+
+It is important to show caution when choosing the **mapping key** and **key properties** for a set of data. Every extracted resource must have unique keys in order to be uniquely identified in all IGA actions performed by Identity Manager.
+
+### **key properties**
+
+The key property of an entity type is a property chosen from among scalar properties. A key property is used only in the XML configuration, but required when working both from the UI or from the XML configuration.
+
+The purpose of **key properties** is to uniquely identify a resource from the entity type in the XML configuration. In particular, some rules need to fetch a resource, by querying the key property's column in Identity Manager's database.
+
+> For example a navigation rule involving an AD group can be written:
+>
+> ```
+>
+>
+>
+> ```
+>
+> Identity Manager needs to know what column to query to find the right resource via
+> `CN=SG_APP_AG002...`. In this example we must choose `dn` as a key property because it is the `dn`
+> property we use to represent the AD resource.
+
+**key properties** must be **unique and immutable**. They do not have to be immutable but they must enable resources to be uniquely identifiable at t time.
+
+> The `dn` attribute of a resource in the Active Directory usually depends on the resource's
+> position, which often changes during the resource's lifecycle. However, `dn` is unique at a given
+> time, and rather useful to define for example query rules for `parentdn`.
+
+Only one key property is required, but using several **key properties** can sometimes help with the rules in the XML configuration. Identity Manager will search the columns of each key property, one by one, until a corresponding resource is found.
+
+> For example, the AD's unique identifier is `objectGuid`. However, integrators may prefer to use
+> `dn` because it constitutes a clearer group identification from a user's point of view. Plus,
+> `objectGuid` is environment-specific so using it can complexify a situation where we want to move
+> the configuration from an environment to another.
+>
+> Since an `objectGuid` can still be an interesting identifier, we want to have both the `dn` and
+> the `objectGuid` as **key properties**. In this case, Identity Manager will be able to fetch a
+> resource in a rule using said resource's `dn` or `objectGuid`.
+
+### **mapping key**
+
+The **mapping key** is also chosen from among scalar properties, and serves to uniquely identify any resource during the [Synchronize Data](../../../../user-guide/set-up/synchronization). It must be **unique and immutable**, i.e. must not change during the whole lifecycle of the resource.
+
+> A **mapping key** cannot be based on properties subject to change, such as the display name of any
+> object, or users' title which could be renamed.
+>
+> For example, resources from the AD are usually identified through the `objectGuid` attribute which
+> is therefore specified as **mapping key**.
+
+Commonly used mapping keys are:
+
+- `objectGuid` for the Active Directory
+- `objectid` for Microsoft Entra ID
+- `entryUuid` for LDAP
+- `Identifier` for the directory
+- `Login` for SAB
+- `sapid` for SAP
+- `sys_id` for ServiceNow
+- `EmployeeId` for the HR
+
+Since the mapping is able to uniquely identify any resource, NETWRIX recommends that your **mapping key** is always part of your **key properties**.
+
+## Select the Entity Type's Keys
+
+Create an entity type by proceeding as follows:
+
+1. Start by defining the entity type's scalar properties. See the [Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition) topic for additional information.
+
+ ![Keys](/images/identitymanager/entitytypecreation_keys_v522.webp)
+
+2. In the entity type's **Properties** section, choose the **key properties**.
+3. Choose the **mapping key**.
+4. Click on **Create & Close** > **Create** to save your changes.
+
+## Reload
+
+Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made.
+
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
+
+The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page.
+
+You can find the **Reload** button either on the green warning, or on the connector's dashboard.
+
+## Next Steps
+
+After the entity type is created with its scalar properties and keys, you can [Define Navigation Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition) and/or [Set Resources' Display Names](../../../../user-guide/set-up/connect-system/entity-type-creation/display-name-setting).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md
new file mode 100644
index 0000000000..e9306307aa
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md
@@ -0,0 +1,155 @@
+---
+title: "Define **navigation properties**"
+description: "Define **navigation properties**"
+sidebar_position: 40
+---
+
+# Define **navigation properties**
+
+How to define the properties which describe the [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype)'s relationships to other entity types.
+
+## Overview
+
+Here you will learn to define **navigation properties**, which contain scalar values just like scalar properties, but which are also linked to and point to other properties:from the same entity type or to another entity type. See the [Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition) topic for additional information.
+
+> For example, `memberOf` can contain a list of groups, thus linking a user to groups, and a group
+> to other groups. In the UI, `memberOf` is displayed just like scalar properties, but you can click
+> its values to access each group in the list. Here for the AD entry `ADM Vidal Pierre`:
+>
+> ![Navigation Property - memberOf](/images/identitymanager/entitytypecreation_memberof_v600.webp)
+>
+> Clicking on one of these groups will display the group"​™s properties, including the other side of
+> the `memberOf` property:called `member`:which contains the list of users and groups who are
+> members. Example: `SG_APP_RAY_0_LDAP_READLDSFEDE`:
+>
+> ![Navigation Property - member](/images/identitymanager/entitytypecreation_member_v600.webp)
+
+> As another example, a department is linked to a manager who is an existing user. The user
+> identifier is used in the `Manager` property to create the link between department and manager.
In
+> the UI, `Manager` is displayed like scalar properties, but you can click it to access the
+> manager"​™s page:
+>
+> ![Navigation Property - Manager](/images/identitymanager/entitytypecreation_manager_v600.webp)
+>
+> Clicking the manager displays their properties, including the `Department` property, which points
+> back to the managed department:
+>
+> ![Navigation Property - Managed Department](/images/identitymanager/entitytypecreation_managerof_v600.webp)
+
+**navigation properties** can create a link:
+
+- inside an entity type;
+- between two entity types from the same connector;
+- between two entity types from different connectors.
+
+Inside Identity Manager, a navigation property has a flip side:one for each linked element.
+
+For example, in AD:
+
+- `member`: for groups (contains a list of users)
+- `memberOf`: for users (contains a list of groups)
+
+Some systems only expose one side. For example, AD only exposes `member` on groups. Users don"​™t have `memberOf`. But Identity Manager links both sides, translating the info to simulate bidirectionality.
+
+When importing from AD, `member` updates Identity Manager's `member`, which then updates `memberOf`.
+
+Most properties in Identity Manager are linked to those in the managed system so data can be imported and stored correctly. These mappings are configured in Step 3 below.
+
+If a property doesn"​™t exist in the source system, you can still create it using **+ Add a navigation property**. This is useful for storing internal-use data that the connected system can"​™t read or write.
+
+**---**
+
+## Define the Entity Type's **navigation properties**
+
+Define **navigation properties** by following these steps:
+
+1. Start by declaring an [Entity Type](../../../../user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration).
+2. In the entity type's **Properties** section, click on the ****navigation properties**** tab.
+3. 
Click **Map a navigation property** to display existing columns from the external source, then
+select the ones to use.
+4. Fill in the information fields:
+
+ ![**navigation properties**](/images/identitymanager/entitytypecreation_navigationproperties_v602.webp)
+
+If you map a column from the source, the first line is for the source column, and the second is the new navigation property in Identity Manager (always in the entity type).
+
+### Application Metadata Fields
+
+- `Identifier`: Unique, no whitespace, must be C#-compatible.
+[See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure)
+- `Entity Type`: Always refers to the entity type of the second property.
+- `Storage Indicator`: Describes the association:
+
+ - **Mono-valued** (1:1 or many:1)
+ - **Multi-valued** (1:many or many:many)
+
+Identity Manager can store up to 25 **optimized** mono-valued nav properties. Prioritize:
+
+ 1. Properties used in forms/search bars
+ 2. Properties used in expressions/role models
+ 3. Others
+
+- `Name`: Displayed in the UI.
+
+**Conventions:**
+
+ - Mono-valued → singular
+ - Multi-valued → plural
+ - Names/IDs cannot be "Id"
+
+### External System Fields
+
+- `Source`: Source connection for the data.
+
+ - Auto-select from the **mapped** source
+ - Choose from other entity types in the same connector
+ - Use the search icon to select across connectors
+
+- `Source Column`: Column where data comes from
+- `Column Content`: Which attribute (e.g. `dn`, `id`) to use for matching resources
+
+> Example: If the source column `manager` contains user `dn`s, select `dn` as source content.
+
+> Common AD **navigation properties**:
+> `Entries`, `assistant`, `assistantOf`, `manager`, `directReports`, `memberOf`, `member`,
+> `parentdn`, `children`
+
+**> ![AD Entity Type - **navigation properties**](/images/identitymanager/entitytypecreation_examplead3_v603.webp)**
+
+5. Click the gear icon to access advanced settings:
+
+ ![Advanced Settings](/images/identitymanager/entitytypecreation_propertiessettings_v602.webp)
+
+ - `Icon`: Choose from [Microsoft icon set](https://uifabricicons.azurewebsites.net/)
+ - **Source Expression**: Define using a property path or
+[expression](../../../../integration-guide/toolkit/expressions)
+
+ > Example: Scalar `isUnused` created by combining `accountExpires` and `lastLogonTimestamp`
+>
+ > ![Source Expression Example](/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp)
+
+ - `Flexible Comparison Expression`: Adds advanced search matching
+ - `History Precision`: Set how often property history is recorded
+
+ > Example: `lastLogonTimestamp` changes often. Without limiting historization, the database
+ > fills quickly.
+ > Set `History Precision` to 1 week (10080 min) to only record weekly changes.
+
+Clicking **Continue** closes the window but **does not save** the configuration.
+
+**---**
+
+## Reload
+
+After saving, a green banner reminds you to reload the schema. It"​™s not necessary after every step:but is **required after the final step** to apply changes.
+
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
+
+The **Reload** button ensures updates appear in the menu links on the UI home page. You"​™ll find it either in the banner or on the connector dashboard.
+
+**---**
+
+## Next Steps
+
+Once the entity type is defined:with scalar properties, keys, and navigation properties:you can [Set Resources' Display Names](../../../../user-guide/set-up/connect-system/entity-type-creation/display-name-setting).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md
new file mode 100644
index 0000000000..22d0d4ddc4
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md
@@ -0,0 +1,137 @@
+---
+title: "Define **scalar** Properties"
+description: "Define **scalar** Properties"
+sidebar_position: 20
+---
+
+# Define **scalar** Properties
+
+How to define the simple, or **scalar**, properties of an [Entity Type](../../../../integration-guide/toolkit/xml-configuration/metadata/entitytype)'s resources.
+
+## Overview
+
+Here you will learn how to define **scalar** properties, which contain **scalar** values, mostly based on the properties from the corresponding managed system.
+
+> For example: `DisplayName`; `Email`; `Identifier`; `StartDate`; etc.
+>
+> ![**scalar** Properties](/images/identitymanager/entitytypecreation_scalarex_v600.webp)
+
+Most often, properties inside Identity Manager are each linked to a property from the managed system. This way, data from the managed system can be imported into Identity Manager and stored in the corresponding property. These properties are **mapped** from the source (see step 2).
+
+If the property to be created does not exist in the external source, it is impossible to map the property, but it can still be created with **+ Add a **scalar** property**.
+
+This can be used to store data needed for assignment management, but which you cannot write to the connected system. Since these properties do not exist in the connected system, they cannot be written or read.
+
+For example, we may need to create in the AD the property `isUnused` to spot unused accounts. It would be configured with a C# expression based on other properties from the same entity type. These properties, such as `accountExpires` and `lastLogonTimestamp`, are each linked to a property from the AD, while `isUnused` is for governance and surveying AD accounts.
+
+Such properties do not exist in the AD, and thus will never be written to the AD, nor overwritten by any property from the AD, but will be recalculated based on the other properties.
+
+## Define the Entity Type's **scalar** Properties
+
+Define the entity type's **scalar** properties by proceeding as follows:
+
+1. Start by declaring the [Create the Entity Type](../../../../user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration).
+2. In the entity type's **Properties** section, click on **Map **scalar** properties** to display
+existing columns from the external source, and select the properties to be used in the entity type.
+
+ ![Map from source](/images/identitymanager/entitytypecreation_scalarpropertiesmap_v602.webp)
+
+You need to configure at least one property to be able to define primary keys later, and thus create an entity type.
+
+3. Fill in the information fields.
+
+ ![**scalar** properties](/images/identitymanager/entitytypecreation_scalarproperties_v603.webp)
+
+ - **APPLICATION METADATA**: fields about the future display of the properties inside Identity
+Manager.
+
+ - `Identifier`: must be unique among properties, without any whitespace, and be
+C#-compatible. [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure).
+ - `Name`: will be displayed in the UI to indicate the property.
+
+Entity properties' names and identifiers cannot be "Id".
+
+ - `Format`: format used for the property's display in Identity Manager, for search tools and
+computation based on said property. **Do not keep the default string format if the property is not a string**. See the [References: Format for the EntityPropertyMapping](../../../../integration-guide/connectors/entitypropertymapping-format) topic for additional information.
+
+ > For example, dates, booleans, integers, etc.
+
+For one entity type, Identity Manager can store up to 128 **scalar** properties of any format, and an unlimited number of binaries which are stored differently. Among these 128 properties, only 4 can be formatted as more-than-443-character strings (with a limit of 4,000 characters), and 124 as less-than-443-character strings.
+
+ - **EXTERNAL SYSTEM**: fields about the corresponding properties inside the connected system.
+
+ - `Source Column`: column in the external system where the property data comes from.
+Advanced settings can be configured according to the description below.
+ - `Format`: for **mapped** properties, format used to convert a value during export and fulfill
+from Identity Manager to the connected system, whenever different from a string.
+ > To continue with the `AD - Entry` entity type, we map all the properties we need:
+>
+ > `accountExpires`; `c`; `cn`; `comment`; `company`; `department`; `description`;
+ > `displayName`; `division`; `dn`; `employeeId`; `employeeNumber`; `employeeType`;
+ > `extensionAttribute10`; `extensionAttribute11`; `givenName`; `groupType`;
+ > `homeDirectory`; `homeDrive`; `initials`; `l`; `lastLogonTimestamp`; `mail`; `mobile`;
+ > `objectCategory`; `objectGuid`; `objectSid`; `ou`; `pwdLastSet`; `rdn`;
+ > `sAMAccountName`; `scriptPath`; `sn`; `st`; `telephoneNumber`; `thumbnailPhoto`;
+ > `title`; `uid`; `userAccountControl`; `userPrincipalName`; `whenCreated`.
+>
+ > We create the properties that do not exist in the external system: `AppName`;
+ > `businessCategory`; `isUnused`; `thumbnailPhotoTag`.
+>
+ > Some of them have a specific format in case of provisioning to the managed AD like
+ > `thumbnailPhoto` of format `Binary` or `objectCategory` as `RDN` or `pwdLastSet` as
+ > `1601 Date`.
+>
+ > ![AD Entity Type - **scalar** Properties](/images/identitymanager/entitytypecreation_examplead2_v602.webp)
+
+4. Click on the Gear symbol to add advanced settings if needed.
+
+ ![Advanced Settings](/images/identitymanager/entitytypecreation_propertiessettings_v602.webp)
+
+ - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and
+will be displayed with the property among users' data.
+ - **Source Expression**: expression that defines the property based on at least one source
+object. Can be defined by a property path and/or [Expressions](../../../../integration-guide/toolkit/expressions).
+
+ > For example, `isUnused` is created to spot unused accounts via a combination of
+ > `accountExpires` and `lastLogonTimestamp`:
+>
+ > ![Advanced Settings](/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp)
+
+ - `Flexible Comparison Expression`: expression that inserts adaptable comparison flexibility
+when using a searchbar for the property.
+ - `History Precision`: time period over which Identity Manager historically records only one
+value.
+
+ > For example, the `lastLogonTimestamp` property of an AD resource is modified every time
+ > the user connects to the application. Every modification triggers the historization of all
+ > properties for said resource inside the database. Hence, the database can quickly become
+ > full of data. In order to lighten the database, we can set the `History Precision` option
+ > to one week (10080 minutes) so that resources are historized once a week at most
+ > (concerning changes on `lastLogonTimestamp`). In the meantime, in case of a change,
+ > instead of historizing resources with all their properties, only `lastLogonTimestamp` is
+ > updated with the new value.
+
+Clicking on **Continue** closes the pop-up window so that you can continue the configuration of the entity type. **But it does not save anything**.
+
+## Reload
+
+Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made.
+
+![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
+
+The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page.
+
+You can find the **Reload** button either on the green warning, or on the connector's dashboard.
+
+## Next Steps
+
+Before saving, you must first [Select Primary Keys](../../../../user-guide/set-up/connect-system/entity-type-creation/key-selection)for the entity type.
+
+## Troubleshooting
+
+If the Format column is not displayed in the External System part, then:
+
+![**scalar** properties](/images/identitymanager/entitytypecreation_scalarpropertieswithoutformat_v522.webp)
+
+Refresh the connections' schemas.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/connect-system/index.md b/docs/identitymanager/6.3/user-guide/set-up/connect-system/index.md
new file mode 100644
index 0000000000..5e377975b2
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/connect-system/index.md
@@ -0,0 +1,128 @@
+---
+title: "Connect to a Managed System"
+description: "Connect to a Managed System"
+sidebar_position: 60
+---
+
+# Connect to a Managed System
+
+How to create a new [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector) using the provided SaaS agent. See the [Architecture](../../../introduction-guide/architecture) topic for additional information.
+
+Identity Manager provides demo applications [Run the Banking Demo Application](../../../integration-guide/connectors/configuration-details/demoapp-banking) and [Run the HR Demo Application](../../../integration-guide/connectors/configuration-details/demoapp-hr) to help set up connectors, test them, and understand Identity Manager's abilities towards external systems.
+
+## Overview
+
+Connectors are the mechanisms that enable Identity Manager to read and write data to/from your organization's systems. The feedback mechanism ensures Identity Manager's reliability.
+
+In this documentation, we talk about managed systems (sometimes called external systems) to refer to third-party applications, i.e. the applications used in your organization, such as Active Directory, ServiceNow, EasyVista, SAP, SharePoint, etc.
+
+A connector, therefore, acts as an interface between Identity Manager and a managed system.
+
+![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp)
+
+NETWRIX strongly recommends the creation of one connector for one application.
+
+> For example, integrators may create an `AD` connector with the goal of importing an Active
+> Directory's data into Identity Manager, and writing to the Active Directory from Identity Manager,
+> either manually for administration accounts, or automatically for basic accounts.
+>
+> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for
+> users in SharePoint.
+
+### Data Flows
+
+In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity Manager will feed data into connected managed systems.
+
+![Outbound System=](/images/identitymanager/connectorcreation_outbound.webp)
+
+In this case, data flows between Identity Manager and the managed system are also called:
+
+- synchronization in the "managed system-to-Identity Manager" direction;
+- provisioning in the "Identity Manager-to-managed system" direction.
+
+For a connector's synchronization, Identity Manager provides tools to perform a basic extraction of the system's data in the form of CSV files. These files are cleaned and loaded into Identity Manager. In other words, synchronizing means taking a snapshot of the managed system's data and loading into Identity Manager.
+
+For provisioning, Identity Manager generates provisioning orders and the connector provides tools to either automatically write these orders to the managed system or to create a ticket for manual provisioning.
+
+> For example, we can use the data from Identity Manager's Identity repository to fill in later the
+> AD's fields, such as users' display names based on their first names and last names from the
+> repository. See the [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
+Identity Manager can also benefit from inbound connectors, that will write data to Identity Manager's central identity repository. While both inbound and outbound connectors allow data to flow both ways, they do not work in the same manner.
+
+### Technical principles
+
+Identity Manager's connectors all operate on the same basic principles. Technically speaking:
+
+> For example, let's say that we want to connect Identity Manager to our Active Directory, or AD.
+
+- a connector must be created, first as a named container which will include the connections and
+entity types related to one managed system;
+
+ > We create a connector named `AD` (so far, an empty shell).
+
+- A [Connector](../../../integration-guide/toolkit/xml-configuration/connectors/connector)
+is linked to an agent which acts as the go-between for Identity Manager's server and the managed system;
+
+ > Our `AD` connector uses the provided SaaS agent.
+
+- A [Connection](../../../integration-guide/toolkit/xml-configuration/connectors/connection)
+describes the technology used that enables data to flow back and forth between Identity Manager and the managed system;
+
+ > We want to use a connection `Directory/Active Directory` to perform synchronization and
+ > automated provisioning, and a second connection `Ticket/identitymanager` to perform manual
+ > provisioning through Identity Manager.
+
+You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), and generic connections to communicate with any application (CSV, Powershell, RobotFramework, SQL, etc.).
+
+- the shape of the extracted managed system's data is modeled by [Entity Type](../../../integration-guide/toolkit/xml-configuration/metadata/entitytype) (we will use the term resource to refer to an entity type that has been instantiated);
+
+ > We create a single entity type `AD - Entry` which contains all the attributes that will
+ > describe its resources, i.e. AD groups and users. The attributes include the department, the
+ > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the
+ > parent dn, etc.
+
+- The intent of resources within the managed system is made clear by categorizing resources into [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation). See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information.
+
+ > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic
+ > accounts, which we want Identity Manager to provision automatically;
+ > `AD User (administration)` for sensitive administration accounts, which we want to provision
+ > manually through Identity Manager.
+
+![Connector Technical Schema](/images/identitymanager/connectorcreation_connectortechnicalschema.webp)
+
+A connector requires at least one connection and one entity type.
+
+When provisioning a managed system, the corresponding connector also needs at least one resource type.
+
+**Local vs. Saas agents:** To simplify things, Identity Manager has made it possible to start configuring connectors without installing a local agent in your organization's network. Instead, you can use the agent integrated with Identity Manager's server in the Cloud (SaaS agent).
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the functional and technical details of the application.
+
+ | Input | Output |
+ | --- | --- |
+ | Administrator account for the Development Environment (required) Identity repository (required) User Profile (required) | Connector Connected System |
+
+See the [Install the Development Environment](../../../user-guide/set-up/development-environment-installation), [Create the Workforce Repository](../../../user-guide/set-up/initial-identities-loading), and [Configure a User Profile](../../../user-guide/set-up/user-profile-configuration) topics for additional information.
+
+## Create a Target Connector
+
+For one managed system, create a connector by proceeding as follows:
+
+1. Outside Identity Manager, [Model the Data](../../../user-guide/set-up/connect-system/connector-modeling).
+2. [Create the Connector](../../../user-guide/set-up/connect-system/connector-declaration) for said managed system.
+3. Enable the technical transfer of data by creating and configuring [Create a Connection](../../../user-guide/set-up/connect-system/connection-creation).
+4. Set up [Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation) to represent the data model decided upon in step 1.
+
+**Connector modification:** The process for modifying a connector is not so different from the process for creating a connector, as you mainly modify the fields specified during creation. However, keep in mind that **a connector must be deactivated before modification**, in order to withdraw the connector's synchronization- and provisioning-related tasks from any jobs. See below this note.
+
+You can activate the connector again at any time using the same button.
+
+![Jobs Results Dashboard](/images/identitymanager/synchro_dashboard_v522.webp)
+
+## Next Steps
+
+Once the connector has been created, you can start to [Synchronize Data](../../../user-guide/set-up/synchronization).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/development-environment-installation.md b/docs/identitymanager/6.3/user-guide/set-up/development-environment-installation.md
new file mode 100644
index 0000000000..78a7327b9c
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/development-environment-installation.md
@@ -0,0 +1,38 @@
+---
+title: "Install the Development Environment"
+description: "Install the Development Environment"
+sidebar_position: 10
+---
+
+# Install the Development Environment
+
+How to connect to Identity Manager's SaaS environment to set up the development environment.
+
+When using Identity Manager's on-premise option, follow the procedure of installation of the bootstrap version. See the [Quick Start Guide](../../installation-guide/quick-start) topic or additional information.
+
+## Overview
+
+The installation of Identity Manager's production environment usually takes time, while we want to start configuring at once.
+
+This is why Identity Manager offers a bootstrap version of the application, useful as a development environment.
+
+## Participants and Artifacts
+
+Integrators must be in contact with Netwrix Identity Manager (formerly Usercube) to be able to get infos about the SaaS tenant URL and authentication.
+
+ | Input | Output |
+ | --- | --- |
+ | - | Development environment |
+
+## Install the Development Environment
+
+The documentation is not yet available for this part and will be completed in the near future.
+
+## Verify Environment Installation
+
+In order to verify the process, try to authenticate to Identity Manager server, and access the configuration screens.
+
+## Next Steps
+
+Once the development environment is ready, integrators can start to [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/index.md b/docs/identitymanager/6.3/user-guide/set-up/index.md
new file mode 100644
index 0000000000..86477d5e0a
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/index.md
@@ -0,0 +1,120 @@
+---
+title: "Set Up"
+description: "Set Up"
+sidebar_position: 20
+---
+
+# Set Up
+
+- [Install the Development Environment](../../user-guide/set-up/development-environment-installation)
+
+How to connect to Identity Manager's SaaS environment to set up the development environment.
+
+- [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading)
+
+How to initiate the repository for workforce identities by loading identities into Identity Manager with the right attributes.
+
+- [Configure Unique Property Generation](../../user-guide/set-up/initial-identities-loading/generate-unique-properties)
+
+How to configure Identity Manager to generate unique identifiers, mails and logins for any user who does not have them already.
+
+- [Load Identities to Identity Manager](../../user-guide/set-up/initial-identities-loading/load-identities)
+
+How to load identities into Identity Manager for the first time using a basic data model in the form of a template MS Excel file.
+
+- [Template Description](../../user-guide/set-up/initial-identities-loading/template-description)
+
+Description of the MS Excel template for the creation of the identities repository.
+
+- [Adjust the Workforce Data Model](../../user-guide/set-up/initial-identities-loading/adjust-datamodel)
+
+How to select the properties to be part of the data model for the workforce repository (therefore displayed in the UI), and choose their optimal displaying mode.
+
+- [Configure a User Profile](../../user-guide/set-up/user-profile-configuration)
+
+How to tweak the permissions for actions within Identity Manager, for a standard set of basic Identity Manager profiles.
+
+- [Configure Onboarding Workflows](../../user-guide/set-up/configure-workflows)
+
+How to adjust the parameters of onboarding workflows.
+
+- [Connect to a Managed System](../../user-guide/set-up/connect-system)
+
+How to create a new connector using the provided SaaS agent.
+
+- [Model the Data](../../user-guide/set-up/connect-system/connector-modeling)
+
+How to choose the appropriate model for a connector's data.
+
+- [Create the Connector](../../user-guide/set-up/connect-system/connector-declaration)
+
+How to create the technical container of a connector.
+
+- [Create a Connection](../../user-guide/set-up/connect-system/connection-creation)
+
+How to create a connection inside a connector and choose the appropriate package.
+
+- [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation)
+
+How to create an entity type that corresponds to the connector model.
+
+- [Synchronize Data](../../user-guide/set-up/synchronization)
+
+How to launch data synchronization, i.e. read managed systems' data and load it into Identity Manager.
+
+- [Categorize Resources](../../user-guide/set-up/categorization)
+
+How to correlate managed systems' resources with identities, classifying resources into resource types.
+
+- [Create a Resource Type](../../user-guide/set-up/categorization/resource-type-creation)
+
+How to create the container for future correlation and classification rules inside a given managed system.
+
+- [Correlate Resources](../../user-guide/set-up/categorization/correlation)
+
+How to define correlation rules to match up resources across systems, usually accounts with their owner.
+
+- [Classify Resources](../../user-guide/set-up/categorization/classification)
+
+How to define classification rules in order to classify remaining uncorrelated resources, assigning them resource types.
+
+- [Create a Provisioning Rule](../../user-guide/set-up/provisioning-rule-creation)
+
+How to define scalar rules, navigation rules and/or query rules to compute and provision target resources values from source resources values.
+
+- [Create Resources](../../user-guide/set-up/provisioning-rule-creation/resource-creation)
+
+How to define resource type rules to create new (target) resources for given users, computing and provisioning their properties based on source resources.
+
+- [Compute a Scalar Property](../../user-guide/set-up/provisioning-rule-creation/scalar-property-computation)
+
+How to define scalar rules to compute and provision the values of scalar properties for target resources based on source resources.
+
+- [Compute a Navigation Property](../../user-guide/set-up/provisioning-rule-creation/navigation-property-computation)
+
+How to define navigation rules and/or query rules to compute and provision the values of navigation properties for target resources based on source resources.
+
+- [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation)
+
+How to define single roles to model entitlements, and organize them inside the role catalog, basis of the role model.
+
+- [Create Roles in Bulk](../../user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation)
+
+How to create role naming rules, which create single roles using existing naming conventions from the managed system.
+
+- [Create a Category](../../user-guide/set-up/single-roles-catalog-creation/category-creation)
+
+How to structure roles into categories.
+
+- [Create a Role Manually](../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation)
+
+How to create single roles manually.
+
+- [Assign Users a Profile](../../user-guide/set-up/user-profile-assignment)
+
+How to assign Identity Manager's access permissions to users through profiles.
+
+- Manage Role Officers
+
+How to manage role officers in order to ensure the approval for entitlement assignments.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/adjust-datamodel.md b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/adjust-datamodel.md
new file mode 100644
index 0000000000..bd0661894e
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/adjust-datamodel.md
@@ -0,0 +1,105 @@
+---
+title: "Adjust the Workforce Data Model"
+description: "Adjust the Workforce Data Model"
+sidebar_position: 40
+---
+
+# Adjust the Workforce Data Model
+
+How to select the properties to be part of the data model for the workforce repository (therefore displayed in the UI), and choose their optimal displaying mode.
+
+## Overview
+
+After you created the initial version of the workforce repository, Identity Manager provides an easy method to optimize the structure of the data model, for example preventing empty fields in the UI.
+
+According to the number of resources in the organization, Identity Manager's analysis of the data model's usage suggests:
+
+- to remove unused entity types (country, site, gender, subsidiary, etc.) from the data model and
+from the UI;
+- to remove unused properties (phone number of a user, position end date, town of a site, etc.) from
+fields to fill in the workflows for entity creation, except for properties that are essential to Identity Manager's operation and thus ensured to be part of the data model (e.g. the contract's start date);
+- an optimized display mode in the UI for all entity types, and for the fields which link to another
+entity (manager of a department, contract type of a user, gender of a user, etc.) and thus require a query tool (dropdown box, search bar, etc.).
+
+You can then make your own choice about activating/deactivating/re-activating any property, and you will be able to make modifications at any time.
+
+## Participants and Artifacts
+
+Integrators may need the help of the **HR department** who know the organization.
+
+ | Input | Output |
+ | --- | --- |
+ | IdentityManagerServer (required) Initial workforce repository (required) | Adjusted workforce repository |
+
+See the [Install the Development Environment](../../../user-guide/set-up/development-environment-installation) and [Load Identities to Identity Manager](../../../user-guide/set-up/initial-identities-loading/load-identities) topics for additional information.
+
+## Adjust the Data Model
+
+Adjust the data model by proceeding as follows:
+
+1. On the home page, click on **Settings** in the **Configuration** section.
+
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
+
+2. On the **Workforce** > **Data Model** page, click on the following icon to adjust the data model
+to your specific situation.
+
+ ![Scan Data Model](/images/identitymanager/iconscandatamodel_v602.svg)
+
+ ![Scan Data Model](/images/identitymanager/initialload_scandatamodel_v60.webp)
+
+Identity Manager counts the entries for each attribute and suggests a quantification:
+
+ - Empty attributes are deactivated as they should be excluded to simplify the data model.
+ - Non-empty attributes are quantified (e.g. small, large, etc.) to be displayed in the UI's
+forms optimally (e.g. dropdown list, search tool, etc.).
+
+ ![Scan Data Model - Result](/images/identitymanager/initialload_scandatamodel-result_v523.webp)
+
+3. Observe the result and adjust manually the data model if needed, by clicking on the properties.
+
+While Identity Manager suggests a structure for the data model, the choice is yours to activate/deactivate any property.
+
+ > For example, empty attributes should be excluded to simplify the data model. However, you can
+ > choose to keep an empty property anyway if you know that you want to fill it in later.
+
+Note that Identity Manager stays authoritative to activate some properties that are mandatory for Identity Manager's operation.
+
+For example the contract's start date is necessary for Identity Manager's workflows.
+
+Modifications can be performed later, decisions can be reconsidered. See the [Modify the Identity Data Model](../../../user-guide/optimize/identity-datamodel-modification) topic for additional information.
+
+4. Click on the Save icon at the top.
+
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
+
+5. Click on the **Reload** button to apply the recent changes to the application.
+
+ ![Reload Button](/images/identitymanager/reload_v603.webp)
+
+## Verify Identities Loading
+
+In order to validate the process:
+
+1. Choose a test field and note its displaying mode.
+
+ > For example, our `Region` field in `Site` is sized as `large`.
+>
+ > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example_v523.webp)
+
+2. Navigate within Identity Manager to find a workflow using the test field. Observe the displaying
+mode in the UI.
+
+ > Our `State` field must be filled in during the creation of a new site. It can be filled by
+ > opening a pop-up and choosing the region in the list.
+>
+ > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example2_v523.webp)
+>
+ > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example3_v523.webp)
+
+3. Back on the scanning feature, change the displaying mode of your test field and save.
+
+ > We change `large` to `extra small`.
+
+4. Verify the test field's displaying mode.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/generate-unique-properties.md b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/generate-unique-properties.md
new file mode 100644
index 0000000000..6132615818
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/generate-unique-properties.md
@@ -0,0 +1,107 @@
+---
+title: "Configure Unique Property Generation"
+description: "Configure Unique Property Generation"
+sidebar_position: 10
+---
+
+# Configure Unique Property Generation
+
+How to configure Identity Manager to generate unique identifiers, mails and logins for any user who does not have them already.
+
+## Overview
+
+All users need to:
+
+- be uniquely identifiable through an identifier, for example in order to link all accounts to their
+owners;
+- have a reserved **unique email address**, even if they do not need a mailbox;
+- have a **unique login** that can be used as a seed for all users' accounts.
+
+For each unique property, Identity Manager provides a set of generation rules. You are free to choose the most adequate method regarding your actual approach.
+
+An identifier/email/login suffix can be specified later according to users' contract types, when loading identities through an Excel template. See the [Load Identities to Identity Manager](../../../user-guide/set-up/initial-identities-loading/load-identities) topic for additional information. For example, contractors can get `-ext` added automatically to their email addresses. The unicity checks performed for identifiers/emails/logins do not consider prefixes nor suffixes.
+
+For example, `john.doe@acme.com` and `john.doe-ext@acme.com` cannot exist simultaneously.
+
+## Participants and Artifacts
+
+Integrators may need the help of the **HR department** to understand the actual approach of the organization to compute these unique properties.
+
+ | Input | Output |
+ | --- | --- |
+ | IdentityManagerServer (required) | Generation rules for unique properties |
+
+See the [Install the Development Environment](../../../user-guide/set-up/development-environment-installation) topic for additional information.
+
+## Configure Unique Property Generation
+
+Configure the generation of unique properties by proceeding as follows:
+
+1. On the home page, click on **Settings** in the **Configuration** section.
+
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
+
+2. On the **Workforce** > **Identifiers, Mails & Logins** page, you can follow Identity Manager's
+instructions to configure the generation of a **unique identifier** for new workers (if needed), based on one of the available options.
+
+ ![**unique identifier** Generation](/images/identitymanager/initialload_uniqueidentifier_v602.webp)
+
+ - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all
+special characters; can add a separator between the first name and the last name if needed (such as `.` most often); in case of homonyms, appends a sequence number to the full name.
+ - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more
+letters of the first name up to the whole first name; in case of homonyms still, appends a sequence number to the full name.
+ - `Random Number`: uses a random number with a default prefix which is used when no specific
+prefix is specified on the user's contract type.
+
+Netwrix Identity Manager (formerly Usercube) recommends using random numbers, as they have the advantage of not containing any personal information nor giving any hint about the users' seniority.
+
+ - `Sequence`: uses a sequence with a default prefix which is used when no specific prefix is
+configured on the user's contract type.
+
+3. Follow Identity Manager's instructions to configure the generation of a **unique email address** for
+all users (who do not have one), based on one of the available options.
+
+ ![Unique Email Generation](/images/identitymanager/initialload_uniqueemail_v602.webp)
+
+ - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all
+special characters; can add a separator between the first name and the last name if needed (such as `.` most often); in case of homonyms, appends a sequence number to the full name.
+ - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more
+letters of the first name up to the whole first name; in case of homonyms still, appends a sequence number to the full name.
+ - `Based on **unique identifier**`: uses a combination of the **unique identifier** (defined on the same
+page) and the email domain.
+
+No matter the strategy:
+
+ - the default email domain is used when no specific domain is specified on the user's
+subsidiary;
+ - emails are generated in a way that lets users keep their email address, even if they move
+from contractors to employees, or change to another subsidiary.
+
+4. Follow Identity Manager's instructions to configure the generation of a **unique login** for new
+workers (who do not have one), based on one of the available options.
+
+ ![**unique login** Generation](/images/identitymanager/initialload_uniquelogin_v602.webp)
+
+ - `Based on Email`: uses the local part of the email, i.e. before `@`.
+ - `Based on Full Email`: uses the full email.
+ - `Based on **unique identifier**`: uses the **unique identifier** (defined on the same page) prepended
+with the default prefix when no specific prefix is specified on the user's contract type.
+
+5. Click on the Save icon at the top.
+
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
+
+6. Click on the **Reload** button to apply the recent changes to the application.
+
+ ![Reload Button](/images/identitymanager/reload_v603.webp)
+
+## Verify Property Generation
+
+In order to verify the process, add a fictitious employee through the workflows from the UI.
+
+![Home - New Employee](/images/identitymanager/home_newemployee_v600.webp)
+
+Verify in the directory that the employee's sheet displays the expected values for the configured unique properties.
+
+![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/index.md b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/index.md
new file mode 100644
index 0000000000..fbd5872be6
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/index.md
@@ -0,0 +1,101 @@
+---
+title: "Create the Workforce Repository"
+description: "Create the Workforce Repository"
+sidebar_position: 20
+---
+
+# Create the Workforce Repository
+
+How to initiate the repository for workforce identities by loading identities into Identity Manager with the right attributes.
+
+## Overview
+
+Loading the digital identities into Identity Manager is the very first task you have to perform,once you installed the development environment.
+
+The identity repository is supposed to contain the list of all kinds of identities in the company. Each identity will be represented by a set of properties that are to be used in the calculations for entitlement assignments.
+
+> For example, a user can be represented by an identifier and linked to their position which
+> includes the user's employee id, last name and first name, email, user type, organization, etc.
+>
+> ![Identity Repository Example](/images/identitymanager/identityrepository-example.webp)
+
+> In Identity Manager, the identity repository can look like the following:
+>
+> ![Identity Repository Result](/images/identitymanager/identityrepository_v602.webp)
+>
+> ![Identity Example](/images/identitymanager/identityrepository-person_v602.webp)
+
+See the [Identity Repository](../../../integration-guide/identity-management/identity-repository) topic for additional information.
+
+The **initial workforce repository** is going to be the first version of a comprehensive repository containing **all users** in the organization. This repository is crucial in setting up the identity lifecycle management features and managing assignments of entitlements.
+
+### Creation strategy for the workforce repository
+
+In a nutshell, Identity Manager has made it as easy as a copy-paste from employee and contractor HR files into an MS Excel file.
+
+#### Special properties generation
+
+First, you have to choose rules about how email, login, and internal identifiers are going to be built for new identities, and for existing identities who do not have these unique properties yet.
+
+#### Organizational model creation
+
+Then, you are going to need a **model of the organization's structure** where the identities fit in. This model is supposed to provide valuable information for automation and governance features later.
+
+The model is where you are going to identify for example the type of identities you want to manage (such as employees and contractors), the hierarchical relationships between them, the geographical areas they work in, and so on.
+
+Identity Manager has already built a template model for you, in the form of an Excel file. This basic model is customizable and will be adaptable to most organizations. You can customize it simply by writing information from your organization into said Excel file.
+
+Even if you have more specific or exotic needs that aren't met by this model, it is still a good starting point and a good way to quickly start delivering value. We recommend that you start building your project using this model, identify its limits along the way, and enhance it down the road to make it fit your needs more accurately.
+
+#### Organizational model filling
+
+Then, you write down the actual identities information, still using the same Excel file, using data from HR extractions or other records of contractors and temporary workers. As simple as a copy-paste.
+
+The data you are going to load is analyzed by the engine and some simplifications will be suggested.
+
+**HR synchronization is not enough:**
+
+Another way of handling a part of the initial data loading is to set up an automated synchronization of HR data with Identity Manager.
+
+While it seems to be a good idea, it poses a few problems. Among them:
+
+- a specific IT infrastructure is required and its implementation is likely to delay the project's
+progress;
+- HR data usually misses crucial information (for example contractor data) and is rarely up to date
+early enough to be really useful.
+
+Hence, in order to rather focus on awaited IGA activities, we choose to build the first iteration of the project upon a manual data upload to create the **initial workforce repository**.
+
+## Participants and Artifacts
+
+Integrators may need the help of the **HR department** and its **assistants** who know the organization in order to get the identity and organizational data. After the initial loading, the **HR department** can review the data to confirm its accuracy.
+
+ | Input | Output |
+ | --- | --- |
+ | IdentityManagerServer (required) | **initial workforce repository** |
+ | Organizational chart (required) | |
+ | Third-party staff data (optional) | |
+
+## Create the Workforce Repository
+
+Create the workforce repository by proceeding as follows:
+
+1. [Configure Unique Property Generation](../../../user-guide/set-up/initial-identities-loading/generate-unique-properties) for **all users**, pre-existing and new, who do not have them yet.
+2. [Load Identities to Identity Manager](../../../user-guide/set-up/initial-identities-loading/load-identities) to Identity Manager based on the recommended attributes from the provided organizational model
+[Template Description](../../../user-guide/set-up/initial-identities-loading/template-description).
+3. [Adjust the Workforce Data Model](../../../user-guide/set-up/initial-identities-loading/adjust-datamodel) following Identity Manager's suggestions.
+4. Continue with the next steps of this guide, and come back later to fill the organizational model with additional data.
+
+## Next Steps
+
+Once the initial identities are loaded, integrators can start the User Profile configuration. See the [Configure a User Profile](../../../user-guide/set-up/user-profile-configuration) topic for additional information.
+
+From there you will be able to keep your repository up to date:
+
+- concerning identity data through workflows;
+- concerning the data model
+
+The initial identities loading also enables:
+
+- HR connector creation.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/load-identities.md b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/load-identities.md
new file mode 100644
index 0000000000..d4cc76c036
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/load-identities.md
@@ -0,0 +1,160 @@
+---
+title: "Load Identities to Identity Manager"
+description: "Load Identities to Identity Manager"
+sidebar_position: 20
+---
+
+# Load Identities to Identity Manager
+
+How to load identities into Identity Manager for the first time using a basic data model in the form of a template MS Excel file.
+
+## Overview
+
+Loading the digital identities into Identity Manager is the very first task you have to perform, once you installed the development environment.
+
+The initial workforce repository is going to be the first version of a comprehensive directory containing all users in the organization. This directory is crucial in setting up the identity lifecycle management features and managing assignments of entitlements.
+
+Identity Manager contains a template model, downloadable as an Excel file. Below is an example of a part of the `UserRecord` tab, used in Identity Manager's demo:
+
+![Template Example](/images/identitymanager/initialload_templateexample_v602.webp)
+
+### Useful data
+
+Not all data is useful for identity governance and administration. Thus, to start designing the repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the data that:
+
+- needs to be provisioned to the managed applications;
+
+ > For example, if you need to provision users' phone numbers in a given application, then you
+ > should fill in the workforce repository's `Phone Number` property.
+
+- is needed to manage identities' lifecycles;
+
+ > For example, consider that internal employees must be managed by HR officers only, then you'll
+ > need to identify whether users are internal employees or external contractors. Then you should
+ > make sure that you fill an `Employee Type` property with at least two values: one for internal
+ > employees, and one for external contractors.
+
+- is needed to automatically grant permissions.
+
+ > For example, if a user's position title ("manager" for instance), defines what users currently
+ > do, and thus what permissions they need, then you should make sure to fill in a property
+ > storing the position's title in the workforce repository.
+
+## Participants and Artifacts
+
+Integrators may need the help of the **HR department** who knows the organization in order to get the identity and organizational data. After the initial loading, the **HR department** can review the data to confirm its accuracy.
+
+ | Input | Output |
+ | --- | --- |
+ | IdentityManagerServer (required) | Initial workforce repository |
+HR data (required) | | Third-party staff data (optional) | |
+
+See the [Install the Development Environment](../../../user-guide/set-up/development-environment-installation) topic for additional information.
+
+## Load Identities
+
+Load identities for the first time by proceeding as follows:
+
+1. On the home page, click on **Settings** in the **Configuration** section.
+
+ ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp)
+
+2. On the **Workforce** > **Data Upload** page, download the empty Excel template.
+
+ ![Upload Icon](/images/identitymanager/icondownload_v602.svg)
+
+3. Collect identity and organizational data.
+
+If you don't know where to start, identities most often include **long-term employees, temporary employees** (such as interns and temps) **and external contractors**. The template contains a `UserType` tab that lists all the types of workers that you want to include, i.e. the usual identities listed just before, but also partners, clients, even applications.
+
+Workforce should include obviously all current workers, but also incoming workers, and those who left the organization in the past XXX (time period defined by the rules of the security officer). It is interesting to have past workers in order to understand the process and ensure that they are supposed to be orphaned. See the [Review Orphaned and Unused Accounts](../../../user-guide/administrate/orphan-unused-account-review) topic for additional information.
+
+**Employees**
+
+The workers that are directly employed by the organization usually have their data stored in the **HR system**.
+
+**Contractors**
+
+Often third-party workers like contractors are not part of the **HR system**. Then, there are a few possible solutions to get their data:
+
+ - through **purchasing department** if it doesn't imply any personal data security breach;
+ - **manually** with knowledgeable people, for example department managers and assistants;
+ - through a filter on data from available directories, for example on the email address if it
+contains a specific string like `.ext@`;
+ - through an **Active Directory extraction** with a filter on an attribute that works with a
+specific part, for example on the employee identifier.
+
+4. Fill said template with the data you collected.
+
+The Excel file contains several tabs which organize data, but not all tabs and columns are mandatory. You can find **more details about the [Template Description](../../../user-guide/set-up/initial-identities-loading/template-description)**. Below are the minimum recommended attributes (mandatory in orange):
+
+ ![Template Recommendations](/images/identitymanager/initialload_templatereco_v600.webp)
+
+[**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx).
+
+Every object (so every tab) of the directory must have a **key**, which is an attribute:
+
+ - **unique**, i.e. designed to uniquely identify an object/resource, one key can't be shared;
+ - **immutable**, i.e. must not change during the whole lifecycle of the object/resource, even for
+renaming for example;
+ - **consistent**, i.e. identical everywhere the object/resource is specified.
+
+Among other things, a **consistent** key allows identities to use the same login in all applications. A **consistent** key is also essential to form the link between identities and the other objects (organizations, titles, etc.).
+
+**Create your initial workforce repository with only recommended attributes.**
+
+As we aim to quickly enable Identity Governance and Administration (IGA) actions (like the review of orphaned and unused accounts, or access certification, etc.), Netwrix Identity Manager (formerly Usercube) recommends **loading identities with only necessary data**. The model can be completed later.
+
+Moreover, Identity Manager's Query module can help gather data from other systems.
+
+For example, let's say that contractors' phone numbers are found only in the AD. Then we can wait for the connection of Identity Manager to the AD, and finally use the Query module to collect missing data. In this case:
+
+ 1. Upload the `Directory.xlsx` file with only recommended data, validate and synchronize as
+explained on this page.
+ 2. Connect the AD, synchronize AD data, update correlation and classification. See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information.
+ 3. Follow the usual query procedure to request phone numbers from the AD.
+ 4. Ensure you display a key (for example `EmployeeId` or `email`) to master the order of the
+displayed data.
+ 5. Download the report.
+ 6. Copy the report's columns one by one to paste them into the Directory.xlsx file.
+ 7. Synchronize directory data.
+
+5. Back on the **Workforce** > **Data Upload** page, upload the filled Excel file to the server in
+order to feed the data back to Identity Manager.
+
+ ![Upload Icon](/images/identitymanager/iconupload_v602.svg)
+
+The latest uploaded file overwrites the previous one.
+
+6. Click on **Verify and Synchronize** to check the file's consistency and import its data into
+Identity Manager.
+
+ ![Verify and Synchronize](/images/identitymanager/initialload_dataupload-synchronize_v602.webp)
+
+Now you are able to view users' pages in the directory.
+
+ ![Directory - Users](/images/identitymanager/initialload_directoryusers_v602.webp)
+
+## Verify Identities Loading
+
+In order to validate the process:
+
+- Check **manually** a sample in the user directory accessible from the home page. You should verify at
+least your own sheet and the sheets for your hierarchy.
+
+ ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+- Check that **every organization includes a manager**. Organizations are accessible from the department
+directory on the home page.
+
+ ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp)
+
+ ![List of Departments](/images/identitymanager/initialload_departments_v602.webp)
+
+If the system contains many organizations, then it is also possible to list each organization with its manager through the Query module.
+
+- Create reports with indicators on the number of workers per type or per organization for example
+(through Identity Manager's predefined reports, the Query module or Power BI), in order to ensure that Identity Manager's content sticks to reality.
+
+See the [Generate Reports](../../../user-guide/administrate/reporting) topic for additional information.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/template-description.md b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/template-description.md
new file mode 100644
index 0000000000..8c8582d6c6
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/initial-identities-loading/template-description.md
@@ -0,0 +1,249 @@
+---
+title: "Template Description"
+description: "Template Description"
+sidebar_position: 30
+---
+
+# Template Description
+
+Description of the MS Excel template for the creation of the identities repository.
+
+[**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx).
+
+![Template Model](/images/identitymanager/initialload_templatemodel_v603.webp)
+
+All tabs contain a column `Command` only used at a later stage to modify (massively) identity data. See the [Update Identities in Bulk](../../../user-guide/maintain/identity-data-modification/mass-update) topic for additional information.
+
+## User - Required
+
+An identity is split into two parts, the first one being the parent resource called `User` which represents the user's identity card. It contains the few attributes which shall not change during the identity's lifecycle. See the [Identity Management](../../../integration-guide/identity-management) topic for additional information.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | ConsentPhotoUsage (optional) | Boolean | |
+ | IsDraft (optional) | Boolean | |
+
+## UserRecord - Required
+
+An identity is split into two parts, the second one being the one or several child resources called `UserRecord` which represent the user's positions. Records belong to users and help materialize:
+
+- several positions at once;
+- validity periods for positions/assignments unrelated to the user itself;
+- position changes.
+
+In other words, records represent the lifecycle of a user inside the company, i.e. multiple contracts, mutation, etc.
+
+Thus, the `UserRecord` tab usually holds users' information that might change over time, while the `User` tab groups all records of a given user around its identifier.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | RecordIdentifier (recommended) | String | Identifier of the Records. See the[Position Change via Records](../../../integration-guide/identity-management/joiners-movers-leavers/position-change). **Note:** it can be the same as `PositionIdentifier` when users can have no more than one contract simultaneously. **Note:** required when using records. |
+ | User (required) | ForeignKey | `Identifier` from the `User` tab. |
+ | EmployeeId (recommended) | String | |
+ | Gender (optional) | ForeignKey | `Identifier` from the `Gender` tab. |
+ | PersonalTitle (optional) | ForeignKey | `Identifier` from the `Personal Title` tab. |
+ | FirstName (recommended) | String | |
+ | LastName (recommended) | String | |
+ | BirthName (optional) | String | |
+ | BirthDate (optional) | DateTime | |
+ | Email (recommended) | String | |
+ | EmailAliases (optional) | String | Outdated, or any other email address associated with the user. This is used to prevent the re-assignment of a previously used address. |
+ | Login (optional) | String | |
+ | PhoneNumber (optional) | String | |
+ | MobileNumber (optional) | String | |
+ | VIP (optional) | Boolean | `True` to specify that the user is special/important. |
+ | ContractIdentifier (required) | String | |
+ | ContractStartDate (required) | DateTime | Start date of the user's contract in the company. |
+ | ContractEndDate (recommended for permanent contracts, required for fixed-term contracts) | DateTime | End date of the user's contract in the company. |
+ | AccessesExpirationDate (optional) | DateTime | Date when the user will be deprived of their access rights. |
+ | UserType (required) | ForeignKey | `Identifier` from the `User Type` tab. |
+ | Subsidiary (optional) | ForeignKey | `Identifier` from the `Subsidiary` tab. |
+ | ExternalCompany (optional) | ForeignKey | `Identifier` from the `External Company` tab. |
+ | PositionIdentifier (required) | String | |
+ | PositionStartDate (optional) | DateTime | |
+ | PositionEndDate (optional) | DateTime | |
+ | Organization (recommended) | ForeignKey | `Identifier` from the `Organization` tab. |
+ | Manager (recommended) | String | Line manager. `Identifier` from the `User` tab. |
+ | IGAManager (optional) | String | Validator of IGA requests. `Identifier` from the `User` tab. |
+ | JobTitle (optional) | String | |
+ | Title (optional) | ForeignKey | `Identifier` from the `Title` tab. |
+ | Site (optional) | ForeignKey | `Identifier` from the `Site` tab. |
+ | Office (optional) | ForeignKey | `Identifier` from the `Office` tab. |
+ | OfficeNumber (optional) | String | |
+ | IsMainPosition (optional) | Boolean | |
+ | Suspended (optional) | Boolean | |
+ | StartDate (optional) | DateTime | Start date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. |
+ | EndDate (optional) | DateTime | End date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. |
+
+Recommendations:
+
+- There is **no absolute need for a unique identifier**, because Identity Manager can compute one in the
+next steps.
+- Be aware of the **difference between a hierarchical manager and an IGA manager** who approves
+entitlement requests. They aren't necessarily the same person.
+
+## UserType - Required
+
+User types represent users' contract types, such as permanent contract, fixed term contract, interim, contractor, trainee, etc.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | Category (required) | ForeignKey | `Identifier` from the `User Category` tab. |
+ | EmailSuffix (optional) | String | Suffix to concatenate to the email string (immediately before the `@` character). |
+ | IsExternal (required) | Boolean | |
+ | LoginPrefix (optional) | String | |
+ | LoginSuffix (optional) | String | |
+ | UniqueIdentifierPrefix (optional) | String | |
+ | UniqueIdentifierRangeEnd (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeEnd` set to 9999 means that no unique identifier should be greater than 9999. |
+ | UniqueIdentifierRangeStart (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeStart` set to 1000 means that no unique identifier should be less than 1000. |
+ | UniqueIdentifierSuffix (optional) | String | |
+
+## UserCategory
+
+Categories constitute an additional layer to organize users who can be sorted by types and then further by categories, and categories can be transverse or not.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+
+## Subsidiary
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | EmailDomain (optional) | String | |
+
+## ExternalCompany
+
+Including external workers into the workforce repository requires listing external companies.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+
+## Organization
+
+A company is divided into organizations, also called departments, such as the board of directors, corporate banking, call center, USA operations, France operations, treasury, etc.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | Manager (recommended) | ForeignKey | `Identifier` from the `User` tab. |
+ | Assistant (optional) | ForeignKey | `Identifier` from the `User` tab. |
+ | Parent (optional) | ForeignKey | `Identifier` of another organization. |
+ | Type (optional) | ForeignKey | `Identifier` from the `Organization Type` tab. |
+
+## OrganizationType
+
+Organizations can be categorized into organization types, if relevant.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+
+## Title
+
+Each position can be represented by a title which names said position, such as architect, CEO, purchasing manager, recruiter, etc.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | JobCategory (optional) | ForeignKey | `Identifier` from the `Job Category` tab. |
+
+## JobCategory
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+
+## Country
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | ISOCode (optional) | String | |
+
+## Region
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | Country (optional) | ForeignKey | `Identifier` from the `Country` tab. |
+
+## Site
+
+All positions specify a working site.
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | Name (optional) | String | |
+ | StreetNumber (optional) | Int32 | |
+ | StreetName (optional) | String | |
+ | StreetType (optional) | String | |
+ | Floor (optional) | Int32 | |
+ | PostalCode (optional) | Int32 | |
+ | City (optional) | String | |
+ | Region (optional) | ForeignKey | `Identifier` from the `Region` tab. |
+ | PreferredLanguage (optional) | String | |
+ | TimeZone (optional) | Int32 | |
+ | Latitude (optional) | Int64 | |
+ | Longitude (optional) | Int64 | |
+ | Url (optional) | String | |
+
+## Office
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+ | Site (recommended) | ForeignKey | `Identifier` from the `Site` tab. |
+
+## PersonalTitle
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+
+## Gender
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Identifier (required) | String | |
+ | DisplayName (recommended) | String | |
+
+## ReservedEmail
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Description (recommended) | String | |
+ | Value (required) | String | |
+
+## ReservedIdentifier
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Description (recommended) | String | |
+ | Value (required) | String | |
+
+## ReservedLogin
+
+ | Attribute | Type | Description |
+ | --- | --- | --- |
+ | Description (recommended) | String | |
+ | Value (required) | String | |
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/index.md b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/index.md
new file mode 100644
index 0000000000..e14ded4fed
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/index.md
@@ -0,0 +1,52 @@
+---
+title: "Create a Provisioning Rule"
+description: "Create a Provisioning Rule"
+sidebar_position: 90
+---
+
+# Create a Provisioning Rule
+
+How to define scalar rules, navigation rules and/or query rules to compute and provision target resources values from source resources values. See the [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information.
+
+## Overview
+
+[Categorize Resources](../../../user-guide/set-up/categorization) led to the grouping of resources into resource types (classification), and the establishment of source-to-target relationships between these resources (correlation).
+
+Sources are usually identities, and targets are usually accounts from the managed systems.
+
+Here, we are going to compute the values of scalar and navigation properties for the target resources used in entitlement management, based on source resources. We are going to [Provision](../../../user-guide/administrate/provisioning) these properties, i.e. write them to the managed system.
+
+The right tools for the job are provisioning rules: scalar rules, navigation rules, query rules.
+
+These provisioning rules are designed to:
+
+1. retrieve the input data in source objects;
+2. compute the output value for target objects;
+3. provision the corresponding properties in the managed system with the computation result.
+
+Another kind of provisioning rule is called resource type rule. Instead of computing existing properties, resource type rules create automatically target resources to be owned by given source resources (identities).
+
+In testing mode, the impacted resource types can be configured to block provisioning, by adding a mandatory review before actually writing to the managed system. See the [Create a Resource Type](../../../user-guide/set-up/categorization/resource-type-creation) topic for additional information.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the application owner who knows the application users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | Categorization (required) | Scalar rules Navigation rules Query rules |
+
+See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information.
+
+## Create Provisioning Rules
+
+- [Create Resources](../../../user-guide/set-up/provisioning-rule-creation/resource-creation)type rules to automatically create resources.
+- [Compute a Scalar Property](../../../user-guide/set-up/provisioning-rule-creation/scalar-property-computation) to compute scalar properties;
+- Create navigation and/or query rules to compute navigation properties.
+
+Netwrix Identity Manager (formerly Usercube) recommends creating/modifying/deleting provisioning rules using simulations in order to anticipate changes. See the [Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information.
+
+## Next Steps
+
+Once provisioning rules are created, integrators can start to [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation).
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md
new file mode 100644
index 0000000000..8eb140bb2e
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md
@@ -0,0 +1,246 @@ +--- +title: "Compute a **navigation** Property" +description: "Compute a **navigation** Property" +sidebar_position: 30 +--- + +# Compute a **navigation** Property + +How to define **navigation** rules and/**or** query rules to compute and provision the values of **navigation** properties for target resources based on source resources. See the [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of **navigation** properties for the target resources used in entitlement management, based on source resources. See the[Define **navigation** Properties](../../../user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition) topic for additional information. We are going to provision these properties, i.e. write them to the managed system. See the [Provision](../../../user-guide/administrate/provisioning) topic for additional information. + +The right tools for the job are **navigation** and query rules. + +A **navigation** property's value can be computed by a **navigation** rule **or** a **query rule**, assigning a given resource from the entity type pointed by the **navigation** property (which can be the target entity type itself). Let's call this entity type the "other" one. + +- A **navigation** rule assigns a fixed resource, which is chosen from among the "other" entity type's +resources during the rule's creation. The assigned resource is the same for all impacted accounts. Use a **navigation** rule when a given resource must be assigned, regardless of users' attributes. +- A **query rule** assigns a resource from the "other" entity type too. However, the resource is chosen +according to a query via a C# expression with conditions, based on the attributes of the source objects (usually users). 
Hence, contrary to a **navigation** rule, a **query rule** can assign a different resource for each impacted account, based on the attributes of the account's owner. Use a **query rule** when there is the need to use variables from among users' attributes to select the resource to assign. + +![Schema - Scalar Rule](/images/identitymanager/provrules_schemanavigation.webp) + +> A **navigation** rule could add the AD group `SG_APP_SQL` to the `memberOf` **navigation** property to all +> AD nominative accounts provided that the user has the single role `SQL Server Administration`. + +> A **query rule** could compute the value of the `department` **navigation** property for ServiceNow +> nominative accounts (entity type `ServiceNow_User`), with a query from among resources from the +> `ServiceNow_Department` entity type, where the name of the resource would match the display name +> of the organization specified for the user (owner of the ServiceNow account). +> +> We need here to query the `ServiceNow_Department` entity type in order to find the right +> department to update the value of `department`, which is specific to each ServiceNow account. +> +> Thus, each user owning a ServiceNow account will see the value of `department` in their account +> updated with the resource from `ServiceNow_Department` which corresponds to the department +> specified for this user. + +> Another **query rule** could compute the `parentdn` attribute for AD nominative accounts, with a query +> from among AD entries, where the `dn` attribute of the resource would match a complex expression +> based on the user's (owner of the AD account) presence state, employee type, location, etc. +> +> We need here to query the `AD - Entry` entity type in order to find the right dn to update the +> value of `parentdn`, which is specific to each AD nominative account. 
+> +> Thus, each AD nominative account will have the value of its `parentdn` set according to its +> owner's attributes (presence state, employee type, location, etc.). + +The application of a **navigation** rule can depend on the assignment of a single role, and/**or** user dimensions. See the[Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information on the assignment of a single role and [Conforming Assignments](../../../integration-guide/role-assignment/conformingassignmentcomputation) topic for additional information on dimensions. + +A **query rule** does not use criteria as it is designed to compute a given **navigation** property for all existing resources in a given resource type. However, in case of several query rules on a same property, the application of a **query rule** depends on its confidence rate and the corresponding priority it receives compared to other query rules. See the [Classify Resources](../../../user-guide/set-up/categorization/classification) topic for additional information. + +While both **navigation** and query rules compute **navigation** properties, the value of one **navigation** property should be computed by **either** **navigation** **or** query rules, not both. + +In Identity Manager, a **navigation** property has two "sides", one for each linked element. + +For example in the AD, the group membership of a user is represented by the properties `member` for groups (containing a list of users) and `memberOf` for users (containing a list of groups). However, some managed systems only have one of these two sides. + +The AD only uses `member` from among groups' properties. Users do not have a `memberOf` property. As Identity Manager uses and links both sides, it is able to "translate" the information, so that the corresponding **navigation** property, which actually exists in the managed system, is modified by the **navigation**/**query rule**. 
+ +Identity Manager assigns an entitlement to a user by assigning a group-membership to an account. Thus we can create a **navigation** rule which adds a group to the `memberOf` property of given accounts. Identity Manager will update the `member` property of groups accordingly (in Identity Manager), and then provision the `member` property of said groups in the AD, adding the impacted accounts. + +A **navigation** rule will **trigger the creation** of a target resource for all impacted source resources (so all users), which are not yet correlated with a resource of this resource type. + +:::note + A **query rule** **does not create** resources, and only computes the **navigation** properties of existing resources. +::: +## Guidelines + +Follow these guidelines when configuring **navigation** properties. + +**Expression code must not contain too much data** + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in the resource and out of the expression. It is easier to change data than to change a rule. + +> For example, consider an organization that manages email addresses according to the site with +> `.fr` for France and `.be` for Belgium. +> +> A working option could be to write an expression with a condition `if` on the site to assign the +> domain name. However, if the organization expands and needs to consider an additional country, +> then the rule requires change in the expression code. +> +> A better solution is to change the identity data model by adding a field `Domain Name` to describe +> the object `Site`, and to be used in the rule expression. In this case, if there is an additional +> country, then a new field is added in the data model for `Site` and `Domain Name`. Thus, the rule +> expression remains simple by using the new objects, for example +> `Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. 
+ +**Priority between **navigation**/query rules** + +When creating **navigation** and query priorities, follow these rules: + +- Several rules computing the same property with different criteria should not coexist; +- The only reason to have several rules to compute a single property is when changing the property +value over time, via time offsets. See the [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information. + +### Navigation rules with ResourceFromDimension + +Instead of specifying an explicit `Resource`, you can use the `ResourceFromDimension` property to reference a dimension. The system behaves as if a separate rule exists for each resource in that dimension, with automatic parameterization on the single role. This approach reduces configuration entries when the same rule logic applies to multiple resources. + +```xml + +``` + +This is equivalent to creating individual rules for each resource in the dimension: + +```xml + + + +``` + +**Use when:** You need multiple rules that differ only in the assigned resource, and all resources belong to a dimension. + +**Configuration requirements:** + +- The `SingleRole` property is required +- Do not use both `Resource` and `ResourceFromDimension` in the same rule +- The dimension's entity type must match the target entity type of the navigation property +- Do not specify dimension criteria (D0, D1, etc.) - they are set automatically for each resource in the dimension + +For complete XML configuration reference, see [ResourceType - NavigationRule](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype#child-element-navigationrule). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the **application owner** who knows the application users, entitlements and data model. See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information. 
+ + | Input | Output | + | --- | --- | + | Categorization (required) | **navigation** rules Query rules | + +## Create a **navigation** Rule + +Fill an entity type with a **navigation** rule by proceeding as follows: + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future **navigation** rule. + +![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) + +**Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner. + +![Addition Icon](/images/identitymanager/iconadd_v602.webp) + +**Step 4 –** Fill in the fields. + +![Create a **navigation** Rule](/images/identitymanager/singlerolescatalog_createnavrule_v602.webp) + +- `Join`: **navigation** property from the target entity type, whose value is to be impacted. +- `Resource`: resource from the entity type pointed by the `Join`, which is to be added to the +`Join` property. +- `**navigation** denied`: option that forbids the resource assignment. +- `Offset of effective date`: time period that defines the actual effective date for property +computation according to the value's start and/**or** end date. + + > For example, account activation and deactivation can be managed according to the start and/**or** + > end dates. + +- **Criteria**: conditions that, if met, trigger the rule application. + +> Our example would look like: +> +> ![Scalar Rule Example](/images/identitymanager/provrules_examplenav_v602.webp) + +**Step 5 –** Click on **Create** and see a line added on the rules page. + +The **navigation** rule is now configured and can be found in the Access Rules tab. + +## Create a **query rule** + +Fill an entity type with a **query rule** by proceeding as follows: + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. 
+ +![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future **query rule**. + +![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) + +**Step 3 –** Click on the **Queries** tab and on the addition button at the top right corner. + +![Addition Icon](/images/identitymanager/iconadd_v602.webp) + +Fill in the fields. + +![Create **query rule**](/images/identitymanager/provrules_queryrule_v522.webp) + +Once the `Resource Type` is provided, more fields appear. + +![**query rule** Fields](/images/identitymanager/provrules_queryrulefields_v602.webp) + +- **Target Object** > `Property to fill`: **navigation** property from the target entity type, whose +value is to be impacted. +- **Target Object**: property (**or** expression of properties) from the entity type pointed by the +`Property to fill`, which will be the value of the `Property to fill` if it matches the source object. Can be defined by a property path and/**or** an expression. See the [Expressions](../../../integration-guide/toolkit/expressions) topic for additional information. +- **Source Object**: property (**or** expression of properties) from the source entity type. Can be +defined by a property path and/**or** an expression. See the [Expressions](../../../integration-guide/toolkit/expressions) topic for additional information. +- `Offset of effective date`: time period that defines the actual effective date according to the +value's start and/**or** end date. An offset of effective date can be useful for some attributes. For example, account activation and deactivation can be managed according to the start and/**or** end dates. +- `Confidence Rate`: rate expressing the confidence in this link, and its priority order. See +the[Classify Resources](../../../user-guide/set-up/categorization/classification) topic for additional information. 
+ +> Our examples would look like: +> +> ![**query rule** Example](/images/identitymanager/provrules_examplequery_v602.webp) +> +> ![**query rule** Example 2](/images/identitymanager/provrules_examplequerybis_v602.webp) + +Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a **navigation** **or** **query rule** is taken into account when launching the role model computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created automatically for an identity through a **navigation** rule (and its criteria), and if the user's criteria do not comply with the new version of the rule, then the corresponding resource is automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource **only on the Identity Manager side**. There are several barriers to cross before said resource is removed from the managed system. + +Simulations are available in order to anticipate the changes induced by a creation/modification/deletion in **navigation** and query rules. See the [Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information. + +## Verify Rule Creation + +In order to verify the process: + +**Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules. 
+ +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) + +Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on the **Role Reconciliation** screen) to help check query rules: if there are numerous properties to be reconciled following the same pattern, then there may be a rule that needs to be changed. + +**Step 2 –** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules. + +**Step 3 –** Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on the **Role Reconciliation** screen) to help check query rules: if there are numerous properties to be reconciled following the same pattern, then there may be a rule that needs to be changed. + +See the[Review an Unauthorized Account](../../../user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review) and the[Reconcile a Role](../../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation) topics for additional information. + diff --git a/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/resource-creation.md b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/resource-creation.md new file mode 100644 index 0000000000..f3e299540a --- /dev/null +++ b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/resource-creation.md 
@@ -0,0 +1,103 @@
+---
+title: "Create Resources"
+description: "Create Resources"
+sidebar_position: 10
+---
+
+# Create Resources
+
+How to define [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) rules to create **new** (target) resources for given users, computing and provisioning their properties based on source resources.
+
+## Overview
+
+Sources are usually identities, and targets are usually accounts from the managed systems.
+
+Here, we are going to create target resources and assign them to given users. We are going to [Provision](../../../user-guide/administrate/provisioning) these resources, i.e. write them to the managed system.
+
+The right tools for the job are resource type rules.
+
+The application of a resource type rule can depend on the assignment of a single role, and/or user dimensions.
+
+> A resource type rule could assign a SAP account to users working in Germany, and who already have
+> the role `SAP: manager access`.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owner** who knows the application users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | Categorization (required) | Resource type rules |
+
+See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information.
+
+## Create a Resource Type Rule
+
+Create a resource type rule by proceeding as follows:
+
+1. Click on **Access Rules** on the home page in the **Configuration** section.
+
+ ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
+
+2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule.
+
+ ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
+
+3. Click on the **Resource Types** tab and on the addition button at the top right corner.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+4. Fill in the fields.
+
+ ![Create a Resource Type Rule](/images/identitymanager/provrules_typerule_v602.webp)
+
+ - `Resource Type`: resource type to be automatically assigned.
+ - `Type`: assignment type that can be: `Suggested` so that the resource type is listed among
+suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested; or `Automatic` so that the resource type is automatically assigned to users matching the criteria; or `Automatic but with validation` so that the resource type is listed in the permission basket of **new** workers, these assignments can still be modified.
+ - `Resource type denied`: option that forbids the assignment.
+ - `Offset of effective date`: time period that defines the actual effective date for resource
+creation/deletion according to the value's start and/or end date.
+ - **Criteria**: conditions that, if met, trigger the resource creation.
+ > Our example would look like:
+>
+ > ![Resource Type Rule Example](/images/identitymanager/provrules_exampletype_v602.webp)
+
+5. Click on **Create** and see a line added on the rules page.
+
+## Impact of Modifications
+
+Any modification in a resource type rule is taken into account when launching the role model computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**.
+
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+This task applies the rules and computes **new** assignments. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created automatically for an identity by a resource type rule, and if the user's criteria do not comply with the **new** version of the rule, then the corresponding resource is automatically deleted.
+
+A modification in a resource type rule can trigger the removal of a resource only on the Identity Manager side. There are several barriers to cross before said resource is removed from the managed system: first before the creation of an Assigned Resource Type in Identity Manager's database, and again before the actual action in the managed system.
+
+> In our example, let's say that we replace the country criterion `Germany` with `France`. Consider
+> a user who had a SAP account assigned through this rule. Now that the country criterion has
+> changed, our user working in Germany would be deprived of their account.
+
+Simulations are available in order to anticipate the changes induced by a creation/modification/deletion in resource type rules.
+
+## Verify Rule Creation
+
+In order to verify the process, start by checking the rule's details on the **Access Rules** page. Then, you can:
+
+1. Select a test user in the directory, accessible from the home page.
+
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
+
+2. Create a resource type rule involving an account that said user doesn't already have, based on
+criteria which the selected user satisfies.
+3. Trigger the computation of the role model by clicking, on the corresponding connector's overview
+page, in the **Resource Types** frame, on **Jobs** > **Compute Role Model** to apply all rules.
+
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+4. See the **new** account in the user's **View Permissions** tab.
+
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
+
+If the type rule uses a single role as a criterion, and the user has said role, then both the resource type and the role will be displayed in the user's permissions, **but only if** the role is related to a [Compute a Navigation Property](../../../user-guide/set-up/provisioning-rule-creation/navigation-property-computation). Otherwise, only the resource type will be visible.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md
new file mode 100644
index 0000000000..cefc772bec
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md
@@ -0,0 +1,149 @@ +--- +title: "Compute a **scalar** Property" +description: "Compute a **scalar** Property" +sidebar_position: 20 +--- + +# Compute a **scalar** Property + +How to define **scalar** rules to compute and provision the values of **scalar** properties for target resources based on source resources. See the [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype)  topic for additional information. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of **scalar** properties for the target resources used in entitlement management, based on source resources. See the [Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation) topic for additional information. We are going to provision these properties, i.e. write them to the managed system. See the [Provision](../../../user-guide/administrate/provisioning)topic for additional information. + +The right tools for the job are **scalar** rules. + +A **scalar** property's value can be computed by a **scalar** rule, based on at least one **scalar** property from the source entity type, possibly writing a C# expression. + +![Schema - **scalar** Rule](/images/identitymanager/provrules_schemascalar.webp) + +A **scalar** rule could define the **scalar** property displayName of nominative AD accounts based on its owner's name with the expression: + +return person.LastName + " " + person.FirstName; + +The application of a **scalar** rule can depend on the assignment of a single role. See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information. + +Sometimes we create in Identity Manager properties which are not directly linked to any real property in the managed system. 
A **scalar** rule on this kind of property will not find a property to provision in the managed system, and thus **will not produce any result**.
+
+For example, we may need to create in the AD the property isUnused (to spot unused accounts) with a C# expression based on other properties from the same entity type. These properties, such as accountExpires and lastLogonTimestamp, are each linked to a property from the AD, while isUnused is for Identity Manager's use only. This **scalar** property isUnused does not exist in the AD, thus will never be provisioned to the AD, and thus will not be computed by a **scalar** rule.
+
+Also some properties, like lastLogonTimestamp in the AD or identifiers from ServiceNow, must be changed only by their application. Identity Manager can/must not change these properties, thus no provisioning rule is appropriate for them.
+
+A **scalar** rule using a single role as criterion will **trigger the creation** of a target resource for all impacted source resources (so all users), which are not yet correlated with a resource of this resource type.
+
+Without a criterion, a **scalar** rule **does not create** resources, and only computes the **scalar** properties of existing resources.
+
+## Guidelines
+
+**Expression code must not contain too much data**
+
+Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in the resource and out of the expression. It is easier to change data than to change a rule.
+
+For example, consider an organization that manages email addresses according to the site with .fr for France and .be for Belgium.
+
+A working option could be to write an expression with a condition if on the site to assign the domain name. However, if the organization expands and needs to consider an additional country, then the rule requires change in the expression code. 
+ +A better solution is to change the identity data model by adding a field Domain Name to describe the object Site, and to be used in the rule expression. In this case, if there is an additional country, then a new field is added in the data model for Site and Domain Name. Thus, the rule expression remains simple by using the new objects, for example `Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. + +**Priority between **scalar** rules** + +A **scalar** rule with a role as a criterion has a higher priority than a rule without a role criterion. + +For example, consider the situation where we want the login `` for users with the single role ``, and the login `` for the others. In this case, we can write two distinct **scalar** rules where the first one has the role `` as a criterion. This rule will be applied before the other. + +Other than that, there should not be more than one rule meant to provision a given property on a given time period. + +It means that: + +- Several rules computing the same property with different criteria should not coexist; +- The only reason to have several rules to compute a single property is when changing the property +value over time, via time offsets. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the **application owner** who knows the application users, entitlements and data model. + + | Input | Output | + | --- | --- | + | Categorization (required) | **scalar** rules | + +See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information. + +## Create a **scalar** Rule + +Fill an entity type with a **scalar** rule by proceeding as follows: + +![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) + +**Step 1 :** Click on **Access Rules** on the home page in the **Configuration** section. 
+
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
+
+**Step 2 :** In the dropdown menu at the top left, choose the source entity type for the future **scalar** rule.
+
+![iconadd_v602](/images/identitymanager/iconadd_v602.webp)
+
+**Step 3 :** Click on the **Scalars** tab and on the addition button at the top right corner.
+
+![Create **scalar** Rule](/images/identitymanager/provrules_scalarrule_v522.webp)
+
+**Step 4 :** Fill in the fields.
+
+![**scalar** Rule Fields](/images/identitymanager/provrules_scalarrulefields_v602.webp)
+
+Once the Resource Type is provided, more fields appear.
+
+- Source Object: **scalar** property (or expression of **scalar** properties) from the source entity type,
+which constitutes the input for the computation of the target object. Can be defined by a property path and/or an expression.
+- Target Object: **scalar** property from the target entity type, whose value is to be impacted.
+- Offset of effective date: Time period that defines the actual effective date for property
+computation according to the value's start and/or end date.
+
+For example, account activation and deactivation can be managed according to the start and/or end dates.
+
+- Applicable: Create & Update to use this computation to both provision the managed system and
+synchronize the property back to Identity Manager; **Create Only** to use this computation to only provision the managed system and ignore this property during synchronization, this way the property can never be displayed as non-conforming.
+
+**Create Only** is usually set to adapt the configuration to the constraints of the managed system, when Identity Manager does not retrieve and/or update the property value.
+
+For example, consider a system, that we want to connect to Identity Manager (let's call it SYST) using a title property. Consider also that SYST needs to be provisioned with the value of title, but does not allow any other system to retrieve said value. 
+
+In this case, we use **Create Only** so that Identity Manager sends the adequate provisioning order upon creation, and then sets the provisioning state to **None** without synchronization. If any changes impact that ****scalar** Property** value the workflow state will be modified to **PolicyApprovedWithChanges** meaning that the policy value is not equal to the external system's value and that will not be provisioned.
+
+- Comparison type: Comparison type between the value of the target object computed by the rule and
+its value from the managed system. Non-conforming values are displayed on the **Provisioning Review** screen.
+- Criteria: Conditions that, if met, trigger the rule application.
+
+Our example would look like:
+
+![**scalar** Rule Example](/images/identitymanager/provrules_examplescalar_v522.webp)
+
+**Step 5 :** Click on **Create** and see a line added on the rules page.
+
+## Impact of Modifications
+
+Any modification in a **scalar** rule is taken into account when launching the role model computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**.
+
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+This task applies the rules and computes new properties. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created automatically for an identity through a **scalar** rule (and its single role criterion), and if the user's criteria do not comply with the new version of the rule, then the corresponding resource is automatically deleted.
+
+A modification in a provisioning rule can trigger the removal of a resource **only on the Identity Manager side**. There are several barriers to cross before said resource is removed from the managed system.
+
+Simulations are available in order to anticipate the changes induced by a creation/modification/deletion in **scalar** rules. 
See the [Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information.
+
+## Verify Rule Creation
+
+In order to verify the process:
+
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+**Step 1 :** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules.
+
+**Step 2 :** Review unreconciled properties on the **Resource Reconciliation** screen to help check **scalar** rules: if there are numerous properties to be reconciled following the same pattern, then there may be a rule that needs to be changed. See the [Reconcile a Property](../../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation) topic for additional information.
+
+Once the steps completed the process is verified.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/category-creation.md b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/category-creation.md
new file mode 100644
index 0000000000..cba9bbec9d
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/category-creation.md 
@@ -0,0 +1,71 @@
+---
+title: "Create a Category"
+description: "Create a Category"
+sidebar_position: 20
+---
+
+# Create a Category
+
+How to structure roles into categories. See the [Category](../../../integration-guide/toolkit/xml-configuration/provisioning/category) topic for additional information.
+
+## Overview
+
+A category is usually created to:
+
+- **reflect the validation process**, i.e. represent groups of roles that follow the same validation
+process with the same validator(s);
+- help users find intuitively the entitlement that they are looking for.
+
+> For example, creating one category per application often fulfills both requirements.
+
+There is usually one validator per category.
+
+There can be several category levels. For example, integrators can choose to create one category per department, then one per position, and finally one per application. They usually gather roles by application. Here are a few examples of categories: `AD`, `HR` , `SAP`, `IT Administration`, `Test Environments`, etc. Some of these "application categories" are gathered into larger categories by theme as long as their role owner is identical.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owners** who know the application's users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | Role Catalog (optional) | Categories |
+
+See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
+
+## Create a Category
+
+Categories are not mandatory to create roles, but they are highly recommended to organize single roles.
+
+Create a category by proceeding as follows:
+
+1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles
+page.
+
+ ![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
+
+2. All existing categories are shown in the menus on the left. 
To create a new category, click on
+**+**.
+
+ ![Add a New Category](/images/identitymanager/singlerolescatalog_newcategory_v602.webp)
+
+3. Fill in the fields.
+
+ ![Create a Category](/images/identitymanager/singlerolescatalog_createcategory_v602.webp)
+
+ - `Identifier`: must be unique among categories and without any whitespace.
+ - `Name`: will be displayed in the UI to identify the created category.
+ - `Collapsed in the role tree`: option that enables a collapsed view of the category in the role
+tree.
+ - `Parent category`: optional link to an existing category that would contain the created
+category.
+
+4. Click on **Create** and see the category added in the menus.
+
+When creating a category, you must be cautious about the associated validators that are not yet defined.
+
+## Verify Category Creation
+
+In order to verify the process, check on the **Access Roles** screen that the category is created with the right parameters.
+
+![Verify Category](/images/identitymanager/categorycreation_test_v602.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/index.md b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/index.md
new file mode 100644
index 0000000000..bec1a04846
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/index.md 
@@ -0,0 +1,170 @@
+---
+title: "Create Roles in the Role Catalog"
+description: "Create Roles in the Role Catalog"
+sidebar_position: 100
+---
+
+# Create Roles in the Role Catalog
+
+How to define [Single Role](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) to model entitlements, and organize them in the role catalog, basis of the role model. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+The creation of the role catalog is a time-consuming part, with an important workload concerning the description of the internal processes for all applications. Actors here need to really understand the useful permissions within managed applications.
+
+## Overview
+
+The aim here is to establish and create the exhaustive list of [Role Models](../../../integration-guide/role-model) needed by the organization. Roles are a way to represent entitlements which are assigned to identities, so that said identities are able to work with the managed systems.
+
+![Schema - Single Role](/images/identitymanager/singlerolescatalog_schemarole.webp)
+
+In other words, establishing the role catalog aims to list exhaustively and explicitly all the roles in the organization, hiding the technical complexity of entitlements behind the business vision of user-friendly names and categories, in order to:
+
+- assign roles to users, by requesting them manually, or using rules that assign roles automatically
+based on users' attributes;
+- simplify the implementation of Segregation of Duties (SoD);
+- simplify the implementation and execution of access certification campaigns.
+
+Roles are not chosen at random as they must correspond to the way entitlements were modeled during connector modeling.
+
+### Technical Principles
+
+Identity Manager's roles are all built the same way. Technically speaking:
+
+- a role is part of a policy which is a subgroup of the role model. 
See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information.
+
+ > Let's take the example of the unlimited Internet access, part of the default policy.
+
+- a role is created to be owned by users represented by a given entity type;
+
+ > We choose users from `Directory_User`.
+
+- roles need to be structured so categories are created to:
+
+ - represent groups of roles that follow the same validation process with the same validator(s);
+ - help users find intuitively the entitlement that they are looking for.
+
+NETWRIX recommends creating one category per application, as this method often fulfills both requirements.
+
+Then single roles can be grouped together through [Composite Roles](../../../integration-guide/toolkit/xml-configuration/provisioning/compositerole) for applicative purposes, allowing users to be assigned several entitlements simultaneously. Leave composite roles for later, when the system runs as is and would benefit from an additional layer in the role model.
+
+ > This role is part of the previously created `Internet` category.
+
+- a role is created with a given approval workflow according to the entitlement's sensitivity;
+
+ ![Schema - Approval Workflow](/images/identitymanager/singlerolescatalog_schemaapprovals.webp)
+
+ > We choose to require one manual validation from a knowledgeable user before the Internet role
+ > is assigned to a user.
+
+- to be effective, roles must be linked to actual entitlements in the managed systems. Technically
+speaking, this means that for each entitlement that you want to assign through a given role, you must create a navigation rule to build said link. A navigation rule is specific to one resource type. See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information. 
+
+ ![Schema - Single Role with Navigation Rule](/images/identitymanager/singlerolescatalog_schemarolerule.webp)
+
+ > We link the role to the entitlement named `SG_APP_DL-INTERNET-ALL` in the AD, via a navigation
+ > rule that assigns this entitlement to the `memberOf` property of AD nominative accounts, for
+ > all users having the role.
+
+This part is about single roles, dealing with entitlements one-to-one. The idea is to associate one single role with one fine-grained entitlement.
+
+ ![Schema - Roles and Identities](/images/identitymanager/singlerolescatalog_schemarolesidentities.webp)
+
+ > For example, an accountant needs read access to the accounting software, a project manager to
+ > their billable hours for their projects on SAP, etc.
+
+When roles are well-defined, one entitlement request must lead to the direct functional entitlement assignment. No more, no less.
+
+## Strategy for Role Creation
+
+### Role structuring
+
+Functionally speaking, the main benefit of roles is to give entitlements user-friendly names, easily understandable by managers. And to be understandable, roles must be structured.
+
+The strategy for role creation and structuring varies according to the [Model the Data](../../../user-guide/set-up/connect-system/connector-modeling) established for a given system. Here, we will take as example the common use-case that organizes and categorizes roles by application. Then, the strategy varies whether the system hosts a single application (like SAB or SAP) or several (like the AD or LDAP).
+
+In any case, role creation and maintenance are made easier by entitlements' naming conventions. Thus, no matter the kind of system that you are working with, if the system uses no naming conventions, then you should start by creating some. They will be the basis for role structure in Identity Manager, and will really simplify role creation. 
+
+**One system for one application**
+
+A common and intuitive case is when a system is simply one application. Then, integrators can create one role per entitlement in said application, and one category for the application.
+
+> The SAP application is about entitlements only for itself. Then, we create a single role per
+> entitlement in SAP inside a category called `SAP`:
+>
+> ![Roles Example](/images/identitymanager/singlerolescatalog_strategymono_v602.webp)
+
+One system hosting several applications with existing naming conventions
+
+If a given system is used to manage entitlements for several applications, then building categories becomes more complicated.
+
+> For example, the Active Directory usually hosts many groups used to manage entitlements in several
+> distinct applications.
+>
+> ![AD Groups](/images/identitymanager/singlerolescatalog_strategymulti_v522.webp)
+
+The goal here is to find a way to clarify the link between each entitlement and the corresponding application.
+
+If the system uses naming conventions for entitlements, then it is possible to deduce the application it corresponds to, from the entitlements' names.
+
+> For example, a group is called `SG_APP_banking/digital/haumea/reader` in the AD. The membership to
+> this group gives an entitlement. Knowing the organization, integrators understand that this
+> entitlement is about the department `banking`, the position `digital`, the application `haumea`
+> and the access right `reader`.
+
+Roles can be created accordingly, with one role per entitlement and a category per application.
+
+One system hosting several applications without existing naming conventions
+
+However, in the case of a connector for several applications, sometimes no information can be deduced from the entitlements' names. It is still necessary to find a way to clarify the link between each entitlement and the corresponding application. 
+
+Then, the solution is to add information inside the managed system, creating a specific field or filling an empty field.
+
+> For example in the Active Directory, integrators can modify the field called `description` to
+> specify the application name (such as Outlook in this example).
+>
+> ![Appropriated Field](/images/identitymanager/singlerolescatalog_strategymultinoname_v522.webp)
+
+Thus, the needed information is added to the managed system. After the execution of synchronization, said data is accessible inside Identity Manager database and can be used as a naming convention.
+
+In some cases, integrators are not allowed to create/modify fields in the external systems. Then, the information can be added on Identity Manager side only. As the new field doesn't exist in the external systems, it can't be overwritten.
+
+### Automation of role creation
+
+The UI provides tools to create single roles manually, working top-down from abstraction (role name) to the technical aspects (navigation rule and technical entitlement). Most projects use thousands of single roles, which makes role creation a long, tedious and repetitive process. See the [Create a Role Manually](../../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information.
+
+![Schema - Role Creation Top-Down](/images/identitymanager/singlerolescatalog_schematopdown.webp)
+
+Roles can also be created bottom-up via role naming rules. Instead of the previous process, you can use the name of said entitlement in your managed system to create automatically the corresponding single role and rule (and category if it does not already exist). In other words, Identity Manager's naming rules are to be based on your existing naming conventions for entitlements. See the [Create Roles in Bulk](../../../user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation) topic for additional information. 
+
+![Schema - Role Creation Top-Down](/images/identitymanager/singlerolescatalog_schemabottomup.webp)
+
+One naming rule can generate many roles, so a few automatic rules can easily and faster create the single role catalog. Naming rules prove particularly useful when you need to add multiple new permissions in your external system. You won't have to create manually the corresponding categories, roles and rules as long as said permissions are created with properties matching the conditions from the rules.
+
+NETWRIX recommends starting the role catalog with as many naming rules as possible before creating roles manually.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the application owners who know the application's users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | Connector's data [Model the Data](../../../user-guide/set-up/connect-system/connector-modeling) (required) [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation) (required) [Classify Resources](../../../user-guide/set-up/categorization/classification) (required) | Single role catalog |
+
+## Create the Single Role Catalog
+
+Create the single role catalog by proceeding as follows:
+
+1. Create as many single roles as possible (with their navigation rules and categories) via the [Create Roles in Bulk](../../../user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation) naming rules.
+2. Complete the role catalog if needed by creating manually additional [Create a Category](../../../user-guide/set-up/single-roles-catalog-creation/category-creation) and single roles with their navigation rules.
+3. Add [Create a Composite Role](../../../user-guide/optimize/composite-role-creation) to the single role catalog only if the project is mature enough. Composite roles are more complex than single roles
+and they are not mandatory. 
+
+## Impact of Modifications
+
+[Perform a Simulation](../../../user-guide/optimize/simulation) are available in order to anticipate the changes induced by a creation/modification/deletion in roles and navigation rules.
+
+## Next Steps
+
+Once the role catalog is established, integrators can start role officer management.
+
+The role catalog is also a prerequisite for [Manage Risks](../../../user-guide/optimize/risk-management) management.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md
new file mode 100644
index 0000000000..ae7916707c
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md 
@@ -0,0 +1,162 @@
+---
+title: "Create a Role Manually"
+description: "Create a Role Manually"
+sidebar_position: 30
+---
+
+# Create a Role Manually
+
+How to create single **roles** manually.
+
+## Overview
+
+A single role is a way to represent an entitlement that is to be assigned to an identity. It brings a layer of abstraction through a user-friendly name, close to the business view. See the [Single Role](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerole) topic for additional information.
+
+To be effective, **roles** must be linked to actual entitlements in the managed systems. Within Identity Manager, an entitlement assigned to an identity is in fact represented by the value of a given navigation property, in a resource owned by said identity. See the [Create an Entity Type](../../../user-guide/set-up/connect-system/entity-type-creation)topic for additional information. Thus, each role is linked to one navigation rule per entitlement. See the [Resource Type](../../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information.
+
+:::note
+ For example, imagine that we want to grant unlimited Internet access to the administrator profile of an identity. This entitlement won't be assigned directly to the identity but to its AD administration account. In our Active Directory, there is a resource called `` identified from among AD entries as a group. So we need to add this group membership to the properties of the identity's AD account, using `` as a value of the **memberOf** property.
+:::
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owners** who know the application's users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | [Classification](../../../user-guide/set-up/categorization/classification) (required) | Single **roles** |
+
+## Create a Single Role
+
+Create a single role by proceeding as follows:
+
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
+
+**Step 1 –** On the home page in the **Configuration** section, click on **Access **roles**** to access the **roles** page.
+
+![createsinglerole](/images/identitymanager/createsinglerole.webp)
+
+**Step 2 –** On the **roles** page, click on the adequate category and create a role by clicking on **+New** at the top right corner.
+
+**Step 3 –** Fill in the fields.
+
+- Identifier: Must be unique among **roles** and without any whitespace.
+- Name: Will be displayed in the UI to identify the created single role.
+- Policy: Policy in which the role exists.
+- Entity Type: Entity type targeted by the role.
+- Description: Description of the role.
+- Tags: Label(s) that can later be used to filter the target **roles** of access certification
+campaigns. See the [Schedule a Certification Campaign](../../../user-guide/administrate/access-certification/certification-campaign-scheduling) topic for additional information.
+
+:::note
+ Netwrix recommends using role tags when you want to perform an access certification on a set of **roles** that are from several categories.
+:::
+- Category: Category which is to contain the created role.
+- Secondary Categories: Other potential categories which are to contain the created role.
+- Approval Workflow: Represents the number of validations required to assign the created role.
+- Lock the end date: Locks or binds manual permission assignments to the identity's end date (as
+defined by the context rule).
+
+It has five options:
+
+ - Inherited:The policy's setting will be used.
+ - Explicit, by default not context bound: By default, the assignment's end date will not be
+context bound in order to encourage the manual entry of an end date.
+ - Explicit, by default context bound: By default, the assignment's end date will be context
+bound and therefore locked, but a manual date can be entered.
+ - Never: The assignment's end date will never be locked and needs to be specified manually.
+ - Always: The assignment's end date is always locked according to the applicable context rule.
+
+- Approve Role Implicitly: Needs at least the simple approval workflow. **Implicit** mode bypasses
+the approval step(s) if the person who makes the role request is also the role officer. **Explicit** refuses said bypass. **Inherited** follows the policy decision to approve **roles** implicitly or not. See the [Create a Policy](../../../user-guide/optimize/policy-creation) topic for additional information.
+- Prolongation without a new approval workflow
+- Hide in Simplified View: Hides the role from the users' **Simplified View** in **View Permissions** dialog. This setting does not apply to **roles** which are either inferred or have workflow states which require manual action.
+- Maximum Duration: Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified.
+
+:::note
+ The maximum duration impacts only the **roles** which are **manually assigned after** the maximum duration is set. Pre-assigned **roles** are not impacted.
+:::
+ - If no duration is set on the role, the maximum duration of the associated policy is applied.
+ - If the duration is set to 0 on the role, it prevents the associated policy from applying its
+maximum duration to it.
+
+- Grace Period: Duration (in minutes) for which a lost automatic single role is prolonged. A review
+will be required to validate or decline the entitlement prolongation.
Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined.
+
+:::note
+ The grace period is only applied if the loss of the entitlement is due to a change in the **rules**, i.e. rule deletion or criteria changes.
+:::
+If the grace period is not defined, the value is inherited from the policy.
+
+**Step 4 –** Click on **Create** and see a line added on the **roles** page.
+
+**Step 5 –** Create at least one navigation rule with the single role as a criterion.
+
+Once you have completed the steps the single role is created.
+
+## Create a Navigation Rule
+
+Navigation **rules** aim to assign given resources to identities based on specific criteria. A navigation rule sets the value of the navigation property on a specific resource, if a given condition is met. It is linked to a parent resource type that sets the target entity type. One rule creates one navigation.
+
+Create a navigation rule by proceeding as follows:
+
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
+
+**Step 1 –** On the home page in the **Configuration** section, click on **Access **rules**** to access the **rules** page.
+
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
+
+**Step 2 –** In the drop down menu at the top left, choose the entity type to which the future navigation rule will be applied.
+
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
+
+**Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner.
+
+![Create a Navigation Rule](/images/identitymanager/singlerolescatalog_createnavrule_v602.webp)
+
+**Step 4 –** Fill in the fields.
+
+- Join: Target property whose value is impacted by the created rule.
+- Resource: Value to be set on the JOIN.
+- Navigation denied: Option that forbids the resource assignment.
+- Offset of effective date: Time period that defines the actual effective date according to the
+value's start and/or end date. An offset of effective date can be useful for some attributes. For example, account activation and deactivation can be managed according to the start and/or end dates.
+- Criteria: Conditions that, if met, trigger the created navigation.
+
+**Step 5 –** Click on **Create** and see a line added on the **rules** page.
+
+Once you have completed the steps the navigation rule is created.
+
+## Impact of Modifications
+
+When deleting a single role, caution must be used when deleting the corresponding navigation **rules**. Indeed, these **rules** thus lose their criteria and may be applied to far too many people after that.
+
+## Verify Single Role Creation
+
+In order to verify the process, check that the role and rule are created with the right parameters.
+
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
+
+**Step 1 –** For **roles**, click on **Access **roles**** on the home page in the **Configuration** section.
+
+![Access Single **roles**](/images/identitymanager/namingrulecreation_testroles_v602.webp)
+
+**Step 2 –** Select single **roles** and find the role you created inside the right category and with the right parameters.
+
+Our example would look like:
+
+![Example - Generated Role](/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp)
+
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
+
+**Step 3 –** For **rules**, click on **Access **rules**** on the home page in the **Configuration** section.
+
+![Access Navigation **rules**](/images/identitymanager/namingrulecreation_testrules_v602.webp)
+
+**Step 4 –** Select navigation **rules** and find the rule(s) you created with the right parameters.
+
+Our example would look like:
+
+![Example - Generated Rule](/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp)
+
+The verification of role creation has been completed.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md
new file mode 100644
index 0000000000..81e98b7f51
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md
@@ -0,0 +1,145 @@
+---
+title: "Create **roles** in Bulk"
+description: "Create **roles** in Bulk"
+sidebar_position: 10
+---
+
+# Create **roles** in Bulk
+
+How to create role naming **rules**, which create single **roles** using existing naming conventions from the managed system. See the [Role Mapping](../../../integration-guide/toolkit/xml-configuration/provisioning/rolemapping) topic for additional information.
+
+## Overview
+
+A role naming rule automatically creates single **roles** and the corresponding navigation **rules** based on the name of the corresponding entitlements in the managed system.
+
+Role naming **rules** replace the tedious process of manual role creation. Instead of creating **roles** individually with their navigation **rules**, you can use role naming **rules** to generate **roles** in bulk and thus faster create the single role catalog.
+
+> For example, consider a naming convention in our organization that states that AD groups have
+> their cn: `SG_APP_`. Then, we can create a naming rule that indicates that for
+> all AD groups starting with `SG_APP_`, we create a role that gives the adequate user the
+> corresponding group membership, with `` as a name. For example, we have the
+> application Contoso and the group `SG_APP_Contoso`.
+
+**roles** created via role naming **rules** **can still be modified** later in the UI, if needed.
+
+A role naming rule, for a given resource type, creates **roles** and **rules** only for resources which are **not yet linked to a role, nor a navigation rule of this resource type**. This implies that:
+
+- role naming **rules** do not overwrite manual changes;
+- role naming **rules** cannot link more than one resource (so one entitlement) to one role.
+
+If a role naming rule is supposed to create a role that already exists, then a corresponding navigation rule is created **only if** the existing role has the same policy and category as specified in the role naming rule.
+
+## Participants and Artifacts
+
+For a given managed system, integrators may need the help of the **application owners** who know the application's users, entitlements and data model.
+
+ | Input | Output |
+ | --- | --- |
+ | [Create a Provisioning Rule](../../../user-guide/set-up/provisioning-rule-creation) (required) | Role naming rule Single **roles** Navigation **rules** Categories |
+
+## Create a Role Naming Rule
+
+Create a role naming rule by proceeding as follows:
+
+1. On the home page, click on **Access **rules**** in the **Configuration** section.
+
+ ![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
+
+2. In the dropdown menu at the top left, choose the entity type to which the future naming rule will
+be applied.
+
+ ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
+
+3. Click on the **Role Naming Conventions** tab and on the addition button at the top right corner.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+4. Fill in the fields.
+
+ ![Create a Naming Rule](/images/identitymanager/namingrulecreation_newrule_v602.webp)
+
+ - `Policy`:
+[Policy](../../../integration-guide/toolkit/xml-configuration/provisioning/policy) in which the rule exists.
+ - `Property`: navigation property which will define the actual entitlement in the future
+navigation rule.
+ - `Identifier`: must be unique among **rules** and without any whitespace.
+ - **+ New Rule**: a naming rule is based on the union of **rules**, themselves based on the
+intersection of rule items. A rule item specifies one of the conditions that will trigger the enforcement of the naming rule. See the [Role Mapping](../../../integration-guide/toolkit/xml-configuration/provisioning/rolemapping) topic for additional information.
+ - `Where Expression`: C# expression returning a boolean to condition the application of the
+rule.
+
+Netwrix Identity Manager (formerly Usercube) recommends using this option **only when** the options available in the rule items do not suffice.
+
+ - **Single Role**: single role(s) to be created. See the
+[Create a Role Manually](../../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information.
+
+ - `Identifier`: must be unique among **roles** and without any whitespace. If the defined
+identifier is already used, then neither the role nor the rule is created. Can be defined by a property path and/or [Expressions](../../../integration-guide/toolkit/expressions) (mandatory).
+ - `Name`: will be displayed in the UI to identify the future single role. Can be defined by
+a property path and/or an [Expressions](../../../integration-guide/toolkit/expressions).
+
+ - **Category**: the
+[Category](../../../integration-guide/toolkit/xml-configuration/provisioning/category) for the future role(s).
+
+ - `Identifier`: either matches an existing category and selects it, or doesn't match and
+therefore a new category is created. Can be defined by a property path and/or an expression.
+ - `Name`: will be displayed in the UI to identify the category. Ignored if the `Identifier`
+attribute matches an existing category's identifier. Can be defined by a property path and/or an expression.
+ - ` Parent Identifier`: for a potential parent category. Must match an existing category's
+identifier. Can be defined by a property path and/or an expression.
+ - `Default Category`: category for the future role(s) if the category's `Identifier`
+attribute isn't filled in or doesn't compute.
+
+ - `Role Policy`: policy in which the future **roles** exist.
+ - `Approval Workflow`: represents the number of validations required to assign the future
+role(s).
+ - `Approve Role Implicitly`: needs at least a simple approval workflow. `Implicit` mode bypasses
+the approval step(s) if the person who issues the role request is also the role officer.
`Explicit` refuses said bypass. `Inherited` follows the policy decision to approve **roles** implicitly or not.
+ - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View
+Permissions** dialog. This setting does not apply to **roles** which are either inferred or have workflow states which require manual action.
+ - `Comment Management on Permission Review`: to change if different from the role policy.
+ > Our example would look like:
+>
+ > ![Example - Naming Rule](/images/identitymanager/namingrulecreation_example_v602.webp)
+
+5. Click on **Create** and see a line added on the **rules** page.
+
+## Impact of Modifications
+
+As naming **rules** are applied only to resources that aren't already linked to a role or a navigation rule, neither deletion nor modification in a naming rule can affect the previously created **roles** and **rules**.
+
+## Verify Naming Convention
+
+In order to verify the process:
+
+1. to take the changes into account, on the appropriate connector's overview page click on
+**Jobs** > **Apply Naming Conventions**;
+
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
+
+2. check that the correct **roles** and **rules** were created.
+
+For **roles**, click on **Access **roles**** on the home page in the **Configuration** section.
+
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
+
+Select single **roles** and find the role(s) you created inside the right category and with the right parameters.
+
+![Access Single **roles**](/images/identitymanager/namingrulecreation_testroles_v602.webp)
+
+> Our example would look like:
+>
+> ![Example - Generated Role](/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp)
+
+For **rules**, click on **Access **rules**** on the home page in the **Configuration** section.
+
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
+
+Select navigation **rules** and find the rule(s) you created with the right parameters.
+
+![Access Navigation **rules**](/images/identitymanager/namingrulecreation_testrules_v602.webp)
+
+> Our example would look like:
+>
+> ![Example - Generated Rule](/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp)
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/synchronization.md b/docs/identitymanager/6.3/user-guide/set-up/synchronization.md
new file mode 100644
index 0000000000..bc23c751a0
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/synchronization.md
@@ -0,0 +1,225 @@
+---
+title: "**synchronize** Data"
+description: "**synchronize** Data"
+sidebar_position: 70
+---
+
+# **synchronize** Data
+
+How to launch data synchronization, i.e. read managed systems' data and load it into Identity Manager.
+
+## Overview
+
+Data synchronization is a data flow from the managed systems into Identity Manager.
+
+### Process
+
+A connector's main purpose is to read and **export** the data previously mapped with [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation) in order to **synchronize** it with Identity Manager. Connectors provide tools to perform a basic extraction of the system's data in the form of CSV/XLSX files. These files are cleansed and loaded into Identity Manager. Synchronization is a three-step ETL process going through **export**, synchronization preparation and the synchronization itself.
+
+![Synchronization Schema](/images/identitymanager/synchro_schema.webp)
+
+#### **export**
+
+The [**export** Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask) creates **extractions**, a snapshot of the managed system's data, used to insert and/or refresh the data that is inside Identity Manager. **extractions** are accessible when there is at least one connection with an **export**-enabled [References: Packages](../../integration-guide/connectors/references-packages). Extracted data becomes meaningful when it is loaded into resources as specified by the entity type structure.
+
+Exported data is stored inside CSV files in the folder `/{InstallationFolder}/Temp/ExportOutput`.
+
+#### Prepare synchronization
+
+The [Prepare Synchronization Task](../../integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask) performs a preparatory data cleansing to spot errors and list them in a generated file in the `/{InstallationFolder}/Work/Synchronization` folder.
+
+> For example, this task spots an identity if it is linked to an organization code which doesn't exist.
+
+#### **synchronize**
+
+The `**synchronize**` task loads data into Identity Manager's database.
+
+See the [Upward Data Synchronization](../../integration-guide/synchronization/upward-data-sync) topic for additional information.
+
+### Prerequisites
+
+#### Extracted data must have keys
+
+Every extracted resource must have an attribute that serves as a primary key so that Identity Manager can uniquely identify the resource to be added/updated/deleted during synchronization. You must have defined keys during Entity Type creation. See the [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation) topic for additional information.
+
+****extractions** must not be modified before synchronization**
+
+**extractions** must not be modified manually, for it may induce synchronization issues.
+
+> For example, saving an XLSX file implies an automatic modification of format.
+
+Also, synchronization must not be disturbed by a change in the source format, such as the deletion of a column in the middle of the file.
+
+****Thresholds must never be deactivated****
+
+Thresholds are essential safety guards that control all changes, for example preventing the overwriting of important data by mistake. Thresholds are by default activated to warn users when synchronization or provisioning triggers too many modifications. If the number of modifications exceeds the specified threshold, Identity Manager stops the synchronization and displays a warning _"Threshold Exceeded"_ on the log page described below.
+
+Once the changes have been reviewed, the blocked job can be resumed (or not).
+
+Thresholds are configured with default values using the following [Connector](../../integration-guide/toolkit/xml-configuration/connectors/connector) attributes:
+
+- `MaximumDeletedLines`, `MaximumInsertedLines` and `MaximumUpdatedLines` for scalar properties;
+- `MaxPercentageDeletedLines`, `MaxPercentageInsertedLines` and `MaxPercentageUpdatedLines` for
+scalar properties by percentage;
+- `MaximumLinkDeletedLines`, `MaximumLinkInsertedLines` and `MaximumLinkUpdatedLines` for navigation properties;
+- `MaxLinkPercentageDeletedLines`, `MaxLinkPercentageInsertedLines` and `MaxLinkPercentageUpdatedLines` for navigation properties by percentage.
+
+## Participants and Artifacts
+
+At this point, integrators should have all the elements they need to perform synchronization.
+
+ | Input | Output |
+ | --- | --- |
+ | Connector with its entity types (required) | Synchronized data |
+
+See the [Connect to a Managed System](../../user-guide/set-up/connect-system) topic for additional information.
+
+## Launch Synchronization
+
+Launch synchronization for a given managed system by proceeding as follows:
+
+1. Access the list of connectors by clicking on **Connectors** on the home page in the
+**Configuration** section.
+
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
+
+2. On the relevant connector page, in the **Entity Types** frame, click on **Jobs**.
+
+Here are all the tasks available for synchronization. They **synchronize** all connections and entity types for only this connector. It is possible to launch them individually in order to test them and debug a situation, or all together with **All Tasks**. According to the created connection(s) and package(s), all these tasks can be launched either in incremental or complete mode.
+
+ ![**synchronize** Job](/images/identitymanager/synchro_executionjobs_v602.webp)
+
+ - `Update Expressions`: computes the expressions used in the entity type mapping.
+ - `All Tasks`: launches all previous tasks in a row.
+
+Notice that some connectors, depending on their connections and packages, can't be synchronized in incremental mode. As a consequence, when clicking on the **Jobs** button, you wouldn't have a choice between `Complete` and `Incremental`. See below this note.
+
+ ![**synchronize** Job (Only Complete)](/images/identitymanager/synchro_executionjobs-complete_v602.webp)
+
+## Manage Synchronization Automation
+
+**export** and synchronization are executed manually from the connector screens. By default, they are also part of scheduled [Jobs](../../integration-guide/tasks-jobs/jobs) provided by Identity Manager:
+
+- the complete job is scheduled to launch a synchronization once a day of all resources, modified or not;
+- the incremental job is scheduled to launch a synchronization several times a day only of the resources modified since the last synchronization.
+
+See the [Set Up Incremental Synchronization](../../integration-guide/tasks-jobs/jobfast) and [Set up Complete Synchronization](../../integration-guide/tasks-jobs/jobdaily) topics for additional information.
+
+Scheduling the jobs avoids manually triggering them everyday.
+
+However, you can choose to withdraw a given connector from both the complete and incremental jobs by clicking on **Deactivate** on the connector's dashboard. This is particularly useful when modifying a connector. You can also re-insert it at any time with the same button which is now named **Activate**.
+
+![Jobs Results Dashboard](/images/identitymanager/synchro_dashboard_v522.webp)
+
+You can fine-tune the synchronization and/or provisioning of the connector by clicking on the **Edit** button.
+
+![Edit button](/images/identitymanager/synchro_edit_v600.webp)
+
+Click on **Job Results** to access the progress of this connector's jobs.
+
+All jobs are accessible on the **Job Execution** page in the **Administration** section.
+
+![Home - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
+
+## Verify an Entity Type's Synchronization
+
+In order to verify both the synchronization configuration and [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation):
+
+1. Launch synchronization.
+2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that synchronization completed successfully.
+
+ ![Jobs Results](/images/identitymanager/synchro_results_v603.webp)
+
+3. Check that the entity types have been added to the left menu of the home page.
+
+ ![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp)
+
+4. Access the relevant entity types (from the menu items on the left of the home page) to check
+synchronized resources, by navigating in the UI from the accounts through a sample of associations, via the eye icon:
+
+ ![Eye Icon](/images/identitymanager/iconeye_v600.svg)
+
+You should first look for configuration validation, and only later validation of the actual data being synchronized.
+
+ > For example, let's say we created a connector for SAB that contains two entity types called
+ > `SAB - Users` and `SAB - Groups`. Then, the home page shows them on the left.
+>
+ > ![SAB Example - Home Page](/images/identitymanager/synchro_examplesab_v522.webp)
+>
+ > Clicking on `SAB - Users` displays the list of all synchronized resources.
+>
+ > ![SAB Example - Data List](/images/identitymanager/synchro_examplesab2_v602.webp)
+>
+ > Clicking on any resource displays its detailed attributes, for example `Abbott Mark`:
+>
+ > ![SAB Example - Resource Attributes](/images/identitymanager/synchro_examplesab3_v602.webp)
+>
+ > Clicking on any eye icon displays the corresponding resource. SAB was created here with a
+ > simple user-group schema that links n users to n groups.
So here, we can check these links by
+ > navigating from a given user to one of their groups, to one of said group's users, to one of
+ > said user's groups, etc.
+
+## Troubleshooting
+
+Make sure you followed the prerequisite guidelines for synchronization.
+
+Keep in mind that a problem observed in synchronized data might also come from a mistake made previously in the connector's configuration. Therefore, logs can give more details. Logs are accessible from the **Job Results** button on the dashboard of a given connector.
+
+Don't hesitate to launch synchronization-related tasks individually and observe the corresponding logs in order to debug a situation.
+
+If the connector and/or entity type doesn't appear in the menu items, then:
+
+![Test Entity Type](/images/identitymanager/home_entitytypes_v602.webp)
+
+Access the relevant connector's page and click on the **Reload** button to take into account the last changes in the entity type mappings.
+
+If a newly added property doesn't appear in users' data, then:
+
+Access the relevant connector's page to click on the **Reload** button to take into account the most recent changes in the entity type mappings.
+
+If a synchronization is blocked by an exceeded threshold, then:
+
+![Threshold warning](/images/identitymanager/synchro_threshold_v603.webp)
+
+Find out the reasons to decide whether or not to bypass the threshold. Proceed as follows:
+
+1. On the logs page (accessible from the **Job Results** button), click on the line of a task
+instance to see its logs.
+2. Study synchronization counters and the list of all synchronization changes. These tools help you
+make a decision about whether to bypass synchronization thresholds.
+
+ ![Job progress](/images/identitymanager/synchro_thresholdlog_v603.webp)
+
+In most cases, the first synchronization exceeds thresholds because no data exists in Identity Manager yet. Thus, a high quantity of modifications is expected and the synchronization is to be resumed.
+
+Numerous modifications can also be triggered by:
+
+ - a change in date format;
+ - the input of blank files by mistake, because it would overwrite and erase all existing data;
+ - a swap of two headers in an input file.
+
+3. If, after verifying, all changes are legitimate, click on the **Resume** button at the top of the
+job progress page. This will restart the job and allow the changes to be synchronized.
+
+Be cautious, check twice for mistakes before resuming.
+
+ ![Resumed Job](/images/identitymanager/synchro_thresholdresumed_v602.webp)
+
+If an **export** doesn't complete, then:
+
+- Check the connection's settings.
+- If you manually typed the source column of a property in the entity types, then make sure that the
+source column exists in the corresponding managed system.
+
+ ![Source Column](/images/identitymanager/entitytype_sourcecolumn_v602.webp)
+
+If a given property from users' data is displayed in an unexpected way, then:
+
+Check the format of both the application metadata and the external system.
+
+![Property Format](/images/identitymanager/entitytype_format_v523.webp)
+
+> For example, if you find that a given date doesn't comply with what you set, then maybe the format
+> in the External System section wasn't correctly selected, thus inducing a conversion error during
+> the **export** computation.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/user-profile-assignment.md b/docs/identitymanager/6.3/user-guide/set-up/user-profile-assignment.md
new file mode 100644
index 0000000000..2d7f8148cd
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/user-profile-assignment.md
@@ -0,0 +1,92 @@
+---
+title: "Assign Users a Profile"
+description: "Assign Users a Profile"
+sidebar_position: 110
+---
+
+# Assign Users a Profile
+
+How to assign Identity Manager's access permissions to users through profiles.
+
+## Overview
+
+All the permissions to access items in Identity Manager, **and** to perform given actions, are managed by assigning profiles to users **and** permissions to profiles. See the [Assigned Profile](../../integration-guide/toolkit/xml-configuration/access-control/assignedprofile) **and** [References: Permissions](../../integration-guide/profiles-permissions/permissions) topics for additional information.
+
+![Schema - Profile Assignment](/images/identitymanager/profiles_schema.webp)
+
+For example, the access to the list of users with their personal data is usually restricted to HR people, **and** the possibility to modify personal data restricted to HR managers.
+
+We define here a permission as an entitlement **within** Identity Manager. See the [Configure a User Profile](../../user-guide/set-up/user-profile-configuration) topic for additional information.
+
+**Users are assigned profiles according to the permissions they need to work**, at least one profile per user. A user without a profile cannot access the application. Experience shows that most users have one profile, sometimes two, **and** rare case have maximum three, or more.
+
+The goal here is to link users to basic profiles.
+
+The right time to assign profiles to users is just before they need it, so it depends on the deployment strategy. For example, we connected a given application **and** now we want to list orphaned accounts. Then we need to assign a role officer.
+
+The priority is often about **resource managers** who will review orphaned **and** unused accounts.
+
+## Participants **and** Artifacts
+
+Integrators must have the knowledge of who must be able to access what **within** Identity Manager.
+
+ | Input | Output |
+ | --- | --- |
+ | [Configured profiles](../../user-guide/set-up/user-profile-configuration) (required) | Assigned profiles |
+
+## Assign a Profile to an Account
+
+In the following section you will read about how to assign a profile to an account.
+
+**Manual assignment**
+
+Assign manually a profile to a user by proceeding as follows:
+
+![Home Page - Assigned Profiles](/images/identitymanager/home_assignedprofiles_v602.webp)
+
+**Step 1 –** Access the **Assigned Profiles** screen from the home page in the **Administration** section.
+
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
+
+**Step 2 –** Click on the addition button at the top right corner.
+
+![New Profile](/images/identitymanager/roleofficers_newprofile_v602.webp)
+
+**Step 3 –** Fill in the fields.
+
+- **Profile**: Profile chosen from among existing profiles.
+- **Resource**: Identity chosen from among entries to be assigned said profile.
+- **Profile's Email**: Email created in order to receive the corresponding approval requests.
+- **Deny this Profile**: Option that forbids the profile assignment instead of applying it.
+- **Start Date** **and** **End Date**: Particularly useful for profile delegation.
+
+:::note
+ If filters are defined in the Access Rules, **and** are assigned to the profile, a **Criteria** section will appear containing them. Filters are conditions that, if met, trigger the Access Control Rule Application. The only filters which can be displayed in this section are filters related to dimensions or hard coded criteria (Single Role, Composite Role, Resource Type **and** Category). The filters are defined in the XML configuration on the access control rules. The criteria displayed are a fusion of the filters of all the rules associated with the profile. See the [Access Control Rule](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) topic for additional information.
+:::
+**Automatic assignment**
+
+The largest profiles with the most basic permissions (like a simple access to the application) concern many identities **and** are low-privileged. Thus integrators can set up profile assignment rules through the XML configuration in order to assign profiles automatically, based on accounts' resource type **and** potentially specific criteria. See the [Profile Rule Context](../../integration-guide/toolkit/xml-configuration/access-control/profilerulecontext) topic for additional information.
+
+![Launch Button](/images/identitymanager/launch_v603.webp)
+
+Click on **Launch** to apply these profile rules.
+
+:::note
+ Profile rules can also be applied through the same button on the **Profiles** page, by clicking on **Settings** in the **Configuration** section, then on **General** > **Profiles** in the left menu.
+:::
+## Delegate a Profile
+
+Sometimes, users need to lend their entitlements, while on leave for example. In this case, it is interesting to create new profiles, identical to the initial ones but without the right to delegate the corresponding entitlements.
+
+For example, let us consider the Manager profile which we appointed as request validator per department. In order to ensure the presence of all validators at all times, we choose to create a Assistant Manager profile which is to be assigned occasionally to another user by a manager. A user with the Assistant Manager profile will receive exactly the same entitlements as someone with the Manager profile, except for the ability to assign the Assistant Manager to another user.
+
+Thus no workflow in Identity Manager can be blocked by the absence of the workflow's actors, **and** security is ensured by preventing unwanted entitlement delegation.
+
+## Verify Profile Configuration **and** Assignment
+
+In order to verify both profile configuration **and** assignment, check that a sample of users can effectively perform the actions allowed by their profiles.
See the [Configure a User Profile](../../user-guide/set-up/user-profile-configuration) topic for additional information.
+
+A functioning **and** well-assigned profile must not trigger 403 errors in the server logs, nor in the UI in the form of a red notification at the bottom right corner of the application. This kind of error appears if an entitlement is incomplete, i.e. giving access to a button but not to the page said button leads to.
+
+For example, you can check whether an ordinary user can access another user's personal data from the **Directory** tile.
+
diff --git a/docs/identitymanager/6.3/user-guide/set-up/user-profile-configuration.md b/docs/identitymanager/6.3/user-guide/set-up/user-profile-configuration.md
new file mode 100644
index 0000000000..98214c2ef5
--- /dev/null
+++ b/docs/identitymanager/6.3/user-guide/set-up/user-profile-configuration.md
@@ -0,0 +1,109 @@
+---
+title: "Configure a User Profile"
+description: "Configure a User Profile"
+sidebar_position: 50
+---
+
+# Configure a User Profile
+
+How to tweak the [References: Permissions](../../integration-guide/profiles-permissions/permissions) for actions **within** Identity Manager, for a set of basic [Assigned Profile](../../integration-guide/toolkit/xml-configuration/access-control/assignedprofile).
+
+## Overview
+
+All the permissions for accessing items and performing actions in Identity Manager are managed by assigning profiles to users and permissions to profiles.
+
+![Schema - Profile Assignment](/images/identitymanager/profiles_schema.webp)
+
+> For example, access to user lists with personal data is usually restricted to HR staff, and the
+> modification of personal data would be restricted to HR managers.
+
+We define here a permission as an entitlement **within** Identity Manager.
+
+Permissions can be about:
+
+- **administration**, which gives access to [Administrate](../../user-guide/administrate) actions,
+accessible in the ****administration**** section on the home page;
+- **directory**, which gives access to users' data (with several available levels of access), and also
+any other data accessible in the ****directory**** section on the home page;
+- **workflows**, which gives access to actions for users' lifecycle (onboarding-movement-offboarding),
+through the **workflows** provided by Identity Manager **within** the ****directory**** pages;
+- **reports**, which gives access to Identity Manager's predefined **reports** about workforce. See the
+[Generate **reports**](../../user-guide/administrate/reporting) topic for additional information.
+- **notifications**, which enables notification reception when specific **workflows** are launched.
+
+Netwrix Identity Manager (formerly Usercube) recommends creating and using the following profiles:
+
+- `Administrator` for requesting entitlements, performing potential additional role reviews, and
+updating user data, the role model and the settings;
+- `Helpdesk` for requesting entitlements and updating user data only, not for updating the role
+model or other settings;
+- `HR` for managing internal users, i.e. creating, updating and deleting them;
+- `Manager` for requesting their teams' entitlements and managing their external users, like
+contractors;
+- `RoleOfficer` for reviewing and approving roles;
+- `User` for basic viewing of user and organizational information.
+
+A user can have up to 10 assigned profiles.
+
+The goal here is to create profiles and link specific permissions to the profiles, in order to build a set of typical profiles that will later be assigned to users. See the [Assign Users a Profile](../../user-guide/set-up/user-profile-assignment) topic for additional information. Instead of assigning permissions one by one to users, you will assign them sets of permissions (i.e. profiles).
+
+### Responsibility scopes
+
+Each permission can be assigned a responsibility scope, which represents the scope of action of users with said permission.
+
+> For example, managers can be assigned the `View Requests` and `Manage Accounts` permissions, but
+> only for the teams in which they have the manager title. In this case they will handle the
+> entitlement requests **within** the team they manage, having their scope of responsibility defined as
+> their team. It means that the manager cannot see or do anything outside the identities included in
+> their team.
+
+## Participants and Artifacts
+
+Integrators must have the knowledge of the organization strategy towards the IGA project.
+
+ | Input | Output |
+ | --- | --- |
+ | [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) (required) | User profiles |
+
+## Configure a User Profile
+
+Configure a user profile by proceeding as follows:
+
+1. On the home page, click on **Settings** in the **Configuration** section, then on **General** >
+**Profiles** in the left menu.
+
+ ![Home - Configuration](/images/identitymanager/home_settings_v523.webp)
+
+2. Check whether the profile to configure is part of the provided list. If not, create it by
+clicking on the addition button at the top right and fill in the fields.
+
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
+
+ ![New Profile](/images/identitymanager/profiles_creation_v602.webp)
+
+ - `Identifier`: must be unique among profiles and without any whitespace.
+ - `Name`: will be displayed in the UI to identify the profile.
+
+Click on **Create**.
+
+3. Access the page for profile configuration by clicking on **Workforce** > **Profiles &
+Permissions** in the left menu.
+4. Follow Identity Manager's instructions for assigning permissions to the profile by clicking on
+the appropriate permissions, one by one, selecting if needed their responsibility scope.
+
+ ![Profile Configuration Example](/images/identitymanager/profiles_example_v603.webp)
+
+5. Click on **Save** at the top of the page.
+
+ ![Save Icon](/images/identitymanager/iconsave_v602.svg)
+
+## Verify Profile Configuration
+
+Before you can see the profile in action, it needs to be assigned to a user.
+
+See the [Assign Users a Profile](../../user-guide/set-up/user-profile-assignment) topic for additional information.
+
+## Next Steps
+
+Once user profiles are configured, integrators can start configuring onboarding **workflows**. See the [Create the Workforce Repository](../../user-guide/set-up/initial-identities-loading) topic for additional information.
+
diff --git a/docs/identitymanager/current/index.md b/docs/identitymanager/current/index.md
index a44fe79348..eaace48888 100644
--- a/docs/identitymanager/current/index.md
+++ b/docs/identitymanager/current/index.md
@@ -1,6 +1,6 @@
 ---
-title: "Netwrix Identity Manager 6.3"
-description: "Netwrix Identity Manager 6.3"
+title: "Netwrix Identity Manager 7.0"
+description: "Netwrix Identity Manager 7.0"
 sidebar_position: 10
 ---
diff --git a/docs/identitymanager/current/installation-guide/overview.md b/docs/identitymanager/current/installation-guide/overview.md
index 96547efb6f..580619c92c 100644
--- a/docs/identitymanager/current/installation-guide/overview.md
+++ b/docs/identitymanager/current/installation-guide/overview.md
@@ -1,4 +1,4 @@
----
+---
 title: "Overview"
 description: "Overview"
 sidebar_position: 10
@@ -10,7 +10,7 @@ This section will give you an overview of Identity Manager's components, their r
 ## Components and Data Flow
-![Components & Data Flow](/images/identitymanager/installation-guide/overview/components_data_flow.webp)
+![Components & Data Flow](/images/identitymanager/components_data_flow.webp)
 ### Components
@@ -79,13 +79,13 @@ Two scenarios unfold: This approach is useful when managed systems need to run on separate and isolated networks. -![Server & Agents isolated](/images/identitymanager/installation-guide/overview/distribution_1.webp) +![Server & Agents isolated](/images/identitymanager/distribution_1.webp) **2.** The Server and **One** Agent are installed on the same workstation In that case, the Identity Manager Agent can run directly within the Identity Manager Server process. The hosting workstation would **only host a Identity Manager Server process** (**with the integrated agent**) and no separate agent needs to be installed. The database could be installed on the same workstation or on a separate **One**. -![Server & Agent together](/images/identitymanager/installation-guide/overview/distribution_2.webp) +![Server & Agent together](/images/identitymanager/distribution_2.webp) ## Authentication diff --git a/docs/identitymanager/current/installation-guide/production-ready/agent.md b/docs/identitymanager/current/installation-guide/production-ready/agent.md index 83ac7df8a0..9a8e29e05e 100644 --- a/docs/identitymanager/current/installation-guide/production-ready/agent.md +++ b/docs/identitymanager/current/installation-guide/production-ready/agent.md @@ -1,4 +1,4 @@ ---- +--- title: "Install the Agents" description: "Install the Agents" sidebar_position: 40 @@ -80,7 +80,7 @@ The following is [mandatory](https://docs.microsoft.com/en-us/aspnet/core/host-* - **Application Pool** > **Identity Manager ``** > **Advanced Settings** > **General** > **.NET CLR Version** > **No Managed Code** -![IIS Settings](/images/identitymanager/installation-guide/production-ready/server/iis_settings.webp) +![IIS Settings](/images/identitymanager/iis_settings.webp) This sums up IIS settings. 
@@ -191,7 +191,7 @@ To fix the **missing** permissions follow the steps: **Step 5 –** Select the newly added user name in the Group or user names panel at the top of the window. -![Object Names](/images/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) +![Object Names](/images/identitymanager/enter-the-object-names-to-select.webp) **Step 6 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column for the others. See the[Server](../../installation-guide/requirements/server-requirements) topic for additional information. diff --git a/docs/identitymanager/current/installation-guide/production-ready/database.md b/docs/identitymanager/current/installation-guide/production-ready/database.md index e96d33ad06..47c7ca885a 100644 --- a/docs/identitymanager/current/installation-guide/production-ready/database.md +++ b/docs/identitymanager/current/installation-guide/production-ready/database.md @@ -1,4 +1,4 @@ ---- +--- title: "Install the Database" description: "Install the Database" sidebar_position: 20 @@ -41,7 +41,7 @@ Preferred methods include [SQL Server Management Studio](https://docs.microsoft. - Locate the database name dropdown, next to the **Execute** button in the top left section of the screen. -![Execute Query](/images/identitymanager/installation-guide/production-ready/database/execute_query.webp) +![Execute Query](/images/identitymanager/execute_query.webp) - From the dropdown, select the newly created database. - Click **Execute**. diff --git a/docs/identitymanager/current/installation-guide/production-ready/server.md b/docs/identitymanager/current/installation-guide/production-ready/server.md index 9dab4fae6c..2526b1a587 100644 --- a/docs/identitymanager/current/installation-guide/production-ready/server.md +++ b/docs/identitymanager/current/installation-guide/production-ready/server.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Install the Server" description: "Install the Server" sidebar_position: 30 @@ -60,7 +60,7 @@ The following is mandatory: - **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR Version > `No Managed Code` -![IIS Settings](/images/identitymanager/installation-guide/production-ready/server/iis_settings.webp) +![IIS Settings](/images/identitymanager/iis_settings.webp) An SSL Certificate should also be set to the IIS Server to perform HTTPS communication with end-users. @@ -137,7 +137,7 @@ This guide will show you how to perform these operations using SQL Server Manage **Step 1 –** Open SQL Server Management Studio (SSMS) **and** log in to access the server on which runs the Identity Manager Database with an account member of the **sysadmin** **or** **securityadmin** server-level role. -![New Login](/images/identitymanager/installation-guide/production-ready/server/newlogin.webp) +![New Login](/images/identitymanager/newlogin.webp) **Step 2 –** Expand the **Security** **and** **Login** nodes, **and** look for the Identity Manager service account in the list. @@ -151,7 +151,7 @@ If you cannot find the service account click on the **Login** node, right-click **Step 6 –** Go to **User Mapping****and** make sure `Usercube/` is checked (top panel), as well as **db_owner** **and** **public** (bottom panel). -![Bulk](/images/identitymanager/installation-guide/production-ready/server/bulk.webp) +![Bulk](/images/identitymanager/bulk.webp) **Step 7 –** Right-click the **Server** root node **and** select **Properties**, **and** in the **Permissions** tab, select the service account **or** group name. 
@@ -189,7 +189,7 @@ to do **Step 1 –** Click on **Edit** **and** then on **Add**. - ![Object Names](/images/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + ![Object Names](/images/identitymanager/enter-the-object-names-to-select.webp) **Step 2 –** In the **Enter the object names to select** textbox, enter the service account name in the down-level log on format, such as `CONTOSO/identitymanagerContosoServer`, then click **OK**. diff --git a/docs/identitymanager/current/installation-guide/quick-start.md b/docs/identitymanager/current/installation-guide/quick-start.md index f0fc9ca9d8..b3ce470109 100644 --- a/docs/identitymanager/current/installation-guide/quick-start.md +++ b/docs/identitymanager/current/installation-guide/quick-start.md @@ -1,4 +1,4 @@ ---- +--- title: "Quick Start Guide" description: "Quick Start Guide" sidebar_position: 30 @@ -23,7 +23,7 @@ If the certificate is named something other than Usercube.pfx, remember to chang **Step 1 –** Go on the Netwrix Identity Manager (formerly Usercube) [portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) and download the artifacts of the expected version. -![Extranet Artifacts](/images/identitymanager/installation-guide/quick-start/extranet_v601.webp) +![Extranet Artifacts](/images/identitymanager/extranet_v601.webp) **Step 2 –** Extract from SDK the folder Usercube Bootstrap anywhere on the computer. @@ -31,7 +31,7 @@ If the certificate is named something other than Usercube.pfx, remember to chang When extracting Usercube Bootstrap to the root of the computer, it looks like: -![Project Directory](/images/identitymanager/installation-guide/quick-start/directory_v602.webp) +![Project Directory](/images/identitymanager/directory_v602.webp) **Step 4 –** Move or copy your certificate inside the Runtime folder. 
@@ -67,7 +67,7 @@ In our example, the command would be, still in the Runtime folder: **Step 10 –** Open a browser and navigate to http://localhost:5000. Authenticate with administrator as a username and the password specified in the Runtime/appsettings.json file, in the Authentication section. -![Authentication Dialog](/images/identitymanager/installation-guide/quick-start/authentication_v601.webp) +![Authentication Dialog](/images/identitymanager/authentication_v601.webp) Now you can start using the application. @@ -75,7 +75,7 @@ Now you can start using the application. From there, you can start setting up Identity Manager via the **Settings** page which is accessible from the **Configuration** section of the home page. -![Home Page - Settings](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) +![Home Page - Settings](/images/identitymanager/home_settings_v523.webp) Then, Netwrix recommends following the user guide to start the configuration of your IGA project from scratch. See the [User Guide](../user-guide) topic for additional information. diff --git a/docs/identitymanager/current/installation-guide/reverse-proxy.md b/docs/identitymanager/current/installation-guide/reverse-proxy.md index c89f16405b..f1ca9fc4c1 100644 --- a/docs/identitymanager/current/installation-guide/reverse-proxy.md +++ b/docs/identitymanager/current/installation-guide/reverse-proxy.md @@ -1,4 +1,4 @@ ---- +--- title: "Reverse Proxy" description: "Reverse Proxy" sidebar_position: 50 
@@ -15,18 +15,18 @@ A reverse proxy is usually used when: - needing to encrypt the requests from/to end-users on the one hand, and on the other hand to be able to monitor plain text requests from/to Identity Manager's server; - ![Proxy Purposes: Encryption](/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp) + ![Proxy Purposes: Encryption](/images/identitymanager/proxy_purpose_encryption.webp) - installing Identity Manager with an integrated agent on a network isolated from the users' browsers, in order to be able to access sensitive systems which are protected by being set up on a network isolated from the Internet; - ![Proxy Installation Example](/images/identitymanager/installation-guide/reverse-proxy/proxy_example.webp) + ![Proxy Installation Example](/images/identitymanager/proxy_example.webp) This installation will be used for the configuration examples below. - using several Identity Manager's server instances for load-balancing purposes. - ![Proxy Purposes: Load Balancing](/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp) + ![Proxy Purposes: Load Balancing](/images/identitymanager/proxy_purpose_loadbalancing.webp) As Identity Manager is **session-less**, working with several servers does not imply the need to synchronize sessions between servers, nor the need to guarantee that a particular IP will be processed by a particular server. diff --git a/docs/identitymanager/current/integration-guide/api/index.md b/docs/identitymanager/current/integration-guide/api/index.md index 19726c07a7..0f75deadc6 100644 --- a/docs/identitymanager/current/integration-guide/api/index.md +++ b/docs/identitymanager/current/integration-guide/api/index.md @@ -1,4 +1,4 @@ ---- +--- title: "API" description: "API" sidebar_position: 170 
@@ -16,7 +16,7 @@ The page `[Usercube application's URL]/swagger` can be used to explore and test This page is built by the [Swagger UI tool](https://swagger.io/tools/swagger-ui/) from the Identity Manager [OpenAPI](https://swagger.io/specification/) definition. -![Usercube server swagger page](/images/identitymanager/integration-guide/api/swagger.webp) +![Usercube server swagger page](/images/identitymanager/swagger.webp) A function can have several versions. This is why the API description is split into several OpenAPI definition files. diff --git a/docs/identitymanager/current/integration-guide/api/pagination.md b/docs/identitymanager/current/integration-guide/api/pagination.md index f280cf365f..ea3e7240d2 100644 --- a/docs/identitymanager/current/integration-guide/api/pagination.md +++ b/docs/identitymanager/current/integration-guide/api/pagination.md @@ -1,4 +1,4 @@ ---- +--- title: "Pagination" description: "Pagination" sidebar_position: 30 @@ -10,7 +10,7 @@ Each function returning a list of items supports pagination. This pagination is The principle is to call the function with the ContinuationToken obtained from the previous call. -![Pagination sequence diagram](/images/identitymanager/integration-guide/api/pagination/pagination.webp) +![Pagination sequence diagram](/images/identitymanager/pagination.webp) :::note Pagination is optional. If PageSize is not specified, the function will return all items or use the limit specified in the squery parameter. If PageSize is specified, no limit must be specified in the squery parameter. diff --git a/docs/identitymanager/current/integration-guide/api/request-postman.md b/docs/identitymanager/current/integration-guide/api/request-postman.md index f22f4e8736..9ad4fffeee 100644 --- a/docs/identitymanager/current/integration-guide/api/request-postman.md +++ b/docs/identitymanager/current/integration-guide/api/request-postman.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Request APIs via Postman" description: "Request APIs via Postman" sidebar_position: 40 @@ -15,15 +15,15 @@ Get an access token by proceeding as follows: 1. Launch Postman. 2. Create a new request by clicking on **+ New** then **Request**. - ![Postman: New Request](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp) + ![Postman: New Request](/images/identitymanager/postman_newrequest.webp) 3. Fill in the fields and click on **Save to Identity Manager**. - ![Postman: New Request Fields](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp) + ![Postman: New Request Fields](/images/identitymanager/postman_requestfields.webp) 4. Fill in the authentication information as follows: - ![Postman: Authentication](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp) + ![Postman: Authentication](/images/identitymanager/postman_authentication.webp) - **Method**: POST - **URL**: ``/connect/token @@ -35,7 +35,7 @@ Get an access token by proceeding as follows: 5. Click on **Send** and get the access token from the response body. - ![Postman: Access Token](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp) + ![Postman: Access Token](/images/identitymanager/postman_accesstoken.webp) ## Use an Access Token @@ -44,7 +44,7 @@ Use an access token by proceeding as follows: 1. Create a new request in Postman. 2. Fill in the authorization information as follows: - ![Postman: Authorization](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp) + ![Postman: Authorization](/images/identitymanager/postman_authorization.webp) - **Method**: GET - **URL**: ``/``?api-version=1.0 
@@ -54,7 +54,7 @@ Use an access token by proceeding as follows: 3. Click on **Send** and get the result from the response body. - ![Postman: Access Token Result](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) + ![Postman: Access Token Result](/images/identitymanager/postman_accesstokenresult.webp) ## Create a Combined Request @@ -63,7 +63,7 @@ Create a combined request by proceeding as follows: 1. Create a new request in Postman. 2. Fill in the authorization information as follows: - ![Postman: Authorization (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp) + ![Postman: Authorization (Combined Request)](/images/identitymanager/postman_authorizationcombined.webp) - **Method**: GET - **URL**: ``/``?api-version=1.0 @@ -73,7 +73,7 @@ Create a combined request by proceeding as follows: 3. Click on **Get New Access Token** and fill in the fields as follows: - ![Postman: New Access Token Fields (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp) + ![Postman: New Access Token Fields (Combined Request)](/images/identitymanager/postman_newaccesstokencombined.webp) - **Token Name**: `` - **Grant Type**: Client Credentials 
@@ -88,8 +88,8 @@ Do not replace `@` with its encoding.
 4. Click on **Request Token** to get the token.
- ![Postman: Get Token (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp)
+ ![Postman: Get Token (Combined Request)](/images/identitymanager/postman_gettokencombined.webp)
 5. Click on **Use Token** and **Send** and get the result from the response body.
- ![Postman: Access Token Result (Combined Request)](/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp)
+ ![Postman: Access Token Result (Combined Request)](/images/identitymanager/postman_accesstokenresult.webp)
diff --git a/docs/identitymanager/current/integration-guide/api/server/accesscontrol.md b/docs/identitymanager/current/integration-guide/api/server/accesscontrol.md
index 59567c0a5f..3fd56f205b 100644
--- a/docs/identitymanager/current/integration-guide/api/server/accesscontrol.md
+++ b/docs/identitymanager/current/integration-guide/api/server/accesscontrol.md
@@ -33,7 +33,7 @@ Returns all the accessControlEntrys according to the provided query.
 #### Post
 ##### Summary:
-Creates a accessControlEntry.
+Creates an accessControlEntry.
 ##### Parameters:
@@ -52,7 +52,7 @@ Creates a accessControlEntry.
 #### Get
 ##### Summary:
-Returns a accessControlEntry corresponding to the provided identifier and its information according to the provided query.
+Returns an accessControlEntry corresponding to the provided identifier and its information according to the provided query.
 ##### Parameters:
@@ -76,7 +76,7 @@ Returns a accessControlEntry corresponding to the provided identifier and its in
 #### Put
 ##### Summary:
-Updates a accessControlEntry.
+Updates an accessControlEntry.
 ##### Parameters:
@@ -94,7 +94,7 @@ Updates a accessControlEntry.
 #### Delete
 ##### Summary:
-Deletes a accessControlEntry.
+Deletes an accessControlEntry.
 ##### Parameters:
@@ -139,7 +139,7 @@ Returns all the accessControlFilters according to the provided query.
 #### Post
 ##### Summary:
-Creates a accessControlFilter.
+Creates an accessControlFilter.
 ##### Parameters:
@@ -158,7 +158,7 @@ Creates a accessControlFilter.
 #### Get
 ##### Summary:
-Returns a accessControlFilter corresponding to the provided identifier and its information according to the provided query.
+Returns an accessControlFilter corresponding to the provided identifier and its information according to the provided query.
 ##### Parameters:
@@ -182,7 +182,7 @@ Returns a accessControlFilter corresponding to the provided identifier and its i
 #### Put
 ##### Summary:
-Updates a accessControlFilter.
+Updates an accessControlFilter.
 ##### Parameters:
@@ -200,7 +200,7 @@ Updates a accessControlFilter.
 #### Delete
 ##### Summary:
-Deletes a accessControlFilter.
+Deletes an accessControlFilter.
 ##### Parameters:
@@ -247,7 +247,7 @@ Returns all the accessControlPermissions according to the provided query.
 #### Get
 ##### Summary:
-Returns a accessControlPermission corresponding to the provided identifier and its information according to the provided query.
+Returns an accessControlPermission corresponding to the provided identifier and its information according to the provided query.
 ##### Parameters:
@@ -298,7 +298,7 @@ Returns all the accessControlRules according to the provided query.
 #### Post
 ##### Summary:
-Creates a accessControlRule.
+Creates an accessControlRule.
 ##### Parameters:
@@ -317,7 +317,7 @@ Creates a accessControlRule.
 #### Get
 ##### Summary:
-Returns a accessControlRule corresponding to the provided identifier and its information according to the provided query.
+Returns an accessControlRule corresponding to the provided identifier and its information according to the provided query.
 ##### Parameters:
@@ -341,7 +341,7 @@ Returns a accessControlRule corresponding to the provided identifier and its inf #### Put ##### Summary: -Updates a accessControlRule. +Updates an accessControlRule. ##### Parameters: @@ -359,7 +359,7 @@ Updates a accessControlRule. #### Delete ##### Summary: -Deletes a accessControlRule. +Deletes an accessControlRule. ##### Parameters: diff --git a/docs/identitymanager/current/integration-guide/api/server/connectors.md b/docs/identitymanager/current/integration-guide/api/server/connectors.md index 9b413b1f81..4599af4cc7 100644 --- a/docs/identitymanager/current/integration-guide/api/server/connectors.md +++ b/docs/identitymanager/current/integration-guide/api/server/connectors.md @@ -33,7 +33,7 @@ Returns all the agents according to the provided query. #### Post ##### Summary: -Creates a agent. +Creates an agent. ##### Parameters: @@ -52,7 +52,7 @@ Creates a agent. #### Get ##### Summary: -Returns a agent corresponding to the provided identifier and its information according to the provided query. +Returns an agent corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -76,7 +76,7 @@ Returns a agent corresponding to the provided identifier and its information acc #### Put ##### Summary: -Updates a agent. +Updates an agent. ##### Parameters: @@ -94,7 +94,7 @@ Updates a agent. #### Delete ##### Summary: -Deletes a agent. +Deletes an agent. ##### Parameters: diff --git a/docs/identitymanager/current/integration-guide/api/server/job.md b/docs/identitymanager/current/integration-guide/api/server/job.md index ff6f7b4573..0f402400a9 100644 --- a/docs/identitymanager/current/integration-guide/api/server/job.md +++ b/docs/identitymanager/current/integration-guide/api/server/job.md @@ -688,7 +688,7 @@ Returns all the EntityType's task according to the provided query. #### Post ##### Summary: -Creates a EntityType's task. +Creates an EntityType's task. ##### Parameters: 
@@ -707,7 +707,7 @@ Creates a EntityType's task. #### Get ##### Summary: -Returns a EntityType's task corresponding to the provided identifier and its information according to the provided query. +Returns an EntityType's task corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -731,7 +731,7 @@ Returns a EntityType's task corresponding to the provided identifier and its inf #### Put ##### Summary: -Updates a EntityType's task. +Updates an EntityType's task. ##### Parameters: @@ -749,7 +749,7 @@ Updates a EntityType's task. #### Delete ##### Summary: -Deletes a EntityType's task. +Deletes an EntityType's task. ##### Parameters: diff --git a/docs/identitymanager/current/integration-guide/api/server/metadata.md b/docs/identitymanager/current/integration-guide/api/server/metadata.md index 00513773f6..424f559617 100644 --- a/docs/identitymanager/current/integration-guide/api/server/metadata.md +++ b/docs/identitymanager/current/integration-guide/api/server/metadata.md @@ -298,7 +298,7 @@ Returns all the entity associations according to the provided query. #### Post ##### Summary: -Creates a entity association. +Creates an entity association. ##### Parameters: @@ -317,7 +317,7 @@ Creates a entity association. #### Get ##### Summary: -Returns a entity association corresponding to the provided identifier and its information according to the provided query. +Returns an entity association corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -341,7 +341,7 @@ Returns a entity association corresponding to the provided identifier and its in #### Put ##### Summary: -Updates a entity association. +Updates an entity association. ##### Parameters: @@ -359,7 +359,7 @@ Updates a entity association. #### Delete ##### Summary: -Deletes a entity association. +Deletes an entity association. ##### Parameters: 
@@ -404,7 +404,7 @@ Returns all the entity properties according to the provided query. #### Post ##### Summary: -Creates a entity property. +Creates an entity property. ##### Parameters: @@ -423,7 +423,7 @@ Creates a entity property. #### Get ##### Summary: -Returns a entity property corresponding to the provided identifier and its information according to the provided query. +Returns an entity property corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -447,7 +447,7 @@ Returns a entity property corresponding to the provided identifier and its infor #### Put ##### Summary: -Updates a entity property. +Updates an entity property. ##### Parameters: @@ -465,7 +465,7 @@ Updates a entity property. #### Delete ##### Summary: -Deletes a entity property. +Deletes an entity property. ##### Parameters: @@ -511,7 +511,7 @@ Returns all the entity types according to the provided query. #### Post ##### Summary: -Creates a entity type. +Creates an entity type. ##### Parameters: @@ -530,7 +530,7 @@ Creates a entity type. #### Get ##### Summary: -Returns a entity type corresponding to the provided identifier and its information according to the provided query. +Returns an entity type corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -554,7 +554,7 @@ Returns a entity type corresponding to the provided identifier and its informati #### Put ##### Summary: -Updates a entity type. +Updates an entity type. ##### Parameters: @@ -572,7 +572,7 @@ Updates a entity type. #### Delete ##### Summary: -Deletes a entity type. +Deletes an entity type. ##### Parameters: diff --git a/docs/identitymanager/current/integration-guide/api/server/provisioningpolicy.md b/docs/identitymanager/current/integration-guide/api/server/provisioningpolicy.md index 5155423223..f943dff75b 100644 --- a/docs/identitymanager/current/integration-guide/api/server/provisioningpolicy.md 
+++ b/docs/identitymanager/current/integration-guide/api/server/provisioningpolicy.md @@ -693,7 +693,7 @@ Creates an automation rule. #### Get ##### Summary: -Returns a automation rule corresponding to the provided identifier and its information according to the provided query. +Returns an automation rule corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -1206,7 +1206,7 @@ Returns all the identified risks according to the provided query. #### Get ##### Summary: -Returns a IdentifiedRisk corresponding to the provided identifier and its information according to the provided query. +Returns an IdentifiedRisk corresponding to the provided identifier and its information according to the provided query. ##### Parameters: diff --git a/docs/identitymanager/current/integration-guide/api/server/workflows.md b/docs/identitymanager/current/integration-guide/api/server/workflows.md index 9002808060..47ed0b54e3 100644 --- a/docs/identitymanager/current/integration-guide/api/server/workflows.md +++ b/docs/identitymanager/current/integration-guide/api/server/workflows.md @@ -94,7 +94,7 @@ Updates an activity. #### Delete ##### Summary: -Deletes a activity. +Deletes an activity. ##### Parameters: @@ -194,7 +194,7 @@ Returns all the activityTemplates according to the provided query. #### Get ##### Summary: -Returns a activityTemplate corresponding to the provided identifier and its information according to the provided query. +Returns an activityTemplate corresponding to the provided identifier and its information according to the provided query. ##### Parameters: 
@@ -247,7 +247,7 @@ Returns all the activityTemplateStates according to the provided query. #### Get ##### Summary: -Returns a activityTemplateState corresponding to the provided identifier and its information according to the provided query. +Returns an activityTemplateState corresponding to the provided identifier and its information according to the provided query. ##### Parameters: @@ -300,7 +300,7 @@ Returns all the activityTemplateTransitions according to the provided query. #### Get ##### Summary: -Returns a activityTemplateTransition corresponding to the provided identifier and its information according to the provided query. +Returns an activityTemplateTransition corresponding to the provided identifier and its information according to the provided query. ##### Parameters: diff --git a/docs/identitymanager/current/integration-guide/architecture/index.md b/docs/identitymanager/current/integration-guide/architecture/index.md index c00a6bdf56..10003b38e9 100644 --- a/docs/identitymanager/current/integration-guide/architecture/index.md +++ b/docs/identitymanager/current/integration-guide/architecture/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Architecture" description: "Architecture" sidebar_position: 220 @@ -19,7 +19,7 @@ specific API called by the web client application. Agent and server are [ASP.Net](https://docs.microsoft.com/en-us/aspnet/core/) applications running on Windows. Identity Manager's database is a [Microsoft SQLServer](https://www.microsoft.com/en-us/sql-server) relational database. -![Architecture](/images/identitymanager/integration-guide/architecture/architecture.webp) +![Architecture](/images/identitymanager/architecture.webp) See the [SaaS Environment](../../integration-guide/architecture/saas) topic for additional information on Netwrix Identity Manager (formerly Usercube) recommended architecture when working in a SaaS environment. 
diff --git a/docs/identitymanager/current/integration-guide/architecture/on-prem.md b/docs/identitymanager/current/integration-guide/architecture/on-prem.md index 9c8b33bfd6..0ba78ac219 100644 --- a/docs/identitymanager/current/integration-guide/architecture/on-prem.md +++ b/docs/identitymanager/current/integration-guide/architecture/on-prem.md @@ -1,4 +1,4 @@ ---- +--- title: "On-Premises Environment" description: "On-Premises Environment" sidebar_position: 20 @@ -12,7 +12,7 @@ When working in an on-premises environment, Identity Manager needs a specific a Identity Manager recommends the following architecture: -![On-Premises Recommended Architecture](/images/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) +![On-Premises Recommended Architecture](/images/identitymanager/architecture_onprem.webp) Most situations do not need Identity Manager so much that they need a fail-over system, i.e. installing several Identity Manager instances in order to prevent breakdowns. In most situations, a single Identity Manager instance is enough. diff --git a/docs/identitymanager/current/integration-guide/architecture/protect-agent-server-communication.md b/docs/identitymanager/current/integration-guide/architecture/protect-agent-server-communication.md index 8ccafd671f..a000dbd3c5 100644 --- a/docs/identitymanager/current/integration-guide/architecture/protect-agent-server-communication.md +++ b/docs/identitymanager/current/integration-guide/architecture/protect-agent-server-communication.md @@ -1,4 +1,4 @@ ---- +--- title: "Protect Agent/Server Communication" description: "Protect Agent/Server Communication" sidebar_position: 30 
@@ -21,7 +21,7 @@ The idea, when sending data from the agent to the server, is the following: 3. the server receives and decrypts the message, before encrypting it again with its own encryption certificate configured by Identity Manager. -![Schema: Agent/Server Communication](/images/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp) +![Schema: Agent/Server Communication](/images/identitymanager/agent-server-communication.webp) ### Configuration details diff --git a/docs/identitymanager/current/integration-guide/architecture/saas.md b/docs/identitymanager/current/integration-guide/architecture/saas.md index 93afbfbc6e..917973c5f3 100644 --- a/docs/identitymanager/current/integration-guide/architecture/saas.md +++ b/docs/identitymanager/current/integration-guide/architecture/saas.md @@ -1,4 +1,4 @@ ---- +--- title: "SaaS Environment" description: "SaaS Environment" sidebar_position: 10 @@ -12,7 +12,7 @@ When working in a SaaS environment, Identity Manager needs a specific architect Identity Manager recommends the following architecture: -![SaaS Recommended Architecture](/images/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) +![SaaS Recommended Architecture](/images/identitymanager/architecture_saas.webp) ### Agent(s) diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/azuread-register.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/azuread-register.md index f08729dc4c..77dd067088 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/azuread-register.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/azuread-register.md @@ -1,4 +1,4 @@ ---- +--- title: "Register for Microsoft Entra ID" description: "Register for Microsoft Entra ID" sidebar_position: 60 
@@ -18,7 +18,7 @@ Create a new registration for Identity Manager with Microsoft Identity Platform 4. Go to **App Registrations** in the left panel. 5. Click the **+ New Registration** button in the top menu. - ![Azure AD Export - Add New Registration](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp) + ![Azure AD Export - Add New Registration](/images/identitymanager/howtos_azuread_exportregistration.webp) A new registration form is displayed: @@ -55,7 +55,7 @@ end-user authentication, but doesn't apply to Identity Manager. The **Essentials** top panel displays the **Application (client) ID** required by the Identity Manager Agent. The same page also displays the **Directory (tenant) ID** that will also be needed by the Identity Manager Agent. - ![Azure AD Export - New ApplicationId](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp) + ![Azure AD Export - New ApplicationId](/images/identitymanager/howtos_azuread_exportapplicationid.webp) ### Get the application's secret key @@ -71,7 +71,7 @@ A **Client Secret** key needs to be generated. Get it by proceeding as follows: The Client Secret is now listed in the bottom panel **Client Secrets**. The Client Secret value is needed by the Identity Manager Agent settings file. - ![Azure AD Export - New Client Secret](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp) + ![Azure AD Export - New Client Secret](/images/identitymanager/howtos_azuread_exportsecret.webp) The **Client Secret** value is only displayed in the UI in plain text at first. After a while, it is only displayed as `**************`. It should hence be stored in the appsettings.agent.json file or an environment variable as soon as it is created, to be used subsequently by Identity Manager. If the key is lost, a new key can be created to replace the lost one. 
@@ -84,7 +84,7 @@ Grant Identity Manager directory permissions by proceeding as follows: 3. Go to **API Permissions** in the left panel. 4. Click on the **+ Add a permission** button. - ![Azure AD Export - Add Permission](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp) + ![Azure AD Export - Add Permission](/images/identitymanager/howtos_azuread_exportpermissions.webp) 5. Go to **Microsoft graph** > **Application permissions**. 6. Search and open the **Directory** category. @@ -92,7 +92,7 @@ Grant Identity Manager directory permissions by proceeding as follows: If you plan on configuring fulfillment too, you must only check the **Directory.ReadWrite.All** permission. - ![Azure AD Export - Directory Permission](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp) + ![Azure AD Export - Directory Permission](/images/identitymanager/howtos_azuread_exportdirectorypermission.webp) 8. Confirm with the **Add permissions** button at the bottom of the page. @@ -100,6 +100,6 @@ You now see the Directory.Read.All or Directory.ReadWrite.All permission in the 9. Grant admin consent by clicking on **√ Grant admin consent for** name of the organization. - ![Azure AD Export - Grant Admin Consent](/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp) + ![Azure AD Export - Grant Admin Consent](/images/identitymanager/howtos_azuread_exportadminconsent.webp) You should now see the status displayed as **√ Granted for** name of the organization. diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/configure-secured-options.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/configure-secured-options.md index abff3451da..c0e17d5394 100644 
--- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/configure-secured-options.md
+++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/configure-secured-options.md
@@ -1,4 +1,4 @@
----
+---
 title: "Configure Secured Options"
 description: "Configure Secured Options"
 sidebar_position: 30
@@ -24,37 +24,37 @@ Configure a secured option by proceeding as follows: - for a simple field: - ![AD creation](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp) + ![AD creation](/images/identitymanager/securedoptions_adlogin_v603.webp) - for multiple key-value fields: - ![SQL connection string](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp) + ![SQL connection string](/images/identitymanager/securedoptions_keyvalue_v603.webp) Contrary to simple fields, multiple-key-value secured options are not restricted to a given property. They are arbitrary and can be set to anything. 2. Fill the field(s) and, if needed, click on the eye icon to make the content visible. - ![Eye Icon](/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + ![Eye Icon](/images/identitymanager/iconeye_v600.svg) > For example, for a simple field in an AD connection, the **Login** and **Password** are by > default hidden with ??????: > - > ![Login Secured Options Hidden](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp) + > ![Login Secured Options Hidden](/images/identitymanager/securedoptions_adexample_v603.webp) > - > ![Login Secured Options Revealed](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp) + > ![Login Secured Options Revealed](/images/identitymanager/securedoptions_adexamplevisible_v603.webp) > For example, for multiple key-value fields in an SQL connection, some elements of the > connection string might be sensitive and need to be hidden: > - > ![SQL connection string](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp) + > ![SQL connection 
string](/images/identitymanager/securedoptions_sqlexample1_v603.webp) > > In this example, the database name and the minimal pool size are secured options: > - > ![SQL Secured option filled](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp) + > ![SQL Secured option filled](/images/identitymanager/securedoptions_sqlexample2_v603.webp) > Another example of multiple key-value fields in a Powershell connection: > - > ![Powershell Secured option hidden](/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp) + > ![Powershell Secured option hidden](/images/identitymanager/securedoptions_powershellexample_v603.webp) 3. Once saved, any secured option's value can no longer be seen. However, it can still be modified by deleting the value and re-specifying it. diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/connections.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/connections.md index 8725d1b543..b48f1d768c 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/connections.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/connections.md @@ -1,4 +1,4 @@ ---- +--- title: "Connections" description: "Connections" sidebar_position: 10 @@ -26,7 +26,7 @@ The name of these files are used to specify the connection tables of the [Entity A connection table is used in the definition of an entity type as `Source`, while the available columns of the selected table are used for the mapping as `Source Columns`. -![connectiontables_ui_v60](/images/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp) +![connectiontables_ui_v60](/images/identitymanager/connectiontables_ui_v60.webp) ## Refresh Schema 
@@ -38,20 +38,20 @@ Identity Manager refreshes a connection's schema: - when clicking on **Refresh Schema** on the connection's page: only the schema of the current connection is refreshed; - ![Refresh Schema of One Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + ![Refresh Schema of One Connection](/images/identitymanager/connectioncreation_refreshschema_v522.webp) - when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are refreshed. - ![Refresh all Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + ![Refresh all Schemas](/images/identitymanager/connectioncreation_refreshall_v602.webp) In the **Connections** frame, either the last successful schema update is indicated or an icon is shown if the refresh schema failed. -![Failed Refresh Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) +![Failed Refresh Schemas](/images/identitymanager/connectioncreation_failedindicator_v602.webp) Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't displayed on the connection's page. On the connector's page, a connection without schema is indicated by the sentence "There is no schema for this connection". -![No Schema](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) +![No Schema](/images/identitymanager/connectioncreation_noschema_v522.webp) The connections' schemas must be refreshed before editing the connector's entity types via the UI, whether the connections were created via the UI or XML configuration. Otherwise, there will be no connection table available in the `Source` dropdown, so you will not be able to save anything. 
diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/entra-ID.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/entra-ID.md index fbc0af77e4..c41a6eece3 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/entra-ID.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/entra-ID.md @@ -1,4 +1,4 @@ ---- +--- title: "For Microsoft Entra ID" description: "For Microsoft Entra ID" sidebar_position: 10 @@ -240,7 +240,7 @@ This is how the connectors are displayed on the UI. Each connector should be configured with a menu item, which is created automatically when working via the UI. -![Menu Item - Azure AD Connector](/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_menuitem_v603.webp) +![Menu Item - Azure AD Connector](/images/identitymanager/howtos_azure_menuitem_v603.webp) In XML, it should look like this: @@ -267,7 +267,7 @@ Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml
``` -![Navigation Properties - Azure AD Connector](/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_navproperties_v603.webp) +![Navigation Properties - Azure AD Connector](/images/identitymanager/howtos_azure_navproperties_v603.webp) Microsoft Entra ID's resources are listed in a table. @@ -284,7 +284,7 @@ Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml
``` -![Display Table - Azure AD Connector](/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_table_v603.webp) +![Display Table - Azure AD Connector](/images/identitymanager/howtos_azure_table_v603.webp) This is how the resources are displayed on the UI. diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/index.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/index.md index e160888c28..f63095188e 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/index.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/create-connector/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Create a Connector" description: "Create a Connector" sidebar_position: 70 @@ -80,7 +80,7 @@ An association mapping is the equivalent of an entity type mapping, but for the Identity Manager provides a menu item to list all connectors in the dashboard's left menu. -![Menu Item - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) +![Menu Item - Connectors](/images/identitymanager/home_entitytypes_v602.webp) > It is usually written like this: > diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-banking.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-banking.md index d9ca73a2af..23dc376ed9 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-banking.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-banking.md @@ -1,4 +1,4 @@ ---- +--- title: "Run the Banking Demo Application" description: "Run the Banking Demo Application" sidebar_position: 40 
@@ -16,14 +16,14 @@ The Banking application is a demo application that represents a web based extern - A list of users, accessible by clicking on **Users** at the top of the page. It is possible to add a user by clicking on **Create New User** - ![Users list](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp) + ![Users list](/images/identitymanager/demoapps_banking_userslist.webp) - A list of groups, accessible by clicking on **Groups** at the top of the page. Clicking on **Details** on a group shows the users belonging to that group - A user's details page for each user, accessible by clicking on **Details** on a user in the users list - ![User details](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp) + ![User details](/images/identitymanager/demoapps_banking_userdetails.webp) The most interesting part of the Banking application is a user's page. On a user's page, it is possible to: diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-hr.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-hr.md index ae67c5780d..88e1db1f9d 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-hr.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/demoapp-hr.md @@ -1,4 +1,4 @@ ---- +--- title: "Run the HR Demo Application" description: "Run the HR Demo Application" sidebar_position: 50 
@@ -12,11 +12,11 @@ This guide shows how to set up and run the HR demo application. The HR application is a demo application that represents a web based external system. The HR application contains an employee list. -![Users list](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp) +![Users list](/images/identitymanager/demoapps_hr_userslist.webp) Each employee also has their own page, with the possibility to edit their profile or delete them. It is also possible to add a new employee. -![User details](/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp) +![User details](/images/identitymanager/demoapps_hr_userdetails.webp) The HR application uses csv files as data sources. When a user is added, deleted, or edited, the csv file will be modified, and the changes will be saved. diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-gui-robotframework.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-gui-robotframework.md index 0af0772da3..cb3def4ca8 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-gui-robotframework.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-gui-robotframework.md @@ -1,4 +1,4 @@ ---- +--- title: "Interact with a GUI Application via Robot Framework" description: "Interact with a GUI Application via Robot Framework" sidebar_position: 150 
@@ -36,11 +36,11 @@ This tool lets you choose the UIA (UI Automation) version. Picking UIA3 should w The FlaUI inspection tool shows each window that is open on the computer. To find the element the script is supposed to interact with, it is possible to manually search through the windows, and through the elements. However, the easiest way is to use the Hover Mode, which is accessible in the tool bar by clicking on **Mode** > **Hover Mode (use Ctrl)**. To see the XPath, click on **Mode** > **Show XPath**. -![Show XPath](/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp) +![Show XPath](/images/identitymanager/robotframeworkflaui_flauishowxpath.webp) To see the XPath of an element, hover over the element, and press control. A red box should appear around the element, and the FlaUI inspection tool should show the element's information. The XPath should be at the bottom left of the FlaUI element. -![Highlight Element](/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp) +![Highlight Element](/images/identitymanager/robotframeworkflaui_flauixpathexample.webp) As an example, imagine an application showing a list of files and folders. Targeting a specific file would produce an XPath in the shape of `/Window/Pane[3]/Pane/Pane[2]/List/Group[1]/ListItem[1]`. The important parts of this path are the beginning and the end. The beginning of the XPath specifies the window. The middle part of the XPath, in most cases, is irrelevant. diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md index 68b61f71e4..619d0d7569 100644 
--- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/interact-web-page-robotframework.md @@ -1,4 +1,4 @@ ---- +--- title: "Interact with a Web Page via Robot Framework" description: "Interact with a Web Page via Robot Framework" sidebar_position: 140 @@ -38,7 +38,7 @@ Selenium is a web browser automation tool. Selenium can automatically perform sc The basic structure of a web page is defined with HTML. It is accessible with the inspect tool, which can be opened by pressing the F12 key on most browsers. For Selenium, we want to find information on specific parts of the page. Inspecting an element can be done by right clicking the element, and clicking **Inspect**. -![Inspect Tool](/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp) +![Inspect Tool](/images/identitymanager/robotframeworkselenium_inspecttool.webp) Suppose the goal of the script is to copy the content of the code block, and paste it to a file, to ensure that the file is up to date with the documentation. To do this, the Robot Framework has to click on the **copy to clipboard** button with the keyword [`Click Element`](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html#click-element). 
@@ -52,7 +52,7 @@ In the HTML, the button has a class `class="copy-to-clipboard"`. The element loc Each element on the web page has an XPath, and each XPath uniquely identifies an element. This means that we can always use an XPath locator. To get the XPath of an element, inspect the element, then right click it in the HTML, and click on **Copy** > **Full XPath**. -![Copy Full XPath](/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp) +![Copy Full XPath](/images/identitymanager/robotframeworkselenium_copyfullxpath.webp) For the `copy to clipboard` button, the XPath is `/html/body/section/div[2]/div[3]/div[1]/pre[4]/span`. diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/powershell-fulfill.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/powershell-fulfill.md index 70806ca8b4..b2cb362907 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/powershell-fulfill.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/powershell-fulfill.md @@ -1,4 +1,4 @@ ---- +--- title: "Fulfill Microsoft Exchange via PowerShell" description: "Fulfill Microsoft Exchange via PowerShell" sidebar_position: 100 @@ -318,7 +318,7 @@ Conf/MicrosoftExchange/MicrosoftExchange Nav.xml This example adds a new menu item under the `Nav_Connectors` menu item declared in the root `Conf/Nav.xml` file. This new menu item gives access to the list of synchronized Microsoft Exchange entities. -![Microsoft Exchange Menu Items](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) +![Microsoft Exchange Menu Items](/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp) ### Configuration 
@@ -354,7 +354,7 @@ Conf/MicrosoftExchange/MicrosoftExchange UI.xml This example configures the following display for [wolfgang.abendroth@acme.com](mailto:wolfgang.abendroth@acme.com). -![Microsoft Exchange Display Entity Type](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) +![Microsoft Exchange Display Entity Type](/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) The scalar properties require no configuration: they are automatically displayed. The only information that the [Display Entity Type](../../../integration-guide/toolkit/xml-configuration/user-interface/displayentitytype) adds here, is that the property `BasicCollection` is a navigation property. An eye icon will be displayed to take you directly to the matching page. @@ -374,7 +374,7 @@ Conf/MicrosoftExchange/MicrosoftExchange UI.xml This example configures the following list display: -![Microsoft Exchange Display Table](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) +![Microsoft Exchange Display Table](/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp) #### Internal Display Name @@ -488,7 +488,7 @@ In fact, an `ADMicrosoftExchange_Entry` is required to create a mailbox. To upda The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name input in the Job's **DisplayName_Li** attribute. -![Microsoft Exchange Jobs](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp) +![Microsoft Exchange Jobs](/images/identitymanager/microsoftexchange_jobs_5.1.7.webp) From there, the Synchronization job can be launched and debugged (if needed). 
@@ -496,9 +496,9 @@ After execution, Microsoft Exchange resources and databases should be in the `UR The results can also be viewed on the UI: -![Microsoft Exchange Menu Items](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) +![Microsoft Exchange Menu Items](/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp) -![Microsoft Exchange Display Entity Type](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) +![Microsoft Exchange Display Entity Type](/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) -![Microsoft Exchange Display Table](/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) +![Microsoft Exchange Display Table](/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp) diff --git a/docs/identitymanager/current/integration-guide/connectors/configuration-details/scim-cyberark-export.md b/docs/identitymanager/current/integration-guide/connectors/configuration-details/scim-cyberark-export.md index 07fbe5554f..cdee6e672f 100644 --- a/docs/identitymanager/current/integration-guide/connectors/configuration-details/scim-cyberark-export.md +++ b/docs/identitymanager/current/integration-guide/connectors/configuration-details/scim-cyberark-export.md @@ -1,4 +1,4 @@ ---- +--- title: "Export CyberArk Data via SCIM" description: "Export CyberArk Data via SCIM" sidebar_position: 160 
@@ -465,7 +465,7 @@ Conf/SCIMCyberArk/CyberArk Nav.xml ... For example, we choose to create a property `bit_userAccountControl_2` to represent the second bit > of `userAccountControl`. > -> ![New Property for Bit Provisioning](/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp) +> ![New Property for Bit Provisioning](/images/identitymanager/bitprov_property_v603.webp) > > XML configuration looks like the following: > @@ -129,5 +129,5 @@ This allows the export of the attribute `u_startdate` as a date in Identity Mana The fulfillment will use the same format defined in the EntityTypeMapping through the **Binding** declared in the ResourceType. -![Export and Fulfill Data transformation](/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) +![Export and Fulfill Data transformation](/images/identitymanager/entitypropertymapping-format-flowchart.webp) diff --git a/docs/identitymanager/current/integration-guide/connectors/index.md b/docs/identitymanager/current/integration-guide/connectors/index.md index 6f82767325..faf52faadc 100644 --- a/docs/identitymanager/current/integration-guide/connectors/index.md +++ b/docs/identitymanager/current/integration-guide/connectors/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Connectors" description: "Connectors" sidebar_position: 40 @@ -16,7 +16,7 @@ In this documentation, we talk about managed systems (sometimes called external A connector, therefore, acts as an interface between Identity Manager and a managed system. -![Connector Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) +![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp) Netwrix Identity Manager (formerly Usercube)strongly recommends the creation of one connector for each application. 
@@ -31,7 +31,7 @@ Netwrix Identity Manager (formerly Usercube)strongly recommends the creation of In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity Manager will feed data into connected managed systems. -![Outbound System=](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) +![Outbound System=](/images/identitymanager/connectorcreation_outbound.webp) In this case, data flows between Identity Manager and the managed system are also called: @@ -91,7 +91,7 @@ resource types. See the [Resource Type](../../integration-guide/toolkit/xml-conf > `AD User (administration)` for sensitive administration accounts, which we want to provision > manually through Identity Manager. -![Connector Technical Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) +![Connector Technical Schema](/images/identitymanager/connectorcreation_connectortechnicalschema.webp) A connector requires at least one connection and one entity type. diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/activedirectory.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/activedirectory.md index 400cd28229..e05b0379bf 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/activedirectory.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/activedirectory.md @@ -1,4 +1,4 @@ ---- +--- title: "Active Directory" description: "Active Directory" sidebar_position: 10 
@@ -10,7 +10,7 @@ This connector exports and fulfills users and groups from/to an [Active Director This page is about Directory/Active Directory. See the Active Directory topic for additional information. -![Package: Directory/Active Directory](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp) +![Package: Directory/Active Directory](/images/identitymanager/packages_ad_v603.webp) ## Overview 
@@ -35,23 +35,23 @@ To enable permissions, the Active Directory administrator must do the following: **Step 1 –** Check the **View** details in the Active Directory and Computers. -![Enable Permissions - Step 1](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp) +![Enable Permissions - Step 1](/images/identitymanager/references_connectors_activedirectory_01.webp) **Step 2 –** Open the **Advanced Security Settings** dialog box for the domain root. -![Enable Permissions - Step 2](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp) +![Enable Permissions - Step 2](/images/identitymanager/references_connectors_activedirectory_02.webp) **Step 3 –** Select the **Replicating Directory Changes** check box from the list. -![Enable Permissions - Step 3](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp) +![Enable Permissions - Step 3](/images/identitymanager/references_connectors_activedirectory_03.webp) **Step 4 –** To change groups' membership, in the Applies field, select Descendent Group object and select the **Read Members** and **Write Members** check boxes from the list. -![Read/Write Members](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp) +![Read/Write Members](/images/identitymanager/references_connectors_activedirectory_04.webp) **Step 5 –** To Reset Password capabilities, in the Applies field, select Descendent User object and select the **Read lockoutTime** and **Write lockoutTime** check boxes from the list. 
-![Read/Write Lockout Times](/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp) +![Read/Write Lockout Times](/images/identitymanager/references_connectors_activedirectory_05.webp) Administrator rights must **not** be granted to the **service account**. Doing otherwise would create a security breach. Administrator rights must **only** be granted to the target perimeter. diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/azure.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/azure.md index ae219b2f22..ea788450e3 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/azure.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/azure.md @@ -1,4 +1,4 @@ ---- +--- title: "Azure" description: "Azure" sidebar_position: 20 @@ -10,7 +10,7 @@ This connector exports [Azure](https://azure.microsoft.com/en-us/resources/cloud This page is about [Azure](../../../integration-guide/connectors/references-packages/azure). -![Package: Cloud/Azure](/images/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp) +![Package: Cloud/Azure](/images/identitymanager/packages_azure_v603.webp) ## Prerequisites diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/csv.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/csv.md index 3c80008264..0d7477f949 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/csv.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/csv.md @@ -1,4 +1,4 @@ ---- +--- title: "CSV" description: "CSV" sidebar_position: 40 
@@ -10,7 +10,7 @@ This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comm This page is about [CSV](../../../integration-guide/connectors/references-packages/csv). -![Package: File/CSV](/images/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) +![Package: File/CSV](/images/identitymanager/packages_csv_v603.webp) ## Overview @@ -87,7 +87,7 @@ This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comm This page is about [CSV](../../../integration-guide/connectors/references-packages/csv). -![Package: File/CSV](/images/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) +![Package: File/CSV](/images/identitymanager/packages_csv_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvista.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvista.md index 50893677fc..bf48f3c8d0 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvista.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvista.md @@ -1,4 +1,4 @@ ---- +--- title: "EasyVista" description: "EasyVista" sidebar_position: 50 @@ -10,7 +10,7 @@ This connector exports and fulfills users from/to an [EasyVista](https://wiki.ea This page is about EasyVista . -![Package: ITSM/EasyVista](/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp) +![Package: ITSM/EasyVista](/images/identitymanager/packages_easyvista_v603.webp) ## Overview 
@@ -86,7 +86,7 @@ The `ExportSettingsOptions` attribute is necessary only if custom entities are e | Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | | --- | --- | | --- | --- | - | ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. **Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp) | + | ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. **Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/images/identitymanager/easyvista_view_v523.webp) | ### Output details diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvistaticket.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvistaticket.md index 087a9c0784..e33469681e 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvistaticket.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/easyvistaticket.md @@ -1,4 +1,4 @@ ---- +--- title: "EasyVista Ticket" description: "EasyVista Ticket" sidebar_position: 60 
@@ -10,7 +10,7 @@ This connector opens tickets in [EasyVista](https://wiki.easyvista.com/xwiki/bin This page is about [EasyVista Ticket](../../../integration-guide/connectors/references-packages/easyvistaticket). -![Package: Ticket/EasyVista](/images/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp) +![Package: Ticket/EasyVista](/images/identitymanager/packages_easyvistaticket_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/excel.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/excel.md index 9683871d66..dfcf39c0ac 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/excel.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/excel.md @@ -1,4 +1,4 @@ ---- +--- title: "Microsoft Excel" description: "Microsoft Excel" sidebar_position: 140 @@ -10,7 +10,7 @@ This connector exports datasheets from a [Microsoft Excel](https://www.microsoft This page is about [Excel](../../../integration-guide/connectors/references-packages/excel). -![Package: File/Microsoft Excel](/images/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp) +![Package: File/Microsoft Excel](/images/identitymanager/packages_excel_v603.webp) ## Overview @@ -92,7 +92,7 @@ This connector exports datasheets from a [Microsoft Excel](https://www.microsoft This page is about [Excel](../../../integration-guide/connectors/references-packages/excel). -![Package: File/Microsoft Excel](/images/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp) +![Package: File/Microsoft Excel](/images/identitymanager/packages_excel_v603.webp) ## Overview 
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/googleworkspace.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/googleworkspace.md index c2d4965ac9..433de6957d 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/googleworkspace.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/googleworkspace.md @@ -1,4 +1,4 @@ ---- +--- title: "Google Workspace" description: "Google Workspace" sidebar_position: 70 @@ -10,11 +10,11 @@ This connector exports and fulfills users and groups from/to a [Google Workspace This page is about [Google Workspace](../../../integration-guide/connectors/references-packages/googleworkspace). -![Package: Directory/Google Workspace](/images/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp) +![Package: Directory/Google Workspace](/images/identitymanager/packages_workspace_v603.webp) ## Overview -Google Workspace provides a set of softwares and products developed by Google. The Google Workspace connector exports and fulfills users and groups from/to a Google Workspace instance. It exports user-group memberships too. +Google Workspace provides a set of softwares and products developed by Google. The Google Workspace connector exports and fulfills users, groups, organizational units, roles and role assignments from/to a Google Workspace instance. It exports user-group memberships too. ## Prerequisites 
@@ -23,16 +23,20 @@ Implementing this connector requires: - reading first the [appsettings.agent](../../../integration-guide/network-configuration/agent-configuration/appsettings-agent)documentation; - a service account impersonating the following permission scopes: -[https://www.googleapis.com/auth/admin.directory. user](https://www.googleapis.com/auth/admin.directory.user) and [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group). +[https://www.googleapis.com/auth/admin.directory.user](https://www.googleapis.com/auth/admin.directory.user) and [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group). See [Google's documentation](https://developers.google.com/workspace/guides/**create**-credentials#googles-documentation) Google's documentation to **create** the service account with the right impersonation. :::tip Remember, Google's documentation describes this procedure as optional, while the Google Workspace connector requires it. ::: + +:::note + To discover custom user schemas during schema refresh, the service account also requires the [https://www.googleapis.com/auth/admin.directory.userschema.readonly](https://www.googleapis.com/auth/admin.directory.userschema.readonly) scope. Without this scope, the schema refresh still returns all standard attributes but will not include custom schema columns. +::: ## Export -This connector extracts users, groups and user-group memberships from a Google Workspace instance, and write the output to CSV files. +This connector extracts users, groups, organizational units, roles, role assignments and user-group memberships from a Google Workspace instance, and write the output to CSV files. ### Configuration 
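Review bot: The prerequisites in this hunk still list only the `admin.directory.user` and `admin.directory.group` scopes (plus `admin.directory.userschema.readonly` in the new note), while the updated Overview and Export text now say the connector handles organizational units, roles and role assignments. The Directory API gates those resources behind separate scopes, so a service account delegated exactly as documented would presumably fail on the new entity types, and administrators may respond by delegating broader scopes than needed. I would extend the list with the exact scopes the connector requests, e.g. `https://www.googleapis.com/auth/admin.directory.orgunit` and `https://www.googleapis.com/auth/admin.directory.rolemanagement`, and, if the connector supports it, add a sentence such as `For export-only deployments, delegate the .readonly variant of each scope.` Separately, the "Google's documentation" link right after the scope list has literal `**create**` markup inside its URL, which likely breaks the target.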
@@ -90,7 +94,7 @@ The identifier of the connection and thus the name of the subsection must: This connector is meant to generate to the [Application Settings](../../../integration-guide/network-configuration/agent-configuration/appsettings)Export Output folder the following CSV files: -- `GoogleExportFulfillment_Users.csv` and `GoogleExportFulfillment_Groups.csv` whose headers come +- `GoogleExportFulfillment_Users.csv`, `GoogleExportFulfillment_Groups.csv`, `GoogleExportFulfillment_OrgUnits.csv`, `GoogleExportFulfillment_Roles.csv` and `GoogleExportFulfillment_RoleAssignments.csv` whose headers come from the entity type mapping's `ConnectionColumn` and from the entity association mappings' columns which are not _members_ columns; - `GoogleExportFulfillment_Members.csv` with the following columns: - **value**: ID of the group; diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/homefolder.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/homefolder.md index 427949551d..d08a43b575 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/homefolder.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/homefolder.md @@ -1,4 +1,4 @@ ---- +--- title: "Home Folder" description: "Home Folder" sidebar_position: 80 @@ -10,7 +10,7 @@ This connector exports [home folders](https://en.wikipedia.org/wiki/Home_directo This page is about [Home Folders](../../../integration-guide/connectors/references-packages/home-folders). -![Package: Storage/Home Folders](/images/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp) +![Package: Storage/Home Folders](/images/identitymanager/packages_homefolders_v603.webp) ## Overview 
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalresources.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalresources.md index 7833bcc8ab..968437eb27 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalresources.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalresources.md @@ -1,4 +1,4 @@ ---- +--- title: "Internal Resources" description: "Internal Resources" sidebar_position: 100 @@ -15,9 +15,9 @@ This page is about: See the [Manual Ticket](../../../integration-guide/connectors/references-packages/manual-ticket) and [Manual Ticket and CUD Resources](../../../integration-guide/connectors/references-packages/manual-ticket-and-cud-resources) topics for additional information. -![Package: Ticket/identitymanager](/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp) +![Package: Ticket/identitymanager](/images/identitymanager/packages_identitymanagerticket_v603.webp) -![Package: Ticket/identitymanager And Create/Update/Delete resources](/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp) +![Package: Ticket/identitymanager And Create/Update/Delete resources](/images/identitymanager/packages_identitymanagerticketcud_v603.webp) See the [Provision Manually](../../../user-guide/administrate/provisioning/manual-provisioning) topic for additional information. diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalworkflow.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalworkflow.md index 934b871658..785dd64c53 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalworkflow.md 
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalworkflow.md @@ -1,4 +1,4 @@ ---- +--- title: "InternalWorkflow" description: "InternalWorkflow" sidebar_position: 90 @@ -10,7 +10,7 @@ This connector triggers workflows in Identity Manager for a system's provisioni This page is about Identity Manager Internal Workflow. See the [Workflow](../../../integration-guide/connectors/references-packages/workflow) topic for additional information. -![Package: Usercube/Workflow](/images/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp) +![Package: Usercube/Workflow](/images/identitymanager/packages_workflow_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/json.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/json.md index e04da71a03..6cc0ec9560 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/json.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/json.md @@ -1,4 +1,4 @@ ---- +--- title: "JSON" description: "JSON" sidebar_position: 110 @@ -10,7 +10,7 @@ This connector generates [JSON](https://www.json.org/json-en.html) files for eac **This page is about [JSON](../../../integration-guide/connectors/references-packages/json)** -![Package: Custom/JSON](/images/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp) +![Package: Custom/JSON](/images/identitymanager/packages_json_v603.webp) The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldap.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldap.md index 736d45801e..38c536ba21 100644 
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldap.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldap.md @@ -1,4 +1,4 @@ ---- +--- title: "LDAP" description: "LDAP" sidebar_position: 120 @@ -15,13 +15,13 @@ This page is about: - [Apache Directory](../../../integration-guide/connectors/references-packages/apache-directory); - [Red Hat Directory Server](../../../integration-guide/connectors/references-packages/red-hat-directory-server). -![Package: Directory/Generic LDAP](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp) +![Package: Directory/Generic LDAP](/images/identitymanager/packages_ldapgeneric_v603.webp) -![Package: Directory/Oracle LDAP](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp) +![Package: Directory/Oracle LDAP](/images/identitymanager/packages_ldaporacle_v603.webp) -![Package: Directory/Apache Directory](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp) +![Package: Directory/Apache Directory](/images/identitymanager/packages_ldapapache_v603.webp) -![Package: Directory/Red Hat Directory Server](/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp) +![Package: Directory/Red Hat Directory Server](/images/identitymanager/packages_ldapredhat_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldif.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldif.md index 310cd6deb3..6c625d2293 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldif.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/ldif.md 
@@ -1,4 +1,4 @@ ---- +--- title: "LDIF" description: "LDIF" sidebar_position: 130 @@ -10,7 +10,7 @@ This connector exports entries from an [LDIF](https://en.wikipedia.org/wiki/LDAP This page is about [LDIF](../../../integration-guide/connectors/references-packages/ldif). -![Package: Directory/LDIF](/images/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp) +![Package: Directory/LDIF](/images/identitymanager/packages_ldif_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftentraid.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftentraid.md index 8387fba6dc..df9e1640a7 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftentraid.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftentraid.md @@ -1,4 +1,4 @@ ---- +--- title: "Microsoft Entra ID" description: "Microsoft Entra ID" sidebar_position: 30 @@ -10,7 +10,7 @@ This connector exports and fulfills user and groups from/to a [Microsoft Entra I See the[Microsoft Entra ID](../../../integration-guide/connectors/references-packages/azure-active-directory)topic for additional information. -![Package: Directory/Microsoft Entra ID](/images/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/packages_azuread_v603.webp) +![Package: Directory/Microsoft Entra ID](/images/identitymanager/packages_azuread_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftexchange.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftexchange.md index a54303be34..980cd977a6 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftexchange.md 
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/microsoftexchange.md @@ -1,4 +1,4 @@ ---- +--- title: "Microsoft Exchange" description: "Microsoft Exchange" sidebar_position: 150 @@ -10,7 +10,7 @@ This connector exports mailboxes from a [Microsoft Exchange](https://support.mic This page is about [Microsoft Exchange](../../../integration-guide/connectors/references-packages/microsoft-exchange). -![Package: Server/Microsoft Exchange](/images/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp) +![Package: Server/Microsoft Exchange](/images/identitymanager/packages_exchange_v603.webp) ## Overview diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/nimprofile.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/nimprofile.md index b626ba3cf1..a9dbaafdbf 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/nimprofile.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/nimprofile.md @@ -1,4 +1,4 @@ ---- +--- title: "NIM Profile" description: "NIM Profile" sidebar_position: 110 @@ -10,7 +10,7 @@ This connector exports and fulfills profile assignments from/to an Identity Mana This page is about [NIM Profile](../../../integration-guide/connectors/references-packages/nimprofile). -![Package: Netwrix Identity Manager/NIM Profile](/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/packages_nimprofile_v63.png) +![Package: Netwrix Identity Manager/NIM Profile](/images/identitymanager/packages_nimprofile_v63.png) ## Overview 
@@ -59,13 +59,13 @@ More specifically, based on the profiles, dimensions and entity types in the tar - UI components (views and menu items) - A dedicated category for the connector -![NIM Profile Modal](/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/nimProfileModal_v63.png) +![NIM Profile Modal](/images/identitymanager/nimProfileModal_v63.png) When generating the configuration, as seen above, the following elements need to be specified: - **Policy**: Defines where to include the category, single roles, resource types, and rules - **Profile**: Defines the profile used to specify the access control rules - **MenuItem**: Determines where to nest the sub-menu items for the NIM connector in the user interface (see screenshot below showing menu item locations). For example, in the demo configuration, `Nav_Connectors` should be used. Parent Menu Item `Nav` can be used. It will add the items to the root of the navigation left panel on the Home page. For more information, refer to the [Menu Item documentation](../../toolkit/xml-configuration/user-interface/menuitem). -![NIM Profile Menu Items](/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/nimProfile_MenuItem_v63.png) +![NIM Profile Menu Items](/images/identitymanager/nimProfile_MenuItem_v63.png) :::note In complex scenarios, when the owner entity type is different from the identity entity type (the entity type bound via the `ResourceIdentityProperty` setting), the wizard generates multiple Resource Types per profile, one for each identity correlation path (e.g., separate Resource Types for nominative and administrative accounts). diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/odata.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/odata.md index a997ccb5a7..9a68dd1fd4 100644 
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/odata.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/odata.md
@@ -1,4 +1,4 @@
----
+---
 title: "OData"
 description: "OData"
 sidebar_position: 160
@@ -10,7 +10,7 @@ This connector exports and fulfills data from/to an [OData](https://www.odata.or
 This page is about [OData](../../../integration-guide/connectors/references-packages/odata).
-![Package: Custom/OData](/images/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp)
+![Package: Custom/OData](/images/identitymanager/packages_odata_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/okta.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/okta.md
index 4a96e80e07..c2633b5287 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/okta.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/okta.md
@@ -1,4 +1,4 @@
----
+---
 title: "Okta"
 description: "Okta"
 sidebar_position: 170
@@ -8,7 +8,7 @@ sidebar_position: 170
 This connector exports and fulfills entries from/to Okta application.
-![okta](/images/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp)
+![okta](/images/identitymanager/okta.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/openldap.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/openldap.md
index ef210b54f4..c0c2ce5ee9 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/openldap.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/openldap.md
@@ -1,4 +1,4 @@
----
+---
 title: "OpenLDAP"
 description: "OpenLDAP"
 sidebar_position: 180
@@ -10,7 +10,7 @@ This connector exports and fulfills entries from/to an [OpenLDAP](https://www.op
 This page is about [OData](../../../integration-guide/connectors/references-packages/odata).
-![Package: Directory/Open LDAP](/images/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp)
+![Package: Directory/Open LDAP](/images/identitymanager/packages_ldapopen_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellprov.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellprov.md
index c61ec8b1cb..bf53623ed9 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellprov.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellprov.md
@@ -1,4 +1,4 @@
----
+---
 title: "PowerShellProv"
 description: "PowerShellProv"
 sidebar_position: 190
@@ -10,7 +10,7 @@ This connector writes to an external system via a [PowerShell](https://learn.mic
 This page is about [PowerShellProv](../../../integration-guide/connectors/references-packages/powershellprov).
-![Package: Custom/PowerShellProv](/images/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp)
+![Package: Custom/PowerShellProv](/images/identitymanager/packages_powershellprov_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellsync.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellsync.md
index d320b89df4..1049969e78 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellsync.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/powershellsync.md
@@ -1,4 +1,4 @@
----
+---
 title: "PowerShellSync"
 description: "PowerShellSync"
 sidebar_position: 200
@@ -10,7 +10,7 @@ This connector exports data from an external system via a [PowerShell](https://l
 This page is about [PowerShellSync](../../../integration-guide/connectors/references-packages/powershellsync).
-![Package: Custom/PowerShellSync](/images/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp)
+![Package: Custom/PowerShellSync](/images/identitymanager/packages_powershellsync_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/racf.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/racf.md
index 893651a5ea..4cdded1f89 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/racf.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/racf.md
@@ -1,4 +1,4 @@
----
+---
 title: "RACF"
 description: "RACF"
 sidebar_position: 210
@@ -10,7 +10,7 @@ This connector exports users and profiles from a [RACF](https://www.ibm.com/docs
 This page is about [RACF](../../../integration-guide/connectors/references-packages/racf).
-![Package: MainFrame/RACF](/images/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp)
+![Package: MainFrame/RACF](/images/identitymanager/packages_racf_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/robotframework.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/robotframework.md
index 73c63c8667..94246f1c3a 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/robotframework.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/robotframework.md
@@ -1,4 +1,4 @@
----
+---
 title: "Robot Framework"
 description: "Robot Framework"
 sidebar_position: 220
@@ -10,7 +10,7 @@ This connector writes to an external system via a [Robot Framework](https://robo
 **This page is about [Robot Framework](../../../integration-guide/connectors/references-packages/robot-framework)**
-![Package: Custom/Robot Framework](/images/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp)
+![Package: Custom/Robot Framework](/images/identitymanager/packages_robot_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/saperp6.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/saperp6.md
index 6d8653dccd..728afefa8b 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/saperp6.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/saperp6.md
@@ -1,4 +1,4 @@
----
+---
 title: "SAP ERP 6.0 and SAP S4/HANA"
 description: "SAP ERP 6.0 and SAP S4/HANA"
 sidebar_position: 230
@@ -10,7 +10,7 @@ This connector exports and fulfills users and roles from/to an [SAP ERP 6.0](htt
 This page is about ERP/SAP ERP 6.0.
-![Package: ERP/SAP ERP 6.0](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp)
+![Package: ERP/SAP ERP 6.0](/images/identitymanager/packages_saperp6_v603.webp)
 ## Overview
@@ -96,11 +96,11 @@ To set up the prerequisites for reading follow the steps below.
 **Step 1 –** Copy the DLL `Sap.Data.Hana.Core.v2.1.dll` into the Runtime of Identity Manager.
-![connectorreadprerequisites1](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp)
+![connectorreadprerequisites1](/images/identitymanager/connectorreadprerequisites1.webp)
 **Step 2 –** Unzip the "hdbclient.zip" archive to C: drive and add the path to the Path environment variables.
-![connectorreadprerequisites2](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp)
+![connectorreadprerequisites2](/images/identitymanager/connectorreadprerequisites2.webp)
 **Step 3 –** Create environment variables: `HDBADOTNET=C:\hdbclient\ado.net` and `HDBADOTNETCORE=C:\hdbclient\dotnetcore`.
@@ -115,11 +115,11 @@ To set up the prerequisites for reading follow the steps below.
 **Step 3 –** Copy the DLLs icudt50.dll, `icuin50.dll` and icuuc50.dll into the Runtime of Identity Manager.
-![connectorwriteprerequisites](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp)
+![connectorwriteprerequisites](/images/identitymanager/connectorwriteprerequisites.webp)
 **Step 4 –** Disable DLLs search by adding the environment variable `NLSUI_7BIT_FALLBACK=YES`.
-![connectorwriteprerequisites2](/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp)
+![connectorwriteprerequisites2](/images/identitymanager/connectorwriteprerequisites2.webp)
 **Step 5 –** Add new environment variable `USERCUBE_DOTNET32` containing the path to dotnetx86 (e.g.: `C: \donetx86\dotnet.exe`).
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sapnetweaver.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sapnetweaver.md
index 591569a6f8..23131f6466 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sapnetweaver.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sapnetweaver.md
@@ -1,4 +1,4 @@
----
+---
 title: "SAP Netweaver"
 description: "SAP Netweaver"
 sidebar_position: 240
@@ -10,7 +10,7 @@ This connector exports and fulfills users and roles from/to an [SAP Netweaver](h
 This page is about [SAP S/4 HANA](../../../integration-guide/connectors/references-packages/saphana).
-![Package: ERP/SAP S/4 HANA](/images/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/packages_sap_v603.webp)
+![Package: ERP/SAP S/4 HANA](/images/identitymanager/packages_sap_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/scim.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/scim.md
index 280a97693b..e7e43bf68f 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/scim.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/scim.md
@@ -1,4 +1,4 @@
----
+---
 title: "SCIM"
 description: "SCIM"
 sidebar_position: 250
@@ -15,13 +15,13 @@ This page is about:
 - Messaging/Slack
 - PAM/cyberark
-![Package: Custom/SCIM](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp)
+![Package: Custom/SCIM](/images/identitymanager/packages_scim_v603.webp)
-![Package: CRM/Salesforce](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp)
+![Package: CRM/Salesforce](/images/identitymanager/packages_salesforce_v603.webp)
-![Package: Messaging/Slack](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp)
+![Package: Messaging/Slack](/images/identitymanager/packages_slack_v603.webp)
-![Package: PAM/cyberark](/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp)
+![Package: PAM/cyberark](/images/identitymanager/packages_cyberark_v603.webp)
 ## Overview
@@ -49,29 +49,29 @@ To connect to the Salesforce application do the following:
 **Step 1 –** Log into Salesforce using an admin account.
-![salesforce-advancesetup](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp)
+![salesforce-advancesetup](/images/identitymanager/salesforce-advancesetup.webp)
 **Step 2 –** Go to **Advanced Setup**.
-![salesforce-newconnectedapp](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp)
+![salesforce-newconnectedapp](/images/identitymanager/salesforce-newconnectedapp.webp)
 **Step 3 –** Go to **App Manager** and ****create** a Connected App**.
-![salesforce-enableoauth](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp)
+![salesforce-enableoauth](/images/identitymanager/salesforce-enableoauth.webp)
 **Step 4 –** Fill in the details of the application: Application Name, API Name, Contact Email, select **Enable OAuth Settings**, and complete the mandatory information as callback URL and OAuth Scopes.
 **Step 5 –** Save the Application.
-![salesforce-manageconnectedapps](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp)
+![salesforce-manageconnectedapps](/images/identitymanager/salesforce-manageconnectedapps.webp)
 **Step 6 –** Go to **Manage Connected Apps** and click on the newly created application.
-![salesforce-manageconsumerdetails](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp)
+![salesforce-manageconsumerdetails](/images/identitymanager/salesforce-manageconsumerdetails.webp)
 **Step 7 –** Click on **Manage Consumer Details**.
-![salesforce-consumerkey](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp)
+![salesforce-consumerkey](/images/identitymanager/salesforce-consumerkey.webp)
 **Step 8 –** Copy the Consumer Key and Consumer Secret in your Keypass.
@@ -81,11 +81,11 @@ To enable the OAuth authentication do the following:
 **Step 1 –** Log into Salesforce using an admin account.
-![salesforce-advancesetup](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp)
+![salesforce-advancesetup](/images/identitymanager/salesforce-advancesetup.webp)
 **Step 2 –** Go to **Advanced Setup**.
-![oauthauthentication](/images/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp)
+![oauthauthentication](/images/identitymanager/oauthauthentication.webp)
 **Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, enable the option to **Allow OAuth Username-Password Flows**.
@@ -95,15 +95,15 @@ To reset the user token do the following:
 **Step 1 –** Log into Salesforce using an admin account.
-![salesforce-usertoken-settings](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp)
+![salesforce-usertoken-settings](/images/identitymanager/salesforce-usertoken-settings.webp)
 **Step 2 –** Click on **Settings** under the profile details.
-![salesforce-resetseuritytoken](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp)
+![salesforce-resetseuritytoken](/images/identitymanager/salesforce-resetseuritytoken.webp)
 **Step 3 –** Click on **Reset My Security Token**.
-![salesforce-checkemail](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp)
+![salesforce-checkemail](/images/identitymanager/salesforce-checkemail.webp)
 **Step 4 –** An email containing the new token will be sent.
@@ -113,15 +113,15 @@ To configure the Salesforce connection do the following:
 **Step 1 –** Log into Identity Manager using an admin account.
-![salesforce-connector](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp)
+![salesforce-connector](/images/identitymanager/salesforce-connector.webp)
 **Step 2 –** **create** a new Salesforce connector.
-![salesforce-connection](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp)
+![salesforce-connection](/images/identitymanager/salesforce-connection.webp)
 **Step 3 –** Add a new Salesforce connection.
-![salesforce-agent-settings](/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp)
+![salesforce-agent-settings](/images/identitymanager/salesforce-agent-settings.webp)
 **Step 4 –** Fill the fields in the **Connection Settings** and choose the **Filter**.
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowentitymanagement.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowentitymanagement.md
index 70dee42ab9..aba1394e90 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowentitymanagement.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowentitymanagement.md
@@ -1,4 +1,4 @@
----
+---
 title: "ServiceNow"
 description: "ServiceNow"
 sidebar_position: 260
@@ -10,7 +10,7 @@ This connector exports and fulfills any data, including users and roles, from/to
 This page is about [ServiceNow](../../../integration-guide/connectors/references-packages/servicenow).
-![Package: ITSM/ServiceNow](/images/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp)
+![Package: ITSM/ServiceNow](/images/identitymanager/packages_servicenow_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowticket.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowticket.md
index 301023ec13..68db6f80ad 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowticket.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/servicenowticket.md
@@ -1,4 +1,4 @@
----
+---
 title: "ServiceNowTicket"
 description: "ServiceNowTicket"
 sidebar_position: 270
@@ -10,7 +10,7 @@ This connector opens tickets in [ServiceNow](https://www.servicenow.com/) for ma
 This page is about [ServiceNow Ticket](../../../integration-guide/connectors/references-packages/servicenow-ticket).
-![Package: Ticket/ServiceNow](/images/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp)
+![Package: Ticket/ServiceNow](/images/identitymanager/packages_servicenowticket_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharedfolder.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharedfolder.md
index b2cfad3374..57a9eb7211 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharedfolder.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharedfolder.md
@@ -1,4 +1,4 @@
----
+---
 title: "SharedFolders"
 description: "SharedFolders"
 sidebar_position: 290
@@ -10,7 +10,7 @@ This connector exports users and permissions from Windows shared folders.
 This page is about [Shared Folders](../../../integration-guide/connectors/references-packages/shared-folders).
-![Package: Storage/Shared Folders](/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp)
+![Package: Storage/Shared Folders](/images/identitymanager/packages_sharedfolders_v603.webp)
 ## Overview
@@ -24,7 +24,7 @@ Implementing this connector requires an account with the permissions:
 - **Log on as a batch job** in the local group policy, when the connector's authentication mode is batch.
- ![SharedFolder - Permission for Batch Authentication](/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp)
+ ![SharedFolder - Permission for Batch Authentication](/images/identitymanager/sharedfolder_permission.webp)
 ## Export
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharepoint.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharepoint.md
index 5bb760e3de..129b2b754f 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharepoint.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sharepoint.md
@@ -1,4 +1,4 @@
----
+---
 title: "SharePoint"
 description: "SharePoint"
 sidebar_position: 280
@@ -10,7 +10,7 @@ This connector exports sites, folders, groups and permissions from a [SharePoint
 This page is about Storage/SharePoint.
-![Package: Storage/SharePoint](/images/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp)
+![Package: Storage/SharePoint](/images/identitymanager/packages_sharepoint_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sql.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sql.md
index ba077c45e8..f82e290a7e 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sql.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sql.md
@@ -1,4 +1,4 @@
----
+---
 title: "Sql"
 description: "Sql"
 sidebar_position: 300
@@ -18,19 +18,19 @@ This page is about:
 - Database/[PostgreSQL](../../../integration-guide/connectors/references-packages/postgresql);
 - [SAP ASE](../../../integration-guide/connectors/references-packages/sapase).
-![Package: Directory/Database/Generic SQL](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp)
+![Package: Directory/Database/Generic SQL](/images/identitymanager/packages_sqlgeneric_v603.webp)
-![Package: Directory/Database/Microsoft SQL Server](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp)
+![Package: Directory/Database/Microsoft SQL Server](/images/identitymanager/packages_sqlserver_v603.webp)
-![Package: Directory/Database/MySQL](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp)
+![Package: Directory/Database/MySQL](/images/identitymanager/packages_sqlmy_v603.webp)
-![Package: Directory/Database/ODBC](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp)
+![Package: Directory/Database/ODBC](/images/identitymanager/packages_sqlodbc_v603.webp)
-![Package: Directory/Database/Oracle](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp)
+![Package: Directory/Database/Oracle](/images/identitymanager/packages_sqloracle_v603.webp)
-![Package: Directory/Database/PostgreSQL](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp)
+![Package: Directory/Database/PostgreSQL](/images/identitymanager/packages_sqlpostgre_v603.webp)
-![Package: Directory/Database/SAP ASE](/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp)
+![Package: Directory/Database/SAP ASE](/images/identitymanager/packages_sqlsap_v603.webp)
 ## Overview
@@ -122,7 +122,7 @@ Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: 1. Download and extract the package. > For MySQL, download the package from [MySql.Data](https://www.nuget.org/packages/MySql.Data/). > - > ![MySQL: Download Package](/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp) + > ![MySQL: Download Package](/images/identitymanager/sql_downloadpackage.webp) 2. Copy the DLL file (corresponding to the correct .Net version) to the `Runtime` folder. > For MySQL, the DLL is `MySql.Data.dll`. 3. Get the value required for `ProviderClassFullName` and `ProviderDllName`: @@ -132,7 +132,7 @@ Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: > For MySQL: > - > ![Package Characteristics Example](/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp) + > ![Package Characteristics Example](/images/identitymanager/sql_packagecharacteristics.webp) - for another DBMS, by accessing the DBMS' documentation for .Net and finding a class with **Factory** in its name. diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sqlserverentitlements.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sqlserverentitlements.md index e247403622..b859e676eb 100644 --- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/sqlserverentitlements.md +++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/sqlserverentitlements.md @@ -1,4 +1,4 @@ ---- +--- title: "Sql Server Entitlements" description: "Sql Server Entitlements" sidebar_position: 310 
@@ -10,7 +10,7 @@ This connector exports entitlements from [Microsoft SQL Server](https://www.micr
 This page is about [SQL Server Entitlements](../../../integration-guide/connectors/references-packages/sql-server-entitlements).
-![Package: Database/Microsoft SQL Server Entitlements](/images/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp)
+![Package: Database/Microsoft SQL Server Entitlements](/images/identitymanager/packages_sqlservermanagement_v603.webp)
 ## Overview
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/topsecret.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/topsecret.md
index 256f6e89f8..befe3b7731 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/topsecret.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/topsecret.md
@@ -1,4 +1,4 @@
----
+---
 title: "Top Secret"
 description: "Top Secret"
 sidebar_position: 320
@@ -10,7 +10,7 @@ This connector exports users and profiles from a [Top Secret](https://www.ibm.co
 This page is about [TSS](../../../integration-guide/connectors/references-packages/tss).
-![Package: Mainframe/Top Secret](/images/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp)
+![Package: Mainframe/Top Secret](/images/identitymanager/packages_tss_v603.webp)
 The documentation is not yet available for this page and will be completed in the near future.
diff --git a/docs/identitymanager/current/integration-guide/connectors/references-connectors/workday.md b/docs/identitymanager/current/integration-guide/connectors/references-connectors/workday.md
index 8c839676ca..52764cbe1f 100644
--- a/docs/identitymanager/current/integration-guide/connectors/references-connectors/workday.md
+++ b/docs/identitymanager/current/integration-guide/connectors/references-connectors/workday.md
@@ -1,4 +1,4 @@
----
+---
 title: "Workday"
 description: "Workday"
 sidebar_position: 330
@@ -10,7 +10,7 @@ This connector exports users and groups from a [Workday](https://www.workday.com
 This page is about [Workday](../../../integration-guide/connectors/references-packages/workday).
-![Package: ERP/Workday](/images/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp)
+![Package: ERP/Workday](/images/identitymanager/packages_workday_v603.webp)
 ## Prerequisites
diff --git a/docs/identitymanager/current/integration-guide/entity-model.md b/docs/identitymanager/current/integration-guide/entity-model.md
index 9c59080271..860b03568b 100644
--- a/docs/identitymanager/current/integration-guide/entity-model.md
+++ b/docs/identitymanager/current/integration-guide/entity-model.md
@@ -1,4 +1,4 @@
----
+---
 title: "Entity Model"
 description: "Entity Model"
 sidebar_position: 30
@@ -154,7 +154,7 @@ Let's take, for example, a case where we want to store an employee's start date:
 We need to transform the input data, from the export, into something readable by Identity Manager�and, when writing to the external system, transform Identity Manager's data back into something readable by the external system.
-![Export and Fulfill Data transformation](/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp)
+![Export and Fulfill Data transformation](/images/identitymanager/entitypropertymapping-format-flowchart.webp)
 The format used in the external system can be provided through the [Entity Type Mapping](../integration-guide/toolkit/xml-configuration/connectors/entitytypemapping) using the [References: Format for the EntityPropertyMapping](../integration-guide/connectors/entitypropertymapping-format) attribute to help Identity Manager�to convert data appropriately.
diff --git a/docs/identitymanager/current/integration-guide/executables/references/create-databaseviews.md b/docs/identitymanager/current/integration-guide/executables/references/create-databaseviews.md index 45177a5631..159fa3fc57 100644 --- a/docs/identitymanager/current/integration-guide/executables/references/create-databaseviews.md +++ b/docs/identitymanager/current/integration-guide/executables/references/create-databaseviews.md @@ -1,4 +1,4 @@ ---- +--- title: "Usercube-Create-DatabaseViews" description: "Usercube-Create-DatabaseViews" sidebar_position: 60 @@ -36,5 +36,5 @@ The following example allows the user to connect to Identity Manager server at You can explore created views in the Identity Manager database's Views folder in SQL Server Management Studio -![SSMS Views](/images/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp) +![SSMS Views](/images/identitymanager/identitymanager-create-databaseviews_ssms.webp) diff --git a/docs/identitymanager/current/integration-guide/executables/references/export-configuration.md b/docs/identitymanager/current/integration-guide/executables/references/export-configuration.md index 1355a9d571..f21c023509 100644 --- a/docs/identitymanager/current/integration-guide/executables/references/export-configuration.md +++ b/docs/identitymanager/current/integration-guide/executables/references/export-configuration.md @@ -1,4 +1,4 @@ ---- +--- title: "Usercube-**export**-Configuration" description: "Usercube-**export**-Configuration" sidebar_position: 110 
@@ -22,7 +22,7 @@ Netwrix Identity Manager (formerly Usercube) recommends configuring Identity Man - a basic **export** will **export** the translation JSON files; - a scaffolding **export** will **export** the XML configuration generated by scaffoldings. -![Schema - **export** Process](/images/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp) +![Schema - **export** Process](/images/identitymanager/identitymanager-export-configuration.webp) For **all** **export** types, Netwrix Identity Manager (formerly Usercube) recommends using as output directory a folder other than the one containing the old XML configuration. This way, the exported configuration does not overwrite the old one, and: diff --git a/docs/identitymanager/current/integration-guide/executables/references/invoke-job.md b/docs/identitymanager/current/integration-guide/executables/references/invoke-job.md index 33a1098de6..f0aa2b7749 100644 --- a/docs/identitymanager/current/integration-guide/executables/references/invoke-job.md +++ b/docs/identitymanager/current/integration-guide/executables/references/invoke-job.md @@ -1,4 +1,4 @@ ---- +--- title: "Usercube-Invoke-Job" description: "Usercube-Invoke-Job" sidebar_position: 220 @@ -12,7 +12,7 @@ This tool launches a job on the agent side. The Usercube-Invoke-Job.exe tool is a **state machine**. -![Schematization](/images/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp) +![Schematization](/images/identitymanager/job_operation.webp) When a job is launched, the **state machine** starts by computing all the tasks that must be launched in the job. diff --git a/docs/identitymanager/current/integration-guide/executables/references/manage-configurationdependantindexes.md b/docs/identitymanager/current/integration-guide/executables/references/manage-configurationdependantindexes.md index 75193d1078..d8cc9d08e7 100644 
--- a/docs/identitymanager/current/integration-guide/executables/references/manage-configurationdependantindexes.md +++ b/docs/identitymanager/current/integration-guide/executables/references/manage-configurationdependantindexes.md @@ -13,6 +13,29 @@ This tool creates the necessary SQL indexes based on the latest deployed configu - Creates SQL indexes and statistics to optimize searches on specific entity types - Creates SQL indexes to optimize joins between records and main entity types - Creates SQL indexed views used to compute dashboard counters +- Creates SQL indexes to optimize workflow overview and consultation queries + +### Workflow Reverse-Join Indexes + +The tool automatically creates database indexes that improve the performance of Workflow Overview and Workflow Consultation pages. These indexes are derived from the workflow configuration and target the navigation properties used by workflow queries on the `UR_Resources` table. + +Without these indexes, workflow pages can become slow on large databases because the database engine must scan millions of rows to resolve related entities. With them, the same queries complete in milliseconds. + +**Behavior:** +- Indexes are created automatically — no manual configuration is required +- The set of indexes adapts to your workflow configuration +- Running the tool multiple times is safe — indexes that already exist are skipped, and indexes whose definition no longer matches the configuration are dropped and recreated + +**Expected storage impact:** approximately 0.1 MB per 1,000 rows in `UR_Resources`. + +**To verify that the indexes were created:** +```sql +SELECT name, filter_definition +FROM sys.indexes +WHERE object_id = OBJECT_ID('UR_Resources') + AND name LIKE 'ZZ_IX_%ReverseJoin%' +ORDER BY name; +``` ## Examples 
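Review bot: The verification query's pattern `LIKE 'ZZ_IX_%ReverseJoin%'` treats each `_` as a single-character wildcard in T-SQL, so it matches more names than the literal prefix it appears to target; `AND name LIKE 'ZZ[_]IX[_]%ReverseJoin%'` pins the underscores. The Behavior list says indexes that no longer match the configuration are dropped and recreated on `UR_Resources`, but the section does not say which database permissions the tool's account needs for that. A sentence naming them would help operators avoid running the tool under an over-privileged login. `OBJECT_ID('UR_Resources')` is also unqualified and resolves against the caller's default schema, so a schema-qualified name is safer if the table lives elsewhere.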
diff --git a/docs/identitymanager/current/integration-guide/executables/references/manage-history.md b/docs/identitymanager/current/integration-guide/executables/references/manage-history.md index b47c1a5288..7b18b83f8c 100644 --- a/docs/identitymanager/current/integration-guide/executables/references/manage-history.md +++ b/docs/identitymanager/current/integration-guide/executables/references/manage-history.md @@ -1,4 +1,4 @@ ---- +--- title: "Usercube-Manage-History" description: "Usercube-Manage-History" sidebar_position: 260 @@ -10,6 +10,15 @@ This tool optimizes the data history stored in the database, reducing its size a The inner workings of this executable are based on the `ValidFrom` and `ValidTo` attributes that specify the validity period of a given assignment. These attributes are inside the following tables which are the tables actually purged: `ur_resources`; `ur_resourcelinks`; `up_assignedcompositeroles`; `up_assignedsingleroles`; `up_assignedresourcenavigations`; `up_assignedresourcetypes`. +### Protected resources + +When purging `ur_resources`, resources that are still referenced by other product data (assignments, workflows, certifications, etc.) are treated differently from fully unreferenced resources: + +- **Referenced (protected)**: the most recently expired row is kept, with only `Id`, `Type`, `ValidFrom`, `ValidTo` and `DisplayName_L*` retained. +- **Unreferenced**: all expired rows are deleted entirely. + +This preserves a traceable record of the resource for audit purposes. + ## Examples **Purge before a period** 
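Review bot: The closing sentence of the new "Protected resources" section, "This preserves a traceable record…", comes straight after the Unreferenced bullet and so reads as if deleting rows were what preserves the record. It should name the retained row, e.g. `Keeping this reduced row preserves a traceable record of referenced resources for audit purposes.` The section also does not say that a purge leaves `DisplayName_L*` values in `ur_resources` for referenced resources, which matters when the purge is used to meet a data-retention or erasure requirement (assuming display names can identify a person). The `--purge-before-date` and `--purge-before-months` rows changed in a later hunk of this file say "referenced resources are kept", which is looser than the behaviour described here; `the most recently expired row of referenced resources is kept in reduced form` would match.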
@@ -42,7 +51,7 @@ The database's history can be optimized by removing intermediate versions based The following example reduces the history from the database, keeping at most one history version per interval. Here we keep one version per day (1440 minutes) in the last 7 days, then one version per month (43920 minutes) in the last 6 months before the previously defined period, then one version per year (525960 minutes) in the last 2 years before the previously defined periods. -![Schema - Optimize](/images/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp) +![Schema - Optimize](/images/identitymanager/tools_managehistory_schema.webp) For each period, if there is more than one version (i.e. `ValidFrom` is inside the interval), the versions are merged in the following way: 
@@ -99,8 +108,8 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor | --excluded-resource-columns required if --entity-type is set | String list | When using `--clean-duplicates` option, defines the list of column names (the name of the columns in the `UR_Resources` table, or the Identifier of the corresponding um_entityproperty) to exclude when comparing rows of `UR_Resources` table. | | --in-memory default value: False | No value | Performs optimizations in memory instead of the database. It implies heavy memory consumption but light SQL load. | | --optimize optional | String list | Reduces the history and optimizes the versions that are kept based on the precision given through ranges in the argument. A range is specified by a duration in minutes followed by the number of occurrences. For example 60:10 defines a range of 60 minutes repeated 10 times, or 10 snapshots repeated at 60 minute intervals. For each interval, at most one version is kept in the history. The intervals are evaluated in the given order from now, backwards. In the previous example, it means the more recent versions are kept with a high precision (one per day initially), then with lesser and lesser precision (one per month and then one per year). If the data has not changed over an interval, no optimization can be done. | - | --purge-before-date optional | String | Deletes all the history older than the given date in the yyyyMMdd format. | - | --purge-before-months optional | String | Deletes all the history older than the given number of months. | + | --purge-before-date optional | String | Deletes all the history older than the given date in the yyyyMMdd format. For `ur_resources`, referenced resources are kept; see [Protected resources](#protected-resources). | + | --purge-before-months optional | String | Deletes all the history older than the given number of months. 
For `ur_resources`, referenced resources are kept; see [Protected resources](#protected-resources). | | --database-connection-string required | String | Connection string of the database. | The available actions (clean duplicates; purge; optimize) are all optional, but at least one must be used in the executable command. diff --git a/docs/identitymanager/current/integration-guide/executables/references/prepare-synchronization.md b/docs/identitymanager/current/integration-guide/executables/references/prepare-synchronization.md index dae6027903..bc9f67d646 100644 --- a/docs/identitymanager/current/integration-guide/executables/references/prepare-synchronization.md +++ b/docs/identitymanager/current/integration-guide/executables/references/prepare-synchronization.md @@ -1,4 +1,4 @@ ---- +--- title: "Usercube-Prepare-Synchronization" description: "Usercube-Prepare-Synchronization" sidebar_position: 290 @@ -75,7 +75,7 @@ Any notification of a _complete_ Prepare-Synchronization would cancel the previo The figure models the complete _Prepare-Synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations (_members_ and _manager_). -![Active Directory Prepare-Synchronization Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) +![Active Directory Prepare-Synchronization Example](/images/identitymanager/ad_preparesynchro_example.webp) ## Examples diff --git a/docs/identitymanager/current/integration-guide/governance/accesscertification.md b/docs/identitymanager/current/integration-guide/governance/accesscertification.md index ccae16db1c..f7a316633f 100644 --- a/docs/identitymanager/current/integration-guide/governance/accesscertification.md +++ b/docs/identitymanager/current/integration-guide/governance/accesscertification.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Access Certification" description: "Access Certification" sidebar_position: 20 @@ -151,7 +151,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor It automatically appears on the campaign creation screen, and binds itself to the created campaign: -![Campaign creation screen with policies](/images/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp) +![Campaign creation screen with policies](/images/identitymanager/creation_5.1.6.webp) To use it, modify the access control rules by adding a filter on the campaign policy. See the [Access Control Rule](../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) topic for additional information. diff --git a/docs/identitymanager/current/integration-guide/governance/reporting/analyze-powerbi.md b/docs/identitymanager/current/integration-guide/governance/reporting/analyze-powerbi.md index d558790d45..cf9bab0382 100644 --- a/docs/identitymanager/current/integration-guide/governance/reporting/analyze-powerbi.md +++ b/docs/identitymanager/current/integration-guide/governance/reporting/analyze-powerbi.md @@ -1,4 +1,4 @@ ---- +--- title: "Analyze Identity Manager's Data with Power BI" description: "Analyze Identity Manager's Data with Power BI" sidebar_position: 20 @@ -24,7 +24,7 @@ Based on this model, Power BI will be able to: - generate customized graphic reports - publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises) -![Process Schema](/images/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp) +![Process Schema](/images/identitymanager/powerbi_process.webp) ## Prerequisites diff --git a/docs/identitymanager/current/integration-guide/governance/reporting/connect-powerbi.md b/docs/identitymanager/current/integration-guide/governance/reporting/connect-powerbi.md index 08ed1b69b1..b027d41fea 100644 
--- a/docs/identitymanager/current/integration-guide/governance/reporting/connect-powerbi.md +++ b/docs/identitymanager/current/integration-guide/governance/reporting/connect-powerbi.md @@ -1,4 +1,4 @@ ---- +--- title: "Connect Power BI to Identity Manager" description: "Connect Power BI to Identity Manager" sidebar_position: 10 
@@ -24,26 +24,26 @@ Connect Power BI to Identity Manager by proceeding as follows: 1. Open Power BI Desktop. 2. Click on **Get data** either in the welcome window or in the home menu. - ![Get Data](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp) + ![Get Data](/images/identitymanager/powerbi_getdata.webp) 3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and click on **Connect**. - ![Get Data Window](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp) + ![Get Data Window](/images/identitymanager/powerbi_getdatawindow.webp) 4. Enter Identity Manager's server URL in the opening window. - ![Server URL](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp) + ![Server URL](/images/identitymanager/powerbi_url.webp) 5. In the opening window, enter the [OpenIdClient](../../../integration-guide/toolkit/xml-configuration/access-control/openidclient)of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of `OpenIdClient` with `@` and Identity Manager's domain name. See the following example. - ![Client Id / Client Secret](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp) + ![Client Id / Client Secret](/images/identitymanager/powerbi_clientid.webp) 6. You can now access in the left panel the [Universe](../../../integration-guide/toolkit/xml-configuration/business-intelligence/universe)from Identity Manager configuration. You can click on the desired universe to expand it, and view and pick the desired tables. - ![Universe Panel](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp) + ![Universe Panel](/images/identitymanager/powerbi_universes.webp) **Power BI tip:** to view a table, click on its name. 
To select a table, check the box next to the table's name. @@ -59,5 +59,5 @@ Clear the cache by proceeding as follows: 1. In Power BI, click on **File** > **Options and settings** > **Options**. 2. In the **Data Load** tab, click on **Clear Cache**. - ![Clear Cache](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp) + ![Clear Cache](/images/identitymanager/powerbi_clearcache.webp) diff --git a/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/analyze-powerbi.md b/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/analyze-powerbi.md index 4fe0307027..1ff194de90 100644 --- a/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/analyze-powerbi.md +++ b/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/analyze-powerbi.md @@ -1,4 +1,4 @@ -# Analyze Identity Manager's Data with Power BI +# Analyze Identity Manager's Data with Power BI This topic explains how to prepare Identity Manager's data and use it in Power BI, with the final goal to generate user-friendly reports. @@ -18,7 +18,7 @@ Based on this model, Power BI will be able to: - generate customized graphic reports - publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises) -![Process Schema](/images/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp) +![Process Schema](/images/identitymanager/powerbi_process.webp) ## Prerequisites diff --git a/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi.md b/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi.md index 1f7b907368..10f6b16ac5 100644 --- a/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi.md +++ b/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi.md 
@@ -1,4 +1,4 @@ -# Connect Power BI to Identity Manager +# Connect Power BI to Identity Manager This guide shows how to connect Power BI to Identity Manager. 
@@ -18,26 +18,26 @@ Connect Power BI to Identity Manager by proceeding as follows: 1. Open Power BI Desktop. 2. Click on **Get data** either in the welcome window or in the home menu. - ![Get Data](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp) + ![Get Data](/images/identitymanager/powerbi_getdata.webp) 3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and click on **Connect**. - ![Get Data Window](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp) + ![Get Data Window](/images/identitymanager/powerbi_getdatawindow.webp) 4. Enter Identity Manager's server URL in the opening window. - ![Server URL](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp) + ![Server URL](/images/identitymanager/powerbi_url.webp) 5. In the opening window, enter the [OpenIdClient](../../../../integration-guide/toolkit/xml-configuration/access-control/openidclient)of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of `OpenIdClient` with `@` and Identity Manager's domain name. See the following example. - ![Client Id / Client Secret](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp) + ![Client Id / Client Secret](/images/identitymanager/powerbi_clientid.webp) 6. You can now access in the left panel the [Universe](../../../../integration-guide/toolkit/xml-configuration/business-intelligence/universe)from Identity Manager configuration. You can click on the desired universe to expand it, and view and pick the desired tables. - ![Universe Panel](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp) + ![Universe Panel](/images/identitymanager/powerbi_universes.webp) **Power BI tip:** to view a table, click on its name. 
To select a table, check the box next to the table's name. @@ -53,5 +53,5 @@ Clear the cache by proceeding as follows: 1. In Power BI, click on **File** > **Options and settings** > **Options**. 2. In the **Data Load** tab, click on **Clear Cache**. - ![Clear Cache](/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp) + ![Clear Cache](/images/identitymanager/powerbi_clearcache.webp) diff --git a/docs/identitymanager/current/integration-guide/governance/risks.md b/docs/identitymanager/current/integration-guide/governance/risks.md index ff28472270..fd49cf69e3 100644 --- a/docs/identitymanager/current/integration-guide/governance/risks.md +++ b/docs/identitymanager/current/integration-guide/governance/risks.md @@ -1,4 +1,4 @@ ---- +--- title: "**Risk Management**" description: "**Risk Management**" sidebar_position: 40 
@@ -51,25 +51,25 @@ All risks are assigned an exemption policy that defines the behavior of Identity Risk-triggering permission requests can be forbidden with the **blocking** exemption policy. If at least one of the detected risks in the requested entitlement set has the **blocking** exemption policy, then Identity Manager does not allow the set to be requested at all. A message is displayed and the request must be cancelled: -![Exemption Policy - **blocking**](/images/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp) +![Exemption Policy - **blocking**](/images/identitymanager/risks_blocking_v522.webp) ### **approval required** Yet, instead of being unilaterally forbidden, risk-triggering permission requests can be authorized with an additional role review approval with the **approval required** exemption policy. If at least one of the detected risks in the requested entitlement set has the **approval required** exemption policy, then Identity Manager adds a step where this new set must be reviewed by a knowledgeable user like a security officer. A message is displayed and the request can be continued or cancelled: -![Exemption Policy - **approval required**](/images/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp) +![Exemption Policy - **approval required**](/images/identitymanager/risks_requiredapproval_v522.webp) If the request is performed, then a line appears on the **Role Review** screen. The workflow state of said request is `Manual`, `Pending approval (risks)` and shows the following risk icon. -![Home Page - Role Review](/images/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg) +![Home Page - Role Review](/images/identitymanager/risks_riskicon_v522.svg) ### **warning** Risk-triggering permissions can also be allowed with only a **warning** with the **warning** exemption policy. 
If all detected risks in the requested entitlement set has the **warning** exemption policy, then Identity Manager displays a message and the request can be continued or cancelled: -![Exemption Policy - **warning**](/images/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp) +![Exemption Policy - **warning**](/images/identitymanager/risks_warning_v522.webp) ### Upon Profile @@ -119,5 +119,5 @@ During access certification, assignments that are responsible for triggering the The risk score computation is performed by the risk score task. -![Compute Risk Score Task](/images/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp) +![Compute Risk Score Task](/images/identitymanager/risks_riskcomputetask_v522.webp) diff --git a/docs/identitymanager/current/integration-guide/identity-management/identity-repository.md b/docs/identitymanager/current/integration-guide/identity-management/identity-repository.md index 61f2f74433..258d31b211 100644 --- a/docs/identitymanager/current/integration-guide/identity-management/identity-repository.md +++ b/docs/identitymanager/current/integration-guide/identity-management/identity-repository.md @@ -1,4 +1,4 @@ ---- +--- title: "Identity Repository" description: "Identity Repository" sidebar_position: 10 
@@ -15,13 +15,13 @@ The identity repository is supposed to contain the list of all kinds of identiti > For example, a user can be represented by an identifier and linked to their position which > includes the user's employee id, last name and first name, email, user type, organization, etc. > -> ![Identity Repository Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) +> ![Identity Repository Example](/images/identitymanager/identityrepository-example.webp) > In Identity Manager, the identity repository can look like the following: > -> ![Identity Repository Result](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> ![Identity Repository Result](/images/identitymanager/identityrepository_v602.webp) > -> ![Identity Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) +> ![Identity Example](/images/identitymanager/identityrepository-person_v602.webp) The identity repository can be created and updated by: diff --git a/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md b/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md index 2583168ff2..77669c2585 100644 --- a/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md +++ b/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/on-offboarding.md @@ -1,4 +1,4 @@ ---- +--- title: "Onboarding and Offboarding" description: "Onboarding and Offboarding" sidebar_position: 10 
@@ -39,7 +39,7 @@ These start and end dates can be configured to be different from the actual star These dates should then be part of entity types' properties (for example as `StartDate` and `EndDate`), in order to be used in [Record Section](../../../integration-guide/toolkit/xml-configuration/provisioning/recordsection) and [Context Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/contextrule). -![Identities - Validity Period](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp) +![Identities - Validity Period](/images/identitymanager/validityperiod.webp) At the start date, the resource is created and a few entitlements are assigned to the identity. diff --git a/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change.md b/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change.md index 1466858976..41ffb81caa 100644 --- a/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change.md +++ b/docs/identitymanager/current/integration-guide/identity-management/joiners-movers-leavers/position-change.md @@ -1,4 +1,4 @@ ---- +--- title: "Position Change via Records" description: "Position Change via Records" sidebar_position: 20 
@@ -37,7 +37,7 @@ Any change in an identity's lifecycle, such as a position change, usually entail It seems natural to model identities by splitting their properties into three entities: one for users' personal data, one for their contract(s) and one for their position(s): -![Records Origin - Three-Entity Model](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp) +![Records Origin - Three-Entity Model](/images/identitymanager/recordsorigin_firstmodel.webp) A user can have several positions over time, even simultaneously. A user's contract can change over time too. Even personal data is subject to change. This is why we can have several sets of personal data (and/or several contracts and/or several positions) for a single user, and also why the `User` entity is meant to contain only users' unique identifiers. 
@@ -76,16 +76,16 @@ To simplify the expressions, the model needs to be "flattened" in order to provi > fixed-term to permanent. At day D2, he starts an additional position. The two positions overlap > from day D2 to day D3 when the first position ends. > -> ![User Example](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp) +> ![User Example](/images/identitymanager/recordsorigin_userexample.webp) > > Over time, the three entities are as follows: > -> ![Example - Timelines](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp) +> ![Example - Timelines](/images/identitymanager/recordsorigin_timelines.webp) > > From this, Identity Manager is able to combine the start and end dates of all entities at all > times to generate the following datasheets, named contexts: > -> ![Example - Contexts](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp) +> ![Example - Contexts](/images/identitymanager/recordsorigin_contexts.webp) Contexts are the result of the combination of all entities (personal data, contract and position) so that all values contained in a given context are valid on a given period of time. 
@@ -112,7 +112,7 @@ The complexity that comes from the combination of all start and end dates is tac The final step to a viable model is to find a way to **store optimally** this context model in the database, in order to be able to perform fast requests. Hence, the final model gathers all entities (personal data, contracts and positions), including their respective start and end dates, into a single entity named records, where a context is a record instance: -![Records Origin - Final Model](/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp) +![Records Origin - Final Model](/images/identitymanager/recordsorigin_thirdmodel.webp) While there are as many contexts for a user as the number of changes in the user's datasheet, there are only as many records as needed to store each value at least once. diff --git a/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings-agent.md b/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings-agent.md index 944488af04..a70bec2058 100644 --- a/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings-agent.md +++ b/docs/identitymanager/current/integration-guide/network-configuration/agent-configuration/appsettings-agent.md 
@@ -39,7 +39,7 @@ As Identity Manager does not know any object named Identity ManagerAgent, its c | Databases optional | List of Databases | Names and connection strings of all databases used by the agent through InvokeSqlCommandTask, other than Identity Manager's database and other than the databases provided in Identity Manager's available packages. This subsection contains a subsection for each additional database. **NOTE:** The Database is a subsection of the Connections section mentioned above. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "Databases": {     "": ""   } }` Example: `{   …   "Databases": {     "UsercubeContoso": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"   } }` | | OpenId optional | OpenId | OpenId information, i.e. the ClientIds and related ClientSecrets that the agent may use to authenticate to the server in order to launch jobs and tasks. In order to launch jobs and tasks, the profiles related to these OpenId credentials must possess the required permissions. | | PasswordResetSettings optional | PasswordResetSettings | Parameters which configure the reset password process for the managed systems that support it. | - | SourcesRootPaths optional | String Array | List of folder paths from which Identity Manager is allowed to read. This option is used to validate the sources files defined in file-based connections. These paths are case sensitive. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "SourcesRootPaths": ["C:/identitymanagerContoso/SourceHR", "C:/identitymanagerContoso/SourcesPhone"]  }` | + | SourcesRootPaths optional | String Array | Whitelist of root folder paths from which the agent is allowed to read source files. File-based connectors (CSV, Excel, etc.) validate every configured path against this list. 
Paths are case-sensitive. **Default behavior:** on-premises agents default to an empty list — all connector source paths are blocked until this setting is explicitly configured. For SaaS installations, this is managed by Netwrix. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "SourcesRootPaths": ["C:/identitymanagerContoso/SourceHR", "C:/identitymanagerContoso/SourcesPhone"]  }` | | TaskAgentConfiguration optional | TaskAgentConfiguration | Various settings to customize the behavior of some agent tasks. | ## OpenId diff --git a/docs/identitymanager/current/integration-guide/network-configuration/configure-okta.md b/docs/identitymanager/current/integration-guide/network-configuration/configure-okta.md index 87f65aaa8c..b456dbe61a 100644 --- a/docs/identitymanager/current/integration-guide/network-configuration/configure-okta.md +++ b/docs/identitymanager/current/integration-guide/network-configuration/configure-okta.md @@ -1,4 +1,4 @@ ---- +--- title: "Configure Okta" description: "Configure Okta" sidebar_position: 70 
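Review bot: The rewritten `SourcesRootPaths` description presents the list as the control that limits which files the agent may read, but it does not say how a configured path is compared with the list. It should state whether paths are resolved to absolute form first, and how `..` segments, symbolic links or UNC paths are treated. For a setting that acts as a security boundary, one sentence on the matching rule lets administrators judge what a listed root actually permits. The new default (empty list, every source path blocked on on-premises agents) would presumably stop existing file-based connectors after an upgrade until the setting is filled in, so it deserves an explicit upgrade note. A recommendation such as `List the narrowest folders that contain source files rather than a drive root.` would fit after the example.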
@@ -12,15 +12,15 @@ This guide shows how to configure the OIDC to set up the authentication to Ident
 On the Okta dashboard:
-![Add Application](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp)
+![Add Application](/images/identitymanager/okta_addapplication.webp)
 **Step 1 –** Select the **Applications** section and click on the **Add Application** button.
-![Create New App](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp)
+![Create New App](/images/identitymanager/okta_createnewapp.webp)
 **Step 2 –** Then click on the **Create New App** button.
-![Create Native App](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp)
+![Create Native App](/images/identitymanager/okta_createnativeapp.webp)
 **Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. Click on **Create**.
@@ -31,19 +31,19 @@ On the Okta dashboard: :::note The **Logout redirect URLs** section is marked as optional but it is mandatory for Identity Manager. ::: -![Save Application](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp) +![Save Application](/images/identitymanager/okta_saveapplication.webp) ## Configure the Client Credentials The client secret in Identity Manager is required for the OIDC connection. You must therefore configure this OIDC connection option in the application. In the Application Dashboard, click on **Edit** in the **Client Credentials** section. Select the option **Use Client Authentication** and save the changes. -![Client Credentials](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp) +![Client Credentials](/images/identitymanager/okta_clientcredentials.webp) ## Configure the Application Settings In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with Identity Manager can operate correctly. **Allow ID Token with implicit grant type** is optional. -![Application Section](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp) +![Application Section](/images/identitymanager/okta_applicationsection.webp) ## Configure the appsettings.json diff --git a/docs/identitymanager/current/integration-guide/network-configuration/how-tos/okta.md b/docs/identitymanager/current/integration-guide/network-configuration/how-tos/okta.md index bde97cde4e..46a83af54c 100644 --- a/docs/identitymanager/current/integration-guide/network-configuration/how-tos/okta.md +++ b/docs/identitymanager/current/integration-guide/network-configuration/how-tos/okta.md @@ -1,4 +1,4 @@ -# Configure Okta +# Configure Okta This guide shows how to configure the OIDC to set up the authentication to Identity Manager. 
@@ -6,15 +6,15 @@ This guide shows how to configure the OIDC to set up the authentication to Ident
 On the Okta dashboard:
-![Add Application](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp)
+![Add Application](/images/identitymanager/okta_addapplication.webp)
 **Step 1 –** Select the **Applications** section and click on the **Add Application** button.
-![Create New App](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp)
+![Create New App](/images/identitymanager/okta_createnewapp.webp)
 **Step 2 –** Then click on the **Create New App** button.
-![Create Native App](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp)
+![Create Native App](/images/identitymanager/okta_createnativeapp.webp)
 **Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. Click on **Create**.
@@ -25,19 +25,19 @@ On the Okta dashboard: :::note The **Logout redirect URLs** section is marked as optional but it is mandatory for Identity Manager. ::: -![Save Application](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp) +![Save Application](/images/identitymanager/okta_saveapplication.webp) ## Configure the Client Credentials The client secret in Identity Manager is required for the OIDC connection. You must therefore configure this OIDC connection option in the application. In the Application Dashboard, click on **Edit** in the **Client Credentials** section. Select the option **Use Client Authentication** and save the changes. -![Client Credentials](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp) +![Client Credentials](/images/identitymanager/okta_clientcredentials.webp) ## Configure the Application Settings In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with Identity Manager can operate correctly. **Allow ID Token with implicit grant type** is optional. -![Application Section](/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp) +![Application Section](/images/identitymanager/okta_applicationsection.webp) ## Configure the appsettings.json diff --git a/docs/identitymanager/current/integration-guide/network-configuration/index.md b/docs/identitymanager/current/integration-guide/network-configuration/index.md index 42ea377bc7..e67f6e84dd 100644 --- a/docs/identitymanager/current/integration-guide/network-configuration/index.md +++ b/docs/identitymanager/current/integration-guide/network-configuration/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Network Configuration" description: "Network Configuration" sidebar_position: 230 
@@ -48,7 +48,7 @@ Within a Configuration Set Tree, settings are organized into meaningful sections This means that every setting value either belongs to the settings root node or to a section, itself belonging to a parent section. -![tree like structure](/images/identitymanager/integration-guide/network-configuration/tree-like-structure.webp) +![tree like structure](/images/identitymanager/tree-like-structure.webp) ### Configuration files diff --git a/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/end-users-authentication.md b/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/end-users-authentication.md index eaae744ee5..0cd86fdf5b 100644 --- a/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/end-users-authentication.md +++ b/docs/identitymanager/current/integration-guide/network-configuration/server-configuration/end-users-authentication.md @@ -1,4 +1,4 @@ ---- +--- title: "End-User **authentication**" description: "End-User **authentication**" sidebar_position: 30 @@ -41,11 +41,11 @@ For each **authentication** method, one or several **authentication** providers Internal method & test mode form: -![authent_1](/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp) +![authent_1](/images/identitymanager/authent_1.webp) External method prompt: -![authent_2](/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp) +![authent_2](/images/identitymanager/authent_2.webp) ## Identity Server RSA Key Pair diff --git a/docs/identitymanager/current/integration-guide/network-configuration/settings.md b/docs/identitymanager/current/integration-guide/network-configuration/settings.md index e71683226e..366a7cf4e4 100644 --- a/docs/identitymanager/current/integration-guide/network-configuration/settings.md 
+++ b/docs/identitymanager/current/integration-guide/network-configuration/settings.md @@ -1,4 +1,4 @@ ---- +--- title: "Various XML Settings" description: "Various XML Settings" sidebar_position: 60 @@ -64,13 +64,13 @@ To navigate to the custom links from the user interface, NETWRIX recommends conf ``` -![LCustomLinksUserMenu.webp](/images/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp) +![LCustomLinksUserMenu.webp](/images/identitymanager/customlinksusermenu_v523.webp) ## DashboardItemNumber Some sections on the dashboard contain multiple links. These links are quick links with counters to the review page filtered by entity type. The links are sorted by entity type priority. -![LDashboardItemNumber.webp](/images/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp) +![LDashboardItemNumber.webp](/images/identitymanager/dashboarditemnumber.webp) By default, 3 links are displayed. If more than 3 entity type links exist, a link "Others" is displayed with the concatenation of remaining counters. diff --git a/docs/identitymanager/current/integration-guide/notifications/native/errored-jobs.md b/docs/identitymanager/current/integration-guide/notifications/native/errored-jobs.md index 819d0fc7b3..8fe96622cf 100644 --- a/docs/identitymanager/current/integration-guide/notifications/native/errored-jobs.md +++ b/docs/identitymanager/current/integration-guide/notifications/native/errored-jobs.md 
@@ -8,5 +8,5 @@ sidebar_position: 60
 Identity Manager is able to send notification emails when a job ends with an error. The notification email is sent to the user who has the necessary rights and the permission.
-See the [Native Notifications](../../../integration-guide/notifications/native) and [Profiles & Permissions](../../content/integration-guide/profiles-permissions) topics for additional information.
+See the [Native Notifications](../../../integration-guide/notifications/native) and [Profiles & Permissions](../../profiles-permissions) topics for additional information.
diff --git a/docs/identitymanager/current/integration-guide/notifications/native/index.md b/docs/identitymanager/current/integration-guide/notifications/native/index.md
index b83ea95d69..0f60576c3a 100644
--- a/docs/identitymanager/current/integration-guide/notifications/native/index.md
+++ b/docs/identitymanager/current/integration-guide/notifications/native/index.md
@@ -23,7 +23,7 @@ Concerning the notifications sent via permissions: In order to receive the notif
 For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a profile to perform manual provisioning with Directory_User as the source entity type, and receive the corresponding notifications. On the contrary, the permission `/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for all entity types, but not receive the corresponding notifications.
-See the [References: Permissions](../../content/integration-guide/profiles-permissions/permissions) topic for additional information.
+See the [References: Permissions](../../profiles-permissions/permissions) topic for additional information.
 Each permission can be configured in an [Access Control Rule](../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) so that the corresponding notification is disabled.
diff --git a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/create-assign-profiles.md b/docs/identitymanager/current/integration-guide/profiles-permissions/create-assign-profiles.md similarity index 82% rename from docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/create-assign-profiles.md rename to docs/identitymanager/current/integration-guide/profiles-permissions/create-assign-profiles.md index fdc091d970..9d2311af4a 100644 --- a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/create-assign-profiles.md +++ b/docs/identitymanager/current/integration-guide/profiles-permissions/create-assign-profiles.md @@ -1,4 +1,4 @@ ---- +--- title: "Create and Assign Profiles" description: "Create and Assign Profiles" sidebar_position: 20 @@ -10,7 +10,7 @@ This guide shows how to create in the XML configuration profiles and the appropr ## Create a Profile -Here is the xml configuration to create a profile in Identity Manager. See the [Profile](../../../../integration-guide/toolkit/xml-configuration/access-control/profile) topic for additional information. +Here is the xml configuration to create a profile in Identity Manager. See the [Profile](../toolkit/xml-configuration/access-control/profile) topic for additional information. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
@@ -20,7 +20,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor
 ## Automatically Assign Profiles
-To automatically assign profiles it is necessary to manipulate the ProfileRuleContext and ProfileRule. See the [Access Control Rule](../../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule) and [Profile Rule Context](../../../../integration-guide/toolkit/xml-configuration/access-control/profilerulecontext) topics for additional information.
+To automatically assign profiles it is necessary to manipulate the ProfileRuleContext and ProfileRule. See the [Access Control Rule](../toolkit/xml-configuration/access-control/accesscontrolrule) and [Profile Rule Context](../toolkit/xml-configuration/access-control/profilerulecontext) topics for additional information.
 Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
@@ -30,7 +30,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor
 ## Configure the Set InternalUserProfiles Task
-The Identity Manager-Set-InternalUserProfiles task is mandatory to automatically assign the profile. The task can be selected from the Job provisioning list. See the [Set Internal User Profiles Task](../../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask) topic for additional information.
+The Identity Manager-Set-InternalUserProfiles task is mandatory to automatically assign the profile. The task can be selected from the Job provisioning list. See the [Set Internal User Profiles Task](../toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask) topic for additional information.
 Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line.
diff --git a/docs/identitymanager/current/integration-guide/profiles-permissions/index.md b/docs/identitymanager/current/integration-guide/profiles-permissions/index.md new file mode 100644 index 0000000000..3eb904ebae --- /dev/null +++ b/docs/identitymanager/current/integration-guide/profiles-permissions/index.md @@ -0,0 +1,9 @@ +--- +title: "Profiles & Permissions" +description: "Profiles & Permissions" +sidebar_position: 200 +--- + +# Profiles & Permissions + +Identity Manager handles its own accesses through permissions grouped into profiles. diff --git a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/permissions.md b/docs/identitymanager/current/integration-guide/profiles-permissions/permissions.md similarity index 99% rename from docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/permissions.md rename to docs/identitymanager/current/integration-guide/profiles-permissions/permissions.md index eb2bdf5c6f..f1280bc00e 100644 --- a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/permissions.md +++ b/docs/identitymanager/current/integration-guide/profiles-permissions/permissions.md @@ -1,4 +1,4 @@ ---- +--- title: "References: Permissions" description: "References: Permissions" sidebar_position: 10 
@@ -323,7 +323,7 @@ Permission to review provisioning corresponding to an access right owned by an o
 :::note In order to receive the notifications, a profile must have the full permission path. Having a (great-)parent permission will not enable notifications for all child entities. :::
-For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a profile to perform manual provisioning with Directory_User as the source entity type, and receive the corresponding notifications. On the contrary, the permission /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning for all entity types, but not receive the corresponding notifications. Each permission can be configured in an access control entry so that the corresponding notification is disabled. See the [Access Control Rule](../../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule)topic for additional information.
+For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a profile to perform manual provisioning with Directory_User as the source entity type, and receive the corresponding notifications. On the contrary, the permission /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning for all entity types, but not receive the corresponding notifications. Each permission can be configured in an access control entry so that the corresponding notification is disabled. See the [Access Control Rule](../toolkit/xml-configuration/access-control/accesscontrolrule)topic for additional information.
 - /Custom/ProvisioningPolicy/ReviewRoles/`{entityType_identifier}`
@@ -334,7 +334,7 @@ The permission's recipient will receive a notification email.
 :::note In order to receive the notifications, a profile must have the full permission path. Having a (great-)parent permission will not enable notifications for all child entities. :::
-For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a profile to perform manual provisioning with Directory_User as the source entity type, and receive the corresponding notifications. On the contrary, the permission /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning for all entity types, but not receive the corresponding notifications. Each permission can be configured in an access control entry so that the corresponding notification is disabled. See the [Access Control Rule](../../../../integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule)topic for additional information.
+For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a profile to perform manual provisioning with Directory_User as the source entity type, and receive the corresponding notifications. On the contrary, the permission /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning for all entity types, but not receive the corresponding notifications. Each permission can be configured in an access control entry so that the corresponding notification is disabled. See the [Access Control Rule](../toolkit/xml-configuration/access-control/accesscontrolrule)topic for additional information.
 - /Custom/Reports/`{reportQuery_identifier}`
@@ -350,7 +350,7 @@ Permission to query and read any resource file changes from the ResourceFileChan - /Custom/ResourceFiles/`{entityType_identifier}`/`{property_identifier}`/View -Permission to query and read any resource files from the ResourceFile table corresponding to the property property_identifier of the entity entityType_identifier, for example the Directory_User photo property. This permission is generated by the [ViewAccessControlRules](../../../../integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules) scaffolding. +Permission to query and read any resource files from the ResourceFile table corresponding to the property property_identifier of the entity entityType_identifier, for example the Directory_User photo property. This permission is generated by the [ViewAccessControlRules](../toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules) scaffolding. - /Custom/ResourceLinkChanges/`{connector_identifier}` diff --git a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/rightsrestriction.md b/docs/identitymanager/current/integration-guide/profiles-permissions/rightsrestriction.md similarity index 89% rename from docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/rightsrestriction.md rename to docs/identitymanager/current/integration-guide/profiles-permissions/rightsrestriction.md index 8ffc68e5e8..4b63a45064 100644 --- a/docs/identitymanager/current/integration-guide/content/integration-guide/profiles-permissions/rightsrestriction.md +++ b/docs/identitymanager/current/integration-guide/profiles-permissions/rightsrestriction.md @@ -1,4 +1,4 @@ ---- +--- title: "Restrict Users' Rights" description: "Restrict Users' Rights" sidebar_position: 30 
@@ -32,7 +32,7 @@ Assign a profile based on users' dimensions by proceeding as follows:
 > > ```
-See the [Dimension](../../../../integration-guide/toolkit/xml-configuration/metadata/dimension) topic for additional information.
+See the [Dimension](../toolkit/xml-configuration/metadata/dimension) topic for additional information.
 2. Write profile rules and profile rule contexts to make the previously created dimensions act as filters in rules meant to assign profiles to users.
@@ -48,7 +48,7 @@ filters in rules meant to assign profiles to users.
 The profile rule context must use a Sub-Binding to define the entity type that contains the dimension information.
-See the [Dimension](../../../../integration-guide/toolkit/xml-configuration/metadata/dimension) topic for additional information.
+See the [Dimension](../toolkit/xml-configuration/metadata/dimension) topic for additional information.
 ## Limit an Entity's Visibility
@@ -64,7 +64,7 @@ Limit an entity's visibility by proceeding as follows:
 > > ```
-See the [Dimension](../../../../integration-guide/toolkit/xml-configuration/metadata/dimension) topic for additional information.
+See the [Dimension](../toolkit/xml-configuration/metadata/dimension) topic for additional information.
 2. Create an access control entity type to list all the properties whose visibility must be restricted, and link them to a visibility group.
@@ -77,7 +77,7 @@ restricted, and link them to a visibility group. > > ``` -As a result, all the properties listed in the access control entity type are hidden from users by default when they have the usual permissions written above. See the [Dimension](../../../../integration-guide/toolkit/xml-configuration/metadata/dimension) topic for additional information. +As a result, all the properties listed in the access control entity type are hidden from users by default when they have the usual permissions written above. See the [Dimension](../toolkit/xml-configuration/metadata/dimension) topic for additional information. To be able to see these properties, a user must have these permissions with a full access. @@ -127,5 +127,5 @@ Limit a profile's permissions by using filters in the access control rule that g > > ``` -See the [Dimension](../../../../integration-guide/toolkit/xml-configuration/metadata/dimension) topic for additional information. +See the [Dimension](../toolkit/xml-configuration/metadata/dimension) topic for additional information. diff --git a/docs/identitymanager/current/integration-guide/role-assignment/assignments-of-entitlements.md b/docs/identitymanager/current/integration-guide/role-assignment/assignments-of-entitlements.md index 96084d39fe..15afa60d6c 100644 --- a/docs/identitymanager/current/integration-guide/role-assignment/assignments-of-entitlements.md +++ b/docs/identitymanager/current/integration-guide/role-assignment/assignments-of-entitlements.md @@ -1,4 +1,4 @@ ---- +--- title: "Entitlement Assignment" description: "Entitlement Assignment" sidebar_position: 10 
@@ -57,7 +57,7 @@ In addition to the workflow state that represents an assignment's progress in th ::: For example, roles exist only in Identity Manager and not in the managed systems, so assigned roles do not have a **provisioning state**, unlike assigned resource types, scalars and navigation, etc. -![**provisioning state** Schema](/images/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) +![**provisioning state** Schema](/images/identitymanager/prov_stateschema_v523.webp) The schema sums up the usual progress of an assignment's **provisioning state**. @@ -84,7 +84,7 @@ Technically speaking, Identity Manager creates entitlements in the managed syste A simple comparison between these two lists defines the **non-conforming assignments**, i.e. the list of all assignments that **do not comply** with the policy. -![**non-conforming assignments**](/images/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) +![**non-conforming assignments**](/images/identitymanager/governance_nonconforming.webp) A **non-conforming** assignment must be reviewed in Identity Manager by a knowledgeable user, and is therefore: diff --git a/docs/identitymanager/current/integration-guide/role-assignment/configureindirectpermissions.md b/docs/identitymanager/current/integration-guide/role-assignment/configureindirectpermissions.md index eb362b3fbb..d451f581b5 100644 --- a/docs/identitymanager/current/integration-guide/role-assignment/configureindirectpermissions.md +++ b/docs/identitymanager/current/integration-guide/role-assignment/configureindirectpermissions.md @@ -1,4 +1,4 @@ ---- +--- title: "Configure Indirect Permissions" description: "Configure Indirect Permissions" sidebar_position: 80 
@@ -34,7 +34,7 @@ After adding this rule to the Configuration, do not forget to deploy the configu
 The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles.
-![Group Membership Schema](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp)
+![Group Membership Schema](/images/identitymanager/indirectpermissionsadexample.webp)
 A running Active Directory instance is required to reproduce these steps yourself.
@@ -47,19 +47,19 @@ Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB``
 Since we have manually edited the Active Directory, we first need to run an AD synchronization job. Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, :
-![Single Role Configuration Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp)
+![Single Role Configuration Example](/images/identitymanager/srconf_5.2.1.webp)
 We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```:
-![Composite Role Configuration](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp)
+![Composite Role Configuration](/images/identitymanager/crconf_5.2.1.webp)
 Then we will also need to add some rules. We first need to add one Navigation Rule for each group to link them with their respective Single Role:
-![Navigation Rule Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp)
+![Navigation Rule Example](/images/identitymanager/navrule_5.2.1.webp)
 And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role:
-![Single Role Rule Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp)
+![Single Role Rule Example](/images/identitymanager/srrule_5.2.1.webp)
 Even if two rules of a kind are needed, only one is pictured. Do not forget the other one.
@@ -71,15 +71,15 @@ The next screenshots were taken after adding the direct assignment directly insi If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```: -![View Permissions Simplified](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp) +![View Permissions Simplified](/images/identitymanager/viewpermissionssimplified_5.2.1.webp) To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear: -![View Permissions Advanced](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp) +![View Permissions Advanced](/images/identitymanager/viewpermissionsadvanced_5.2.1.webp) You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. The ```memberOf``` properties will appear in the list: -![AD Assigned Resource Navigations](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp) +![AD Assigned Resource Navigations](/images/identitymanager/adassignednavigations_5.2.1.webp) ## Configure Indirect Permissions in an Microsoft Entra ID diff --git a/docs/identitymanager/current/integration-guide/role-assignment/evaluate-policy.md b/docs/identitymanager/current/integration-guide/role-assignment/evaluate-policy.md index 554162f7c9..495ca0bea0 100644 --- a/docs/identitymanager/current/integration-guide/role-assignment/evaluate-policy.md +++ b/docs/identitymanager/current/integration-guide/role-assignment/evaluate-policy.md @@ -1,4 +1,4 @@ ---- +--- title: "Evaluate Policy" description: "Evaluate Policy" sidebar_position: 40 
@@ -20,7 +20,7 @@ See the [Risk Management](../../integration-guide/governance/risks) topic for ad
 ## Overview
-![Evaluate Policy Overview](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp)
+![Evaluate Policy Overview](/images/identitymanager/evaluate-policy-1.webp)
 The main responsibility of the Evaluate Policy is to compute, for every fed resource, the set of assignments of entitlements that comply with the assignment policy.
@@ -96,7 +96,7 @@ Before starting, a context rule is applied, giving for the input resource:
 - The dimension values - The time period validity of every assignment computed during this Evaluate Policy iteration
-![Computing Context For Input Resource](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp)
+![Computing Context For Input Resource](/images/identitymanager/enforce-context.webp)
 **Computing expected **role** assignments**
@@ -104,7 +104,7 @@ Before starting, a context rule is applied, giving for the input resource:
 **role** assignments are the output of composite **role** rules and single **role** rules enforcement. The **outcome** of those rules, as assigned composite roles and assigned single roles, is conditioned by the input resource's context. They are the image of the status of trust and privilege granted to a resource-identity.
-![Computing Expected **role** Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp)
+![Computing Expected **role** Assignments](/images/identitymanager/compute-expected-1.webp)
 **Enforcing composite **role** rules**
@@ -135,7 +135,7 @@ Fulfillment is just the **consequence** of the **role** assignment process. See Provisioning-orders-to-be are the output of resource type rules, navigation rules and scalar rules. The **outcome** of those rules, as assigned resource types, assigned resource navigation, and assigned resource scalar is conditioned by the input resource assigned roles, issued during the first expected **role** assignments computation or even earlier. They are the exact image of technical provisioning orders that are to be executed by the agent, after being validated by a knowledgeable user. See the [Resource Type](../../integration-guide/toolkit/xml-configuration/provisioning/resourcetype) topic for additional information. -![Computing Expected Provisioning Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp) +![Computing Expected Provisioning Assignments](/images/identitymanager/compute-expected-2.webp) **Enforcing resource type rules** @@ -171,7 +171,7 @@ Found manual assignments and derogation of resource types with their associated **Step 3 –** **Match **existing assignments** with **expected assignments**** -![Computing Expected Provisioning Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp) +![Computing Expected Provisioning Assignments](/images/identitymanager/compute-find-matching.webp) The **expected assignments** list is now built. 
@@ -197,7 +197,7 @@ The result is a list of really **existing assignments**, without the expired, ca
 **Step 5 –** **Correlation**
-![Computing Expected Provisioning Assignments](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp)
+![Computing Expected Provisioning Assignments](/images/identitymanager/correlation.webp)
 Resource correlation rules are enforced: for every expected assigned resource type, the algorithm looks for a target resource that correlates the **owner**, which is the input resource.
@@ -222,20 +222,20 @@ The workflow state is also analyzed; assignments with Approved (or Cancellation) | Workflow state | Description | | --- | --- | | 0—None | Used for Identity Manager's internal computation | - | 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) | + | 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) | | 2—Requested - Missing Parameters | The assignment has been requested via a workflow, but does not specify at least one required parameter for the **role**. | - | 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | - | 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) | - | 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the **role**. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) | - | 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) | + | 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. 
![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) | + | 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/4_requested_v603.webp) | + | 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the **role**. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/5_calculatedmissingparameters_v603.webp) | + | 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/8_pendingapproval_v603.webp) | | 9—Pending Approval 1 of 2 | The assignment is pending the first approval on a two-step workflow. | | 10—Pending Approval 2 of 2 | The assignment is pending the second approval on a two-step workflow. | | 11—Pending Approval 1 of 3 | The assignment is pending the first approval on a three-step workflow. | | 12—Pending Approval 2 of 3 | The assignment is pending the second approval on a three-step workflow. | | 13—Pending Approval 3 of 3 | The assignment is pending the third approval on a three-step workflow. | - | 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) | + | 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/16_approved_v603.webp) | | 17—Declined | The assignment is explicitly declined during one of the approval steps. | - | 20—Cancellation | The assignment is **inferred** by a **role** that was declined. 
![Workflow State: Cancellation](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) | + | 20—Cancellation | The assignment is **inferred** by a **role** that was declined. ![Workflow State: Cancellation](/images/identitymanager/20_cancellation_v603.webp) | **Step 7 –** **Delta** diff --git a/docs/identitymanager/current/integration-guide/role-assignment/existingassignmentsdeduction.md b/docs/identitymanager/current/integration-guide/role-assignment/existingassignmentsdeduction.md index ddc3691cdc..e1c4404a24 100644 --- a/docs/identitymanager/current/integration-guide/role-assignment/existingassignmentsdeduction.md +++ b/docs/identitymanager/current/integration-guide/role-assignment/existingassignmentsdeduction.md @@ -1,4 +1,4 @@ ---- +--- title: "Existing Assignments" description: "Existing Assignments" sidebar_position: 100 @@ -30,7 +30,7 @@ This first use case involves a common role model situation: one single role repr Let's study this use case with an example: a single role _Internet_ is linked to an Active Directory group _Internet_ through a navigation rule `N`. -![use_case_1_rolemodel](/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp) +![use_case_1_rolemodel](/images/identitymanager/use_case_1_rolemodel.webp) We are going to consider here an identity named John Doe, and his Active Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com). @@ -56,7 +56,7 @@ Identity Manager performs the first synchronization and tries to correlate acco The situation in Identity Manager database at this point is the following. -![use_case_1_sync](/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp) +![use_case_1_sync](/images/identitymanager/use_case_1_sync.webp) Integrators have defined the Internet single role and linked it to the _Internet_ AD group through the navigation rule `N`. 
@@ -64,7 +64,7 @@ Now, the Compute Role Model task "studies" the role model: the only rule that as
 The role is now listed under John Doe's assignment list (permissions) in Identity Manager.
-![use_case_1_deduction](/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp)
+![use_case_1_deduction](/images/identitymanager/use_case_1_deduction.webp)
 ## Use Case 2: Several Groups, One Role
diff --git a/docs/identitymanager/current/integration-guide/role-assignment/generate-contexts.md b/docs/identitymanager/current/integration-guide/role-assignment/generate-contexts.md
index 9d57f6b134..551c9c2dcf 100644
--- a/docs/identitymanager/current/integration-guide/role-assignment/generate-contexts.md
+++ b/docs/identitymanager/current/integration-guide/role-assignment/generate-contexts.md
@@ -1,4 +1,4 @@
----
+---
 title: "Generate Contexts"
 description: "Generate Contexts"
 sidebar_position: 50
@@ -69,11 +69,11 @@ The configuration above binds the position to the contract end date, meaning tha
 The following image shows the positions of `Mark Barn` in a defined timeline.
-![simple-recordsection-identity](/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp)
+![simple-recordsection-identity](/images/identitymanager/simple-recordsection-identity.webp)
 With the given configuration and the identity of `Mark Barn`, the following contexts are generated:
-![simple-recordsection-result](/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp)
+![simple-recordsection-result](/images/identitymanager/simple-recordsection-result.webp)
 Each computed context will be used to create a set of dimension-value pairs, thus having 3 sets for the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm.
@@ -109,7 +109,7 @@ The `ExtensionKind="None"` was removed for the `Location` property.
 Using the identity of `Mark Barn` the computed contexts should be as followed:
-![recordsection-withvaluecopy-result1](/images/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp)
+![recordsection-withvaluecopy-result1](/images/identitymanager/recordsection-withvaluecopy-result1.webp)
 Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `Cs` to `Ce`.
@@ -128,11 +128,11 @@ The property value copy can be leveraged to extend a chosen position when for so
 ````
-![positionextension-identity](/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp)
+![positionextension-identity](/images/identitymanager/positionextension-identity.webp)
 Two contexts will be generated.
-![positionextension-result](/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp)
+![positionextension-result](/images/identitymanager/positionextension-result.webp)
 By default, the previous position is extended when there is a gap. If there isn't any previous position then the next position will be anticipated.
diff --git a/docs/identitymanager/current/integration-guide/role-assignment/how-tos/configureindirectpermissions.md b/docs/identitymanager/current/integration-guide/role-assignment/how-tos/configureindirectpermissions.md
index 60eb63cb41..a26568f422 100644
--- a/docs/identitymanager/current/integration-guide/role-assignment/how-tos/configureindirectpermissions.md
+++ b/docs/identitymanager/current/integration-guide/role-assignment/how-tos/configureindirectpermissions.md
@@ -1,4 +1,4 @@
-# Configure Indirect Permissions
+# Configure Indirect Permissions
 The following how-to assumes that you have already read the topic on [Indirect Permissions](../../../integration-guide/role-assignment/indirectpermissions).
@@ -28,7 +28,7 @@ After adding this rule to the Configuration, do not forget to deploy the configu
 The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles.
-![Group Membership Schema](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp)
+![Group Membership Schema](/images/identitymanager/indirectpermissionsadexample.webp)
 A running Active Directory instance is required to reproduce these steps yourself.
@@ -41,19 +41,19 @@ Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB``
 Since we have manually edited the Active Directory, we first need to run an AD synchronization job. Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, :
-![Single Role Configuration Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp)
+![Single Role Configuration Example](/images/identitymanager/srconf_5.2.1.webp)
 We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```:
-![Composite Role Configuration](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp)
+![Composite Role Configuration](/images/identitymanager/crconf_5.2.1.webp)
 Then we will also need to add some rules. We first need to add one Navigation Rule for each group to link them with their respective Single Role:
-![Navigation Rule Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp)
+![Navigation Rule Example](/images/identitymanager/navrule_5.2.1.webp)
 And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role:
-![Single Role Rule Example](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp)
+![Single Role Rule Example](/images/identitymanager/srrule_5.2.1.webp)
 Even if two rules of a kind are needed, only one is pictured. Do not forget the other one.
@@ -65,15 +65,15 @@ The next screenshots were taken after adding the direct assignment directly insi
 If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```:
-![View Permissions Simplified](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp)
+![View Permissions Simplified](/images/identitymanager/viewpermissionssimplified_5.2.1.webp)
 To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear:
-![View Permissions Advanced](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp)
+![View Permissions Advanced](/images/identitymanager/viewpermissionsadvanced_5.2.1.webp)
 You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. The ```memberOf``` properties will appear in the list:
-![AD Assigned Resource Navigations](/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp)
+![AD Assigned Resource Navigations](/images/identitymanager/adassignednavigations_5.2.1.webp)
 ## Configure Indirect Permissions in an Microsoft Entra ID
diff --git a/docs/identitymanager/current/integration-guide/role-assignment/indirectpermissions.md b/docs/identitymanager/current/integration-guide/role-assignment/indirectpermissions.md
index 9080a74e87..5d1a49b73c 100644
--- a/docs/identitymanager/current/integration-guide/role-assignment/indirectpermissions.md
+++ b/docs/identitymanager/current/integration-guide/role-assignment/indirectpermissions.md
@@ -1,4 +1,4 @@
----
+---
 title: "Indirect Permissions"
 description: "Indirect Permissions"
 sidebar_position: 120
@@ -61,7 +61,7 @@ Currently, Indirect Permissions are only displayed and found in the users' `View Although Indirect Permissions are marked as `Non-conforming`, they can be neither approved nor deleted. They also won't appear in Access certification campaigns. Indirect Permissions are always indicated by the following icon: -![Indirect Permission Icon](/images/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp) +![Indirect Permission Icon](/images/identitymanager/ic_fluent_flow_20_regular.webp) ## Disabling the Indirect Permission Computation diff --git a/docs/identitymanager/current/integration-guide/role-assignment/role-model-rules.md b/docs/identitymanager/current/integration-guide/role-assignment/role-model-rules.md index 5637e07218..ce370a494a 100644 --- a/docs/identitymanager/current/integration-guide/role-assignment/role-model-rules.md +++ b/docs/identitymanager/current/integration-guide/role-assignment/role-model-rules.md @@ -1,4 +1,4 @@ ---- +--- title: "Assignment Policy" description: "Assignment Policy" sidebar_position: 30 @@ -159,7 +159,7 @@ provisioned to materialize `SRa`. This series of steps is actually a very simplified version of the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm. -![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp) +![Cascading From Dimensions To Roles To Provisioning Orders](/images/identitymanager/enforce-assignment-policy-summary.webp) **---** diff --git a/docs/identitymanager/current/integration-guide/role-mining.md b/docs/identitymanager/current/integration-guide/role-mining.md index 90990a19b9..13407f638f 100644 --- a/docs/identitymanager/current/integration-guide/role-mining.md +++ b/docs/identitymanager/current/integration-guide/role-mining.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Role Mining" description: "Role Mining" sidebar_position: 100 @@ -22,7 +22,7 @@ After the role catalog is established, the [Compute Role Model Task](../integrat Now that users received their roles, the role mining tool can analyze these assignments and deduce [Single Role Rule](../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) which will assign single roles to certain users matching given criteria. -![Schema - Role Mining](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_schema.webp) Role mining is a Machine Learning process. It is a statistic tool used to emphasize the dimensions that constitute the key criteria for existing role assignments. See the [Conforming Assignments](../integration-guide/role-assignment/conformingassignmentcomputation)topic for additional information. It detects the most probable links between identities dimensions and their roles in order to suggest the appropriate entitlement assignment rules. @@ -45,7 +45,7 @@ Mining rules can be configured to generate: 2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an entitlement request for a user. - ![Suggested](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + ![Suggested](/images/identitymanager/rolemining_suggested_v602.webp) You can generate both automatic and suggested rules for the same role, with different precision levels and different approval workflows. 
@@ -54,11 +54,11 @@ You can generate both automatic and suggested rules for the same role, with diff > above 95% and a second mining rule to generate suggested assignment rules when the ratio is > between 75% and 95%. > -> ![Rule Types](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) +> ![Rule Types](/images/identitymanager/rolemining_ruletype.webp) You can also differentiate entitlements according to their sensitivity, for example require additional reviews following the request of a sensitive entitlement: -![Rule Types - Sensitivity](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) +![Rule Types - Sensitivity](/images/identitymanager/rolemining_ruletype-sensitivity.webp) The automation of entitlement assignments according to sensitivity brings greater confidence in basic entitlements assignment which won't need to be certified anymore. Thus, automation lets certification campaigns focus on more sensitive entitlements. 
@@ -68,23 +68,23 @@ Role mining should be performed first for automatic rules as they are stricter p Consider that all users from a given organization have a given role. Then role mining will create a single role rule to assign automatically this role to any user of this organization. Then users' entitlements remain unchanged: -![Impact Example - Use Case 1](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp) +![Impact Example - Use Case 1](/images/identitymanager/rolemining_impact_usecase1.webp) Now consider that half of users in the organization have the role. Then role mining will not generate a role assignment rule. Then users' entitlements remain unchanged: -![Impact Example - Use Case 2](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp) +![Impact Example - Use Case 2](/images/identitymanager/rolemining_impact_usecase2.webp) Starting from the previous example, consider now that users progressively request the role. As long as the ratio is below a given threshold, then role mining will not generate a role assignment rule. Then users' entitlements remain unchanged: -![Impact Example - Use Case 3](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp) +![Impact Example - Use Case 3](/images/identitymanager/rolemining_impact_usecase3.webp) Starting from the previous example, consider now that users continue requesting the role. As soon as the ratio is above the threshold, then role mining will create a single role rule to assign automatically this role to any user in the organization. 
Then a few users are going to get the entitlement: -![Impact Example - Use Case 4](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp) +![Impact Example - Use Case 4](/images/identitymanager/rolemining_impact_usecase4.webp) Starting from the previous example, consider now that, as a result of a reorganization or an access certification for example, some users do not have the role anymore. If the ratio is below the threshold, then role mining will remove the single role rule. If the role (or its policy) is configured with a grace period, users who need the role will not lose it. Then users' entitlements remain unchanged: -![Impact Example - Use Case 5](/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp) +![Impact Example - Use Case 5](/images/identitymanager/rolemining_impact_usecase5.webp) ## Perform Role Mining @@ -96,11 +96,11 @@ Be aware that you can configure the [Get Role Mining Task](../integration-guide/ Simulating the results of role mining allows a knowledgeable user to analyze the impact of role mining on the role model, before applying them. -![Schema - Role Mining](/images/identitymanager/integration-guide/role-mining/rolemining_simulation.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_simulation.webp) The simulation tool gives another point of view on the role model as it emphasizes the changes. -![Schema - Role Mining](/images/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_simulationresults.webp) Identity Manager recommends simulating role mining before applying the results. diff --git a/docs/identitymanager/current/integration-guide/role-model/role-model-rules.md b/docs/identitymanager/current/integration-guide/role-model/role-model-rules.md index 9fbe91c688..ff0622f496 100644 --- a/docs/identitymanager/current/integration-guide/role-model/role-model-rules.md 
+++ b/docs/identitymanager/current/integration-guide/role-model/role-model-rules.md @@ -1,4 +1,4 @@ -# Assignment Policy +# Assignment Policy The assignment policy is the set of rules enforced on the resources to compute automatic assignments and risks. It contains the role model and risks definition. @@ -153,7 +153,7 @@ provisioned to materialize `SRa`. This series of steps is actually a very simplified version of the [Evaluate Policy](../../integration-guide/role-assignment/evaluate-policy) algorithm. -![Cascading From **dimensions** To Roles To Provisioning Orders](/images/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp) +![Cascading From **dimensions** To Roles To Provisioning Orders](/images/identitymanager/enforce-assignment-policy-summary.webp) **---** diff --git a/docs/identitymanager/current/integration-guide/synchronization/upward-data-sync.md b/docs/identitymanager/current/integration-guide/synchronization/upward-data-sync.md index eac8146363..e404d7cdf6 100644 --- a/docs/identitymanager/current/integration-guide/synchronization/upward-data-sync.md +++ b/docs/identitymanager/current/integration-guide/synchronization/upward-data-sync.md @@ -1,4 +1,4 @@ ---- +--- title: "Upward Data Synchronization" description: "Upward Data Synchronization" sidebar_position: 10 
@@ -118,7 +118,7 @@ Exporting data from an Active Directory can be achieved by using the [Export Tas The Tasks requests from the source Active Directory all entries that match a configured filter. It outputs a set of _CSV source files_, containing raw AD Entries data (`ad_entries.csv`), information about group membership (`ad_members.csv`) and about the hierarchical organization (`ad_managers.csv`). -![Active Directory Export Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp) +![Active Directory Export Example](/images/identitymanager/ad_export_example.webp) `ad_entries.csv` contains raw AD entry data. @@ -220,7 +220,7 @@ Of course, any notification of a _complete__Prepare-Synchronization_ would cance The following illustration models the complete _prepare-synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations: _members_ and _manager_. -![Active Directory Prepare-Synchronization Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) +![Active Directory Prepare-Synchronization Example](/images/identitymanager/ad_preparesynchro_example.webp) ## Synchro @@ -281,7 +281,7 @@ Then, changes according to the _command_ column are applied to UR_Resources and This example illustrates the _complete_ loading of Active Directory ```.sorted``` files into Identity Manager database. -![Active Directory Synchronization Example](/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp) +![Active Directory Synchronization Example](/images/identitymanager/ad_synchro_example.webp) ## Handling Errors diff --git a/docs/identitymanager/current/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md b/docs/identitymanager/current/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md index ba3e14b633..afc5e21aa6 100644 
--- a/docs/identitymanager/current/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md +++ b/docs/identitymanager/current/integration-guide/tasks-jobs/troubleshoot-connector-jobs.md @@ -1,4 +1,4 @@ ---- +--- title: "Troubleshoot Connector Jobs" description: "Troubleshoot Connector Jobs" sidebar_position: 50 @@ -12,7 +12,7 @@ This guide helps understand the behavior of synchronization and provisioning tas A managed system is synchronized and provisioned to/from Identity Manager with the following task sequence: -![Synchronization/Provisioning Schema](/images/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp) +![Synchronization/Provisioning Schema](/images/identitymanager/troubleshoot_synchroprovschema.webp) ### Export data diff --git a/docs/identitymanager/current/integration-guide/toolkit/deploy-configuration.md b/docs/identitymanager/current/integration-guide/toolkit/deploy-configuration.md index e4c20e9fae..a8f58938eb 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/deploy-configuration.md +++ b/docs/identitymanager/current/integration-guide/toolkit/deploy-configuration.md @@ -1,4 +1,4 @@ ---- +--- title: "Deploy the Configuration" description: "Deploy the Configuration" sidebar_position: 90 @@ -72,7 +72,7 @@ However, if, since then, there has been a change in the identity deploying/expor 2. Log in to the IDP to be redirected back to this screen: - ![Usercube-Login.exe Success Screen](/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp) Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes. 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/export-configuration.md b/docs/identitymanager/current/integration-guide/toolkit/export-configuration.md index e8b247f94f..1748b67fb4 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/export-configuration.md +++ b/docs/identitymanager/current/integration-guide/toolkit/export-configuration.md @@ -1,4 +1,4 @@ ---- +--- title: "Export the Configuration" description: "Export the Configuration" sidebar_position: 100 @@ -72,7 +72,7 @@ However, if, since then, there has been a change in the identity deploying/expor 2. Log in to the IDP to be redirected back to this screen: - ![Usercube-Login.exe Success Screen](/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp) Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes. diff --git a/docs/identitymanager/current/integration-guide/toolkit/expressions/index.md b/docs/identitymanager/current/integration-guide/toolkit/expressions/index.md index 636926965a..eb6bbbbf68 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/expressions/index.md +++ b/docs/identitymanager/current/integration-guide/toolkit/expressions/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Expressions" description: "Expressions" sidebar_position: 40 
@@ -27,15 +27,15 @@ In the UI, the attributes that can be defined with an expression show two fields For example, the source object of a scalar rule based on user records is displayed: -![Property Path and Expression](/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp) +![Property Path and Expression](/images/identitymanager/expression-propertypath_v602.webp) The field Property Path is usually filled in with the + button only when the rule involves one single attribute. If the object involves more than one attribute, then the attributes are to be written in Expression (C#), with the help of predefined simple transformations. See the [Predefined functions](../../../integration-guide/toolkit/expressions/predefined-functions.md) topic for additional information. The first example defines the source object as simply the user record's Login property, while the second defines the source object with an expression based on the user record's first and last names: -![Property Path Example](/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp) +![Property Path Example](/images/identitymanager/expression-propertypath-example1_v602.webp) -![Expression Example](/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp) +![Expression Example](/images/identitymanager/expression-propertypath-example2_v602.webp) ### Expressions in XML @@ -138,7 +138,7 @@ C#:resource:logger.LogDebug("Name={0}", resource.Name); return resource.Name; ### White list -The following .NET libraries from the white list can be used. +The following .NET libraries from the white list can be used in C# expressions and [Razor notification templates](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate). **Authorized Namespaces** 
@@ -191,7 +191,7 @@ Beyond the authorized classes, the following methods can be used: Trying to use code from outside this white list would yield the following error during computation: -`the Method Name : ... Parent Class : ... NameSpace : ... used are not authorized` +`The C# method named ... is not authorized. Please refer to the documentation for a list of authorized methods.` Method ... cannot be called with entities as arguments. @@ -245,6 +245,19 @@ However, here is a whitelist of methods that can be called with these kinds of a - `System.Linq.Enumerable.ToHashSet()` - `System.Collections.Generic.List.ToArray()` +### Razor template white list + +[Razor notification templates](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) share the same white list as C# expressions, with the following additions: + +**Additional authorized classes:** + +- `System.TimeZoneInfo` +- `Usercube.Notification.Templating.Entities.HtmlHelper` + +**Additional authorized methods:** + +- `System.DateTime.ToLocalTime` + ## Literal Expression To avoid the use of a C# expression when the parameter is not needed, simple literal values can be written as literal expressions according to the following rules: diff --git a/docs/identitymanager/current/integration-guide/toolkit/how-tos/deploy-configuration.md b/docs/identitymanager/current/integration-guide/toolkit/how-tos/deploy-configuration.md index 8dbddb107d..99e1c9f899 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/how-tos/deploy-configuration.md +++ b/docs/identitymanager/current/integration-guide/toolkit/how-tos/deploy-configuration.md @@ -1,4 +1,4 @@ -# Identity Manager Deploy the Configuration +# Identity Manager Deploy the Configuration This guide shows how to deploy the XML configuration, in order to build and use the Identity Manager application. 
@@ -66,7 +66,7 @@ However, if, since then, there has been a change in the identity deploying/expor 2. Log in to the IDP to be redirected back to this screen: - ![Usercube-Login.exe Success Screen](/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp) Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes. diff --git a/docs/identitymanager/current/integration-guide/toolkit/how-tos/export-configuration.md b/docs/identitymanager/current/integration-guide/toolkit/how-tos/export-configuration.md index 644cac0440..9dad7820cf 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/how-tos/export-configuration.md +++ b/docs/identitymanager/current/integration-guide/toolkit/how-tos/export-configuration.md @@ -1,4 +1,4 @@ -# Export the Configuration +# Export the Configuration This guide shows how to export the configuration as XML files to a given folder. @@ -68,7 +68,7 @@ However, if, since then, there has been a change in the identity deploying/expor 2. Log in to the IDP to be redirected back to this screen: - ![Usercube-Login.exe Success Screen](/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + ![Usercube-Login.exe Success Screen](/images/identitymanager/identitymanager-login_success_v602.webp) Once authenticated, an identification token is stored on your local machine for the authentication to Identity Manager's deployment and export processes. diff --git a/docs/identitymanager/current/integration-guide/toolkit/index.md b/docs/identitymanager/current/integration-guide/toolkit/index.md index 04301a10e9..b91b323024 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/index.md 
+++ b/docs/identitymanager/current/integration-guide/toolkit/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Toolkit for XML Configuration" description: "Toolkit for XML Configuration" sidebar_position: 210 @@ -14,5 +14,5 @@ The [Deploy Configuration Task](../../integration-guide/toolkit/xml-configuratio The Identity Manager project's integration cycle consists in developing a configuration by successive imports in a test instance. -![Integration cycle](/images/identitymanager/integration-guide/toolkit/configurationcycle.webp) +![Integration cycle](/images/identitymanager/configurationcycle.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/recommendations.md b/docs/identitymanager/current/integration-guide/toolkit/recommendations.md index 91bc25d158..78621f7e6c 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/recommendations.md +++ b/docs/identitymanager/current/integration-guide/toolkit/recommendations.md @@ -1,4 +1,4 @@ ---- +--- title: "Recommendations" description: "Recommendations" sidebar_position: 10 @@ -27,7 +27,7 @@ features. RedHat's XML extension provides auto-completion based on an XSD file. It opens an auto-completion popup when you start to edit an element or attribute name. You can open the popup by typing `Ctrl-Space`. -![Auto-complete](/images/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp) +![Auto-complete](/images/identitymanager/autocomplete.webp) Configure auto-completion by proceeding as follows: @@ -62,4 +62,4 @@ EntityAssociations and their mappings. - **_Jobs.xml_** file containing the jobs configuration. - **_Workflows.xml_** file containing the Workflows configuration for the given connector. -![Recommendation](/images/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp) +![Recommendation](/images/identitymanager/recommendation.webp) 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification/AccessCertificationItemReviewer.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification/AccessCertificationItemReviewer.md
new file mode 100644
index 0000000000..a9286dc707
--- /dev/null
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-certification/AccessCertificationItemReviewer.md
@@ -0,0 +1,15 @@
+---
+title: "AccessCertificationItemReviewer"
+description: ""
+sidebar_position: 3
+---
+
+Junction table associating certification items with their reviewers when a campaign uses multi-reviewer mode.
+
+## Properties
+
+|Property|Details|
+|---|---|
+| Campaign required | **Type:** Int64 **Description:** Identifier of the campaign the item belongs to. Denormalized for query performance. |
+| Item required | **Type:** Int64 **Description:** Identifier of the certification item being reviewed. |
+| Reviewer required | **Type:** Int64 **Description:** Identifier of the resource acting as reviewer for this item. |
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md
index 831d586633..9966b77346 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule.md
@@ -1,4 +1,4 @@
----
+---
 title: "AccessControlRule"
 description: ""
 sidebar_position: 3
@@ -65,7 +65,7 @@ This condition is actually a comparison expression between two elements: 1. the value of a property which is originating from an entity targeted by the rule; 2. a comparison value that can be constant, or originating from the user profile. -![Access Control Filter Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp) +![Access Control Filter Schema](/images/identitymanager/accesscontrolfilter_schema.webp) ### Examples @@ -120,7 +120,7 @@ Technically speaking, the filter here says that the rule's permissions apply onl ::: > For example, Timothy Callahan is here assigned the `Manager` profile with the `Department` dimension set to `Treasury/Chief Economist`. -> ![Matching Assigned Profile](/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp) +> ![Matching Assigned Profile](/images/identitymanager/assignedprofile_example_v603.webp) > Thus, with the previous access control rule, Timothy Callahan will get certain permissions on users whose main department is `Treasury/Chief Economist`. The following example gives to the `RoleOfficerByCategory` profile certain permissions on assigned single roles, but only concerning the roles of a category assigned to the current user. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md index a6892eed0c..d41238983c 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/business-intelligence/universe.md @@ -1,4 +1,4 @@ ---- +--- title: "Universe" description: "" sidebar_position: 1 
@@ -23,10 +23,10 @@ The following example builds a universe called `Universe1`: ``` -![Universe - Basic Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp) +![Universe - Basic Example](/images/identitymanager/bi_universeexampledisplaynames.webp) When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: -![Universe (Display Names)](/images/identitymanager/integration-guide/datamodel/Universe_columnNameDisplayName.webp) +![Universe (Display Names)](/images/identitymanager/universe_columnnamedisplayname.webp) ##### Basic universe with identifiers instead of display names @@ -43,10 +43,10 @@ The following example builds a universe called `Universe1` with identifiers as l </Universe> ``` -![Universe - Basic Example](/images/identitymanager/integration-guide/datamodel/BI_universeExample.webp) +![Universe - Basic Example](/images/identitymanager/bi_universeexample.webp) When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: -![Universe (Identifiers)](/images/identitymanager/integration-guide/datamodel/Universe_columnNameIdentifier.webp) +![Universe (Identifiers)](/images/identitymanager/universe_columnnameidentifier.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md index 8d753bbd62..9c29cf61ae 100644 
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "AccessReviewAdministrationAccessControlRules" description: "Generates the permissions to administrate campaign creation." sidebar_position: 1 @@ -8,7 +8,7 @@ Scaffolding to generate the rights to administrate campaign creation. Gives access to a shortcut on the dashboard to access this page. -![Access Certification Campaigns](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) +![Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md index 7ab2c5ed48..c148f88daa 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "JobAdministrationAccessControlRules" description: "Scaffolding to access the job administration page." sidebar_position: 2 
@@ -6,7 +6,7 @@ sidebar_position: 2 Scaffolding to access the job administration page. This page is accessible from the administration part in dashboard of the user interface. -![Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) +![Job Execution](/images/identitymanager/home_jobexecution_v602.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md index bdd50933ae..8c6531906b 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "AssignProfileAccessControlRules" description: "Gives to a given profile the rights to create, update, delete and query any assigned profile." sidebar_position: 1 @@ -6,7 +6,7 @@ sidebar_position: 1 Gives to a given profile the rights to create, update, delete and query any assigned profile, from the **Assigned Profiles** screen. -![Assigned Profiles](/images/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) +![Assigned Profiles](/images/identitymanager/home_assignedprofiles_v602.webp) 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md index 2b2d2034df..117c8a6d6a 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ProfileAdministrationAccessControlRules" description: "Gives to a given profile the rights to create, update and delete profiles." sidebar_position: 3 @@ -8,9 +8,9 @@ Gives to a given profile the rights to create, update and delete profiles. Profiles are listed on the **Profiles** screen, from **Settings** in the **Configuration** section. -![Settings](/images/identitymanager/buttons/Home_settings_V523.webp) +![Settings](/images/identitymanager/home_settings_v523.webp) -![Profiles](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/AccessControl_Profiles_V603.webp) +![Profiles](/images/identitymanager/AccessControl_Profiles_V603.webp) [See more details on profiles' APIs](/docs/identitymanager/current/integration-guide/api/server/accesscontrol). diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md index ffde89d64f..8cfac39c41 100644 
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ReportAccessControlRules" description: "Generates the permissions to access the report view." sidebar_position: 2 @@ -8,7 +8,7 @@ Generates the rights to access the report view. Gives access to a shortcut on the navigation to access this page. -![Reports](/images/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) +![Reports](/images/identitymanager/home_reports_v602.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md index 3c82ec5ede..928ead9fe2 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "GovernanceRolesAccessControlRules" description: "Generates the permissions to access the governance review pages for a given entity type and profile." sidebar_position: 7 
@@ -8,7 +8,7 @@ Generates the rights to access the role review pages for a given entity type and Gives access to a shortcut on the dashboard to access this page. -![Role Review](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) +![Role Review](/images/identitymanager/home_rolereview_v523.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md index b5084515f3..f147bf9c3f 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "PerformManualProvisioningAccessControlRules" description: "Generates the permissions to access the manual provisioning pages for a given entity type and profile." sidebar_position: 8 
@@ -8,7 +8,7 @@ Generates the rights to access the access manual provisioning pages for a given Gives access to a shortcut on the dashboard to access this page. -![Manual Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) +![Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp) :::warning The connector connected to the entity type must have the manual type as the provisioning type, otherwise the information of the entity type cannot be displayed on this screen. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md index a95837ec97..246a2b674c 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ReconciliateResourcesAccessControlRules" description: "Generates the permissions to access the resource reconciliation pages for a given entity type and profile." sidebar_position: 9 @@ -10,7 +10,7 @@ Gives access to a shortcut on the dashboard to access this page. Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the EntityType to be filled in the Scaffolding. -![Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) +![Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md index 6129f9e9df..b25b65b863 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ReconciliateRolesAccessControlRules" description: "Generates the permissions to access the role reconciliation pages for a given entity type and profile." sidebar_position: 10 @@ -8,7 +8,7 @@ Generates the rights to access the access reconcile roles pages for a given enti Gives access to a shortcut on the dashboard to access this page. -![Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) +![Role Reconciliation](/images/identitymanager/home_rolereconciliation_v523.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md index 42eb0bb997..a489166ad9 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md 
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule.md @@ -1,4 +1,4 @@ ---- +--- title: "RedundantAssignmentAccessControlRule" description: "Generates the permissions to access the **Redundant Assignment** page, to analyze and remove redundant assignments." sidebar_position: 11 @@ -8,7 +8,7 @@ Generates the permissions to access the **Redundant Assignment** page, to analyz Gives access to a shortcut on the dashboard to access this page. -![Redundant Assignments](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) +![Redundant Assignments](/images/identitymanager/home_redundantassignments_v602.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md index 7cc8d6a329..e948707db2 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ReviewProvisioningAccessControlRules" description: "Generates the permissions to access the provisioning review pages for a given entity type and profile." sidebar_position: 12 
@@ -9,7 +9,7 @@ Also create the rights to view the TargetEntityTypes of all ResourceTypes whose Gives access to a shortcut on the dashboard to access this page. -![Provisioning Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) +![Provisioning Review](/images/identitymanager/home_provisioningreview_v523.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md index d769106b04..d21cc923e9 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ReviewRolesAccessControlRules" description: "Generates the permissions to access the role review pages for a given entity type and profile." sidebar_position: 13 @@ -8,7 +8,7 @@ Generates the rights to access the access roles review pages for a given entity Gives access to a shortcut on the dashboard to access this page. -![Role Review](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) +![Role Review](/images/identitymanager/home_rolereview_v523.webp) 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md index 0644f59a85..f949beb970 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "RoleAdministrationAccessControlRules" description: "Generates the permissions to access the configuration pages and create, update, delete the elements of the role model." sidebar_position: 15 @@ -21,7 +21,7 @@ Generates the rights to access the access configuration pages and create, update Gives access to a shortcut on the dashboard to access this page. -![Configuration Section](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp) +![Configuration Section](/images/identitymanager/home_configuration_v603.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md index efef6c52fe..c6b698e3ae 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md 
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts.md @@ -1,4 +1,4 @@ ---- +--- title: "ManageAccounts" description: " " sidebar_position: 1 @@ -6,7 +6,7 @@ sidebar_position: 1 Gives access to the **Manage Accounts** buttons for the users of a given entity type. -![ManageAccounts Button](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp) +![ManageAccounts Button](/images/identitymanager/accesscontrol_manageaccounts_v603.webp) :::note The scaffolding gives access to the button, but you need to get the permissions on said accounts in order to see anything once you click on the button. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md index 80a05d015e..a43cff2805 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowAccessControlRules" description: "Generates the permissions to access the task page and visualize the workflows to be executed for a given entity type and profile." sidebar_position: 3 
@@ -8,9 +8,9 @@ Generates the rights to access the task page and visualize the different workflo Gives access to a shortcut on the dashboard and on the top bar to access this page. -Top bar shortcut: ![Tasks in Top Bar](/images/identitymanager/buttons/Home_topBar_V601.webp) +Top bar shortcut: ![Tasks in Top Bar](/images/identitymanager/home_topbar_v601.webp) -DashBoard shortcut: ![](/images/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) +DashBoard shortcut: ![](/images/identitymanager/home_topbar_v601.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md index 3d10c1cd92..d195a980f7 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowOverviewControlRules" description: "Generates the permissions to access the workflow supervision page." sidebar_position: 6 @@ -8,7 +8,7 @@ Generates the rights to access the workflow supervision page. Gives access to a shortcut on the dashboard to access this page. -![Workflow Overview](/images/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) +![Workflow Overview](/images/identitymanager/home_workflowoverview_v602.webp) 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md index b57eed3541..2b0cbbc4a4 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings.md @@ -1,4 +1,4 @@ ---- +--- title: "ConnectorMappings" description: "Generates the mapping of an entity in a given connector." sidebar_position: 1 @@ -58,7 +58,7 @@ The following example generates a universe `U8_Users` based on the entity type ` ``` When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: -![Universe (ExcludedProperty)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) +![Universe (ExcludedProperty)](/images/identitymanager/universe_excluded.webp) ### MappingPath diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md index 96c3428524..6db10ef744 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel.md 
@@ -1,4 +1,4 @@ ---- +--- title: "UniverseDataModel" description: "Creates, within a universe, entity instances and association instances based on a predefined template." sidebar_position: 2 @@ -49,7 +49,7 @@ The following example generates a universe `U8_Users` based on the entity type ` ``` When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: -![Universe (ExcludedProperty)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) +![Universe (ExcludedProperty)](/images/identitymanager/universe_excluded.webp) ### RootInstance @@ -67,10 +67,10 @@ The following example generates a universe `U2_UserRecords` based on the entity ``` -![Universe (RootInstance)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) +![Universe (RootInstance)](/images/identitymanager/Universe_rootInstance.webp) When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: -![Universe (RootInstance)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_rootInstance.webp) +![Universe (RootInstance)](/images/identitymanager/Universe_rootInstance.webp) #### RootInstance for several scaffoldings together 
@@ -85,10 +85,10 @@ A universe can be made of several scaffoldings which need to be grouped together
 <UniverseDataModel Universe="U3_UserRecords" EntityType="Directory_UserRecord" />
 ```
-![Universe Schema (Several Scaffoldings with Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalDuplicationSchema.webp)
+![Universe Schema (Several Scaffoldings with Data Duplication)](/images/identitymanager/Universe_severalDuplicationSchema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (Several Scaffoldings with Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalDuplication.webp)
+![Universe (Several Scaffoldings with Data Duplication)](/images/identitymanager/Universe_severalDuplication.webp)
 We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity instances. **The following example** generates a better version of the universe `U3_UserRecords` based on the entity types `Directory_User` and `Directory_UserRecord`, renaming `Directory_UserRecord` as `Directory_User_Records` to follow the naming rule, thus building the universe model with `Directory_User` as the core entity instance:
@@ -101,10 +101,10 @@ We see that `Directory_User_Records` and `Directory_UserRecords` represent the s
 </UniverseDataModel>
 ```
-![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalNoDuplicationSchema.webp)
+![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/Universe_severalNoDuplicationSchema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalNoDuplication.webp)
+![Universe (Several Scaffoldings without Data Duplication)](/images/identitymanager/Universe_severalNoDuplication.webp)
 Thus we removed the duplicated data, and we understand easily the navigations of the model.
 ### SourceEntityType
@@ -152,10 +152,10 @@ It generates:
 ```
-![Universe (No Template)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp)
+![Universe (No Template)](/images/identitymanager/universe_notemplateschema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (No Template)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_noTemplate.webp)
+![Universe (No Template)](/images/identitymanager/Universe_noTemplate.webp)
 :::info We see here identifiers instead of display names due to `ColumnNamesMode` set to identifiers.
@@ -194,10 +194,10 @@ It generates:
 </Universe>
 ```
-![Universe (Template Schema: Owned Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedResourceTypesSchema.webp)
+![Universe (Template Schema: Owned Resource Types)](/images/identitymanager/Universe_OwnedResourceTypesSchema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (Template: Owned Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedResourceTypes.webp)
+![Universe (Template: Owned Resource Types)](/images/identitymanager/Universe_OwnedResourceTypes.webp)
 #### ResourceResourceTypes
@@ -212,10 +212,10 @@ The following example generates a universe `U5_AD` based on the entity type `AD_
 The configuration generated by this snippet is similar to the one for `OwnedResourceTypes`.
-![Universe (Template Schema: Resource Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_ResourceResourceTypesSchema.webp)
+![Universe (Template Schema: Resource Resource Types)](/images/identitymanager/Universe_ResourceResourceTypesSchema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (Template: Resource Resource Types)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_ResourceResourceTypes.webp)
+![Universe (Template: Resource Resource Types)](/images/identitymanager/Universe_ResourceResourceTypes.webp)
 #### OwnedSingleRoles
@@ -247,10 +247,10 @@ It generates:
 </Universe>
 ```
-![Universe (Template Schema: Owned Single Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedSingleRolesSchema.webp)
+![Universe (Template Schema: Owned Single Roles)](/images/identitymanager/Universe_OwnedSingleRolesSchema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (Template: Owned Single Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedSingleRoles.webp)
+![Universe (Template: Owned Single Roles)](/images/identitymanager/Universe_OwnedSingleRoles.webp)
 #### OwnedCompositeRoles
@@ -265,10 +265,10 @@ The following example generates a universe `U7_User` based on the entity type `D
 The configuration generated by this snippet is similar to the one for `OwnedSingleRoles`.
-![Universe (Template Schema: Owned Composite Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedCompositeRolesSchema.webp)
+![Universe (Template Schema: Owned Composite Roles)](/images/identitymanager/Universe_OwnedCompositeRolesSchema.webp)
 When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following:
-![Universe (Template: Owned Composite Roles)](/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedCompositeRoles.webp)
+![Universe (Template: Owned Composite Roles)](/images/identitymanager/Universe_OwnedCompositeRoles.webp)
 ## Mixed Example
@@ -303,4 +303,4 @@ The following example generates a universe `U9_AccessControl` aiming to create r ``` When [getting Identity Manager data in Power BI](/docs/identitymanager/current/integration-guide/governance/reporting/how-tos/connect-powerbi), we see the following: -![Universe (Mixed Example)](/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp) +![Universe (Mixed Example)](/images/identitymanager/universe_mixedexample.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md index ea9e2d4e17..4000776df6 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules.md @@ -1,4 +1,4 @@ ---- +--- title: "ConnectorsAccessControlRules" description: "Gives the permissions to manage the connector pages." sidebar_position: 1 @@ -10,7 +10,7 @@ Generates the permissions to access the connectors pages, the policies page, the Gives access to shortcuts on the dashboard to access these pages. -![Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) +![Connectors](/images/identitymanager/home_connectors_v602.webp) The scaffolding generates the following scaffoldings: diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector.md index 3daa3144a1..bde2f5577b 100644 
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/connector.md
@@ -110,13 +110,13 @@ The [entity association mapping](/docs/identitymanager/current/integration-guide
 | Identifier required | **Type:** String **Description:** Connector Identifier. |
 | IncrementalJob default value: 0 | **Type:** JobIntegrationRule **Description:** Indicates how the connector should be used in the incremental job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the incremental job, setting that connector to `Used` for the incremental job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. |
 | IsDeactivated default value: false | **Type:** Boolean **Description:** Indicates that the export and the provisioning are deactivated for this connector. |
-| MaximumDeletedLines default value: 100 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the connector when running the synchronization job. |
-| MaximumInsertedLines default value: 100 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the connector when running the synchronization job. |
-| MaximumLinkDeletedLines default value: 1000 | **Type:** Int32 **Description:** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the connector when running the synchronization job. |
-| MaximumLinkInsertedLines default value: 1000 | **Type:** Int32 **Description:** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the connector when running the synchronization job. |
-| MaximumUpdatedLines default value: 100 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the connector when running the synchronization job. |
 | MaxLinkPercentageDeletedLines default value: 5 | **Type:** Int32 **Description:** Deleted association links threshold in percent. |
 | MaxLinkPercentageInsertedLines default value: 5 | **Type:** Int32 **Description:** Inserted association links threshold in percent. |
 | MaxPercentageDeletedLines default value: 5 | **Type:** Int32 **Description:** Deleted lines threshold in percent. |
 | MaxPercentageInsertedLines default value: 5 | **Type:** Int32 **Description:** Inserted lines threshold in percent. |
 | MaxPercentageUpdatedLines default value: 5 | **Type:** Int32 **Description:** Updated lines threshold in percent. |
+| MaximumDeletedLines default value: 100 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the connector when running the synchronization job. |
+| MaximumInsertedLines default value: 100 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the connector when running the synchronization job. |
+| MaximumLinkDeletedLines default value: 1000 | **Type:** Int32 **Description:** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the connector when running the synchronization job. |
+| MaximumLinkInsertedLines default value: 1000 | **Type:** Int32 **Description:** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the connector when running the synchronization job. |
+| MaximumUpdatedLines default value: 100 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the connector when running the synchronization job. |
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md
index 67d882f8c7..2150e9051b 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping.md
@@ -19,7 +19,7 @@ See [Connector](/docs/identitymanager/current/integration-guide/toolkit/xml-conf
 | Connector required | **Type:** Int64 **Description:** Id of the connector to which it is linked. |
 | EntityPropertyMapping1 required | **Type:** Int64 **Description:** The ID of mapping of the property use to establish the association. The property must be a unique key. |
 | EntityPropertyMapping2 required | **Type:** Int64 **Description:** The ID of mapping of the property use to establish the association. The property must be a unique key. |
-| MaximumDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the entity type when running the synchronization job. |
-| MaximumInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the entity type when running the synchronization job. |
 | MaxPercentageDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted association links threshold in percent. |
 | MaxPercentageInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted association links threshold in percent. |
+| MaximumDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the entity type when running the synchronization job. |
+| MaximumInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the entity type when running the synchronization job. |
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md
index 44cc25b1c9..ee47d84b12 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping.md
@@ -19,12 +19,12 @@ An entity type mapping shares the same identifier as its related entity type.
 | C0 optional | **Type:** String **Description:** In a Microsoft Entra ID connector (formerly Azure Active Directory), generic column used to map the entities to be exported. By default, Identity Manager exports: `user`; `group`; `directoryRole`; `servicePrincipal`. |
 | ConnectionTable optional | **Type:** String **Description:** Name of the CSV file which contains, or will contain, the exported data from the corresponding entity type. |
 | Connector optional | **Type:** Int64 **Description:** Identifier of the related connector. |
-| MaximumDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the entity type when running the synchronization job. |
-| MaximumInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the entity type when running the synchronization job. |
-| MaximumUpdatedLines default value: 0 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the entity type when running the synchronization job. |
 | MaxPercentageDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted lines threshold in percent. |
 | MaxPercentageInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted lines threshold in percent. |
 | MaxPercentageUpdatedLines default value: 0 | **Type:** Int32 **Description:** Updated lines threshold in percent. |
+| MaximumDeletedLines default value: 0 | **Type:** Int32 **Description:** Deleted lines threshold. Sets the maximum number of resources that can be removed from the entity type when running the synchronization job. |
+| MaximumInsertedLines default value: 0 | **Type:** Int32 **Description:** Inserted lines threshold. Sets the maximum number of resources that can be added into the entity type when running the synchronization job. |
+| MaximumUpdatedLines default value: 0 | **Type:** Int32 **Description:** Updated lines threshold. Sets the maximum number of resources that can be modified within the entity type when running the synchronization job. |
 ## Child Element: Property
 Contains all the [entity properties](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype#child-element-property) of an [entity type](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/entitytype) that can be synchronized into Identity Manager physical model. Each mapping share the same id as its corresponding property in the entity type.
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx
index af16d287df..82b30fb334 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping.mdx
@@ -12,7 +12,7 @@ Any resource type linked to a ServiceNow connection must be configured with a se
 Below is an example of an incident ticket in ServiceNow, where relevant properties (from Identity Manager's perspective) are emphasized:
-![ServiceNow Ticket Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypemappings/ServiceNow_example.webp)
+![ServiceNow Ticket Example](/images/identitymanager/ServiceNow_example.webp)
 ## Examples
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md index 74039b2391..9edfb90f05 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask.md @@ -189,7 +189,6 @@ Deploy your configuration. After deployment: - [CreateAgentSynchroComplete](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete) - Scaffolding documentation - [CreateConnectorSynchroComplete](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete) - Scaffolding documentation - Task that sends a notification to all users who have pending roles to review, only for roles with a simple approval workflow, i.e. pending the validation 1 out of 1. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/language.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/language.md index 8155e7c5ec..fa97b758b0 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/language.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/language.md @@ -6,6 +6,8 @@ sidebar_position: 7 Represents a configuration entity used to create multilingual application. +By default, the product includes translations for English (en-US), French (fr-FR), Spanish (es-ES), German (de-DE), Italian (it-IT), Korean (ko-KR), and Traditional Chinese (zh-TW). + ## Examples The following example declares a new language. 
@@ -18,6 +20,6 @@ The following example declares a new language. |Property|Details| |---|---| -| Code required | **Type:** String **Description:** Unique identifier of the language (fr-FR, en-US...). | +| Code required | **Type:** String **Description:** Unique identifier of the language (fr-FR, en-US...). It is a combination of an ISO 639 two-letter lowercase culture code associated with a language and an ISO 3166 two-letter uppercase subculture code associated with a country or region. | | IndicatorNumber required | **Type:** Int32 **Description:** Defines the default language. | | JsonPath optional | **Type:** String **Description:** The original translations file path | diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md index ae0cab8dd8..aac3d05187 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting.md @@ -1,4 +1,4 @@ ---- +--- title: "AppDisplaySetting" description: "This setting is used to customize the application display." sidebar_position: 1 
@@ -20,23 +20,23 @@ The following example sets:
 ```
-![AppDisplay - Tab](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/AppDisplaySetting_tab_V603.webp)
+![AppDisplay - Tab](/images/identitymanager/AppDisplaySetting_tab_V603.webp)
-![Appdisplaysetting Tab V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/AppDisplaySetting_tab_V603.webp)
+![Appdisplaysetting Tab V603](/images/identitymanager/AppDisplaySetting_tab_V603.webp)
-![AppDisplay - Authentication](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp)
+![AppDisplay - Authentication](/images/identitymanager/appdisplaysetting_screen1_v603.webp)
 ### Disable counters
 The following example disables the counters that are usually visible on the dashboard:
-> ![AppDisplay - Without Counters](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp)
+> ![AppDisplay - Without Counters](/images/identitymanager/appdisplaysetting_counters_v603.webp)
 ```xml
 ```
-![AppDisplay - Without Counters](/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp)
+![AppDisplay - Without Counters](/images/identitymanager/appdisplaysetting_nocounters_v603.webp)
 ## Properties
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md
index a4aa5265d2..24f1618cb3 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification.md @@ -6,8 +6,8 @@ sidebar_position: 1 Reminder notification concerning access certification. -## Examples +## Examples The following example sends after 2 days a reminder notification to users who were already notified by the native notification for access certification (on resources from `Directory_User`) and have not yet performed the action. ```xml @@ -24,6 +24,7 @@ The following example sends the exact same notification as the previous example, The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element. ::: + ## Properties |Property|Details| 
@@ -33,3 +34,4 @@ The `TitleExpression` property on typed notifications is not used. To customize | CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | | RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | | ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | + diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md index 350f54a76a..8ce3c8358d 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification.md 
@@ -6,8 +6,8 @@ sidebar_position: 2 Reminder notification concerning manual provisioning. -## Examples +## Examples The following example sends after 2 days a reminder notification to users who were already notified by the native notification for manual provisioning (on resources from `Directory_User`) and have not yet performed the action. ```xml
@@ -24,6 +24,7 @@ The following example sends the exact same notification as the previous example, The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element. ::: + ## Properties |Property|Details|
@@ -33,3 +34,4 @@ The `TitleExpression` property on typed notifications is not used. To customize
 | CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
 | RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
 | ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
+
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md
index a0a1b9ec6c..180b5bea75 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification.md
@@ -6,8 +6,8 @@ sidebar_position: 3 Reminder notification concerning provisioning review. -## Examples +## Examples The following example sends after 2 days a reminder notification to users who were already notified by the native notification for provisioning review (on resources from `Directory_User`) and have not yet performed the action. ```xml
@@ -24,6 +24,7 @@ The following example sends the exact same notification as the previous example, The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element. ::: + ## Properties |Property|Details|
@@ -33,3 +34,4 @@ The `TitleExpression` property on typed notifications is not used. To customize
 | CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
 | RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
 | ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
+
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md
index d7c8715500..b8eb0871e4 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification.md
@@ -6,8 +6,8 @@ sidebar_position: 5 Reminder notification concerning role review. -## Examples +## Examples The following example sends after 2 days a reminder notification to users who were already notified by the native notification for role review (on resources from `Directory_User`) and have not yet performed the action. ```xml
@@ -24,6 +24,7 @@ The following example sends the exact same notification as the previous example, The `TitleExpression` property on typed notifications is not used. To customize notification subject and body, use [`RazorTemplate` and `CssTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) instead, or use the [`NotificationTemplate`](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate) configuration element. ::: + ## Properties |Property|Details|
@@ -33,3 +34,4 @@ The `TitleExpression` property on typed notifications is not used. To customize
 | CssTemplate optional | **Type:** String **Description:** Path to the css file that defines the styles for the email.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
 | RazorTemplate optional | **Type:** String **Description:** Path to the Razor cshtml file that defines the email's body template.**Note:** the path must be relative to the configuration folder, and the file must be inside it.**Note:** when no template is specified, the reminder notification will use the same template as the original notification. |
 | ReminderInterval default value: 0 | **Type:** Int32 **Description:** Time period (in minutes) after which a reminder of the original notification should be sent.**Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. |
+
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md
index f66f941135..3b81f50138 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate.md
@@ -6,6 +6,12 @@ sidebar_position: 2 A notification template is used to overwrite the subject and/or body of a [native notification](/docs/identitymanager/current/integration-guide/notifications/native) with personalized templates. +## Authorized code in templates + +Razor templates referenced by `RazorTemplate` are compiled with the same security restrictions as [C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#white-list). Only methods, classes, and namespaces from the white list can be used in template code. + +See [Razor template white list](/docs/identitymanager/current/integration-guide/toolkit/expressions#razor-template-white-list) for the template-specific additions. + ## Examples The following example overwrites the template of the notification provided by Identity Manager for role review.
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md
index 53ac5bb32d..01a1dae94f 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/automationrule.md
@@ -1,4 +1,4 @@
----
+---
 title: "AutomationRule"
 description: ""
 sidebar_position: 1
@@ -87,4 +87,4 @@ In the following example, the two first rules are equivalent (except for the wor | ResourceType optional | **Type:** Int64 **Description:** Identifier of the resource type targeted by the rule. | | SingleRole optional | **Type:** Int64 **Description:** Identifier of the single role targeted by the rule. | | Type required | **Type:** AutomationRuleType **Description:** Object type targeted by the rule. `0` - CompositeRole. `1` - SingleRole. `2` - ResourceType. `4` - Category. `5` - Policy. | -| WorkflowState default value: 0 | **Type:** WorkflowState **Description:** Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added.**Note:** usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. 
![Workflow State: Pending Approval](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. ![Workflow State: Calculated](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined or an automatic rule is now outdated. [See more details](/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation#property-reconciliation-with-role-reconciliation). 
![Workflow State: Cancellation](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). ![Workflow State: Suggested](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). **Info:** the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#discardmanualassignments). ![Workflow State: Approved - Questioned](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. 
![Workflow State: Pending Approval (Risk)](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. ![Workflow State: Prolonged](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp) | +| WorkflowState default value: 0 | **Type:** WorkflowState **Description:** Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/images/identitymanager/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/images/identitymanager/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added.**Note:** usually displayed in workflows' summaries. 
![Workflow State: Pending Approval - Requested](/images/identitymanager/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/images/identitymanager/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/images/identitymanager/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/images/identitymanager/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/images/identitymanager/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. ![Workflow State: Calculated](/images/identitymanager/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined or an automatic rule is now outdated. [See more details](/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation#property-reconciliation-with-role-reconciliation). 
![Workflow State: Cancellation](/images/identitymanager/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). ![Workflow State: Suggested](/images/identitymanager/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). **Info:** the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule#properties). `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. [See more details](/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype#discardmanualassignments). ![Workflow State: Approved - Questioned](/images/identitymanager/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. ![Workflow State: Pending Approval (Risk)](/images/identitymanager/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. 
`27` - **Prolonged**: the assignment has expired but it was set with a grace period. ![Workflow State: Prolonged](/images/identitymanager/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/images/identitymanager/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/images/identitymanager/118_givenbyarole_v603.webp) |
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md
index c614eb97b5..52e6a35c4a 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/contextrule.md
@@ -1,4 +1,4 @@
----
+---
 title: "ContextRule"
 description: ""
 sidebar_position: 6
@@ -86,7 +86,7 @@ Context rules also contain some parameters for [role mining](/docs/identitymanag Users are distributed in a hypercube made of all dimensions, like in the following table (left) when we have only 2 dimensions, where for example `1`, `2`, `3`, etc. are users' possible locations, and `A`, `B`, `C`, etc. are users' possible departments in the company. When considering one dimension and sorting the dimension values per user percentage, we get the following table (right). -![Role Mining Tables](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp) +![Role Mining Tables](/images/identitymanager/contextrules_rolemining.webp) The tables here represent a simple situation with few dimensions. But the higher the number of dimensions, the more complex are role mining's computations. This is known as the curse of dimensionality.
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md
index d726bc60af..459b401d37 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/recordsection.md
@@ -1,4 +1,4 @@
----
+---
 title: "RecordSection"
 description: ""
 sidebar_position: 10
@@ -102,7 +102,7 @@ Contract section: There can be some time gap where no context is defined, for example a time gap with a position but no contract or vice versa. Identity Manager offers the possibility to choose whether an existing context is to be extended to the period without context. And in case we decide to use another context and extend its values, which context should it be? -![Schema - ExtensionKind](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp) +![Schema - ExtensionKind](/images/identitymanager/recordsection_extensionkind.webp) Here, we decide to extend an existing contract to the gap, for example because users' email addresses are built using the contract type to add `-ext` for external users. And we decide to not extend the position.
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md
index 77bd018942..1ef7ef9d29 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/provisioning/resourcetype.md
@@ -1,4 +1,4 @@
----
+---
 title: "ResourceType"
 description: ""
 sidebar_position: 13
@@ -57,27 +57,27 @@ Suppose a resource type managing the provisioning of Active Directory nominative The following scenario is about a user named Cedric Blanc, whose AD's `sn` property is set by the scalar rule to `Blanc`. -![Example - State 0](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state0_V602.webp) +![Example - State 0](/images/identitymanager/DiscardManualAssignments_state0_V602.webp) Let's see what happens when the user's name is changed manually directly in the AD. Suppose that we change in the AD the last name to `White`. As the scalar rule computes the `sn` value based on the user's data which still states the last name `Blanc`, such a change induces a difference between the value calculated by the rule and the actual value in the AD. This difference is spotted by the next synchronization, triggering a non-conforming assignment on the **Resource Reconciliation** page. -![Example - State 1](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state1_V602.webp) +![Example - State 1](/images/identitymanager/DiscardManualAssignments_state1_V602.webp) -![Example - Step 1](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_step1_V602.webp) +![Example - Step 1](/images/identitymanager/DiscardManualAssignments_step1_V602.webp) -![Example - Step 2](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_step2_V602.webp) +![Example - Step 2](/images/identitymanager/DiscardManualAssignments_step2_V602.webp) Once this manual new value is confirmed, the property is stated as `Approved`. 
-![Example - State 2](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state2_V602.webp) +![Example - State 2](/images/identitymanager/DiscardManualAssignments_state2_V602.webp) Now suppose that the user's last name is changed to `Black` via Identity Manager's workflows. As the source data is changed, the scalar rule computes a new value for `sn`. There are two options: * The default configuration (`DiscardManualAssignments` set to `false`) considers manual assignments, i.e. changes made directly in the managed system, as authoritative. So there will be no provisioning of the newly computed value for `sn`. The current `sn` value that was written manually in the AD stays as is, no matter the changes in the source data (here the user's last name). Identity Manager only states the property's value as `Questioned`. - ![Example - State 3](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state3_V602.webp) + ![Example - State 3](/images/identitymanager/DiscardManualAssignments_state3_V602.webp) :::note No change in the source data can affect the property's value. However, any manual change made in the managed system will trigger a non-conforming assignment. Then, reconciling the property by choosing to keep Identity Manager's suggested value will make the property's value go back to `Calculated` and thus follow the changes in the source data. 
@@ -85,10 +85,10 @@ Now suppose that the user's last name is changed to `Black` via Identity Manager * If `DiscardManualAssignments` is set to `true`, then the state of the property's value does not matter. Identity Manager applies the rules of the role model, and generates a provisioning order to overwrite the manual change `White` with the newly computed value `Black`. - ![Example - State 4](/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state4_V602.webp) + ![Example - State 4](/images/identitymanager/DiscardManualAssignments_state4_V602.webp) In this scenario for Cedric Blanc, these behaviors can be summed up like the following: -![Discardmanualassignments State0 V602](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state0_v602.webp) +![Discardmanualassignments State0 V602](/images/identitymanager/DiscardManualAssignments_state0_V602.webp) ## Properties
@@ -351,7 +351,7 @@ A scalar rule is applied according to reference start and end dates (configured A time offset adjusts the period for which the rule applies and computes a property's value. ::: -![Schema - Default Application Period](/images/identitymanager/integration-guide/datamodel/datamodel_scalarRule_timeOffsetDefault.webp) +![Schema - Default Application Period](/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp) The following example impacts the property for the activation of nominative AD accounts: * the first rule deactivates the account from its creation, i.e. 1 month before the user's arrival day, until the arrival day;
@@ -367,7 +367,7 @@ The following example impacts the property for the activation of nominative AD a </ResourceType> ``` -![Schema - Default Application Period](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp) +![Schema - Default Application Period](/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp) :::info If the time period of property computation exceeds the limits of the period of resource type assignment, then the period of resource type assignment is extended accordingly.
@@ -375,7 +375,7 @@ If the time period of property computation exceeds the limits of the period of r Note that the rules are applied in a specific order according to their offset reference: `After`, `Before`, `Around` and `Default`. Each rule overwrites pre-existing values. Thus in case of overlapping rules, `Default`-offset rules overwrite the values of `Around`-offset rules, which overwrite the values of `Before`-offset rules, which overwrite the values of `After`-offset rules. We could have the following: -![Schema - Overlapping Offsets](/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp) +![Schema - Overlapping Offsets](/images/identitymanager/datamodel_scalarrule_timeoffsetoverlap.webp) ### Properties
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md
index 3425976d4c..398a43de47 100644
--- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype.md
@@ -1,4 +1,4 @@
----
+---
 title: "DisplayEntityType"
 description: ""
 sidebar_position: 2
@@ -31,7 +31,7 @@ The Priority property controls the order in which entity types are displayed in By default, the entity type with the highest priority is selected first. The end user can later change the selection using the top-left dropdown. -![Change Selection](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp) +![Change Selection](/images/identitymanager/ui_displaypriorities_changeselection_v521beta.webp) Priorities are integer values, positive or negative. The most important priority is assigned to the lowest value. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md index 2d0ffc2a48..c1269f1893 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup.md @@ -1,4 +1,4 @@ ---- +--- title: "DisplayPropertyGroup" description: "" sidebar_position: 3 @@ -28,7 +28,7 @@ Knowing that we have the following properties:
``` -![Display Property Group - Example](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp) +![Display Property Group - Example](/images/identitymanager/displaypropertygroup_example_v603.webp) :::info Any property without a value is not displayed. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md index 9239007cf9..95c23fbaf2 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/displaytable.md @@ -1,4 +1,4 @@ ---- +--- title: "DisplayTable" description: "" sidebar_position: 4 @@ -24,13 +24,13 @@ The following example displays sites as a table.
``` -![Example - DisplayTableDesignElement Set to Table](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/DisplayTableDesignElement_table_V602.webp) +![Example - DisplayTableDesignElement Set to Table](/images/identitymanager/DisplayTableDesignElement_table_V602.webp) #### list The following example displays users as a list. -![DisplayTableDesignElement_table_V602](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/DisplayTableDesignElement_table_V602.webp) +![DisplayTableDesignElement_table_V602](/images/identitymanager/DisplayTableDesignElement_table_V602.webp) :::note For resources to be displayed as a list, the display table must also be configured with **tiles**. @@ -49,7 +49,7 @@ The following example displays AD entries as a table, with an "Owner/Type" colum ``` -![Example - DisplayTableDesignElement Set to ResourceTable](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp) +![Example - DisplayTableDesignElement Set to ResourceTable](/images/identitymanager/displaytabledesignelement_resourcetable_v602.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form.md index f24c682897..d63e0d48a2 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/form.md @@ -1,4 +1,4 @@ ---- +--- title: "Form" description: "" sidebar_position: 5 
@@ -36,19 +36,19 @@ The following example shows a form called `Directory_UserRecord_View` that invol When `HideRoles` is set to `true`, then the **Access Permissions** tab is not accessible. -![Access Permissions](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/Form_hideRoles_V603.webp) +![Access Permissions](/images/identitymanager/Form_hideRoles_V603.webp) #### Adjust the request type When `WorkflowRequestType` is set to `Self`, then the finalization step looks like: -![Form Hideroles V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp) +![Form Hideroles V603](/images/identitymanager/Form_hideRoles_V603.webp) When `WorkflowRequestType` is set to `Helpdesk`, then the finalization step looks like: -![WorkflowRequestType = Helpdesk](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/Form_requestTypeHelpdesk_V603.webp) +![WorkflowRequestType = Helpdesk](/images/identitymanager/Form_requestTypeHelpdesk_V603.webp) #### Display records in a table -![Form Requesttypehelpdesk V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp) +![Form Requesttypehelpdesk V603](/images/identitymanager/Form_requestTypeHelpdesk_V603.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md index b1bac7a752..4870779a87 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/user-interface/menuitem.md 
@@ -21,7 +21,7 @@ A menu item displays grouped navigation actions. |---|---| | DisplayName_L1 optional | **Type:** String **Description:** Display name of the menu item in language 1 (up to 16). | | EntityType optional | **Type:** Int64 **Description:** Represents the linked entity type. | -| IconCode optional | **Type:** String **Description:** Code of one of [Microsoft's fabric icons](https://uifabricicons.azurewebsites.net/) to be displayed with the menu item. **Note:** on Microsoft page, see the icons' codes by moving the mouse over the icons, or using the detailed view. | +| IconCode optional | **Type:** String **Description:** Code of one of [Microsoft's fabric icons](https://developer.microsoft.com/en-us/fluentui#/styles/web/icons#available-icons) to be displayed with the menu item. **Note:** on Microsoft page, see the icons' codes by moving the mouse over the icons, or using the detailed view. | | Identifier required | **Type:** String **Description:** Unique identifier of the item. | | IsExpandedByDefault default value: true | **Type:** Boolean **Description:** Is an expanded by default menu item. | | IsSelfForm default value: false | **Type:** Boolean **Description:** Is a self form menu item. | diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md index a1e4af8fd3..cecb19447d 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "AddChangeAspect" description: "Modifies a given property value." sidebar_position: 1 
@@ -51,7 +51,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md index ad7c9f63db..24b4b895ba 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "AssertValueAspect" description: "Checks whether the value of a given property satisfies a given condition." sidebar_position: 2 @@ -71,7 +71,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md index 7b39244193..e688344cdb 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md 
+++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "AssertValueRequiredAspect" description: "Checks whether a given property has a non-null value." sidebar_position: 3 @@ -37,7 +37,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md index 1c94328a7a..6fc4032d66 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "BuildUniqueValueAspect" description: "Computes a unique value for a given property." sidebar_position: 4 @@ -42,7 +42,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| 
@@ -62,7 +62,7 @@ The value of the source binding/expression is computed based on the properties o The rule compares the return value of the source binding/expression with the existing values of the target binding/expression in the target entity type. -![Schema: Unicity Check](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp) +![Schema: Unicity Check](/images/identitymanager/aspects_unicitycheck.webp) > For example, we need to generate an email address for any new user joining the company. We configure in a `BuildUniqueValue` aspect that users' emails are computed with `{firstName}.{lastName}@{EmailDomain}`. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md index 0c5ebbf5d6..172137ba4c 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "InvokeScriptAspect" description: "Executes a customized script." sidebar_position: 5 @@ -35,7 +35,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md index 99ef9167b8..697d83cd30 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "InvokeWorkflowAspect" description: "Launches a workflow." sidebar_position: 6 @@ -33,7 +33,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md index 15070d5415..02b76a5ad3 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect.md @@ -1,4 +1,4 @@ ---- +--- title: "NotificationAspect" description: "Sends a notification email to one or several users." sidebar_position: 7 
@@ -6,6 +6,12 @@ sidebar_position: 7 Sends a notification email to one or several users. +## Authorized code in templates + +Razor templates referenced by `RazorFile_L*` are compiled with the same security restrictions as [C# expressions](/docs/identitymanager/current/integration-guide/toolkit/expressions#white-list). Only methods, classes, and namespaces from the white list can be used in template code. + +See [Razor template white list](/docs/identitymanager/current/integration-guide/toolkit/expressions#razor-template-white-list) for the template-specific additions. + ## Examples The following example sends a notification email based on the template `Notification_Directory_Guest.cshtml` and the subject computed by `SubjectExpression_L1`, which both use data from `Workflow_Directory_Guest:Directory_Guest`, and on the styles from `Notification_Directory_Guest.css`. @@ -42,7 +48,7 @@ A pointcut is a mechanism telling Identity Manager when to execute the linked [a The position of the pointcut is specified by an activity state and a mode (before or after). -![pointcut Schema](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) +![pointcut Schema](/images/identitymanager/pointcut.webp) |Property|Details| diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md index dd0f7dee2a..b8e5076994 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform.md 
@@ -1,4 +1,4 @@ ---- +--- title: "WorkflowAddAndEndRecordEntityForm" description: "Displays a form to define the end date of an existing record, and replace it with a new record at said date, by duplicating and adjusting the old record." sidebar_position: 1 @@ -41,14 +41,14 @@ And with the following form for the record data's content and summary, and for t ``` The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Update Position](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddAndEndRecordEntityForm_V603.webp) +![Form Example - Update Position](/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp) :::note The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. ::: The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: -![Formexample Workflowaddandendrecordentityform V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp) +![Formexample Workflowaddandendrecordentityform V603](/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md index e891c11df3..309224677d 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform.md 
@@ -1,4 +1,4 @@ ---- +--- title: "WorkflowAddRecordEntityForm" description: "Displays a form to add a new record for an existing resource, by duplicating and adjusting an existing record." sidebar_position: 2 @@ -46,14 +46,14 @@ And with the following form for the data that groups records together: ``` The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Computer Request](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddRecordEntityForm_V603.webp) +![Form Example - Computer Request](/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp) :::note The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. ::: The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: -![Formexample Workflowaddrecordentityform V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp) +![Formexample Workflowaddrecordentityform V603](/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md index 5b497acb47..5cc41f9f41 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform.md 
@@ -1,4 +1,4 @@ ---- +--- title: "WorkflowCreateEntityForm" description: "Displays a form to create a new resource, without a record." sidebar_position: 3 @@ -58,7 +58,7 @@ The content of `MainControl` is visible during the workflow's execution: ![Form Example - Site Creation] The content of `SummaryControl` is visible after the workflow's execution: -![Formexample Workflowcreateentityform V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp) +![Formexample Workflowcreateentityform V603](/images/identitymanager/formexample_workflowcreateentityform_v603.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md index 3c1fe62b22..6df898fc4c 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowCreateRecordEntityForm" description: "Displays a form to create a new resource with a record." sidebar_position: 4 @@ -52,7 +52,7 @@ And with the following form for the workflow's summary on record data: ``` The content of `MainControl` is visible during the workflow's execution: -![Form Example - New User from HR](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp) +![Form Example - New User from HR](/images/identitymanager/formexample_workflowcreaterecordentityform_v603.webp) The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution. 
diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md index 659931b399..e70299d636 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowCreateSeveralRecordsEntityForm" description: "Displays a form to create a new resource with one or several records." sidebar_position: 5 @@ -68,7 +68,7 @@ And with the following form for the data specific to each record: ``` The contents of `MainControl`, `RecordControl` and `RecordUniqueItemControl` are visible during the workflow's execution: -![Form Example - New User from Helpdesk](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp) +![Form Example - New User from Helpdesk](/images/identitymanager/formexample_workflowcreateseveralrecordsentityform_v603.webp) diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md index 897b215b04..197a34334d 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform.md 
@@ -1,4 +1,4 @@ ---- +--- title: "WorkflowEditEntityForm" description: "Displays a form to update or delete an existing resource, without a record." sidebar_position: 6 @@ -23,10 +23,10 @@ With the following form for the workflow's content and summary: ``` The content of `MainControl` is visible during the workflow's execution: -![Form Example - Computer Request](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowEditEntityForm_V603.webp) +![Form Example - Computer Request](/images/identitymanager/formexample_workfloweditentityform_v603.webp) The content of `SummaryControl` is visible after the workflow's execution: -![Formexample Workfloweditentityform V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp) +![Formexample Workfloweditentityform V603](/images/identitymanager/formexample_workfloweditentityform_v603.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md index 87b01bd671..74c79fc858 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowUpdateRecordEntitiesForm" description: "Displays a form to update data for several resources simultaneously." sidebar_position: 7 
@@ -45,7 +45,7 @@ And with the following form for the data that groups records together: ``` The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Mass Update](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp) +![Form Example - Mass Update](/images/identitymanager/formexample_workflowupdaterecordentitiesform_v603.webp) :::note The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be modified as one. diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md index 50d5722559..082471b3bc 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowUpdateRecordEntityForm" description: "Displays a form to select an existing record and update it." sidebar_position: 8 
@@ -70,14 +70,14 @@ And with the following form for the data that groups records together: ``` The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: -![Form Example - Update Data](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowUpdateRecordEntityForm_V603.webp) +![Form Example - Update Data](/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp) :::note The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. ::: The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution: -![Formexample Workflowupdaterecordentityform V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp) +![Formexample Workflowupdaterecordentityform V603](/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp) ## Properties diff --git a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md index 53f5d78ec7..cdda78c9d9 100644 --- a/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md +++ b/docs/identitymanager/current/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform.md @@ -1,4 +1,4 @@ ---- +--- title: "WorkflowUpdateSeveralRecordsEntityForm" description: "Displays a form to create, update or delete one or several records." sidebar_position: 9 
@@ -68,10 +68,10 @@ And with the following form for the data that groups records together: ``` The contents of `MainControl`, `RecordControl`, `RecordSlaveUniqueItemControl` and `RecordSlaveControl` are visible during the workflow's execution: -![Form Example - Manage a User's Positions](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowUpdateSeveralRecordsEntityForm_V603.webp) +![Form Example - Manage a User's Positions](/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_v603.webp) When adding a new position, we decide to make `Title` available, in addition to the fields used to update existing records: -![Formexample Workflowupdateseveralrecordsentityform V603](/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_v603.webp) +![Formexample Workflowupdateseveralrecordsentityform V603](/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_v603.webp) :::note The content of `RecordUniqueItemControl` is not visible. The user's records that have the same values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially modified, as one. diff --git a/docs/identitymanager/current/integration-guide/ui/create-menu-items.md b/docs/identitymanager/current/integration-guide/ui/create-menu-items.md index 58849b319d..5c59305aea 100644 --- a/docs/identitymanager/current/integration-guide/ui/create-menu-items.md +++ b/docs/identitymanager/current/integration-guide/ui/create-menu-items.md @@ -1,4 +1,4 @@ ---- +--- title: "Create Menu Items" description: "Create Menu Items" sidebar_position: 20 
@@ -12,7 +12,7 @@ After creating a workflow as for the EntityTypes, is mandatory to create the Men To add a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list you need to create a menu containing the different workflows and put a link to the entity's searchBar as below. -[See available icons](https://uifabricicons.azurewebsites.net/). +[See available icons](https://developer.microsoft.com/en-us/fluentui#/styles/web/icons#available-icons). The first MenuItem is the main action displayed on the right. @@ -24,7 +24,7 @@ The other MenuItems are displayed from left to right. This XML element gives the following result: -![Add workflow link in resource list entity](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) +![Add workflow link in resource list entity](/images/identitymanager/workflowinentitylist.webp) ### Create menu items for a workflow in a resource view @@ -38,6 +38,6 @@ These workflows will manipulate the selected resource in the view. This XML element gives the following result: -![Workflow in resource view](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) +![Workflow in resource view](/images/identitymanager/workflowinresourceview.webp) -![All workflow in resource view*](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) +![All workflow in resource view*](/images/identitymanager/allworkflowinresourceview.webp) diff --git a/docs/identitymanager/current/integration-guide/ui/custom-display-table.md b/docs/identitymanager/current/integration-guide/ui/custom-display-table.md index 2180681790..849cfa2054 100644 --- a/docs/identitymanager/current/integration-guide/ui/custom-display-table.md +++ b/docs/identitymanager/current/integration-guide/ui/custom-display-table.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Customize Display Tables" description: "Customize Display Tables" sidebar_position: 30 @@ -20,7 +20,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here is the visualization of this display table on the interface: -![DisplayTable(Table)](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) +![DisplayTable(Table)](/images/identitymanager/displaytablestable.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a search bar. This avoids filter duplication. Thus, the `` property can be deleted in the `` argument. @@ -36,7 +36,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here is the visualization of this resource table on the interface: -![ResourceTable](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) +![ResourceTable](/images/identitymanager/displaytablesresourcetable.webp) ## Display Table with Tiles @@ -57,7 +57,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here is the visualization of this display table on the interface: -![DisplayTable with Tiles](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) +![DisplayTable with Tiles](/images/identitymanager/displaytablestiles.webp) See the [Display Table](../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) topic for additional information. diff --git a/docs/identitymanager/current/integration-guide/ui/custom-search-bar.md b/docs/identitymanager/current/integration-guide/ui/custom-search-bar.md index 342941e4ed..647303a6c2 100644 --- a/docs/identitymanager/current/integration-guide/ui/custom-search-bar.md 
+++ b/docs/identitymanager/current/integration-guide/ui/custom-search-bar.md @@ -1,4 +1,4 @@ ---- +--- title: "Customize Search Bars" description: "Customize Search Bars" sidebar_position: 40 @@ -20,7 +20,7 @@ To search on a resource list for an entity, you must enter a SearchBar tag for t Here is the visualization of this searchbar on the interface: -![SearchBarWithoutFilters](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) +![SearchBarWithoutFilters](/images/identitymanager/searchbarwithoutfilter.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids filter duplication. Thus, the `` property can be deleted in the `` argument in the display table. @@ -37,7 +37,7 @@ To add a default filter, you must add both of the following properties to a crit Here is the visualization of this criterion on the interface: -![SearchBarFilter](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) +![SearchBarFilter](/images/identitymanager/searchbarfilters.webp) ## Search Bar Menu diff --git a/docs/identitymanager/current/integration-guide/ui/how-tos/create-menu-items.md b/docs/identitymanager/current/integration-guide/ui/how-tos/create-menu-items.md index 87b3d2835e..2692d365b3 100644 --- a/docs/identitymanager/current/integration-guide/ui/how-tos/create-menu-items.md +++ b/docs/identitymanager/current/integration-guide/ui/how-tos/create-menu-items.md @@ -1,4 +1,4 @@ -# Create Menu Items +# Create Menu Items After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the Navigation to this Workflow. 
@@ -6,7 +6,7 @@ After creating a workflow as for the EntityTypes, is mandatory to create the Men To add a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list you need to create a menu containing the different workflows and put a link to the entity's searchBar as below. -[See available icons](https://uifabricicons.azurewebsites.net/). +[See available icons](https://developer.microsoft.com/en-us/fluentui#/styles/web/icons#available-icons). The first MenuItem is the main action displayed on the right. @@ -18,7 +18,7 @@ The other MenuItems are displayed from left to right. This XML element gives the following result: -![Add workflow link in resource list entity](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) +![Add workflow link in resource list entity](/images/identitymanager/workflowinentitylist.webp) ### Create menu items for a workflow in a resource view @@ -32,6 +32,6 @@ These workflows will manipulate the selected resource in the view. This XML element gives the following result: -![Workflow in resource view](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) +![Workflow in resource view](/images/identitymanager/workflowinresourceview.webp) -![All workflow in resource view*](/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) +![All workflow in resource view*](/images/identitymanager/allworkflowinresourceview.webp) diff --git a/docs/identitymanager/current/integration-guide/ui/how-tos/custom-display-table.md b/docs/identitymanager/current/integration-guide/ui/how-tos/custom-display-table.md index 0066f2f95c..b797e6c62b 100644 --- a/docs/identitymanager/current/integration-guide/ui/how-tos/custom-display-table.md +++ b/docs/identitymanager/current/integration-guide/ui/how-tos/custom-display-table.md 
@@ -1,4 +1,4 @@ -# Customize Display Tables +# Customize Display Tables This part shows how to define a custom way to display entity types' data. @@ -14,7 +14,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here is the visualization of this display table on the interface: -![DisplayTable(Table)](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) +![DisplayTable(Table)](/images/identitymanager/displaytablestable.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a search bar. This avoids filter duplication. Thus, the `CanBeFiltered` property can be deleted in the `Column` argument. @@ -30,7 +30,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here is the visualization of this resource table on the interface: -![ResourceTable](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) +![ResourceTable](/images/identitymanager/displaytablesresourcetable.webp) ## Display Table with Tiles @@ -51,7 +51,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here is the visualization of this display table on the interface: -![DisplayTable with Tiles](/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) +![DisplayTable with Tiles](/images/identitymanager/displaytablestiles.webp) See the [Display Table](../../../integration-guide/toolkit/xml-configuration/user-interface/displaytable) topic for additional information. diff --git a/docs/identitymanager/current/integration-guide/ui/how-tos/custom-search-bar.md b/docs/identitymanager/current/integration-guide/ui/how-tos/custom-search-bar.md index f122095754..1222c726a5 100644 --- a/docs/identitymanager/current/integration-guide/ui/how-tos/custom-search-bar.md 
+++ b/docs/identitymanager/current/integration-guide/ui/how-tos/custom-search-bar.md @@ -1,4 +1,4 @@ -# Customize Search Bars +# Customize Search Bars This guide shows how to define a custom way to search from a list of a given entity type's properties. @@ -14,7 +14,7 @@ To search on a resource list for an entity, you must enter a SearchBar tag for t Here is the visualization of this searchbar on the interface: -![SearchBarWithoutFilters](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) +![SearchBarWithoutFilters](/images/identitymanager/searchbarwithoutfilter.webp) Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids filter duplication. Thus, the `` property can be deleted in the `` argument in the display table. @@ -31,7 +31,7 @@ To add a default filter, you must add both of the following properties to a [Sea Here is the visualization of this criterion on the interface: -![SearchBarFilter](/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) +![SearchBarFilter](/images/identitymanager/searchbarfilters.webp) ## Search Bar Menu diff --git a/docs/identitymanager/current/integration-guide/ui/producttranslations.md b/docs/identitymanager/current/integration-guide/ui/producttranslations.md index 0e1cac68e4..7c3a9d8dbf 100644 --- a/docs/identitymanager/current/integration-guide/ui/producttranslations.md +++ b/docs/identitymanager/current/integration-guide/ui/producttranslations.md 
@@ -8,7 +8,7 @@ sidebar_position: 10 This topic shows how to import product translations into Identity Manager. A product translation means a translation of a Identity Manager's component, for example a button display message, not the translation of a configured component. -Currently in preview mode, Identity Manager supports both left to right and right to left languages. Use the toggle on the Settings Page to activate right to left languages. +Identity Manager supports right to left languages in preview mode. See [Activating Preview Features](../../preview-features#activating-preview-features) for setup instructions. ## JSON Translation File diff --git a/docs/identitymanager/current/integration-guide/workflows/activity-templates.md b/docs/identitymanager/current/integration-guide/workflows/activity-templates.md index 25d0294429..7948162145 100644 --- a/docs/identitymanager/current/integration-guide/workflows/activity-templates.md +++ b/docs/identitymanager/current/integration-guide/workflows/activity-templates.md @@ -1,4 +1,4 @@ ---- +--- title: "Activity Templates" description: "Activity Templates" sidebar_position: 10 @@ -12,7 +12,7 @@ This section describes the activities that constitute and model a [Workflow](../ Going through an activity means going through states and transitions. -![Activity Template - Example](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp) +![Activity Template - Example](/images/identitymanager/activitytemplates_example.webp) By default, Identity Manager's workflow engine implements the following activity templates: 
@@ -30,33 +30,33 @@ By default, Identity Manager's workflow engine implements the following activity Awaits user modifications **without** another user's intervention. -![Activity Template - Action](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp) +![Activity Template - Action](/images/identitymanager/activitytemplates_action.webp) ### ActionWithRefine Awaits user modifications **with** the possibility to delegate the action to another user. -![Activity Template - ActionWithRefine](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp) +![Activity Template - ActionWithRefine](/images/identitymanager/activitytemplates_actionwithrefine.webp) The `ActionWithRefine` activity can be translated into the following form: -![ActionWithRefine in the UI](/images/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp) +![ActionWithRefine in the UI](/images/identitymanager/activity_actionwithrefine_v602.webp) ### Review Awaits user approval **without** another user's intervention. -![Activity Template - Review](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp) +![Activity Template - Review](/images/identitymanager/activitytemplates_review.webp) ### ReviewWithFeedback Awaits user approval **with** the possiblity of getting feedback from another user before taking the action. 
-![Activity Template - ReviewWithFeedback](/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp) +![Activity Template - ReviewWithFeedback](/images/identitymanager/activitytemplates_reviewwithfeedback.webp) The `ReviewWithFeedback` activity can be translated into the following form: -![ReviewWithFeedback in the UI](/images/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp) +![ReviewWithFeedback in the UI](/images/identitymanager/activity_reviewwithfeedback_v602.webp) ### Persist diff --git a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-mono.md b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-mono.md index 31beae77f9..e4243c10f4 100644 --- a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-mono.md +++ b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-mono.md @@ -1,4 +1,4 @@ ---- +--- title: "For Resource Creation (Mono Record)" description: "For Resource Creation (Mono Record)" sidebar_position: 10 @@ -82,7 +82,7 @@ Resource Creation (Mono Record) topic for additional information. ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp) +![UI Form](/images/identitymanager/howto_resourcecreationmono_form_v602.webp) ### Add a summary (Optional) @@ -95,7 +95,7 @@ Summary form: ``` -![UI Summary](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp) +![UI Summary](/images/identitymanager/howto_resourcecreationmono_summary_v602.webp) ## Assign the Right Permissions 
@@ -119,7 +119,7 @@ Below is an example of an access control rule where the `Administrator` profile Creating a new resource, an interesting location for this workflow could be the users list page. -![Workflow Menu Items - Users List](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) +![Workflow Menu Items - Users List](/images/identitymanager/menuitems_userslist_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: @@ -159,7 +159,7 @@ Partial form for user data: ... ``` -![UI Homonym Detection](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) +![UI Homonym Detection](/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp) ## Customize the Display Table (Optional) diff --git a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-multi.md b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-multi.md index 7b7f5ef679..2b41338114 100644 --- a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-multi.md +++ b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-create-multi.md @@ -1,4 +1,4 @@ ---- +--- title: "For Resource Creation (Multi Records)" description: "For Resource Creation (Multi Records)" sidebar_position: 20 @@ -100,7 +100,7 @@ record individually, and calls the thirdform created previously. ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourcecreationmulti_form_v603.webp) ## Assign the Right Permissions 
@@ -124,7 +124,7 @@ Below is an example of an access control rule where the `Administrator` profile Creating a new resource, an interesting location for this workflow could be the users list page. -![Workflow Menu Items - Users List](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) +![Workflow Menu Items - Users List](/images/identitymanager/menuitems_userslist_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: @@ -165,7 +165,7 @@ Partial form for user data: ... ``` -![UI Homonym Detection](/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) +![UI Homonym Detection](/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp) ## Customize the Display Table (Optional) diff --git a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-mono.md b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-mono.md index 4d0b82b89e..5d80d9fac2 100644 --- a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-mono.md +++ b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-mono.md @@ -1,4 +1,4 @@ ---- +--- title: "For Resource Update (Mono Record)" description: "For Resource Update (Mono Record)" sidebar_position: 40 @@ -64,7 +64,7 @@ The `MainControl` attribute is here an empty container, because it is a mandator ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourceupdatemono_form_v603.webp) `End of transition` sets the date for the change of records scheduled by this form. 
@@ -84,7 +84,7 @@ Below is an example of an access control rule where the `Administrator` profile Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users. -![Workflow Menu Items - User's Page](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) +![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: diff --git a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-multi.md b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-multi.md index 159d0037c9..b2dad5cae5 100644 --- a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-multi.md +++ b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-multi.md @@ -1,4 +1,4 @@ ---- +--- title: "For Resource Update (Multi Records)" description: "For Resource Update (Multi Records)" sidebar_position: 50 @@ -100,7 +100,7 @@ fields, for the update of record data shared with all records. Thus it calls the The `RecordSlaveControl` attribute calls here the same form as `RecordUniqueControl`, because it copies part of the main record to pre-fill the fields of `RecordUniqueControl`. -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourceupdatemulti_form_v603.webp) ## Assign the Right Permissions 
@@ -118,7 +118,7 @@ Below is an example of an access control rule where the `Administrator` profile Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users. -![Workflow Menu Items - User's Page](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) +![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: diff --git a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-resource.md b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-resource.md index 405200496f..d38958a3d1 100644 --- a/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-resource.md +++ b/docs/identitymanager/current/integration-guide/workflows/create-workflow/workflow-update-resource.md @@ -1,4 +1,4 @@ ---- +--- title: "For Resource Update (No Record)" description: "For Resource Update (No Record)" sidebar_position: 30 @@ -49,7 +49,7 @@ A `WorkflowEditEntityForm` requires one child element `MainControl` that defines ``` -![UI Form](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp) +![UI Form](/images/identitymanager/howto_resourceupdateno_form_v603.webp) ### Add a summary (Optional) @@ -61,7 +61,7 @@ Another child element `SummaryControl` can be added to insert a summary part, i. ``` -![UI Summary](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp) +![UI Summary](/images/identitymanager/howto_resourceupdateno_summary_v603.webp) ## Assign the Right Permissions 
@@ -79,7 +79,7 @@ Below is an example of an access control rule where the `Administrator` profile Updating an existing resource, this workflow manages one given resource at a time. Hence an interesting location for this workflow could be the individual view page of users. -![Workflow Menu Items - User's Page](/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) +![Workflow Menu Items - User's Page](/images/identitymanager/menuitems_userview_v603.webp) To create a menu item here for the new workflow, you can add the following XML configuration to the existing menu items list: diff --git a/docs/identitymanager/current/introduction-guide/architecture.md b/docs/identitymanager/current/introduction-guide/architecture.md index 65b7d20a6b..a8c080c28c 100644 --- a/docs/identitymanager/current/introduction-guide/architecture.md +++ b/docs/identitymanager/current/introduction-guide/architecture.md @@ -1,4 +1,4 @@ ---- +--- title: "Architecture" description: "Architecture" sidebar_position: 20 @@ -26,11 +26,11 @@ Identity Manager can be installed: - **SaaS** so that the **server** dwells in the cloud and is provided as a service; - ![Architecture: **SaaS**](/images/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + ![Architecture: **SaaS**](/images/identitymanager/architecture_saas.webp) - **on-premises** so that the **server** is installed on an isolated network within the company. - ![Architecture: **on-premises**](/images/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + ![Architecture: **on-premises**](/images/identitymanager/architecture_onprem.webp) ## Next Steps diff --git a/docs/identitymanager/current/introduction-guide/overview/entitlement-management.md b/docs/identitymanager/current/introduction-guide/overview/entitlement-management.md index dfb9beead3..5421acbbf1 100644 
--- a/docs/identitymanager/current/introduction-guide/overview/entitlement-management.md +++ b/docs/identitymanager/current/introduction-guide/overview/entitlement-management.md @@ -1,4 +1,4 @@ ---- +--- title: "Entitlement Management" description: "Entitlement Management" sidebar_position: 20 @@ -18,7 +18,7 @@ A managed system's entitlements can have many forms. They authorize identities t Identity Manager is designed to help establish an exhaustive and reliable catalog of the entitlements available in the managed systems, and assign the right entitlements to the right users. -![Role Catalog and Users](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp) +![Role Catalog and Users](/images/identitymanager/entitlements_rolecatalogusers.webp) Thus, the role model contains: @@ -26,7 +26,7 @@ Thus, the role model contains: - the **rules** that trigger the assignment of entitlements to identities, and more broadly manage the systems' resources. Some of them act as link between Identity Manager's **roles** and the systems' accounts and permissions. Some of them are linked to, and thus apply only to, specific **resource types**. -![Role Model](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp) +![Role Model](/images/identitymanager/entitlements_rolemodel.webp) The role model is a subset of a **policy** that also includes [Governance](../../introduction-guide/overview/governance) data such as risk definition. So, at a higher level, distinct policies can be used to implement distinct behaviors. 
@@ -36,11 +36,11 @@ Identity Manager intends to represent IGA-related access right mechanisms by a [ Entitlements from the managed systems are modeled by **roles**. For each entitlement, NETWRIX advises creating a **single role**, with an easily understandable name, more functional than technical, so that everyone knows what the role is for. -![Single **roles**](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) +![Single **roles**](/images/identitymanager/singlerolescatalog_schemarole.webp) Each individual entitlement should usually be modeled by a **single role**, and single **roles** can be grouped together into composite **roles** to be closer to real job positions. -![Composite **roles**](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp) +![Composite **roles**](/images/identitymanager/entitlements_compositeroles.webp) ## A Rule Set @@ -60,7 +60,7 @@ Provisioning **rules** write the actual entitlements to the managed systems, mos > Thus, we should have a rule that, when a user is assigned a specific role, adds the user to the > member list of a specific AD group. -![Provisioning **rules**](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp) +![Provisioning **rules**](/images/identitymanager/entitlements_provisioningrules.webp) Even when a role is manually assigned, provisioning **rules** will determine which account (and permission groups) are given as entitlements. 
@@ -77,7 +77,7 @@ While the role catalog and provisioning **rules** are together enough to manuall > For example, we can choose to assign the role `Benefits Manager - FR` to any user whose job title > is benefits manager and whose location is in France. -![Assignment **rules**](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp) +![Assignment **rules**](/images/identitymanager/entitlements_assignmentrules.webp) Once all assignment **rules** are created, Identity Manager is able to spot existing assignments that are not supported by any rule, marking them as non-conforming. @@ -96,7 +96,7 @@ Different resources can be managed through different **rules**, by being part of > steps in the workflows related to privileged accounts, for more security than for standard > accounts. -![Categorization **rules**](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp) +![Categorization **rules**](/images/identitymanager/entitlements_categorizationrules.webp) Identity Manager's categorization **rules** are: 
@@ -126,15 +126,15 @@ dimension, and identities are distributed along the line. - The schema with two **dimensions** would be a table, a square. - The schema with three **dimensions** would be a 3D **cube**. And you can imagine 4D or 5D hypercubes, etc. -![**dimensions** - 1D](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp) +![**dimensions** - 1D](/images/identitymanager/entitlements_dimension1.webp) #### 1D -![**dimensions** - 2D](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp) +![**dimensions** - 2D](/images/identitymanager/entitlements_dimension2.webp) #### 2D -![**dimensions** - 3D](/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp) +![**dimensions** - 3D](/images/identitymanager/entitlements_dimension3.webp) ## Next Steps diff --git a/docs/identitymanager/current/introduction-guide/overview/governance.md b/docs/identitymanager/current/introduction-guide/overview/governance.md index 2f2838624c..c7c5ea6ffc 100644 --- a/docs/identitymanager/current/introduction-guide/overview/governance.md +++ b/docs/identitymanager/current/introduction-guide/overview/governance.md @@ -1,4 +1,4 @@ ---- +--- title: "Governance" description: "Governance" sidebar_position: 30 
@@ -14,7 +14,7 @@ By reading entitlement data from the managed systems, Identity Manager builds an Rules and roles define a policy. By definition, assignments not supported by a rule do not comply with the policy. These assignments are identified as **non-conforming** in order to be acted upon by knowledgeable users who can decide whether the assignment is warranted, such as security officers. -![**non-conforming** Assignments](/images/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) +![**non-conforming** Assignments](/images/identitymanager/governance_nonconforming.webp) A **non-conforming** assignment must be reviewed in Identity Manager by a knowledgeable user, and is therefore: diff --git a/docs/identitymanager/current/introduction-guide/overview/identity-management.md b/docs/identitymanager/current/introduction-guide/overview/identity-management.md index b4112030d7..02759762cf 100644 --- a/docs/identitymanager/current/introduction-guide/overview/identity-management.md +++ b/docs/identitymanager/current/introduction-guide/overview/identity-management.md @@ -1,4 +1,4 @@ ---- +--- title: "Identity Management" description: "Identity Management" sidebar_position: 10 
@@ -14,7 +14,7 @@ A company involves many sorts of identities: obviously employees, but also exter Companies often use about one system for each identity type. Identity Manager capitalizes on information from several source systems in order to build a **central repository** meant to contain all the data necessary to **manage all identities throughout their whole lifecycle**. -![Usercube's Repository](/images/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp) +![Usercube's Repository](/images/identitymanager/identities_repository.webp) Identity Manager's **central repository** acts as an intermediary between the systems that provide data, for example the HR system, and those that receive data, for example the Active Directory. This greatly reduces the complexity in the links between all systems. @@ -22,7 +22,7 @@ Without an intermediary, adding one system to a set of n systems requires up to Now with the **central repository** as an intermediary, implementing a new system requires only one more set of **rules**. The complexity becomes linear. -![quadratic-linear-complexity](/images/identitymanager/introduction-guide/overview/identity-management/quadratic-linear-complexity.webp) +![quadratic-linear-complexity](/images/identitymanager/quadratic-linear-complexity.webp) ## An Entity Relationship Model 
@@ -39,7 +39,7 @@ All this data is organized and modeled by **entities**. This concept is quite si > Another entity could be `SAB_User` to model SAB accounts owned by users from `Directory_User`. The > accounts from `SAB_User` could be related to groups from another entity `SAB_Group`. -![Entity Type - Schema](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) +![Entity Type - Schema](/images/identitymanager/entitytypecreation_schema.webp) These **entities**' instances are called **resources** in Identity Manager. A resource can be the digital identity of a user (human or bot), or an AD account or any other account, or an entry from the HR system, or the representation of a department of the company, etc. @@ -54,7 +54,7 @@ While Identity Manager provides a predefined model that should fit most organiz Each entity is related to a managed system, for example the Active Directory or SAB or ServiceNow, etc. The reading/writing data between the system and Identity Manager are ensured by **connectors**. So Identity Manager can be configured with one connector for each managed system. -![Connector Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) +![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp) For a given system, a connector contains: 
@@ -65,13 +65,13 @@ apply to manage entitlement assignment for this system. Thus, a connector enables **synchronization**, i.e. Identity Manager reading from a managed system via an [extract, transform, load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. -![**synchronization**](/images/identitymanager/introduction-guide/overview/overview_synchronization.webp) +![**synchronization**](/images/identitymanager/overview_synchronization.webp) > A typical example is the **synchronization** of the HR system's data to retrieve employees' personal > information. It also enables **provisioning**, i.e. Identity Manager writing to a managed system, but that is something we will dig into later. -![**provisioning**](/images/identitymanager/introduction-guide/overview/overview_provisioning.webp) +![**provisioning**](/images/identitymanager/overview_provisioning.webp) ## Repository Updates diff --git a/docs/identitymanager/current/introduction-guide/overview/index.md b/docs/identitymanager/current/introduction-guide/overview/index.md index 62f737ae39..0eedd0163e 100644 --- a/docs/identitymanager/current/introduction-guide/overview/index.md +++ b/docs/identitymanager/current/introduction-guide/overview/index.md @@ -1,4 +1,4 @@ ---- +--- title: "IGA and Netwrix Identity Manager" description: "IGA and Netwrix Identity Manager" sidebar_position: 10 
@@ -27,13 +27,13 @@ Typically, Identity Manager manages entitlements automatically according to a us To do so, Identity Manager capitalizes on information from several source systems in order to build a central repository. This repository should contain all the organizational data relevant for access management for all users, meaning not only employees but also contractors, bots, or any kind of identity. -![Synchronization](/images/identitymanager/introduction-guide/overview/overview_synchronization.webp) +![Synchronization](/images/identitymanager/overview_synchronization.webp) **This implies involving external systems.** Access management requires reading/writing data to/from varied systems and applications, like the Active Directory. Identity Manager provides an expanded set of connectors which contain the technology required for IGA-related data flows. -![Connectors](/images/identitymanager/introduction-guide/overview/overview_connectors.webp) +![Connectors](/images/identitymanager/overview_connectors.webp) See more details on [Identity Management](../../introduction-guide/overview/identity-management) and connection between systems. 
@@ -45,13 +45,13 @@ In addition, Identity Manager helps you determine identities' expected entitleme As each working environment has its own particularities, you will be able to refine the identity model by defining dimensions, i.e. criteria from among organizational data that will trigger the rules. -![Calculation](/images/identitymanager/introduction-guide/overview/overview_calculation.webp) +![Calculation](/images/identitymanager/overview_calculation.webp) **Finally, we need to actually give identities their entitlements and then govern them.** Identity Manager can be configured to provision the managed systems in order to apply the changes dictated by the role model. This provisioning can be done either directly, with automatic provisioning, or by notifying system administrators of the needed changes. Thus, identities finally get their entitlements. -![Provisioning](/images/identitymanager/introduction-guide/overview/overview_provisioning.webp) +![Provisioning](/images/identitymanager/overview_provisioning.webp) Furthermore, Identity Manager provides a few workflows for entitlement request or user data modification, which often include approval from a third party, hence identities get their entitlements securely. diff --git a/docs/identitymanager/current/preview-features.md b/docs/identitymanager/current/preview-features.md new file mode 100644 index 0000000000..5c8b401758 --- /dev/null +++ b/docs/identitymanager/current/preview-features.md 
@@ -0,0 +1,148 @@
+---
+title: "Preview Features"
+description: "Preview Features"
+sidebar_position: 40
+---
+
+# Preview Features
+
+Preview features are available so you can explore upcoming functionality early and share feedback before general availability. See [Providing Feedback](#providing-feedback) to share your experience.
+
+:::important
+Preview features are not recommended for use in production environments. They may be incomplete, subject to change, or behave unexpectedly. Activate preview features in preproduction environments only.
+:::
+
+## Activating Preview Features
+
+### SaaS
+
+The preview section is activated by default in preproduction environments. To enable a specific feature, navigate to **Settings → Preview** in the NIM UI and activate the feature you want to test.
+
+:::note
+Preview features are not activated in production.
+:::
+
+### On-Premises
+
+1. In the "FeatureFlags" section of your `appsettings.json` file, add the following:
+
+```json
+"FeatureFlags": {
+ "EnablePreviews": true
+}
+```
+2. Restart the server.
+3. Navigate to **Settings → Preview** in the NIM UI and activate the feature(s) you want to enable.
+
+---
+
+## What's currently in Preview Mode?
+
+### Multi-Certifier in Certification Campaigns
+
+:::note
+This feature is currently in preview. See [Activating Preview Features](#activating-preview-features) for setup instructions and safety guidance.
+:::
+
+#### Overview
+
+Multi-certifier support allows multiple reviewers to be assigned to the same item during a certification campaign. All assigned certifiers receive the review request simultaneously, and can act on it. The last certifier to make a decision and confirm it, will be recorded as the Reviewer. Once a decision is confirmed, the item is automatically removed from the queues of all other assigned certifiers.
+
+This behavior mirrors the existing multi-approver logic used in access requests and reconciliation tasks, bringing consistency to certification workflows.
+
+#### Why Multi-Certifier?
+
+Previously, only a single certifier could be assigned to a permission during a campaign. When multiple application owners existed, this created ambiguity about who was responsible, often resulting in:
+
+- Bottlenecks and missed deadlines
+- Unnecessary reassignment steps
+- Lower campaign completion rates
+
+With multi-certifier, all eligible reviewers can act immediately without waiting for a reassignment, improving both speed and clarity.
+
+#### How It Works
+
+##### Configuring the Reviewer Mode
+
+The reviewer mode is configured at the campaign level. When creating a campaign, a **Reviewer Mode** field offers two options:
+
+- **Single Reviewer**: The default behavior. NIM assigns the campaign item to the first eligible certifier it finds.
+- **Multiple Reviewers**: All users with permission rights to certify the item are notified and can act on it simultaneously.
+
+:::warning
+The Reviewer Mode is set at the time of campaign creation and **cannot be modified once the campaign has launched**. Make sure to select the appropriate mode before starting the campaign.
+:::
+
+##### Review Workflow
+
+1. **Notification**: All assigned certifiers receive a notification when a campaign item requires review.
+2. **Decisions remain visible**: Even after an item has been reviewed, other certifiers can still find it by filtering on **Approved** or **Refused**. The name of the certifier who made the most recent decision is shown in the **Reviewer** column.
+3. **Editing before confirmation**: As long as decisions have not been confirmed, any reviewer can edit and change a decision made by another certifier.
+4. **Confirmation locks decisions**: Once a reviewer confirms decisions, the decision can no longer be modified.
+
+:::note
+**On simultaneous conflicting decisions**: In rare cases where two certifiers submit conflicting decisions at the same moment, the system resolves the conflict by applying the **last received decision**, consistent with how conflicts are handled in role reviews elsewhere in the product.
+:::
+
+##### Confirming Decisions
+
+When a certifier clicks **Confirm Decisions**:
+
+- Only the decisions **that the certifier has personally made** are finalized.
+- Decisions made by other certifiers are confirmed independently when those certifiers confirm their own decisions.
+- Confirmed decisions **cannot be modified**.
+
+In the **Confirm Decisions** tab, each certifier can see a summary that includes:
+
+- Items **approved by me**
+- Items **approved by others**
+- Items **refused by me**
+- Items **refused by others**
+
+##### Campaign Reports
+
+Campaign reports show:
+
+| Scenario | Reviewer Column |
+|--|--|
+| Item has not yet been reviewed | Blank |
+| Item has been confirmed | Name of the certifier who acted |
+
+
+##### Audit Logs
+
+All certification actions are recorded in the system database, including:
+
+- The name of the certifier who made the decision
+- The decision that was made (approved or refused)
+- The date and time the decision was recorded
+
+---
+
+### Right-to-Left Language Support
+
+:::note
+This feature is currently in preview. See [Activating Preview Features](#activating-preview-features) for setup instructions and safety guidance.
+:::
+
+#### Overview
+
+Netwrix Identity Manager does not natively include any right-to-left (RTL) languages. However, with this preview feature activated, the NIM UI is capable of rendering in RTL layout when the appropriate translation files are provided.
+
+This allows organizations that operate in RTL languages, such as Arabic or Hebrew, to experience a correctly oriented interface without waiting for native language support to be added to the product.
+
+#### How It Works
+
+RTL support requires:
+
+1. **Provide your own translation files** for the RTL language you want to support. NIM does not supply these files, so your team or a localization partner will need to prepare them.
+2. **Activate the RTL preview feature** in the Preview section of the Settings in the UI, following the steps in the [Activating Preview Features](#activating-preview-features) section above.
+
+Once activated, the UI will adapt its layout to support right-to-left reading direction based on the language defined in your translation files.
+
+---
+
+## Providing Feedback
+
+Features in preview are in active development. If you encounter issues or have suggestions, please share your feedback with your Netwrix Identity Manager representative or through the support portal.
+
diff --git a/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-execution.md b/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-execution.md
index 0641cd594c..b962eb99fc 100644
--- a/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-execution.md
+++ b/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-execution.md
@@ -1,4 +1,4 @@
----
+---
 title: "Execute a Certification Campaign"
 description: "Execute a Certification Campaign"
 sidebar_position: 20
@@ -30,15 +30,15 @@ Execute certification by proceeding as follows: 1. Access the ongoing campaigns by clicking on the **Access Certification** section on the home page. -![Home - Access Certification](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp) +![Home - Access Certification](/images/identitymanager/home_accesscertification_v523.webp) On this page, all assignments to be reviewed are listed. -![Access Certification](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp) +![Access Certification](/images/identitymanager/certifcampaign_accesscertification_v602.webp) Each assignment can be commented by clicking on the corresponding icon. -![Comment Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) +![Comment Icon](/images/identitymanager/certifcampaign_iconcomment_v522.svg) 2. Choose one of the three possibilities to verify all assignments one by one: 
@@ -51,21 +51,21 @@ The **Recommended** icon indicates that the entitlement has been automatically g An absence of any icon indicates that the entitlement does not comply with the security policy. However, it has been manually granted or denied. Thus there is no recommendation, please review this entitlement **carefully**. ::: -![Recommendation Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg) +![Recommendation Icon](/images/identitymanager/certifcampaign_iconrecommendation_v522.svg) -![Discouragement Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg) +![Discouragement Icon](/images/identitymanager/certifcampaign_icondiscouragement_v522.svg) - Either click on the approval icon to confirm that this entitlement **is necessary** for this identity. -![Approval Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg) +![Approval Icon](/images/identitymanager/certifcampaign_iconapproval_v522.svg) - Or click on the decline icon to confirm that this entitlement **is not necessary** for this identity. -![Decline Icon](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) +![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg) - Or click on the three dots icon to highlight that this entitlement **is not part of your scope of responsibility **and forward it to the adequate person. -![Forward Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg) +![Forward Icon](/images/identitymanager/certifcampaign_iconforward_v522.svg) 3. Click on **Confirm Decisions** on the left of the page. 
@@ -75,15 +75,15 @@ If you've made an erroneous decision, exiting the page **before** confirming off Existing certification campaigns are listed on the page accessible via the **Access Certification Campaigns** button on the home page in the **Administration** section. -![Home - Access Certification Campaigns](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) +![Home - Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp) -![Campaigns Page](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp) +![Campaigns Page](/images/identitymanager/certifcampaign_campaigns_v602.webp) ### Get reports A **Download** button is available for each campaign. It downloads a CSV report that lists all the entitlement assignments to be reviewed, the corresponding reviewers and their decisions. -![Report Example](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp) +![Report Example](/images/identitymanager/certifcampaign_decisions_v522.webp) ### Send notifications @@ -95,5 +95,5 @@ Once entitlement assignments have been reviewed, the final step is to apply thes An **Apply Decisions** button is available for each campaign. It shows all the decisions made in the campaign. The campaign administrator can then decide to actually apply said decisions and generate the appropriate provisioning orders for **deprovisioning** unjustified entitlements. Said orders will be considered during the next provisioning job. -![Apply Decisions](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp) +![Apply Decisions](/images/identitymanager/certifcampaign_applydecisions_v602.webp) 
diff --git a/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-scheduling.md b/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-scheduling.md index a741c5d180..b8827ad35c 100644 --- a/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-scheduling.md +++ b/docs/identitymanager/current/user-guide/administrate/access-certification/certification-campaign-scheduling.md @@ -1,4 +1,4 @@ ---- +--- title: "Schedule a Certification Campaign" description: "Schedule a Certification Campaign" sidebar_position: 10 @@ -30,13 +30,13 @@ Create an access certification campaign by proceeding as follows: 1. Click on **Access Certification Campaigns** in the **Administration** section on the home page. - ![Home - Access Certification Campaigns](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + ![Home - Access Certification Campaigns](/images/identitymanager/home_accesscertificationcampaigns_v602.webp) 2. Click on the addition button at the top right and fill in the fields. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) - ![New Certification Campaign](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp) + ![New Certification Campaign](/images/identitymanager/certifcampaign_newcertificationcampaign_v602.webp) - `Identifier`: Must be unique among certification campaigns and must not contain whitespace. - `Name`: Will be displayed in the UI to identify the campaign. 
@@ -49,7 +49,7 @@ are configured via the [Access Certification](../../../integration-guide/governa - `Target Specificities`: [AccessCertificationDataFilter](../../../integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter) defines the campaign scope (e.g., by object type, category, approval state). The campaign uses the union of all specificities. - ![Target Specificities](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp) + ![Target Specificities](/images/identitymanager/certifcampaign_targetspecificities_v602.webp) The campaign will target permissions that meet the **intersection (AND)** of all criteria. @@ -58,11 +58,11 @@ When listing role tags, roles with **any matching tag (OR)** will be included. - `Target Owners`: Filters based on identity attributes for those whose access is being reviewed. All filters are combined using **intersection (AND)** logic. - ![Target Owner Filters](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp) + ![Target Owner Filters](/images/identitymanager/certifcampaign_targetowners_v602.webp) Additional filters may be available depending on the target entity type. - ![Target Owner Additional Filters](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp) + ![Target Owner Additional Filters](/images/identitymanager/certifcampaign_targetownersadditional_v603.webp) - `Individual Owner`: A single identity whose access is to be certified. - `Active Target`: Identities with a specific property (from `Directory_UserRecord`) 
@@ -73,11 +73,11 @@ modified since a given date. > The following campaign targets all assigned single roles for two specific users: > - > ![Campaign Example](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp) + > ![Campaign Example](/images/identitymanager/certifcampaign_example_v602.webp) 3. Click **Create** to add the campaign to the list. - ![Campaigns Page](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp) + ![Campaigns Page](/images/identitymanager/certifcampaign_newlycreated_v603.webp) 4. Apply changes by clicking **Launch** to run the access certification job. @@ -85,7 +85,7 @@ The job's logs are available via the **Job Results** button. > Example: > - > ![Execute Access Reviews Job](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp) + > ![Execute Access Reviews Job](/images/identitymanager/certifcampaign_job_v522.webp) ## Impact of Modifications diff --git a/docs/identitymanager/current/user-guide/administrate/assigned-roles.md b/docs/identitymanager/current/user-guide/administrate/assigned-roles.md index 663287eea3..5af3ff83ae 100644 --- a/docs/identitymanager/current/user-guide/administrate/assigned-roles.md +++ b/docs/identitymanager/current/user-guide/administrate/assigned-roles.md @@ -1,4 +1,4 @@ ---- +--- title: "Review and Modify Assigned Roles" description: "Review and Modify Assigned Roles" sidebar_position: 70 
@@ -48,11 +48,11 @@ Multiple filters can be combined simultaneously. Use filters to isolate specific Review the Assigned Roles by proceeding as follows: -![assignedroles](/images/identitymanager/user-guide/administrate/assigned-roles/assignedroles.webp) +![assignedroles](/images/identitymanager/assignedroles.webp) **Step 1 –** On the home page, in the Administration section of the UI click on Assigned Roles. -![assignedrolesscreen](/images/identitymanager/user-guide/administrate/assigned-roles/assignedrolesscreen.webp) +![assignedrolesscreen](/images/identitymanager/assignedrolesscreen.webp) **Step 2 –** View the list of users with different assigned roles and filter them by **Entity Type**, **Workflow State**, **Policy**, **Role** or by using a custom filter. diff --git a/docs/identitymanager/current/user-guide/administrate/manual-assignment-request.md b/docs/identitymanager/current/user-guide/administrate/manual-assignment-request.md index 8c5ad1339e..739bd4a666 100644 --- a/docs/identitymanager/current/user-guide/administrate/manual-assignment-request.md +++ b/docs/identitymanager/current/user-guide/administrate/manual-assignment-request.md @@ -1,4 +1,4 @@ ---- +--- title: "Request Entitlement Assignment" description: "Request Entitlement Assignment" sidebar_position: 60 
@@ -32,15 +32,15 @@ View the identity's entitlements by proceeding as follows: 1. Access the **user** directory from the home page. - ![Home Page - Directory **user**](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory **user**](/images/identitymanager/home_directoryuser_v523.webp) 2. Click on the **user** to be checked. - ![Workflow - **user**](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + ![Workflow - **user**](/images/identitymanager/datamodif_user_v602.webp) 3. Click on **View Permissions** to access the entitlement list. - ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) ## Modify Identity's Entitlements @@ -48,16 +48,16 @@ Act on an existing identity by proceeding as follows: 1. Access the **user** directory from the home page. - ![Home Page - Directory **user**](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory **user**](/images/identitymanager/home_directoryuser_v523.webp) 2. Click on the **user** to be modified. - ![Workflow - **user**](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + ![Workflow - **user**](/images/identitymanager/datamodif_user_v602.webp) 3. Click on **Actions** > **Modify Permissions** to launch the workflow for a manual entitlement request. - ![Workflow - Modify Permissions](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + ![Workflow - Modify Permissions](/images/identitymanager/datamodif_changeuser_v602.webp) 4. Follow the workflow's instructions to select entitlements and the action to be performed. You can: 
@@ -77,7 +77,7 @@ If the request is about assigning an entitlement via a role which requires at le In order to verify the process, check that the change you made in the **user**'s entitlements is displayed in their **View Permissions** tab in the directory. -![Home Page - Directory **user**](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) +![Home Page - Directory **user**](/images/identitymanager/home_directoryuser_v523.webp) -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) diff --git a/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md b/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md index 22d870d60c..5290f1cd82 100644 --- a/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md +++ b/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/property-reconciliation.md @@ -1,4 +1,4 @@ ---- +--- title: "Reconcile a Property" description: "Reconcile a Property" sidebar_position: 20 
@@ -42,11 +42,11 @@ reviewed too, its workflow state transitioned to `Manual` (if approved) or `Canc > each role on the **Role Reconciliation** screen, **and** one item for all changes in the AD account on > the **Resource Reconciliation** screen: > -> ![Example - Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> ![Example - Role Reconciliation](/images/identitymanager/reviewrole_examplerole_v602.webp) > -> ![Example - Resource Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> ![Example - Resource Reconciliation](/images/identitymanager/reviewrole_exampleresource_v602.webp) > -> ![Example - Resource Reconciliation - Properties](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) +> ![Example - Resource Reconciliation - Properties](/images/identitymanager/reviewrole_exampleresourceprop_v602.webp) ## Participants **and** Artifacts 
@@ -63,20 +63,20 @@ Review an unreconciled property by proceeding as follows: 1. Ensure that the task for the computation of the role model was launched recently, through the complete job on the **Job Execution** page - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) Or through the connector's overview page, **Jobs** > **Compute Role Model**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) 2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the home page. - ![Home Page - Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + ![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) 3. Select `Unreconciled properties` as a `Workflow State`. - ![Unreconciled Property](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp) + ![Unreconciled Property](/images/identitymanager/reviewprop_unreconciled_v522.webp) 4. Choose the default resource view or the property view with the top right toggle. See the Reconcile a Property topic for additional information. 
@@ -86,7 +86,7 @@ Reconcile a Property topic for additional information. > nominative SAB account associated with his email address. In the **Resource Properties to be > Verified** frame, there is one unreconciled property that happens to be `Group`. > - > ![Unreconciled Property Example](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp) + > ![Unreconciled Property Example](/images/identitymanager/reviewprop_example_v602.webp) - `Name`: unreconciled property name. - `Proposed Value`: value proposed by Identity Manager. 
@@ -104,49 +104,49 @@ Decisions must be made with caution as they cannot be undone. - Either click on the approval icon to update the property with the proposed value. It discards the whole property history. - ![Addition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + ![Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) - ![Edition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg) - ![Deletion Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + ![Deletion Icon](/images/identitymanager/reviewrole_icondelete_v602.svg) Automatic changes are essential for frequently-changing attributes. However, saving history information can sometimes be important for some attributes such as logins **and** emails. - Or click on the decline icon to not update the property **and** keep the resource value. In the future, this property will no longer be changed automatically. - ![Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + ![Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) Retaining manual control of changes for sensitive data (i.e. `SAMAccountName`) can be of interest. Identity Manager won't be able to change this data **and** the service account manager will avoid authentication errors. It can be interesting to keep manual some sensitive data changes like `SAMAccountName` for example, so that Identity Manager does not change it **and** the service account manager does not risk problems in authentication. - Or click on the postponement icon to delay the decision. An unreconciled property is ignored by Identity Manager, **and** therefore cannot be modified. 
- ![Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + ![Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) 7. Click on **Confirm Property Values**. 8. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ### Use property view By default, non-conforming assignments are listed by resource. It is possible to click on a resource **and** then access the list of all unreconciled properties for said resource. -![Resource View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be enabled by clicking on the `Property View` toggle at the top right corner. Once enabled, select a resource type to display all unreconciled properties linked to said resource type. In addition, select a property to display only the unreconciled properties linked to said resource type **and** property. -![Property View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. 
In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. -![Bulk Reconcile](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) ## Verify Property Reconciliation diff --git a/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md b/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md index b8d80a9a5f..d13a3bde05 100644 --- a/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md +++ b/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/role-reconciliation.md @@ -1,4 +1,4 @@ ---- +--- title: "Reconcile a Role" description: "Reconcile a Role" sidebar_position: 10 
@@ -45,11 +45,11 @@ reviewed too, its [Entitlement Assignment](../../../integration-guide/role-assig > each role on the **Role Reconciliation** screen, **and** one item for all changes in the AD account on > the **Resource Reconciliation** screen: > -> ![Example - Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> ![Example - Role Reconciliation](/images/identitymanager/reviewrole_examplerole_v602.webp) > -> ![Example - Resource Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> ![Example - Resource Reconciliation](/images/identitymanager/reviewrole_exampleresource_v602.webp) > -> ![Example - Resource Reconciliation - Properties](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) +> ![Example - Resource Reconciliation - Properties](/images/identitymanager/reviewrole_exampleresourceprop_v602.webp) ## Participants **and** Artifacts 
@@ -66,22 +66,22 @@ Review a non-conforming permission by proceeding as follows: 1. Ensure that the [Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) was launched recently, through the complete job on the **Job Execution** page - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) Or through the connector's overview page, **Jobs** > **Compute Role Model**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) 2. On the home page, click on the entity type that you want to manage in the **Role Reconciliation** section, to get to the non-conforming permissions page. - ![Home Page - Role Reconciliation](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + ![Home Page - Role Reconciliation](/images/identitymanager/home_rolereconciliation_v523.webp) - ![Role Reconciliation Page](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp) + ![Role Reconciliation Page](/images/identitymanager/reviewrole_rolereconciliation_v603.webp) Each non-conforming permission can be commented by clicking on the corresponding icon. - ![Comment Icon](/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + ![Comment Icon](/images/identitymanager/certifcampaign_iconcomment_v522.svg) 3. Choose one of the two possibilities to verify the permission: 
@@ -89,26 +89,26 @@ Contrary to resources, reviewed roles are then displayed on the **Role Review** - Either click on the approval icon to keep the non-conforming permission. - ![Approval Icon](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg) + ![Approval Icon](/images/identitymanager/orphan_iconapprove_v602.svg) - Or click on the decline icon to delete the non-conforming permission. - ![Decline Icon](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg) + ![Decline Icon](/images/identitymanager/orphan_icondecline_v522.svg) 4. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. See the [Provision](../../../user-guide/administrate/provisioning) topic for additional information. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ### Use bulk provisioning Several roles can be reconciled simultaneously by clicking on **Bulk Reconcile Roles**. -![Bulk Reconcile Roles](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp) +![Bulk Reconcile Roles](/images/identitymanager/reviewrole_rolereconciliationbulk_v603.webp) ## Verify Role Reconciliation In order to verify the process, check that the changes you ordered appear on the corresponding user's **View Permissions** tab. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) 
diff --git a/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md b/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md
index 3490a09062..34631b2842 100644
--- a/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md
+++ b/docs/identitymanager/current/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review.md
@@ -1,4 +1,4 @@
----
+---
 title: "Review an Unauthorized Account"
 description: "Review an Unauthorized Account"
 sidebar_position: 30
@@ -26,33 +26,33 @@ Review an unauthorized account by proceeding as follows: 1. Ensure that the [Compute Role Model Task](../../../integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask) was launched recently, through the complete job on the **Job Execution** page: - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) Or through the connector's overview page **Jobs** > **Compute Role Model**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) 2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the home page. - ![Home Page - Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + ![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) 3. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts appear with no owner. - ![Resource Reconciliation Page](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + ![Resource Reconciliation Page](/images/identitymanager/unauth_unauthorizedaccounts_v602.webp) 4. Choose the default resource view or the property view with the top right toggle. 5. Click on the line of an account with an owner. In the following example, the nominative LDAP account linked to the resource `U40897 / Internal Users / acme / com` has the owner `Maxime Guillot` with an 80% confidence rate. 
- ![Select Decision](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp) + ![Select Decision](/images/identitymanager/unauth_reviewunauthorized_v602.webp) The displayed confidence rate means that a rule actually assigned the account to the identity, but with a confidence rate too low to imply full automatic assignment. Approval will be required. See the [Classify Resources](../../../user-guide/set-up/categorization/classification) topic for additional information. The **Resource Properties** frame shows all the properties of the resources. They can be updated by clicking on the edit button. See the [Reconcile a Property](../../../user-guide/administrate/non-conforming-assignment-review/property-reconciliation) topic for additional information. - ![Edit Button](/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp) + ![Edit Button](/images/identitymanager/unauth_updateprop_v522.webp) 6. Select the appropriate decision. 
@@ -62,25 +62,25 @@ Decisions must be made with caution as they cannot be undone. 8. Trigger the [Provision](../../../user-guide/administrate/provisioning) by launching, on the appropriate connector's overview page **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. - ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ### Use property view By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource. -![Resource View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be enabled by clicking on the `Property View` toggle at the top right corner. Once enabled, select a resource type to display all unreconciled properties linked to said resource type. In addition, select a property to display only the unreconciled properties linked to said resource type and property. -![Property View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. 
-![Bulk Reconcile](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **Approve Current Values**, does not approve their unreconciled properties which will still be displayed on this screen. @@ -88,5 +88,5 @@ Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **A In order to verify the process, check that the changes you ordered appear on the corresponding user's **View Permissions** tab. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) diff --git a/docs/identitymanager/current/user-guide/administrate/orphan-unused-account-review.md b/docs/identitymanager/current/user-guide/administrate/orphan-unused-account-review.md index d5fe4c02f7..38ef452d1b 100644 --- a/docs/identitymanager/current/user-guide/administrate/orphan-unused-account-review.md +++ b/docs/identitymanager/current/user-guide/administrate/orphan-unused-account-review.md @@ -1,4 +1,4 @@ ---- +--- title: "Review Orphaned and Unused Accounts" description: "Review Orphaned and Unused Accounts" sidebar_position: 20 
@@ -16,11 +16,11 @@ The review of **unused** and orphaned accounts is essential to solve security an A list of all orphaned accounts can be found on some entity type pages. Said pages can be accessed through the menu items on the left of the home page, in the **Connectors** section. -![Home - Entity Types](/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) +![Home - Entity Types](/images/identitymanager/home_entitytypes_v602.webp) These entity type pages can be configured via XML to customize all displayed columns and available filters, especially the ****Orphan**** filter that spots uncorrelated resources, and the **Owner / Resource Type** column that shows the owner of each resource. See the[Create Menu Items](../../integration-guide/ui/create-menu-items) topic for additional information on customization. -![Owner / Resource Type Column](/images/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) +![Owner / Resource Type Column](/images/identitymanager/orphan_entitytype_v523.webp) In the ****Orphan**** field, select **Yes** to see all existing resources without an owner. @@ -65,7 +65,7 @@ Once this "**unused**" property is created, a list of all **unused** accounts ca The previous example about the AD's **isUnused** property can be complemented in the query module by displaying this property alongside users' **EmployeeId**. -![Query of Unused Accounts](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp) +![Query of Unused Accounts](/images/identitymanager/orphan_unusedquery_v602.webp) ## Participants and Artifacts 
@@ -79,11 +79,11 @@ At this point, integrators should have all the elements they need to operate as Review an orphaned account by proceeding as follows: -![Home Page - Resource Reconciliation](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) +![Home Page - Resource Reconciliation](/images/identitymanager/home_resourcereconciliation_v523.webp) **Step 1 –** Go to the **Resource Reconciliation** page, accessible from the corresponding section on the home page. -![Resource Reconciliation Page](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) +![Resource Reconciliation Page](/images/identitymanager/unauth_unauthorizedaccounts_v602.webp) **Step 2 –** Select **Unauthorized account** as the **Workflow State**. Orphaned accounts are those appearing with no owner. @@ -91,13 +91,13 @@ Review an orphaned account by proceeding as follows: **Step 4 –** Click on the line of an account without an owner. -![Select Owner](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp) +![Select Owner](/images/identitymanager/orphan_revieworphans_v602.webp) In the following example, the nominative AD account linked to the email address nathan.smith@acme.com has no owner. You can **Select owner** from the list by clicking on the check box. -![Owners List](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp) +![Owners List](/images/identitymanager/orphan_revieworphans-owners_v602.webp) **Step 5 –** Answer the following questions in order to understand the situation. 
@@ -123,7 +123,7 @@ there a rule to change? ::: See the schema below this note. -![Schema - Service Accounts](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp) +![Schema - Service Accounts](/images/identitymanager/orphan_serviceaccounts.webp) **Step 6 –** Select the appropriate owner or no owner at all, according to the previous analysis. 
@@ -141,17 +141,17 @@ By taking the necessary steps the **Orphan** account will be delete or authorize By default, non-conforming assignments are listed by resource. It is possible to click on a resource and then access the list of all unreconciled properties for said resource. -![Resource View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) +![Resource View](/images/identitymanager/orphan_resourceview_v523.webp) It can be helpful to have the non-conforming assignments regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be enabled by clicking on the **Property View** toggle at the top right corner. Once enabled, select a resource type to display all unreconciled properties linked to said resource type. In addition, select a property to display only the unreconciled properties linked to said resource type and property. -![Property View](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) +![Property View](/images/identitymanager/orphan_propertyview_v603.webp) The review process is the same with both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line. -![Bulk Reconcile](/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) +![Bulk Reconcile](/images/identitymanager/orphan_bulkreconcile_v603.webp) In addition, using property view enables bulk reconciliation to approve the proposed values or keep the current values for several resources simultaneously. 
@@ -159,7 +159,7 @@ In addition, using property view enables bulk reconciliation to approve the prop In order to verify the process, check that the line for your reviewed item has been removed from the **Resource Reconciliation** screen. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) In addition, if you reconciled an orphaned account with an owner, check the user's permissions to see said account. diff --git a/docs/identitymanager/current/user-guide/administrate/provisioning/automatic-provisioning.md b/docs/identitymanager/current/user-guide/administrate/provisioning/automatic-provisioning.md index 47bc6c063e..c4e219b441 100644 --- a/docs/identitymanager/current/user-guide/administrate/provisioning/automatic-provisioning.md +++ b/docs/identitymanager/current/user-guide/administrate/provisioning/automatic-provisioning.md @@ -1,4 +1,4 @@ ---- +--- title: "Provision Automatically" description: "Provision Automatically" sidebar_position: 30 @@ -16,7 +16,7 @@ In the lifecycle of a resource (entitlement assignment, resource creation, resou In an assignment request's lifecycle, provisioning automation implies skipping the `Transmitted` state as Identity Manager no longer waits for a user to make changes anymore. For this reason, an assignment request goes through the following provisioning states: -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp) +![Provisioning State Schema](/images/identitymanager/provauto_states_v523.webp) ## Participants and Artifacts 
@@ -36,7 +36,7 @@ There is no procedure to perform automated provisioning, for it is automatic and Make sure that the task used to compute and generate provisioning orders was launched after the request (or the provisioning review, if any), through the complete job in the **Job Execution** page. -![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) +![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) ## Verify Automated Provisioning @@ -44,7 +44,7 @@ In order to verify the process: 1. Select a test user in the directory, accessible from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Follow the manual assignment workflow through [Request Entitlement Assignment](../../../user-guide/administrate/manual-assignment-request) to make a change in one of their permissions, which involves automated provisioning. diff --git a/docs/identitymanager/current/user-guide/administrate/provisioning/index.md b/docs/identitymanager/current/user-guide/administrate/provisioning/index.md index 6da6df0830..97f46d97fe 100644 --- a/docs/identitymanager/current/user-guide/administrate/provisioning/index.md +++ b/docs/identitymanager/current/user-guide/administrate/provisioning/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Provision" description: "Provision" sidebar_position: 30 
@@ -68,17 +68,17 @@ In order to perform the provisioning you have to: In order to verify the process: -![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) +![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) **Step 1 :** Select a test user in the directory, accessible from the home page. **Step 2 :** Follow the manual assignment workflow to make a change in one of their entitlements, which involves the type of provisioning that you want to test. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) **Step 3 :** Check the provisioning state of the requested entitlement at every step, in the user's **View Permissions** tab. -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) +![Provisioning State Schema](/images/identitymanager/prov_stateschema_v523.webp) Whether your provisioning workflows trigger provisioning review, or whether they trigger manual or automated provisioning, below is the global state schema. diff --git a/docs/identitymanager/current/user-guide/administrate/provisioning/manual-provisioning.md b/docs/identitymanager/current/user-guide/administrate/provisioning/manual-provisioning.md index 73c783179c..4fe42de365 100644 --- a/docs/identitymanager/current/user-guide/administrate/provisioning/manual-provisioning.md +++ b/docs/identitymanager/current/user-guide/administrate/provisioning/manual-provisioning.md @@ -1,4 +1,4 @@ ---- +--- title: "Provision Manually" description: "Provision Manually" sidebar_position: 20 
@@ -16,7 +16,7 @@ In the lifecycle of a resource (entitlement assignment, resource creation, resou In its lifecycle, an assignment request goes through the following provisioning states: -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp) +![Provisioning State Schema](/images/identitymanager/provmanual_states_v523.webp) ## Participants and Artifacts 
@@ -37,22 +37,22 @@ Perform manual provisioning by proceeding as follows: 1. Ensure that the task to compute or generate provisioning orders was launched after the request (or the provisioning review, if any), through the complete job in the **Job Execution** page. - ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) - ![Manual Provisioning Screen](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp) + ![Manual Provisioning Screen](/images/identitymanager/provmanual_page_v603.webp) 2. Access the manual provisioning orders page by clicking on the entity type that you want to manage in the **Manual Provisioning** section. - ![Home Page - Manual Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + ![Home Page - Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp) 3. Choose a line to handle the corresponding provisioning order. 4. Creation, edition and deletion orders follow the same process: read Identity Manager's suggestions and create, edit or delete the appropriate resource directly in the managed system (outside Identity Manager). - ![Creation Provisioning Order](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp) + ![Creation Provisioning Order](/images/identitymanager/provmanual_createresource_v522.webp) - ![Creation Provisioning Order](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp) + ![Creation Provisioning Order](/images/identitymanager/provmanual_editresource_v522.webp) 5. Choose to confirm or report an error. 
@@ -60,7 +60,7 @@ suggestions and create, edit or delete the appropriate resource directly in the Several orders can be provisioned simultaneously by clicking on **Bulk Provision**. -![Bulk Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp) +![Bulk Provisioning](/images/identitymanager/provmanual_bulk_v603.webp) ## Verify Manual Provisioning @@ -68,14 +68,14 @@ In order to verify the process: 1. Select a test user in the directory, accessible from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Follow the workflow through [Request Entitlement Assignment](../../../user-guide/administrate/manual-assignment-request) to make a change in one of their permissions, which involves manual provisioning. 3. Perform manual provisioning and check the provisioning state of the requested entitlement at every step, in the user's **View Permissions** tab. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) 4. Check in your managed system that the change was effectively made. diff --git a/docs/identitymanager/current/user-guide/administrate/provisioning/provisioning-review.md b/docs/identitymanager/current/user-guide/administrate/provisioning/provisioning-review.md index c28b8b9626..9e72c48e6c 100644 --- a/docs/identitymanager/current/user-guide/administrate/provisioning/provisioning-review.md +++ b/docs/identitymanager/current/user-guide/administrate/provisioning/provisioning-review.md @@ -1,4 +1,4 @@ ---- +--- title: "Review Provisioning" description: "Review Provisioning" sidebar_position: 10 
@@ -16,7 +16,7 @@ For security purposes, provisioning orders sometimes need to be reviewed before In an assignment request's lifecycle, provisioning review adds a few steps between the moment when the request is issued and when provisioning orders are computed: -![Provisioning State Schema](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp) +![Provisioning State Schema](/images/identitymanager/provreview_states_v523.webp) ## Participants and Artifacts @@ -42,9 +42,9 @@ Review provisioning orders by proceeding as follows: 1. On the home page, click on the entity type that you want to manage in the **Provisioning Review** section. - ![Home Page - Provisioning Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + ![Home Page - Provisioning Review](/images/identitymanager/home_provisioningreview_v523.webp) - ![Provisioning Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp) + ![Provisioning Review](/images/identitymanager/provmanual_provreview_v602.webp) 2. Click on a line to access details and handle addition, association, update or deletion orders. 
@@ -52,13 +52,13 @@ Once reviewed, provisioning orders are to be executed by Identity Manager during Automatic provisioning orders are directly executed, while manual provisioning orders are listed on the **Manual Provisioning** page. - ![Fulfill Task](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + ![Fulfill Task](/images/identitymanager/synchro_resourcetype_v602.webp) ### Handle an addition order Identity Manager shows all the properties of the new resource to be created: -![Addition Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp) +![Addition Order Review](/images/identitymanager/provmanual_reviewaddition_v602.webp) - `Proposed Value`: value proposed by Identity Manager. - [Entitlement Assignment](../../../integration-guide/role-assignment/assignments-of-entitlements) @@ -75,15 +75,15 @@ Handle an addition order by proceeding as follows: - Either click on the approval icon to order the property creation with the proposed value. - ![Addition - Approval Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + ![Addition - Approval Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) - Or click on the decline icon to refuse the property creation. - ![Addition - Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) - Or click on the postponement icon to delay the decision. - ![Addition - Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) 2. Choose to confirm or ignore the creation. 
@@ -91,7 +91,7 @@ Handle an addition order by proceeding as follows: Identity Manager displays a given owner and a given resource to be associated with a given [Classify Resources](../../../user-guide/set-up/categorization/classification)and all resource properties to be verified: -![Association Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp) +![Association Order Review](/images/identitymanager/provmanual_reviewassociation_v602.webp) - `Confidence rate of proposed resource`: rate expressing the confidence in this [Correlate Resources](../../../user-guide/set-up/categorization/correlation). - `Proposed Value`: value proposed by Identity Manager. 
@@ -110,19 +110,19 @@ Handle an association order by proceeding as follows: - Either click on the approval icon to validate the proposed property value. - ![Addition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + ![Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg) - ![Edition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg) - ![Deletion Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + ![Deletion Icon](/images/identitymanager/reviewrole_icondelete_v602.svg) - Or click on the decline icon to refuse the property association. - ![Addition - Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg) - Or click on the postponement icon to delay the decision. - ![Addition - Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg) 2. Choose to confirm or deny the association. @@ -130,7 +130,7 @@ Handle an association order by proceeding as follows: Identity Manager shows a given resource and all resource properties to be verified: -![Edition Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp) +![Edition Order Review](/images/identitymanager/provmanual_reviewedition_v602.webp) - `Proposed Value`: value proposed by Identity Manager. - `Current Value`: value currently in the managed system. 
@@ -148,17 +148,17 @@ Handle an update order by proceeding as follows: - Either click on the approval icon to order the property update with the proposed value.
- ![Edition - Addition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg)
+ ![Edition - Addition Icon](/images/identitymanager/provmanual_iconapprove_v602.svg)
- ![Edition Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg)
+ ![Edition Icon](/images/identitymanager/provmanual_iconedit_v602.svg)
 - Or click on the decline icon to refuse the property update.
- ![Addition - Decline Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg)
+ ![Addition - Decline Icon](/images/identitymanager/provmanual_icondecline_v522.svg)
 - Or click on the postponement icon to delay the decision.
- ![Addition - Postponement Icon](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg)
+ ![Addition - Postponement Icon](/images/identitymanager/provmanual_iconpostpone_v522.svg)
 2. Click on **Confirm Property Values**.
@@ -166,7 +166,7 @@ Handle an update order by proceeding as follows: Identity Manager shows a given owner and their resources to be deleted:
-![Deletion Order Review](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp)
+![Deletion Order Review](/images/identitymanager/provmanual_reviewdeletion_v602.webp)
 Handle a deletion order by choosing either to confirm the deletion or to keep the resource.
@@ -174,17 +174,17 @@ Handle a deletion order by choosing either to confirm the deletion or to keep th By default, provisioning orders are listed by resource. It is possible to click on a resource and then access the list of all provisioning orders for that resource.
-![Resource View](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp)
+![Resource View](/images/identitymanager/provreview_resourceview_v603.webp)
 In addition, using resource view enables **bulk unblocking** for provisioning orders with errors.
-![Bulk Unblock](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp)
+![Bulk Unblock](/images/identitymanager/provreview_bulkunblock_v603.webp)
 It can be helpful to have the provisioning orders regrouped by property, as some of the changes can be similar, so very likely to be validated by the same user. This is why a property view can be enabled by clicking on the `Property View` toggle at the top right corner. Once enabled, select a resource type to display all provisioning orders linked to that resource type. In addition, select a property to display only the provisioning orders linked to these resource type and property.
-![Property View](/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp)
+![Property View](/images/identitymanager/provreview_propertyview_v603.webp)
 The review process is similar on both views. However with property view, reviewers don't click on a given line, but choose a decision directly on the left of the property line.
@@ -194,20 +194,20 @@ In order to verify the process: 1. Select a test user in the directory, accessible from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Follow the [Request Entitlement Assignment](../../../user-guide/administrate/manual-assignment-request) workflow to make a change in one of their permissions, which involves provisioning review. 3. Check that the provisioning state is `Pending` in the user's **View Permissions** tab.
- ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
 4. Click on **Jobs** > **Fulfill** on the corresponding connector's overview page, in the **Resource Types** frame, to execute the provisioning orders.
- ![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Home Page - Job Execution](/images/identitymanager/synchro_resourcetype_v602.webp)
 5. The orders using automated provisioning should be automatically handled with their state switching to `Executed`, while those using manual provisioning should appear on the **Manual Provisioning** page with their state switching to `Transmitted`.
-![Home Page - Manual Provisioning](/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp)
+![Home Page - Manual Provisioning](/images/identitymanager/home_manualprovisioning_v523.webp)
diff --git a/docs/identitymanager/current/user-guide/administrate/reporting.md b/docs/identitymanager/current/user-guide/administrate/reporting.md
index 4801f9737b..59535220d2 100644
--- a/docs/identitymanager/current/user-guide/administrate/reporting.md
+++ b/docs/identitymanager/current/user-guide/administrate/reporting.md
@@ -1,4 +1,4 @@
----
+---
 title: "Generate Reports"
 description: "Generate Reports"
 sidebar_position: 10
@@ -16,16 +16,16 @@ A few reporting tools are already available in Identity Manager, used in other p - the list of entitlements for a given user in their **View Permissions** tab;
- ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
 - the list of all requests that you are authorized to see in **Workflow Overview** accessible from the home page in the **Administration** section;
- ![Home - Workflow Overview](/images/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp)
+ ![Home - Workflow Overview](/images/identitymanager/home_workflowoverview_v602.webp)
 - the list of [Review Orphaned and Unused Accounts](../../user-guide/administrate/orphan-unused-account-review).
- ![Orphaned Account List](/images/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp)
+ ![Orphaned Account List](/images/identitymanager/orphan_entitytype_v523.webp)
 Identity Manager puts users in control of their reporting. Rich features help produce customizable reports that can be used to check the assignment policy results, or gather information for an audit.
@@ -57,9 +57,9 @@ Download predefined reports by proceeding as follows: 1. Click on **Reports** on the left of the home page to access the list of predefined reports.
- ![Home Page - Reports](/images/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp)
+ ![Home Page - Reports](/images/identitymanager/home_reports_v602.webp)
- ![Reports](/images/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp)
+ ![Reports](/images/identitymanager/reporting_predefinedreports_v602.webp)
 2. Choose the appropriate report and click on **Download** to get an Excel report. The downward-pointing arrow provides additional report formats.
@@ -78,21 +78,21 @@ Create a custom report by proceeding as follows: 1. Click on **Query** in the **Administration** section on the home page.
- ![Home Page - Query](/images/identitymanager/user-guide/administrate/reporting/home_query_v602.webp)
+ ![Home Page - Query](/images/identitymanager/home_query_v602.webp)
- ![Query Page](/images/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp)
+ ![Query Page](/images/identitymanager/reporting_querypage_v602.webp)
 2. Choose a query model from among the list. 3. Click on **Fields to Display** and select the appropriate fields from among the database [Universe](../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) and click on **Confirm**.
- ![Fields to Display](/images/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp)
+ ![Fields to Display](/images/identitymanager/reporting_fieldstodisplay_v522.webp)
 In cases where Identity Manager doesn't display correctly the information you need, you must try to understand the entity instances and association instances that constitute the [Universe](../../integration-guide/toolkit/xml-configuration/business-intelligence/universe) that you are working with. Perhaps the fields that you chose cannot be properly correlated. 4. Click on **Filters**, write the appropriate condition and click on **Confirm**.
- ![Filters](/images/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp)
+ ![Filters](/images/identitymanager/reporting_filters_v602.webp)
 For example, a report could list user names and identifiers but only those with their `Contract end date` less than today's date, so that we will see all the workers who have left the organization and are still stored in Identity Manager.
diff --git a/docs/identitymanager/current/user-guide/deploy/change-management.md b/docs/identitymanager/current/user-guide/deploy/change-management.md
index 667cae7d87..7a2ed52d79 100644
--- a/docs/identitymanager/current/user-guide/deploy/change-management.md
+++ b/docs/identitymanager/current/user-guide/deploy/change-management.md
@@ -1,4 +1,4 @@
----
+---
 title: "Plan Change Management"
 description: "Plan Change Management"
 sidebar_position: 10
@@ -24,13 +24,13 @@ interact with the project. Change management aims to support the teams throughout the **human process**.
-![Process of Change Management](/images/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp)
+![Process of Change Management](/images/identitymanager/changemanagement_process.webp)
 These processes include mandatory steps that all staff members have to go through, but not necessarily at the same pace. For that reason, change managers can benefit from the use of personas, i.e. creating characters that represent key populations. ## Participants and Artifacts
-![Actors of Change Management](/images/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp)
+![Actors of Change Management](/images/identitymanager/changemanagement_actors.webp)
 The aim of a Project Management Officer concerning critical stakeholders is to enable:
@@ -58,7 +58,7 @@ Run change management by proceeding as follows: 1. Identify the populations impacted by change. Below is an example of impacted populations that can vary enormously.
- ![Usual Populations](/images/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp)
+ ![Usual Populations](/images/identitymanager/changemanagement_populations.webp)
 2. For all listed populations, estimate their size and the expected impact on them, through indicators like the frequency of their future use of the solution. Use personas to represent key population members, such as VIP users that don't use the application much, or users not feeling comfortable with computers.
diff --git a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/directory-permissions.md b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/directory-permissions.md
index c1c1899763..dfc324ed73 100644
--- a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/directory-permissions.md
+++ b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/directory-permissions.md
@@ -1,4 +1,4 @@
----
+---
 title: "Set the Working Directory's Permissions"
 description: "Set the Working Directory's Permissions"
 sidebar_position: 40
@@ -21,34 +21,34 @@ Set the working directory's permissions by proceeding as follows: 1. Right-click on the working directory, for example `C:/identitymanager`, to select **Properties**, and in the **Security** tab, click on **Advanced**.
- ![Working Directory Properties: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp)
+ ![Working Directory Properties: Step 1](/images/identitymanager/prodagent_directoryproperties1.webp)
 2. In the **Permissions** tab, click on **Add**, and in the pop-up window click on **Select a principal**.
- ![Working Directory Properties: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp)
+ ![Working Directory Properties: Step 2](/images/identitymanager/prodagent_directoryproperties2.webp)
 3. Click on **Locations** to choose the current computer, and in the text area enter `iis apppool/identitymanager` (`Usercube` being the name of the previously created pool).
- ![Working Directory Properties: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp)
+ ![Working Directory Properties: Step 3](/images/identitymanager/prodagent_directoryproperties3.webp)
 An error at this point should come either from a mistake in the pool's name or in the selected location. 4. Click on **OK** and make sure that only the **Read and execute**, **List folder contents** and **Read** permissions are selected.
- ![Working Directory Properties: Step 4](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp)
+ ![Working Directory Properties: Step 4](/images/identitymanager/prodagent_directoryproperties4.webp)
 5. Click on **OK** in the windows until they are all closed. 6.
Right-click on the `Temp` folder to select **Properties**, and in the **Security** tab, click on **Edit**.
- ![Temp Folder Properties: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp)
+ ![Temp Folder Properties: Step 1](/images/identitymanager/prodagent_foldersproperties1.webp)
 7. Select the user corresponding to the pool and give them `Full control`.
- ![Temp Folder Properties: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp)
+ ![Temp Folder Properties: Step 2](/images/identitymanager/prodagent_foldersproperties2.webp)
 8. Click on **OK** in the windows until they are all closed. 9. Repeat the last few steps (those concerning the `Temp` folder) to apply them to the `Work` and
diff --git a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-configuration.md b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-configuration.md
index 536cb6a87a..d405a67dfc 100644
--- a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-configuration.md
+++ b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-configuration.md
@@ -1,4 +1,4 @@
----
+---
 title: "Configure the Pool and Site"
 description: "Configure the Pool and Site"
 sidebar_position: 30
@@ -24,39 +24,39 @@ Configure the application pool and site by proceeding as follows: IIS can usually be found in Windows' search menu, or from Server Manager by accessing the **Tools** menu.
- ![IIS: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp)
+ ![IIS: Step 1](/images/identitymanager/prodagent_iis1.webp)
 2. Right-click on **Application Pools** to add a new pool named `Usercube`.
- ![IIS: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp)
+ ![IIS: Step 2](/images/identitymanager/prodagent_iis2.webp)
 3. Right-click on **Sites** to add a new site named `Usercube`, make sure that the selected application pool is `Usercube` and set the `path` field to the `Runtime` folder.
- ![IIS: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp)
+ ![IIS: Step 3](/images/identitymanager/prodagent_iis3.webp)
 4. Right-click on the application pool to open its advanced settings and make sure that the following parameters are set as such:
- ![IIS: Step 4](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp)
+ ![IIS: Step 4](/images/identitymanager/prodagent_iis4.webp)
- ![IIS: Step 5](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp)
+ ![IIS: Step 5](/images/identitymanager/prodagent_iis5.webp)
 5. Make sure that IIS contains an SSL certificate, by accessing the home page of IIS server and double-clicking on **Server Certificates**. If the certificate is not ready yet, generate an auto-signed certificate.
- ![IIS Server Certificate: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp)
+ ![IIS Server Certificate: Step 1](/images/identitymanager/prodagent_servercertificate1.webp)
 If the certificate is not there yet, import it by clicking on **Import** in the right-side menu, and specify the certificate's path and password.
- ![IIS Server Certificate: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp)
+ ![IIS Server Certificate: Step 2](/images/identitymanager/prodagent_servercertificate2.webp)
 6. Add the certificate's URL to the site by right-clicking on the site, selecting **Edit Bindings** and clicking on **Add**, then choosing `https` as type, `443` as port, specifying the server's URL (without the `https` part) as host name, and finally selecting the server certificate.
- ![IIS Server Certificate: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp)
+ ![IIS Server Certificate: Step 3](/images/identitymanager/prodagent_servercertificate3.webp)
 Click on **OK**.
diff --git a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-installation.md b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-installation.md
index dfe9ba233e..a650ec176b 100644
--- a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-installation.md
+++ b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/iis-installation.md
@@ -1,4 +1,4 @@
----
+---
 title: "Install IIS via Server Manager"
 description: "Install IIS via Server Manager"
 sidebar_position: 20
@@ -20,29 +20,29 @@ Install IIS via Server Manager by proceeding as follows: 1. Open the Server Manager program and click on **Add roles and features**.
- ![Server Manager: Step 1](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp)
+ ![Server Manager: Step 1](/images/identitymanager/prodagent_servermanager1.webp)
 2. Click on **Next**, then in **Installation Type** make sure that **Role-based or feature-based installation** is selected and click on **Next**.
- ![Server Manager: Step 2](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp)
+ ![Server Manager: Step 2](/images/identitymanager/prodagent_servermanager2.webp)
 3. In **Server Selection** tick **Select a server from the server pool** and click on **Next**.
- ![Server Manager: Step 3](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp)
+ ![Server Manager: Step 3](/images/identitymanager/prodagent_servermanager3.webp)
 4. In **Server Roles** tick **Web Server (IIS)**.
- ![Server Manager: Step 4](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp)
+ ![Server Manager: Step 4](/images/identitymanager/prodagent_servermanager4.webp)
 5. In **Features** select **Remote Server Administration Tools** > **Role Administration Tools** > **AD DA and AD LDS Tools** > **AD DS Tools** > **AD DS Snap-Ins and Command-Line Tools**.
- ![Server Manager: Step 5](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp)
+ ![Server Manager: Step 5](/images/identitymanager/prodagent_servermanager5.webp)
 6. In **Confirmation** click on **Install**.
- ![Server Manager: Step 6](/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp)
+ ![Server Manager: Step 6](/images/identitymanager/prodagent_servermanager6.webp)
 ## Next Steps
diff --git a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/settings-files.md b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/settings-files.md
index 70b7332bf7..768babcb99 100644
--- a/docs/identitymanager/current/user-guide/deploy/production-agent-installation/settings-files.md
+++ b/docs/identitymanager/current/user-guide/deploy/production-agent-installation/settings-files.md
@@ -110,7 +110,7 @@ folder and **FromAddress** to `no-reply@.com`; For example (in `*appsettings.agent.json*`): ```json "PasswordResetSettings": { "TwoFactorSettings": { "ApplicationUri": "http://localhost:5000" }, "EncryptionCertificate": { "File": "../identitymanager.pfx", "Password": "secret" }, "MailSettings": { "PickupDirectory": "../Mails", "FromAddress": "no-reply@contoso.com" } } ```
- - **SourcesRootPaths** contains the path to the `Sources` folder.
+ - **SourcesRootPaths** contains the list of root folders from which the agent is allowed to read source files (CSV, Excel, etc.). There is no default — all paths are blocked until this is set. Configure it explicitly, even if only one folder is needed. For cloud installations, Netwrix configures this setting.
 For example (in `*appsettings.agent.json*`):
diff --git a/docs/identitymanager/current/user-guide/global-process/howto-maintaindirectory.md b/docs/identitymanager/current/user-guide/global-process/howto-maintaindirectory.md
index 2250935574..9a589b72e3 100644
--- a/docs/identitymanager/current/user-guide/global-process/howto-maintaindirectory.md
+++ b/docs/identitymanager/current/user-guide/global-process/howto-maintaindirectory.md
@@ -1,4 +1,4 @@
----
+---
 title: "How to Maintain the Workforce Directory"
 description: "How to Maintain the Workforce Directory"
 sidebar_position: 20
@@ -10,7 +10,7 @@ How to keep the workforce directory up to date. ## Overview
-![Process Schema - How to Implement a New System](/images/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp)
+![Process Schema - How to Implement a New System](/images/identitymanager/globalprocess_schemamaintain.webp)
 ## Process Details
diff --git a/docs/identitymanager/current/user-guide/global-process/howto-newsystem.md b/docs/identitymanager/current/user-guide/global-process/howto-newsystem.md
index 5e5b8d7ee2..d8b737e85a 100644
--- a/docs/identitymanager/current/user-guide/global-process/howto-newsystem.md
+++ b/docs/identitymanager/current/user-guide/global-process/howto-newsystem.md
@@ -1,4 +1,4 @@
----
+---
 title: "How to Implement a New System"
 description: "How to Implement a New System"
 sidebar_position: 30
@@ -18,7 +18,7 @@ The **option B** takes more time as it goes through the creation of the role mod The option B is more complicated and time-consuming than the option A, but leads to more gain. Be aware that **you can go through the process options simultaneously**.
-![Process Schema - How to Implement a New System](/images/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp)
+![Process Schema - How to Implement a New System](/images/identitymanager/globalprocess_schemaconnectsyst.webp)
 ## Process Details
diff --git a/docs/identitymanager/current/user-guide/global-process/howto-start.md b/docs/identitymanager/current/user-guide/global-process/howto-start.md
index f5a3cdc229..6e01c0264c 100644
--- a/docs/identitymanager/current/user-guide/global-process/howto-start.md
+++ b/docs/identitymanager/current/user-guide/global-process/howto-start.md
@@ -1,4 +1,4 @@
----
+---
 title: "How to Start"
 description: "How to Start"
 sidebar_position: 10
@@ -22,7 +22,7 @@ The options 2A and 2B are more complicated and time-consuming than the option 1, Netwrix Identity Manager (formerly Usercube) recommends the option 1 to be able to start IGA without waiting for the installation of an agent in your network, and go through the option 2 simultaneously.
-![Process Schema - How to Start with Usercube](/images/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp)
+![Process Schema - How to Start with Usercube](/images/identitymanager/globalprocess_schemastart.webp)
 ## Process Details
diff --git a/docs/identitymanager/current/user-guide/maintain/identity-data-modification/individual-update.md b/docs/identitymanager/current/user-guide/maintain/identity-data-modification/individual-update.md
index af07e565ea..36518c49eb 100644
--- a/docs/identitymanager/current/user-guide/maintain/identity-data-modification/individual-update.md
+++ b/docs/identitymanager/current/user-guide/maintain/identity-data-modification/individual-update.md
@@ -1,4 +1,4 @@
----
+---
 title: "Update an Individual Identity"
 description: "Update an Individual Identity"
 sidebar_position: 10
@@ -34,11 +34,11 @@ Declare a new worker by proceeding as follows: 1. Access the user directory from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. According to the type of the user to be declared, click on the corresponding button.
- ![Workflow - New User](/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp)
+ ![Workflow - New User](/images/identitymanager/datamodif_newuser_v602.webp)
 3. Follow the workflow's instructions to fill the form with the user's data, choose the user's entitlements from your role catalog and send the request. See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-roles-catalog-creation) topic for additional information.
@@ -49,25 +49,25 @@ Act on an existing identity by proceeding as follows: 1. Access the user directory from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Click on the user to be modified.
- ![Workflow - User](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp)
+ ![Workflow - User](/images/identitymanager/datamodif_user_v602.webp)
 3. Click on **Actions** or **Helpdesk** to select the action to perform.
- ![Workflow - Modify Permissions](/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp)
+ ![Workflow - Modify Permissions](/images/identitymanager/datamodif_changeuser_v602.webp)
 4. Follow the workflow's instructions. If the workflow has been configured in this way, the update request may require a review. In this case, sending the request triggers the display of said request on the **My Tasks** screen for the reviewer, while the state of the request is pending. In this case, the requested updates will be displayed in Identity Manager only after the request has been reviewed.
- ![Request - Review Pending](/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp)
+ ![Request - Review Pending](/images/identitymanager/datamodif_reviewpending_v523.webp)
 ## Verify Data Update In order to verify the process, check that the right data is displayed in the directory for the involved user.
-![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
diff --git a/docs/identitymanager/current/user-guide/maintain/identity-data-modification/mass-update.md b/docs/identitymanager/current/user-guide/maintain/identity-data-modification/mass-update.md
index 1a8348b4fb..8a31b331aa 100644
--- a/docs/identitymanager/current/user-guide/maintain/identity-data-modification/mass-update.md
+++ b/docs/identitymanager/current/user-guide/maintain/identity-data-modification/mass-update.md
@@ -1,4 +1,4 @@
----
+---
 title: "Update Identities in Bulk"
 description: "Update Identities in Bulk"
 sidebar_position: 30
@@ -35,22 +35,22 @@ Mass update identity data (in complete mode) by proceeding as follows: 1. Access the directory connector from **Connectors** on the home page, in the **Configuration** section.
- ![Home - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp)
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
 2. On the connector's page, choose the connection corresponding to identities. 3. In the connection's settings, download the Excel template full of the data from your database.
- ![Download Full Template](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp)
+ ![Download Full Template](/images/identitymanager/datamodif_downloadtemplatedata_v602.webp)
 4. Update the data that needs change. 5. Ensure that the field `Path (Complete mode)` is filled with the path of the source file. 6. Click on **Upload** and choose the file you modified with new data.
- ![Upload](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp)
+ ![Upload](/images/identitymanager/connection_upload_v602.webp)
 7. Click on **Check Connection** to verify the path.
- ![Check Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp)
+ ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp)
 8. Click on **Save & Close**. 9. Back on the connector's page, launch synchronization. See the
@@ -65,12 +65,12 @@ Mass update identity data (in incremental mode) by proceeding as follows: 1. Access the directory connector from **Connectors** on the home page, in the **Configuration** section.
- ![Home - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp)
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
 2. On the connector's page, choose the connection corresponding to identities. 3. In the connection's settings, download the empty Excel template.
- ![Download Full Template](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp)
+ ![Download Full Template](/images/identitymanager/datamodif_downloadtemplateempty_v602.webp)
 4. Fill only the data to be modified, specify the unique identifier for each entry (for correlation purposes), and fill the column `Command`, which can take a few available inputs:
@@ -93,11 +93,11 @@ already exists, create a new identity otherwise. 5. Ensure that the field `Path (Incremental mode)` is filled with the path of the source file. 6. Click on **Upload** and choose the file you modified with new data.
- ![Upload](/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp)
+ ![Upload](/images/identitymanager/connection_upload_v602.webp)
 7. Click on **Check Connection** to verify the path.
- ![Check Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp)
+ ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp)
 8. Click on **Save & Close**. 9. Back on the connector's page, launch synchronization. See the
@@ -112,14 +112,14 @@ In order to verify the process: - **Check manually a sample** in the `User` directory accessible from the home page. You should verify at least your own sheet and the sheets for your hierarchy. - ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) - Check that **every organization still has a manager**. Organizations are accessible in the `Department` directory accessible from the home page. - ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) - ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) If the system contains many organizations, then it is also possible to list them with their managers through the Query module. diff --git a/docs/identitymanager/current/user-guide/maintain/identity-data-modification/multiple-update.md b/docs/identitymanager/current/user-guide/maintain/identity-data-modification/multiple-update.md index 30c1fdf61c..7f898e3210 100644 --- a/docs/identitymanager/current/user-guide/maintain/identity-data-modification/multiple-update.md +++ b/docs/identitymanager/current/user-guide/maintain/identity-data-modification/multiple-update.md @@ -1,4 +1,4 @@ ---- +--- title: "Update Multiple Identities" description: "Update Multiple Identities" sidebar_position: 20 
@@ -33,16 +33,16 @@ Perform multiple updates by proceeding as follows: 1. Click on **Multiple Updates**, accessible from the directory on the home page. - ![Home Page - Multiple Updates](/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp) + ![Home Page - Multiple Updates](/images/identitymanager/home_multipleupdates_v523.webp) 2. Follow the workflow's instructions to perform the change, assign new entitlements if needed, and send the request. - ![Multiple Updates Form](/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp) + ![Multiple Updates Form](/images/identitymanager/datamodif_multipleform_v602.webp) If the workflow has been configured in this way, the update request may require a review. In this case, sending the request triggers the display of said request on the **My Tasks** screen for the reviewer, while the state of the request is pending. In this case, the requested updates will be displayed in Identity Manager only after the request has been reviewed. - ![Request - Review Pending](/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + ![Request - Review Pending](/images/identitymanager/datamodif_reviewpending_v523.webp) ## Verify Data Update 
@@ -51,14 +51,14 @@ In order to verify the process: - **Check manually a sample** in the `User` directory accessible from the home page. You should verify at least your own sheet and the sheets assigned to your hierarchy. - ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) - Check that **every organization still has a manager**. Organizations are accessible in the `Department` directory on the home page. - ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) - ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) If the system contains numerous organizations, it is also possible to list them with their managers through the Query module. diff --git a/docs/identitymanager/current/user-guide/maintain/troubleshooting.md b/docs/identitymanager/current/user-guide/maintain/troubleshooting.md index 1c7327dbe4..e022fabc00 100644 --- a/docs/identitymanager/current/user-guide/maintain/troubleshooting.md +++ b/docs/identitymanager/current/user-guide/maintain/troubleshooting.md @@ -1,4 +1,4 @@ ---- +--- title: "Troubleshoot" description: "Troubleshoot" sidebar_position: 20 
@@ -23,17 +23,17 @@ In order to troubleshoot Identity Manager efficiently, the user, usually an appl - the connector screens, especially the jobs available there; - ![Connector Jobs](/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp) + ![Connector Jobs](/images/identitymanager/troubleshooting_connectorjobs_v603.webp) - the resource screens (identities, accounts, etc.) with their data, and especially their history and sources; - ![User Data](/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp) + ![User Data](/images/identitymanager/troubleshooting_userdata_v603.webp) - basic workflows, for example the usual helpdesk workflow, that give access to users' entitlements and enable data modification and repair. - ![Helpdesk Workflow](/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp) + ![Helpdesk Workflow](/images/identitymanager/troubleshooting_helpdesk_v603.webp) ## Troubleshoot Synchronization Issues diff --git a/docs/identitymanager/current/user-guide/optimize/assignment-automation/automate-role-assignment.md b/docs/identitymanager/current/user-guide/optimize/assignment-automation/automate-role-assignment.md index aa5edfafd4..cadad7d236 100644 --- a/docs/identitymanager/current/user-guide/optimize/assignment-automation/automate-role-assignment.md +++ b/docs/identitymanager/current/user-guide/optimize/assignment-automation/automate-role-assignment.md @@ -1,4 +1,4 @@ ---- +--- title: "Automate Role Assignments" description: "Automate Role Assignments" sidebar_position: 10 
@@ -29,20 +29,20 @@ Create a role assignment rule by proceeding as follows: 1. Access the rules page by clicking on **Access Rules** on the home page in the **Configuration** section. - ![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp) 2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. - ![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) 3. Click on the **Composite Roles** or **Single Roles** tab and on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 4. Fill in the fields. - ![Create an Assignment Rule](/images/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp) + ![Create an Assignment Rule](/images/identitymanager/assignmentrules_newsrolerule_v602.webp) - `Single Role`: single role to be automatically assigned in a single role rule. `Composite Role` for a composite role rule. 
@@ -82,16 +82,16 @@ In order to verify the process, start by checking the rule's details on the **Ac 1. Select a test user in the directory, accessible from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Create a role assignment rule for a role that said user doesn't already have, and based on criteria which the selected user satisfies. 3. Trigger the computation of the role model through the complete job on the **Job Execution** page in the **Administration** section. - ![Home - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + ![Home - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) 4. See the **new** permission in the user's **View Permissions** tab. - ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) diff --git a/docs/identitymanager/current/user-guide/optimize/assignment-automation/index.md b/docs/identitymanager/current/user-guide/optimize/assignment-automation/index.md index cff720b449..76cb2cc2ee 100644 --- a/docs/identitymanager/current/user-guide/optimize/assignment-automation/index.md +++ b/docs/identitymanager/current/user-guide/optimize/assignment-automation/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Automate Assignments" description: "Automate Assignments" sidebar_position: 60 
@@ -20,7 +20,7 @@ entitlements in the managed systems, through [Create Roles in Bulk](../../../use [Conforming Assignments](../../../integration-guide/role-assignment/conformingassignmentcomputation) topic for additional information. 3. Automation of the creation of said assignment rules through [Perform Role Mining](../../../user-guide/optimize/assignment-automation/role-mining), based on existing data analysis. -![Automation Concept](/images/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp) +![Automation Concept](/images/identitymanager/automation_schema.webp) Assignment rules can sometimes give to users an entitlement that they had already received manually. Hence, new assignment rules can imply redundancies between the entitlements assigned manually and approved, and those calculated by a rule and assigned automatically. @@ -38,7 +38,7 @@ all the entitlements required for them to start working. Even with roles aiming The entitlement management cost mainly varies according to the number of managed entitlements. Manual processing for entitlement requests implies a linear growth of the management cost according to the number of managed entitlements. -![Optimal Cost Chart - Manual Assignments](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp) +![Optimal Cost Chart - Manual Assignments](/images/identitymanager/automation_optimalcost_manual.webp) ### Automation benefits 
@@ -50,7 +50,7 @@ masters false positive assignments (entitlements assigned to a user while they o - Machine Learning can compute the role model way faster than a person. Consequently, the model can be computed more frequently and thus sticks closer to reality. -![Optimal Cost Chart - Automation Benefits](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp) +![Optimal Cost Chart - Automation Benefits](/images/identitymanager/automation_optimalcost_automationbenefits.webp) Automation helps integrators find basic assignment rules and face the previous risks, thus reducing cost. @@ -72,7 +72,7 @@ In a way, maturity with Machine Learning in IGA is much like a GPS: once we trav However, automation implies an increasing number of rules. And a high number of rules implies a certain complexity in rule model understanding, and consequently hiring expensive expert contractors to write the right rules. It drives up costs considerably and draws you near the automation wall. -![Optimal Cost Chart - Automation Limits](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp) +![Optimal Cost Chart - Automation Limits](/images/identitymanager/automation_optimalcost_automationlimits.webp) The automation wall represents the automation threshold that cannot be overcome. It mostly comes from the fact that with limited data, automation capabilities are also limited. Everything cannot be automated. 
@@ -80,7 +80,7 @@ The automation wall represents the automation threshold that cannot be overcome. The idea is to stop automation when the automatic cost curve increases faster than the manual cost curve. The optimal profitability is represented on the chart and can be achieved via the optimal mix of automatic and manual assignments. -![Optimal Cost Chart](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp) +![Optimal Cost Chart](/images/identitymanager/automation_optimalcost.webp) Automation strategy consists in using Machine Learning through Role Mining to get closer to the automation wall. And, as Role Mining doesn't enable overcoming said wall, the goal is to move the wall further away by improving data quality and quantity. @@ -102,7 +102,7 @@ The process of assignment automation is the following: Role Mining covers more use cases than writing assignment rules manually. It diminishes the error rate and implies a lower execution cost. And thus, it brings the optimal cost closer to the automation wall. - ![Optimal Cost Chart - Role Mining](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp) + ![Optimal Cost Chart - Role Mining](/images/identitymanager/automation_optimalcost_rolemining.webp) **Enlarge the number of managed entitlements by tolerating errors:** 
@@ -119,22 +119,22 @@ BI to assess the automation wall and identify improvement areas. > except for `SharePoint Projects`. This fact reveals a low level of awareness among the workers > about their respective projects. This is a typical area for improvement in data quality. > - > ![Data Quality Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp) + > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex.webp) > For example, if charts show a high number of identities in the category `No Position`, > integrators understand that the data model must be completed for role mining to be efficient. > - > ![Data Quantity Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp) + > ![Data Quantity Example](/images/identitymanager/automation_dataquality_ex2.webp) > For example, if charts show a high number of unused roles, integrators understand that the > role model needs further improvement because roles are not adequate. > - > ![Data Quality Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp) + > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex3.webp) > For example, if charts show low automation rate per department, integrators will understand > that many identities may have switched departments while keeping their previous entitlements. > - > ![Data Quality Example](/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp) + > ![Data Quality Example](/images/identitymanager/automation_dataquality_ex4.webp) 3. Improve data quality and quantity to move the automation wall. 
@@ -142,7 +142,7 @@ Whether automatic or manual, assignment decisions are based on existing data ana Improvement in existing data quantity and quality entails the possibility of managing a higher number of entitlements. - ![Optimal Cost Chart - Improved Data](/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp) + ![Optimal Cost Chart - Improved Data](/images/identitymanager/automation_optimalcost_data.webp) A high quantity of data simplifies data analysis and inferences in assignment rules. diff --git a/docs/identitymanager/current/user-guide/optimize/assignment-automation/remove-redundant-assignments.md b/docs/identitymanager/current/user-guide/optimize/assignment-automation/remove-redundant-assignments.md index 8ab498d755..dc33d4dcf8 100644 --- a/docs/identitymanager/current/user-guide/optimize/assignment-automation/remove-redundant-assignments.md +++ b/docs/identitymanager/current/user-guide/optimize/assignment-automation/remove-redundant-assignments.md @@ -1,4 +1,4 @@ ---- +--- title: "Remove Redundant Assignments" description: "Remove Redundant Assignments" sidebar_position: 30 
@@ -37,13 +37,13 @@ The **classic behavior** gives priority to **approved** manual entitlements over For example, consider a user who has a given entitlement which was assigned to them manually on several distinct time periods. When creating a rule that assigns the same entitlement to them automatically on a given time period, then we have: -![Schema - Compute Role Model](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp) +![Schema - Compute Role Model](/images/identitymanager/redundantassignments_examplewithout.webp) The **redundant assignment analysis** gives priority to the rules inside the role model and the policy. When an entitlement is assigned via a rule, it is stated as **calculated**, even if it is also assigned manually. Thus, manual assignments whose start and end dates overlap with the validity period are to be truncated or deleted. For example, consider the same situation as before. Using the redundant assignments analysis, then we have: -![Schema - **redundant assignment analysis**](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp) +![Schema - **redundant assignment analysis**](/images/identitymanager/redundantassignments_examplewith.webp) Redundant assignments can be removed by Identity Manager only when the corresponding assigned items are tagged as redundant and displayed in the most recent report. The manual assigned items that are not tagged are still kept as discretionary entitlements and will not be removed. 
@@ -61,11 +61,11 @@ See the [Create Roles in the Role Catalog](../../../user-guide/set-up/single-rol Remove redundant assignments by proceeding as follows: -![Home Page - Redundant Assignments](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) +![Home Page - Redundant Assignments](/images/identitymanager/home_redundantassignments_v602.webp) **Step 1 –** Click on **Redundant Assignments** on the home page in the **Administration** section. -![Redundant Assignments - Buttons](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp) +![Redundant Assignments - Buttons](/images/identitymanager/redundantassignments_buttons_v602.webp) **Step 2 –** Click on **Analyze** to tag the manual roles and resource types from all policies eligible for conversion to an automatic state. @@ -74,7 +74,7 @@ Remove redundant assignments by proceeding as follows: ::: **Step 3 –** Click on **Download Excel** to download a dedicated XLSX report which contains one tab per entity type representing identities. -![Redundant Assignments - Report Example](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp) +![Redundant Assignments - Report Example](/images/identitymanager/redundantassignments_reportexample_v602.webp) The example states that in the entity type Directory_User, the user Nicholas Acosta had the single role Banking/Sales/Eunomia/Administrator starting from February 28th 2023 (dateA) until May 16th (dateD). A new single role rule assigns him this role from April 14th (dateB) until 25th 2023 (dateC). 
@@ -86,17 +86,17 @@ It means that Nicholas Acosta will have the role in the ****calculated**** state In order to verify the process: -![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) +![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) **Step 1 –** Access the user directory from the home page. -![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) +![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp) **Step 2 –** For one of the users mentioned in the report, access their permissions. **Step 3 –** Check that their roles (mentioned in the report) have actually switched from **approved** to **calculated**. -![Redundant Assignments - Result](/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp) +![Redundant Assignments - Result](/images/identitymanager/redundantassignments_reportexampleverif_v602.webp) When **removing redundant assignments** based on the previous report example the setting will be as above. diff --git a/docs/identitymanager/current/user-guide/optimize/assignment-automation/role-mining.md b/docs/identitymanager/current/user-guide/optimize/assignment-automation/role-mining.md index 1c60cb8fb6..2c0cf0be2f 100644 --- a/docs/identitymanager/current/user-guide/optimize/assignment-automation/role-mining.md +++ b/docs/identitymanager/current/user-guide/optimize/assignment-automation/role-mining.md @@ -1,4 +1,4 @@ ---- +--- title: "Perform Role Mining" description: "Perform Role Mining" sidebar_position: 20 
@@ -19,7 +19,7 @@ After the role catalog is established, the Compute Role Model Task task is able Now that users received their roles, the role mining tool can analyze these assignments and deduce [Single Role Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) which will assign single roles to certain users matching given criteria. -![Schema - Role Mining](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) +![Schema - Role Mining](/images/identitymanager/rolemining_schema.webp) Role mining is a Machine Learning process. It is a statistic tool used to emphasize the [Single Role Rule](../../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) that constitute the key criteria for existing role assignments. It detects the most probable links between identities dimensions and their roles in order to suggest the appropriate entitlement assignment rules. 
@@ -38,17 +38,17 @@ Mining rules can be configured to generate: 1. **automatic rules**, i.e. rules which assign roles automatically with or without a validation; 2. **suggested rules**, i.e. rules which don't assign roles directly, but suggest them during an entitlement request for a user. - ![Suggested](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + ![Suggested](/images/identitymanager/rolemining_suggested_v602.webp) You can generate both automatic and **suggested rules** for the same role, with different precision levels and different approval workflows. > Consider an organization where an unknown ratio of users have a given role. Using the precision settings, we can create a mining rule to generate automatic assignment rules when the ratio is above 95% and a second mining rule to generate suggested assignment rules when the ratio is between 75% and 95%. > -> ![Rule Types](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) +> ![Rule Types](/images/identitymanager/rolemining_ruletype.webp) You can also differentiate entitlements according to their sensitivity, for example require additional reviews following the request of a sensitive entitlement: -![Rule Types - Sensitivity](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) +![Rule Types - Sensitivity](/images/identitymanager/rolemining_ruletype-sensitivity.webp) The automation of entitlement assignments according to sensitivity brings greater confidence in basic entitlements assignment which won't need to be certified anymore. Thus, automation lets certification campaigns focus on more sensitive entitlements. 
@@ -72,15 +72,15 @@ Create a mining rule by proceeding as follows: 1. On the home page in the **Configuration** section, click on the **Role Mining** button. - ![Home page - Connectors](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp) + ![Home page - Connectors](/images/identitymanager/home_rolemining_v60.webp) You will see all existing mining rules. 2. Click on the addition button at the top right and fill in the fields. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) - ![**new** Mining Rule](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp) + ![**new** Mining Rule](/images/identitymanager/rolemining_miningrule_v602.webp) - `Policy`: [Create a Policy](../../../user-guide/optimize/policy-creation) in which the mining rule exists. - `Entity Type`: @@ -112,7 +112,7 @@ Automation reduces the error rate by avoiding human mistakes. Errors can still o 1. Click on **Create** and see a line added on the rules page. 2. Click on **Simulate** to perfom role mining in a simulation. See the[Perform a Simulation](../../../user-guide/optimize/simulation) topic for additional information. - ![Role Mining Jobs](/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp) + ![Role Mining Jobs](/images/identitymanager/rolemining_launchjob_v602.webp) :::info If you need to bypass the simulation process, clicking on **Launch** will perform role mining and apply its results directly. NETWRIX recommends always performing role mining in simulation. 
@@ -127,7 +127,7 @@ Netwrix Identity Manager (formerly Usercube) recommends [Removing Redundant Assi In order to verify the process, access the rule list from the home page. -![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) +![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) Select **Single Roles** and check that the single role rules are created with the right parameters. diff --git a/docs/identitymanager/current/user-guide/optimize/composite-role-creation.md b/docs/identitymanager/current/user-guide/optimize/composite-role-creation.md index f69ce6810a..a3af676618 100644 --- a/docs/identitymanager/current/user-guide/optimize/composite-role-creation.md +++ b/docs/identitymanager/current/user-guide/optimize/composite-role-creation.md @@ -1,4 +1,4 @@ ---- +--- title: "Create a Composite Role" description: "Create a Composite Role" sidebar_position: 70 @@ -12,7 +12,7 @@ How to define composite **roles** in order to create sets of single **roles** ea A composite role is a set of single **roles** that are usually assigned together, because they revolve around the same application, or the same job, etc. Composite **roles** are aggregates of single **roles**, they can help organize the role catalog. See the [Composite Role](../../integration-guide/toolkit/xml-configuration/provisioning/compositerole) topic for additional information. -![Schema](/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp) +![Schema](/images/identitymanager/compositeroles_applicativeroles.webp) A composite role is a business role comprehensible by managers. It provides an additional layer of abstraction above existing entitlements and single **roles**. We can say that if a single role allows a user to perform a task, a composite role allows them to perform a job. 
@@ -22,7 +22,7 @@ Composite **roles** can also be created based on the **rules** provided by Role The following example shows single **roles** from A to F. Role Mining suggested the **rules** on the schema, linking these single **roles** to the organizations R&D and Project as well as to the functions developer, writer, contractor and project manager. The idea is to use these **rules** to create composite **roles**. Here, we clearly have one role for R&D-developer, one for R&D-writer, Project-contractor and Project-project manager. Thus, it is clear here that composite **roles** add an abstraction layer. -![Example](/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp) +![Example](/images/identitymanager/compositeroles_schema.webp) Single role **rules** link composite **roles** to single **roles**: a single role rule states that specific single **roles** are assigned according to specific criteria, particularly composite **roles**. See the [Single Role Rule](../../integration-guide/toolkit/xml-configuration/provisioning/singlerolerule) and [Create **roles** in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation)topics for additional information. Thus, a composite role assignment can imply specific single role assignments. 
@@ -42,13 +42,13 @@ Create a composite role by proceeding as follows: **Step 1 :** On the home page in the **Configuration** section, click on **Access **roles**** to access the **roles** page. -![Home Page - Access **roles**](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) +![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp) **Step 2 :** On the **roles** page, click on the adequate category and create a role by clicking on **+ New** at the top right corner. **Step 3 :** Fill in the fields. -![singlerolescatalog_createcompositerole_v62](/images/identitymanager/user-guide/optimize/composite-role-creation/singlerolescatalog_createcompositerole_v62.webp) +![singlerolescatalog_createcompositerole_v62](/images/identitymanager/singlerolescatalog_createcompositerole_v62.webp) - **Identifier**: must be unique among **roles** and without any whitespace. - **Name**: will be displayed in the UI to identify the single role. @@ -89,11 +89,11 @@ In order to verify the process, check that the role and rule are created with th For **roles**, click on **Access **roles**** on the home page in the **Configuration** section. -![Home Page - Access **roles**](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) +![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp) Select composite **roles** and find the role you created inside the right category and with the right parameters. -![Access Composite **roles**](/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp) +![Access Composite **roles**](/images/identitymanager/compositeroles_testroles_v602.webp) For **rules**, follow the instructions about assignment **rules**. See the [Automate Role Assignments](../../user-guide/optimize/assignment-automation/automate-role-assignment) 
diff --git a/docs/identitymanager/current/user-guide/optimize/hr-connector-creation.md b/docs/identitymanager/current/user-guide/optimize/hr-connector-creation.md
index 5f282702bb..3ceda428c1 100644
--- a/docs/identitymanager/current/user-guide/optimize/hr-connector-creation.md
+++ b/docs/identitymanager/current/user-guide/optimize/hr-connector-creation.md
@@ -1 +1,126 @@
-
\ No newline at end of file
+---
+title: "Create an HR Connector"
+description: "Create an HR Connector"
+sidebar_position: 20
+---
+
+# Create an HR Connector
+
+How to create a connector dedicated to the automation of identity management (creation, update,
+deletion), via the synchronization of HR data into Identity Manager and internal provisioning. See
+the[Connect to a Managed System](/docs/identitymanager/current/user-guide/set-up/connect-system/index.md)provisioning.
+
+## Overview
+
+### HR connector in the global process
+
+The HR connector is no priority but rather an optimization, handled at the end of the configuration
+cycle.
+
+The HR connector is sometimes the first created connector, used to develop the identity repository.
+
+However, the HR connector requires a specific IT infrastructure (agent, proxy, Virtual Machine,
+etc.) which can take time to implement, and delay the project's progress.
+
+Moreover, in the long run it poses a few problems as HR data usually misses crucial information such
+as contractor data, or the projects employees are working on. This can mean that:
+
+- the identity repository is filled using several sources. And when creating identities
+ automatically from HR data and other sources, you need to specify which properties of each
+ identity can be overwritten by a change in HR and which cannot. This is to avoid manually changed
+ attributes being overwritten by the HR data by mistake. This is very tedious.
+- the HR data is rarely up to date early enough to be really useful as a trigger for identity
+ creation and deletion. As a result, identities end up being created manually through workflows
+ most of the time.
+
+Hence we choose to build the first iteration of the project upon a manual data upload to
+[Create the Workforce Repository](/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/index.md).
+
+This way, we do not have to wait for the agent's implementation to create the first profiles and
+start connecting systems (AD, SAB, SAP, etc.). Thus value is created faster and we can focus on IGA
+activities such as the review of orphaned and unused accounts, eliminating risk earlier in the
+process.
+
+We can still connect HR data, later on, to check consistency between our identity repository and HR
+data, through a certification-like process.
+
+### Technical details
+
+An HR connector is considered an inbound connector, as it writes to the central identity repository
+inside Identity Manager.
+
+![Inbound System=](/images/identitymanager/connectorcreation_inbound.webp)
+
+As Identity Manager is able to feed all managed systems, it can also feed itself thanks to specific
+connections such as the
+[InternalWorkflow](/docs/identitymanager/current/integration-guide/connectors/references-connectors/internalworkflow.md)
+connection. It means that the corresponding connector is able to launch workflows within Identity
+Manager and keep track.
+
+Typically, an HR connector with such a connection would be able to launch workflows inside Identity
+Manager for identity creation, update and deletion, based on HR files.
+
+## Participants and Artifacts
+
+This operation should be performed in cooperation with HR staff who can access HR data.
+
+| Input | Output |
+| ------------------------------- | ------------ |
+| Identity Repository. (required) | HR connector |
+
+See the [Create the Workforce Repository](/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/index.md)topic
+for additional information.
+
+## Create an HR Connector
+
+Create an HR connector by proceeding as follows:
+
+1. Outside Identity Manager,
+ [Model the Data](/docs/identitymanager/current/user-guide/set-up/connect-system/connector-modeling.md)of your connector.
+2. Declare an HR connector using your local agent. See the
+ [Create the Connector](/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration.md) topic for
+ additional information.
+
+ ![HR Connector Declaration](/images/identitymanager/hr_connectordeclaration_v602.webp)
+
+3. Create an Export CSV connection for each HR file to connect. See the
+ [Create a Connection](/docs/identitymanager/current/user-guide/set-up/connect-system/connection-creation.md) topic for
+ additional information.
+
+ ![HR Connection](/images/identitymanager/hr_connection_v602.webp)
+
+4. [Create an Entity Type](/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/index.md) corresponding
+ to your model. For example:
+
+ ![HR Entity Type - Scalar Properties](/images/identitymanager/hr_entitytypes_v602.webp)
+
+ ![HR Entity Type - Navigation Properties](/images/identitymanager/hr_entitytypen_v602.webp)
+
+5. Don't forget to reload and [Synchronize Data](/docs/identitymanager/current/user-guide/set-up/synchronization.md) to access
+ HR data within Identity Manager.
+
+ ![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp)
+
+ ![Synchronize Job](/images/identitymanager/synchro_executionjobs_v602.webp)
+
+## Verify HR Connector Creation
+
+In order to verify the process:
+
+1. Launch synchronization.
+2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that
+ synchronization completed successfully.
+
+ ![Jobs Results](/images/identitymanager/synchro_results_v603.webp)
+
+3. Check that the entity types have been added to the left menu of the home page.
+
+ ![Test Entity Type](/images/identitymanager/hr_validatemenu_v600.webp)
+
+4. Access the relevant entity types (from the menu items on the left of the home page) to check
+ synchronized resources, by navigating in the UI from the accounts through a sample of
+ associations, via the Eye icon:
+
+ ![Eye Icon](/images/identitymanager/iconeye_v600.svg)
+
+ You should seek configuration validation, not validation of the actual data being synchronized.
diff --git a/docs/identitymanager/current/user-guide/optimize/identity-datamodel-modification.md b/docs/identitymanager/current/user-guide/optimize/identity-datamodel-modification.md
index 53732d3995..a2e822cd05 100644
--- a/docs/identitymanager/current/user-guide/optimize/identity-datamodel-modification.md
+++ b/docs/identitymanager/current/user-guide/optimize/identity-datamodel-modification.md
@@ -1,4 +1,4 @@
----
+---
 title: "Modify the Identity Data Model"
 description: "Modify the Identity Data Model"
 sidebar_position: 10
@@ -62,20 +62,20 @@ Add or modify properties within the identity data model by proceeding as follows 1. On the home page, click on **Settings** in the **Configuration** section. - ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp) 2. Access the data model on the **Workforce** > **Data Model** page. 3. Change the display option to show or hide properties in the identity repository. - ![Scan Data Model - Display Option](/images/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp) + ![Scan Data Model - Display Option](/images/identitymanager/datamodelmodif_scan_v600.webp) 4. After your changes are complete, click on the Save icon at the top. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) 5. Click on the **Reload** button to apply the recent changes to the application. - ![Reload Button](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + ![Reload Button](/images/identitymanager/reload_v603.webp) ## Delete Properties 
@@ -90,14 +90,14 @@ In order to verify the process: - **Check manually a sample** in the user directory accessible from the home page. You should verify at least your own sheet and the sheets assigned to your hierarchy. - ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) - Check that **every organization still has a manager**. Organizations are accessible in the department directory accessible from the home page. - ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) - ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) If the system contains numerous organizations, it is also possible to list them with their managers through the Query module. See the[Generate Reports](../../user-guide/administrate/reporting) topic for additional information. diff --git a/docs/identitymanager/current/user-guide/optimize/non-conforming-assignment-review-automation.md b/docs/identitymanager/current/user-guide/optimize/non-conforming-assignment-review-automation.md index 22ffa5bdab..7f6ee53db2 100644 --- a/docs/identitymanager/current/user-guide/optimize/non-conforming-assignment-review-automation.md +++ b/docs/identitymanager/current/user-guide/optimize/non-conforming-assignment-review-automation.md @@ -1,4 +1,4 @@ ---- +--- title: "Automate the Review of Non-conforming Assignments" description: "Automate the Review of Non-conforming Assignments" sidebar_position: 50 
@@ -37,19 +37,19 @@ See the [Review Non-conforming Assignments](../../user-guide/administrate/non-co Create an automation rule by proceeding as follows: -![Home Page - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) +![Home Page - Access Rules](/images/identitymanager/home_rules_v602.webp) **Step 1 –** On the home page in the **Configuration** section, click on **Access Rules**. -![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) +![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) **Step 2 –** In the dropdown menu at the top left, choose the entity type to which the future rule will be applied. -![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) +![Addition Icon](/images/identitymanager/iconadd_v602.webp) **Step 3 –** Click on the **Automations** tab and on the addition button at the top right corner. -![New Automation Rule](/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp) +![New Automation Rule](/images/identitymanager/reviewautomation_newrulefields_v602.webp) **Step 4 –** Fill in the fields. 
@@ -79,13 +79,13 @@ In order to verify the process: **Step 2 –** Create an automation rule matching said assignment. -![Home Page - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) +![Home Page - Job Execution](/images/identitymanager/home_jobexecution_v602.webp) **Step 3 –** Compute the role model through the complete job on the **Job Execution** page. **Step 4 –** Check on the **Role Review** page that the assignment's workflow state changed according to the rule's settings. -![New Automation Rule](/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp) +![New Automation Rule](/images/identitymanager/reviewautomation_rulemessage_v522.webp) Any role affected by an automation rule shows a specific message on the **Role Review** page. diff --git a/docs/identitymanager/current/user-guide/optimize/parameterized-role.md b/docs/identitymanager/current/user-guide/optimize/parameterized-role.md index 249dcc37e7..b0d93bb2ca 100644 --- a/docs/identitymanager/current/user-guide/optimize/parameterized-role.md +++ b/docs/identitymanager/current/user-guide/optimize/parameterized-role.md @@ -1,4 +1,4 @@ ---- +--- title: "Configure a Parametrized Role" description: "Configure a Parametrized Role" sidebar_position: 80 
@@ -12,17 +12,17 @@ How to reduce the number of roles in the model by configuring **roles with param The assignment of a role to a user gives them an entitlement, usually a group membership, thanks to a navigation rule. See the [Create Roles in the Role Catalog](../../user-guide/set-up/single-roles-catalog-creation) topic for additional information. -![Simple Role](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp) +![Simple Role](/images/identitymanager/parameterizedroles_simplerole.webp) To enable the assignment of all existing entitlements, the role model usually contains numerous roles. For example, the SAP role can be given with slight differences according to the users' subsidiaries: -**> ![Role Matrix](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp)** +**> ![Role Matrix](/images/identitymanager/parameterizedroles_numerousroles.webp)** In order to reduce the number of roles, we can configure **roles with parameters** by inserting a criterion in the navigation rules. Thus, instead of having as many roles as entitlements (left on the schema), we can have way fewer roles (right on the schema). -![With/Without Parameters](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp) +![With/Without Parameters](/images/identitymanager/parameterizedroles_parameters.webp) In the previous example, with a parameter on the subsidiary, the number of roles would be divided by three. 
@@ -46,7 +46,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor ``` -![Example - Role](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp) +![Example - Role](/images/identitymanager/parameterizedrole_examplerole_v603.webp) **Step 2 –** Create a single role. See the [Create a Role Manually](../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information. @@ -54,7 +54,7 @@ Code attributes enclosed with `<>` need to be replaced with a custom value befor Here we have three navigation rules, one for each distinct time slot (dimension A). For example: -![Example - Rule](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp) +![Example - Rule](/images/identitymanager/parameterizedrole_examplerule_v603.webp) :::note Make sure that the corresponding dimension is specified in the right `DisplayEntityType` in XML to be displayed in the UI. 
@@ -62,7 +62,7 @@ Here we have three navigation rules, one for each distinct time slot (dimension :::note It is important to note that for manually assigned roles, if a new dimension is added to the definition of the role, the assignment's dimension will not be re-calculated, and will therefore not be propagated to calculate automatic assignments. Example Scenario — Role A was created as a composite role with no parameters a long time ago. Role A was later updated to depend on the optional parameter X and a single role rule was created to assign a single role B if a user had Role A and parameter X set to value Y. If a user already manually had the role A, even if its dimension X (for example its department, which could be calculated) was equal to value Y, got its permissions recalculated, that person would not get the role B. Since the modification occurred after the assignment, it is understood as if the role was assigned voluntarily with dimension X unset. However, if a user got role A assigned after the modification, and its dimension X was equal to value Y, then that user would get the role B. ::: -![Example - Role Parameter Required](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp) +![Example - Role Parameter Required](/images/identitymanager/parameterizedrole_exampleroleparameter_v603.webp) **Step 4 –** Go back to the roles page to edit the single role from step 2, if needing to set the parameter required. 
@@ -82,13 +82,13 @@ In order to verify the process, request manually the parametrized role for a tes In our example: -![Example - Step 1](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp) +![Example - Step 1](/images/identitymanager/parameterizedroles_parameterexamplestep1_v603.webp) -![Example - Step 2](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp) +![Example - Step 2](/images/identitymanager/parameterizedroles_parameterexamplestep2_v603.webp) If the dimension is specified in the users' context rule, then Identity Manager will provide suggestions. -![Example - Suggestion](/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp) +![Example - Suggestion](/images/identitymanager/parameterizedrole_examplerolesuggestion_v603.webp) For example, concerning the `Title` dimension mentioned above. diff --git a/docs/identitymanager/current/user-guide/optimize/policy-creation.md b/docs/identitymanager/current/user-guide/optimize/policy-creation.md index 45b662618e..c8cb3fad8f 100644 --- a/docs/identitymanager/current/user-guide/optimize/policy-creation.md +++ b/docs/identitymanager/current/user-guide/optimize/policy-creation.md @@ -1,4 +1,4 @@ ---- +--- title: "Create a Policy" description: "Create a Policy" sidebar_position: 40 
@@ -31,15 +31,15 @@ See the [Create a Resource Type](../../user-guide/set-up/categorization/resource Create a policy by proceeding as follows: -![Home - Access Policies](/images/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp) +![Home - Access Policies](/images/identitymanager/home_accesspolicies_v602.webp) **Step 1 –** Access the policies screen by clicking on **Access Policies** on the home page in the **Configuration** section. -![New Policy](/images/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp) +![New Policy](/images/identitymanager/policycreation_policies_v602.webp) **Step 2 –** Click on **+ New policy** at the top right corner. -![createpolicy](/images/identitymanager/user-guide/optimize/policy-creation/createpolicy.webp) +![createpolicy](/images/identitymanager/createpolicy.webp) **Step 3 –** Fill in the information fields. diff --git a/docs/identitymanager/current/user-guide/optimize/risk-management.md b/docs/identitymanager/current/user-guide/optimize/risk-management.md index 4f0850e39b..f0eea763dc 100644 --- a/docs/identitymanager/current/user-guide/optimize/risk-management.md +++ b/docs/identitymanager/current/user-guide/optimize/risk-management.md @@ -1,4 +1,4 @@ ---- +--- title: "Manage Risks" description: "Manage Risks" sidebar_position: 30 
@@ -46,15 +46,15 @@ Create a risk by proceeding as follows: 1. On the home page in the **Configuration** section, click on **Risks**. - ![Home Page - Risks](/images/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp) + ![Home Page - Risks](/images/identitymanager/home_risks_v602.webp) 2. On the risks page, click on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 3. Fill in the fields. - ![New Risk](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp) + ![New Risk](/images/identitymanager/riskmanagement_newrisk_v602.webp) - `Identifier`: must be unique among risks and without any whitespace. - `Name`: will be displayed in the UI to identify the risk. @@ -74,7 +74,7 @@ items. A rule item specifies the risk-triggering resource(s). A high-privilege r When risks are based on the exemption policy called **Approval required**, the corresponding role requests appear on the **Role Review** screen with a specific workflow state. See below this note. See the [Reconcile a Role](../../user-guide/administrate/non-conforming-assignment-review/role-reconciliation) topic for additional information. - ![Risk Icon](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp) + ![Risk Icon](/images/identitymanager/riskmanagement_workflowstate_v523.webp) ### Write risk rules 
@@ -103,7 +103,7 @@ resource repository. See the [Identity Management](../../introduction-guide/over > The group `DL-INTERNET-Restricted` in our example. - ![Risk Item Example](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp) + ![Risk Item Example](/images/identitymanager/riskmanagement_newriskitem_v602.webp) This final value is an entitlement, linked to the owner identity through the navigation property and the ownership relationship. @@ -122,9 +122,9 @@ The `Compute Resource Risk Scores` task doesn't need to be launched right away, After creating at least one risk and computing risk scores, identified risks are listed on the **Identified Risks** screen, accessible from the home page in the **Administration** section. -![Home Page - Identified Risks](/images/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp) +![Home Page - Identified Risks](/images/identitymanager/home_identifiedrisks_v602.webp) -![Identified Risks](/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp) +![Identified Risks](/images/identitymanager/riskmanagement_identifiedrisks_v522.webp) For a given identity in the list, user information can be viewed and accessed by clicking respectively on the eye and arrow buttons on the right-hand side. diff --git a/docs/identitymanager/current/user-guide/optimize/simulation.md b/docs/identitymanager/current/user-guide/optimize/simulation.md index 086fe63c76..328934a469 100644 --- a/docs/identitymanager/current/user-guide/optimize/simulation.md +++ b/docs/identitymanager/current/user-guide/optimize/simulation.md @@ -1,4 +1,4 @@ ---- +--- title: "Perform a Simulation" description: "Perform a Simulation" sidebar_position: 90 
@@ -53,46 +53,46 @@ Launch a simulation by proceeding as follows: 1. Access the simulation list by clicking on **Simulations** on the home page, in the **Configuration** section. - ![Home - Simulations](/images/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp) + ![Home - Simulations](/images/identitymanager/home_simulations_v600.webp) - ![Simulation List](/images/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp) + ![Simulation List](/images/identitymanager/simulation_list_v602.webp) 2. Create a new simulation by clicking on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 3. Fill in the fields. - ![Simulation List](/images/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp) + ![Simulation List](/images/identitymanager/simulation_new_v602.webp) 4. Click on **+ Create**. 5. Perform changes through the ****roles** Changes** and ****rules** Changes** tabs and the following icons, respectively for addition, modification and deletion: - ![Edition - Approval Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Edition - Approval Icon](/images/identitymanager/iconadd_v602.svg) - ![Recommendation Icon](/images/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg) + ![Recommendation Icon](/images/identitymanager/simulation_iconedit_v600.svg) - ![Discouragement Icon](/images/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg) + ![Discouragement Icon](/images/identitymanager/simulation_icondelete_v600.svg) At any time, you can click on the line of a previously made change to access its description, even click on **Cancel** to erase it. 
- ![Cancel Change](/images/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp) + ![Cancel Change](/images/identitymanager/simulation_cancel_v602.webp) 6. Click on **Start** to launch the simulation. - ![Start Simulation](/images/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp) + ![Start Simulation](/images/identitymanager/simulation_start_v602.webp) 7. After a few seconds, click on **Refresh** to display the simulation results. 8. Observe the results in the overview and in the Excel report available via the Download button. - ![Download Icon](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + ![Download Icon](/images/identitymanager/icondownload_v602.svg) ## Shift from Simulation to Production After all needed changes have been simulated, you can decide to apply or cancel them. -![Apply or Cancel Changes](/images/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp) +![Apply or Cancel Changes](/images/identitymanager/simulation_decision_v600.webp) Then, the simulation is no longer active. 
@@ -110,15 +110,15 @@ In order to verify the process, check that the **roles** and **rules** are creat For **roles**, click on **Access **roles**** on the home page in the **Configuration** section. -![Home Page - Access **roles**](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) +![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp) Select the type of role that you want to check, and find the **roles** you created inside the right category and with the right parameters. -![Select **roles**](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) +![Select **roles**](/images/identitymanager/categorycreation_test_v602.webp) For **rules**, click on **Access **rules**** on the home page in the **Configuration** section. -![Home Page - Access **rules**](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) +![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp) Select the type of rule that you want to check, and find the **rules** you created with the right parameters. diff --git a/docs/identitymanager/current/user-guide/set-up/categorization/classification.md b/docs/identitymanager/current/user-guide/set-up/categorization/classification.md index 4125eda28c..6df3407a5a 100644 --- a/docs/identitymanager/current/user-guide/set-up/categorization/classification.md +++ b/docs/identitymanager/current/user-guide/set-up/categorization/classification.md @@ -1,4 +1,4 @@ ---- +--- title: "Classify Resources" description: "Classify Resources" sidebar_position: 30 
@@ -49,12 +49,12 @@ When the confidence rate is below 100%, correlation and classification reviews a - on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. requested manually or assigned automatically by a resource type rule; - ![Correlation Review - Provisioning Review Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + ![Correlation Review - Provisioning Review Screen](/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp) - on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a correlation rule without a resource type rule triggers unauthorized accounts on the **Resource Reconciliation** page. - ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp) Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values (gaps), i.e. resources and property values from the managed systems that are not allowed by a rule in Identity Manager. The **Provisioning Review** page displays the resource and property changes whose workflows require a manual approval. 
@@ -84,30 +84,30 @@ Fill a resource type with a classification rule by proceeding as follows: 1. On the relevant resource type's page, click on **Classification Rules** and the addition icon. - ![New Classification Rule](/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp) + ![New Classification Rule](/images/identitymanager/resourcetype_newclassifrule_v602.webp) Classification rules can also be created through the **Access Rules** screen (accessible from the home page, in the **Configuration** section), clicking on the **Classifications** tab and the addition button at the top **right** corner. - ![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 2. Fill in the fields. - ![New Classification Rule Fields](/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp) + ![New Classification Rule Fields](/images/identitymanager/resourcetype_newclassifrulefields_v602.webp) - **Target Object** > `Expression`: C# expression based on the resource that needs to be classified. - `Confidence Rate`: rate expressing the rule's reliability, and its priority order.. > Our overview example would look like: > - > ![Classification Rule Example](/images/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp) + > ![Classification Rule Example](/images/identitymanager/classification_example_v602.webp) 3. Click on **Create** and see a line added on the rules page. 4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource Types** to apply the new classification rules. 
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Impact of Modifications @@ -123,17 +123,17 @@ Simulations are available in order to anticipate the changes induced by a creati Any modification in classification rules is taken into account via the classification job: on the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource Types**. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Verify Classification In order to verify the process, analyze samples and check that all objects are classified, and well classified. To do so, click on the target entity type(s) affected by your rule(s) in the left menu of the home page. -![Test Entity Type](/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) +![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp) The entity type's page can be configured via XML to customize all displayed columns and available filters, especially the **Uncategorized** filter that spots unclassified resources, and the **Owner / Resource Type** column that shows the resource type assigned to each resource. -![Owner / Resource Type Column](/images/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp) +![Owner / Resource Type Column](/images/identitymanager/classification_test_v522.webp) Therefore, check that all resources show here a resource type. Moreover, a knowledgeable person must analyze a few samples to ensure that resources are classified in the **right** resource type. 
@@ -141,7 +141,7 @@ Therefore, check that all resources show here a resource type. Moreover, a knowl If a resource is not classified (or not correctly), then: -![Unclassified Resource](/images/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp) +![Unclassified Resource](/images/identitymanager/classification_unclassified_v600.webp) - If the resource is correlated, check whether the corresponding correlation rule is in the **right** resource type. diff --git a/docs/identitymanager/current/user-guide/set-up/categorization/correlation.md b/docs/identitymanager/current/user-guide/set-up/categorization/correlation.md index 2515f2ae3f..32c2269835 100644 --- a/docs/identitymanager/current/user-guide/set-up/categorization/correlation.md +++ b/docs/identitymanager/current/user-guide/set-up/categorization/correlation.md @@ -1,4 +1,4 @@ ---- +--- title: "Correlate Resources" description: "Correlate Resources" sidebar_position: 20 
@@ -56,12 +56,12 @@ When the confidence rate is below 100%, correlation and classification reviews a - on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. requested manually or assigned automatically by a resource type rule; - ![Correlation Review - Provisioning Review Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + ![Correlation Review - Provisioning Review Screen](/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp) - on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a correlation rule without a resource type rule triggers unauthorized accounts on the **Resource Reconciliation** page. - ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + ![Correlation Review - Resource Reconciliation Screen](/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp) Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values (gaps), i.e. resources and property values from the managed systems that are not allowed by a rule in Identity Manager. The **Provisioning Review** page displays the resource and property changes whose workflows require a manual approval. 
@@ -101,17 +101,17 @@ Fill a resource type with a correlation rule by proceeding as follows: 1. On the relevant resource type's page, click on **Correlation Rules** and **+ New**. - ![New Correlation Rule](/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp) + ![New Correlation Rule](/images/identitymanager/resourcetype_newcorrelrule_v602.webp) Correlation rules can also be created through the **Access Rules** screen (accessible from the home page, in the **Configuration** section), clicking on the **Correlations** tab and the addition button at the top **right** corner. - ![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 2. Fill in the fields. - ![New Correlation Rule Fields](/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp) + ![New Correlation Rule Fields](/images/identitymanager/resourcetype_newcorrelrulefields_v602.webp) - ****source** Object**: at least one property from the **source** system that is going to be linked to a given **target** object. Can be defined by a property path and/or an [Expression](../../../integration-guide/toolkit/expressions). 
@@ -120,13 +120,13 @@ a given **target** object. Can be defined by a property path and/or an [Expressi > In this example, a person via their login and name, is the **owner** of a nominative AD > account via its `sAMAccountName` attribute and display name: > - > ![Correlation Rule Example](/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp) + > ![Correlation Rule Example](/images/identitymanager/correlation_example_v602.webp) 3. Click on **Create** and see a line added on the rules page. 4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys** to compute the expressions used in the new correlation rule(s), and click on **Jobs** > **Compute Role Model** to apply all correlation rules. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Impact of Modifications 
@@ -140,17 +140,17 @@ Simulations are available in order to anticipate the changes induced by a creati Any modification in correlation rules is taken into account via the following jobs: on the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys**, and then on **Jobs** > **Compute Role Model**. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) ## Verify Correlation In order to verify the process, check the list of [Review Orphaned and Unused Accounts](../../../user-guide/administrate/orphan-unused-account-review) and analyze them to look for patterns revealing correlation issues. To do so, click on the **target** entity type(s) affected by your rule(s) in the left menu of the home page. -![Test Entity Type](/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) +![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp) The entity type's page can be configured via XML to customize all displayed columns and available filters, especially the **Orphan** filter that spots resources without an **owner**, and the ****owner** / Resource Type** column that shows the **owner** assigned to each resource. -![**owner** / Resource Type Column](/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp) +![**owner** / Resource Type Column](/images/identitymanager/correlation_test_v522.webp) A knowledgeable person must analyze a few samples to ensure that resources' owners can all be justified, meaning that orphaned accounts are supposed to be so, and that **correlated** resources are matched with the **right** **owner**. 
@@ -160,7 +160,7 @@ Another possibility of correlation validation is to compare the **number of AD a If a resource is not **correlated** (or not correctly), then: -![Uncorrelated Resource](/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp) +![Uncorrelated Resource](/images/identitymanager/correlation_uncorrelated_v600.webp) - Check the validity of correlation rules. - Check the resource's data quality. diff --git a/docs/identitymanager/current/user-guide/set-up/categorization/index.md b/docs/identitymanager/current/user-guide/set-up/categorization/index.md index a6ef039a60..4582fb7892 100644 --- a/docs/identitymanager/current/user-guide/set-up/categorization/index.md +++ b/docs/identitymanager/current/user-guide/set-up/categorization/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Categorize Resources" description: "Categorize Resources" sidebar_position: 80 
@@ -38,13 +38,13 @@ Thus, a resource type is a name that informs users about the intent of a resourc **Classification** is a process that simply aims to assign a resource type to specific resources. A specific resource can only be assigned a single resource type. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information. -![Classification Schema](/images/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp) +![Classification Schema](/images/identitymanager/categorization_classifschema.webp) Any resource that is unclassified will not be available for review. **Correlation** is a process that aims to establish an ownership relationship between two resources. In most cases, an identity resource that becomes the owner of an account resource. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information. -![Correlation Schema](/images/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp) +![Correlation Schema](/images/identitymanager/categorization_correlschema.webp) While an owner can possess several resources, a resource can have only one owner. 
@@ -54,11 +54,11 @@ As stated previously, both classification and correlation work through sets of r > For basic users, we have in Identity Manager: > -> ![Example - Basic Users in Usercube](/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp) +> ![Example - Basic Users in Usercube](/images/identitymanager/categorization_examplebasicuser.webp) > > For basic users, we have in the AD: > -> ![Example - Basic Users in AD](/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp) +> ![Example - Basic Users in AD](/images/identitymanager/categorization_examplebasicad.webp) > > Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | > --- | --- | | all accounts from OU=Users | 1. mail (from AD) = user's email @@ -67,11 +67,11 @@ As stated previously, both classification and correlation work through sets of r > For administrators, we have in Identity Manager: > -> ![Example - Basic Users in Usercube](/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp) +> ![Example - Basic Users in Usercube](/images/identitymanager/categorization_exampleadminuser.webp) > > For administrators, we have in the AD: > -> ![Example - Admin Users in AD](/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp) +> ![Example - Admin Users in AD](/images/identitymanager/categorization_exampleadminad.webp) > > Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | > --- | --- | | all accounts from OU=Administrators | 1. sAMAccountName = "A" + user's employee id 
@@ -90,7 +90,7 @@ Hence, integrators should start with correlation rules, and then write classific In the same way, Identity Manager will apply correlation rules before classification rules. -![Categorization Schema](/images/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp) +![Categorization Schema](/images/identitymanager/categorization_categschema.webp) Now that you have created resource types and their correlation/classification rules, you have created the first elements for your role model. See the [Entitlement Management](../../../introduction-guide/overview/entitlement-management) topic for additional information. The role model contains all the roles and rules which drive the entitlement assignment logic inside Identity Manager. diff --git a/docs/identitymanager/current/user-guide/set-up/categorization/resource-type-creation.md b/docs/identitymanager/current/user-guide/set-up/categorization/resource-type-creation.md index 5323e8c83a..1971000f3d 100644 --- a/docs/identitymanager/current/user-guide/set-up/categorization/resource-type-creation.md +++ b/docs/identitymanager/current/user-guide/set-up/categorization/resource-type-creation.md @@ -1,4 +1,4 @@ ---- +--- title: "Create a Resource Type" description: "Create a Resource Type" sidebar_position: 10 
@@ -52,15 +52,15 @@ Create a resource type by proceeding as follows: 1. On the relevant connector page, click on the addition button in the **Resource Types** frame. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) Resource types can also be created through the **Access Roles** screen (accessible from the home page, in the **Configuration** section), using the **+ New** button and selecting `Resource Type` in the first field called `Type`. - ![Home - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + ![Home - Access Roles](/images/identitymanager/home_roles_v602.webp) 2. Fill in the fields. - ![New Resource Type](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp) + ![New Resource Type](/images/identitymanager/resourcetype_newresourcet_v603.webp) - `Identifier`: must be unique among resource types, without any whitespace, and be C#-compatible. [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). @@ -154,7 +154,7 @@ Integrators need to know the required provisioning connection, especially whethe In order to verify the process, check that the resource type has been added with the right options to the list on the **Access Roles** page, accessible from the home page in the **Administration** section. -![Home - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) +![Home - Access Roles](/images/identitymanager/home_roles_v602.webp) -![Test Connector](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp) +![Test Connector](/images/identitymanager/resourcetype_test_v602.webp) 
diff --git a/docs/identitymanager/current/user-guide/set-up/configure-global-settings.md b/docs/identitymanager/current/user-guide/set-up/configure-global-settings.md index 5ac0fd18b0..2386297d9e 100644 --- a/docs/identitymanager/current/user-guide/set-up/configure-global-settings.md +++ b/docs/identitymanager/current/user-guide/set-up/configure-global-settings.md @@ -1,4 +1,4 @@ ---- +--- title: "Configure Global Settings" description: "Configure Global Settings" sidebar_position: 30 @@ -12,7 +12,7 @@ This topic covers the customization in the application **Settings**. The Settings interface provides information and management options for the application. -![accesscertificationonlyapprovedenysettings](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedenysettings.webp) +![accesscertificationonlyapprovedenysettings](/images/identitymanager/accesscertificationonlyapprovedenysettings.webp) ### Look and Feel 
@@ -35,15 +35,15 @@ See the [Languages](../../integration-guide/toolkit/languages) topic for additio The feature **Only allow approving and refusing on access certifications items** gives the administrator the option to limit the user's option to either **Approve** or **Deny** the Access Certification items while making the **More** button unavailable. -![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) +![allowapprovingdenyingaccesscertificationitems](/images/identitymanager/allowapprovingdenyingaccesscertificationitems.webp) If the feature **Only allow approving and denying on access certification items** is set to **No** the following will be visible on the certification screen: -![accesscertificationonlyapprovedeny](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny.webp) +![accesscertificationonlyapprovedeny](/images/identitymanager/accesscertificationonlyapprovedeny.webp) If the feature **Only allow approving and denying on access certification items** is set to **Yes** the following will be visible on the certification screen: -![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) +![accesscertificationonlyapprovedeny-disabled](/images/identitymanager/accesscertificationonlyapprovedeny-disabled.webp) This is how the user's experience can be customized directly from the UI. diff --git a/docs/identitymanager/current/user-guide/set-up/configure-workflows.md b/docs/identitymanager/current/user-guide/set-up/configure-workflows.md index dedb2c6f70..57c80ebdc9 100644 --- a/docs/identitymanager/current/user-guide/set-up/configure-workflows.md +++ b/docs/identitymanager/current/user-guide/set-up/configure-workflows.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Configure Onboarding Workflows" description: "Configure Onboarding Workflows" sidebar_position: 40 @@ -28,11 +28,11 @@ Identity Manager provides the review step as optional, for its necessity depends To perform the review of a user creation, one should have the right permissions. -![Review Permissions](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp) +![Review Permissions](/images/identitymanager/workflows_reviewpermissions_v601.webp) When a review is needed, a notification appears on the **MY TASKS** tab at the top. -![My Tasks Tab](/images/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) +![My Tasks Tab](/images/identitymanager/home_topbar_v601.webp) The reviewer can then complete the creation request and finally approve it. @@ -61,11 +61,11 @@ Configure onboarding workflows by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section, then on **Workforce** > **Onboarding Workflows** in the left menu. - ![Home - Settings](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home - Settings](/images/identitymanager/home_settings_v523.webp) 2. For each workflow, choose whether a review step is required. - ![Workflows Review Steps](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp) + ![Workflows Review Steps](/images/identitymanager/workflows_reviewsteps_v601.webp) Netwrix Identity Manager (formerly Usercube) recommends enabling the review for the onboarding of employees, and disabling the review for contractors. 
@@ -73,7 +73,7 @@ From experience, in most use cases, the onboarding of new workers is done by the 3. Configure the homonym detection. - ![Workflows Homonym Detection](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp) + ![Workflows Homonym Detection](/images/identitymanager/workflows_homonyms_v601.webp) Netwrix Identity Manager (formerly Usercube) recommends enabling the birth name comparison to detect user duplicates due to name changes, when the GDPR supports it. @@ -81,7 +81,7 @@ The other parameters for homonym detection should be enabled/disabled according 4. Click on **Save** at the top of the page. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) ## Verify Workflow Configuration @@ -89,14 +89,14 @@ Validate the process by proceeding as follows: 1. Access the user directory from the home page. - ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 2. Execute the workflows for a new employee and a new contractor. 3. Make sure that the homonym detection works in accordance with the specified options. > For example, if the inversion comparison is enabled between the first and last names: > - > ![Workflows Homonym Detection](/images/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp) + > ![Workflows Homonym Detection](/images/identitymanager/workflows_verifyhomonyms_v601.webp) 4. Make sure that the potential validation steps are in accordance with the specified options. diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/connection-creation.md b/docs/identitymanager/current/user-guide/set-up/connect-system/connection-creation.md index 2ae41a7786..82625da584 100644 
--- a/docs/identitymanager/current/user-guide/set-up/connect-system/connection-creation.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/connection-creation.md @@ -1,4 +1,4 @@ ---- +--- title: "Create a Connection" description: "Create a Connection" sidebar_position: 30 @@ -32,12 +32,12 @@ Create a connection by proceeding as follows: 1. Click on the addition button in the **Connections** frame on the connector's summary page. - ![Add a New Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp) + ![Add a New Connection](/images/identitymanager/connection_newconnection_v602.webp) 2. Fill in the connection information fields on the left, then select a package (AD, CSV, etc.) and fill the associated agent settings on the right. - ![Connection Creation](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp) + ![Connection Creation](/images/identitymanager/connectioncreation_connectioncreation_v602.webp) - `Identifier`: must be unique among connections, without any whitespace, start with a letter, and contain only letters, numbers, `.` and/or `-`. 
@@ -85,20 +85,20 @@ Identity Manager refreshes a connection's schema: - when clicking on **Refresh Schema** on the connection's page: only the schema of the current connection is refreshed; - ![Refresh Schema of One Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + ![Refresh Schema of One Connection](/images/identitymanager/connectioncreation_refreshschema_v522.webp) - when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are refreshed. - ![Refresh all Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + ![Refresh all Schemas](/images/identitymanager/connectioncreation_refreshall_v602.webp) In the **Connections** frame, either the last successful schema update is indicated or an icon is shown if the refresh schema failed. -![Failed Refresh Schemas](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) +![Failed Refresh Schemas](/images/identitymanager/connectioncreation_failedindicator_v602.webp) Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't displayed on the connection's page. On the connector's page, a connection without schema is indicated by the sentence "_There is no schema for this connection_". -![No Schema](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) +![No Schema](/images/identitymanager/connectioncreation_noschema_v522.webp) The connections' schemas must be refreshed before editing the connector's entity types via the UI, whether the connections were created via the UI or XML configuration. Otherwise, there will be no connection table available in the `Source` dropdown, so you will not be able to save anything. 
@@ -112,26 +112,26 @@ In order to verify the process: 1. click on **Check Connection** to ensure that Identity Manager can reach the managed system; - ![Check Connection](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + ![Check Connection](/images/identitymanager/connectioncreation_checkconnection_v602.webp) Some connectors have both incremental and complete setting modes. See the [Jobs](../../../integration-guide/tasks-jobs/jobs)topic for additional information. They are relatively independent so they both need to be tested. 2. check that the connection appears in the **Connections** frame with the right options, and without the Failed icon. -![Decline Icon](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) +![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg) ## Troubleshooting If the Failed icon appears, then: -![Decline Icon](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) +![Decline Icon](/images/identitymanager/certifcampaign_icondecline_v522.svg) Ensure that the schema of the connection is refreshed. If the schema couldn't be recovered, then: -![Schema Not Recovered](/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp) +![Schema Not Recovered](/images/identitymanager/connection_notrecovered_v523.webp) - Ensure that the managed system is properly connected. - Check the connection's settings. diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration.md b/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration.md index bd7f8e926a..2e4bd68578 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration.md 
+++ b/docs/identitymanager/current/user-guide/set-up/connect-system/connector-declaration.md @@ -1,4 +1,4 @@ ---- +--- title: "Create the Connector" description: "Create the Connector" sidebar_position: 20 @@ -28,15 +28,15 @@ Create a connector container by proceeding as follows: 1. On the home page in the **Configuration** section, click on the **Connectors** button. - ![Home page - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + ![Home page - Connectors](/images/identitymanager/home_connectors_v602.webp) You will see all existing connectors. 2. Click on the addition icon and fill in the information fields. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) - ![Connector creation](/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp) + ![Connector creation](/images/identitymanager/connectorcreation_declaration_v602.webp) - `Identifier`: must be unique among connectors, without any whitespace, start with a letter, and contain only letters, numbers, `.` and/or `-`. @@ -52,11 +52,11 @@ to perform frequently a set of tasks, including incrementalsynchronization and/o 3. Click on **+ Create** to get on the connector's overview page: - ![Connector page](/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp) + ![Connector page](/images/identitymanager/connectorcreation_connectorpage_v602.webp) ## Verify the Connector Declaration In order to verify the process, check that the connector has been added to the connectors list with the right name and identifier. -![Test Connector](/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp) +![Test Connector](/images/identitymanager/connectorcreation_test_v602.webp) 
diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/connector-modeling.md b/docs/identitymanager/current/user-guide/set-up/connect-system/connector-modeling.md index e71a564ce9..c97c0e5c85 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/connector-modeling.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/connector-modeling.md @@ -1,4 +1,4 @@ ---- +--- title: "Model the Data" description: "Model the Data" sidebar_position: 10 @@ -109,7 +109,7 @@ Find at the bottom a procedure example about modeling the Active Directory. All templates are detailed with examples **and** schemas with the following key: -![Schemas' Key](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp) +![Schemas' Key](/images/identitymanager/connectormodel_key.webp) During the technical modeling inside Identity Manager, these objects will become **entity types**, their attributes will become **scalar properties**, the links between them will become **navigation properties**. @@ -128,7 +128,7 @@ Permissions can be managed: #### Model -![User Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp) +![User Model](/images/identitymanager/connectormodel_user.webp) Thus you need to create one entity type to represent either accounts or other resources. 
@@ -153,13 +153,13 @@ In further steps, you will be able to define one resource type per account type Canteen badges are a **simple** system handled with the User model. Indeed users can simply have among their attributes the access authorization for a given building **and** a given time. Or also, instead of creating an entity type for users, we can create an entity type for the badges. They would have in their attributes their respective access location **and** time, **and** an attribute listing authorized users. -![User Model - Canteen Badges Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp) +![User Model - Canteen Badges Example](/images/identitymanager/connectormodel_user-canteen.webp) #### Example - Mailboxes Mailboxes constitute a complex system, but IGA purposes require little information (only accounts) so this system can too be handled with the User model, either through users **and** their entitlement lists, or through mailbox entitlements **and** their lists of authorized users. -![User Model - Mailboxes Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp) +![User Model - Mailboxes Example](/images/identitymanager/connectormodel_user-mailbox.webp) ### User-Group @@ -173,7 +173,7 @@ Users are represented by the accounts they own. #### Model -![User-Group Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) +![User-Group Model](/images/identitymanager/connectormodel_usergroup.webp) Thus you need to create one entity type to represent groups (or roles or profiles) **and** one for accounts. 
@@ -193,13 +193,13 @@ The SAB system handles authorizations using users **and** groups. A user is auth We define two **entity types** `SAB - User` **and** `SAB - Group`. We fill them with a few attributes useful to manage entitlements in the SAB application. Finally, we add a navigation property in both **entity types** in order to link `User` with `Group` with an "n-to-n" relationship. -![User-Group Example - SAB](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp) +![User-Group Example - SAB](/images/identitymanager/connectormodel_sab.webp) #### Example - RACF The [RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) connector is used to manage critical entitlements on the mainframe. RACF is a complex system, but IGA purposes only require information about accounts **and** groups, as entitlements are given by group membership. Thus the system can be simplified to be managed by Identity Manager following the User-Group model. -![User-Group Example - RACF](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp) +![User-Group Example - RACF](/images/identitymanager/connectormodel_racf.webp) For RACF, Identity Manager provisions only the link between accounts **and** groups. @@ -209,7 +209,7 @@ The TSS connector is similar to RACF in its use, but manages fine-grained entitl Identity Manager manages users (with their accounts) **and** groups called here profiles. Both users **and** profiles are grouped into departments, themselves grouped into partitions. Entitlements are called authorizations, **and** are linked to users through group (profile) membership. -![User-Group Example - TSS](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp) +![User-Group Example - TSS](/images/identitymanager/connectormodel_tss.webp) For TSS, Identity Manager provisions only the link between users **and** profiles. 
@@ -231,7 +231,7 @@ The object `User` or `Account` from the template, which contains users' accounts The object `Group` from the template is called here `Position` (grouped into organizations, themselves grouped into organization types). It contains the way an entitlement is given, here through a given position **and** wallet. -![User-Group Example - SDGE](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp) +![User-Group Example - SDGE](/images/identitymanager/connectormodel_sdge.webp) For SDGE, Identity Manager provisions only workers **and** the link between workers **and** positions. @@ -253,7 +253,7 @@ then assigned to accounts, which are owned by users. #### Model -![Account-Profile-Transaction Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp) +![Account-Profile-Transaction Model](/images/identitymanager/connectormodel_profiletransaction.webp) Thus you need to create one entity type to represent accounts, one for profiles, **and** one for **transactions**. @@ -267,7 +267,7 @@ For example, instead of modeling two artificial types of profiles called `PP` fo See the schema below this note. -![Profiles Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp) +![Profiles Example](/images/identitymanager/connectormodel_profiles.webp) **transactions** are not mandatory in a model. Most of the time, the profile packages are predefined once **and** for all, or are the responsibility of the **application owner**. Then Identity Manager doesn't need to manage the specific **transactions** for a profile directly inside the managed system. You can hence avoid modeling **transactions** altogether. In this case, you fall back on the User-Group model with a twist: if profile categories are relevant in the system's authorization mechanism, then you must take them into account. 
@@ -275,7 +275,7 @@ See the schema below this note. The TSS connector is actually a mix of the User-Group **and** Account-Profile-Transaction models. The User-Group part is explained above. -![User-Group Example - TSS](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp) +![User-Group Example - TSS](/images/identitymanager/connectormodel_tss-prof-trans.webp) **transactions** are called here authorizations. @@ -298,7 +298,7 @@ Users are represented by the accounts they own. #### Model -![Star Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp) +![Star Model](/images/identitymanager/connectormodel_star.webp) Thus you need to create one entity type to represent accounts, one for each criterion, **and** another one to represent the object linking acounts to criteria. @@ -319,7 +319,7 @@ The flexibility generated by parameters is particularly interesting for roles th Consider an application which manages entitlement assignment with different rules, according to users' profiles, attachment areas **and** sites. Our example shows 4 profiles, 4 attachment areas **and** 3 sites. So a user may be assigned a given entitlement for a given profile, attachment area **and** site. -![Star Model Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp) +![Star Model Example](/images/identitymanager/connectormodel_starmodel.webp) For this connector, Identity Manager provisions only the links between accounts **and** linking objects, **and** the links between linking objects **and** each criterion. 
@@ -335,19 +335,19 @@ available profiles, attachment areas **and** sites, which makes a total of 48 ro Let's say we are modeling an Active Directory, which handles authorization through the group memberships of accounts. In other words, to assign an entitlement to an identity, we make the AD account of said identity member of the corresponding AD group. That is exactly what the User-Group template is designed to handle. See the Model the Data topic for additional information. -![User-Group Model](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) +![User-Group Model](/images/identitymanager/connectormodel_usergroup.webp) **Step 2: adapt the model to your **reality**.** We start by renaming the `Account` object as `AD_User` **and** the `Group` object as `AD_Group`. -![AD Example - Step 1](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp) +![AD Example - Step 1](/images/identitymanager/connectormodel_ad-step1.webp) **Step 3: define useful data close to your **reality**.** We **shape** these objects with the following attributes: -![AD Example - Step 2](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp) +![AD Example - Step 2](/images/identitymanager/connectormodel_ad.webp) **Step 4: ensure that all objects have unique keys.** @@ -369,5 +369,5 @@ Beyond avoiding repetition, this makes the model easily adaptable if new element > `AD_Computer` **and** `AD_OU` without merging groups with entries, designing `AD_Entry` with all these > attributes provides the means to add objects without creating new **entity types**. > -> ![AD_Entry Example](/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp) +> ![AD_Entry Example](/images/identitymanager/connectormodel_adentry.webp) 
diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md index 079649dcd3..e6402b50cb 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization.md @@ -1,4 +1,4 @@ ---- +--- title: "Organize Resources' Datasheets" description: "Organize Resources' Datasheets" sidebar_position: 60 @@ -16,7 +16,7 @@ If you do not add display groups, Identity Manager displays the data of this ent > For example, for an HR user without any display groups: > -> ![Without Display Groups](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp) +> ![Without Display Groups](/images/identitymanager/entitytypecreation_displaygroups_without_v603.webp) ## Organize Resources' Datasheets 
@@ -28,30 +28,30 @@ Organize resources' datasheets by proceeding as follows: top right corner. 3. On the entity type's definition page, click on the **Display** tab. - ![Display Groups](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp) + ![Display Groups](/images/identitymanager/entitytypecreation_displaygroups_v603.webp) 4. Click on the arrow to see the entity type's properties listed in the alphabetical order, and drag and drop the properties to customize the order. > For example: > - > ![Display Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp) + > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example1_v603.webp) 5. When needing to group properties together, click on **Add Display Group**, fill in the fields and select from the pop-up window the properties to be grouped. - ![Display Group Fields](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp) + ![Display Group Fields](/images/identitymanager/entitytypecreation_displaygroups_fields_v603.webp) - `Identifier`: must be unique among display groups, without any whitespace, and be C#-compatible. [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). - `Name`: will be displayed in the UI to indicate the property group. 
> For example: > - > ![Display Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp) + > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example2_v603.webp) > > The entity type's resources would look like: > - > ![Display Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp) + > ![Display Example](/images/identitymanager/entitytypecreation_displaygroups_example2results_v603.webp) 6. Click on **Save & Close**. @@ -61,7 +61,7 @@ Changes in display groups won't take effect until the next [Update Entity Proper Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md index c7ed6bc457..1bf77cd001 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/display-name-setting.md @@ -1,4 +1,4 @@ ---- +--- title: "Set Resources' Display Names" description: "Set Resources' Display Names" sidebar_position: 50 
@@ -12,7 +12,7 @@ How to change the value of the display name for resources of an [Entity Type](.. Here you will learn how to change a **resource's display name**, which is the name used by the UI to identify a resource of an entity type. Its value is computed from existing properties. For example for the entity type `HR - User`, integrators may set the display name to: ` - `. -![Display Name - Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp) +![Display Name - Example](/images/identitymanager/entitytypecreation_displaynameexample_v600.webp) If you do not set your own display name, Identity Manager provides a default value based on the first scalar property after alphabetizing all the properties whose name contains `name`. 
@@ -24,22 +24,22 @@ Set the **resource's display name** by proceeding as follows: 2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top right corner. 3. On the entity type's definition page, click on the **Settings** tab. - ![Display Name - Property Path](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp) + ![Display Name - Property Path](/images/identitymanager/entitytypecreation_displayname_v603.webp) 4. Set the display name. As a display name, you can use either the value of an existing property, or compute [Expressions](../../../../integration-guide/toolkit/expressions) based on existing properties. > A resource from `AD - Entry` can be displayed using its `userPrincipalName` with predefined > functions. > - > ![AD Entity Type - Display Name](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp) + > ![AD Entity Type - Display Name](/images/identitymanager/entitytypecreation_examplead4_v602.webp) > - > ![AD Entity Type - Display Name Result](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp) + > ![AD Entity Type - Display Name Result](/images/identitymanager/entitytypecreation_examplead4-result_v602.webp) > Another example from the HR connector (User entity type): > - > ![HR User Entity Type - Display Name](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp) + > ![HR User Entity Type - Display Name](/images/identitymanager/entitytypecreation_examplehr_v602.webp) > - > ![HR User Entity Type - Display Name Result](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp) + > 
![HR User Entity Type - Display Name Result](/images/identitymanager/entitytypecreation_examplehr-result_v602.webp) 5. Click on **Save & Close**. @@ -49,7 +49,7 @@ Changes inside connectors won't take effect until the next [Synchronize Data](.. Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. @@ -59,7 +59,7 @@ You can find the **Reload** button either on the green warning, or on the connec If no property appears in the display name auto-completion, then: -![No Property](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp) +![No Property](/images/identitymanager/entitytypecreation_troubleprop_v602.webp) Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top right corner of the screen. diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md index 05a40786de..a0ac36f07b 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration.md 
@@ -1,4 +1,4 @@ ---- +--- title: "Create the Entity Type" description: "Create the Entity Type" sidebar_position: 10 @@ -19,20 +19,20 @@ Create the entity type by proceeding as follows: 1. Access the connector's page by clicking on the **Connectors** button on the home page in the **Configuration** section, then on the relevant connector. - ![Home page - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + ![Home page - Connectors](/images/identitymanager/home_connectors_v602.webp) 2. On the connector's page, in the **Entity Types** frame, click on the addition button. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 3. Fill in the information fields. - ![Entity type creation](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp) + ![Entity type creation](/images/identitymanager/entitytypecreation_entitytypecreation_v602.webp) - `Identifier`: must be unique among entity types, without any whitespace, and be C#-compatible. [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). NETWRIX recommends using `_` in the singular. - `Name`: will be displayed in the UI to identify the entity type. - - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + - `Icon`: can be chosen from [Microsoft's list](https://developer.microsoft.com/en-us/fluentui#/styles/web/icons#available-icons) and will be displayed with the entity type in the left menu of the home page. - `Auto Complete in Pickers`: can be set once properties are created (and saved) so that, when using a searchbar for selected properties, Identity Manager suggests existing entries. 
@@ -40,7 +40,7 @@ using a searchbar for selected properties, Identity Manager suggests existing en 4. In the entity type's **Properties** section, choose a source so that the connection provides the source's data structure. - ![Properties' source](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + ![Properties' source](/images/identitymanager/entitytypecreation_propertiessource_v522.webp) > Let's use the example of an AD connector. We create an entity type `AD - Entry` to gather the > valuable information from the AD, i.e. all the AD entries (groups and accounts) which we want @@ -59,7 +59,7 @@ To continue, [Define Scalar Properties](../../../../user-guide/set-up/connect-sy If there are no connection tables available in the **Source** dropdown list of an entity type, then: -![Properties' source](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) +![Properties' source](/images/identitymanager/entitytypecreation_propertiessource_v522.webp) Ensure that there are existing connections: @@ -69,7 +69,7 @@ there is no error. See the [Create a Connection](../../../../user-guide/set-up/c If there is a message stating to refresh the connection's schema, then: -![No Connection Table Error](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp) +![No Connection Table Error](/images/identitymanager/entitytypecreation_troubleshootingschema_v603.webp) Start by making sure that the connection's schema is refreshed by clicking on **Refresh all schemas** on the connector page, and verify that there is no error. 
diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/index.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/index.md index 81b3012bb2..02ae3c0d39 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/index.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Create an Entity Type" description: "Create an Entity Type" sidebar_position: 40 @@ -14,7 +14,7 @@ An entity type is a model of a managed system's data. It defines the shape of th In other words, an entity type is supposed to model the representation of a certain group of resources inside Identity Manager. It is a relational model, made of properties ([Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition)) and links between entity types ([Define Navigation Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition)), both described later. -![Entity Type - Schema](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) +![Entity Type - Schema](/images/identitymanager/entitytypecreation_schema.webp) The configuration of entity types depends entirely on the previously established by [Model the Data](../../../../user-guide/set-up/connect-system/connector-modeling). @@ -47,7 +47,7 @@ For some connectors, Identity Manager provides a template to automatically creat > resource types for a standard AD connector. The template is available for a connector with an AD > connection but no entity types. > -> ![Entity Type - AD Template](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp) +> ![Entity Type - AD Template](/images/identitymanager/entitytype_template_v602.webp) ## Verify the Entity Type 
diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/key-selection.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/key-selection.md index 102dc6fa4c..bd317e237a 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/key-selection.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/key-selection.md @@ -1,4 +1,4 @@ ---- +--- title: "Select Primary Keys" description: "Select Primary Keys" sidebar_position: 30 @@ -78,7 +78,7 @@ Create an entity type by proceeding as follows: 1. Start by defining the entity type's scalar properties. See the [Define Scalar Properties](../../../../user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition) topic for additional information. - ![Keys](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp) + ![Keys](/images/identitymanager/entitytypecreation_keys_v522.webp) 2. In the entity type's **Properties** section, choose the **key properties**. 3. Choose the **mapping key**. @@ -88,7 +88,7 @@ Create an entity type by proceeding as follows: Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. 
diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md
index 0b8125f3c0..fe29471dd5 100644
--- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md
+++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition.md
@@ -1,4 +1,4 @@
----
+---
 title: "Define **navigation properties**"
 description: "Define **navigation properties**"
 sidebar_position: 40
@@ -16,25 +16,25 @@ Here you will learn to define **navigation properties**, which contain scalar va > to other groups. In the UI, `memberOf` is displayed just like scalar properties, but you can click > its values to access each group in the list. Here for the AD entry `ADM Vidal Pierre`: > -> ![Navigation Property - memberOf](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp) +> ![Navigation Property - memberOf](/images/identitymanager/entitytypecreation_memberof_v600.webp) > > Clicking on one of these groups will display the group"​™s properties, including the other side of > the `memberOf` property:called `member`:which contains the list of users and groups who are > members. Example: `SG_APP_RAY_0_LDAP_READLDSFEDE`: > -> ![Navigation Property - member](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp) +> ![Navigation Property - member](/images/identitymanager/entitytypecreation_member_v600.webp) > As another example, a department is linked to a manager who is an existing user. The user > identifier is used in the `Manager` property to create the link between department and manager. 
In > the UI, `Manager` is displayed like scalar properties, but you can click it to access the > manager"​™s page: > -> ![Navigation Property - Manager](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp) +> ![Navigation Property - Manager](/images/identitymanager/entitytypecreation_manager_v600.webp) > > Clicking the manager displays their properties, including the `Department` property, which points > back to the managed department: > -> ![Navigation Property - Managed Department](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp) +> ![Navigation Property - Managed Department](/images/identitymanager/entitytypecreation_managerof_v600.webp) **navigation properties** can create a link: @@ -69,7 +69,7 @@ Define **navigation properties** by following these steps: select the ones to use. 4. Fill in the information fields: - ![**navigation properties**](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp) + ![**navigation properties**](/images/identitymanager/entitytypecreation_navigationproperties_v602.webp) If you map a column from the source, the first line is for the source column, and the second is the new navigation property in Identity Manager (always in the entity type). 
@@ -114,19 +114,19 @@ Identity Manager can store up to 25 **optimized** mono-valued nav properties. Pr > `Entries`, `assistant`, `assistantOf`, `manager`, `directReports`, `memberOf`, `member`, > `parentdn`, `children` -**> ![AD Entity Type - **navigation properties**](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp)** +**> ![AD Entity Type - **navigation properties**](/images/identitymanager/entitytypecreation_examplead3_v603.webp)** 5. Click the gear icon to access advanced settings: - ![Advanced Settings](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + ![Advanced Settings](/images/identitymanager/entitytypecreation_propertiessettings_v602.webp) - - `Icon`: Choose from [Microsoft icon set](https://uifabricicons.azurewebsites.net/) + - `Icon`: Choose from [Microsoft icon set](https://developer.microsoft.com/en-us/fluentui#/styles/web/icons#available-icons) - **Source Expression**: Define using a property path or [expression](../../../../integration-guide/toolkit/expressions) > Example: Scalar `isUnused` created by combining `accountExpires` and `lastLogonTimestamp` > - > ![Source Expression Example](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + > ![Source Expression Example](/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp) - `Flexible Comparison Expression`: Adds advanced search matching - `History Precision`: Set how often property history is recorded 
@@ -143,7 +143,7 @@ Clicking **Continue** closes the window but **does not save** the configuration. After saving, a green banner reminds you to reload the schema. It"​™s not necessary after every step:but is **required after the final step** to apply changes. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button ensures updates appear in the menu links on the UI home page. You"​™ll find it either in the banner or on the connector dashboard. diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md index c453c02042..6f8c45fbb2 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition.md @@ -1,4 +1,4 @@ ---- +--- title: "Define **scalar** Properties" description: "Define **scalar** Properties" sidebar_position: 20 @@ -14,7 +14,7 @@ Here you will learn how to define **scalar** properties, which contain **scalar* > For example: `DisplayName`; `Email`; `Identifier`; `StartDate`; etc. > -> ![**scalar** Properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp) +> ![**scalar** Properties](/images/identitymanager/entitytypecreation_scalarex_v600.webp) Most often, properties inside Identity Manager are each linked to a property from the managed system. This way, data from the managed system can be imported into Identity Manager and stored in the corresponding property. These properties are **mapped** from the source (see step 2). 
@@ -34,13 +34,13 @@ Define the entity type's **scalar** properties by proceeding as follows: 2. In the entity type's **Properties** section, click on **Map **scalar** properties** to display existing columns from the external source, and select the properties to be used in the entity type. - ![Map from source](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp) + ![Map from source](/images/identitymanager/entitytypecreation_scalarpropertiesmap_v602.webp) You need to configure at least one property to be able to define primary keys later, and thus create an entity type. 3. Fill in the information fields. - ![**scalar** properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp) + ![**scalar** properties](/images/identitymanager/entitytypecreation_scalarproperties_v603.webp) - **APPLICATION METADATA**: fields about the future display of the properties inside Identity Manager. 
@@ -81,13 +81,13 @@ from Identity Manager to the connected system, whenever different from a string. > `thumbnailPhoto` of format `Binary` or `objectCategory` as `RDN` or `pwdLastSet` as > `1601 Date`. > - > ![AD Entity Type - **scalar** Properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp) + > ![AD Entity Type - **scalar** Properties](/images/identitymanager/entitytypecreation_examplead2_v602.webp) 4. Click on the Gear symbol to add advanced settings if needed. - ![Advanced Settings](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + ![Advanced Settings](/images/identitymanager/entitytypecreation_propertiessettings_v602.webp) - - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + - `Icon`: can be chosen from [Microsoft's list](https://developer.microsoft.com/en-us/fluentui#/styles/web/icons#available-icons) and will be displayed with the property among users' data. - **Source Expression**: expression that defines the property based on at least one source object. Can be defined by a property path and/or [Expressions](../../../../integration-guide/toolkit/expressions). @@ -95,7 +95,7 @@ object. Can be defined by a property path and/or [Expressions](../../../../integ > For example, `isUnused` is created to spot unused accounts via a combination of > `accountExpires` and `lastLogonTimestamp`: > - > ![Advanced Settings](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + > ![Advanced Settings](/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp) - `Flexible Comparison Expression`: expression that inserts adaptable comparison flexibility when using a searchbar for the property. 
@@ -117,7 +117,7 @@ Clicking on **Continue** closes the pop-up window so that you can continue the c Every time an entity type mapping is modified and saved, a green pop-up appears saying that you should reload the schema to implement the changes. You do not need to click on the button every time. It is essential though to reload after the final changes are made. -![Reload](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) +![Reload](/images/identitymanager/entitytypecreation_reload_v522.webp) The **Reload** button mostly enables your changes to appear in the menu items, which configure the left menu links on the UI's home page. @@ -131,7 +131,7 @@ Before saving, you must first [Select Primary Keys](../../../../user-guide/set-u If the Format column is not displayed in the External System part, then: -![**scalar** properties](/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp) +![**scalar** properties](/images/identitymanager/entitytypecreation_scalarpropertieswithoutformat_v522.webp) Refresh the connections' schemas. diff --git a/docs/identitymanager/current/user-guide/set-up/connect-system/index.md b/docs/identitymanager/current/user-guide/set-up/connect-system/index.md index 9fba1fe0cf..5e377975b2 100644 --- a/docs/identitymanager/current/user-guide/set-up/connect-system/index.md +++ b/docs/identitymanager/current/user-guide/set-up/connect-system/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Connect to a Managed System" description: "Connect to a Managed System" sidebar_position: 60 
@@ -18,7 +18,7 @@ In this documentation, we talk about managed systems (sometimes called external A connector, therefore, acts as an interface between Identity Manager and a managed system. -![Connector Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) +![Connector Schema](/images/identitymanager/connectorcreation_connectorschema.webp) NETWRIX strongly recommends the creation of one connector for one application. @@ -33,7 +33,7 @@ NETWRIX strongly recommends the creation of one connector for one application. In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity Manager will feed data into connected managed systems. -![Outbound System=](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) +![Outbound System=](/images/identitymanager/connectorcreation_outbound.webp) In this case, data flows between Identity Manager and the managed system are also called: @@ -89,7 +89,7 @@ You can find standard connections dedicated to one application (AD, Microsoft En > `AD User (administration)` for sensitive administration accounts, which we want to provision > manually through Identity Manager. -![Connector Technical Schema](/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) +![Connector Technical Schema](/images/identitymanager/connectorcreation_connectortechnicalschema.webp) A connector requires at least one connection and one entity type. @@ -120,7 +120,7 @@ For one managed system, create a connector by proceeding as follows: You can activate the connector again at any time using the same button. -![Jobs Results Dashboard](/images/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) +![Jobs Results Dashboard](/images/identitymanager/synchro_dashboard_v522.webp) ## Next Steps 
diff --git a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/adjust-datamodel.md b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/adjust-datamodel.md index 0d000d443b..bd0661894e 100644 --- a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/adjust-datamodel.md +++ b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/adjust-datamodel.md @@ -1,4 +1,4 @@ ---- +--- title: "Adjust the Workforce Data Model" description: "Adjust the Workforce Data Model" sidebar_position: 40 @@ -39,14 +39,14 @@ Adjust the data model by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section. - ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp) 2. On the **Workforce** > **Data Model** page, click on the following icon to adjust the data model to your specific situation. - ![Scan Data Model](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg) + ![Scan Data Model](/images/identitymanager/iconscandatamodel_v602.svg) - ![Scan Data Model](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp) + ![Scan Data Model](/images/identitymanager/initialload_scandatamodel_v60.webp) Identity Manager counts the entries for each attribute and suggests a quantification: 
@@ -54,7 +54,7 @@ Identity Manager counts the entries for each attribute and suggests a quantifica - Non-empty attributes are quantified (e.g. small, large, etc.) to be displayed in the UI's forms optimally (e.g. dropdown list, search tool, etc.). - ![Scan Data Model - Result](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp) + ![Scan Data Model - Result](/images/identitymanager/initialload_scandatamodel-result_v523.webp) 3. Observe the result and adjust manually the data model if needed, by clicking on the properties. @@ -71,11 +71,11 @@ Modifications can be performed later, decisions can be reconsidered. See the [Mo 4. Click on the Save icon at the top. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) 5. Click on the **Reload** button to apply the recent changes to the application. - ![Reload Button](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + ![Reload Button](/images/identitymanager/reload_v603.webp) ## Verify Identities Loading @@ -85,7 +85,7 @@ In order to validate the process: > For example, our `Region` field in `Site` is sized as `large`. > - > ![Scan Data Model - Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp) + > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example_v523.webp) 2. Navigate within Identity Manager to find a workflow using the test field. Observe the displaying mode in the UI. 
@@ -93,9 +93,9 @@ mode in the UI. > Our `State` field must be filled in during the creation of a new site. It can be filled by > opening a pop-up and choosing the region in the list. > - > ![Scan Data Model - Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp) + > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example2_v523.webp) > - > ![Scan Data Model - Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp) + > ![Scan Data Model - Example](/images/identitymanager/initialload_scan-example3_v523.webp) 3. Back on the scanning feature, change the displaying mode of your test field and save. diff --git a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/generate-unique-properties.md b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/generate-unique-properties.md index 4a9388c9eb..6132615818 100644 --- a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/generate-unique-properties.md +++ b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/generate-unique-properties.md @@ -1,4 +1,4 @@ ---- +--- title: "Configure Unique Property Generation" description: "Configure Unique Property Generation" sidebar_position: 10 
@@ -39,12 +39,12 @@ Configure the generation of unique properties by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section. - ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp) 2. On the **Workforce** > **Identifiers, Mails & Logins** page, you can follow Identity Manager's instructions to configure the generation of a **unique identifier** for new workers (if needed), based on one of the available options. - ![**unique identifier** Generation](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp) + ![**unique identifier** Generation](/images/identitymanager/initialload_uniqueidentifier_v602.webp) - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all special characters; can add a separator between the first name and the last name if needed (such as `.` most often); in case of homonyms, appends a sequence number to the full name. @@ -61,7 +61,7 @@ configured on the user's contract type. 3. Follow Identity Manager's instructions to configure the generation of a **unique email address** for all users (who do not have one), based on one of the available options. - ![Unique Email Generation](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp) + ![Unique Email Generation](/images/identitymanager/initialload_uniqueemail_v602.webp) - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all special characters; can add a separator between the first name and the last name if needed (such as `.` most often); in case of homonyms, appends a sequence number to the full name. 
@@ -80,7 +80,7 @@ from contractors to employees, or change to another subsidiary. 4. Follow Identity Manager's instructions to configure the generation of a **unique login** for new workers (who do not have one), based on one of the available options. - ![**unique login** Generation](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp) + ![**unique login** Generation](/images/identitymanager/initialload_uniquelogin_v602.webp) - `Based on Email`: uses the local part of the email, i.e. before `@`. - `Based on Full Email`: uses the full email. @@ -89,19 +89,19 @@ with the default prefix when no specific prefix is specified on the user's contr 5. Click on the Save icon at the top. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) 6. Click on the **Reload** button to apply the recent changes to the application. - ![Reload Button](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + ![Reload Button](/images/identitymanager/reload_v603.webp) ## Verify Property Generation In order to verify the process, add a fictitious employee through the workflows from the UI. -![Home - New Employee](/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp) +![Home - New Employee](/images/identitymanager/home_newemployee_v600.webp) Verify in the directory that the employee's sheet displays the expected values for the configured unique properties. -![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) +![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) 
diff --git a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/index.md b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/index.md index 601838c8d6..fbd5872be6 100644 --- a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/index.md +++ b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/index.md @@ -1,4 +1,4 @@ ---- +--- title: "Create the Workforce Repository" description: "Create the Workforce Repository" sidebar_position: 20 @@ -17,13 +17,13 @@ The identity repository is supposed to contain the list of all kinds of identiti > For example, a user can be represented by an identifier and linked to their position which > includes the user's employee id, last name and first name, email, user type, organization, etc. > -> ![Identity Repository Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) +> ![Identity Repository Example](/images/identitymanager/identityrepository-example.webp) > In Identity Manager, the identity repository can look like the following: > -> ![Identity Repository Result](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> ![Identity Repository Result](/images/identitymanager/identityrepository_v602.webp) > -> ![Identity Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) +> ![Identity Example](/images/identitymanager/identityrepository-person_v602.webp) See the [Identity Repository](../../../integration-guide/identity-management/identity-repository) topic for additional information. diff --git a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/load-identities.md b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/load-identities.md index 9e099d4df2..d4cc76c036 100644 
--- a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/load-identities.md +++ b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/load-identities.md @@ -1,4 +1,4 @@ ---- +--- title: "Load Identities to Identity Manager" description: "Load Identities to Identity Manager" sidebar_position: 20 @@ -16,7 +16,7 @@ The initial workforce repository is going to be the first version of a comprehen Identity Manager contains a template model, downloadable as an Excel file. Below is an example of a part of the `UserRecord` tab, used in Identity Manager's demo: -![Template Example](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp) +![Template Example](/images/identitymanager/initialload_templateexample_v602.webp) ### Useful data @@ -57,11 +57,11 @@ Load identities for the first time by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section. - ![Home Page - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home Page - Configuration](/images/identitymanager/home_settings_v523.webp) 2. On the **Workforce** > **Data Upload** page, download the empty Excel template. - ![Upload Icon](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + ![Upload Icon](/images/identitymanager/icondownload_v602.svg) 3. Collect identity and organizational data. 
@@ -88,7 +88,7 @@ specific part, for example on the employee identifier. The Excel file contains several tabs which organize data, but not all tabs and columns are mandatory. You can find **more details about the [Template Description](../../../user-guide/set-up/initial-identities-loading/template-description)**. Below are the minimum recommended attributes (mandatory in orange): - ![Template Recommendations](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp) + ![Template Recommendations](/images/identitymanager/initialload_templatereco_v600.webp) [**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). @@ -122,18 +122,18 @@ displayed data. 5. Back on the **Workforce** > **Data Upload** page, upload the filled Excel file to the server in order to feed the data back to Identity Manager. - ![Upload Icon](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg) + ![Upload Icon](/images/identitymanager/iconupload_v602.svg) The latest uploaded file overwrites the previous one. 6. Click on **Verify and Synchronize** to check the file's consistency and import its data into Identity Manager. - ![Verify and Synchronize](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp) + ![Verify and Synchronize](/images/identitymanager/initialload_dataupload-synchronize_v602.webp) Now you are able to view users' pages in the directory. - ![Directory - Users](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp) + ![Directory - Users](/images/identitymanager/initialload_directoryusers_v602.webp) ## Verify Identities Loading 
@@ -142,14 +142,14 @@ In order to validate the process: - Check **manually** a sample in the user directory accessible from the home page. You should verify at least your own sheet and the sheets for your hierarchy. - ![Home - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + ![Home - Directory User](/images/identitymanager/home_directoryuser_v523.webp) - Check that **every organization includes a manager**. Organizations are accessible from the department directory on the home page. - ![Home - Directory Department](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + ![Home - Directory Department](/images/identitymanager/home_directorydepartment_v523.webp) - ![List of Departments](/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + ![List of Departments](/images/identitymanager/initialload_departments_v602.webp) If the system contains many organizations, then it is also possible to list each organization with its manager through the Query module. diff --git a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/template-description.md b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/template-description.md index 68f7b03aa4..8c8582d6c6 100644 --- a/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/template-description.md +++ b/docs/identitymanager/current/user-guide/set-up/initial-identities-loading/template-description.md @@ -1,4 +1,4 @@ ---- +--- title: "Template Description" description: "Template Description" sidebar_position: 30 
@@ -10,7 +10,7 @@ Description of the MS Excel template for the creation of the identities reposito [**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). -![Template Model](/images/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp) +![Template Model](/images/identitymanager/initialload_templatemodel_v603.webp) All tabs contain a column `Command` only used at a later stage to modify (massively) identity data. See the [Update Identities in Bulk](../../../user-guide/maintain/identity-data-modification/mass-update) topic for additional information. diff --git a/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md b/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md index bd1fe02887..8eb140bb2e 100644 --- a/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md +++ b/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/navigation-property-computation.md @@ -1,4 +1,4 @@ ---- +--- title: "Compute a **navigation** Property" description: "Compute a **navigation** Property" sidebar_position: 30 
@@ -23,7 +23,7 @@ resources during the rule's creation. The assigned resource is the same for all - A **query rule** assigns a resource from the "other" entity type too. However, the resource is chosen according to a query via a C# expression with conditions, based on the attributes of the source objects (usually users). Hence, contrary to a **navigation** rule, a **query rule** can assign a different resource for each impacted account, based on the attributes of the account's owner. Use a **query rule** when there is the need to use variables from among users' attributes to select the resource to assign. -![Schema - Scalar Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp) +![Schema - Scalar Rule](/images/identitymanager/provrules_schemanavigation.webp) > A **navigation** rule could add the AD group `SG_APP_SQL` to the `memberOf` **navigation** property to all > AD nominative accounts provided that the user has the single role `SQL Server Administration`. 
@@ -139,19 +139,19 @@ Fill an entity type with a **navigation** rule by proceeding as follows: **Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. -![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) +![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) **Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future **navigation** rule. -![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) +![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) **Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner. -![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) +![Addition Icon](/images/identitymanager/iconadd_v602.webp) **Step 4 –** Fill in the fields. -![Create a **navigation** Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) +![Create a **navigation** Rule](/images/identitymanager/singlerolescatalog_createnavrule_v602.webp) - `Join`: **navigation** property from the target entity type, whose value is to be impacted. - `Resource`: resource from the entity type pointed by the `Join`, which is to be added to the @@ -167,7 +167,7 @@ computation according to the value's start and/**or** end date. > Our example would look like: > -> ![Scalar Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp) +> ![Scalar Rule Example](/images/identitymanager/provrules_examplenav_v602.webp) **Step 5 –** Click on **Create** and see a line added on the rules page. 
@@ -179,23 +179,23 @@ Fill an entity type with a **query rule** by proceeding as follows: **Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. -![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) +![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) **Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future **query rule**. -![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) +![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) **Step 3 –** Click on the **Queries** tab and on the addition button at the top right corner. -![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) +![Addition Icon](/images/identitymanager/iconadd_v602.webp) Fill in the fields. -![Create **query rule**](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp) +![Create **query rule**](/images/identitymanager/provrules_queryrule_v522.webp) Once the `Resource Type` is provided, more fields appear. -![**query rule** Fields](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp) +![**query rule** Fields](/images/identitymanager/provrules_queryrulefields_v602.webp) - **Target Object** > `Property to fill`: **navigation** property from the target entity type, whose value is to be impacted. 
@@ -210,9 +210,9 @@ the[Classify Resources](../../../user-guide/set-up/categorization/classification > Our examples would look like: > -> ![**query rule** Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp) +> ![**query rule** Example](/images/identitymanager/provrules_examplequery_v602.webp) > -> ![**query rule** Example 2](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp) +> ![**query rule** Example 2](/images/identitymanager/provrules_examplequerybis_v602.webp) Click on **Create** and see a line added on the rules page. @@ -220,7 +220,7 @@ Click on **Create** and see a line added on the rules page. Any modification in a **navigation** **or** **query rule** is taken into account when launching the role model computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) This task applies the rules and computes new properties. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created automatically for an identity through a **navigation** rule (and its criteria), and if the user's criteria do not comply with the new version of the rule, then the corresponding resource is automatically deleted. 
@@ -234,7 +234,7 @@ In order to verify the process: **Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on the **Role Reconciliation** screen) to help check query rules: if there are numerous properties to be reconciled following the same pattern, then there may be a rule that needs to be changed. diff --git a/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/resource-creation.md b/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/resource-creation.md index 7495e477e5..f3e299540a 100644 --- a/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/resource-creation.md +++ b/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/resource-creation.md @@ -1,4 +1,4 @@ ---- +--- title: "Create Resources" description: "Create Resources" sidebar_position: 10 
@@ -37,19 +37,19 @@ Create a resource type rule by proceeding as follows: 1. Click on **Access Rules** on the home page in the **Configuration** section. - ![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + ![Home - Access Rules](/images/identitymanager/home_rules_v602.webp) 2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. - ![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp) 3. Click on the **Resource Types** tab and on the addition button at the top right corner. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) 4. Fill in the fields. - ![Create a Resource Type Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp) + ![Create a Resource Type Rule](/images/identitymanager/provrules_typerule_v602.webp) - `Resource Type`: resource type to be automatically assigned. - `Type`: assignment type that can be: `Suggested` so that the resource type is listed among @@ -60,7 +60,7 @@ creation/deletion according to the value's start and/or end date. - **Criteria**: conditions that, if met, trigger the resource creation. > Our example would look like: > - > ![Resource Type Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp) + > ![Resource Type Rule Example](/images/identitymanager/provrules_exampletype_v602.webp) 5. Click on **Create** and see a line added on the rules page. 
@@ -68,7 +68,7 @@ creation/deletion according to the value's start and/or end date. Any modification in a resource type rule is taken into account when launching the role model computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**. -![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) +![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp) This task applies the rules and computes **new** assignments. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created automatically for an identity by a resource type rule, and if the user's criteria do not comply with the **new** version of the rule, then the corresponding resource is automatically deleted. 
@@ -86,18 +86,18 @@ In order to verify the process, start by checking the rule's details on the **Ac 1. Select a test user in the directory, accessible from the home page.
- ![Home Page - Directory User](/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp)
+ ![Home Page - Directory User](/images/identitymanager/home_directoryuser_v523.webp)
 2. Create a resource type rule involving an account that said user doesn't already have, based on criteria which the selected user satisfies. 3. Trigger the computation of the role model by clicking, on the corresponding connector's overview page, in the **Resource Types** frame, on **Jobs** > **Compute Role Model** to apply all rules.
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 4. See the **new** account in the user's **View Permissions** tab.
- ![View Permissions Tab](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp)
+ ![View Permissions Tab](/images/identitymanager/viewpermissions_v602.webp)
 If the type rule uses a single role as a criterion, and the user has said role, then both the resource type and the role will be displayed in the user's permissions, **but only if** the role is related to a [Compute a Navigation Property](../../../user-guide/set-up/provisioning-rule-creation/navigation-property-computation). Otherwise, only the resource type will be visible.
diff --git a/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md b/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md
index 0a36327755..34dd8dfd2b 100644
--- a/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md
+++ b/docs/identitymanager/current/user-guide/set-up/provisioning-rule-creation/scalar-property-computation.md
@@ -18,7 +18,7 @@ The right tools for the job are **scalar** rules. A **scalar** property's value can be computed by a **scalar** rule, based on at least one **scalar** property from the source entity type, possibly writing a C# expression.
-![Schema - **scalar** Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp)
+![Schema - **scalar** Rule](/images/identitymanager/provrules_schemascalar.webp)
 A **scalar** rule could define the **scalar** property displayName of nominative AD accounts based on its owner's name with the expression:
@@ -76,23 +76,23 @@ See the [Categorize Resources](../../../user-guide/set-up/categorization) topic Fill an entity type with a **scalar** rule by proceeding as follows:
-![Home - Access Rules](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home - Access Rules](/images/identitymanager/home_rules_v602.webp)
 **Step 1 :** Click on **Access Rules** on the home page in the **Configuration** section.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 2 :** In the dropdown menu at the top left, choose the source entity type for the future **scalar** rule.
-![iconadd_v602](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![iconadd_v602](/images/identitymanager/iconadd_v602.webp)
 **Step 3 :** Click on the **Scalars** tab and on the addition button at the top right corner.
-![Create **scalar** Rule](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp)
+![Create **scalar** Rule](/images/identitymanager/provrules_scalarrule_v522.webp)
 **Step 4 :** Fill in the fields.
-![**scalar** Rule Fields](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp)
+![**scalar** Rule Fields](/images/identitymanager/provrules_scalarrulefields_v602.webp)
 Once the Resource Type is provided, more fields appear.
@@ -111,7 +111,7 @@ synchronize the property back to Identity Manager; **Create Only** to use this c For example, consider a system, that we want to connect to Identity Manager (let's call it SYST) using a title property. Consider also that SYST needs to be provisioned with the value of title, but does not allow any other system to retrieve said value.
-In this case, we use **Create Only** so that Identity Manager sends the adequate provisioning order upon creation, and then sets the provisioning state to **None** without synchronization. If any changes impact that ****scalar** Property** value the workflow state will be modified to **PolicyApprovedWithChanges** meaning that the policy value is not equal to the external system's value and that will not be provisioned.
+In this case, we use **Create Only** so that Identity Manager sends the adequate provisioning order upon creation, and then is able to change the provisioning state to **Executed** without synchronization. If any changes impact that ****scalar** Property** value the workflow state will be modified to **PolicyApprovedWithChanges** meaning that the policy value is not equal to the external system's value and that will not be provisioned.
 - Comparison type: Comparison type between the value of the target object computed by the rule and its value from the managed system. Non-conforming values are displayed on the **Provisioning Review** screen.
@@ -119,7 +119,7 @@ its value from the managed system. Non-conforming values are displayed on the ** Our example would look like:
-![**scalar** Rule Example](/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp)
+![**scalar** Rule Example](/images/identitymanager/provrules_examplescalar_v522.webp)
 **Step 5 :** Click on **Create** and see a line added on the rules page.
@@ -127,7 +127,7 @@ Our example would look like: Any modification in a **scalar** rule is taken into account when launching the role model computation task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > **Compute Role Model**.
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 This task applies the rules and computes new properties. Therefore, if a given rule's criterion is modified, then all corresponding assignments are computed again. If a resource was created automatically for an identity through a **scalar** rule (and its single role criterion), and if the user's criteria do not comply with the new version of the rule, then the corresponding resource is automatically deleted.
@@ -139,7 +139,7 @@ Simulations are available in order to anticipate the changes induced by a creati In order to verify the process:
-![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 **Step 1 :** On the corresponding connector's overview page, in the **Resource Types** frame click on **Jobs** > **Compute Role Model** to apply all rules.
diff --git a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/category-creation.md b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/category-creation.md
index 509922f1b8..cba9bbec9d 100644
--- a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/category-creation.md
+++ b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/category-creation.md
@@ -1,4 +1,4 @@
----
+---
 title: "Create a Category"
 description: "Create a Category"
 sidebar_position: 20
@@ -41,16 +41,16 @@ Create a category by proceeding as follows: 1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles page.
- ![Home Page - Access Roles](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+ ![Home Page - Access Roles](/images/identitymanager/home_roles_v602.webp)
 2. All existing categories are shown in the menus on the left. To create a new category, click on **+**.
- ![Add a New Category](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp)
+ ![Add a New Category](/images/identitymanager/singlerolescatalog_newcategory_v602.webp)
 3. Fill in the fields.
- ![Create a Category](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp)
+ ![Create a Category](/images/identitymanager/singlerolescatalog_createcategory_v602.webp)
 - `Identifier`: must be unique among categories and without any whitespace. - `Name`: will be displayed in the UI to identify the created category.
@@ -67,5 +67,5 @@ When creating a category, you must be cautious about the associated validators t In order to verify the process, check on the **Access Roles** screen that the category is created with the right parameters.
-![Verify Category](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp)
+![Verify Category](/images/identitymanager/categorycreation_test_v602.webp)
diff --git a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/index.md b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/index.md
index a608f99a5f..bec1a04846 100644
--- a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/index.md
+++ b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/index.md
@@ -1,4 +1,4 @@
----
+---
 title: "Create Roles in the Role Catalog"
 description: "Create Roles in the Role Catalog"
 sidebar_position: 100
@@ -14,7 +14,7 @@ The creation of the role catalog is a time-consuming part, with an important wor The aim here is to establish and create the exhaustive list of [Role Models](../../../integration-guide/role-model) needed by the organization. Roles are a way to represent entitlements which are assigned to identities, so that said identities are able to work with the managed systems.
-![Schema - Single Role](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp)
+![Schema - Single Role](/images/identitymanager/singlerolescatalog_schemarole.webp)
 In other words, establishing the role catalog aims to list exhaustively and explicitly all the roles in the organization, hiding the technical complexity of entitlements behind the business vision of user-friendly names and categories, in order to:
@@ -50,7 +50,7 @@ Then single roles can be grouped together through [Composite Roles](../../../int - a role is created with a given approval workflow according to the entitlement's sensitivity;
- ![Schema - Approval Workflow](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp)
+ ![Schema - Approval Workflow](/images/identitymanager/singlerolescatalog_schemaapprovals.webp)
 > We choose to require one manual validation from a knowledgeable user before the Internet role > is assigned to a user.
@@ -58,7 +58,7 @@ Then single roles can be grouped together through [Composite Roles](../../../int - to be effective, roles must be linked to actual entitlements in the managed systems. Technically speaking, this means that for each entitlement that you want to assign through a given role, you must create a navigation rule to build said link. A navigation rule is specific to one resource type. See the [Categorize Resources](../../../user-guide/set-up/categorization) topic for additional information.
- ![Schema - Single Role with Navigation Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp)
+ ![Schema - Single Role with Navigation Rule](/images/identitymanager/singlerolescatalog_schemarolerule.webp)
 > We link the role to the entitlement named `SG_APP_DL-INTERNET-ALL` in the AD, via a navigation > rule that assigns this entitlement to the `memberOf` property of AD nominative accounts, for
@@ -66,7 +66,7 @@ speaking, this means that for each entitlement that you want to assign through a This part is about single roles, dealing with entitlements one-to-one. The idea is to associate one single role with one fine-grained entitlement.
- ![Schema - Roles and Identities](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp)
+ ![Schema - Roles and Identities](/images/identitymanager/singlerolescatalog_schemarolesidentities.webp)
 > For example, an accountant needs read access to the accounting software, a project manager to > their billable hours for their projects on SAP, etc.
@@ -90,7 +90,7 @@ A common and intuitive case is when a system is simply one application. Then, in > The SAP application is about entitlements only for itself. Then, we create a single role per > entitlement in SAP inside a category called `SAP`: >
-> ![Roles Example](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp)
+> ![Roles Example](/images/identitymanager/singlerolescatalog_strategymono_v602.webp)
 One system hosting several applications with existing naming conventions
@@ -99,7 +99,7 @@ If a given system is used to manage entitlements for several applications, then > For example, the Active Directory usually hosts many groups used to manage entitlements in several > distinct applications. >
-> ![AD Groups](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp)
+> ![AD Groups](/images/identitymanager/singlerolescatalog_strategymulti_v522.webp)
 The goal here is to find a way to clarify the link between each entitlement and the corresponding application.
@@ -121,7 +121,7 @@ Then, the solution is to add information inside the managed system, creating a s > For example in the Active Directory, integrators can modify the field called `description` to > specify the application name (such as Outlook in this example). >
-> ![Appropriated Field](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp)
+> ![Appropriated Field](/images/identitymanager/singlerolescatalog_strategymultinoname_v522.webp)
 Thus, the needed information is added to the managed system. After the execution of synchronization, said data is accessible inside Identity Manager database and can be used as a naming convention.
@@ -131,11 +131,11 @@ In some cases, integrators are not allowed to create/modify fields in the extern The UI provides tools to create single roles manually, working top-down from abstraction (role name) to the technical aspects (navigation rule and technical entitlement). Most projects use thousands of single roles, which makes role creation a long, tedious and repetitive process. See the [Create a Role Manually](../../../user-guide/set-up/single-roles-catalog-creation/role-manual-creation) topic for additional information.
-![Schema - Role Creation Top-Down](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp)
+![Schema - Role Creation Top-Down](/images/identitymanager/singlerolescatalog_schematopdown.webp)
 Roles can also be created bottom-up via role naming rules. Instead of the previous process, you can use the name of said entitlement in your managed system to create automatically the corresponding single role and rule (and category if it does not already exist). In other words, Identity Manager's naming rules are to be based on your existing naming conventions for entitlements. See the [Create Roles in Bulk](../../../user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation) topic for additional information.
-![Schema - Role Creation Top-Down](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp)
+![Schema - Role Creation Top-Down](/images/identitymanager/singlerolescatalog_schemabottomup.webp)
 One naming rule can generate many roles, so a few automatic rules can easily and faster create the single role catalog. Naming rules prove particularly useful when you need to add multiple new permissions in your external system. You won't have to create manually the corresponding categories, roles and rules as long as said permissions are created with properties matching the conditions from the rules.
diff --git a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md
index 0ee8e83ec9..ae7916707c 100644
--- a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md
+++ b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-manual-creation.md
@@ -1,4 +1,4 @@
----
+---
 title: "Create a Role Manually"
 description: "Create a Role Manually"
 sidebar_position: 30
@@ -29,11 +29,11 @@ For a given managed system, integrators may need the help of the **application o Create a single role by proceeding as follows:
-![Home Page - Access **roles**](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
 **Step 1 –** On the home page in the **Configuration** section, click on **Access **roles**** to access the **roles** page.
-![createsinglerole](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/createsinglerole.webp)
+![createsinglerole](/images/identitymanager/createsinglerole.webp)
 **Step 2 –** On the **roles** page, click on the adequate category and create a role by clicking on **+New** at the top right corner.
@@ -99,19 +99,19 @@ Navigation **rules** aim to assign given resources to identities based on specif Create a navigation rule by proceeding as follows:
-![Home Page - Access **rules**](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
 **Step 1 –** On the home page in the **Configuration** section, click on **Access **rules**** to access the **rules** page.
-![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 **Step 2 –** In the drop down menu at the top left, choose the entity type to which the future navigation rule will be applied.
-![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp)
+![Addition Icon](/images/identitymanager/iconadd_v602.webp)
 **Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner.
-![Create a Navigation Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp)
+![Create a Navigation Rule](/images/identitymanager/singlerolescatalog_createnavrule_v602.webp)
 **Step 4 –** Fill in the fields.
@@ -134,29 +134,29 @@ When deleting a single role, caution must be used when deleting the correspondin In order to verify the process, check that the role and rule are created with the right parameters.
-![Home Page - Access **roles**](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
 **Step 1 –** For **roles**, click on **Access **roles**** on the home page in the **Configuration** section.
-![Access Single **roles**](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp)
+![Access Single **roles**](/images/identitymanager/namingrulecreation_testroles_v602.webp)
 **Step 2 –** Select single **roles** and find the role you created inside the right category and with the right parameters. Our example would look like:
-![Example - Generated Role](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp)
+![Example - Generated Role](/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp)
-![Home Page - Access **rules**](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
 **Step 3 –** For **rules**, click on **Access **rules**** on the home page in the **Configuration** section.
-![Access Navigation **rules**](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp)
+![Access Navigation **rules**](/images/identitymanager/namingrulecreation_testrules_v602.webp)
 **Step 4 –** Select navigation **rules** and find the rule(s) you created with the right parameters.
Our example would look like:
-![Example - Generated Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp)
+![Example - Generated Rule](/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp)
 The verification of role creation has been completed.
diff --git a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md
index 43d602adc1..81e98b7f51 100644
--- a/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md
+++ b/docs/identitymanager/current/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation.md
@@ -1,4 +1,4 @@
----
+---
 title: "Create **roles** in Bulk"
 description: "Create **roles** in Bulk"
 sidebar_position: 10
@@ -43,20 +43,20 @@ Create a role naming rule by proceeding as follows: 1. On the home page, click on **Access **rules**** in the **Configuration** section.
- ![Home Page - Access **rules**](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+ ![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
 2. In the dropdown menu at the top left, choose the entity type to which the future naming rule will be applied.
- ![Entity Type Choice](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp)
+ ![Entity Type Choice](/images/identitymanager/provrules_entitytype_v602.webp)
 3. Click on the **Role Naming Conventions** tab and on the addition button at the top right corner.
- ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg)
+ ![Addition Icon](/images/identitymanager/iconadd_v602.svg)
 4. Fill in the fields.
- ![Create a Naming Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp)
+ ![Create a Naming Rule](/images/identitymanager/namingrulecreation_newrule_v602.webp)
 - `Policy`: [Policy](../../../integration-guide/toolkit/xml-configuration/provisioning/policy) in which the rule exists.
@@ -100,7 +100,7 @@ Permissions** dialog. This setting does not apply to **roles** which are either - `Comment Management on Permission Review`: to change if different from the role policy. > Our example would look like: >
- > ![Example - Naming Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp)
+ > ![Example - Naming Rule](/images/identitymanager/namingrulecreation_example_v602.webp)
 5. Click on **Create** and see a line added on the **rules** page.
@@ -115,31 +115,31 @@ In order to verify the process: 1. to take the changes into account, on the appropriate connector's overview page click on **Jobs** > **Apply Naming Conventions**;
- ![Resource Type Jobs](/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp)
+ ![Resource Type Jobs](/images/identitymanager/synchro_resourcetype_v602.webp)
 2. check that the correct **roles** and **rules** were created. For **roles**, click on **Access **roles**** on the home page in the **Configuration** section.
-![Home Page - Access **roles**](/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp)
+![Home Page - Access **roles**](/images/identitymanager/home_roles_v602.webp)
 Select single **roles** and find the role(s) you created inside the right category and with the right parameters.
-![Access Single **roles**](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp)
+![Access Single **roles**](/images/identitymanager/namingrulecreation_testroles_v602.webp)
 > Our example would look like: >
-> ![Example - Generated Role](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp)
+> ![Example - Generated Role](/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp)
 For **rules**, click on **Access **rules**** on the home page in the **Configuration** section.
-![Home Page - Access **rules**](/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp)
+![Home Page - Access **rules**](/images/identitymanager/home_rules_v602.webp)
 Select navigation **rules** and find the rule(s) you created with the right parameters.
-![Access Navigation **rules**](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp)
+![Access Navigation **rules**](/images/identitymanager/namingrulecreation_testrules_v602.webp)
 > Our example would look like: >
-> ![Example - Generated Rule](/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp)
+> ![Example - Generated Rule](/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp)
diff --git a/docs/identitymanager/current/user-guide/set-up/synchronization.md b/docs/identitymanager/current/user-guide/set-up/synchronization.md
index 902a997928..bc23c751a0 100644
--- a/docs/identitymanager/current/user-guide/set-up/synchronization.md
+++ b/docs/identitymanager/current/user-guide/set-up/synchronization.md
@@ -1,4 +1,4 @@
----
+---
 title: "**synchronize** Data"
 description: "**synchronize** Data"
 sidebar_position: 70
@@ -16,7 +16,7 @@ Data synchronization is a data flow from the managed systems into Identity Manag A connector's main purpose is to read and **export** the data previously mapped with [Create an Entity Type](../../user-guide/set-up/connect-system/entity-type-creation) in order to **synchronize** it with Identity Manager. Connectors provide tools to perform a basic extraction of the system's data in the form of CSV/XLSX files. These files are cleansed and loaded into Identity Manager. Synchronization is a three-step ETL process going through **export**, synchronization preparation and the synchronization itself.
-![Synchronization Schema](/images/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp)
+![Synchronization Schema](/images/identitymanager/synchro_schema.webp)
 #### **export**
@@ -81,20 +81,20 @@ Launch synchronization for a given managed system by proceeding as follows: 1. Access the list of connectors by clicking on **Connectors** on the home page in the **Configuration** section.
- ![Home - Connectors](/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp)
+ ![Home - Connectors](/images/identitymanager/home_connectors_v602.webp)
 2. On the relevant connector page, in the **Entity Types** frame, click on **Jobs**. Here are all the tasks available for synchronization. They **synchronize** all connections and entity types for only this connector. It is possible to launch them individually in order to test them and debug a situation, or all together with **All Tasks**. According to the created connection(s) and package(s), all these tasks can be launched either in incremental or complete mode.
- ![**synchronize** Job](/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp)
+ ![**synchronize** Job](/images/identitymanager/synchro_executionjobs_v602.webp)
 - `Update Expressions`: computes the expressions used in the entity type mapping. - `All Tasks`: launches all previous tasks in a row. Notice that some connectors, depending on their connections and packages, can't be synchronized in incremental mode. As a consequence, when clicking on the **Jobs** button, you wouldn't have a choice between `Complete` and `Incremental`. See below this note.
- ![**synchronize** Job (Only Complete)](/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp)
+ ![**synchronize** Job (Only Complete)](/images/identitymanager/synchro_executionjobs-complete_v602.webp)
 ## Manage Synchronization Automation
@@ -109,17 +109,17 @@ Scheduling the jobs avoids manually triggering them everyday. However, you can choose to withdraw a given connector from both the complete and incremental jobs by clicking on **Deactivate** on the connector's dashboard. This is particularly useful when modifying a connector. You can also re-insert it at any time with the same button which is now named **Activate**.
-![Jobs Results Dashboard](/images/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp)
+![Jobs Results Dashboard](/images/identitymanager/synchro_dashboard_v522.webp)
 You can fine-tune the synchronization and/or provisioning of the connector by clicking on the **Edit** button.
-![Edit button](/images/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp)
+![Edit button](/images/identitymanager/synchro_edit_v600.webp)
 Click on **Job Results** to access the progress of this connector's jobs. All jobs are accessible on the **Job Execution** page in the **Administration** section.
-![Home - Job Execution](/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp)
+![Home - Job Execution](/images/identitymanager/home_jobexecution_v602.webp)
 ## Verify an Entity Type's Synchronization
@@ -128,31 +128,31 @@ In order to verify both the synchronization configuration and [Create an Entity 1. Launch synchronization. 2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that synchronization completed successfully. - ![Jobs Results](/images/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + ![Jobs Results](/images/identitymanager/synchro_results_v603.webp) 3. Check that the entity types have been added to the left menu of the home page. - ![Test Entity Type](/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + ![Test Entity Type](/images/identitymanager/entitytypecreation_test_v602.webp) 4. Access the relevant entity types (from the menu items on the left of the home page) to check synchronized resources, by navigating in the UI from the accounts through a sample of associations, via the eye icon: - ![Eye Icon](/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + ![Eye Icon](/images/identitymanager/iconeye_v600.svg) You should first look for configuration validation, and only later validation of the actual data being synchronized. > For example, let's say we created a connector for SAB that contains two entity types called > `SAB - Users` and `SAB - Groups`. Then, the home page shows them on the left. > - > ![SAB Example - Home Page](/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp) + > ![SAB Example - Home Page](/images/identitymanager/synchro_examplesab_v522.webp) > > Clicking on `SAB - Users` displays the list of all synchronized resources. 
> - > ![SAB Example - Data List](/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp) + > ![SAB Example - Data List](/images/identitymanager/synchro_examplesab2_v602.webp) > > Clicking on any resource displays its detailed attributes, for example `Abbott Mark`: > - > ![SAB Example - Resource Attributes](/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp) + > ![SAB Example - Resource Attributes](/images/identitymanager/synchro_examplesab3_v602.webp) > > Clicking on any eye icon displays the corresponding resource. SAB was created here with a > simple user-group schema that links n users to n groups. So here, we can check these links by @@ -169,7 +169,7 @@ Don't hesitate to launch synchronization-related tasks individually and observe If the connector and/or entity type doesn't appear in the menu items, then: -![Test Entity Type](/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) +![Test Entity Type](/images/identitymanager/home_entitytypes_v602.webp) Access the relevant connector's page and click on the **Reload** button to take into account the last changes in the entity type mappings. @@ -179,7 +179,7 @@ Access the relevant connector's page to click on the **Reload** button to take i If a synchronization is blocked by an exceeded threshold, then: -![Threshold warning](/images/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp) +![Threshold warning](/images/identitymanager/synchro_threshold_v603.webp) Find out the reasons to decide whether or not to bypass the threshold. Proceed as follows: 
@@ -188,7 +188,7 @@ instance to see its logs. 2. Study synchronization counters and the list of all synchronization changes. These tools help you make a decision about whether to bypass synchronization thresholds. - ![Job progress](/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp) + ![Job progress](/images/identitymanager/synchro_thresholdlog_v603.webp) In most cases, the first synchronization exceeds thresholds because no data exists in Identity Manager yet. Thus, a high quantity of modifications is expected and the synchronization is to be resumed. @@ -203,7 +203,7 @@ job progress page. This will restart the job and allow the changes to be synchro Be cautious, check twice for mistakes before resuming. - ![Resumed Job](/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp) + ![Resumed Job](/images/identitymanager/synchro_thresholdresumed_v602.webp) If an **export** doesn't complete, then: @@ -211,13 +211,13 @@ If an **export** doesn't complete, then: - If you manually typed the source column of a property in the entity types, then make sure that the source column exists in the corresponding managed system. - ![Source Column](/images/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp) + ![Source Column](/images/identitymanager/entitytype_sourcecolumn_v602.webp) If a given property from users' data is displayed in an unexpected way, then: Check the format of both the application metadata and the external system. -![Property Format](/images/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp) +![Property Format](/images/identitymanager/entitytype_format_v523.webp) > For example, if you find that a given date doesn't comply with what you set, then maybe the format > in the External System section wasn't correctly selected, thus inducing a conversion error during 
diff --git a/docs/identitymanager/current/user-guide/set-up/user-profile-assignment.md b/docs/identitymanager/current/user-guide/set-up/user-profile-assignment.md index 2beb73e03a..2d7f8148cd 100644 --- a/docs/identitymanager/current/user-guide/set-up/user-profile-assignment.md +++ b/docs/identitymanager/current/user-guide/set-up/user-profile-assignment.md @@ -1,4 +1,4 @@ ---- +--- title: "Assign Users a Profile" description: "Assign Users a Profile" sidebar_position: 110 @@ -10,9 +10,9 @@ How to assign Identity Manager's access permissions to users through profiles. ## Overview -All the permissions to access items in Identity Manager, **and** to perform given actions, are managed by assigning profiles to users **and** permissions to profiles. See the [Assigned Profile](../../integration-guide/toolkit/xml-configuration/access-control/assignedprofile) **and** [References: Permissions](../../integration-guide/content/integration-guide/profiles-permissions/permissions) topics for additional information. +All the permissions to access items in Identity Manager, **and** to perform given actions, are managed by assigning profiles to users **and** permissions to profiles. See the [Assigned Profile](../../integration-guide/toolkit/xml-configuration/access-control/assignedprofile) **and** [References: Permissions](../../integration-guide/profiles-permissions/permissions) topics for additional information. -![Schema - Profile Assignment](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) +![Schema - Profile Assignment](/images/identitymanager/profiles_schema.webp) For example, the access to the list of users with their personal data is usually restricted to HR people, **and** the possibility to modify personal data restricted to HR managers. 
@@ -42,15 +42,15 @@ In the following section you will read about how to assign a profile to an accou Assign manually a profile to a user by proceeding as follows: -![Home Page - Assigned Profiles](/images/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) +![Home Page - Assigned Profiles](/images/identitymanager/home_assignedprofiles_v602.webp) **Step 1 –** Access the **Assigned Profiles** screen from the home page in the **Administration** section. -![Addition Icon](/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) +![Addition Icon](/images/identitymanager/iconadd_v602.webp) **Step 2 –** Click on the addition button at the top right corner. -![New Profile](/images/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp) +![New Profile](/images/identitymanager/roleofficers_newprofile_v602.webp) **Step 3 –** Fill in the fields. @@ -67,7 +67,7 @@ Assign manually a profile to a user by proceeding as follows: The largest profiles with the most basic permissions (like a simple access to the application) concern many identities **and** are low-privileged. Thus integrators can set up profile assignment rules through the XML configuration in order to assign profiles automatically, based on accounts' resource type **and** potentially specific criteria. See the [Profile Rule Context](../../integration-guide/toolkit/xml-configuration/access-control/profilerulecontext) topic for additional information. -![Launch Button](/images/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp) +![Launch Button](/images/identitymanager/launch_v603.webp) Click on **Launch** to apply these profile rules. diff --git a/docs/identitymanager/current/user-guide/set-up/user-profile-configuration.md b/docs/identitymanager/current/user-guide/set-up/user-profile-configuration.md index d6181084ab..98214c2ef5 100644 
--- a/docs/identitymanager/current/user-guide/set-up/user-profile-configuration.md +++ b/docs/identitymanager/current/user-guide/set-up/user-profile-configuration.md @@ -1,4 +1,4 @@ ---- +--- title: "Configure a User Profile" description: "Configure a User Profile" sidebar_position: 50 @@ -6,13 +6,13 @@ sidebar_position: 50 # Configure a User Profile -How to tweak the [References: Permissions](../../integration-guide/content/integration-guide/profiles-permissions/permissions) for actions **within** Identity Manager, for a set of basic [Assigned Profile](../../integration-guide/toolkit/xml-configuration/access-control/assignedprofile). +How to tweak the [References: Permissions](../../integration-guide/profiles-permissions/permissions) for actions **within** Identity Manager, for a set of basic [Assigned Profile](../../integration-guide/toolkit/xml-configuration/access-control/assignedprofile). ## Overview All the permissions for accessing items and performing actions in Identity Manager are managed by assigning profiles to users and permissions to profiles. -![Schema - Profile Assignment](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) +![Schema - Profile Assignment](/images/identitymanager/profiles_schema.webp) > For example, access to user lists with personal data is usually restricted to HR staff, and the > modification of personal data would be restricted to HR managers. 
@@ -72,14 +72,14 @@ Configure a user profile by proceeding as follows: 1. On the home page, click on **Settings** in the **Configuration** section, then on **General** > **Profiles** in the left menu. - ![Home - Configuration](/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + ![Home - Configuration](/images/identitymanager/home_settings_v523.webp) 2. Check whether the profile to configure is part of the provided list. If not, create it by clicking on the addition button at the top right and fill in the fields. - ![Addition Icon](/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + ![Addition Icon](/images/identitymanager/iconadd_v602.svg) - ![New Profile](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp) + ![New Profile](/images/identitymanager/profiles_creation_v602.webp) - `Identifier`: must be unique among profiles and without any whitespace. - `Name`: will be displayed in the UI to identify the profile. @@ -91,11 +91,11 @@ Permissions** in the left menu. 4. Follow Identity Manager's instructions for assigning permissions to the profile by clicking on the appropriate permissions, one by one, selecting if needed their responsibility scope. - ![Profile Configuration Example](/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp) + ![Profile Configuration Example](/images/identitymanager/profiles_example_v603.webp) 5. Click on **Save** at the top of the page. - ![Save Icon](/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + ![Save Icon](/images/identitymanager/iconsave_v602.svg) ## Verify Profile Configuration diff --git a/package-lock.json b/package-lock.json index 5d4eb97efe..5a9a634099 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -11,7 +11,7 @@ "@docusaurus/babel": "^3.10.0", "@docusaurus/core": "^3.10.0", "@docusaurus/faster": "^3.10.0", - "@docusaurus/plugin-client-redirects": "3.10.0", + "@docusaurus/plugin-client-redirects": "^3.10.0", "@docusaurus/plugin-google-gtag": "^3.10.0", "@docusaurus/plugin-google-tag-manager": "^3.10.0", "@docusaurus/plugin-rsdoctor": "^3.10.0", @@ -299,15 +299,6 @@ "url": "https://github.com/sponsors/antfu" } }, - "node_modules/@antfu/utils": { - "version": "8.1.1", - "resolved": "https://registry.npmjs.org/@antfu/utils/-/utils-8.1.1.tgz", - "integrity": "sha512-Mex9nXf9vR6AhcXmMrlz/HVgYYZpVGJ6YlPgwl7UnaFpnshXs6EK/oa5Gpf3CzENMjkvEx2tQtntGnb7UtSTOQ==", - "license": "MIT", - "funding": { - "url": "https://github.com/sponsors/antfu" - } - }, "node_modules/@babel/code-frame": { "version": "7.27.1", "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz", 
@@ -2035,42 +2026,40 @@ "license": "MIT" }, "node_modules/@chevrotain/cst-dts-gen": { - "version": "11.0.3", - "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-11.0.3.tgz", - "integrity": "sha512-BvIKpRLeS/8UbfxXxgC33xOumsacaeCKAjAeLyOn7Pcp95HiRbrpl14S+9vaZLolnbssPIUuiUd8IvgkRyt6NQ==", + "version": "12.0.0", + "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-12.0.0.tgz", + "integrity": "sha512-fSL4KXjTl7cDgf0B5Rip9Q05BOrYvkJV/RrBTE/bKDN096E4hN/ySpcBK5B24T76dlQ2i32Zc3PAE27jFnFrKg==", "license": "Apache-2.0", "dependencies": { - "@chevrotain/gast": "11.0.3", - "@chevrotain/types": "11.0.3", - "lodash-es": "4.17.21" + "@chevrotain/gast": "12.0.0", + "@chevrotain/types": "12.0.0" } }, "node_modules/@chevrotain/gast": { - "version": "11.0.3", - "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-11.0.3.tgz", - "integrity": "sha512-+qNfcoNk70PyS/uxmj3li5NiECO+2YKZZQMbmjTqRI3Qchu8Hig/Q9vgkHpI3alNjr7M+a2St5pw5w5F6NL5/Q==", + "version": "12.0.0", + "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-12.0.0.tgz", + "integrity": "sha512-1ne/m3XsIT8aEdrvT33so0GUC+wkctpUPK6zU9IlOyJLUbR0rg4G7ZiApiJbggpgPir9ERy3FRjT6T7lpgetnQ==", "license": "Apache-2.0", "dependencies": { - "@chevrotain/types": "11.0.3", - "lodash-es": "4.17.21" + "@chevrotain/types": "12.0.0" } }, "node_modules/@chevrotain/regexp-to-ast": { - "version": "11.0.3", - "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-11.0.3.tgz", - "integrity": "sha512-1fMHaBZxLFvWI067AVbGJav1eRY7N8DDvYCTwGBiE/ytKBgP8azTdgyrKyWZ9Mfh09eHWb5PgTSO8wi7U824RA==", + "version": "12.0.0", + "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-12.0.0.tgz", + "integrity": "sha512-p+EW9MaJwgaHguhoqwOtx/FwuGr+DnNn857sXWOi/mClXIkPGl3rn7hGNWvo31HA3vyeQxjqe+H36yZJwYU8cA==", "license": "Apache-2.0" }, "node_modules/@chevrotain/types": { - "version": "11.0.3", - "resolved": 
"https://registry.npmjs.org/@chevrotain/types/-/types-11.0.3.tgz", - "integrity": "sha512-gsiM3G8b58kZC2HaWR50gu6Y1440cHiJ+i3JUvcp/35JchYejb2+5MVeJK0iKThYpAa/P2PYFV4hoi44HD+aHQ==", + "version": "12.0.0", + "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-12.0.0.tgz", + "integrity": "sha512-S+04vjFQKeuYw0/eW3U52LkAHQsB1ASxsPGsLPUyQgrZ2iNNibQrsidruDzjEX2JYfespXMG0eZmXlhA6z7nWA==", "license": "Apache-2.0" }, "node_modules/@chevrotain/utils": { - "version": "11.0.3", - "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-11.0.3.tgz", - "integrity": "sha512-YslZMgtJUyuMbZ+aKvfF3x1f5liK4mWNxghFRv7jqRR9C3R3fAOGTTKvxXDa2Y1s9zSbcpuO0cAxDYsc9SrXoQ==", + "version": "12.0.0", + "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-12.0.0.tgz", + "integrity": "sha512-lB59uJoaGIfOOL9knQqQRfhl9g7x8/wqFkp13zTdkRu1huG9kg6IJs1O8hqj9rs6h7orGxHJUKb+mX3rPbWGhA==", "license": "Apache-2.0" }, "node_modules/@colors/colors": { @@ -4371,19 +4360,14 @@ "license": "MIT" }, "node_modules/@iconify/utils": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/@iconify/utils/-/utils-2.3.0.tgz", - "integrity": "sha512-GmQ78prtwYW6EtzXRU1rY+KwOKfz32PD7iJh6Iyqw68GiKuoZ2A6pRtzWONz5VQJbp50mEjXh/7NkumtrAgRKA==", + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@iconify/utils/-/utils-3.1.0.tgz", + "integrity": "sha512-Zlzem1ZXhI1iHeeERabLNzBHdOa4VhQbqAcOQaMKuTuyZCpwKbC2R4Dd0Zo3g9EAc+Y4fiarO8HIHRAth7+skw==", "license": "MIT", "dependencies": { - "@antfu/install-pkg": "^1.0.0", - "@antfu/utils": "^8.1.0", + "@antfu/install-pkg": "^1.1.0", "@iconify/types": "^2.0.0", - "debug": "^4.4.0", - "globals": "^15.14.0", - "kolorist": "^1.8.0", - "local-pkg": "^1.0.0", - "mlly": "^1.7.4" + "mlly": "^1.8.0" } }, "node_modules/@jest/schemas": { 
@@ -4929,12 +4913,12 @@ } }, "node_modules/@mermaid-js/parser": { - "version": "0.6.2", - "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-0.6.2.tgz", - "integrity": "sha512-+PO02uGF6L6Cs0Bw8RpGhikVvMWEysfAyl27qTlroUB8jSWr1lL0Sf6zi78ZxlSnmgSY2AMMKVgghnN9jTtwkQ==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.0.tgz", + "integrity": "sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==", "license": "MIT", "dependencies": { - "langium": "3.3.1" + "langium": "^4.0.0" } }, "node_modules/@module-federation/error-codes": { @@ -7090,6 +7074,16 @@ "integrity": "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==", "license": "ISC" }, + "node_modules/@upsetjs/venn.js": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@upsetjs/venn.js/-/venn.js-2.0.0.tgz", + "integrity": "sha512-WbBhLrooyePuQ1VZxrJjtLvTc4NVfpOyKx0sKqioq9bX1C1m7Jgykkn8gLrtwumBioXIqam8DLxp88Adbue6Hw==", + "license": "MIT", + "optionalDependencies": { + "d3-selection": "^3.0.0", + "d3-transition": "^3.0.1" + } + }, "node_modules/@webassemblyjs/ast": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.14.1.tgz", @@ -7268,9 +7262,9 @@ } }, "node_modules/acorn": { - "version": "8.15.0", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz", - "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", + "version": "8.16.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz", + "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==", "license": "MIT", "bin": { "acorn": "bin/acorn" 
@@ -7345,9 +7339,9 @@ } }, "node_modules/ajv": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz", - "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==", + "version": "8.18.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz", + "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==", "license": "MIT", "dependencies": { "fast-deep-equal": "^3.1.3", @@ -7654,14 +7648,14 @@ } }, "node_modules/axios": { - "version": "1.11.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.11.0.tgz", - "integrity": "sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==", + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz", + "integrity": "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.6", - "form-data": "^4.0.4", - "proxy-from-env": "^1.1.0" + "follow-redirects": "^1.15.11", + "form-data": "^4.0.5", + "proxy-from-env": "^2.1.0" } }, "node_modules/babel-loader": { @@ -7871,9 +7865,9 @@ } }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.14", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz", + "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0", 
@@ -8215,29 +8209,31 @@ } }, "node_modules/chevrotain": { - "version": "11.0.3", - "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-11.0.3.tgz", - "integrity": "sha512-ci2iJH6LeIkvP9eJW6gpueU8cnZhv85ELY8w8WiFtNjMHA5ad6pQLaJo9mEly/9qUyCpvqX8/POVUTf18/HFdw==", + "version": "12.0.0", + "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-12.0.0.tgz", + "integrity": "sha512-csJvb+6kEiQaqo1woTdSAuOWdN0WTLIydkKrBnS+V5gZz0oqBrp4kQ35519QgK6TpBThiG3V1vNSHlIkv4AglQ==", "license": "Apache-2.0", "dependencies": { - "@chevrotain/cst-dts-gen": "11.0.3", - "@chevrotain/gast": "11.0.3", - "@chevrotain/regexp-to-ast": "11.0.3", - "@chevrotain/types": "11.0.3", - "@chevrotain/utils": "11.0.3", - "lodash-es": "4.17.21" + "@chevrotain/cst-dts-gen": "12.0.0", + "@chevrotain/gast": "12.0.0", + "@chevrotain/regexp-to-ast": "12.0.0", + "@chevrotain/types": "12.0.0", + "@chevrotain/utils": "12.0.0" + }, + "engines": { + "node": ">=22.0.0" } }, "node_modules/chevrotain-allstar": { - "version": "0.3.1", - "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.3.1.tgz", - "integrity": "sha512-b7g+y9A0v4mxCW1qUhf3BSVPg+/NvGErk/dOkrDaHA0nQIQGAtrOjlX//9OQtRlSCy+x9rfB5N8yC71lH1nvMw==", + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.1.tgz", + "integrity": "sha512-PvVJm3oGqrveUVW2Vt/eZGeiAIsJszYweUcYwcskg9e+IubNYKKD+rHHem7A6XVO22eDAL+inxNIGAzZ/VIWlA==", "license": "MIT", "dependencies": { "lodash-es": "^4.17.21" }, "peerDependencies": { - "chevrotain": "^11.0.0" + "chevrotain": "^12.0.0" } }, "node_modules/chokidar": { 
@@ -8694,9 +8690,9 @@ "license": "MIT" }, "node_modules/confbox": { - "version": "0.2.2", - "resolved": "https://registry.npmjs.org/confbox/-/confbox-0.2.2.tgz", - "integrity": "sha512-1NB+BKqhtNipMsov4xI/NnhCKp9XG9NamYp5PVm9klAT0fsrNPjaFICsCFhNhwZJKNh7zB/3q8qXz0E9oaMNtQ==", + "version": "0.1.8", + "resolved": "https://registry.npmjs.org/confbox/-/confbox-0.1.8.tgz", + "integrity": "sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==", "license": "MIT" }, "node_modules/config-chain": { @@ -9462,9 +9458,9 @@ "license": "MIT" }, "node_modules/cytoscape": { - "version": "3.32.1", - "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.32.1.tgz", - "integrity": "sha512-dbeqFTLYEwlFg7UGtcZhCCG/2WayX72zK3Sq323CEX29CY81tYfVhw1MIdduCtpstB0cTOhJswWlM/OEB3Xp+Q==", + "version": "3.33.2", + "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.2.tgz", + "integrity": "sha512-sj4HXd3DokGhzZAdjDejGvTPLqlt84vNFN8m7bGsOzDY5DyVcxIb2ejIXat2Iy7HxWhdT/N1oKyheJ5YdpsGuw==", "license": "MIT", "engines": { "node": ">=0.10" @@ -9736,9 +9732,9 @@ } }, "node_modules/d3-format": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.0.tgz", - "integrity": "sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.2.tgz", + "integrity": "sha512-AJDdYOdnyRDV5b6ArilzCPPwc1ejkHcoyFarqlPqT7zRYjhavcT3uSrqcMvsgh2CgoPbK3RCwyHaVyxYcP2Arg==", "license": "ISC", "engines": { "node": ">=12" 
@@ -9972,9 +9968,9 @@ } }, "node_modules/dagre-d3-es": { - "version": "7.0.11", - "resolved": "https://registry.npmjs.org/dagre-d3-es/-/dagre-d3-es-7.0.11.tgz", - "integrity": "sha512-tvlJLyQf834SylNKax8Wkzco/1ias1OPw8DcUMDE7oUIoSEW25riQVuiu/0OWEFqT0cxHT3Pa9/D82Jr47IONw==", + "version": "7.0.14", + "resolved": "https://registry.npmjs.org/dagre-d3-es/-/dagre-d3-es-7.0.14.tgz", + "integrity": "sha512-P4rFMVq9ESWqmOgK+dlXvOtLwYg0i7u0HBGJER0LZDJT2VHIPAMZ/riPxqJceWMStH5+E61QxFra9kIS3AqdMg==", "license": "MIT", "dependencies": { "d3": "^7.9.0", @@ -10161,9 +10157,9 @@ } }, "node_modules/delaunator": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.1.tgz", - "integrity": "sha512-8nvh+XBe96aCESrGOqMp/84b13H9cdKbG5P2ejQCh4d4sK9RL4371qou9drQjMhvnPmhWl5hnmqbEE0fXr9Xnw==", + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.1.0.tgz", + "integrity": "sha512-AGrQ4QSgssa1NGmWmLPqN5NY2KajF5MqxetNEO+o0n3ZwZZeTmt7bBnvzHWrmkZFxGgr4HdyFgelzgi06otLuQ==", "license": "ISC", "dependencies": { "robust-predicates": "^3.0.2" @@ -10326,9 +10322,9 @@ } }, "node_modules/dompurify": { - "version": "3.2.6", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.6.tgz", - "integrity": "sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==", + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.0.tgz", + "integrity": "sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==", "license": "(MPL-2.0 OR Apache-2.0)", "optionalDependencies": { "@types/trusted-types": "^2.0.7" 
@@ -10571,9 +10567,9 @@ } }, "node_modules/es-module-lexer": { - "version": "1.7.0", - "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz", - "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.0.0.tgz", + "integrity": "sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==", "license": "MIT" }, "node_modules/es-object-atoms": { @@ -11014,9 +11010,9 @@ "license": "MIT" }, "node_modules/express/node_modules/path-to-regexp": { - "version": "0.1.12", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz", - "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==", + "version": "0.1.13", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz", + "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==", "license": "MIT" }, "node_modules/express/node_modules/qs": { @@ -11052,12 +11048,6 @@ "node": ">= 0.8" } }, - "node_modules/exsolve": { - "version": "1.0.7", - "resolved": "https://registry.npmjs.org/exsolve/-/exsolve-1.0.7.tgz", - "integrity": "sha512-VO5fQUzZtI6C+vx4w/4BWJpg3s/5l+6pRQEHzFRM8WFi4XffSP1Z+4qi7GbjWbvRQEbdIco5mIMq+zX4rPuLrw==", - "license": "MIT" - }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", 
@@ -11382,9 +11372,9 @@ } }, "node_modules/follow-redirects": { - "version": "1.15.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz", - "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==", + "version": "1.16.0", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz", + "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==", "funding": [ { "type": "individual", @@ -11402,9 +11392,9 @@ } }, "node_modules/form-data": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", - "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", + "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", @@ -11655,18 +11645,6 @@ "node": ">=10" } }, - "node_modules/globals": { - "version": "15.15.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-15.15.0.tgz", - "integrity": "sha512-7ACyT3wmyp3I61S4fG682L0VA2RGD9otkqGJIwNUMF1SWUombIIk+af1unuDYgMm082aHYwD+mzJvv9Iu8dsgg==", - "license": "MIT", - "engines": { - "node": ">=18" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/globby": { "version": "11.1.0", "resolved": "https://registry.npmjs.org/globby/-/globby-11.1.0.tgz", 
@@ -13060,9 +13038,9 @@ } }, "node_modules/katex": { - "version": "0.16.22", - "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.22.tgz", - "integrity": "sha512-XCHRdUw4lf3SKBaJe4EvgqIuWwkPSo9XoeO8GjQW94Bp7TWv9hNhzZjZ+OH9yf1UmLygb7DIT5GSFQiyt16zYg==", + "version": "0.16.45", + "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.45.tgz", + "integrity": "sha512-pQpZbdBu7wCTmQUh7ufPmLr0pFoObnGUoL/yhtwJDgmmQpbkg/0HSVti25Fu4rmd1oCR6NGWe9vqTWuWv3GcNA==", "funding": [ "https://opencollective.com/katex", "https://github.com/sponsors/katex" @@ -13116,26 +13094,22 @@ "node": ">=6" } }, - "node_modules/kolorist": { - "version": "1.8.0", - "resolved": "https://registry.npmjs.org/kolorist/-/kolorist-1.8.0.tgz", - "integrity": "sha512-Y+60/zizpJ3HRH8DCss+q95yr6145JXZo46OTpFvDZWLfRCE4qChOyk1b26nMaNpfHHgxagk9dXT5OP0Tfe+dQ==", - "license": "MIT" - }, "node_modules/langium": { - "version": "3.3.1", - "resolved": "https://registry.npmjs.org/langium/-/langium-3.3.1.tgz", - "integrity": "sha512-QJv/h939gDpvT+9SiLVlY7tZC3xB2qK57v0J04Sh9wpMb6MP1q8gB21L3WIo8T5P1MSMg3Ep14L7KkDCFG3y4w==", + "version": "4.2.2", + "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.2.tgz", + "integrity": "sha512-JUshTRAfHI4/MF9dH2WupvjSXyn8JBuUEWazB8ZVJUtXutT0doDlAv1XKbZ1Pb5sMexa8FF4CFBc0iiul7gbUQ==", "license": "MIT", "dependencies": { - "chevrotain": "~11.0.3", - "chevrotain-allstar": "~0.3.0", + "@chevrotain/regexp-to-ast": "~12.0.0", + "chevrotain": "~12.0.0", + "chevrotain-allstar": "~0.4.1", "vscode-languageserver": "~9.0.1", "vscode-languageserver-textdocument": "~1.0.11", - "vscode-uri": "~3.0.8" + "vscode-uri": "~3.1.0" }, "engines": { - "node": ">=16.0.0" + "node": ">=20.10.0", + "npm": ">=10.2.3" } }, "node_modules/latest-version": { 
@@ -13449,12 +13423,16 @@ } }, "node_modules/loader-runner": { - "version": "4.3.0", - "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-4.3.0.tgz", - "integrity": "sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==", + "version": "4.3.1", + "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-4.3.1.tgz", + "integrity": "sha512-IWqP2SCPhyVFTBtRcgMHdzlf9ul25NwaFx4wCEH/KjAXuuHY4yNjvPXsBokp8jCB936PyWRaPKUNh8NvylLp2Q==", "license": "MIT", "engines": { "node": ">=6.11.5" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/webpack" } }, "node_modules/loader-utils": { @@ -13471,23 +13449,6 @@ "node": ">=8.9.0" } }, - "node_modules/local-pkg": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/local-pkg/-/local-pkg-1.1.1.tgz", - "integrity": "sha512-WunYko2W1NcdfAFpuLUoucsgULmgDBRkdxHxWQ7mK0cQqwPiy8E1enjuRBrhLtZkB5iScJ1XIPdhVEFK8aOLSg==", - "license": "MIT", - "dependencies": { - "mlly": "^1.7.4", - "pkg-types": "^2.0.1", - "quansync": "^0.2.8" - }, - "engines": { - "node": ">=14" - }, - "funding": { - "url": "https://github.com/sponsors/antfu" - } - }, "node_modules/locate-path": { "version": "7.2.0", "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-7.2.0.tgz", 
@@ -13504,15 +13465,15 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", "license": "MIT" }, "node_modules/lodash-es": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz", - "integrity": "sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.18.1.tgz", + "integrity": "sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==", "license": "MIT" }, "node_modules/lodash.debounce": { @@ -13664,9 +13625,9 @@ } }, "node_modules/marked": { - "version": "16.1.1", - "resolved": "https://registry.npmjs.org/marked/-/marked-16.1.1.tgz", - "integrity": "sha512-ij/2lXfCRT71L6u0M29tJPhP0bM5shLL3u5BePhFwPELj2blMJ6GDtD7PfJhRLhJ/c2UwrK17ySVcDzy2YHjHQ==", + "version": "16.4.2", + "resolved": "https://registry.npmjs.org/marked/-/marked-16.4.2.tgz", + "integrity": "sha512-TI3V8YYWvkVf3KJe1dRkpnjs68JUPyEa5vjKrp1XEEJUAOaQc+Qj+L1qWbPd0SJuAdQkFU0h73sXXqwDYxsiDA==", "license": "MIT", "bin": { "marked": "bin/marked.js" 
@@ -14032,9 +13993,9 @@ } }, "node_modules/mdast-util-to-hast": { - "version": "13.2.0", - "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz", - "integrity": "sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==", + "version": "13.2.1", + "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.1.tgz", + "integrity": "sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==", "license": "MIT", "dependencies": { "@types/hast": "^3.0.0", 
@@ -14155,33 +14116,40 @@ } }, "node_modules/mermaid": { - "version": "11.9.0", - "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.9.0.tgz", - "integrity": "sha512-YdPXn9slEwO0omQfQIsW6vS84weVQftIyyTGAZCwM//MGhPzL1+l6vO6bkf0wnP4tHigH1alZ5Ooy3HXI2gOag==", + "version": "11.14.0", + "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.14.0.tgz", + "integrity": "sha512-GSGloRsBs+JINmmhl0JDwjpuezCsHB4WGI4NASHxL3fHo3o/BRXTxhDLKnln8/Q0lRFRyDdEjmk1/d5Sn1Xz8g==", "license": "MIT", "dependencies": { - "@braintree/sanitize-url": "^7.0.4", - "@iconify/utils": "^2.1.33", - "@mermaid-js/parser": "^0.6.2", + "@braintree/sanitize-url": "^7.1.1", + "@iconify/utils": "^3.0.2", + "@mermaid-js/parser": "^1.1.0", "@types/d3": "^7.4.3", - "cytoscape": "^3.29.3", + "@upsetjs/venn.js": "^2.0.0", + "cytoscape": "^3.33.1", "cytoscape-cose-bilkent": "^4.1.0", "cytoscape-fcose": "^2.2.0", "d3": "^7.9.0", "d3-sankey": "^0.12.3", - "dagre-d3-es": "7.0.11", - "dayjs": "^1.11.13", - "dompurify": "^3.2.5", - "katex": "^0.16.22", + "dagre-d3-es": "7.0.14", + "dayjs": "^1.11.19", + "dompurify": "^3.3.1", + "katex": "^0.16.25", "khroma": "^2.1.0", - "lodash-es": "^4.17.21", - "marked": "^16.0.0", + "lodash-es": "^4.17.23", + "marked": "^16.3.0", "roughjs": "^4.6.6", "stylis": "^4.3.6", "ts-dedent": "^2.2.0", "uuid": "^11.1.0" } }, + "node_modules/mermaid/node_modules/dayjs": { + "version": "1.11.20", + "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.20.tgz", + "integrity": "sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ==", + "license": "MIT" + }, "node_modules/methods": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz", 
@@ -16103,32 +16071,15 @@ } }, "node_modules/mlly": { - "version": "1.7.4", - "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.7.4.tgz", - "integrity": "sha512-qmdSIPC4bDJXgZTCR7XosJiNKySV7O215tsPtDN9iEO/7q/76b/ijtgRu/+epFXSJhijtTCCGp3DWS549P3xKw==", + "version": "1.8.2", + "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.2.tgz", + "integrity": "sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==", "license": "MIT", "dependencies": { - "acorn": "^8.14.0", - "pathe": "^2.0.1", - "pkg-types": "^1.3.0", - "ufo": "^1.5.4" - } - }, - "node_modules/mlly/node_modules/confbox": { - "version": "0.1.8", - "resolved": "https://registry.npmjs.org/confbox/-/confbox-0.1.8.tgz", - "integrity": "sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==", - "license": "MIT" - }, - "node_modules/mlly/node_modules/pkg-types": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-1.3.1.tgz", - "integrity": "sha512-/Jm5M4RvtBFVkKWRu2BLUTNP8/M2a+UwuAX+ae4770q1qVGtfjG+WTCupoZixokjmHiry8uI+dlY8KXYV5HVVQ==", - "license": "MIT", - "dependencies": { - "confbox": "^0.1.8", - "mlly": "^1.7.4", - "pathe": "^2.0.1" + "acorn": "^8.16.0", + "pathe": "^2.0.3", + "pkg-types": "^1.3.1", + "ufo": "^1.6.3" } }, "node_modules/mrmime": { @@ -16718,9 +16669,9 @@ } }, "node_modules/package-manager-detector": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/package-manager-detector/-/package-manager-detector-1.3.0.tgz", - "integrity": "sha512-ZsEbbZORsyHuO00lY1kV3/t72yp6Ysay6Pd17ZAlNGuGwmWDLCJxFpRs0IzfXfj1o4icJOkUEioexFHzyPurSQ==", + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/package-manager-detector/-/package-manager-detector-1.6.0.tgz", + "integrity": "sha512-61A5ThoTiDG/C8s8UMZwSorAGwMJ0ERVGj2OjoW5pAalsNOg15+iQiPzrLJ4jhZ1HJzmC2PIHT2oEiH3R5fzNA==", "license": "MIT" }, "node_modules/param-case": { 
@@ -16929,9 +16880,9 @@ "license": "ISC" }, "node_modules/picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", + "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", "license": "MIT", "engines": { "node": ">=8.6" @@ -16956,14 +16907,14 @@ } }, "node_modules/pkg-types": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-2.2.0.tgz", - "integrity": "sha512-2SM/GZGAEkPp3KWORxQZns4M+WSeXbC2HEvmOIJe3Cmiv6ieAJvdVhDldtHqM5J1Y7MrR1XhkBT/rMlhh9FdqQ==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-1.3.1.tgz", + "integrity": "sha512-/Jm5M4RvtBFVkKWRu2BLUTNP8/M2a+UwuAX+ae4770q1qVGtfjG+WTCupoZixokjmHiry8uI+dlY8KXYV5HVVQ==", "license": "MIT", "dependencies": { - "confbox": "^0.2.2", - "exsolve": "^1.0.7", - "pathe": "^2.0.3" + "confbox": "^0.1.8", + "mlly": "^1.7.4", + "pathe": "^2.0.1" } }, "node_modules/pkijs": { @@ -18584,10 +18535,13 @@ } }, "node_modules/proxy-from-env": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", - "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==", - "license": "MIT" + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz", + "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==", + "license": "MIT", + "engines": { + "node": ">=10" + } }, "node_modules/pseudomap": { "version": "1.0.2", 
@@ -18652,22 +18606,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/quansync": { - "version": "0.2.10", - "resolved": "https://registry.npmjs.org/quansync/-/quansync-0.2.10.tgz", - "integrity": "sha512-t41VRkMYbkHyCYmOvx/6URnN80H7k4X0lLdBMGsz+maAwrJQYB1djpV6vHrQIBE0WBSGqhtEHrK9U3DWWH8v7A==", - "funding": [ - { - "type": "individual", - "url": "https://github.com/sponsors/antfu" - }, - { - "type": "individual", - "url": "https://github.com/sponsors/sxzz" - } - ], - "license": "MIT" - }, "node_modules/queue-microtask": { "version": "1.2.3", "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", @@ -19520,9 +19458,9 @@ } }, "node_modules/robust-predicates": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.2.tgz", - "integrity": "sha512-IXgzBWvWQwE6PrDI05OvmXUIruQTcoMDzRsOd5CDvHCVLcLHMTSYvOK5Cm46kWqlV3yAbuSpBZdJ5oP5OUoStg==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.3.tgz", + "integrity": "sha512-NS3levdsRIUOmiJ8FZWCP7LG3QpJyrs/TE0Zpf1yvZu8cAJJ6QMW92H1c7kWpdIHo8RvmLxN/o2JXTKHp74lUA==", "license": "Unlicense" }, "node_modules/roughjs": { @@ -19653,9 +19591,9 @@ "license": "Apache-2.0" }, "node_modules/schema-utils": { - "version": "4.3.2", - "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.2.tgz", - "integrity": "sha512-Gn/JaSk/Mt9gYubxTtSn/QCV4em9mpAPiR1rqy/Ocu19u/G9J5WWdNoUT4SiV6mFC3y6cxyFcFwdzPM3FgxGAQ==", + "version": "4.3.3", + "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.3.tgz", + "integrity": "sha512-eflK8wEtyOE6+hsaRVPxvUKYCpRgzLqDTb8krvAsRIwOGlHoSgYLgBXoubGgLd2fT41/OUYdb48v4k4WWHQurA==", "license": "MIT", "dependencies": { "@types/json-schema": "^7.0.9", 
@@ -20574,35 +20512,18 @@ } }, "node_modules/socket.io-parser": { - "version": "4.2.4", - "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.4.tgz", - "integrity": "sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==", + "version": "4.2.6", + "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.6.tgz", + "integrity": "sha512-asJqbVBDsBCJx0pTqw3WfesSY0iRX+2xzWEWzrpcH7L6fLzrhyF8WPI8UaeM4YCuDfpwA/cgsdugMsmtz8EJeg==", "license": "MIT", "dependencies": { "@socket.io/component-emitter": "~3.1.0", - "debug": "~4.3.1" + "debug": "~4.4.1" }, "engines": { "node": ">=10.0.0" } }, - "node_modules/socket.io-parser/node_modules/debug": { - "version": "4.3.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", - "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", - "license": "MIT", - "dependencies": { - "ms": "^2.1.3" - }, - "engines": { - "node": ">=6.0" - }, - "peerDependenciesMeta": { - "supports-color": { - "optional": true - } - } - }, "node_modules/socket.io/node_modules/debug": { "version": "4.3.7", "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", @@ -21217,15 +21138,14 @@ } }, "node_modules/terser-webpack-plugin": { - "version": "5.3.14", - "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.14.tgz", - "integrity": "sha512-vkZjpUjb6OMS7dhV+tILUW6BhpDR7P2L/aQSAv+Uwk+m8KATX9EccViHTJR2qDtACKPIYndLGCyl3FMo+r2LMw==", + "version": "5.4.0", + "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.4.0.tgz", + "integrity": "sha512-Bn5vxm48flOIfkdl5CaD2+1CiUVbonWQ3KQPyP7/EuIl9Gbzq/gQFOzaMFUEgVjB1396tcK0SG8XcNJ/2kDH8g==", "license": "MIT", "dependencies": { "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", "schema-utils": "^4.3.0", - "serialize-javascript": "^6.0.2", "terser": "^5.31.1" }, "engines": { 
@@ -21320,10 +21240,13 @@ "license": "MIT" }, "node_modules/tinyexec": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.1.tgz", - "integrity": "sha512-5uC6DDlmeqiOwCPmK9jMSdOuZTh8bU39Ys6yidB+UTt5hfZUPGAypSgFRiEp+jbi9qH40BLDvy85jIU88wKSqw==", - "license": "MIT" + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.1.1.tgz", + "integrity": "sha512-VKS/ZaQhhkKFMANmAOhhXVoIfBXblQxGX1myCQ2faQrfmobMftXeJPcZGp0gS07ocvGJWDLZGyOZDadDBqYIJg==", + "license": "MIT", + "engines": { + "node": ">=18" + } }, "node_modules/tinypool": { "version": "1.1.1", @@ -21497,9 +21420,9 @@ } }, "node_modules/ufo": { - "version": "1.6.1", - "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.6.1.tgz", - "integrity": "sha512-9a4/uxlTWJ4+a5i0ooc1rU7C7YOw3wT+UGqdeNNHWnOF9qcMBgLRS+4IYUqbczewFx4mLEig6gawh7X6mFlEkA==", + "version": "1.6.3", + "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.6.3.tgz", + "integrity": "sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q==", "license": "MIT" }, "node_modules/undici-types": { @@ -22163,9 +22086,9 @@ "license": "MIT" }, "node_modules/vscode-uri": { - "version": "3.0.8", - "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.0.8.tgz", - "integrity": "sha512-AyFQ0EVmsOZOlAnxoFOGOq1SQDWAB7C6aqMGS23svWAllfOaxbuFvcT8D1i8z3Gyn8fraVeZNNmN6e9bxxXkKw==", + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz", + "integrity": "sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==", "license": "MIT" }, "node_modules/watchman": { 
@@ -22177,9 +22100,9 @@ "license": "ISC" }, "node_modules/watchpack": { - "version": "2.4.4", - "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.4.4.tgz", - "integrity": "sha512-c5EGNOiyxxV5qmTtAB7rbiXxi1ooX1pQKMLX/MIabJjRA0SJBQOjKF+KSVfHkr9U1cADPon0mRiVe/riyaiDUA==", + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.5.1.tgz", + "integrity": "sha512-Zn5uXdcFNIA1+1Ei5McRd+iRzfhENPCe7LeABkJtNulSxjma+l7ltNx55BWZkRlwRnpOgHqxnjyaDgJnNXnqzg==", "license": "MIT", "dependencies": { "glob-to-regexp": "^0.4.1", @@ -22209,9 +22132,9 @@ } }, "node_modules/webpack": { - "version": "5.100.2", - "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.100.2.tgz", - "integrity": "sha512-QaNKAvGCDRh3wW1dsDjeMdDXwZm2vqq3zn6Pvq4rHOEOGSaUMgOOjG2Y9ZbIGzpfkJk9ZYTHpDqgDfeBDcnLaw==", + "version": "5.106.2", + "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.106.2.tgz", + "integrity": "sha512-wGN3qcrBQIFmQ/c0AiOAQBvrZ5lmY8vbbMv4Mxfgzqd/B6+9pXtLo73WuS1dSGXM5QYY3hZnIbvx+K1xxe6FyA==", "license": "MIT", "dependencies": { "@types/eslint-scope": "^3.7.7", 
@@ -22220,25 +22143,24 @@ "@webassemblyjs/ast": "^1.14.1", "@webassemblyjs/wasm-edit": "^1.14.1", "@webassemblyjs/wasm-parser": "^1.14.1", - "acorn": "^8.15.0", + "acorn": "^8.16.0", "acorn-import-phases": "^1.0.3", - "browserslist": "^4.24.0", + "browserslist": "^4.28.1", "chrome-trace-event": "^1.0.2", - "enhanced-resolve": "^5.17.2", - "es-module-lexer": "^1.2.1", + "enhanced-resolve": "^5.20.0", + "es-module-lexer": "^2.0.0", "eslint-scope": "5.1.1", "events": "^3.2.0", "glob-to-regexp": "^0.4.1", "graceful-fs": "^4.2.11", - "json-parse-even-better-errors": "^2.3.1", - "loader-runner": "^4.2.0", - "mime-types": "^2.1.27", + "loader-runner": "^4.3.1", + "mime-db": "^1.54.0", "neo-async": "^2.6.2", - "schema-utils": "^4.3.2", - "tapable": "^2.1.1", - "terser-webpack-plugin": "^5.3.11", - "watchpack": "^2.4.1", - "webpack-sources": "^3.3.3" + "schema-utils": "^4.3.3", + "tapable": "^2.3.0", + "terser-webpack-plugin": "^5.3.17", + "watchpack": "^2.5.1", + "webpack-sources": "^3.3.4" }, "bin": { "webpack": "bin/webpack.js" 
@@ -22498,27 +22420,49 @@ } }, "node_modules/webpack-sources": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.3.3.tgz", - "integrity": "sha512-yd1RBzSGanHkitROoPFd6qsrxt+oFhg/129YzheDGqeustzX0vTZJZsSsQjVQC4yzBQ56K55XU8gaNCtIzOnTg==", + "version": "3.3.4", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.3.4.tgz", + "integrity": "sha512-7tP1PdV4vF+lYPnkMR0jMY5/la2ub5Fc/8VQrrU+lXkiM6C4TjVfGw7iKfyhnTQOsD+6Q/iKw0eFciziRgD58Q==", "license": "MIT", "engines": { "node": ">=10.13.0" } }, "node_modules/webpack/node_modules/enhanced-resolve": { - "version": "5.18.2", - "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.2.tgz", - "integrity": "sha512-6Jw4sE1maoRJo3q8MsSIn2onJFbLTOjY9hlx4DZXmOKvLRd1Ok2kXmAGXaafL2+ijsJZ1ClYbl/pmqr9+k4iUQ==", + "version": "5.20.1", + "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz", + "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==", "license": "MIT", "dependencies": { "graceful-fs": "^4.2.4", - "tapable": "^2.2.0" + "tapable": "^2.3.0" }, "engines": { "node": ">=10.13.0" } }, + "node_modules/webpack/node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/webpack/node_modules/tapable": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz", + "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==", + "license": "MIT", + "engines": { + "node": ">=6" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/webpack" + } + }, "node_modules/webpackbar": { "version": 
"6.0.1", "resolved": "https://registry.npmjs.org/webpackbar/-/webpackbar-6.0.1.tgz", diff --git a/package.json b/package.json index 1dcba55e0f..071a6885dc 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,7 @@ "@docusaurus/babel": "^3.10.0", "@docusaurus/core": "^3.10.0", "@docusaurus/faster": "^3.10.0", - "@docusaurus/plugin-client-redirects": "3.10.0", + "@docusaurus/plugin-client-redirects": "^3.10.0", "@docusaurus/plugin-google-gtag": "^3.10.0", "@docusaurus/plugin-google-tag-manager": "^3.10.0", "@docusaurus/plugin-rsdoctor": "^3.10.0", diff --git a/sidebars/identitymanager/6.3.js b/sidebars/identitymanager/6.3.js new file mode 100644 index 0000000000..f4e8941a40 --- /dev/null +++ b/sidebars/identitymanager/6.3.js @@ -0,0 +1,8 @@ +module.exports = { + sidebar: [ + { + type: 'autogenerated', + dirName: '.', + }, + ], +}; diff --git a/src/config/products.js b/src/config/products.js index e9c9e901a9..6878601eae 100644 --- a/src/config/products.js +++ b/src/config/products.js @@ -282,6 +282,20 @@ export const PRODUCTS = [ categories: ['Identity Management'], icon: '', versions: [ + { + version: 'current', + label: 'Current', + isLatest: true, + sidebarFile: './sidebars/identitymanager/current.js', + customRoutePath: 'docs/identitymanager/current', + customDocPath: 'docs/identitymanager/current', + }, + { + version: '6.3', + label: '6.3', + isLatest: false, + sidebarFile: './sidebars/identitymanager/6.3.js', + }, { version: '6.2', label: '6.2', @@ -294,14 +308,6 @@ export const PRODUCTS = [ isLatest: false, sidebarFile: './sidebars/identitymanager/6.1.js', }, - { - version: 'current', - label: '6.3', - isLatest: true, - sidebarFile: './sidebars/identitymanager/current.js', - customRoutePath: 'docs/identitymanager/current', - customDocPath: 'docs/identitymanager/current', - }, ], defaultVersion: 'current', }, 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp b/static/images/identitymanager/118_givenbyarole_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp rename to static/images/identitymanager/118_givenbyarole_v603.webp diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp b/static/images/identitymanager/16_approved_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp rename to static/images/identitymanager/16_approved_v603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp b/static/images/identitymanager/17_declined_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp rename to static/images/identitymanager/17_declined_v603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp b/static/images/identitymanager/18_calculated_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp rename to static/images/identitymanager/18_calculated_v603.webp 
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp b/static/images/identitymanager/1_nonconforming_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp rename to static/images/identitymanager/1_nonconforming_v603.webp diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp b/static/images/identitymanager/20_cancellation_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp rename to static/images/identitymanager/20_cancellation_v603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp b/static/images/identitymanager/21_suggested_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp rename to static/images/identitymanager/21_suggested_v603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp b/static/images/identitymanager/24_approvedquestioned_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp rename to static/images/identitymanager/24_approvedquestioned_v603.webp 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp b/static/images/identitymanager/25_pendingapprovalrisk_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp rename to static/images/identitymanager/25_pendingapprovalrisk_v603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp b/static/images/identitymanager/27_prolonged_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp rename to static/images/identitymanager/27_prolonged_v603.webp diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp b/static/images/identitymanager/3_preexisting_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp rename to static/images/identitymanager/3_preexisting_v603.webp diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp b/static/images/identitymanager/4_requested_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp rename to static/images/identitymanager/4_requested_v603.webp 
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp b/static/images/identitymanager/5_calculatedmissingparameters_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp rename to static/images/identitymanager/5_calculatedmissingparameters_v603.webp diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp b/static/images/identitymanager/8_pendingapproval_v603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp rename to static/images/identitymanager/8_pendingapproval_v603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/AccessControl_Profiles_V603.webp b/static/images/identitymanager/AccessControl_Profiles_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/AccessControl_Profiles_V603.webp rename to static/images/identitymanager/AccessControl_Profiles_V603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/AppDisplaySetting_tab_V603.webp b/static/images/identitymanager/AppDisplaySetting_tab_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/AppDisplaySetting_tab_V603.webp rename to static/images/identitymanager/AppDisplaySetting_tab_V603.webp 
diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_checkbox_V603.webp b/static/images/identitymanager/ControlInputType_checkbox_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_checkbox_V603.webp rename to static/images/identitymanager/ControlInputType_checkbox_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_comboboxMultiselection_V603.webp b/static/images/identitymanager/ControlInputType_comboboxMultiselection_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_comboboxMultiselection_V603.webp rename to static/images/identitymanager/ControlInputType_comboboxMultiselection_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_combobox_V603.webp b/static/images/identitymanager/ControlInputType_combobox_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_combobox_V603.webp rename to static/images/identitymanager/ControlInputType_combobox_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_date_V603.webp b/static/images/identitymanager/ControlInputType_date_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_date_V603.webp rename to static/images/identitymanager/ControlInputType_date_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_image_V603.webp b/static/images/identitymanager/ControlInputType_image_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_image_V603.webp rename to static/images/identitymanager/ControlInputType_image_V603.webp 
diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_picker_V603.webp b/static/images/identitymanager/ControlInputType_picker_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_picker_V603.webp rename to static/images/identitymanager/ControlInputType_picker_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_textArea_V603.webp b/static/images/identitymanager/ControlInputType_textArea_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_textArea_V603.webp rename to static/images/identitymanager/ControlInputType_textArea_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlInputType_text_V603.webp b/static/images/identitymanager/ControlInputType_text_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlInputType_text_V603.webp rename to static/images/identitymanager/ControlInputType_text_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_basicCollection_V603.webp b/static/images/identitymanager/ControlOutputType_basicCollection_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_basicCollection_V603.webp rename to static/images/identitymanager/ControlOutputType_basicCollection_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_date_V603.webp b/static/images/identitymanager/ControlOutputType_date_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_date_V603.webp rename to static/images/identitymanager/ControlOutputType_date_V603.webp 
diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_image_V603.webp b/static/images/identitymanager/ControlOutputType_image_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_image_V603.webp rename to static/images/identitymanager/ControlOutputType_image_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_layoutContainer_V603.webp b/static/images/identitymanager/ControlOutputType_layoutContainer_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_layoutContainer_V603.webp rename to static/images/identitymanager/ControlOutputType_layoutContainer_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_layoutFieldset_V603.webp b/static/images/identitymanager/ControlOutputType_layoutFieldset_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_layoutFieldset_V603.webp rename to static/images/identitymanager/ControlOutputType_layoutFieldset_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_layoutRowset_V603.webp b/static/images/identitymanager/ControlOutputType_layoutRowset_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_layoutRowset_V603.webp rename to static/images/identitymanager/ControlOutputType_layoutRowset_V603.webp diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_textArea_V603.webp b/static/images/identitymanager/ControlOutputType_textArea_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_textArea_V603.webp rename to static/images/identitymanager/ControlOutputType_textArea_V603.webp 
diff --git a/static/images/identitymanager/integration-guide/database/ControlOutputType_text_V603.webp b/static/images/identitymanager/ControlOutputType_text_V603.webp similarity index 100% rename from static/images/identitymanager/integration-guide/database/ControlOutputType_text_V603.webp rename to static/images/identitymanager/ControlOutputType_text_V603.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state0_V602.webp b/static/images/identitymanager/DiscardManualAssignments_state0_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state0_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_state0_V602.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state1_V602.webp b/static/images/identitymanager/DiscardManualAssignments_state1_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state1_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_state1_V602.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state2_V602.webp b/static/images/identitymanager/DiscardManualAssignments_state2_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state2_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_state2_V602.webp 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state3_V602.webp b/static/images/identitymanager/DiscardManualAssignments_state3_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state3_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_state3_V602.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state4_V602.webp b/static/images/identitymanager/DiscardManualAssignments_state4_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_state4_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_state4_V602.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_step1_V602.webp b/static/images/identitymanager/DiscardManualAssignments_step1_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_step1_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_step1_V602.webp diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_step2_V602.webp b/static/images/identitymanager/DiscardManualAssignments_step2_V602.webp similarity index 100% rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypes/DiscardManualAssignments_step2_V602.webp rename to static/images/identitymanager/DiscardManualAssignments_step2_V602.webp 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/DisplayTableDesignElement_table_V602.webp b/static/images/identitymanager/DisplayTableDesignElement_table_V602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/DisplayTableDesignElement_table_V602.webp
rename to static/images/identitymanager/DisplayTableDesignElement_table_V602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/Form_hideRoles_V603.webp b/static/images/identitymanager/Form_hideRoles_V603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/Form_hideRoles_V603.webp
rename to static/images/identitymanager/Form_hideRoles_V603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/Form_requestTypeHelpdesk_V603.webp b/static/images/identitymanager/Form_requestTypeHelpdesk_V603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/Form_requestTypeHelpdesk_V603.webp
rename to static/images/identitymanager/Form_requestTypeHelpdesk_V603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypemappings/ServiceNow_example.webp b/static/images/identitymanager/ServiceNow_example.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/resourcetypemappings/ServiceNow_example.webp
rename to static/images/identitymanager/ServiceNow_example.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedCompositeRoles.webp b/static/images/identitymanager/Universe_OwnedCompositeRoles.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedCompositeRoles.webp
rename to static/images/identitymanager/Universe_OwnedCompositeRoles.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedCompositeRolesSchema.webp b/static/images/identitymanager/Universe_OwnedCompositeRolesSchema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedCompositeRolesSchema.webp
rename to static/images/identitymanager/Universe_OwnedCompositeRolesSchema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedResourceTypes.webp b/static/images/identitymanager/Universe_OwnedResourceTypes.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedResourceTypes.webp
rename to static/images/identitymanager/Universe_OwnedResourceTypes.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedResourceTypesSchema.webp b/static/images/identitymanager/Universe_OwnedResourceTypesSchema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedResourceTypesSchema.webp
rename to static/images/identitymanager/Universe_OwnedResourceTypesSchema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedSingleRoles.webp b/static/images/identitymanager/Universe_OwnedSingleRoles.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedSingleRoles.webp
rename to static/images/identitymanager/Universe_OwnedSingleRoles.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedSingleRolesSchema.webp b/static/images/identitymanager/Universe_OwnedSingleRolesSchema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_OwnedSingleRolesSchema.webp
rename to static/images/identitymanager/Universe_OwnedSingleRolesSchema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_ResourceResourceTypes.webp b/static/images/identitymanager/Universe_ResourceResourceTypes.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_ResourceResourceTypes.webp
rename to static/images/identitymanager/Universe_ResourceResourceTypes.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_ResourceResourceTypesSchema.webp b/static/images/identitymanager/Universe_ResourceResourceTypesSchema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_ResourceResourceTypesSchema.webp
rename to static/images/identitymanager/Universe_ResourceResourceTypesSchema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_noTemplate.webp b/static/images/identitymanager/Universe_noTemplate.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_noTemplate.webp
rename to static/images/identitymanager/Universe_noTemplate.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_rootInstance.webp b/static/images/identitymanager/Universe_rootInstance.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_rootInstance.webp
rename to static/images/identitymanager/Universe_rootInstance.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalDuplication.webp b/static/images/identitymanager/Universe_severalDuplication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalDuplication.webp
rename to static/images/identitymanager/Universe_severalDuplication.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalDuplicationSchema.webp b/static/images/identitymanager/Universe_severalDuplicationSchema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalDuplicationSchema.webp
rename to static/images/identitymanager/Universe_severalDuplicationSchema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalNoDuplication.webp b/static/images/identitymanager/Universe_severalNoDuplication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalNoDuplication.webp
rename to static/images/identitymanager/Universe_severalNoDuplication.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalNoDuplicationSchema.webp b/static/images/identitymanager/Universe_severalNoDuplicationSchema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/scaffoldings/Universe_severalNoDuplicationSchema.webp
rename to static/images/identitymanager/Universe_severalNoDuplicationSchema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp b/static/images/identitymanager/accesscertificationonlyapprovedeny-disabled.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp
rename to static/images/identitymanager/accesscertificationonlyapprovedeny-disabled.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny.webp b/static/images/identitymanager/accesscertificationonlyapprovedeny.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny.webp
rename to static/images/identitymanager/accesscertificationonlyapprovedeny.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedenysettings.webp b/static/images/identitymanager/accesscertificationonlyapprovedenysettings.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedenysettings.webp
rename to static/images/identitymanager/accesscertificationonlyapprovedenysettings.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp b/static/images/identitymanager/accesscontrol_manageaccounts_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp
rename to static/images/identitymanager/accesscontrol_manageaccounts_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp b/static/images/identitymanager/accesscontrolfilter_schema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp
rename to static/images/identitymanager/accesscontrolfilter_schema.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp b/static/images/identitymanager/activity_actionwithrefine_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp
rename to static/images/identitymanager/activity_actionwithrefine_v602.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp b/static/images/identitymanager/activity_reviewwithfeedback_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp
rename to static/images/identitymanager/activity_reviewwithfeedback_v602.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp b/static/images/identitymanager/activitytemplates_action.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp
rename to static/images/identitymanager/activitytemplates_action.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp b/static/images/identitymanager/activitytemplates_actionwithrefine.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp
rename to static/images/identitymanager/activitytemplates_actionwithrefine.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp b/static/images/identitymanager/activitytemplates_example.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp
rename to static/images/identitymanager/activitytemplates_example.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp b/static/images/identitymanager/activitytemplates_review.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp
rename to static/images/identitymanager/activitytemplates_review.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp b/static/images/identitymanager/activitytemplates_reviewwithfeedback.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp
rename to static/images/identitymanager/activitytemplates_reviewwithfeedback.webp
diff --git a/static/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp b/static/images/identitymanager/ad_export_example.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp
rename to static/images/identitymanager/ad_export_example.webp
diff --git a/static/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp b/static/images/identitymanager/ad_preparesynchro_example.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp
rename to static/images/identitymanager/ad_preparesynchro_example.webp
diff --git a/static/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp b/static/images/identitymanager/ad_synchro_example.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp
rename to static/images/identitymanager/ad_synchro_example.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp b/static/images/identitymanager/adassignednavigations_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp
rename to static/images/identitymanager/adassignednavigations_5.2.1.webp
diff --git a/static/images/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp b/static/images/identitymanager/agent-server-communication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp
rename to static/images/identitymanager/agent-server-communication.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp b/static/images/identitymanager/allowapprovingdenyingaccesscertificationitems.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp
rename to static/images/identitymanager/allowapprovingdenyingaccesscertificationitems.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp b/static/images/identitymanager/allworkflowinresourceview.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp
rename to static/images/identitymanager/allworkflowinresourceview.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp b/static/images/identitymanager/appdisplaysetting_counters_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp
rename to static/images/identitymanager/appdisplaysetting_counters_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp b/static/images/identitymanager/appdisplaysetting_nocounters_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp
rename to static/images/identitymanager/appdisplaysetting_nocounters_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp b/static/images/identitymanager/appdisplaysetting_screen1_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp
rename to static/images/identitymanager/appdisplaysetting_screen1_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen2_v603.webp b/static/images/identitymanager/appdisplaysetting_screen2_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen2_v603.webp
rename to static/images/identitymanager/appdisplaysetting_screen2_v603.webp
diff --git a/static/images/identitymanager/integration-guide/architecture/architecture.webp b/static/images/identitymanager/architecture.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/architecture/architecture.webp
rename to static/images/identitymanager/architecture.webp
diff --git a/static/images/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp b/static/images/identitymanager/architecture_onprem.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp
rename to static/images/identitymanager/architecture_onprem.webp
diff --git a/static/images/identitymanager/integration-guide/architecture/saas/architecture_saas.webp b/static/images/identitymanager/architecture_saas.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/architecture/saas/architecture_saas.webp
rename to static/images/identitymanager/architecture_saas.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp b/static/images/identitymanager/aspects_unicitycheck.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp
rename to static/images/identitymanager/aspects_unicitycheck.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp b/static/images/identitymanager/assignedprofile_example_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp
rename to static/images/identitymanager/assignedprofile_example_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/assigned-roles/assignedroles.webp b/static/images/identitymanager/assignedroles.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/assigned-roles/assignedroles.webp
rename to static/images/identitymanager/assignedroles.webp
diff --git a/static/images/identitymanager/user-guide/administrate/assigned-roles/assignedrolesscreen.webp b/static/images/identitymanager/assignedrolesscreen.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/assigned-roles/assignedrolesscreen.webp
rename to static/images/identitymanager/assignedrolesscreen.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp b/static/images/identitymanager/assignmentrules_newsrolerule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp
rename to static/images/identitymanager/assignmentrules_newsrolerule_v602.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp b/static/images/identitymanager/authent_1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp
rename to static/images/identitymanager/authent_1.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp b/static/images/identitymanager/authent_2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp
rename to static/images/identitymanager/authent_2.webp
diff --git a/static/images/identitymanager/installation-guide/quick-start/authentication_v601.webp b/static/images/identitymanager/authentication_v601.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/quick-start/authentication_v601.webp
rename to static/images/identitymanager/authentication_v601.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp b/static/images/identitymanager/autocomplete.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp
rename to static/images/identitymanager/autocomplete.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp b/static/images/identitymanager/automation_dataquality_ex.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp
rename to static/images/identitymanager/automation_dataquality_ex.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp b/static/images/identitymanager/automation_dataquality_ex2.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp
rename to static/images/identitymanager/automation_dataquality_ex2.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp b/static/images/identitymanager/automation_dataquality_ex3.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp
rename to static/images/identitymanager/automation_dataquality_ex3.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp b/static/images/identitymanager/automation_dataquality_ex4.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp
rename to static/images/identitymanager/automation_dataquality_ex4.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp b/static/images/identitymanager/automation_optimalcost.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp
rename to static/images/identitymanager/automation_optimalcost.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp b/static/images/identitymanager/automation_optimalcost_automationbenefits.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp
rename to static/images/identitymanager/automation_optimalcost_automationbenefits.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp b/static/images/identitymanager/automation_optimalcost_automationlimits.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp
rename to static/images/identitymanager/automation_optimalcost_automationlimits.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp b/static/images/identitymanager/automation_optimalcost_data.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp
rename to static/images/identitymanager/automation_optimalcost_data.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp b/static/images/identitymanager/automation_optimalcost_manual.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp
rename to static/images/identitymanager/automation_optimalcost_manual.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp b/static/images/identitymanager/automation_optimalcost_rolemining.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp
rename to static/images/identitymanager/automation_optimalcost_rolemining.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp b/static/images/identitymanager/automation_schema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp
rename to static/images/identitymanager/automation_schema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexample.webp b/static/images/identitymanager/bi_universeexample.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexample.webp
rename to static/images/identitymanager/bi_universeexample.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp b/static/images/identitymanager/bi_universeexampledisplaynames.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp
rename to static/images/identitymanager/bi_universeexampledisplaynames.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp b/static/images/identitymanager/bitprov_property_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp
rename to static/images/identitymanager/bitprov_property_v603.webp
diff --git a/static/images/identitymanager/installation-guide/production-ready/server/bulk.webp b/static/images/identitymanager/bulk.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/production-ready/server/bulk.webp
rename to static/images/identitymanager/bulk.webp
diff --git a/static/images/identitymanager/buttons/Home_settings_V523.webp b/static/images/identitymanager/buttons/Home_settings_V523.webp deleted file mode 100644 index e6fb3c843e7511c97ab875d1095ebad44a6ac363..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1292 zcmV+n1@rn+Nk&El1pok7MM6+kP&gp?1ONbV9RQsHDr5j;06tMBk47V+At55FsBj7i zX#m$dU*dp2P%3BG@Ah7Ok0X0qpdZdZ#dyp91F74{$M+qON&x&v`H%UZ>Yvs>;d2@E z+x$nVU*;d_xWT9a{CoQU`>(hUji2_sn*LS(1OBi0?|?t$ztVrve{cQi{{izs>yP#? z*o*csijtK8W|Zy8;$~c$s&y~a>QVdkBNT6Ah%^vdL98RbJ!hG1<0|G>t-1z&)Z1VC zGe+gJtCWmVP=zNd4{hls15}8ED zH;p~^|Es^A0KzPc-32Mz0!9`=paRXGhyUaE2I#8A;2Efa+1XtTi(0gvN+LwI5x#iA z!C_X4{nIs>MvFb}75mr?H zs%a=p<1^?+_XD~@J1Q%L_KJDz~^EHmX{5jap#!AfunaK^?KUP#j>bw6x@XTY9xWMJ+ z3N;dGj^#?KxYnKlluGLSmvsa3zNhaVu-aadYC9jRpHqJgxTnSgPwFGrOoYB=-!2!p$}4ah%S$IEF!pfPVmeR8uB$1*%U)Ci^UeGkpXw^5 z0MnHN2r5f*VRR#ik6q47uwlBt+C^+4$TzL`LE3vHKzBj+{k!1%RFl}h^cYem*SF1X z-5uel0JZb23mLC`9Un&UbW%1dtAJbmiGhB9l$qO|2@C`wRs|{FlBi@QzBFTJb>N! z&atkaXaDio@JRU;@+1H$c!M4KWpQ}2|De)B|1)aV>d%D;cPIPH?3*I&UH|B~UygZCA=2@5 zb#-@|jR2Q^#_jLmnLzxIr9FgH-(HG$%C9vW?NMQeX69+&<3f_s7Lfq^q#;Urrw)hw;uza-v8!)-FyT7;Pn7- z0CrXVlc1NhKE`@6RUiA8kzcO=Ui_rw2h*pLZ|U2?9Ao&W^*`qyx*k;jqkb@X6aN+J zSNT`>@8{fr-Mj1o{A>AV`%mz{lpjYwwg0C6)#kJ0&-Gv8zZ8DJzmESd{~`U``=9<# z@PGgQqP=SVkb4yVsr~;!Wdq&EK*AF;Mg z7?_92)-1|@tkJ^H(qmaMmC)Mn5DgyYWu3qU;D$; zS5oIouEEpocaN*-Y}d_cB0I`vEM#_vwRSkIRITzy>js2VGB?gX4#Nt2rursfU$2vK zHW^J<&9VRLj^H(jp^ z^QC~z@B^p%=smXwNhz7GC)ew)qwJ6ID;LBGl+ar_?pCxH(MgOiq%Wd`UA|jK_rIz4 zsRMj%QBMB(XHDXlvr%+FJ|$V7Ypj4kumT@GY4EBLtt}Pob@I^n!cs!Y>o^5pQ57uO z+a|}=5y%Togc;9`56hwu<{*mRJ1m?=oh!wtvEN)~a zDZk(G-Y_nDQe0gDLD2_q?8jLa52`-ziBh(SC`ye*oPxXWT9-I|)!upY3`bI4T8xPB zv#Qkw9|FR3&_Jl(fNBTg`t?DVMqCj@KPs@u?+cM$6>Y}r{CqM-fUNO6?64^)@9~Lq zl=8?c=hOUA z$R?4krvp+lfjMJz|WYhzwc!Wq4a6G{hhf=ypYP0Qqw g5|dcX^=od2%E}E$E_XEcX&w7YJM;hm000000Hno~*Z=?k 
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp b/static/images/identitymanager/categorization_categschema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp
rename to static/images/identitymanager/categorization_categschema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp b/static/images/identitymanager/categorization_classifschema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp
rename to static/images/identitymanager/categorization_classifschema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp b/static/images/identitymanager/categorization_correlschema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp
rename to static/images/identitymanager/categorization_correlschema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp b/static/images/identitymanager/categorization_exampleadminad.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp
rename to static/images/identitymanager/categorization_exampleadminad.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp b/static/images/identitymanager/categorization_exampleadminuser.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp
rename to static/images/identitymanager/categorization_exampleadminuser.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp b/static/images/identitymanager/categorization_examplebasicad.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp
rename to static/images/identitymanager/categorization_examplebasicad.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp b/static/images/identitymanager/categorization_examplebasicuser.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp
rename to static/images/identitymanager/categorization_examplebasicuser.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp b/static/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp
rename to static/images/identitymanager/categorization_reviewsprovisioningreview_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp b/static/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp
rename to static/images/identitymanager/categorization_reviewsresourcereconciliation_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp b/static/images/identitymanager/categorycreation_test_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp
rename to static/images/identitymanager/categorycreation_test_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp b/static/images/identitymanager/certifcampaign_accesscertification_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp
rename to static/images/identitymanager/certifcampaign_accesscertification_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp b/static/images/identitymanager/certifcampaign_applydecisions_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp
rename to static/images/identitymanager/certifcampaign_applydecisions_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp b/static/images/identitymanager/certifcampaign_campaigns_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp
rename to static/images/identitymanager/certifcampaign_campaigns_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp b/static/images/identitymanager/certifcampaign_decisions_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp
rename to static/images/identitymanager/certifcampaign_decisions_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp b/static/images/identitymanager/certifcampaign_example_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp
rename to static/images/identitymanager/certifcampaign_example_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg b/static/images/identitymanager/certifcampaign_iconapproval_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg
rename to static/images/identitymanager/certifcampaign_iconapproval_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg b/static/images/identitymanager/certifcampaign_iconcomment_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg
rename to static/images/identitymanager/certifcampaign_iconcomment_v522.svg
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg b/static/images/identitymanager/certifcampaign_icondecline_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg
rename to static/images/identitymanager/certifcampaign_icondecline_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg b/static/images/identitymanager/certifcampaign_icondiscouragement_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg
rename to static/images/identitymanager/certifcampaign_icondiscouragement_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg b/static/images/identitymanager/certifcampaign_iconforward_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg
rename to static/images/identitymanager/certifcampaign_iconforward_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg b/static/images/identitymanager/certifcampaign_iconrecommendation_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg
rename to static/images/identitymanager/certifcampaign_iconrecommendation_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp b/static/images/identitymanager/certifcampaign_job_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp
rename to static/images/identitymanager/certifcampaign_job_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp b/static/images/identitymanager/certifcampaign_newcertificationcampaign_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp
rename to static/images/identitymanager/certifcampaign_newcertificationcampaign_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp b/static/images/identitymanager/certifcampaign_newlycreated_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp
rename to static/images/identitymanager/certifcampaign_newlycreated_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp b/static/images/identitymanager/certifcampaign_targetowners_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp
rename to static/images/identitymanager/certifcampaign_targetowners_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp b/static/images/identitymanager/certifcampaign_targetownersadditional_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp
rename to static/images/identitymanager/certifcampaign_targetownersadditional_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp b/static/images/identitymanager/certifcampaign_targetspecificities_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp
rename to static/images/identitymanager/certifcampaign_targetspecificities_v602.webp
diff --git a/static/images/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp b/static/images/identitymanager/changemanagement_actors.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp
rename to static/images/identitymanager/changemanagement_actors.webp
diff --git a/static/images/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp b/static/images/identitymanager/changemanagement_populations.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp
rename to static/images/identitymanager/changemanagement_populations.webp
diff --git a/static/images/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp b/static/images/identitymanager/changemanagement_process.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp
rename to static/images/identitymanager/changemanagement_process.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp b/static/images/identitymanager/classification_example_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp
rename to static/images/identitymanager/classification_example_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp b/static/images/identitymanager/classification_test_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp
rename to static/images/identitymanager/classification_test_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp b/static/images/identitymanager/classification_unclassified_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp
rename to static/images/identitymanager/classification_unclassified_v600.webp
diff --git a/static/images/identitymanager/installation-guide/overview/components_data_flow.webp b/static/images/identitymanager/components_data_flow.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/overview/components_data_flow.webp
rename to static/images/identitymanager/components_data_flow.webp
diff --git a/static/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp b/static/images/identitymanager/compositeroles_applicativeroles.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp
rename to static/images/identitymanager/compositeroles_applicativeroles.webp
diff --git a/static/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp b/static/images/identitymanager/compositeroles_schema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp
rename to static/images/identitymanager/compositeroles_schema.webp
diff --git a/static/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp b/static/images/identitymanager/compositeroles_testroles_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp
rename to static/images/identitymanager/compositeroles_testroles_v602.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp b/static/images/identitymanager/compute-expected-1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp
rename to static/images/identitymanager/compute-expected-1.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp b/static/images/identitymanager/compute-expected-2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp
rename to static/images/identitymanager/compute-expected-2.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp b/static/images/identitymanager/compute-find-matching.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp
rename to static/images/identitymanager/compute-find-matching.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/configurationcycle.webp b/static/images/identitymanager/configurationcycle.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/configurationcycle.webp
rename to static/images/identitymanager/configurationcycle.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp b/static/images/identitymanager/connection_newconnection_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp
rename to static/images/identitymanager/connection_newconnection_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp b/static/images/identitymanager/connection_notrecovered_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp
rename to static/images/identitymanager/connection_notrecovered_v523.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp b/static/images/identitymanager/connection_upload_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp
rename to static/images/identitymanager/connection_upload_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp b/static/images/identitymanager/connectioncreation_checkconnection_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp
rename to static/images/identitymanager/connectioncreation_checkconnection_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp b/static/images/identitymanager/connectioncreation_connectioncreation_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp
rename to static/images/identitymanager/connectioncreation_connectioncreation_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp b/static/images/identitymanager/connectioncreation_failedindicator_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp
rename to static/images/identitymanager/connectioncreation_failedindicator_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp b/static/images/identitymanager/connectioncreation_noschema_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp
rename to static/images/identitymanager/connectioncreation_noschema_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp b/static/images/identitymanager/connectioncreation_refreshall_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp
rename to static/images/identitymanager/connectioncreation_refreshall_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp b/static/images/identitymanager/connectioncreation_refreshschema_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp
rename to static/images/identitymanager/connectioncreation_refreshschema_v522.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp b/static/images/identitymanager/connectiontables_ui_v60.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp
rename to static/images/identitymanager/connectiontables_ui_v60.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp b/static/images/identitymanager/connectorcreation_connectorpage_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp
rename to static/images/identitymanager/connectorcreation_connectorpage_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp b/static/images/identitymanager/connectorcreation_connectorschema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp
rename to static/images/identitymanager/connectorcreation_connectorschema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp b/static/images/identitymanager/connectorcreation_connectortechnicalschema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp
rename to static/images/identitymanager/connectorcreation_connectortechnicalschema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp b/static/images/identitymanager/connectorcreation_declaration_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp
rename to static/images/identitymanager/connectorcreation_declaration_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/hr-connector-creation/connectorcreation_inbound.webp b/static/images/identitymanager/connectorcreation_inbound.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/hr-connector-creation/connectorcreation_inbound.webp
rename to static/images/identitymanager/connectorcreation_inbound.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp b/static/images/identitymanager/connectorcreation_outbound.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp
rename to static/images/identitymanager/connectorcreation_outbound.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp b/static/images/identitymanager/connectorcreation_test_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp
rename to static/images/identitymanager/connectorcreation_test_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp b/static/images/identitymanager/connectormodel_ad-step1.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp
rename to static/images/identitymanager/connectormodel_ad-step1.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp b/static/images/identitymanager/connectormodel_ad.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp
rename to static/images/identitymanager/connectormodel_ad.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp b/static/images/identitymanager/connectormodel_adentry.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp
rename to static/images/identitymanager/connectormodel_adentry.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp b/static/images/identitymanager/connectormodel_key.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp
rename to static/images/identitymanager/connectormodel_key.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp b/static/images/identitymanager/connectormodel_profiles.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp
rename to static/images/identitymanager/connectormodel_profiles.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp b/static/images/identitymanager/connectormodel_profiletransaction.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp
rename to static/images/identitymanager/connectormodel_profiletransaction.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp b/static/images/identitymanager/connectormodel_racf.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp
rename to static/images/identitymanager/connectormodel_racf.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp b/static/images/identitymanager/connectormodel_sab.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp
rename to static/images/identitymanager/connectormodel_sab.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp b/static/images/identitymanager/connectormodel_sdge.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp
rename to static/images/identitymanager/connectormodel_sdge.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp b/static/images/identitymanager/connectormodel_star.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp
rename to static/images/identitymanager/connectormodel_star.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp b/static/images/identitymanager/connectormodel_starmodel.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp
rename to static/images/identitymanager/connectormodel_starmodel.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp b/static/images/identitymanager/connectormodel_tss-prof-trans.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp
rename to static/images/identitymanager/connectormodel_tss-prof-trans.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp b/static/images/identitymanager/connectormodel_tss.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp
rename to static/images/identitymanager/connectormodel_tss.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp b/static/images/identitymanager/connectormodel_user-canteen.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp
rename to static/images/identitymanager/connectormodel_user-canteen.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp b/static/images/identitymanager/connectormodel_user-mailbox.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp
rename to static/images/identitymanager/connectormodel_user-mailbox.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp b/static/images/identitymanager/connectormodel_user.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp
rename to static/images/identitymanager/connectormodel_user.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp b/static/images/identitymanager/connectormodel_usergroup.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp
rename to static/images/identitymanager/connectormodel_usergroup.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp b/static/images/identitymanager/connectorreadprerequisites1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp
rename to static/images/identitymanager/connectorreadprerequisites1.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp b/static/images/identitymanager/connectorreadprerequisites2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp
rename to static/images/identitymanager/connectorreadprerequisites2.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp b/static/images/identitymanager/connectorwriteprerequisites.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp
rename to static/images/identitymanager/connectorwriteprerequisites.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp b/static/images/identitymanager/connectorwriteprerequisites2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp
rename to static/images/identitymanager/connectorwriteprerequisites2.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp b/static/images/identitymanager/contextrules_rolemining.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp
rename to static/images/identitymanager/contextrules_rolemining.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp b/static/images/identitymanager/correlation.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp
rename to static/images/identitymanager/correlation.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp b/static/images/identitymanager/correlation_example_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp
rename to static/images/identitymanager/correlation_example_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp b/static/images/identitymanager/correlation_test_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp
rename to static/images/identitymanager/correlation_test_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp b/static/images/identitymanager/correlation_uncorrelated_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp
rename to static/images/identitymanager/correlation_uncorrelated_v600.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp b/static/images/identitymanager/crconf_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp
rename to static/images/identitymanager/crconf_5.2.1.webp
diff --git a/static/images/identitymanager/user-guide/optimize/policy-creation/createpolicy.webp b/static/images/identitymanager/createpolicy.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/policy-creation/createpolicy.webp
rename to static/images/identitymanager/createpolicy.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/createsinglerole.webp b/static/images/identitymanager/createsinglerole.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/createsinglerole.webp
rename to static/images/identitymanager/createsinglerole.webp
diff --git a/static/images/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp b/static/images/identitymanager/creation_5.1.6.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp
rename to static/images/identitymanager/creation_5.1.6.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp b/static/images/identitymanager/customlinksusermenu_v523.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp
rename to static/images/identitymanager/customlinksusermenu_v523.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp b/static/images/identitymanager/dashboarditemnumber.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp
rename to static/images/identitymanager/dashboarditemnumber.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp b/static/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp
rename to static/images/identitymanager/datamodel_scalarrule_timeoffsetdefault.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetexample.webp b/static/images/identitymanager/datamodel_scalarrule_timeoffsetexample.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetexample.webp
rename to static/images/identitymanager/datamodel_scalarrule_timeoffsetexample.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp b/static/images/identitymanager/datamodel_scalarrule_timeoffsetoverlap.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp
rename to static/images/identitymanager/datamodel_scalarrule_timeoffsetoverlap.webp
diff --git a/static/images/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp b/static/images/identitymanager/datamodelmodif_scan_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp
rename to static/images/identitymanager/datamodelmodif_scan_v600.webp
diff --git a/static/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp b/static/images/identitymanager/datamodif_changeuser_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp
rename to static/images/identitymanager/datamodif_changeuser_v602.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp b/static/images/identitymanager/datamodif_downloadtemplatedata_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp
rename to static/images/identitymanager/datamodif_downloadtemplatedata_v602.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp b/static/images/identitymanager/datamodif_downloadtemplateempty_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp
rename to static/images/identitymanager/datamodif_downloadtemplateempty_v602.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp b/static/images/identitymanager/datamodif_multipleform_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp
rename to static/images/identitymanager/datamodif_multipleform_v602.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp b/static/images/identitymanager/datamodif_newuser_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp
rename to static/images/identitymanager/datamodif_newuser_v602.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp b/static/images/identitymanager/datamodif_reviewpending_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp
rename to static/images/identitymanager/datamodif_reviewpending_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp b/static/images/identitymanager/datamodif_user_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp
rename to static/images/identitymanager/datamodif_user_v602.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp b/static/images/identitymanager/demoapps_banking_userdetails.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp
rename to static/images/identitymanager/demoapps_banking_userdetails.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp b/static/images/identitymanager/demoapps_banking_userslist.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp
rename to static/images/identitymanager/demoapps_banking_userslist.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp b/static/images/identitymanager/demoapps_hr_userdetails.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp
rename to static/images/identitymanager/demoapps_hr_userdetails.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp b/static/images/identitymanager/demoapps_hr_userslist.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp
rename to static/images/identitymanager/demoapps_hr_userslist.webp
diff --git a/static/images/identitymanager/installation-guide/quick-start/directory_v602.webp b/static/images/identitymanager/directory_v602.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/quick-start/directory_v602.webp
rename to static/images/identitymanager/directory_v602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_schema.webp b/static/images/identitymanager/discardmanualassignments_schema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_schema.webp
rename to static/images/identitymanager/discardmanualassignments_schema.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp b/static/images/identitymanager/displaypropertygroup_example_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp
rename to static/images/identitymanager/displaypropertygroup_example_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_list_v602.webp b/static/images/identitymanager/displaytabledesignelement_list_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_list_v602.webp
rename to static/images/identitymanager/displaytabledesignelement_list_v602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp b/static/images/identitymanager/displaytabledesignelement_resourcetable_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp
rename to static/images/identitymanager/displaytabledesignelement_resourcetable_v602.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp b/static/images/identitymanager/displaytablesresourcetable.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp
rename to static/images/identitymanager/displaytablesresourcetable.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp b/static/images/identitymanager/displaytablestable.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp
rename to static/images/identitymanager/displaytablestable.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp b/static/images/identitymanager/displaytablestiles.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp
rename to static/images/identitymanager/displaytablestiles.webp
diff --git a/static/images/identitymanager/installation-guide/overview/distribution_1.webp b/static/images/identitymanager/distribution_1.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/overview/distribution_1.webp
rename to static/images/identitymanager/distribution_1.webp
diff --git a/static/images/identitymanager/installation-guide/overview/distribution_2.webp b/static/images/identitymanager/distribution_2.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/overview/distribution_2.webp
rename to static/images/identitymanager/distribution_2.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp b/static/images/identitymanager/easyvista_view_v523.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp
rename to static/images/identitymanager/easyvista_view_v523.webp
diff --git a/static/images/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp b/static/images/identitymanager/enforce-assignment-policy-summary.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp
rename to static/images/identitymanager/enforce-assignment-policy-summary.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp b/static/images/identitymanager/enforce-context.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp
rename to static/images/identitymanager/enforce-context.webp
diff --git a/static/images/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp b/static/images/identitymanager/enter-the-object-names-to-select.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp
rename to static/images/identitymanager/enter-the-object-names-to-select.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp b/static/images/identitymanager/entitlements_assignmentrules.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp
rename to static/images/identitymanager/entitlements_assignmentrules.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp b/static/images/identitymanager/entitlements_categorizationrules.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp
rename to static/images/identitymanager/entitlements_categorizationrules.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp b/static/images/identitymanager/entitlements_compositeroles.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp
rename to static/images/identitymanager/entitlements_compositeroles.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp b/static/images/identitymanager/entitlements_dimension1.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp
rename to static/images/identitymanager/entitlements_dimension1.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp b/static/images/identitymanager/entitlements_dimension2.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp
rename to static/images/identitymanager/entitlements_dimension2.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp b/static/images/identitymanager/entitlements_dimension3.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp
rename to static/images/identitymanager/entitlements_dimension3.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp b/static/images/identitymanager/entitlements_provisioningrules.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp
rename to static/images/identitymanager/entitlements_provisioningrules.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp b/static/images/identitymanager/entitlements_rolecatalogusers.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp
rename to static/images/identitymanager/entitlements_rolecatalogusers.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp b/static/images/identitymanager/entitlements_rolemodel.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp
rename to static/images/identitymanager/entitlements_rolemodel.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp b/static/images/identitymanager/entitypropertymapping-format-flowchart.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp
rename to static/images/identitymanager/entitypropertymapping-format-flowchart.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp b/static/images/identitymanager/entitytype_format_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp
rename to static/images/identitymanager/entitytype_format_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp b/static/images/identitymanager/entitytype_sourcecolumn_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp
rename to static/images/identitymanager/entitytype_sourcecolumn_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp b/static/images/identitymanager/entitytype_template_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp
rename to static/images/identitymanager/entitytype_template_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp b/static/images/identitymanager/entitytypecreation_displaygroups_example1_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp
rename to static/images/identitymanager/entitytypecreation_displaygroups_example1_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp b/static/images/identitymanager/entitytypecreation_displaygroups_example2_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp
rename to static/images/identitymanager/entitytypecreation_displaygroups_example2_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp b/static/images/identitymanager/entitytypecreation_displaygroups_example2results_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp
rename to static/images/identitymanager/entitytypecreation_displaygroups_example2results_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp b/static/images/identitymanager/entitytypecreation_displaygroups_fields_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp
rename to static/images/identitymanager/entitytypecreation_displaygroups_fields_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp b/static/images/identitymanager/entitytypecreation_displaygroups_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp
rename to static/images/identitymanager/entitytypecreation_displaygroups_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp b/static/images/identitymanager/entitytypecreation_displaygroups_without_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp
rename to static/images/identitymanager/entitytypecreation_displaygroups_without_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp b/static/images/identitymanager/entitytypecreation_displayname_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp
rename to static/images/identitymanager/entitytypecreation_displayname_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp b/static/images/identitymanager/entitytypecreation_displaynameexample_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp
rename to static/images/identitymanager/entitytypecreation_displaynameexample_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp b/static/images/identitymanager/entitytypecreation_entitytypecreation_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp
rename to static/images/identitymanager/entitytypecreation_entitytypecreation_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp b/static/images/identitymanager/entitytypecreation_examplead2_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp
rename to static/images/identitymanager/entitytypecreation_examplead2_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp b/static/images/identitymanager/entitytypecreation_examplead3_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp
rename to static/images/identitymanager/entitytypecreation_examplead3_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp b/static/images/identitymanager/entitytypecreation_examplead4-result_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp
rename to static/images/identitymanager/entitytypecreation_examplead4-result_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp b/static/images/identitymanager/entitytypecreation_examplead4_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp
rename to static/images/identitymanager/entitytypecreation_examplead4_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp b/static/images/identitymanager/entitytypecreation_examplehr-result_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp
rename to static/images/identitymanager/entitytypecreation_examplehr-result_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp b/static/images/identitymanager/entitytypecreation_examplehr_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp
rename to static/images/identitymanager/entitytypecreation_examplehr_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp b/static/images/identitymanager/entitytypecreation_keys_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp
rename to static/images/identitymanager/entitytypecreation_keys_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp b/static/images/identitymanager/entitytypecreation_manager_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp
rename to static/images/identitymanager/entitytypecreation_manager_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp b/static/images/identitymanager/entitytypecreation_managerof_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp
rename to static/images/identitymanager/entitytypecreation_managerof_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp b/static/images/identitymanager/entitytypecreation_member_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp
rename to static/images/identitymanager/entitytypecreation_member_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp b/static/images/identitymanager/entitytypecreation_memberof_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp
rename to static/images/identitymanager/entitytypecreation_memberof_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp b/static/images/identitymanager/entitytypecreation_navigationproperties_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp
rename to static/images/identitymanager/entitytypecreation_navigationproperties_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp b/static/images/identitymanager/entitytypecreation_propertiessettings_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp
rename to static/images/identitymanager/entitytypecreation_propertiessettings_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp b/static/images/identitymanager/entitytypecreation_propertiessource_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp
rename to static/images/identitymanager/entitytypecreation_propertiessource_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp b/static/images/identitymanager/entitytypecreation_reload_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp
rename to static/images/identitymanager/entitytypecreation_reload_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp b/static/images/identitymanager/entitytypecreation_scalarex_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp
rename to static/images/identitymanager/entitytypecreation_scalarex_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp b/static/images/identitymanager/entitytypecreation_scalarproperties_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp
rename to static/images/identitymanager/entitytypecreation_scalarproperties_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp b/static/images/identitymanager/entitytypecreation_scalarpropertiesmap_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp
rename to static/images/identitymanager/entitytypecreation_scalarpropertiesmap_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp b/static/images/identitymanager/entitytypecreation_scalarpropertieswithoutformat_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp
rename to static/images/identitymanager/entitytypecreation_scalarpropertieswithoutformat_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp b/static/images/identitymanager/entitytypecreation_schema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp
rename to static/images/identitymanager/entitytypecreation_schema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp b/static/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp
rename to static/images/identitymanager/entitytypecreation_sourceexpressionexample_v60.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp b/static/images/identitymanager/entitytypecreation_test_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp
rename to static/images/identitymanager/entitytypecreation_test_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp b/static/images/identitymanager/entitytypecreation_troubleprop_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp
rename to static/images/identitymanager/entitytypecreation_troubleprop_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp b/static/images/identitymanager/entitytypecreation_troubleshootingschema_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp
rename to static/images/identitymanager/entitytypecreation_troubleshootingschema_v603.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp b/static/images/identitymanager/evaluate-policy-1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp
rename to static/images/identitymanager/evaluate-policy-1.webp
diff --git a/static/images/identitymanager/installation-guide/production-ready/database/execute_query.webp b/static/images/identitymanager/execute_query.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/production-ready/database/execute_query.webp
rename to static/images/identitymanager/execute_query.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp b/static/images/identitymanager/expression-propertypath-example1_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp
rename to static/images/identitymanager/expression-propertypath-example1_v602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp b/static/images/identitymanager/expression-propertypath-example2_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp
rename to static/images/identitymanager/expression-propertypath-example2_v602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp b/static/images/identitymanager/expression-propertypath_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp
rename to static/images/identitymanager/expression-propertypath_v602.webp
diff --git a/static/images/identitymanager/installation-guide/quick-start/extranet_v601.webp b/static/images/identitymanager/extranet_v601.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/quick-start/extranet_v601.webp
rename to static/images/identitymanager/extranet_v601.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_recordtable_v603.webp b/static/images/identitymanager/form_recordtable_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_recordtable_v603.webp
rename to static/images/identitymanager/form_recordtable_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypeself_v603.webp b/static/images/identitymanager/form_requesttypeself_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypeself_v603.webp
rename to static/images/identitymanager/form_requesttypeself_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_summary_v603.webp b/static/images/identitymanager/formexample_workflowaddandendrecordentityform_summary_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_summary_v603.webp
rename to static/images/identitymanager/formexample_workflowaddandendrecordentityform_summary_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp b/static/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowaddandendrecordentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_summary_v603.webp b/static/images/identitymanager/formexample_workflowaddrecordentityform_summary_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_summary_v603.webp
rename to static/images/identitymanager/formexample_workflowaddrecordentityform_summary_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp b/static/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowaddrecordentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_summary_v603.webp b/static/images/identitymanager/formexample_workflowcreateentityform_summary_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_summary_v603.webp
rename to static/images/identitymanager/formexample_workflowcreateentityform_summary_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp b/static/images/identitymanager/formexample_workflowcreateentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowcreateentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp b/static/images/identitymanager/formexample_workflowcreaterecordentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowcreaterecordentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp b/static/images/identitymanager/formexample_workflowcreateseveralrecordsentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowcreateseveralrecordsentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_summary_v603.webp b/static/images/identitymanager/formexample_workfloweditentityform_summary_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_summary_v603.webp
rename to static/images/identitymanager/formexample_workfloweditentityform_summary_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp b/static/images/identitymanager/formexample_workfloweditentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp
rename to static/images/identitymanager/formexample_workfloweditentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp b/static/images/identitymanager/formexample_workflowupdaterecordentitiesform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp
rename to static/images/identitymanager/formexample_workflowupdaterecordentitiesform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp b/static/images/identitymanager/formexample_workflowupdaterecordentityform_summary_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp
rename to static/images/identitymanager/formexample_workflowupdaterecordentityform_summary_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp b/static/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowupdaterecordentityform_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp b/static/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp
rename to static/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_v603.webp b/static/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_v603.webp
rename to static/images/identitymanager/formexample_workflowupdateseveralrecordsentityform_v603.webp
diff --git a/static/images/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp b/static/images/identitymanager/globalprocess_schemaconnectsyst.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp
rename to static/images/identitymanager/globalprocess_schemaconnectsyst.webp
diff --git a/static/images/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp b/static/images/identitymanager/globalprocess_schemamaintain.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp
rename to static/images/identitymanager/globalprocess_schemamaintain.webp
diff --git a/static/images/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp b/static/images/identitymanager/globalprocess_schemastart.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp
rename to static/images/identitymanager/globalprocess_schemastart.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp b/static/images/identitymanager/governance_nonconforming.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp
rename to static/images/identitymanager/governance_nonconforming.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp b/static/images/identitymanager/home_accesscertification_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp
rename to static/images/identitymanager/home_accesscertification_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp b/static/images/identitymanager/home_accesscertificationcampaigns_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp
rename to static/images/identitymanager/home_accesscertificationcampaigns_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp b/static/images/identitymanager/home_accesspolicies_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp
rename to static/images/identitymanager/home_accesspolicies_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp b/static/images/identitymanager/home_assignedprofiles_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp
rename to static/images/identitymanager/home_assignedprofiles_v602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp b/static/images/identitymanager/home_configuration_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp
rename to static/images/identitymanager/home_configuration_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp b/static/images/identitymanager/home_connectors_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp
rename to static/images/identitymanager/home_connectors_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp b/static/images/identitymanager/home_directorydepartment_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp
rename to static/images/identitymanager/home_directorydepartment_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp b/static/images/identitymanager/home_directoryuser_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp
rename to static/images/identitymanager/home_directoryuser_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp b/static/images/identitymanager/home_entitytypes_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp
rename to static/images/identitymanager/home_entitytypes_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp b/static/images/identitymanager/home_identifiedrisks_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp
rename to static/images/identitymanager/home_identifiedrisks_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp b/static/images/identitymanager/home_jobexecution_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp
rename to static/images/identitymanager/home_jobexecution_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp b/static/images/identitymanager/home_manualprovisioning_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp
rename to static/images/identitymanager/home_manualprovisioning_v523.webp
diff --git a/static/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp b/static/images/identitymanager/home_multipleupdates_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp
rename to static/images/identitymanager/home_multipleupdates_v523.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/home_mytasks_v523.webp b/static/images/identitymanager/home_mytasks_v523.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/home_mytasks_v523.webp
rename to static/images/identitymanager/home_mytasks_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp b/static/images/identitymanager/home_newemployee_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp
rename to static/images/identitymanager/home_newemployee_v600.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp b/static/images/identitymanager/home_provisioningreview_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp
rename to static/images/identitymanager/home_provisioningreview_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/home_query_v602.webp b/static/images/identitymanager/home_query_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/home_query_v602.webp
rename to static/images/identitymanager/home_query_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp b/static/images/identitymanager/home_redundantassignments_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp
rename to static/images/identitymanager/home_redundantassignments_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp b/static/images/identitymanager/home_reports_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp
rename to static/images/identitymanager/home_reports_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp b/static/images/identitymanager/home_resourcereconciliation_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp
rename to static/images/identitymanager/home_resourcereconciliation_v523.webp
diff --git a/static/images/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp b/static/images/identitymanager/home_risks_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp
rename to static/images/identitymanager/home_risks_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp b/static/images/identitymanager/home_rolemining_v60.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp
rename to static/images/identitymanager/home_rolemining_v60.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp b/static/images/identitymanager/home_rolereconciliation_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp
rename to static/images/identitymanager/home_rolereconciliation_v523.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp b/static/images/identitymanager/home_rolereview_v523.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp
rename to static/images/identitymanager/home_rolereview_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp b/static/images/identitymanager/home_roles_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp
rename to static/images/identitymanager/home_roles_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp b/static/images/identitymanager/home_rules_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp
rename to static/images/identitymanager/home_rules_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp b/static/images/identitymanager/home_settings_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp
rename to static/images/identitymanager/home_settings_v523.webp
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp b/static/images/identitymanager/home_simulations_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp
rename to static/images/identitymanager/home_simulations_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp b/static/images/identitymanager/home_topbar_v601.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp
rename to static/images/identitymanager/home_topbar_v601.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp b/static/images/identitymanager/home_workflowoverview_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp
rename to static/images/identitymanager/home_workflowoverview_v602.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp b/static/images/identitymanager/howto_resourcecreationmono_form_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp
rename to static/images/identitymanager/howto_resourcecreationmono_form_v602.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp b/static/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp
rename to static/images/identitymanager/howto_resourcecreationmono_homonym_v603.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp b/static/images/identitymanager/howto_resourcecreationmono_summary_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp
rename to static/images/identitymanager/howto_resourcecreationmono_summary_v602.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp b/static/images/identitymanager/howto_resourcecreationmulti_form_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp
rename to static/images/identitymanager/howto_resourcecreationmulti_form_v603.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp b/static/images/identitymanager/howto_resourceupdatemono_form_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp
rename to static/images/identitymanager/howto_resourceupdatemono_form_v603.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp b/static/images/identitymanager/howto_resourceupdatemulti_form_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp
rename to static/images/identitymanager/howto_resourceupdatemulti_form_v603.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp b/static/images/identitymanager/howto_resourceupdateno_form_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp
rename to static/images/identitymanager/howto_resourceupdateno_form_v603.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp b/static/images/identitymanager/howto_resourceupdateno_summary_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp
rename to static/images/identitymanager/howto_resourceupdateno_summary_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_menuitem_v603.webp b/static/images/identitymanager/howtos_azure_menuitem_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_menuitem_v603.webp
rename to static/images/identitymanager/howtos_azure_menuitem_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_navproperties_v603.webp b/static/images/identitymanager/howtos_azure_navproperties_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_navproperties_v603.webp
rename to static/images/identitymanager/howtos_azure_navproperties_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_table_v603.webp b/static/images/identitymanager/howtos_azure_table_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_table_v603.webp
rename to static/images/identitymanager/howtos_azure_table_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp b/static/images/identitymanager/howtos_azuread_exportadminconsent.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp
rename to static/images/identitymanager/howtos_azuread_exportadminconsent.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp b/static/images/identitymanager/howtos_azuread_exportapplicationid.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp
rename to static/images/identitymanager/howtos_azuread_exportapplicationid.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp b/static/images/identitymanager/howtos_azuread_exportdirectorypermission.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp
rename to static/images/identitymanager/howtos_azuread_exportdirectorypermission.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp b/static/images/identitymanager/howtos_azuread_exportpermissions.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp
rename to static/images/identitymanager/howtos_azuread_exportpermissions.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp b/static/images/identitymanager/howtos_azuread_exportregistration.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp
rename to static/images/identitymanager/howtos_azuread_exportregistration.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp b/static/images/identitymanager/howtos_azuread_exportsecret.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp
rename to static/images/identitymanager/howtos_azuread_exportsecret.webp
diff --git a/static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_connection_v602.webp b/static/images/identitymanager/hr_connection_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_connection_v602.webp
rename to static/images/identitymanager/hr_connection_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_connectordeclaration_v602.webp b/static/images/identitymanager/hr_connectordeclaration_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_connectordeclaration_v602.webp
rename to static/images/identitymanager/hr_connectordeclaration_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypen_v602.webp b/static/images/identitymanager/hr_entitytypen_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypen_v602.webp
rename to static/images/identitymanager/hr_entitytypen_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypes_v602.webp b/static/images/identitymanager/hr_entitytypes_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypes_v602.webp
rename to static/images/identitymanager/hr_entitytypes_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_validatemenu_v600.webp b/static/images/identitymanager/hr_validatemenu_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/hr-connector-creation/hr_validatemenu_v600.webp
rename to static/images/identitymanager/hr_validatemenu_v600.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp b/static/images/identitymanager/ic_fluent_flow_20_regular.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp
rename to static/images/identitymanager/ic_fluent_flow_20_regular.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg b/static/images/identitymanager/iconadd_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg
rename to static/images/identitymanager/iconadd_v602.svg
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp b/static/images/identitymanager/iconadd_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp
rename to static/images/identitymanager/iconadd_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg b/static/images/identitymanager/icondownload_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg
rename to static/images/identitymanager/icondownload_v602.svg
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg b/static/images/identitymanager/iconeye_v600.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg
rename to static/images/identitymanager/iconeye_v600.svg
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg b/static/images/identitymanager/iconsave_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg
rename to static/images/identitymanager/iconsave_v602.svg
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg b/static/images/identitymanager/iconscandatamodel_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg
rename to static/images/identitymanager/iconscandatamodel_v602.svg
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg b/static/images/identitymanager/iconupload_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg
rename to static/images/identitymanager/iconupload_v602.svg
diff --git a/static/images/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp b/static/images/identitymanager/identities_repository.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp
rename to static/images/identitymanager/identities_repository.webp
diff --git a/static/images/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp b/static/images/identitymanager/identitymanager-create-databaseviews_ssms.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp
rename to static/images/identitymanager/identitymanager-create-databaseviews_ssms.webp
diff --git a/static/images/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp b/static/images/identitymanager/identitymanager-export-configuration.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp
rename to static/images/identitymanager/identitymanager-export-configuration.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp b/static/images/identitymanager/identitymanager-login_success_v602.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp
rename to static/images/identitymanager/identitymanager-login_success_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp b/static/images/identitymanager/identityrepository-example.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp
rename to static/images/identitymanager/identityrepository-example.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp b/static/images/identitymanager/identityrepository-person_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp
rename to static/images/identitymanager/identityrepository-person_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp b/static/images/identitymanager/identityrepository_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp
rename to static/images/identitymanager/identityrepository_v602.webp
diff --git a/static/images/identitymanager/installation-guide/production-ready/server/iis_settings.webp b/static/images/identitymanager/iis_settings.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/production-ready/server/iis_settings.webp
rename to static/images/identitymanager/iis_settings.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp b/static/images/identitymanager/indirectpermissionsadexample.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp
rename to static/images/identitymanager/indirectpermissionsadexample.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp b/static/images/identitymanager/initialload_dataupload-synchronize_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp
rename to static/images/identitymanager/initialload_dataupload-synchronize_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp b/static/images/identitymanager/initialload_departments_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp
rename to static/images/identitymanager/initialload_departments_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp b/static/images/identitymanager/initialload_directoryusers_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp
rename to static/images/identitymanager/initialload_directoryusers_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp b/static/images/identitymanager/initialload_scan-example2_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp
rename to static/images/identitymanager/initialload_scan-example2_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp b/static/images/identitymanager/initialload_scan-example3_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp
rename to static/images/identitymanager/initialload_scan-example3_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp b/static/images/identitymanager/initialload_scan-example_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp
rename to static/images/identitymanager/initialload_scan-example_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp b/static/images/identitymanager/initialload_scandatamodel-result_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp
rename to static/images/identitymanager/initialload_scandatamodel-result_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp b/static/images/identitymanager/initialload_scandatamodel_v60.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp
rename to static/images/identitymanager/initialload_scandatamodel_v60.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp b/static/images/identitymanager/initialload_templateexample_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp
rename to static/images/identitymanager/initialload_templateexample_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp b/static/images/identitymanager/initialload_templatemodel_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp
rename to static/images/identitymanager/initialload_templatemodel_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp b/static/images/identitymanager/initialload_templatereco_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp
rename to static/images/identitymanager/initialload_templatereco_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp b/static/images/identitymanager/initialload_uniqueemail_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp
rename to static/images/identitymanager/initialload_uniqueemail_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp b/static/images/identitymanager/initialload_uniqueidentifier_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp
rename to static/images/identitymanager/initialload_uniqueidentifier_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp b/static/images/identitymanager/initialload_uniquelogin_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp
rename to static/images/identitymanager/initialload_uniquelogin_v602.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeattachment.webp b/static/images/identitymanager/inputtypeattachment.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeattachment.webp
rename to static/images/identitymanager/inputtypeattachment.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecheckbox.webp b/static/images/identitymanager/inputtypecheckbox.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecheckbox.webp
rename to static/images/identitymanager/inputtypecheckbox.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecombobox.webp b/static/images/identitymanager/inputtypecombobox.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecombobox.webp
rename to static/images/identitymanager/inputtypecombobox.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecomboboxmultiselection.webp b/static/images/identitymanager/inputtypecomboboxmultiselection.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecomboboxmultiselection.webp
rename to static/images/identitymanager/inputtypecomboboxmultiselection.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypedate.webp b/static/images/identitymanager/inputtypedate.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypedate.webp
rename to static/images/identitymanager/inputtypedate.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeimage.webp b/static/images/identitymanager/inputtypeimage.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeimage.webp
rename to static/images/identitymanager/inputtypeimage.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypepicker.webp b/static/images/identitymanager/inputtypepicker.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypepicker.webp
rename to static/images/identitymanager/inputtypepicker.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetext.webp b/static/images/identitymanager/inputtypetext.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetext.webp
rename to static/images/identitymanager/inputtypetext.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetextarea.webp b/static/images/identitymanager/inputtypetextarea.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetextarea.webp
rename to static/images/identitymanager/inputtypetextarea.webp
diff --git a/static/images/identitymanager/integration-guide/datamodel/BI_universeExample.webp b/static/images/identitymanager/integration-guide/datamodel/BI_universeExample.webp deleted file mode 100644 index d277e49cef365a1590a5f033b1360b093e10a446..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2438 zcmV;133>KXNk&F~2><|BMM6+kP&il$0000G0000h0RSoh06|PpNJ#(y00B>+G?FAW zd3+M>t51d^BH+ZD{goVwB1vlQtWZb+A80@W4tTBLeUW2D^j}DjNOwp^IVvomKEK$! zW2wrjuxwewVy{Mj+W-JoP&gnC2><}_F94kZDl7pj06tMDkVT`Sp_1D)tT+V(pbW_- zkKi4IM~{2mTl&o7HS*ab^5dP20RCV(Dd!2mC&`Pbyr| zpXEKGe~|E}!_S=kqvbu$-|0M!eSrKY_7B+)%&&TXuy`Nt1Ng5{FH(P#@SoWR06!G| zQT|`^2mA-1=kGp%ejWVh(6{o>@E@1H`*(wV6Z{9T2lAijAM3xsepCG<{^9?l{2!c8 z%YVNA*8d;-o%9X-qxzTpPw*bre#U=qeUHCqfB&czj^7&C3p1Z8W=VQYNO9D+J?H1e zNF<^$HR@#k^ooI|3+=^tiYhw)VcF}HyBT*apk8r&?ndrG6sJGhr-Eo+8=u2+CP(?B z793udK%l78^L8$!@C=GbWdEh^FDveMza2!49AVVz!X&{Q8d!j6UqQl4UlB2qsnaFo zMX1smY6FP(o7Q=ImR1qQ0{lwW+#XLW8FZ$!DdB0_g+oR!`9zk+zZCuP7;0Yq{sMpi z)sW6uf56_Gp{7IrilU-Sk@%C{p?Ce-MYK&LJYyZboS28)g)QL1Wp2!xIU<@hLE*pv z1EB8rd{VU1YB<5p&QqEH_=i`Z6KcoC}C?HUNsn3KuKAVgC*5Q2;xShV(f?9GtzyNqYPvV#87eyqdA9yZ?RQM8zvR0) zPW+_@Aon@iZ*$pu+(8>QdFsXx2fMwjF`v+0v#l>ZaRYAmoTqm8AwQsx(m?3)0?3v=|So{)DcTtnv$3K?_C8~P;)}= zDml7d`smEf197i_VbIov{9p0s;Li>`r4)oJr*&D0%O(Zm2Rhy4JfYgK-pO&R2lMQm z>2d8LPvu7N71PAJC4#mX4LlZL1Rl8c5)rUyK+P&`)V8m8k|wGF0H+oKd!z)$EhboU<$S{r3Kx+UP@X7IR2yK10!2JSaAE3e=-Ude5{3t+_O( zyDTaqP&1LdTF_C_n`3C)46U~1&n7xd9E_+8khG=2Ys%GJR_0Z*?@1z}Zv-I=Ps@wgs|$_P7QUzTao=9Whg*%I83BEo!vMhA2j}EdM_1AzPSY{v3zR5E+qy5 zxme*4k?KxhcVbiAc=(m|S|qH-!rY(!Cxcu3cw(trB(0eKZ{k9-4Ui5@K?(rJX=uIi z|CllE4pINNe|N+XQ=7Z3DXDS@mSpYH5v<|uK2y{2;+$Kp3T#}q53@Re?epi!jq788 zu*Psj{E7|4Mn;S1W|I)2%bEfhZh=*s9jRi(XIcA(-yV~kv?de% zQBPz-)tUUhIh!+P4QVU`gz|oUS)II0!Ghirh4?}-sW<{w+Y_0rYa%nkH?<7%_Au8~JKnU% zGuqQO;(sS78m16bDsy{hDS#DR#-Y}B9tRJ&0&=-aO{s;NLuRg&^k0%a#)+F?V<>GZ zvOYHpq2;6b$O&5LMI}zVJ{XD0T(uS{QZG4PQsTCdF*OyB^c{v2fu*yVxs|uDZ-bQ! 
zJWJN$ey?HP=b1N#jxk-mGf)MN#jhGy9GxQ~W3-Q@QWW4|GShYc)O^FVJ7Ybp?pdaC zJt@6)ZPpcR3rzJFx-P*lqSsM-cR6|-Q6Cfc_AS>3zMK}$mYPX*-0pkm;&rZoKH1>& z|Eq`%%J2U8)3UtSw!h^K^aqw_OFhVe$iA9f4j!jb6kNZR{2dnsNApayn5x5q7r?k9 z$AnVd@efl;yLMvQ4a-$u1Lg?`Nz>=aX05@CzJHIN$TSV;`jV4o=fd-Ncm()N9war& z9Q-Bs*gJ3-H&3sD>tYCK9gk(}t${VgC-SBDgrF9YaBiEc+WTEA(80WUVX!T4SGwMR z)zdEf?6;MQre1js{LZ5j#72o|vkZOlr0MC{Y+u^j++}P+ir?W<{27oyTR>H>rlw?E zER8la1mG1w@ij!mNXGIYc?}*yB{b5KGT1VDQAON@kKtUxJeP#ezv}xC^+kP#X@gA^ zrV)ngOqkc0c%X7j$z;Uu*mE7L0WRUPKwH2T0c7Xd(yzLNpB9|Gq%z6_YjzKtVPr4> E07!Vw_5c6? 
diff --git a/static/images/identitymanager/integration-guide/datamodel/Universe_columnNameDisplayName.webp b/static/images/identitymanager/integration-guide/datamodel/Universe_columnNameDisplayName.webp deleted file mode 100644 index 3fa28016bef46449734b1dd92c29a41d7a7c2e29..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1972 zcmV;l2TS-;Nk&Gj2LJ$9MM6+kP&go<2LJ$YCjgxRDvAI~06tA1jYJ}%A($+N04M~+ zv4Cg@d3hRjbZgsg4Zogxfd9eMHm&BUw#($TR@-VKU6;l{cHBe)$i?o0Pq6*U--ZF-^<@153mm(zybM>@IUdt)_-xl zw10>ERrdqDzwsaQ{*!n5Py_i7^}qMO*?rKzQU7)Q^YRnf-{jxgf98Lb_yzt|{QLb^ z_MhG#@ZbOc|MW6mM4aPB|Hr z8l)XGwKAuu+R@5Q+(v0mR{Lm)>LzF{s};SdQ-*T!*?x;r3jW+47nzm#({lI$Wkw2M zu8U}W7y)$sIOeHITt@6 zSAdVhPeK^6zfm3?RPW|d&(r=AW2{5vFH< z`~9UQbJb_N%$m{0vQx1X`ovJ|oysL>pF9a3N%R=}7tf-#^y%)z`6dY{*q5^`T}xeJ zm6w)3WJFS^eLH97L)O#OkWw+{Fc~^_2ydsCo#_q-BF1u|m79&3Tc^d;e}AL{LTz}- z!*lsqX29vUn3!lHK!!X@?b#B)D5xR8j7(M_-LOU03mh66)!(-jQC1S&2_atb3A1Gi zTo5dKcPW*~LGqAcpYeAbl^$X;IvdkP9TW$FRM-b0s`vSS)6bLCshZ%6<@NknP@lbV zem>wrf`bRo$U}0;p`DxWjf4uP&PVhm$=sB1WpKixi47rz^_+}HGkjrNO-I3K)}`TK zgyt-46Y65R@Y+m#Gl-$#*+^cT_ zV7=4HFaa`i_fX_eQtIeIWOtB0K(>piuoPC}R%lM9hckYN_t^2Hfi4#@Apg+OnjyTH zF16ZX&y|)h$}(yGGl4yuGR}ID>n2bgRz+3Wd^GzJ)8wN0ehpiN=)N6X>RF2H9y)gs z^|StL6aVrFgaOHDYsr7l5OI)Yokl;-=C0?MhfGcPSelzL8o})xbr{;(V_JDLHO0Uv zc&EF>CoQqmz>&+Bij4UnU!gH5%QgAPK2U`>G|IXdr|8IPEnhFYrh_e9?QY{?>+s!* z+e|tB6(uh$?i8JxrdxW*gF{qxEm#jd>WNk`$J|LZWs@RXZ?yC>M?Y7MkNBYxcyZr_xQE(#>2 zFM^hidnuE#H*u~9IY3R!Ax2-psw4zrfrh2Xe!Ik(4LRUN4%MbXUy%%xr0Et6!_Y1_ zpi68tqeJ3p!SqQeydM(B&SHN{rz^uIK6#f8gG%Siay?B67*D~i^SMk$z zzxGnTsOFWGW-_BYmy{LlAlpITau?r#9cFpO0UyBHeF3{YJ#VCW8eZw!8k`;wE*Jm_ zSC+GSk54An0I1DU@8e?sU+=B?k}!+H4N?DMmo>tZfc=m_p;bJ{I^L+hnz--3PB@;F zuuT4=L^;(_`rEf=z~p!0t7bwY0p)xZ@)69pgSPzMRW_8F^$O)Q!E^wP*U-6)^IXve z*Z>oniRHN`24W^8p(#ehDj*{R5Q>*_4+y*rCTvBDK-K79;P>>H^QE>TfimP&PJ73> zHJVIQa2jMrII`b`U%!;5s3!55z52%5ne>&(u7C@->6Z*>SG|Yeb3*qK8vh6XD9tbgsw9yPL@)W?RkBrPbI4Khw=VKQ!OAcqW>nV1fp)k^6?6JQBosF(R7p*ch0{ 
zRnf3H7sBJl%bw>df&gRk0<^*!qq-jI5~xXPj(f1^n6`Yg5Oqrh4yFx+VnikXjfz{- z#-@u!Otx@nB{CFUyuSv6d))Xf5;_?{*F(I z1H?5Yy#ut&o<6(!PqY>3RDb~f`wB{9A(>=2qEG0i^9MVVogxe7C!Wqmi>5`{;YL1W~#QXU7{V7tr*P*l4@NA4rN zmjjW5$oYl2u@803zZ_uu`krQ|68dae<4i-duMd7(z`L0i!jrOoi ziWZCG+REPl{yCAGjb^3ttackwy32}Ofm7YlCi#hHb0Ue-n)h#}qXQ)Usx!-KH#c8v zU)nEb(GQvF-n+EUzIBAkb2B{v9-_{LD~a6uvMY*<_#0JF!3K{M~Xvub_EBVTe3w7d8< zQ9eJ?uo#E%@L+UBvJgeKQYhnQ?*Tcvt+j$RGL=J!Q5F10r@}c;IE)&NSFzL2oF+Mw z&7wjgdi;fN48QcK8d|h%Q{pX38|(wQ20KVV+D%O??Ghv1P00EuMb~R3O ziktDYVL8y!Y1`~MZP8y26Ga*}qWK7|0^i0x6#vEtUE;}o5`qBmBjIF_@MfQ!%Grf# zq&{i@Jw<(>nzkm+GlnIWxL$yH zO1)vKck|yy#z>%T#cxz&%@>#xsin7mrmD7A`00h^AwcI%%y+QUAXRiSiDa(_zY~Ik>I8 zcspG>f!#yd%M=Dp#7~9Se}dvnYB{R_9hMI_sNOdN7Dd*lu{kRDjFZ3=MI=*;mStvp z-W}mMGh+eMTZ-V)^^YDZ%xuW0Dk@F=G(3)^U*S|nu6vqSk+{v;+@L{Cn|n*X$=E<( zf>^;dLx!kCo~2!#lr2rVAoKq!*^1~26C(v{8Qwkf5w%Bel)!fR`c@^t7)!2NquX=! zdB(Twi7yJz=c$Vtuo;z=`fXm23zzn*q8Gh>Da!~s*u`U3rv0ceyp@0H1$h$^(>gtn zMZ^=_!i+bW*lW*`NEJJqqm+7iFAFQ#;emGD)N}{YLak+Cvv`}s?5zHA7RB4LQ}HfT zOr{VwYdJSoHKxjs$nMZz(dmY&BB$Qs8o8{Xo@bpe71X9IwH?j=7$zGaEP|6C^hE(l z_Hbn(05vivF5Eu^Rr?T_iJ+l>b#SK>zScR=)$hMVAC)IyCFFk5cklt$aY=iuK%x-; zJ^uon&bJwfFw~0muur{JdK@mzNhc&>@7SVA^R;}5??OL_W_arDBcx{ik4$nmtG{!?h1d{O>734FSzIKMWzH3%JLo9z#g0;p;%SJxXZzsW-r?iZ<8mJ=WGr2LYQx#hQ zyA{Bvt>~A=+pz7T%B6R*R$L4};E_XE@O{s)d{=eYkbKTCEA+ptX1)%_TP05GjE}+E z3MNHW|2lp0(NqdN^(bl<`_Z&tpe1-%WL-vcclL+=N`3859!E0JOITK^N<-Nk&T0{V zrtT^Aazbjg)Jz=VCN4(($E&r|J14MM<+3Zv;ZUdZhKTPpUQ!-le2+j9Ue@N0HQA&j z%ld*aj=bo?vKdVDlKp>{tph24K=yDgo{W?ZmvA77yGRp(&HuyW#$n#$2(s7^M2eh? zwISYsB?{!v{F4H?>Bo}`3MFRi0TA=&01N%%HSp|)M3V(6Zfb7zUyZI|G5Hf@~ zfUhS{f3b$`vpH&G*~MYfqBqm7xD&Sdch@<=5+E#w0w4hNxF7|5zx{5uj#|>#5h8L# z;MPqfcSUsY0#q~_(02>C$N@OJYHM7lLS5!k+YUeaeE2N_?RyT>ZDQOJ3mm@T5&$NyfkqQ1Ay~8H_BZTUFo# z>DhU4=Vbud6OS2%0(+;{v*_!ZEgyvR9RIKP07&-_hBX8l{1zIi3KWd?FtiBCpW_;D z$EV-&ZM`*Tu!>*yr#9tZp>8W-YFX6rO3J!a2B1qF z8O_-{E)4}C668+g>Aii1*y4sIB8d;B_Dhd4Jph4ATygzyTUT{Y3V*)1$3tTu(EH6X G5C8xlWg(3K 
diff --git a/static/images/identitymanager/integration-guide/datamodel/datamodel_scalarRule_timeOffsetDefault.webp b/static/images/identitymanager/integration-guide/datamodel/datamodel_scalarRule_timeOffsetDefault.webp deleted file mode 100644 index dc56253cba4968351ed944178583418e61d3673d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8466 zcmeHLbxa(YQ`S`G)kX&Z0Jwi=Dhl8Y0zmY$ zvdlCV0Dz#BOAEl|3>R>axeN+_{Rj4o(7;2}R?oiPcGYBgpw#W}&KcewCT4Hd zaAfSphIhM1{gUAHaD|u03RN@;P(MXPjruT)b5iWX<0jTwqUBUyEI%e=qU&~M_ha3u zZZyc!&xOjOFU%sl++vaRbbcghdFv0ph|+1+L%agq$9Z8dBO2uC_uCc^#AWq1Xp}yF zWbO5wuvV6JluF4AlwU1aF-9S?y8?;cQmRJ1yP~&|)A4I7ckIcU!v57?4fVEnTnTM; zo~YpGl#w*SdMmc$;Fm)o8?tg4zH-$9*W=}|r+5}C1d9?WVu7Oo{=kxlB2vL9%Fd4` z!0Zbqcb^w3?U5g`ID9|UJvns$YA$r*sBZIgDb4WTFuS{z3}tVcLV_%tUL?Glt#cH6< zn)#NV+lxC(H&rrL@QNvuwL?+OG-9rdts+sO)PCXv<ryf4)Q0Elei-JtVfbtr z8%$?FLaE@@Bj{o+`YdeCH`0&9wTZAqjV37}@17kH`$3v!;=GaHKw^^u=>oJG`Iip% zh4Rz&F2x~}^PaewkY2Yy)I{Go$Tovov1F*yoKN>Ki8MfH1VzFWhH+b{Kmsn=TYpoc z21$jp3wZ!aF0UurM|^R?C6Xp);eXl2{Va{Tr$b8&|N8979|9Jc?x>?dtv}5UNZz|z zsn1Fmm+_rQp^Tmd_RPp?eZAd8ByoNJY}bVO%2H5JCehc^ zuG9YL#!2exwE3Y}COdyZF@`lGThxT|kmN)$Ta#x@W8e0xT-YY%C(Z2nPM~Iq?o%?` zp*VYHPAdRZ)RinC64{tHg5>k%XhV!e~>bfs>$37F1UN^ z#Vi}!{!$M^evlXMP>j(qskAw}G`xDcUpkS_m_Wke#|J$>_Hy*)MIS4 z6VBU_e|DNJu8edxd<+T3)A4(y_o3}@>ese6UkmaEmK|NWPcvqv#k%Hf3Mlo{h6Kn>$ z%xKEMGO!QPQg@E??r3qdO5nOL^8lQ+@w&YUeT`)X3sWr7Wv zzG)BTRZ$ZeY*gtz3u7j{c^_WyxyBET?0R*XsA|Tox!;#ux^lBIm0jv}_rk@{1>DS{ zP_5~AOROv`_S@kGS_Gh2GpG9CM`Qa6l(~~1Udl*D*z+$xx42iLtU_yRPx1(0FW*P~ z!09ML*!U4a5dj*4+KQlFHDcy(P(>;_Ny(&de588Y3O)+S2~~8%ybB>6L|<4{N-317 zEkBI5i4z-O6f5}SIKTGl-S6RDhl_E=wUm-n8KRhyS)t0?6Z6Wbw{THZQc7yI(L@Em zsg=U+WvG`Oe$O18Qq?KJSSXq)&3p2392zKAN?2TFt%}eWEvt6-s998BJYb8 z|GNi>2;Eaem`6l0*T%d4gpRhW9Pw`ST`h`@Pd^0+U}TkS*{30f-KdACz1&y(d*Rk_ z7E#uO%)p<-s)>VrMX{FX2XALhzi8tkpXjzW^0KaVZ`wX=$3QUNI>f+ziK@NR`s6My z=2FFAC}{67366B@oe2VpX_N_k zbzBT=)KSBcK{kVrN{@w{mx@4GHSZ$I^vv(+B`p|O)suB7XO+DlgFYffpAb|@>LJ%; 
zS!8$e>vkpRIUfRAcQrSq16FF+6E$=piFzete2R$u<>HBwcI-So+ecif+5Lmdx2Pg= zD^Dcv`$}a`dSW$;pk|Ge{_);dJ{n_bsiu9RAK~eEJR}oX|2t_wQkacC~bxPb5C%IMn1$}j{ZB9C!R zgD{ElKQaiYGWGNL$Om6EK^cBS6N{l^YszKsL?Y{P)S{1!q$@b-Ot@&f>X{aMack_9 zaV_N#j;zcA@>XS(NsTKYB3PA=;*#HYfxD0OE{J`6s{y&0MVdvB^2lGyD|%k(vnXep z2ZRVj6u+O^%2?mPW>Oj0BzO7>g-ns#lag4O^reWA=CDZVG9@$p01E-}KPkew0v3Kv zl&u@p)rZW{#Hfvb3%s*QsU`Rr5F|rdsUit>qDzfh*m-}*Zrfm9Mfd_oHpcq6v;r{* zL-8uM?v*uv8XwMPY`aLjmMh9XygbsVhr0OpmR?4gX|sm7?E2jLg)Jl>-JccIF*=K? z4bjCfBtE8h6%NGTrjW-o|8nr0delG`CG^EV!Jp%Z@amTnK_d1wenHq9-!a8?GU>qa z_AMmSo9=+nCD&Vgq%J2)jHO@*1LuW zAhF*Y(Tb&0A{Oa$fb3xl7~*ZJ)6U+2%3Eb}6!21-&usH)!hXY+4_dGG$8rRT>iVA9 z5dYR2nMGR{Q+bR;=HXU{=nNo}7Zcc;bU@%xvr*kr9wo5`-Mvkk)(WHCT$#&K#dJ;w zrd&R$JvMzoZzG-j3q5XPFQhIERO8R7k3wkUirHI%12Ky#(?mk=HbCO(DCu9Rp-=4L za>R8JpQkxeix3R7okbivAL(+Y3`KTm>Rs=(2^mZ<8PTrNZ1j+)06jak(uHUYZ!)@5 zj{$~=&Mzgy^`mtvT!+4~*AJ>6UOKllskfz4fEZfp-4WzYa+ZG#95Hyq@4QDMOe&<> zv)LDZsh(_Uma6I{Nr@`q>Rj;{EIWwCC9Z}2)@n~m$F4}S;Oe;l6rA;itbCe^y?JFk zv2GJ;-bonqmp^%q41Y@IY~D`$^f<9rSKAx)w;1u5mmip1^PW)**gMix6nrvT}NyctpQt_**mw{fN( zPp02sVBif068cFg2Jv#WIG9kXdxyopDQ26H^t`N4Om#Lb*B$%9t4b{EHABiYG)6>_ z-N|*kFR}VWRQ|pxaBwdFbr)8ettblte&Z(rUAlo*|EjWgS8V>tCVw_3Fh1$riesZc zr->=FVwjyya(-5YTvP_qnVLj}+JQAFbxWV*A;OiXl|I^ZwYz^#BW|x4Eu*T(BncHo zXy2L#B!0`ks*!nxeRb91uIPKs+xLkDO>RSh!6vW&RtGDW>M;j8KWy5NYI778kX5Kpk6u;B*mKtpxe>X$ zZwn>aL?yhSolB!e@fEV8-J0m?AXMXd7nNCzJp|{r$)nUt<1v0{JU)@a1QWE9su^r1 z0_{h!N2`_;cj=DeGB4Twz25oP0!OMH`ERH9?hOF|aGnXsMqo-qAw&>TVThNa$^+%Ab4gu%5?Xx}R_iscJUcgf0v=;iiH;eyVW3 zdyY$l=ddT@mu@TgJrw@j3wQMm6i)YRhr>?};L>;I@TpOy+p{OX&aY?Cb2uD+cn5%A z93#M!zIW&O^#~*V9a7%3M0U2NMJkzAjOu19ks72;`6*KW5B%T8LrpJVWPQ~ZEkI}k z+pJwQx>3GB(JZm`jTzlP1+`c<8{0%9$|fFotg6V_Mz;(=ll!@tWB9(w?W&|F(<486 z@O?Xd#lG-QL9nh9;zbqme=1)TY)bJoYaoU<&m3#}eXNjgdtSJ`OOjWyn!zlf@=Y*k;hsw)W;g1s zHy~=v_Is96Uv_vYWY|5X@l830tt3s1Xi*gT!mQjOVHVe#GfU{S zpA=Q{^!UH5nw`}?M35;rsR-^=YTw2w3F^pxY(YErd2?t2u!oiXsxMIO+1LZ_NalDM zyCGUOPelc*mQMbsgp4gl(>k1!81L)qHp{A7sj1W1m8he+7r0*Rbi5q{hHD|ONX|LC 
zXZs;1_1zClLYLj(b3G^B-vC3b^P0i_ZTN5C8yP z?jHVrYW+`!6ui8dw1E1eW#1JoQT^xi>uUN{VXPjEN<4N1fNUUKBQh=+p!9PN=I3ue zpuAv%!j#QNM;@dhPUU&sjm?OIbL&EVyHI}M*`_Q401$>=U5>bTpCuM^G(?yXxpR>m zRrmarMieo6bOf81h?w8-;W<==uegXO6!ZHexBebvD-3ROrnf(KOCevipg#NRQEhtHW5pA-aothTOB7)P%@?CZJa)w663n1A6?bL_OV&p^`&4b$o2PYxS(= zL)OfQUz_`uo11X{II$M=)eLK+l{nH#RqZrGnG-z$3K~m`0yi?LryrO`a;Fm-{*-){ zGpVEpuYN8bgcE8d$o%vaoq7y+JlOsX#=!<=<_kQNMc5Pl3LnhfymS+@tHP79gr)pG)43iGi-X3=C2>Qq)w0$ zaIpml|LlYhlc&Gd!hOpEwf@)?^H3n7RX6419|Ezj2Jx!4FWPho(&}rd_y!w}@NRU3 z&?m4MxE$?#Uiq+SlMnjR=BjGbF~VT1%#Pgb=fNv1wZLV~4rdTxbLrM|@{<;fLZT5^ zV|k^VG!fcJ9Xq1{)C>GRMh1_Qt8R{ zhH9xE{e?4<=B%cVNXI^MX!m6Ri+e|4xzcLl;$(GpB*BWMsgdkbU4q6XR;y=A+IM#W zw@8E4@H?4|J1f++(lV7<2!xM|v7vHfuy=7a;kLsHo3^>r>HW9cxtm^>VRR^gMESma zLL;=PrGN^L~Gu((2BCh;U}*s`ONZ4 zb}UdXEBcLlHF~k4`>NvaKXXSs1tPmNJ@g(N6Q(nYUhP#i%W?ih(+8r}=NwNzt=|a9 zm5;60=_iu|ZSuS^MS%Rf`BvPrG3B_|IZ!X&+ z5b$~%oXks-wA9V=rj5?Cs*0R98n`6tF>?2Ehw^w}^=+;he8z|JqgTq6-8L}(43((a z)&Mt$%$ja3EG=SO-*w--yPjzv1;wZ2HLYk7>yFLzJyRW8j-vAb{NqaLPssUFhB8iA z6Jm5G;3sc7SRkS*KaC)dKr(A|63SLb?u{nK$E=yyl!0wXHtT?!PpC0r_sGJTfVlDzV9{sLW0ODq`phdXli&NNa zFmUA;ZA@`AgROxl%2{U8mC)YFLyVgAE^yJXG{thZbjL`d-rdZ#+R&tnJwfe-`<(go zc)Ixe4PWP0W>=lSgQl0BD$881r@!=BlV&7#d9wNF26ssR8h?-A^R(Jw#KB%3IdWCT zk96bxswB_PaZ9d!3lnMtLtkpdpw4pqUX*smU3GM{vCyN|Me+hKnibO2J4W6 zf|edtxaisPyT1}l>JeK7eP5o1+hF?7v9GXtE9`&s=igbR`l8S23CKUIX$t|W_@}Vsp+}%b?=5P!~EEZa>-yex+jJwq01>(sG71&igp~cvI z=j{;huiyx~-Ry9oaXsm7D|0+<1aXDtO?)jD@43!bMD~m%m3O6!#j4$Ex?A&i1WjM` zdB4wJlbvXyO6N$$O+F<{tEfy3q54eX@mZ?l-{!abEO7+$`6sC63(}oj8S;L9CNQCH zyG^mHJ6Bb%YaI*keDOl5RWWQW|7;bwJF52}uMxr?k(Fk=dw~!mKeoKL)akt zh^(Y-N8!66vEv-fH&iElW;GC!Ik<+}Ys1Y49i1y3=!-5>5EZl{W%b4~thBA4P@`ls zuAdzulIvWuBRg16+1V<+ z8om~S>x9*)O_E9U5p3e%&of7<#%VR2B~X!H@{W!6M`#O zF3b+Yrn#h-6+x$WZ{=Jf;VO!U{u(W>m3)_Cp?9UQLA@#b_nZ??xQd##{KX$8=XA+( z3WeNMx}9dC2ErqT5BjY=JlMu! 
znC7W8bMCRGD!8JK2#iL=)N9N$;BVW3WI{@^hvU18VPy?>A>@zG^2TV`p_MOL9^K7j z06o^pL4|J#HQ}SZ?l~SIUqZ0%5j2#5Gb@bMFy1qflxLkd*f+moPw*}G3z5i99NUrG zsCp$fAC(Po?UDFV5!h7PdrE=RVrBk1N9MaODZdMqh+m5&cqW`Jz=P_9Fqs6ofB<7a z*a_-uEZ_Yp)iPBh{uf;wOcC5I#=3HO)_A_VxjSU+#pqvh{JiNmklQ!EVj78Nw7MVa z7Py`6u1EfPQ@59id|6d^7fERMw>qf^89Q6}wBoDh>SYyvtY2on6v5@Ru{o)H`K6i?q@!v_QBxvo z;@R>_mEV}~CO4y{r?-`6YmJVwzT{bJ5N7cBe)h}ow13>>t5)sC01wbm9#jZAYY?HV z(S*45jGl%H(1>Arw)U6cbT@yj%#I7xbiQ1HJACiXM2Zx zpIkI^sHOeA79+(~P4Dmwa}eh4AKK441TGR^hjG<+RH^v7AByXJs+5wjkW#*BO$$-1 zSIwp)7L-tIfQ>Vx9k!adBs`onPdsIAsPOw7+w2S>Ag@CrG-!1j=lcq=Q~w!=7?x_X>4DS3)=(l!;6zUdE;!g~ZKvKwrzK8b!^+VZQHh!PSR1w>e#kz+s5_X&&<5D=2?9YuC9C zovU^!ONonDasmJvV#12*id@9`|C}r0f#iYEdVsHj{Iui9lqw&z50m&rM@DDh@1`jzQ#X; zzvVs?J{4XJwhC?tOFq!pd!7nz{Dl0R-Xh+JZg-9Yo`HeSZx1uK1-m_j{@|aD?*gw0 ze~Idl4uLbk1-~I*rEily)(fI5;FV8c0R4CKcf_Z`A=13UHSk4X5SaC~@$B?A^IH3{ zbL0=wlNq26jQM)`A_6k*0D(Xs1K`)7|53ol3*T1~@EtAb0Z?o-=9%!hRSyVdV#)(# zcN#)>@hbR+CqwtTKbyu~j^V8(b2gGYm`iR?CUs?z`LKxpzuT--mH0QGR2-txxks-m zX(4K5kx2T+ieq|gkwwdar@z*bdrM<-!)NA$r`jSKM7GC14p~sn?h_07q34EqtQQ8M ze7A{tkMBTsI3p216hd%hU6(pzE&Jh3Jo5*wNwh(J+gCbUO&DXFUuU{7H$xlKI1T`o zq42zahWA10wiMr}bo|Gy!5>lE~u+6U`)Kqy_$&SzYt0*^1Q7<%toVQsJSj#I()Ib>6U zyR9pB=j@3@{O`fY1P}khW8jl`>Fn87X$7FZp5Wz-s|E&?9Oo2gseg2lrrf!LoBBUc z>*Q$E78Gu?{xr9j0U_>hdUmpcL5Ab&XpH1>K6kdkGDH^SCTEW-9`Xf+R8)P%YpW(rI5APVj&J z*Q)-b(1%3=q_?%#e+phf<2R_57hlZHKR!f*Uw1DP&}=r-Tx-LyFU4ulX%B`S_&-EQ zs>ysXg69zp8{ztzjuZOJeZ7pj{(&RUqu3;HBIRS{bZ6=YF>YBK0b-X(z$e4*^n7djW@2#$u`0tA68lk4p1B76~^h}%9Fz)AA;WSqEi!-rl$ z%623XC4IZp+4q+Qw{0l$#mMOeB5kI$ZC}d-sOKQ+hpH`Er@@qXiE7yYJX6Lq|Cj?c&GJvAFGs&G~joy z->&9rIV%!#wc4+M2~2ae6y>gh^`L2p^hyxI_h|E#c4atdUFLa%<#O=&hG$d)HFONB zVV>CXlADoMlPz(iIfs9;?ccmv`+h$zSVfavnxrN0SV(%vFM9l6sq=3F;nJ-9LH1`J zKT}h3>_nWwopo_&1kAYsS#Mv|ag&fA>vm7Xj%vNQ~mK215gOm7B9$JNkXrHW^;|mX{TN88KPlH|6n6fUofM; zx&(b)0@!@j_d%t4!mq$$47?*N|9IMr*yGoIQQguOlcs^6hUtS7l-wT0$EpSgZzx8b zCeq*Bk&6OPF3agt5T`?bpJ)pYuV-`mAJ)+LVz>H-^_<&wds>UGHvaXf=~q2K9I+uW 
z-`T%K|G!9}g2Vm~FMto-I$TYRO-yYhVV4&2QzHrg+njnKf^k<(r|>bg|+KXpI|_WJu@9gxbO?0+|}|A>7gV!-z* zXgfxg>$W38C0S12Rq3CK;WR1^s<*4>_VHon#3~9h2WCfsc4~<~j>oQ}Vgqd4x%LlM z@#|_1F0fCSW4DRY4wRv=$zU2bTD}eYMmJg5^#k$8etI;jnFr>rSEK5cb3V%SbJVd; z9^K5DFzc?ew%1ltmq~|`MKc*0D4d&Ni*I2<_>*^A7wweHmF5Ub($>D}ua+3I)erh> ze7j|*;kAxre@43bJ1ogRF!TANtvaw9D6IJgdCc}h99e_U# z=@Y%^gwX4*MM?v31geiO&?T&qK_WR1H$n4Z*wgC^m8Ezq!G(P}Ps1V{;F-Sh)L!jN zj8|{%CGHzp^x0RYrStyazH=TmSw*&xuw6jjTZX_Ov!BJy{BY?1?MIMWDGo*qln5Wun#V^JBZ zN`LnsV_M-DvD&lDPV+WUeKVyC)WZf6=`Xli8~?cIj*+A3AxLYzonLmXmk3AutHmgK z@ONGnyN-~FlW_DG;qM=LZJS$VGj#m|m*WCe-t~rsSnOX*uo%2tt#!FTPc=r!D4v}j zzbmJR7_7k!XB%{8$v;8I3`$Tg3?V=$bg87XH;q7^byh`B6Q8hszpn?YrEz#g+J?KQ zNZRFl;nXfEBDxBi9wb*B<7X0cwJYvVDeYa^0Xv2WjM<5Z`{6d+8RDcNupsve@-Np@dWdMSluF z?*M)B*xKwbK|#$fLHWQjv%i`01>^fZ{ zz!Og@k6AWD%-$3qp?-KRF$zp#)#;b4o}(+LL@r1_z^|Zr=URv&xijhn3cH;MEM+H@ z)FNigdj+pr`_=B|cd4=ch>YXEX2Qij9{$a|DqKqB+SK|GSo(quR_E^T7?u-u&Ltru z-q*=8Tz`+#8`xZy&*0nBWy;Be04Xinb)yQXjAj)lJCGg7n@6#uUxqPyw^y1bEfjeI zSNqQ6fZc>gGMt4m%b6xj?h{ZXQf#ict)U-o-6aqUe9FOZum5$DL2Z58{{H>bUl2%K zk!+W;l2W!rYitIEc5)YrBl#I=$l%r0T9I8q}Yg_8(#=R7^|C)umA?;_G8<~5Mq zX65JSWb2g%^V^j$bcHaOX@f@0uip!(xTxC`5BgPzg<_Fut|V;31&#k!v4*(p{>MZ!yEH&sQT%4r3iBGiBx93nAi8Ax>$Ch6*qDZ--zahVu;yeim zZyUeMkR)@d(kE1W3gkPPNs2UTVAWn_&KWwtnac2|Ac~ zT0$JUKAGB$kWtIFu|b2%4W69uos%~+70O%(&TzLHau7HPX(io#7;Tfow?|vR+eJK7 z4LD+Ql-L`ZZ939F;SQ3=;fZxd~s5b|vANB~FP(l6O0dzfQvW{V5D z`OqyjA{Wv?000~e zBR3(5%pkb0KM?>>DEJ(xL;z+|?B@XZC89Y4N~@+09TL1cs8CyG-QMZvjeP1LCiEz= zIsm%O|9zp1j7jgV0)zYk4gl@m?zvA&MQD}&K1pcjiz@|dE*}tOdR9J=NtWEyLCRlo zo-A8aQ?rsyS;v78v+QCBL7Xofz)23ox!D;Yx z6S$7reZ2&W-yCe{;qbf0_sKQWpeM(HpiUKHftCpxz;_QlK}f*oa`6!0OF($iN%LB!#B9ptLeKxxApFu1BKzZk4u> z^>f;g*m-@09A&?eEy0bR=Uqz2YSEGwMU@N1BegT{>up^GSu3{@YCRdQxv>`|3vw_` zrkkytJ$BZEbM?aE4j-{DN$L)S<VoJCv-ZYV|+a^=PB!_N_E`Jtt~==`o1YWA^Z7JS1E_TgFdE;Q>F~6m(qCm#IJr zudUqL{0v&kgGUXWfQB+6TOfaiuOl#WY3Cd%g6Z(|YMiTVXg=W$yhF+z=~{yDc*h}t zVe}rxDz6xCo+oKX5iTfr48eEn0MK#lbY3n>3B@QFln@X-`})B5j4ML=%RkbKwO4!m 
z+Eu*g4FrS4hgM5mOj6cR7|;3lfXyI73Ml2P^)^vrhB8Nr_&-~(h{w%j8`tmUU9kW) zmp=D%z4KtXVrKDKzir%0#_mMXNA2{euy;j^QgWjhMyU7(P>_Xe^F-Oj=nIl~{fegK zl5uNTzl)-Gjf_B$3rIs39X~o4Ba0Y=FO}EU?d_ig1pyNNg(gnGtf>R*0)b!NP4}s9 zp={O$sIo*!jv|C&Sa@jJL-gtiQ_@V7>;uF1Y%OU8uUkD+EZUyho?5h18*h?aCPalz z8;++Xx5&*<)w=_CpZN;COaOo#Xcn4nowg$Y`m4YR9j!VvAmT*K^wK9h5j+S^Y|S4z zBiaoIC>qwh@y6Vw=%F0NhBvwUSBBFA@N?ui;*S!-t zqOgFgx_Dd@jKrRo%&aUnhp^9TK@tIi%932%uMl?sRz-W#6_3RgEgSw8`koI7ErT77 zb-d0Fq;3rzBXlaW+xp7Ru;Cc#-Cl7BH&M%l6CkCWfQb3&r!d&tlA6*)ITY^%GD%Z) z;4FKOqSSXG2zd|Fx`>4d;eqR!?1ic)mS0_!Q25H6=b4q@m%oHvw8z5p0BAwrlIOjq z6hA}(w`MK%A=M(zwmY!>p!* zRPNzP^kv}1QE?~~Pda0F{UFRsj!z>GHnHRHfmK91&JbHqgS;$5}B3U&i1vJd$?%nX{h^+*^epq}%cRWe0CDY+w%W2Is>SraEZ-P%#wD;j+Ofi9Nm#xWxQKKy z)jm-2FYH3XaNKM@Gme>lvm1ifWDyBYgsAe3n+H1?-X)Bbh^ISVMtuT_LF(PI{pmdh zr65bmEFSu&^9rZ+V%8 ziv!2F$pQ);-`lZW`%xDOL;mVX4qshoB#ScLWMGcRQ1$%e6?bvwT?oZ-k80ZpE*S+V zbwg|*F9>gW@Y)Ef#n@aZvj|Nr?I}Qf{FG>yoVW(IQqcSeslf>E}o?8ZGnUv;n5@$xY=dxvHAL*iWuZH z%t=6dkFZ5gUg3#Okz(B+4V}1*|ay_C~4&ZL|VdVb3&B9ucbUjVmhK(%Ilq0}n^|M)v2qV-+ zVj4n!_4{)d_AWD(&pMA~Ru@2kh14rSVw%PCzINVE?cfBKQ5`{I5cpeZ3(ouf=dfUJ zu{DTAH&@Xa68D96Nl?`XG-_9NoP_HiF9Hf{a%mX&G1*>oojGxcTsR=MIv%pF^!F|Y z72EeIeT3bZ5AU_(n9PbgNCq|r13!kWz%4^3^|gdj?@wF=qcD~(64~GmIBk!m0!IKO z#26COm^AAiI)J|bwB^~~#zWQVG~%3yGAz(>1nJM#hpN9S(mP~QOR4=umXD8V|22%j zDXq>NxUQRdo17axXrL^1`46vbvc-n@%cumQ(Gr=)Oi&ZEu}QZ=xv@T6<+N`{h)R4( zWO@(o^vpNncpMo*-s<>HYD&(4FN zRRJ()65G98q`q{-r!KNOOMK49b->&e#m8v8 zhzQrytjGI(r=eE3&v!W`KO>|Je)yKiCdQ+uEgT)Dov>7SHyq|KXl5r+5^hHxX*W9d z!|KnyQrVfn_UQK*5AWzg?E;q}!w<4>=lFDnZ~35~8WkJV8mtb}E}1MyH_?PWYl+nY ze1rIm;#|Ks4gsqE5`TN+eW%U2<2S+xs57{i(btfV2)p3i8Xc({MsG{Ps&w|w$UxZH zg(@=IT3^^}i(VKhtiQl4K^|SUleH~=^0w4?Ehek4p5w5Q93aYln;$YuDOq)~zq#<0n!`@vu1&DAH_5bXm(BR+fR|d4Tt+{!EW!M^S zO(1|7vk1i^v6r(dZmWA4x+@2--^(;j$QtF?uMyd9VX2u?sEFzL%AbXLGDl;`Y=B1b zAlmas*wsj%_yc{_<13?9q)%|UL-it@gTI#UP$8PAq_Y!??oE8iyi9ECUx&iUvNDM~ zjwfaByJZb&ey3zF1e+)F+cw~2^A*5e=8QmZ7U)|~Q57COUxM^A-~?e}0Q6Y*ycs&p 
zqcHP-T_Y7xG~Eg?vSEzE{Bdopx-4PiE*rqvxs}87T(YtZpWzfnjt@3`z{?_5;82U_4m@Th%td`DTuN29jV-l%MVN+Xh_k#Y|I-0+% zqri_mm@gg$GF_{5E@XgGMi#$V>$v9hWek0j!3%!;YRPNvAd^Ru3#VY@d@W^bn&*Y; zS1zikeAHPE8w~_t2?DGUP>b}~X?l6@8{N$v&bC>3w`Qcy zHq#k*iN=o}+iQtdQ4iN*bjR;hH$y-n=TjRlYQfh^@ZV6aC6mrJIXs2ZOtdz<)>red z8+o0EM5MA>7yhtKJHDy?Tda;D$I&+`O}|uDodwn!@|uYI@iZF+Hefp;jxtl6`=nG{0kz;H3( zSrF>09i%@pP$iT;&vDzHdwurhnXUyhh)Z9>&Doi&EPFSANT=HIq+GDzERYVjqo{Tn zrP0MMjS@T7u(nbBjF_dhrMg&-O?HR?IdNG^Kvm;>P1)7-(Rq+DzvgGOUm9nndv5`= zR1M;B(hgmae|80qx-S6tKCzRs&;_PI4jFU*j=^8$M^20J$dz@q+_$ltLRFlI?$ClR zj$T%pRJGF~V-{+`HcA5BvVK>5iA()qE{vkG38h1j{s#0GC(luX(V|VS&IV6c5|G{7 z7gDq~)@)3|M*qYZf~tcd0Y)_9$9E7v@dmX&tGw#ngTGoD*G1c?D&HpBw*|M8OGdz! z-cPs0eIsDvfIEdRvEXjF!snOi&FISOcS5DQZAp?U&C@%Pt)zC1oz88`;17MdFdwWL zo1l>0&5jHcZ6Km=3$DgIHibWiQ9Mt zuJ0^F=Eyjlm=pW^w6MJ&)M}!*ze0|zYuR3n3+S}r>I=kLS~dm^(i7T%k`hvMlMA=- zPPX|_1`JNljG{S~f=a_4M3AqIhg^dE*{b%zjPs2wgbp73`(_pgz|v!8=VBPGp$Vq2 zPiW(Zb@sju0z8=;bL(bWgrGBqAxOyj)p*6L%Vq=h3x(Owdo{PS?71jI@RgJ~-MZd~ zg-&&6QD3Gn`WO5^LaCI1go^#r#uV>B)1{E*))h2!y=?&X(i!;Pl^D)KiKk$<3jX_Vm)4TA!eh*XFvbS{ay6PdHSmHLlg2JorrXOwp1+M?U5YEtVlqF2 z1t_|wlDq;jsP{tqxOoq)-2@*8lZ2NL`&Ffwq#}<}5_N-1nCiNy!3(;N(Ve}!T?7Xt zcI1j`p)BjJNqaH)>_{-0X$5n_CjF<$-6x2f&hRozeN#_{BFNqQRcfH-L`YF< zdSSp+OJS4S_F#PvUy0;ph*Ae;DBmhn%X#hzkxz55Idzf+AAgs-EJ*VcdGt@gg`dMC z*97UkSpED|;3#AtfL_^Rt|BVS)XXcDEZRpt$byt!=I(twSj0`tgBK8i?2=Xm3(znZ zDyW$WdRu214^eccKUCu=xJkG|E}TPy=C#~4no?#TrM=!}MS@IUE&sI9KiEk~a1-%^ z*{wNiW=gKtn6Bn)G2FFN z*WEhMpeHto&Zw?#jt!oaEM`Fq!v^g3q7qkMk}}i%W3hxKFQ!cy`n6aYdwVN8!j`rT z;qr;4GTcN=6oW6R&A(4qdmYyg^n0vs1}e;sN;Vw>*vMRLcMW$DChf=NDN(A}(2Ulp z6@21b+o-4Eus)JFgDZQUM)w9=A9!AuS`{|;W^&tx!2PueLcoJ7<4ltbO(&~kGhx=! 
zvIjfQyIaO~7$3@zF(njURl<3+^4M(SpU4>liF?g0L%(5T3$4pBS9WV%nz2dZh(6W5)-4}peD$kcLQL7hHv<+^Jw9pMJl z)n)_%V^#xy0(<)~PYW$5v!+5xd|OG;2-PcNMf|DjnKX%nGyj4fEIM5;7xwN*m%Mkzxy&b&(eDQPJjkS^frob6C_OvS=r%^gpcH+D4cx9Eru z$<%k~M@uj4ME1zDUpMISQFwjw6A^zGQ>mG_vA9|IyTI4tUwOi7jLcO+rt*g-&^orR zA0>yQyAj4fY7degbfTanL<$&gZ@WpR17q7@IQZJvq)PTh(QG9l-)nRd(>Q{qX3dmXt-#(zP^%ov)ybn|@bZy= zlbrXKeC^u$xq`X5Oh9uZMNX?Zg1Nr3?-QaxxAciZg_15JF7SKAkPeb=&1<2DPBC6jh(=3@^kXRXFN5_=prHrR=0@e0 zdL2R9lnB04@-Yi#V-FHg!e_8x>BsTzT2?**mfO)~vRH@uXhyzX2-%Pxx` z?i!ThwgQ0Gcc*hZ6-TqzgaFOT8C1P2)bP$sv)#vDj?cSlEA?~Zaw@_AJhL(uI_X|n z>xU4R`O7SYmb8X4Ynn{5O3**MkW_l)jk4edP36Bh_)%r{4-({(vx6glRGLRz9~Oxh z!(&XSFwDmbr7L)30b%7h6zfgO0gmoRw0ceg3}-N3rj*8 vc(claY*(rxjiCc!~T*$v6j6M z*QoQtIt}8?A@J(ziMRf!4rE{pVcjmS7UHi0KXmLD?X{Tb`!YTX%21Ssw3uK;O;0C& zsqwNMBmu$YNl_Seif74xs&XZCf(u|*Qq@1{&(sLCTEzlGB|6u%fMx_G zUN;A6w*RP>pcGM+njU^Q2CbqC)7L|DPI}YA021Wr>to>Dt^7d&`yeXL)Kq4!nWQve z_oV7Fi9Yxy4b#}uv4adXayPnA?)_9h_yavD0rfG@>HF2uIQ-ghWpqD4vz<+RgKIDJ zC8}e>GU(=a=i>)@G#cU$-qa1eV-LJ8`+4%FRZ&qFq)O0^4tV}9*7qakQyLeYdwKQY z>cj=bRJbsB5={^YX?7N~?<0mQV{7WpZFP^?>k=WLIi}D-`J}35+{9$j^YSDuHmUk# zxV7-~s#~>!PhftTCr6V!8Noy8A{@t+?xXB&NxfrEqQS~L)jgYJoR~nAM=chxG`%PI zJyhPRyM`iZ!+wS5OF-UQh(2jwWee&=bHxvfhywX3mfLcw({=k&D}LV6uf%C|VlMxF zl?S?_hARU4lSnRmj<1~eP4PD`i!BQ(X*=<>D9jY%%d}~RTowYg`M%~SV9(!SIZ@4T z+0TWA-ntFLV3)R*a-XV5OJ1S0f;l;h5em9%HVnC#5vj_i^1M0AEm~d~FZ9$YylLy& zTL&pU{l-CvUpy~4V{h%5sh~P{P&PCd8#2OzOO7 z4|12sAul}VzL4mlJ2?KXaWXQOWu8P<BgkyLoO;*fuPBiiO`djOEJl?|g^&a)Y zUMRJj0L#EsRjF_`;m*LjHDK$fs1elRaoo*XvAbR>^%mzRF4N*@)r4|{ zqUMp1K0Ui*J`aa%_(k@MW}Fr+lV`FKVI-rCn^hD#@W-(k_FGsd6@&ta;EQdRv#}vH zxj2Dgx-;k9j&}lLV@2u>k5z9?3F;{9?mL9212fpTYIj$5Zy z4v4uEwa)iDOrt+s<;?H|Jo^H*p+gIBPYLyVg2?SSZ*lG{fh`(0OZC23bl2a9%Cf>D z4hOlpXP8paxy?5@vFJ{L>wvfTRkDVWH&&dDNI}9x5G;)`_k-C~tyL+v$+a;8 z9{=BQ4(lBG1I92LZoD~y<`&}3N5Y6J2@>pC8>kFMTc!M89Cx$i=S}wc@5Z}OLA)sn zeiwR(U32S8&@uTx4H;Jhp;bbyQ0i%|F*8F}!`fa?5ZqI|^LGCE*YGirrrApMTaio~ z4c_lT{SOZSGaWMEB%Wf{oDO+s7Anf>q_tpx^D~cglSbk-J#e~n2w}x)n;E&F^;{Af 
zT@FsSC3*-hS7X4~f4$L3L!wNjyY?l7ZAg-rE`|%1#!}T(KgZM57qjc(J$dW3QB#3f zk&@T5u04)Uylnq$H%890;>x#1HSh|mq1T`7X4I3pAz*E1{vnTK)FMSa{ z*%ld*II~Re&=C%s6BKUcZ*z#4Fa~sNok2GDXOmMyi%s(v|%RqgNQHCw~4_9 z9qgW{M&zCW2_5!JZn?YIXJv+BRyj-6i<}#rfIJrMb$3sR3-97pU93sD0~NT^ex6T3 z_{5i@ZdMpSJ+}JLsck8l_#!}TJ8ib9+zEPk{8zYc48r@MfT_sM9P?Uw=`j+!+&ilK zMQR%vpN8s|yj{~)ZV%K7EdE%u^5qXrv_-j1*wts>ptn&_TyT4}GkH8nE?8A^<5)`y z*;cK_v0vN-{vI_}ZW&omI>SI6;6h0Q~Fs1mzwZys!xkwz(fXrehKzKDUw>9ePo_5D`gY0wmi1)ZQd(OsHwz)%Y!qeH{26LkJ+HT{+d0;nBpXOeOnEa_c)G77Hds z*6g!MxzC;>N7}2=WKunveoAU0{TVs_+84T(wwB=VnB`S&sMLnNi%97o%3^7AqGymP z5SuWXf5!b*D(BGC_755+eK9vttbS*4{*{hIIMmh?JCW`5ZvQ0{-EF%xv~3FQX0$D5 zV+y4zjc)Vuh5G2)F5nSXy)=Wh{Pp9E7Xt_4DV{|l-j6N`Z;QCAt3RJo80X_nw7(#= z0tNf2$o+@}#6pEDjTI^&EA;9{_|qt4{I2L-I2q-{n94b4=`YtaMmFYG-4%{dp^2=V zPbL@;t+64{Rvn-Nnl!_(_JPfg0QH3b^cm~<7FR!Lg5YRv z^tq%1Bm4?ZN;qAc(N}|YSjc%|XAp$L8XKlqME*&oFVRf zjj6{WX6>h}VO--ZG|SLiFsDPwT5ZpQES2?|`#_nCxg15A{RPBdRH~79zoq^%lC>u* zsM!oJ=BTgNVy^j~&%7*FF7uwFF6&cekwH=wgIj01M#+)$;IZ#=w5aS&XFg6?KzyEQ zHcC>LUz%2uCP|2Kvk_GZ6B26J>ETx5%~04DB}2iMq=zd{X( z(88!lRpWVJc~xiGONXC~1Phlg%DJ>>&Fi_&0;_~up{)d>FvQRg`|i1;y@bAY*)@<% z4)t+n+vKHUbsn^0j)GEDa=vOzcP*-x{d{9ZcKQ5iVOA%SYnVF2bLJrlDqGv3H!A!t zwXCu9yH@%KK0+~2AFw0U_wGAU#G(9os_6nxYgSL4hz{lVZ=tP z*V*}WDOHW3d(`N|tA!N1n1?CFSNW;lXIx~DNr#0H8BF+@2yo>(?xlEBc!NsJ1z-h| ze?i^sS4l z%aTmzn(~h$Q)aG*7+;~|T->LbB2dwDir<;tGaBZc)s5kT>+P*@ygpM)2xmg*!K|6 zB?3k23Dcpqsw3vo`In-s>ht?{^-E#}E{}T6U;A)Z(_k;1?lRK436Wh82fwQvdq$t{ zRJJF{^5niU+*xk%%frlylVkK}5^bg9OCXq8pKdhmd#V^l5-+?6R@(6+q|)DJI#;_H zB8X#~_8}T`k7T!u{GjC>B>h{PbCkmIdNP|~7>jLn6R$wz;SeN6GG0TTwzfOmq+pOg zF2${CkUfXEDf~Od-xp#}w=JFKFs)x$+0(2e&JO1IZSadW9l=->yNk?aqAAk%cYg~< z@sKqUa*y%91GWx5Z zob$0eQLy(LC6Dyk@zx_7EgkdlU(7UEKsR&8IB{|cj#|DrQDwPaon^N&^sANp>#507 zgN|tGN>3NVXJORIVT5m3Xnr_&R(F(lw0Zv1g~-@Ek0)^8g-{Gp6M$DJ0|lTfZo7Pg z4uQ(ljD?SWESxOWdne_j)`DMB?II^?ll4}G`%@nRp3FgLntAdFFpMPzN68hna9LvZ z8>|sjmWXZRX%rd;eR~rt`ubE#Y2Vldkn}kT$!$ttEg;3CM10PJm3f{1fk2lip5#Eo?X=e$m@)cjY?;d3!IE7@HlP}~kKXZ-iJd0Fc 
z!hipLlq}g_zfz;M;9)JS2#dHK4dyV3gXeX?BQ}s5_Jzmj*JPr&UGuPOjm${u%d%t3 z0nfXdKfdPGER(@j>b`KAFjL2NTc=;vz~w)qJckm26+$fXqOtX`&(4~;G6sU8e^SW# z#gbpwU}<&$J6RY4*cOvUgH-fO`+1V9(rA+>#m-Cv|4!d_S5u;2rLngbNEi z=;5JcwMha4ggWKgS(A#nBbSvaLOrR!B0jDh?22|+-#(Z#ZBJo@4Y^p7qR8Hm_5R9$ z_d*!ziX_e(n3d4icwgt6e7-FY7q!R1ht=?qOjDyU1asP!8J#1`tnAnI@u)#_fKd@Q zo!q$7T&t@OMqMcN)?oR~cT_yUrYGk3m^3LS)%%RpnVdk>2B+me6xG#8AS5hERPESb zi)Z)B`F&QcgJ|dKU;3#vEObuERMi-L^`$i|3GVQNqwUZ#RZ#u2qy9+{&y$9|Xg!Ckl5;za{)jAh3Ah}p1+7j>wil}qVVuQ=->?LNHQI~O_yuurvVW2T1-YX%=Fv7YKz|x{jc_$V*P!1+nZF9UJf<#aaAh-d zf+EI?hMj53Wu*VkYv7=#5X9@YQk^cX7MxySk@G#pgq%dw z3@J#*QvP;rD02`ngd)q#+&p?KFS~aGuW`^>ig^r}!TaG!3n@pnOrO&VOXhyq6o5oR zfupSxpYzToiTX-Fm%@lrbCBQ0FZI2!&nklmk7N1rE-#;Cmste~f%E$Ymsiq4vhGEB za+PvGbQ{9;pAW(*wuRnzQrTvwP)0<5bDZo5`b)RAAT;VU+!>ehxdaC7H914rC$DUf z{;`~?IkX#?6pmTNV6IlKww<1#L$F 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp deleted file mode 100644 index 1712d89869bbb8acbbb62b58f8df287eabd7b84c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13008 zcmV;>GB3?iNk&G1T96qQ%+r-8hztwt!|DFAR*Z`mfQia2{Yk zfOL|I`1`-~SK)|8S4(|MwEh zKzI55U;CHr=kKXv_N^(XkJ*1yVsUH<#$clQs=ukRj) z{6qe;)C=*ytukAnF`^xfHb6Z8B@j|7REh6B_)rQFqAzY;{+y@+8u8b=Y-<} z8Vfb9;fiNdGB~*gK1*;9+d)|&etWq{h%pauUVzwAZv#_Y3<<3x{C4XTbRwB%6tg&A zGa3Z(SEOw5{}pJ$-$Cg0eW`@)8KbJ0xf(}?7jvG1qbO+W>+yR0|g zU1wNcsiCn$AhzC-4dKv`<#Oj;D_mFb+g1=-kqz z4Ey6|qo2!t^Qsl2Vy9qZ^~l6MNI2|pvA%g*dI|JsWJvi}pwA^R0-HZq}kG ztN8vjkYMbA_+Dq*+@cm@YC2-qn<-NXmErN?Ap~|E@AdLr*4|i(VF8@j<|xTe)3Wz* z)is_~?gYp-%4M6sgX?x?WIT>x3<*hL&WZ+zHxpJl)E;zVJ!L$nQ5Dy;O|^(8XR$p+ znf~X-A5DX0EJX#MXwb&|IqtccpQ0F(mu;JudUu>}QSZ`5%Tt;1P<#Vs%qrq$-|?(g z=7JhZnQaHDo#Pzt*YR9txUJ@LXHS@QHjG`s3S)iz^&yv z6;2a_j3F6XmMwW1?Yh`qF#t&>MzTslgL<{kH(U-Mdn?FY5(6%D^&l{*&l(S#-)6Z| zoCqgdp_M~sjl%V<3wsj;fBA2V$<9>B?==LUim;S$A*`zpwKuXy)dCsuaxkmVX?sm8 ziT|dRu%wtwv3Vg0gT4@~^vIaalK_3>Yhw)CYC}Kq8Hq*YLPD>9cyN0(B7%2ZO`YOw z;qcSLwiosYG+IG=MQ7@4|IB@DaAx~2npR@85;`DHCY+n~tEXlp4<>w+a0r&vP_F(m z4}%{iOGXwu<}T}V))3xzo2BK2kG?o#3NxQ8O*Tf!&|)~|>G{XPYezKNS@h|mnLPnA zCMER&^cXZfW_imZglsR;xK$yFOy-#R0002~y8~AUy@#ai4xhaNqN6@g^o(0IJWT$} ztp^PsbmfPz(ygptet_f^o>+Re1oxv&&j4!FsT{xlCa?Lom4z?=RzIA6qP&2k@o?B$ zicT>04FNL1bC`^=y$BG4T8L#UPX3I{g?56`V^Z7p0HS?_RJ@X==f?`mwiD+gb%h3& z7RICCF0_h#<;;=Iwl@gQl1UaP==*|Fl>@AJFLQ|=VkJJbMN8aVYlW2>$NTr#v0#vRlg>%mI`U7xnNKjB`sH0)!{-cyY_i01)H%u> zhG`}elx{c$5nY;wc%ZmkK%TObOs_l_#E*ewnZzPhWN&6S&PYLi{#v%aAsJB_2GtDC z5(nwQA%4;Z>4fmj zG%J^Ltn3FcEpTsGE++3z8S{!nX!W;Un(BYx54>HfZICS!Nd5QSbFW})MsjuoUx-Nn z9*i$lBPKe@^l9c?J#yiqoPOn+85T7WF}6tk5re1lJuXxXa%_l+EF7_YKwwzCAuU5? 
zfg7N)X&4ReAwQFkLWQ6=k=f7U=>R!#`t>uM7kTzf!b^iazghCLB^`gV&n?EkNhsiD z2#BzL-ILh2iJ9<;DtO`kL&5MvB$&|WTe(D;vYvpd+Ii4@ykK5P;vap1vo>>oAF{VU zUOxxmO3+!?co@zr*I5wM!&&6mpi1kc$H%-TMdsQ`ddmMzCSs7!+c$mpof9D6#GS`6 z)gA z|J`W>rQje_w2RJn;Q-{+*C-rcS!~x-Yf!P+>mk6KGD%IbB)do+;Qpv8RUi~LWRVw& zJF(41K)pEsKBK0y6_@|;hlHq{-7%&wVq4}5>o=o@@==K&2qK0;OVsF~!0kv$#!Ht4 z)}8+pU1EIQF6=;v0y}p8Y1>S1Tr!0JMVOlUlG*`nm&S*jZN$Jkj`NYP_{~q)+{On^ zA>GH?5<5@c08sRwIXU8c5ex#Mj%Np9%yzjHF9dfQ;pe^&Lu$#g%5QzMp@jCvn(D?~ z<48_=D5j1t)!O9=hB;19RtD+IZkISm#Gn58vTQlC89##Mc>?ghe2a~~!zAG7`DXks z`0z+GXRD?y-`kiju4z_dU{dA9>FY?J)bBTNLakV(#cwyk&!gd_uIx)WY$>mxEkR%} ztj7PmcEAA9-86Mz?m3|r&bP5L?Zkz%^Ubo(j^llu>Kn~v9myce(Q{P$mLF$q#6sEG zgDE8?n?vJgyR#GKxiPzJ#k`Rj7l8@0%lzLYPP2-H9-*Z8`m@KWpCgs&ONy9bWGbQ& zHaL|zCvRtIg1;URl;9EkwNK;>2iVazayri1Qv1B%-PfZNO3?!3HTC(JdkV>DB=M?r1D7$PgzBpkN0pt`%a4<_|@qm9iWn@;J7$QGAQD5<*tO)X&7&_L0x&a3hG1jN%~?>hHKTL z`Qyu4kuAX(`f$&zabW{5;B)6?!OesiZ4|>HF3(rlQE9 zM4^ZM+$iCmrB~%lu^eRBC!FO6T9j}?$nsVcfXUdvzywW!Ee>4{6V8>(mLA3E1H|%q ztZn}{4rp_{;&otiCA@~m2M;s?(u*$irpV0~7>C*DfS6;4v&zD<6+5LAbGzYVolqtufc(vqCA0Uy z8!#gO=l#AqMsTYslRy0Yzjm1pUo|E!zFMo;{vYfBrbUANBtlH6a{ql#@Zv0g5B7eE zcUkt0ndbn1_~28sDD$bie?)zKFG#s__#gW)LVu9}P%CB)nD>zav8HafU^Dq*a;4?h zNy`@CbtRCsnzO~(QH8!cp?Xm7Fe0LTjDcQ_FG=bv6()=Aag0%qu&0Vx zKDOgvK>GxPI>ud4m0=-*;>vqzRX;xHaOY^&EVJ)#z!iu~uJRLbX+`>}zKdw+ApZ^Aa3A zbmxS;shFNKk(^~OZ2u>SYcA*~zE`{4Q>d31h|kCI&^-8FHUSdl`0w zoiQQ~OTnnZle56CxSV%ui13VeKw!i*^|nTW1@ouN-UG_Iulir-`A|iFAGdACpXi2? 
z2kbOe$C}w?+Q=WiN^YNrG>GpK4=z}YyB8<_qSsDqt=b9(hjxB&$m(`JLivmWtVB;< zj<*oc?r34)nfQ9+c>sya`~278%(AB?pUBqt9veNnVUz6{I|QS@S1h4HF$#Q4?LSBx zf(+^ZEiKdAe?c#>QUx=hRL^yGc&h6j&R3*=GK{&##o^?5z<&!a^(VkK~;sF~2?{Ewv$6Rqq+xYTsHOo)})CJ3$u@d28@Dc+MSHn3=j8!Kw8QCLwmrBvEWrD#>%>#VROxYJ)hWG z#3B3>VlJM-L&F5KfU{E|MWB6*2Hl6PLZppzOW%T~)9E5j90tcP{b+Ocu{yU@R2Y zrEy-QG4tXIY@Lb+zXx|wq{Sdkxd`nK{!4%=Jh^tf>O&taU6i9EsvJ$nvN&mor2rY2A@-#reoeu_%@_p-l~qKGa}>AT^y74yP-}VU*+byypd;SKVco;z#?Z6$lkO^xy3MxvQT%PLWhuvL=;0 z)}WQzljROcg^R7H4PyxfCM1iGU|rTz!HC%lOCtr9TGu|mDg$N=%($O}*zsge!{pH2 zxHduv>n7Jdgfiu%Gsbn6n1=g2s9ok5qj5H7DeUi8kIfiP8RDCSq{5!~RfVb!{!ndT zRvE}*aI^owS~;8`-;#Zie}tdQ{EC(Rq_h`^owO_;w#3G2i}*5CvTeM6$lpyQ(28Xv zlaW4fQH_A$+RTgv-KQoZ zVKts~+iHL(>|xhIP|VzZ#74lHxOr={nUgA&%>*-NY4@08&?ySLOc=++gGuu71|!5P zgc(}Dq1p@(w~s#N!Q1NlGP_B9`#75vztX(RD^{MG_cf@0pX8OsMB6t z5qhrHxrIQVBCX+CTKzhHr`nffhvFFiCu}3+M&;6RhXJFD&;UM=U+*k zVQgcVy~JtV!smqCX@XjY?ij723pq!g$j~o9eEiGObfLFDIWD88-b*xLFt)jmC2EW? zc+N-L#2J>5N*(F`jkfLg?|cp2(=6j(4EQgj6mTu>1h#J|_+rrHdCqc#1_B6cee1ol zAY=nj8Rkv-+HWtzd%j!iHz4*Teb38|PUTg#@MEuThk-OJ`kS|>(N<}K+b332DR>u~ zUMk(4=A#q)s?UV9<`?4v(k22RQZ`R=>LRmo-ZPF2Xw9#Cs3Z3+&v3FEZcLeqiYeR8 z36Zy-Vx!Mg1e00hI(inmq&P~m_|3gQgy&2>d((t}Z)Ha0(HhzL%bJV?$r#M8kAr+Z zIZnd47M~o*OD0zO507476j7$vVx0i(nCXbhkz8Q2z-5O4U8)7mr2V)f6g1A3A6}%q zap-Hgr7zEEw_-#<54;;ih(e;Hv_hf*Zc69$JANA18-gYnrXB!KEHaaed=(=d%U!xu zOH_1kw^4SDVHrgKonPJd)>TLWZ;iLM2Bb_MA4x0WDcI9jv*1&eN8HtD%<%1OHbm^# zy(5%ZSq_*V8n#q7`m(idq4)syQwK6<=XO4}I-d)Ri_}}65pf(p@l0W~B4KIxcLc#B zLs0~mgwooytl|K#yzl~fVU(O(;HenyV$@S^Y0ZvbbhLDsck6n^&0NIAAYW>{G478F zG-J>wl(4qj>hah>eyWu~2`B44|4?~4A(C zkHZ>S>?p;7jPe^QDP&%4wDfl{sxG87=Z3FPLklKip*CP|<9qCi1i2!*S*DFo;U`y0 z9T2_GD)nmCBP4NNUHoW0yc&orhW7oI@6ED9hX+{k}b5PRr;_1*rCW02gSlK zw%XBW%4IZUQK5M4D~3zA-+tR|X{hV!-D$kL)eTa5(VHO!$^w$Z%l)SmDnpu^#;_xv zIGGE9DLZ!agfyHqKsq8Q!=@j7TN8voXAVN5odg!nI8!sP=ojH4U_frulQ7r20@Ll{ ziKpAl%X_4Xm=NXhDLh@-umCZR{_dt)$A`yIa!P@ZjTl-0h5v&q@1$xg&JXz$a@B07 zwKejA%TUV;u;xlZh2n*k6lVf-u7y+jk{c@PUd6Rh`BMR`d>Y?pnfA>2R=*})341}B 
z?r&ZxiwT#wq3+==Hdmifx;O1x4m`8kMOg*ELMb1_a#(-BHYAGvHUu0;hg@6!7ksPp zxF|o2ALlcMY9dI!Fu+{L?JN5#-UK5a7h=VWAE2*=iqRfu6d@9@U^S?IpYvU=Dj$0M zoH00Z;LE(OO&(OjpNk%6w6?H(hIrDa9{0eqS3OP~y(8hKI@TY9l zQkjG+n4U>(XaK<&!u!>3Z2@aeT)8=mAAE(g^Ubo(j^llu>Kn~v9m$HZMC_{QkgVP? zCFpSk!yOf|`eXT9c12Jg#$d|Bt%I+vPbhKJ@xMGPCjKkmM`db48Mw?s&FymthT}jT zcvNL88Og*@=BjX=k=oJq5~p zUu^Bb2N}vs(j?D-p~?uBS5d1eN~aO5#|d3m1)5-I)6oP>&&qLezJbCg-k5Fl1PwngC%>_=Ts08xLw4 zx{*KN4!t^{Oi2Oxn-3V!Sc11dZD@J*w+bHV!3fREu1ZdD6!DRSh?`aw3m-k_NLZDz z*??}!;#XP>+BE{=rfvmXh!jMxbF#bhPI^Md1|IxHM)`7a9UJ?>A5@2446bl)Qsf|< z__jqT!BN8^rt~}%2^@FTR`Xt(zipP@K)41e&`X}=6Qm;*LCk+deSI%TnN>Nu+UOqx z?L+P8RMGKlX`NBc0*K6tn=)5J(a!_?38SwB)qo8D`xw#S(W);&BG%_-k=}Dcc4enk z##_xY$Qw@y)e&r}E{$+;p^LNbkSDjPCexJ#N^I7FdqYRfy-e&CP127+Aymf>5x)T6 z*zJdE1@3!XXC_RuSCGHdoBhlZm+MuLU3DE($Z~N`%g?q^puI`OHPDW2O!Xd@gNDbT zL)QrLQ!)0yl?LLbq&w4`@;X2F9bAjADDD;H$*Tj)jfo)9V}7L5+BSb{J9jgx5X}oP zKzhZ9{RQpZvVf_ged_J2l^qbb`xdAr) z&2y;5A>9Uv7}S^O=g~~%u0X3j)%=kL&n6Nwx=)ms-^)g?^U;p6m4F%ZiGhtN#esp_ z0OSqwgb3~Q`z85tiysH#slOCRVRjLC(K;^XpDhH#wCGO}m!xzDMm8-B_C9piDVK|> zfgX0iTg5?F7AG6+P*=hmh!s-J8xBlI6Wo1mX;9O=wYT#_vjbzzTBC2T6Ie!A8Sjd; zpMOftAbn>8=z_RE+|paL&Xi`}cM6+y zOt(4h1s6ufpJSX4$IhCq2j<4sEWX=c8DgZjE9X~?oIBCI(G;Y$;%{p2GV4n~;#l#{ z3!{EFo5c#=b<3g`cms}H>{xj9x?_AKw2@j5F4Bx*yaNeGg|I5Tg7LH#!k+W9 z#NeGFF(W-j_=5JrDckfqtf9;b!(#pyUQD!V(WzVaLzH#N@t0#3${~9|G=;(xm0dLv zpP4t#{r{PGD-v@tYcW~^%B|hkR2Jo{^uf+CmgP&Q<7N8yqAtIpeSL$&5T0~8peNDn zVj0QQArVt(EcJwR8r9$7WVz_^Cc0h30r5Vv2#glX3-#wM#OeYA872hSc~5AF_W(-Y z_hE8;00KbB_~yN`{K8kRf=WZt1MPbjJ>0He;Ic+NoyKVhxXB@x2<8`{am!nl8;hg$ zIa>wk8fN<$)dsbm*WM!%pFl5T_@SX5Qr?!-JlmKMs$%Q?Gmi#+LlSyrzn~H#>#=;X zl|EAUgabK=JVc)4U^jMp6iU4-grkUQwdVOEb(~an^fPX@yHLh#dwd$tifu-P#Wst;yNS`vt1*5>3hh zG-`Y%2y8#!^OK5wU#B4>4T2A}~-PlH@@Z&Gve2Z|8wi zipzQu1n`bCTi2a;YceIsl$clKs*KMWl!zFJ;K@k6k&=NteETThYOb^|!J+&+aGf*1 zD6fW%L7KGD4IXiwQ7UM2nM3kb*3yD-X^a4^j;o3GC}OuPRwb}m`>H(qnmi{nht+xl z?1l(=$_wGJ!c8L^Cu?9NS9CAjhX^9emn5)LqUU4>$Hh!z0%&;-*GVj?S70$&8Tj0P 
zRD4JLw{iu>iNTTV7L@C-ye9@!okCR)6b}+^C%&wb!&q)$o##SzFFH)9%TDN9ho>&2 z@Jqmjv*L!ol;9{D9~H7ScW6-NfLP`VlGwz4u>THH<)KJ?}umYdRn?AB(L#J!q{bboCFXp{-U`@CWfC9u+>jdW8bx)kQZ_+ zad+_W3*E&2l7p9w9P*>_?il!VHFVIz^{+ob2g+}{>s~@8mZog+J{`?L{XAJ9o z3nd#{6}XlMLUU{tY=wQ8++o?9F3nWF^&`BGoF>^GFRVl}7s}p+K^m>!32CgMs5G7A z2qosFzfh7Y-28fUoXZ9W1B2(8tzD6fsrM-?>`XE$%DM}9e??W6iK&GSGU`qG1lWH= zGZWO^dWutd!tRcU)JFyg8lY(F=NJ)}!w=|Cq!cTp)_)4>kFp17GYdlkt?5WBG+tJTH{MyRL2d&b+f`ebA!Hp z@ccVctjKebF)scfl$7_K$Tzf02}Z<6N78Zz^)@w-A3sFeo7_RjVax)DgBHaG^_~sO zL*#8UyhV~Hlyd2_E*a~*-@|~43NCvW0a>rwG?VjtMVE@`zd3}ro-a1^mUd0^}rJm^}>M$tT3OusIb+9fZ?HJ zzE&*ED$_`8?S1Bn3+Tk-4S3G@DoDYz!8W7$OdJeFT8NL?MJX6@d*H8DD~Sh*lzjW; zH`=1CKsACPXKYZ}aA{A}NJwA?0o{}Cw*Awr3JPkJfoageBayZ~eB9hZm)ANgV(!?a zpK{PH7N1Ev0n4<$wu*~=AeXvD|B=5^F)||CohorZft|Q@s6qv6*o<`5W00}fkQhrj zLlgu3|B|z$rV8fM*3taQG|;4Yf02mdDBZhP;?O&zw`u)+_s)?Ce-j^F$;D|?%(Na?^C`2G)KtGK%~+|H~*^ut9Q-)Ewq;%TAIeb%NqIw;5Y3X zp1LzKZt=M@$X*lsl};|>pm_q-xKmpxmX?ve7cLt{ejvnjiwG1`HD=b+ywe+|bpLO} zBC$5c5sAiMU)(Wa(J>8PkWxq!v4lci;?S-|onxP}CZi8;xzzr_^n*3Q zGb=1NOEiDNdXEcGUAkN-Y%OG(=aSiSvqL6$xiP7*Ha?j zk3T=^WkMs;1N;*mm_qp^D#Xf;{Jf4Tsf}ZH(B=;lTf6&2vX4VmY@t4Jbf>Wdi zx~KPmL`4f@1SRkNh+xC_(nkBla8jT4^de3L@TzPd2aPk%{rW7kKiOKn@D?+_Kc9AGxsOks2AW zbq^Rc=yZ1|O(j!aZ6*|N9I_)BSt7m`D@1vaz=3?eJjE6!OG^%aPy9@(vfEJ!Gt_1S z6y68Jn@>VPZ@`L}2PS;>TI(DakJsM719zo|XM9*#T6&>Ak-I@Q z524|%m5mvHaz<}1qq;^h!y+%*zeo|6(oSwLSmr3E{TB;S_(rLH(Z0ZUH`%;Y1W&}e z0O$=BVk@D9A-w`Dy{5=7Wo+%fpz0qB=qXA$022cUtfq;FmK)GbU+uTf;x>!U3fxaz z`Y++PnpZ1HPh+BJrgbk|AHtJp#nu{2q$$&2v}*T89e(|lhOZnJCJ%}#CZs0{b-Nvs zX&PrUR-_dZ9g-bDn34nYI952(=T`uFKk!Dz{T(Nt0)CEWk-c&if*+s-&c1Ys8mi-0 z5w=W|aKz=Q@0$9RATCvJiZd&D4!V}+WxJ8L1}zY_ryx5j?yD%g#7QugDtfdXhiYU~ z;TvYa-Q?{c)qZOxi&!imF>Y09eXxWHk+IcUOnysMV1U(vGwsF4$!^~Z0>_&ShS zIT+)b#40Yu)1Qkj6(3=&_8#veVqM^~KYznJJu@)Nr#ZxAC2lS%M*JDW{O$9bdZb-m_wg6k2HqRptboxqP%?Xb zn2_v62QeBo+p@w`-h)^MF#=6j@{dw81W84$l!XED5lO~k#ZXuxjn)|*Pi$J`LeU@! 
zg)kJcAkAt}QebX*y16^teiJ*KnyD3B0z%~7TTM!~w=Z1%t%#fBY>Fzm$x%>MRXOG6 zP}PFzsb+5{ZW7iis+j~Xb~^ZNz*&^Bm5kb;|rk**tS)yAOA&86A;8D zs#%m0B~59>v;^9M?#g&GG1Qpc?ZUcR>&dPL?mXu{kCw)NDaxBScIgiaWIAm8FY zK^#KO_ZZ!=)zOdEc*lrY6INEOR;~H~@Aq-~C~&eL=iH^T~v{(F;uf8QlCC zx?(Lp={&dwV|Byj9zVY$nA)7U(v04&`=d~7HF=&~8iu-AX*^N3XA@dOT-1ZH!dzfG z4SA{cJp|B$8j;^ejhao)n_~CX&IiBrCm+C?x!bDo!53xMCg?p$#^=J+JIl*756KjB zB;9B*a-+fPhXhh2TtDWbrP>MTfb~Ht%w`-Td`ewaw&Om;`vujW9C>s(XeQjmK;p@6 zIqX}b!-RHXjhbG^E)oD)bmlb7HOX)Num(Rmm!q=USYrk{{nMM4ruQ(ir~CR8yCu*U zd}7*Vz@P+^hJLRNpt`3GRc z0yyrJ)CKmkppEA^4^*J%j#wuPScqmXmAwjrHCw(C)1_!eRm$)emVH2YTN34ROEil0 zuSkYAN}Csq_b)73+KM5Arw0#BPEJ71ZBmq^;hcm8y#XA2dX44vZ{g-vLiv$1zq&cn z`5Skewlf*n`x^S$J%d{|R#v35!sGZZ^u2jo_M-TX93J!~6Ho#U;rhszPWvs$0&#;i z^uy{P7!T``l&Z;#t_j%ay-k%&?~A`&K(MZh8E>O;O-uP%6hF51sTOid?juN>fKkIx<|YNEMaHyN zj2)Lc_AE~{mX)zGbUuvp01%|lwPwTm`;GfqQEn{_RW9}W+pnt3Np|{=kaf(I;-}y7 z!Le9i5f+07uHLHH_R=Y@CCL0H%)74I_p(HsuDqw*JF}+>%e2ger;QnZhnIt?6YN{Q z@)>_fRxqj5Tn(i9b0JJE_!H>?pUgeTwRZA%_PTAHefeY8HC7S4?;aYeNx`L=MWS-2 zI90K!f4^CV@%qx_M}Hr>Rf){h_cDeqGrXRT_&?QaO@o^}sioqC)poVyTgV79YK^e# zjXIsx)meE;e}QA+Lxrp%n?DYs`nYN>J)m?yNm_&c2vic~0+wT+`IByyr74t)Ho?Py zv8AeFnDnK?`TwC=(gNPdnq-=^UmH+hmvXySW4pSOHdw$WfA)|Om7fi2{sjOjsgKYq Sbm;ov>+Ml+^uH@Mpa1}!Ig;}L 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp deleted file mode 100644 index 9057eb4525a6c485e37ba283d86c4e7f77c8cdf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5132 zcmV+n6!Ys+Nk&El6aWBMMM6+kP&gp?6952kO#qz%Dq{g>06uLpl}02ZA|Wc6dZ>U6 ziDhp5e3)s#11-IEaYq9xYw+`H+AK+~+vo%TcTcb7exN>pJ0g7!f28Se|DXT=+&la) z{hweDJAYJ9^nRC~fFJ+;KtKQW&-4TOZ{v4=U)BF7{NMaf=0CjtLHeL&U!Wi8y$1d{ z_Dl31-M@7GHUC54Z@sVReL%k>{xkjm!%z91*_#jO1?v~cKhgha{D1Sd{m1iL+z-e9 zo`25w0RA)l^ZoCr-|V~(zE%Dg{-3xX^AGI*@&C+zWBnq2)&D2_7y8fLzh=Lee|-O~ z{vZ7>$S3l@>L2g_#Q&Q2(e@qtk^leQQ}$#3(XrKtnh_#RTQ8K`Vx1ZzU+T{84*U(k zhwypogKN-Wft(}8Q;2H=D$p@Iz`gjI$o#@BY%6994i$<~Tg0$4gm}tv4Pa$npPzdV zk>r5!tjJfmHY%Ym!ttTX=*qIXpo_GrqhvwhWG3|6x`KzLVqVaDcC)&!cvbgG2#(%HM6g;v-dd&e@+>viPH z@lP$BJP3qiiPIH~V3{)uNn@P#+hGs}Ql2BY%>PM`2Qu8)2>boc0&pD`JJC=q zi--|n7lsUGf<;I{;LDFTNogE?#&AV7qF*PRg)BLY5w~Xwvps@iOgtI*JCQETq$Zlo z(ilg`urcw0N3>^CO{pD69* z&?xBsd@XBRPc1LUHZm%tH*9;z78Wr~F%3rTBWmf8Sw zxNzK5$dyeK9%jPM-29vHIAOUI|NKwq3I9B9l`z}?dAoD?EcL~%O1KX+QQ0}>Zl_8z zB1EtA*UudfW0iJe5X66OKP$C`HQ$dtoZ_MJ@gew->v(+WpQk$L)~@#=FS}`jt|} zG|YQRO;bo>6m&d>4vlH7%fP(a`6?A)CX+^a6rfG%t@OMRzEBa0|E$9^G- zEsd;wfWt$qA`=!5K7Sxw)(iyMpw4O!Vt~kTr*i4RxAQgmD}2p*sN=K1Qe)*&spI$o z`0YMDlhs?IF6aNN)+Eq5zzH5ieuYI<9VGu1HV{?I+A8`z@HR&(tDHLBWURM*ptViS zSnT!plHvpn9%@iO_rE1AS;q8*IW(D;6hQYU->5p<-=3O<*o1JTzeQzn2lX7pxA&jc zFYM@t`-y;^*vi?4?y_$GK-NwA0CV|$6lU4&3zgF`b_@^h6qpM5>}pos{dcyj6i$%I ze=mwR_}kYRgv{VPpn=1?WH>HK727a!jZ4*f1e25DwqD1`ppU=+LEQBXPuuX??1ro z+jwRJu+Pj%${qQ8CiD3lMdyT6l?#D1g4d zItV2%F>{Wjx}T}sS*m&Bj9Hg%r~YLzNuO?^&C_yU)H(jwky{=8)P}dnbA1xAjw%Y0 zE~6NBbxtx$aS&Nx-@wa#zvF8F4A_v0Tf^8ilcQ_~bIXL~a3?n^6SA8E7U(H59}b6^ 
z%)i?&cJfEd{)&5s!8Kvo;m^vaDO??|m&Id7!Znj2>SFMm!k>OxhQaW)%0B$KfWCTeYbir4nS0sKfM30C~E$UR{%9TcUr-y3W)^*$RZ z8%wrNnX7Zr7g*p%o`9?%$iUD`6Xb!`i!6T07^2b7K|%$=aU15C&=!t3k|bT*H}Av8 zAtI(`uG}&pBlMAko}4k1mX{LDOs!};8vI=-Lri!#iV)7)sA1_QY?jmMJfyl+P{o19 zVJ4sTv@-vwL5{;hTq%rf_7P;*)44h+-i=+3IfK&6GO#`XJZZTM=_@ruOD{|Sk)bHC zK4)+L487tL47O5#uk~~3m;eB8K@w!oVDPF0H(b|ya6~N{hNiWsyq`??ul}-$$sPv? z5grl52|JTzribME{XN6#ie;nVrT%SE^02?`$bY3Aag7SH0M-}TEL;(E5mz^4m zyc6D0j|Py{NeBkh8nX2t&Mqqgn}!vZTvV<%9u7roVdJRWa-1U$(Yg|4xhKM$VEtLU zXR~@gV*tKj>V0N0vJ zMYjLyZo5QYmdI#ImsO)0Dc+dEQZ8fBe_&P3b^S!U01&yOr2Fo9K0 zem!|V>&opa1MvzE=T)VN8IJaW|L6$7V>Zmqx1N#gr4}ok*RLjl1^TC6itpfK6eEjh z9sMs5>4W>wYouQd;1*81;1||&P7w}3Q7K2ugi3(-9JXg$^K5pX-nBPwaEjHI;Ypj$ z(*=UN%&eiiNA|oOG#j|@T&<1)&D3*rzfJ-+`JkWlfrwsk;c9EhawW{ z5`m^AR26#uyHmIuPh&D+BLmg2;oASEuAj++?VYFnJ~RA(ak_3~bGC;oH>D6(eC>)2 zSUrwlNQZ#dGW37XBHs5|pH2igt8|yT_A9YoI+i?TFhC7xV1IM&p_baRWsACJ9+P9* ziOS<#c&tE2!ySGGQny2YntKu5J{6$A^-K?&*QGje-)4>5!fO5C@K!*oH?7Guy7X61 z7)U1;nt1XRT%7pZcObO3ngXKa9npvOyTxX?3aW9y5t(jQTKp%~1c%Oyuy}W7Dl{e) z2+>FwWOhi|*_Tpnm`!OeqctXqr^{vchPTiL7AM7w8yf0F?ubJv)E69MCPttMd^!e2 zS$78Zp-R3aQ*QD@Z|!$UP#O$6S_XxneM6{ufMM+nAW8gqQ#}c0o+(umXu;jOaM^Ty z7_NU0w#O=}TUJp^VqHi6I5nlDBGHz7OT~$n%Q^iDS5Bl@DKV%=nlFu-(C(l>qJW;T ziR9CAATbANOj-p>MrsDNY~W* zXUp>bqsJE6fLu}gz_FO#I}ro%+uLx$0PpfuVbzkW=VH4Lo;kw^kSCj)`@^_hzYpzB zB)eA^I0Os#C=O|DCxKa-61E5NQubP|H%pZGSP+x}y4(<_Pn)OTm_V={CAdhE&u=hZ z{ypOVC4X|wob658{afWF5>@|RW_ff{-G}libB6oW{R9ZW(zz7{%ddW}*$9L6OEe|M z_5ARxm-;qeRHHNnE)Pdm^3rVrl{fG2B^+6WZMg`wyEu|OKfb*sD2=O>@Y#+ys-$t? 
zLA0z7eF+C`cezg~88^;mBHqped8X}v6}t-Q5OK&Lbf4}aE*kn9m+LF@mlfgMF5idt zrxIPOi<&Yu#zKHf;pwHRFPWA2su=BX6L}+g6 zyA{K=W-19mW|oH`(4fULzF-S}St$VUm~m4K^{^#xNg}Fyxmo7B*Lrj!f&yePB{YR} zqAJ}tUj1(_xCt&*2DTz*Y{~Ob8iU6sjHn%+zN{lGb~zgwukB)DTh-|B*sw^aOUyw- z(`8_iZm=(@NayO7K;a0-i$unL3d0NJSVV`?+m;ZYsE>Yv|LAq2g-&avkvk=HLahN$ zQSg}vt>sUCQqdL++kI-iX5D@0pE3f3V?Rql(3^3Ea`bnFg`V%;VhnL&B!F?VFTQTT zkKR%Yp&$mVsa#3_y%*ZssJ48WQGny9z zbyyJ@fp8wAZHDy}+kddxWAM>2_bl83Qz!E9vqZj!m!M$Hp=!6mOz8)LPI24euDDSt z${O{WOqmSSL>!UA;SeeMs|S~R7l_lCyS6bw@o zPkC%Py21jq)I#7SrhrJ28&T~GO$Q+_=N@cE;2=nkXQS@WL8*jX%sDPw%p(2fwrh{` z%Y;o_FCY4e4{#n0p@4Sz!-Un~lwDh;eZDhOjsPy_aFWYlvmGHQQHSU~hyiK4zKK|B zzP#{WCd*@NA~)lt;wHJ*y*mwY-T*kh?pxUh3~nFk(A=Ns4&MS4`1K~SC;;NfHb zQ~d$`&|wLlX}fI=ywi3b(%Bb}JCD3E%}8=ZL*S+s;A|O-QN&1c^f68a1>6$hYE+>5 zUA0%kKNbBrc6GqTNZQKaA;{RQ3dnn-S!q!n45OSYu4!SVMNkeQ!0^ruS(dVR>O3o_ zUL0+0%W=mK$u5`*t&Q%fki{4rCU6R|#+5%&uB0T|-+=^chhH`tMKI4Vtp9U}%r^$h zMhlNZsJSr$zR^J%N3!Qp>lqy?98{SUeE3W7Kl75M?{Je-RP_Fmzu-wsA{=4?3afK3 z*;!W(!P5j$H01qU>U>8yQtc?aCM)Q(rW5X%bmgjsbfGW3?5AV>A*_iRa6DKE3D4p} zel2fiX+XX_i)2@Cp%t~fo>QHJ^00#EE~`j!hx#W;jP6KjbQTZ8QvHXe~a3Ev#3} z-Pv8?12pv#G6f(E!M4^-x>xTXcJwcilmRYST{69j`KSn=Q)Q_~Zy7EG4)HeIJpJb# z4M$we^66y@!MJ+19w~bce6~lAIue~PeddlQnBS2~Yp3jq$Jy{M&ADoB7%fS6-H7Sl zWo);@!9Qx9R+<7gL)0Ad3bI42&_7mr=S*n7(2EZKh*exdr|r{C?ITQe9MPr0x4%4; z<6%(ehj{7xg{qv%)5UqTL5@vPc!ym3v-y`l-zE4I)(_36sLRdek#Xzxg`kweAhwkd z_KS$4g~p*tii#c2`SUoH+Dbdb1hSrSji9vp5Vo;jfrvaxZxF+wbM(|R*$4={u_3Vjr`@+!%4c)cCg_1rd|&Z_iz4NQF}<61 zs;QEaCR$7M+c|h^U)_e5w)Ol|u%kfuxEw8CrS5dJgoe3mSfOXat=I!Vz@ZP?@@-`V zWDtGuTLpn1XD<75df8LcBAGK9Q+BYEJR4`ILVLlLsMgzh_-f=@b5cy;4WoeRGUGuH>viufPto$)ucURJMtB0p8F;#Q6TbfmRrq4KTn2Y14BYdR zT@S#;fyWjs72X+KuJCNkY0U%rR}CZFFng##uW73`+x+$ipCYO{nFi&X$FJdhaD8|} zONGydMsn>a-U5pgMFqoCRg8aNTU08F u00B0&)<=l|Kr_p{ubAVR2gXGsSB{(Ir7gpMm(p<`i!o+CIp{Cj{jdqXG9#_#|4ZDsa}L77cvkKp9+?*Yv0 z2@NwFzyE*a_HL)l9#&8|AdnXT08nE9odGKP0L=hCZ7`EYq$46BC$xRQfDMUdZv1nu zr1D?f`+?v#EI1bz{J6Y2%{*YdCMo6tIs;s>x7t3N{jXZ|1ehy3TGpYEQ3er^4W{r|WJ 
z@vrAU=RV|qLjN=2LG`cnAF!VQKgz$g|H%Ir`F-@K{9pdx^k13Y)_*tu1^-|C$G|u8 z&+FgxKg4!^{lx$O?#=sE|NSSJNKqwVn!G3v9QEhEASnyp28n(DmuLyA{fLUqgY}RC z0eRZmYa?_d88=(r5AOc`{i6+6=}dV{79=M|&1Awr9lYjW8zp54Em`gfcP>)Dt5|-F z;O8IPF$U@z^yYmtG)t(S{i3Zo)yeX02r%N)01NXl3uz1 zY<~o28@f5PcK8YIXHw15nV(H0Ks7E^Uv$cTX38$Sc}Ip9Hv;~j%yBy6|D^F_IqEqc z`dJR7s>wiEFE$8|N@8~Prh@D+=2{L5I1-$A3a-l1IK^Vi_CbD3UhRSpl*Of`=ogbk z2NWBbunFa2zhMRHRUzgL%zrZoFX9&T;j1LxyxSYMVv!C@_RCHP>Dh4b0RH_pX?ed8 zCf2wsDjF9mzRu-dTs2o!Sx53F@)#utWD_WUVgnm+9JVP6LI2;xL;?*VsUXQ2 z*cwvy=s*^s>C`c$UgrxOh3;Ie#P2W!H|wJOv2-+rdlpEAi<3(k1ek}yEca4!gFG@+ zOQc(M`vB!Ba_zBq{=>()bdqb{#KURa1QAN@pD{vX1hx9V6=c(z4*%VkAIv30C4cxC zFK4pxPF~Rg3FFFBJMwx5x$i=r6<5{Dh4Jo4kky}L3VCfo>5CBKnEHF12YuiFcT!J% z^XRdk&QnK#=p+XB`j^vB2O zSOminfmWkrW#wX>c}O6x(I}%Iz_pX;{ES<+FD9J3p(Pgi3z~qJU2E${1|P49v(s}( ze_g6Wl8P56Ft2s`LD1yFaXPI4LjO&xkE1Cpu-Y9>hdUbY*b&nj-i z4-Nm-9w-fKS9vq^tlyBg8MnGaaRKOJ&T#c*vuc5y#|aq8if(?nT}349S&E& ztirSnvq?+Kwh!G0&|NylWqp`W;qN|}{3lRc|D9OSXt(^}Y2+4Jk7!)`mKR?8CpjzQ zViTu_tIL10_n&KsQpw9g(I6USR3&NA8a3#i<8w9RN`;Qoc|%G9XiH;RD7?50GFS|2 z<5sgRCFGmj{yfzCwFz&;cFD-JLnL99rNM_TxbBrRVKUIQ5POf!>Ica$spJXQVNp;B zpKNCfnZcz%D+(~Ur58Nv|Fnp$%T$VTI?7ywUhY0c7yr@|haVhN{)*br!$=zff$w{? 
z4Q_57zKb6r*g+JqreCqFK5bh3$_^irUwfj|01BNw{LHS;%m4}k3BwSA+{83X9YRhH zyipo4{**~11(~s{v)&e{WoMg4&0KZ?8RFGs9nyvW8yE-wo16dtdqr~;scsrk5M+Vo z=cOtgqjD5`6@|Y_NcIu1cVcwN_Nr{6!?8u18Eb^^t~_F}ZMU1kYQOn5?vD?DJLfDg zjy(Ppf8IfV|KB>f$qZwvW&vZ{tcQ_Ih6fbNd&1o?v_US$V&2Sn^#~mYOGFz13o;;ysXH5-S~k4 zU0#Id8BH(T2g1!kl{1MV;7=1QO-#hEB663-dR5eOrp;d#X3hz zpHQ6b{aUx&`)@N`R`4SO;i#ZhUeTbX;{d`u1EBtBD8T&=3T~ib@KT~Zn^vG@d+d{< z*+&UJP*s*Ios+{&hpfbD_@s|x+{@Yvxtw|u3@Ll<=}?a~_RvH{tm#uC<@l;(!FZ?z zq4Ci~6vgwubO`>LRcmsc9(AF<^|8ExQ$& zhVCfSS^Z~OsnSk2!4HrR@+DWeKgpWkOC8`dWBZB2&dn|-MlR|T;Z*|rsDm0u)GCnD z-I4)Fsf+O**LY#u)&9s*wTqx0=ieogiqsV6FJ$t;>r#M(c*^RIdX z^okC#+^E6rde%zr3cbI8*K14+HPH2RS<~xG*PuU~a^n}ctOeAJ2o7B2nMh&f;6QU8 zP42xhs1WlUC{btj)9@x`n5`Zoc_!*o`;6v<3?Gw4ZzQ2)r4=Y(jk(Uxtly4$&6~tz z%fji7Wq5d>*@Gu{g&r^wHTLWZaz_NjNCvdnMUXw&G@#=(u`sRy}v$@Af_;XCqcJq2Ph&qSwqt480?4CGpr9gkvFiE+E z7rJ*ZGs7#&g8jYIEB$;!Tl0DusIUMR4Fuo-B~QIp|Hz}&{HVY2EQHz_6}x7*>{~5O zLj!$Iyx&gLHTi~mxJTpdiT=}u^`kxWmxlrv75#@mT+07Trj=Ih-NKM!54kuzJyyCV zr3s>bI&&ot(b0=_)Zgu)jN>IbV@P2M0@;ET`FED(!oJ2Zp*Exjm&5T-W&ghU)bJt~ zvEx$m(AhX(6IPbpag#9u2rGa5x;x#wSlnwH^b$zQWCt(U3@HfJJF9u0hZ2^E{HdR! 
zq@OCpVgyZ5tkTQBXFPBGwTw#_KGy@jNGeJ1ex(<$`lE(=c-8u>##~Cd#x|TA+#F1| z0sm%KQ8V9F`45mh*kfPo7M@L-;f=fieP!pT^VV3T!{DBMLwGYgus2eO7hvBHax)C+ zqU-@|N&k8V2R1C-qvExczt1njxa2^zHe31foUc=?5la+j@FI^`s9avEev93?6*GOtE#-Wll>jm+`=Dy-j2*MEVc?B z_C{d=i!kl8lga+YTh{XCA0k@C;phTT!2FHXb;$ z1})x*^E6g_u-b`rrQhB*7xv(R+H19rl2FRrQW%@L?<`QwZQoNdLgF_+kfc%pO#%w; zM?L44TeoxS#j7L>P)Gt{TM$03(kFmal=e`^iD`E?Gz?mUY*jPojRd(4b}aFG#-cZ} z*a4_9Zz!I7<%+ZEY!jQ~GSJ!g4)5Yz6aqsh$R7v`Q0iz8wmP#U@YJSF{n5H=KsSOO zs0Xx|?5_ur1*y%Uue(V6K)!H7k?~X2`>&tWcCR_s_R@a=Mh4(|LUT9SHk=5~flvi3 z_&kob=KvIi_d=T_pq2*sYF(^DBwhykj)bWgsk853yel;wM@+IYf5zyPXd-_zkT!y# zvrizuKrQw?{CXq5Slx>x=NTbH+5 z|B~#g1be7}XF9u~SKF0Bf92r{jL^D>QZGAV`7IuX?DtvheXfgTeQq~>fLU`#T6s6= z`UYl-4r=u1aA}eoXgPnaiT7}Bm5a4qVTpa)<^AZ3tXaAE;C=$Qad*VsBlX%58F|$H ziL*k$x{$H`X4?Yqc8YRE?K3vClUqfo==3#*m(TyZOzZ~yzrs7xIPtnWVG+SUAZeH^ zI4yHigC|7=XkTRpjP9)^cn6HO7~`WYi+OjKzrd^HIgxXo*@E1SnjeBh=K;O)3@x2~ zpeAqYmT{h_bhRX2Mmlw*s}PHJ9`}Wo89;56#rokK`Y1_SU)2rMsSP{=tijvPuk^z# zfgIxNK$y7X0)W&OYK8cbGuGOl;;_3=i%@$OIa6%|&Ne;5TVIWN@&R zagO;9I?jqfoD04dV4UO}uMkvAX9>np!*hZa5~WkAgBSuQBs_R-&`Tc5B7D3V@#a`{ z!U7-RkqOckZ9`pgL3g&rfyhTlKrKgXVG3%;YJ|HQaqzEOv@%21?-3|`;$QeWjH)&+ zQZIvlMs|vS7V};Qn@s-%Kzc;WRM%`b#$pTl);;F9Rol;01FMz?{qqcJW4X0M)l->! 
z-Bv0&yOZ+XJpKo#o^tjY&;eina0D&ml#AlOFR>rK_`9j{jy52q(!*2))JbBEeLJZv z+t{m5x$K5rrah*sPW{iyKj3j5fDsWf`TQb@S(bQxRzR<246GLJX^mR^j|AuELYWEahCw%(-mEEE84&wwLxQ zPFwJIC2nGhF1?Ts+-^3A&=k>q10KWLBWqK+Js&@lu?WY-sfCyA_Sst45Kc<-rbHBd z7vAYUOW`^&>5S3+;i> z;UQP=*p1q>zaX3Luj)W|fL?xVT;>ipRfXF_s2IIFIJz3rC;d2ahZ zF#Jc&U6YFbM{^GCn6X+HJWN$XsAPB$(B-Gh?GTt$5}Ajv;Z^fCf_G(1g>Bs8@}5Z= zUSHjnE{&%Gwu1|&FdnMDUcVW=5c{vb?!#Zag_V1+;u4DJjzrSKZkmqz1i}IiZiw^d zSuiCzM6Ov!b#uwK!Oi{$zA+ylFOcGW9#2?Us<*GOVHit?eEFFKNS~b+9Kz%v(quf zgZw`4`-_&76F z+n5NutDNj2+pk2DHW7 z6p(^^i;I>*RpADwGZEQRgb#?WIKX`GFj&Fcg)z8nOHY9@Kf=vOIp#NF(=d*sW1liR zbG7>+2?F^gn6%0lGwf$vGTjj8_He|to{x+@)e$tWpf{$*#u|$KL_RN_Ac@8^T6CJS zoaHK~0q-`yho9LlW?=g3k+L_05Sh;CE1Wt$IbF<&0(sRqf_bf6R)=GhG~FD2AX(7Z zK;QC+28VEUOYk?Q)Mi*iuI0JeJngW~W(G3%kpq1-755CDiy%C^I*N*1TrGyqO%)JG zsKR#hpK2iT=?w4)iz4@mLTz2E)$A6wiPOi0vWc!VgT9b3!grX+1)`2Yy18I{YDMSj z5zQqV$trsK!+e4X`t3CC=5?Lq_(HkQTi-pVs|#MKiW)RHi;T}%er3DrwFt=kKP_{* z6#C?6G>(}f&6srfB#VkxqkPMrBdJF6|E z!dKwz%^s%dpQ~9|(2FI`>*@tk@C6GSK0wGoquxahP>gwRi&LFihoOAMg_)tubM#Eo zv}m>}0zj6wp0ha@-1;X56h$P~+dy^z%-HxHtDGYx49@MZ15VDxcntwW7j>e6g~APH zv&;+Yt5^9#L+dS>6klMyH+EL$tXrtP{yy;enFdNYCb^v=!9M_O4C3*NPSZOM{VB&n zAOWnvn6dm5cm79R&%sTv{<-u!VgE=N7XdYKVol)E(uSU?wuP){%;Qk7x;(cFcHgX3 zsdO^}Yhd|F<#cl5h@N=DRqgf))6BzaXlz%eg;Lrc%Ls$qs&dHY+7L^k9nE8AqL>ikl%bpzRHL;!D2n^F|U*VbQUdaf_4F*gw zSQhwUuA&4PlNV|O)7PA$S2-srB-xAB*6WhiI4f6T;|l94LGx0{{zRmfDJy>d{o#dc zMeYkHPrHF`E-i!PSqQy<;{>}qE|taFgNPrR#UTw)#89pw%9LCHHXYcIOh@4D^fzJB z%yWpCSsZO>DnoSuZ}D?(nNlCA^Y*WY@gc!nPMd3Q-~?0B9yXA+tGHSQNf3*#?dNGi zW;Y8*faEyEt<$ks+f0QsBY&UCj*80&TcwL1;ko>uJ# zKulbNaE=N;ftEFUxWkBrZdUt1}gwRfM~I=|10!&w)Z3cf2+UG{fWGX z`DrECi{iiD@<8vOPG9psQ~kw%b z|9eya0RQdRAK>4_f0}*c@`hSow#=nvOdj6~aNB;Nr-;Dou|CRk${nvS3Y5l|f2lxNSkC0ziK12Qo`p@~_ z{U6>v!+h`i&-Cx~-}e8ufB*m4^cUkF&cDh3b^YT0-T(jp|L6zuU+16Zf4%Th;lI*<_5WS}|NsB!C-QITU+aIn|B?Ua{*V9v|Np#y|9`tb z9RF><{r=qip8mgo_Ww)!|Ns3RSaG(v>-qVN87DWY2u#`!VaJrWRTe!AD$|*e+WA!OpARj<|8L30|da{K%#FHs5|^ogomagi 
zT+$t;7FrR(M_iZKE>`Can`vxO>D!B4Zc`9$O^T}k{g?P1zmt>`&+VEgYCBIcJzDY? z+24QT!nrT7T($dyomagiT+$t;7FrOw#8;qe1q4AH*gmm4H*Tr8AJ>&@R+Qd5n!|T< z2QyV1yb!(Y*p2nleOhe+Xv^7~IZPX@6m^1kYqXr$e}phAaY|o*x0x~ za$rK-6zp*MMDL4(Rrz48MEZ@0NAS-+k+|);&?Pkw5Wp-n|k$-CLQqR!V1tTPkBKW*+R6)=X>LZrRi_slP zG0W7pPu*%!CfTx4j(E{c66G^ zMsN=QI62jOy(M;itu(H-yZ}uCb=Dr@18aV6T~_pc#7k7S0Y@66#IM$#d1!yjOnOFr z%FFQLg5sH~>LLgqK|16&cvgmx?J%p6Vrle~?_zybBK6E-AOdJe;pA98e|ln>Q9}Zn zOrdRcjA5ozf4Iy>tv2;ifurwdGCd2;pl_O~{dq{s_qWj9UwX_x|iRH#PA z6Q`^t-5ejqwY>HZ5z!v^#D&xJiM!H#wxxjI>QWIIPI5TM^OMOmsP^sVQWRAqy}9}q zknJy=@2B{Hf`l)>Lx`zQwcfZpvyPbZ-^Tx-Br$4yn?gm6)&ppcCCgGm+9 z=Vu*>d$7Wm`@k@R#PEVbs=ZR&_DD>a-`iDC{Qyt&))D-s4wxO% zrP16D&6;AR&ymJ0`l@QIoz$brC}L-+sLk@A=sdH*s{y5^X~=!VL*qWZv;^Z1#1HI# z_%sM}UmAqtK@n;IIfl>3S!hP=NAkt~&@de5|E?<0szr^OL4x`+x^n-*6FVm!n`bFF zdg|=FS>6!ay?5{u=H_cs2bWXOTM0|?;LV_jvg_eXi z-~9vH^F8+h@1FDD#`diAg!K1Pl!R{~F_hc*lil2{NKWjOmM!f??w1`%T&?<5BRRu< zxJ)$yIe!Cj*9AYt;))UEZXWsA_3J;cX%^A6ExbPY!<2SUO-1~D95-ST@+V*3@>MuF z`{s@>dPujV1laHDAvO+*{Qcx&vsZd9a%J>Wf0RT~O!q@HHGVS(SIZ!MG)OT}T@LLC z8}`YMjv?~8X0&;6^H%+j+tNc?TamrYd}5M(V!<|FwHt}~;NO@H>nMYgfvcW{z39Pn zo;@B?7B7;##C9UK6M;68bTvPiIvQKIi4ER zN&{787hJ0C4cE1us(t7neGE($A&6pIRR8cR0asTT9u9BukLOh-)ZZ>6X`jqfa)Ign zls5!HC0U@>uelz>dNogx# zx4gMzOkyI6_^~5GSYVTz#LIlq)L-8Qs>i+}ReU+}lqq#{LYAS*^t#DDM(J5kRg2kh zN1$SVD9C|7LUh4^-rA?KX_h(vwOQG?n%9{w)OY_FthsW2yZlZzGRL}b-P8=80?1@S zL$xQ^bDPgC_}JYuA3>%3Z^`MtT9K_<@>=2&E@hkrGC!zZi#8s#8=HI%(Z&ULE;qH3 zIjqRoKl1~XYNc#66gm{?DB}5OgB2)#ZjmpoMmGK0yvlISCd^(`sYPkwjv6oaN zI_w=|-o@??bzbz4sy>t0<1iyR|Miva@yhFx&vn{u2CEhxUy?@p}CJ07zH zf@BReVB!s6SlO z^q3TuJi+P>{Y@R&#p&CmSat5J+}lC3*9}kA@9_fc{=;#Z;y<>C7VZ>gQ21%+wn7t9 zEkvf&!p{2jfNh1&P&EWQOe&3V!3CX`s+|azot)%+KLIz+V^z^%1ahipY3>b2#aqy(-* zW-=ludXMx>JA9xzNZHLty|pbCP)cj`4r$!7jRDo`G&FCgmK|mec&FVTCv~m*?U!sa zO!V7N_6UOWC=W41pb}bS{mWmtIn@XRt9hzl35iF?G_ZhpG=b{`&%yrPorpRGS^4<@ z+*!F1*v%oO-EsxLRcnPs6zucIe>zgy`qg-*`GVc-s}a$icitK$4g1U5vI4p~wKp#UX3HX1vmlh1neOX0G)Gw+%u zr|@&qvyu~J&U5@qg~OzI(eFayl6w0IyTqBTg4 
zTfiq)u#X;Bflm9VckcsMXVy@zeFA8zPnGBO=@4ehxk^pm16xO>E*BNxP+>?YBP0Es zCj|}bv2>Z%hpM*w0urG*UZLo~-zwmIrr9*Wg`dM3$B<$&lry2HQ35SZoxqqTcDW0G%E&OxvWFmc#`rdbDT-`9bqX07 zQ|qw+;mwl5C+AFMb0K^NU+UDmC?z78a=+a*+(yX^8`e9JKrguvgQ`SN3SJ@1r>0xw;dv>MQ~c{C^wK--qTaC3oA-ClbHSkZ>X zgYl?X%Ds_K0i=KtH+l?_S_e+r;gi38xQSz{=|2b$8o%3GoerjbXA=#`#7XksP%QI= z*u{0Mq?-qoc+-r;R|3)LC3~}_m{Ct)p$>+AVVTt9QqgQ9y0r?9L$rf+xZ|+ZPmwzT z&`W9_76cN?Z;UqPirPTw^1Q>MKn_21)mjG&b*&33086ilNHnk92$fGNZw>F;8p^JH z#S}nb03WEkV8-3<3mjV^SQhM{0RGm%|H|DeuOG%T?~lyvygo9>bbYkkxRuiu5L(S= zSIfq80re*h()&#OV40-7nObr%hu=6Jga7}+K$(w!b_MObuj>Dc26x5X5uIq(HuAe~ z(!wVySN&|(OihA-;!1qYt9b@{v6*zxLhIOUF`L{RVX6BFOd}mU&nvxI%vL${wf&2iH^S*;(Lwk?;ueZDg6NJL#=o{usS@o z59D_CN8N0YOm*4sRaifX)QEpgCYJh2{D4C`w`ucQfm;MTU-ZKNa@m1Z0*ZU`8AH)aHVTK;q`$<g(b|GjIE z$$J+`k-+v9M#S#@7e`ic>;M1&0ONaWP0EZg8MqE$1>&eoP|f!Fxe@@Wu&A4Wwmr?q z0y)Jc1qU&XLMOOXzW@OsqE-YgL1_dZ%jN0m4)%tR4wL_qzHEJ*(PLB5`z}+yr|mxN z`BUU)T@aGbmBJNg_BRqO1i6`_4OZ)PPQ&{wC=eA+=@z~G zu}cxj&m!o^fy=y<_%IgCRxGN4>aDJE!5orft5;FFd0IIES(|3IcE!dFZ35Ws=u^=-e;7RLB0vog6cJ=1ZOw{Cq>Rc>?y882MV zCL&SvgV;q3hK|_!3mV)h&OI*hgXqJ~9js*9&HJTS=9c0y=vGYq@NeX4&w|&LZ3YAt zv%kvPCYl~mZ2+lVo#{v|9^JPdkjx80Drxxa$dL(KEHG71Xfc{t60KI+?bk=K>FdOJ zxz0y zxl|Mq!)4t@FuPFSwf>d3q^UrR_WEW-?rX<-X~cNDa?)2N{6Y$)rf(O_$i*!N>9Jpp zGk`f-Sx(I^PA4m_n9na;r#>KA`RGZPj1qu=Ncm;_Yy7CKaRrSM>QgX0fddPu9rdD*UBnnNG1m?N>U8Orh){&)^!e4=7jB~$}96A3bWmr zPHWPbQ}iNvfwR!`Yzs@SYQ<-YeT4KXO4?lw%RbN^s9dfQn+XR$lx_ovBh{GX!+C{Z z%j%@;)eDc&?QmCAjm7~SoCG~%_eOhuNA%`F#^gUSqktOb1>2jvBZR%?v1>#V{_QqT zW28atb)ljn6k_)*7>^w3N8*?puDlUm=5IofcDQnX(H;4=Sp*y9++;Fbz&itu*}g&z z_-UShQsU%D?$4kAqQ%x2yEx1A^41o$W`fbd_zyVbBR$ObjfAdt5ZZNKD|5iMRPh>! 
z^rrGg+z)JUUQyCp0w)!KY(WmNSk{{{+xPM)O@=QOG&kFX;{@z{#7vo&xNe_B zQECiKzSD!WqN;4wMB1vmAm;aO-%pLhr?Z*uHoW}oTWZ{ZM#tlpmTDglY)#~dy5zu6 zJhJI7ew=UO37|&Klcmr-Op`21>uly>_B5WNb4|3_*_PPXzb^GxX;R?@4^+jbJu1e>WCisgBnWG5V+S+anrHQSXP*bT#VUt^e^jxBg2(BIonrn>!u?s*b{R z`Nh-bArFv~;h(y^-Pw^{jFxw+$+TTa*D$d17EdR8V^9a6O1H16T1(TOXr{%|LJizs z&HKaTISGFRMO9wH6`qA<2OmcofJCL9Cv`Rh33k`N$Ka`|tCyaoDl8NhEA}(yoN+vi zO^=bZ*<~+HLeB7z|KHm?T$>fWUPpKSPY^OA?13l8@N#QK4}mhlnndlzu2oLH+!;-b{rBMHh=>R~wTocwkwNWUsw5f0cyx>FvA@Y`RY|{~0W-|(2IV`< zhu|Ms)2W>Pm9YPX^Pd^{jMMHa7@FigN|H6~qc`b@hpKnl_Y4X9Zz`vy#<+8f-D}w^ zAu?8QM4A7!ziWu7J6u^Nb$5wGLEQ(xP64Aq&#pZf67G&D=Pp&$H{!sTxx8)i-~rj3 zm2YxIKx$Ar0Wwt1>r<xp>d-6hpFOeKbmn<+1#GbfEj^=4B+Vpkq{?5ZkuX{+2cs1Ct4d zXdjJev$jw?0~MYRS4Ex7NV8Uu#wzpy&Pw)aXqdK*ew9MhN87q{*v;x3Er6A!41ZK>MB}$LIB@^Ava^5 zKz;(WwLqUkX`a}AR3KcX_X=TDH<5jNszuhT>*$~s?xxx@Ip!L zEk-8Y1Ix81Zm<@)y}2b)XI&x_UI&a^?#UeZ!ucLlXGbImYm?n1SGj1;?@B}jk_`sR zr`S4n^d6>Z&?IMGfLfBs|FF?XBV$vlH;GW=mYzW=pD+D!C`DiNX^;0(%z@hZOf8L& z1I{1+W?ouy5XW-^3kkwbAP@POW!^B!e5E|$-OaRy+UcMr4wjQ;-iqR%iwY()m|nE2 zWtUH8q(GEYcDEVcAJ4gqsxU@tjhQafH8&Gd5et?sB*JWo1+(c4ssa2_j3E$#=!amp zMN#v7v$;Vsw+Kt8rX0W8sY*vSJ_M(4+ul@d)zd_AUWHnrhq?kt5_!@CiYCTsYz^rd z|3@*b^3-{P;$B#W6zrH`$7!Lw(=|$6&GOF8=D3-3md`+}_PAs(EEl~FYd4mo=;lU#eBkG4vo zKl~AIX}&?T%WVEs1}$tFt*?p5r%sOKS0vzK>{WXgV_`=@z=~KEh;ulZrPqBdBkp|H zW>Hr!4SQ`=4#A6NW0B6Eyoydr7viD3-fNoKFjjv{%5ag&&KBKyyqA8n;U0m|$^VGQ zEh=_1_n6pEfO{|MCo~ZPeaU-Y2-78{o}IUY!#AantUffi_Awx_n&6C6JU4xT zR@5!0+ao-@y_B6`G?ZcM+t^M9&2qBVJ@FYK3#O98=8kKM&5M_|y_CZPOFjShXsFNU zLL7rCd&2%3A8&o;1|Et&DMz<;X3*XZg3t~4*>G^jE1yQq$INYPv3i2rv6O)g& zYf_#s%oDALZ=VZ}Q~8}NoO0qR((d2`Q`(Jt7X;8yJXSA*88Xlhk=Y)qbQpYYCXqNN zwZ(^Q>-5a^=8~x2m~k8pPALJ|JNmW>+hT=%@p(0%M2bWwuY3RY0HA}aWQMK%C(v=$ z`Es8j!i!fu2&n+;_#2EsCiS{@(EL6%cVhc@o2IggPo7FNuts)vRWT!Bg5`qMS8T`M zXWZ>InT}H)IrD;ScG`s;Zax$8EX4yO_-G8U&?&JVY$%A(uIIKfg}a~ zq1{B=L=EN;ArsyIvLdAG@tY(|#|2ah-;j=&xp?L!?uRN2X8sRg6u?}-7CW)6{r;-l z?!t560}*!PAKZtbuk% z(wFnj0@^@?PLv-|$pPn|I7o^NB02yOQmmyq5oWQ~Ez*Q>zP}h_yjiDfd;^aF#*Cp* 
z`xViv_j8VSbE7s9v*O@vv3`EmJT_WjS6cg~6VLxyrtZmM`a7JmY7|I!(kh+L+UqN!~X>eLv_-5~E`$5WGd#^dwwB z;x>oI0+rOd*9_bo+)HwEwNDES>3jn_+f+m1(O8&0vN7aQ<^G zQ2qPiH@_yAP+^g7YzWA%E%_F5U2`Nv;J6`B=NpU;s}=(w#7fZCz!ZNyjM-SUB^j~{ zB7UPQAYLQ&Pm{9LfB|XYK3F|P{f#!@&zM1u07q4rQlCEM|3LsV6rYXyBKT!fNwQ5h zn&MzJI6M|b%WC3Cnc5H*jyIIw!pmUjNiN5aD}Of3yT6aV(`F}c+ms1C_-V8lZaZ&* zO#2WhOARhEhC#SBWS@|T4cNCQ32Sb6|7MpDvsKk+d!%!&jx9~k|hI_HnLo_B7k zfM8S=*bu)_XO7HzSNf|r58^&z&ac%Lkh5L8!Amz7bAWhp8S_b|B_#mkEDBFLq$OiB zn)89|lw4{css^fmckF>ga|neA{0^z=F9Hi?k4V%ad%K8J6L);X?(p ztDz&y$^$y^td5G*L>qcE1>TSB87IGLk}k&_8WR#hLg_!TzyCh&1y*-f9VIy!v&Ci$ zSwVM;;fZ7O;kfW@Phg2Z?p9%L)7;_jbOyb853woT2c`?3r`MAIsVYk{cf|_7o1+r$ zuFy=@&epZava?RDu5v!v!TsDMjLwH1BXF8M^F6EAwkHP;wBnrn?iJ?}LgH`G*%RsA zGCn&!`+|OXVL)4=ejvH|C3W&flGVt&*(=ACI*u&H*3<$|&s?RxwYtcKP@-rQ3@&wr z|51Kw4D*YM6$9KjdSS1iJ4LHcoql@4KBCN&$^f>>HtKgwqp}Ib)*UJ)f25Ll zXftoW>U9=nL@4dTEDgL&_elyhhVa#B2Ku4}!j5>&V$FUYLGD0q15q;z6BGYl8 z8S7f|`&}0exe)O=`P?w>-c&?-#gE+7Q^@rriLD4h6#t0McY9;a`ml=h|FVxvYgZUA z(W&c>C%u1=SH|J-6AyE0m8%->;58x5>p1&&o~7)9Ki#hPg}fQ}UhcSGUUUzZf*-Rj zII?ho9tKpvdq%e)F6eyqq~VnrhQN5MrUdT6d0V@EX_s3_Q z>!07VvnNi0@Yh0XRunUGzA+sp7g43fkEca+bnPiz<-0lIYKaAMtjvHv^J7)6S6<7+gkis(5gq@9=3io1UbGBk|3vreRdiX>KyB)~i>X z>>s%BoHu7hy~Q;jJ|JUmBrXNm|9mV6*F>UXoE5&%Qy>1?UGN9o`O^n1ZrX0kX#Z?^ z9}|VyJEvq*J0r}9(##`4tg=lHStvcj8p3-dvpzqClmMp1m-E-ZR<6H8Q8M3UvE0Bp zZh1wC*XmZdIs|}y;pb9N`6I$E=a#$U80_-bMnipYA&XyVPvV%{ko@*H5@Lj3SNT#M zTYr!QSRJkotsF8+15HH_SDNVgjZVOrq#D^VQHC=u3z4T1E~T@K_+DdN0C5hNBZd{U zV3cBH?D9x(CK`jOle;=;EC?0=dfY4h)AFRFKO`JulAB|J|8SITJg6TA;XVN=z{}Y@ zqhPlW2t0<+Hs%2FMuk>pE*UuLntn& za-mF|P#v?bPpq<93tP(j6L_vHsgbesttA8h z;VjP5ig9L?{#VAaW2gUlmMi$u7sg_NokVV(JhcLg0&ugbK-_WdCDu9Gaio2!D4^$k zEpM?PQxr+LQ^e$BCA#%N72oBzufy=dkw?&@MooVJbDg{xUwCstlr`k!Hf#86KZ@hN zCb&Z6@X))J;jAJ44`IcH?Fl@NQ<`3V+fBX;T`Nvac8n%{y4V5sZ=4_@^j&n`T4!DB zNYCq%yg?%hekyA+=4|KMnR{7xeB70s3}b*|5R3irW%rA&#t;8fN=AWXDwLh7>Dd#+qDc~Hu*F7~Uhp(*NQU^B16g`-SqvabL|;8U){d53w?b_N6h+${-j 
z5+`fC7{g}EE#N0$bA@!)MpWc?i9Z-;aHfcCVMKRnJ)*GcN}0YIm+7;V#Y=b3H}Q9ppPc)>sJh8 z=14wXSlU*3Hj2bIaP#Lr_A%exP)XWms&?;)>wKxLIofDV2u9g7-lFW14+I#M%-%=# z>~A59kaK{V6{Bs{DV*4Fk_2@~Cz|*$5*VxbL=GeYq#0-Hs7Hlls@5`bU@mlVR-*g~ z+{AD62@qf!*174kxz$r;FoDmwjfXa|u0a^-y*?HHydetAmN|>FO0h`+4ZLt~JzEvj zLIa?mC~4IMmHniEQ+Y0pg^z~I7Z9sD4bbnz6taZrE$2^R z96IjCDC=i8VoIQYQU!Q@MW4!TP z(PDBUSM&2*xorMsGgW&6>`r-mAhSIrL2&kW}r(Kqj%r%DwujzvWFYJqme4 zoDVZqxp62r!<-dYeO9-mXz0hi|C&NjF~tHt1Yap+mPtYM3I#jhn0w$GQ+f&v(X7uc zJxUlORj^J;Nju{`#kt-;tx$<@SAbWb{Uc!duD6)x5*`M$MnmhUEw-&Y^b&u@PEGia z8~fjd1_nIb<<3MMnW(+@a&X+-Y;<*-NK@^(i%x0*R3Tb86a@hISVq-jF_rAu6rl(E zE*@IRd1N(f(G9jL41r}!BH2S1&Ok40#DveKF&vKE&Y)$!484auG;>0=ObU(Wa5Bia zPp$9OOXm13wKJu~?uQ%iei%7VK5(#%pNFluXmbg_i>VpeiCfXYeT@EL1X;T9zS5uA{-f+^QW9G7caib7=wH#c;G*60Kq?8>bdRl#7SEgn_#kSXEr@<9FkWbi z0^-ScPFCS|;Jp*cHNjd|(JX{)A4dNN2Jo37T<1R617PiQ$x_Og9qb0nH5)5`px_9S z^r9~U*uz$JgYNr31z>YZVT)7U>5>Qq_g^(zvj8eH~m^0ZRd%GpTwHn(Nqj$tjhuc@|`Ts@ufgk_MIu43LLFDldp3eHe_57h(S zy7D@hnm_;tJ%O&b(K(zdYAmC9x2guYGOU8^!iiREsBphO7G)D{05qbZHRrHU0WcZ+ z8N`c>J0fK%LpTBxA0>SC=9KV0b2<#P*zG%h^IL;y>AkIG^nqXi7ps)-xc!9{L`Nsu zTc=g*gStQk7-6$RwdZ*L7#rodS>RzuO(>Y~8{d>gG;L7JD<|z!4GIU|w-Z;|bi;Sz zpcA%f$-M~=YB+TC(WU0M-3}=7;_0QRtQP2DF za;SdrW{yyC%D2AK;Q#)X^4QPE@Of2|(81d`SN}S}?bf6}2SqI^M3qg?@u>CfUu5hl z11GiV)Ci6K`Mmk%>O=rH-~a#?T1=w#W~aoEJHQl8mwVgzFG2z{DZztKv|Zpn@GDscv12tB~HaR7o z$}{G<)ncxb=G)_%7<{9&ZaDJOY}HoItThNh{Gm?KMue|1$W49=N^NnfdX+5`0jE}D z2d2@Br1c_Odi29BnK_3v!zXN09^-26-*)vPfx_Sy-tD++y9s?F1C}p+2OJhU(Y7Ox!UKsJ zOAf2QbMYPwb0sNJ?KRU7M5C%h1=&=L=0h*4SXKMXk6QKFDC!vDKY#tIjt92W5FoYna^oo^5WYQ&M}jPdCw@08^Tmk@kPp!2c9D+4DMp9LFdmXv zeg8&~U6Ar0_CG$*#LCGB3Yx${N=`=0C*daQTEUuH%qbB;dSiTZKX~OO4pMzo(ZZqs z#To#PR32fB{NE_Z2z8RPsSm14sX-`~kFNJ2^Ej2Z9{ zySu^qRZBo!XnJmC`u8SA_gF7AFmyVsL6Cj1+zJ5IB?de?=~^csD|sTDtHJLMP`E6e z^j1Fi`Y!!AVwz~|MQ0PC)1dQ813{FPQrMDU71QkEYF}#ElFQH^wU~y7?`4WDgCAY4 zEQde^$1}ai;_rJNCt_yCx_q^&ivg`dpjKX*&Sk@x#kF3rM}FK>H(CZdD?)TTs?@q-D2i=m@=p0gz zfL#@CqI?Pt0}2%8^g--Qs^h?6f{oF>u6M21iPhYvRXvRC(eeTCJzDpQTL*nIb}Dai 
zk*?l?N0i$5-tytqR{BOQ4Dd~VtZKcOEJNjGN?xp%I0E6S|GvI++|jR-8YALsAu=uL zkE1)ga}lHXBmwf<4Sb`Y0nb^p0sEzP&R)Y{wOI@{uujw1vCy7Z?9PdYgsOtv(f7>8 zx8ZBXL@n6@Yz?Ol8y6z)*Lb|HDEYgJM=v>{;KOfV9-+d!f|1PuXbbxiEcO60( zxp6!EX2TT`BDS6Bn5*(Tcc+QX^a~SYfj*2Y5PIPN}G|O>N z_87%usL?rBD`ugnY$KydLsVQq)y5OjLB9(BMbz(&S_9GPujkB7pxSQfK=56o5DSmeWvSKp6?$DURh&E=# zoEA(SbgAyyyO>6uGZ^q{bGsjK@Z%0FIZqgbTaH8Rskwi>nv8osmnsiFo8DJ`zLp-w z%=U7Wsl#!~q2@d6Kb?3{>V695>gW5^!%CEyR@hMCPW!?7%eARu=9f%RCXG9H)b7oE z`J!>5=&jJY{DU_J<`&vtYpgZ&Us~5Ns$S|nw{6usqXT2XBS`Cl=>x8I;fM_nwyD;5Z z?q?xz`=c0pT}NBUI8Z>W9!$*O8$AS$=$1V9Ce9aZPjT6r?NP!_crGal*EZ})MO9XV z3NyaDYTHjrq+0(psUbumtJJVUR;d8x9J(5~Vi@a{OM zNh*BoNd3{CtkL)QukbQtCW>#uqhoGw3~|&E_lg7_sSU0y;oM>16~X#w!$RdIMuN94 zKZ6&`!!-f%E2@6qQzkhIX5ZP9=Hte5j&|nUQ{u-A(c57^GXZH+Q)*;qo2+m(Y4 zxsDNy?2eC}4E0t-K=Rlmn#G}!S#E8|y5HQS=n*7t&%RD53tL^*jA0q1!aqx^4|Hmu zi}3rJ%webdMVkDZlbmJ($#2(fiLZl#cmZJLzf_-H+HPzQr(zs#QMYEOre61bPwK|m z>E^08nJWLZ7y-a$S%!`dF*JjP04iq zqYen_iF3cC{!OGWco=z-mgTMW7$#Txp&Xv>fCyTA3oCLw6%_gk=Ot5*LHmEK&6t~H z1$|%u2n2y=Y>FpH3We*+yh~MiiHklxNg^zEyhr)kS{b^JfiwvQeD0>vT%*ag8Bvn1J zvTF;ZyGrLpgCkVFAe!DWjips||4@YZ%z6?vzd058niZ2Y2Hpc;=u%8+2W3Qbmo0!U z+_6pP0IdSk#*sloYlegagbU!)jg}NR&^a?r^y8^gROmRs;j-?Bk0W)hm)iEn62DKk z&uZ7Ke|LP_R&WX$$f2WLw|o>bv1lTzm21tjJyKA2lFc_5xN6-<3DvPO1d+k?Vw`Di zjE?Mucr1}>a4s>aHuB>>3gVw=#q98=WEUbH`Og5XSWsB%jdiWM_t@dAq6jcZ z0NjYuh~~utz@E*APeI}{)zOlgi65Y&J=xFnhE|VmFo8mVByI$bFIg}FaxbT`{&`G8 z*ko{KC}k{&MYhgBz5lezlOdWfTJE#gzAcAoS8*f>HXmeGjh_m=*SD!2t<+Gbgfr9A ztrgKEIFD~dVa7f7guHWEurzAC#dHFL)g`RxfbiiYgLn=$p%~olJskpY?Bh{78mv|Y zh3eT~hLPH-=sD8h1=gJoE+QOM($rh$txB89dS|fE^hFi=L_9*} zv3^6wnUS_3!0Bo4WBDlIKqR9#&O|^{3Efv&f}=upPvk;eCw;|;NYjf>yBCW>h4x^y z`fAeE+U315gsg`}`qRUCI>s+T9;BbFCFDgF>=t=IF9m(K$Q3jr)nUe44((Rv?Osi3 zc;oW96!!>HL}VRHI*fcR-*sG$5p+-0A`?0C-y=VO!(uzyK+wPf8%obcD_3b28(GpV zYliRU(&2Q()l(VcaaQnwmshB(lVh+VqF~71vxh9Zn`z*P3`S0hmlU4Cd`uL7IM!IX zf;aZ)E!(%J{xGhUGz1_s*7<;fXzUm*olo{iw@W8Y4|Ra(z$D2 zyGpWU{bKo6jJ11fvr^>2@MT;jmf2*!V+V6xPPK)JsxuK#L~UAs-Kv0Zxzsk0DpZ~J 
zw@T0jI@hoKh(=0FnCt=D;4OttqTTd1Y<30vT;zBu9*gY!Kft^7nWL7k5-!ht&7*|C);V2nPc%RtpVm zI_nnU&~@~%iuSNb>x_%qH=pVFXZWUD7ZDTsQbVkM$N6{yzZKptKf75{%4+&>6>T%t zlGe^$7!?E#1`y^MU88OqrXi-R?0fo!(90xmNDvy?A|q52G76W?=OsG{VDz2vC#SET z)w8?$G(aT9o>pM+YflMs%>K>wTISgIBzA#&l&|$Fr#h+*-p+Mt*;~02A<%wY`dRf9 zd@k{+c|1qOj3-EIxm)MnQU4ENq9ExmO~Nu-qh2YJvz<=5pWE+wb$+Wri_hWC->ml6 z>2H@N@$OTJWt463x7f30ZxaHNv%fu2Hb zEAqiSTg%`8KvCw`Rh?DV9%Mj4Fpqo@a>Wl{2Qd&xxx;%Fgohhqpn7-NjaIIIxq zJ(CQE(fETRA;ztcTw}I4khqFy87D_ap?&VA(cg%VTJ}_2F~g_}#rS&Z$eLS%j#s`v z)z*;^2Ix+9f(12CB>G=iRk+dl->fJAWLPTj=kK0AmFEE5`Cmg3(Yt$+9F8-h?+rU0E=6CfkyUvDqz+b&ME(4Af&=*;IA{AHuw411UUX-=+r zBTY~UlNj^edf&U*o7J`Oyz}!09YTkZymK^|UO#u=zfjU-unXUWGP$XMKJ8Esx8rHo z2*d6ZCmtr>g*_&$FT`O=k@>HQt_x3$f_0c}itKP1)}3^rBh2uZq9}nk2j|Q7 z+Ul0|v+(NONX!u&wJu5K>7Le`Wl1IgG2MH!c05EO@DR_G)16%-f+n2o#v*!eU#!>g zf%7@$!pK^+3PLB-lHV^6tBuyxaSS$gqrVDcAu4Qj^rDq&MumA{J1V$Mx8%f0;vH3L z60CD%t)W19W$hni#cU(6HoruVi4I6n;lFUlQub$V?8w5oM1(bXkf6%?S(JNc;3@n8 zPv90e3h?l_x)@1PBNe<=zhH1WZwOX+mkh#yAcio2_)L5n!9>F*jsI>5WI%jaoXXtU zM+~(#e886po!}P{3>xdd)&Z%h-Zr5jI$z@q*vMs?ABQHRslG(*e;z@vUob;-APy%7 zjdQMn16!Z&nxo>=N{-jheaCS$M_(HEsbiF>&6xs;dlxscOFaogS^up@W>^|+@kdO_ za&2ciu72k;00PHOpaiUv70$?Fm-GNhK(@aLw)bo0mdXpfu~1k5000wATG`NAN~ul) zqV{rhe=?}yyM_%W!@>juT)eQN&tDxR*#J6E#30bIhAsb^47ibq~Kj| zFRYA9Ri4pJZw9T*9qPUpq%i=$c&jG}rtiQ|iGnSZo?&1KmuOeEh__c>3`C~wMvrf0 z2lZ*+69JYA&%2l5gEEI+&tjqt_g?N?a4xb zzPtC)IVji?g$)cDRXlCVa7`}~$TtRH>u`Y8xTlM|&$zBaXZ1OAgf{-OXgiH7$o;@G zIV)!J|6HSw%a|zia{C`jv~AaU-aSsRH3QT%zL)aJ{39zzQy?D(V5R`28QLtv-voI) zT!q0qX0Xag%L1x5NnB06y3?>oYP@btWfk_|sS;M%)nTzgbYaq+*nkxHjB->R5{aYw ziH{8Pj;*{R5?sWirP3<~s*U3|Dzfdfr1H$Kp1cKxMA7~F#um8!_8vu70nvT2FFt;; z1kR7Nk~*qzsU1>~Ur;FulA)6SA>geZ9Cvvqx9AIK}HD426qt5iW=cM>JjL9b4*A*rQqT+jmJ-=XuHP}<_O z{kn~!Uj)wlYw=dH;Vc(1%<;TvT{Q7r4Tf=NNTlOOR-lXY8ptbvKH>(Wid28lJbI&EflR8-Ru%Jh}34=jFh-o`HzxWWLHJ?LRDi$Y*#*{ID$I_qhYQ342rhy6nKJ|vsydc!93xFT`B+=kfj~b8# zheJ~~5X?)bvx;3^t@;83hC5eK_4gtv@{fzXn+3S^3NEoquS;qR>NhWZO3$Z5^O=<{ zW^PHW}a&@W{eJ#hh 
z>aQ@R7Acoop3HI4>$oLs_Y3=&(=SgC{tjz!j~>Pz8~Hf>_liK+YK^~M2TGz^k7Wd7 zm!zaTE%866TGPMV^GSHD2=}1LTEc-aYU<+I9(g;0enz1Uq2R7d)8!;{SmEF8;T5p| zQZ=S~4@(Lf(tb{&TN|>wSF&-6jRJ#}_q$i0%N1;LOPgJn?7#M9j&;eeA`hN~$S10Kn=DPs=ckbeE667kWZCGBh1qI$zC zt1+95W>yRcZJ#8`af+pFDw@x7%TXQ1eGAH`HF|KTcAPV^{~v%S7s;CcyL3In-yc)7 zGL8+$g74UsOCB{!gOUc7pjJxP0VxbjnSh&gdQh@Hz>P585c}bfe`+)ij68_t8!cIe z=*;k4@@Y!1LJ^|((C9dJ?Z6hQ4xQTvsG%XQap4znb>Q$97kn45%!>vXamLyB#)89t z`NGK3|>V%&hj{im*w+^`HvAXZqkY1> zKh-4Yx~LRlT9V~v4wrq(vMe2W1BO@9%|sKzqI0hw!Ev0AM)#BU7JIQiD&ilcu0EX@ z5{gm%cVO8L!a?wZA4a*JKgReJ|Kfn)ydf&6cm;UF?4HWD0(#V(lJU5GXy&C$I;yxP zi}LD?`gY88kA?e7p-1r;7h?DqpQmVsOZZ--(ypYTtc;ZirhJlA4HtrJAEJAJUUzU& ztA&s-em!tm$Ks%(gdJPh5X4fJ=QEgB4P8_}g=(W~VOywJT>-F5P#w8{-4W^g#exxm5|52&A^Mk?$ zGQx0VXtE)B7hPrGBtM45JKo;EtN>}Ii(oY~PN0fe&PeRJFnlRhCX|kQzaUPdlSV4?pB7j0HgWrX3E7Tonioq2`9S`El2PIktJjClo}f{R+{zJklN){Sk%*W zdR4f9b^iYsPNp;`{`VMdRp#rp>n0WR@05)snJ|{&+y3li@Q928FqT|8YRTv43rb4W z4ei9NB&jVK|ro)nhX zD2>l!qh8)gO!ud_vR&iPp3@!0@!2@|j=Z+{8)r}a6=>)+o#Ki3`gUVLHZ20rfB4mL zrka9#HEQ^Z5~Ml=XX@4&-)X{>4AIIUx#VGNjZ4vN?Jh>SBV=-|DeOp-smbZ6duML0%}_@%F~-1FT|Ch7CYtI>p#k_Pr$ zr1NQlKaj@)2YN2|%)>goHH9RJvsV*l5zxyB`-Ro;kiGJn0lemTCfYs$S{AP#x#*E@ zlKOj-8!DVGqsmohT}Xb~n+};ULD_;l-H;RQ@QZ3xjV+F7&rIXve1en!X=gyP0m!#?(fP1?GT`b~H>YXdbjfEo0=wMgz$qohK-q{pvbOW_Df65dn3tZHL zfg5+uzZAF*Hy$McS$KME-2;#3TY-XmR_|c~)%cPWekjJ*TUN{uia}isCGOQn{{j(h`=VJnyS9{m#N6|T*57K6qpRd@3j`?*;X$r}ejj1Im;=If z8FqXR0xXnZq90zpUXffwCPQClAZvbpt=Lw0Q=Ub;cvT1ZGacdZApe|5oe1c1vme2v z-fnu57>~y`u9<~XJ*BwHuUf5MbFhBn$~KKl)~Wl!Duy&NK;Yd}M;r+_VDMHJ5Ofk< z{pQg^zUdHeSgQ;+ZlkHrM}vzo^6eW(AGn}b0q09nz+a)LnYb>8wOuERmC#{9iv~|^ ztx(Yea^ut6;U!_oZkD*6%HbI1Mr>@U-Bnu)BInNp+>@a5vYXNoHV_hr@##X=HLT>zJZetq4RemDtQq-l0&vrBBHYBJFjmnRf;6ImGQp@-mbge51g>S>IO*6h9aYyXqfp8z z<~849Xb<<71r=%5`FDXxT2Ai61{x_oPkA2)INAj%GQf+Z zq~LPUGfyLhDmJT;URF6|4$Sknh6S#*&!>-Tv~TKp9Hii=^oN_5S?3mtOFuB>orKr= z*RbcdwCd%m?^KxTA5EErOhe-Hx4Azd*4ui=FTt~uTZpY*Uze=4rsl-;j=&gKyRj4I 
z=lrmi2i%@nls#r{POv-?R`#kkcrAQHx|02iXC~MWuwcOzBTbKEx1h35;N4Nu(kbC917Y`9=p5Ni(Qs@Xq zZ&QQhp^Of^LBM^OGoK$*>%OPG!CxcNR4zxR4vqKvodASPu3Qp&pn08%9W{$mP@-el ze}o$Igq>@jc^EwP|0*4LI=^deR8=Ds3mjdB$ODiwTi@np?F}`hHFpCv$c7Q#Qk%4m zBJ~9y7R)+8k7ziQqpI?zk%e!9g81V{e3fWM3yTNevI7?AUWaw4bGi4XjLi3&d5JH|vfk*>UYPuM2HZUvIXP(21T5iAQ(wce$i65*TS$g0 z`lc>TJbgWo<i%=%hEV{Lk;b<|pCcPF%(i8XXh8PEmL7HD=4HZDK zRYJHkT7vyI39I#Y{|9EhOJgpI5hnU){yyj@y==)))4`e@+op)Kf5} zblhfbMwK1juI&pKgBkc5lnpq}esdnY4%ImVv3v7KO0VRwA>XOF27K#s+TGZL%}{OH zXf<4#0X!ymLhcZzH?^mUsw$yE^N9nTEQdq!2za(^}vCEx`ftF|jDRE^dKxJ_T*aB3u?S0h6hO~Ce{Bn`9dz#oYmg1@cE09k&Zb@*xF>}9i8hB?>F0>&{4 zl8!q6G#j!?zBi2uyw!E5ogC&r5Jg{wwjp@$F7R0K5l;F2$v}L$3{q(#SUi#2&hKOq zx!i2hG#aHGmF*Bq?@@)?EafHSg5?aRkb58_*M{l_ntf5 zpbmg!KTdFEh&ag&;CopzN4rweLmrB*Nt|IoFeJQpFdKfh7TU8bI7m`B>NktVSIBCsFDn(zsYM0sJ|vir`-`C+csFhE!ZZzZtjy56Utw)y z@r|zjsdW`x{8_}`N)278Mg48lkq>N9P+yLgO_o%=Ro!h8NE%E=!u0 zk?~gCoDq|wu-TwiDY-=)JkM^h1bvgNBeb#fQ)>{XZLWZ^TwR@)J0JmylGAfiJC&|q zCo$SN#vdYqTV4GBoT+ExPD}Ms!y6-lmZ^JPrSgFf86T}?eLD4k-sro>?10ws>3Ecb zs8-k^uUzj14&;&wxe-cfAAb1LA9nnyZ7|3rM@m^}h+l!-r|1lZEW62K<|I@NEjy(n zJkC#YD|*vwN(U0f8VkluTY|rRirxMrg5u9dT$BfT0{)pMuf6hhCdkBhML& z>sMAoc66GEt)5j{3eG~EmZ_-d)p6~jm5RV2&dEg!h~G;I%4)a-T?Q>e+nLe(oCN`@ z=TFECY!MsS|5}s%)eLQby;(;@FB)jjhEM!991>?*yr^awYFF1 zw+ysSHuF`xNZNw`2#M4rr7YL&;oz$1e#wPhTJbviEKhLXE5iBqjl>7Ntit)0t=9r( zI{_qs{pkv}NG1y+18}F-_~3PNcE0ghdQpu8w);Ps9Z%o7`t$00npLtT`XXlcma2`% zel^Fe4qG>n{KYX5)x;!(tW?q{V8y{Z__;jz)V?m}vx^O5Hw&%4;Gk8t{iN~W%f0C3 zHbMssQ+PJP!4Fh-d+X-1vVVG1!kVRWJxmQF^xvpryd#qDY9s%LA2`vPu974#-hk?5 zrnG2wz^`GAO)6vUZ&&m)o)SoPYes(vqWF~%1jE9&tQG35K&0q6R6qEmKoQE;DM9A! 
zjlq~fT*pyXoYkA-&4I*;_e23O4!y$b%yv87oCayQQa-6i8IS7Y`H{vRq-_ge@)i*$ ziL2DGT{%QH9fI16;^8pdBlz?F|IclrxDo9EQ8)mRgR|jd{>l1+mNryK^n`@%@$5em z7rbHQ=P-77klkHA^db&0AL_aQ1!uyMt(}sy=G7d1tU-ZrGtiMZ6W{8CrDbk+pQ~b9 z$*7kc|A~T>0#`RTQ_t-1*i+B7X}h;{bn-`&x>pPiE;kp#%ilGNG{`%L`6Xor4}i!# zlDS{6;Ld7^2z9UA_s(jt$&_*WM|FAm`h`>LW|!{KJ?$A1P@}Pjg!XSpbE#*$jkRZN zs}ww=9}$3m0#ugwUTe%ro%57~?-bF*UQHm1s&}~CSjyq2baW&d84U^H{w9rFz6t-s zF$|3aZN>Z=dBsRt3E{=H=jCKVK@F9}(u5U^Q> zO_g+Kb)JwX>1wStKBVWXl<7P%H1N~zNlR)}@1&w%AJdmMcegoN9fxNUE(RlZHWKIB zdu#*>C8Rm}bL}ikXMBIAaAbE2I=b#O2=6v(FmHH*i?UHpI+#mOTUB-gM3*UUs9cg) z&F%1M`Mn$&F@}*gv0YKCk`xAH?$O#$0L&?`Ns+ncRWc%ngwDyRxwA0##U;G8Z)2`{ zH~i5eUPK?b>1bE=E%>8uoXqWGL+=c!=8h4cifR_V^qX#f zK^Zsw0`-aC+YTWQ=tvVw;y1`qJbA{O^bTaJ`3~k8P(H$pdh*5OcKm$DTa-vDr^Cy` z*m-SnDU;Z^#6yCa7g6}g#RrvyFTti6-TIaG zZQ*lVIIpSfUwq&7mnA@p3xX_}@f_qcSqen$+?hNBMoQgRJJtLpz^oWzq;r6r6-GgU zbrep3Lda{ATP@w!yJjB24|XLP?Hkq8X>r6!wtx%@R5A>A$%+L}!LRiyS~fnDPOm3> zF=ZjJfCdAxA&x5JsD0=W*{yG*!w6e}VNod(SFY=kme;LQ5Da%%uwWDOIMH*GYYI(3K@j^ zIG>z;?Uf@WaO3stjId7U4(9`ksgE3Ak*;?wd#eIposg8a-N@vK2jK-C!AT;+d zfKKRZyne+DIc3%4z&$3SBXi(cp+~qaK-u${oXpoH;zrRoW(&z(o@o%=)HbNO z=OG!-C;W<;v(B0p#F847p+|M}GnYF_<9tE)Qg}%{YO}zfGA^+PhZm`?UtZbzkTaal zfAh-jDpObXWtaGXFasp2lC-(71pDFDN8JN;((7EQt{rFgHT*=U0Fx*`Qd19O`zG&h z@KH_xl9$}HClGBWfoyRc({#Nc4i@iMWDy`_qkmI~%@9FNZ|v_urtjCN+68vGc!Suw z4kMOSSDULI2NqC~yI=uMSR6B)0}qxvvqkC-O^%KVdoqvR8z(v$(qZ=q1%%BX2Q`-_ zHeOU9L~2#RPgAY!r)Nds0MDw4Ls8m?*SJx5X+_UG2gkleP|3-<7WJq7wRR@{p#tUe zF%!GR)yo{nuJq7e@=aJbfff^Jz_!h&=^z^KW)w*dYdehN!t!y-(d++nxfelc4aeOh zANhv3hfav#e}iqo(DQ5Y876iBMZE1;C(2FG3O)jH|E0!?1V$Enu)MfolJa1n9QXjg z31C_mRyWyxop={}TOxk^>q z^=8+p7(x-vA+v{uF%<}s(};SuY_iazQ4a)nceA5w#P;QP_B4A;g&R)kOQG=I0I z-*?G#eRvEkbY^1NW8i*gih!s6E9ITGnno**-W<|6A^{n#tj=ihC;AsySA!16239mV zqpH9R?(T$6_rMHl8Empp#_un}zz)x5=QjB@IC{nYdG-aDFFbpsN`jzAbj)muwP&|K=@p|SXiAv|w2=Yyx1t#m*Y-9t@fojkH zUjc#EOS3YyOM7wcXuuTWub&1jDl|jqRe!y?>FZBCq9SYCol`msBIVy`dE(#eIFVmZ z(%SU~93jYO;>h`|9I!KA0sKzRb(k!faNAd~&bIIMCeh*r(kX$%F(In=wW!K>%aFi3 
zkh=IyFB!Xbzcpc=Q!x0HfQ4iAy`WTj&tWd&ekP;YKb3uVl|WHIstDU_8kBhudbEg( zSq*rPG6n3yo-ehhm!qKfT?kJ9jnV&U#xh;fyb~E_dyHS(L8PQWeu%D_QRfU+aVN`D z?^cZWY67F;+A2-()i{Z}0oLZ#>MPN2*_}5RCq~3JVKvuvb2GdCp2vQ%T~Yfv&>VYCG3d#ooLvju1Q+y%;8^eNauky!VSdH zg-<4Z@2ePn87tATiyER`+S8yL3G`nSuLM~4UMcH|x8gS3^6(25s==^#Mwn_4_X0JL z(|TmmNq~#nhR)DO>Vh%DaI-YTj{}b=POmdxuvxWEGD$QW#S z&=(d#Nq}>=j@k*0Zk2)gSpBahBHyan{xY#tHJlC`cf&ZEFv#7v5JPjxBd5r#>v;ja zu4@$ZFL)R819Zl!$Uvk;j=#Bha)^?_!`!TQUSYc+cbv8wd7#7qV zmaP_9ODMa?GkW`@MY_-bZ8N)L$F8$O!uQHJs_)`N#pA*CHeC<3`?}(UTZ9GTL0?MY zt1SICchh8BTo2XW&ki`7Z(`B&Hd^R|!t*uB&}o@q9n-fBq(UR*Ci7s(w;SdWJZ!r= z>q#VZz{r)fmcnB`70d9sbGU!$g1D{M{?bb6hBC(wbJOswgd>PaoGz#rI7Lmj&Tm z#2yo+dSp|V4qquuJ1Wj8@1c5TN9l`)27Q_narOw9!2C4zcuW4kqe3~^l5JsZQ!{)X zCQE~Q2EV;0+x#H~QOHKfNo^cLV9s^zB|UczE(6_NpDqVOK$3^`4-y*##8?0ut!)XU z`8vwVC&q|v%S*XJ1bu}j8K7x%2$p^nH9PL#l@v%1gIFk-WYNE)S`s7yc#-X#UPBpo z(fuEKo1(5eP>`K3>R2}=56|D3;@-{T%d|zOl|W?@FaxM?4l{4ydAD!K2|{2igM_6y zH9MJ6!%!dfRj`7gWYm)O3Qz7&V|nKlF*^%-rz4A{gLZb{CSvAznZN}TuFyR$s8|$K$@w2L!mHMbvjG)v> z3tjm{cmTdN9g!YH6%%Ga$cHS%EG(hXPx{s^AjglJyS8<<|5HbR+}9pwrnPmXQdgjJ+V7xdhMfk5UiIL!$Z0)Figni zcF^iuC}<8=qUTY%;L&6RV!sn(If9kt3IHl04ZEKP2Gy{(xv3>Bl4}$ku;q> zF}I}8%V80K=3pTH5mo%49Q&NhS<{avKxAW{qFfXf9@DCzJh$tCQv>TG936;jZ)7$ZBa3=pHv zCfFQo%!s5FjE}=|n3hCI+;5VG8oL;Ms*OwJos!s$h5M#)>ND&NSe;NQr~DO5anu(; zxzWwnJt$XeE@_ABfo<1=t^b;MFN~Nq_Z)od%J3>(x)%do6DJM{$H{k)z&OM{RTvPq zap((xmh#5Hb4>_zKBG_!W?{6M?21{#_R+R}Tgoqz4<_~W_gShkgvX_7cvCZAL|aeZ zfkv77KMx_scigVSl|0&|Nm~Du)u%=SW|c6-R6NSp7!^(K@A*Sz2v~>a?dc02wpH7z zH$!$wG=`tgl^y`IO8{0>@2KV^&=Ty$4u0Yv_U|xii2cd?!dy-usWOh>YgLSO6mY96|W$>%H=+{6%i>k>3_ zxdc6Qao8P7G?04Pz9C?U&b*AP$!1Qtx~ zwGj>w{o=@?rbI(nyLK`CoIW@~U-)tz5}UwHyTUwV)`%%CvH3dRG8zz!;D`aX=vi^z z5p) z%1H!*Mku$yHTUjxBKPl9zxrYFxg((2}i%`x7q+q9Zo&rvx=G;lzy`JRRO7EY*kSbElH5(Mb|v8lCw)f<^T2x4OflH zjIce6)Tfmc;qtv3VXt7nt_y7`iJayMBAT6taZ@?pU`LQ;u)7RMXSo}0G20m_GLO?O zSwHGI#g21qU&1m<&cC?|_PV0m%M{Vu=DP}b7s3g2?Tuz*k0Q3rS?MvczDXyVM90>} zJKyX6wqxRLK67JzsPz1gTugaw!Mwp7Vr$W7UV+0R0((gh>L=CT3A3E=rD<@Jg`?v~ 
z>eJ89XCW0M#-5~DkdmLG)Gl1m0^{GI<^1LBVvhSC{;?>`TBJ{${4qriVuLWostaGk z*Zmt;H>JpXo0_g*YcccfBfYK%4Axea311bCs!@ zhS;Q463nf|ArctXZHA^D!S!X1g}jF{1AdZY1>@v8MMR8)U$L?|=jV>F@RAgp;rEHo zX4Oir(IefIWs_Q-t!O!pia^{3V#wQmh7?j@)K6>4y zhntmYu`pa(5Kkq%!ltKIsaI>+rlOBuxK69PVoyB-3JQZR`at@0JG@VrK72$4iS+2C zLVSuc$4lJGFq4dDGRlbueOBZ30@LI{lntr*cF3O+4;4nRsmOUs^b~<(b`qHYySZW9 zH%?;ywPcSjl+F&IL$%DTu)lrm^X#nZvMk9McE>pXpyM^eaHGyQh06O58<@*iE0F6{ zFsc`b(0m$aMr`CGn_8TK)RX)7=U~x|e@pG#M<*!Yn(EE%D(?SMb7kF_XUfULS&1%_ z5=fQoe=j#-8^QhzI|!dxfLxE9kHFXq&7LD!gIcze`{|?J!^<3+%gtrF zp;)36GhejOJrS;a#N&IgNPD8qL>yeE~vWOO8q!ma|Homf zx_{;7F4JiJ6!vC_H4J1%!FI;&hTP9D4d4uVwx}PPkuVpa-~*gLSn@80AL&%?dPL;MhQ* z)^cvirEqmo&N6!*H@s2x9%XM31>Ia*BhM#rydvQQUKsL2s<}^~BO%8#A#WG7In)f- z1%gxx0`qN^b{Mg2agC*iar)Ow2uXQmu4L~yzd%+|m;gYY@;+i`PXp(kW5zsHEb}Lt z+VM#=64FOsPb=9L*8G|byRp=k?Mr~N{p3E|znnnMH4jV4>FI|Oj`x<=ryYBLv$`-M zoz+H_=E0pMIY(h$eZ3Xdrkn5j7G~gL@$@4~-xGN|V!X;&BTD?c<1oDR7!e}n2w*tW zvm_ZF$BpooX7_liZil*9jrxM|Q)!R;Y+Z3@pXPTQD#4C%a__;qd0+BKn72FIqPmxA zlGM+em-F@6X^F(E3efwB&K*|H(wW%P@o2e!27uOkefwucVFn;W!pVDz?{4yPCFKCM zJ9Qx==@@9(A>-QU!YNk9>)w2l0LK4S)VkL?tM-Obqqx0l`~AIL zcK$E;K2LvKCmPLff+;LPIdkw$!}tXWBnHDB0b^C9rL{dgH<`S~tMNApY3t^J|Dj*3 zbpoTlO?=?^g03p#Kr==9H5Ru6El(KmZOr^{ut5T`dMj#3)}u4HFo2MHDgqo=3GI3H zd8`XNS){S4yTIq$uB-6S9gj}#qV`}&s<-Ll-&XisJT!h5ioVi@|L z4pZ+sLjN4%$hvWa3;CS_E`K_OWzrV}y{l-?ZP8hrL-5qJmUloKyO#UvJbF0#j_izR z&l3EV`^02~E}BabF3RtQAqLx}U*+U>l?2C}^^xB%1MhOx@?M(Nr>liXy~{uVUr*k< zb5}(Koq+e+t)Qs7QSWDWg?h8aS(?-7Bj&5`5_w^-%vLF#TzG?F6;9QT%Sep^&<`2y z>AFWPd_Kprq>v0S1`1oTOh?F?rKHs4UwcCFFT%;b@(JiU(;Z_A;hrT9c^&8?NYrRK zZw`2NRVwP#b{ZKA^nrzYTiv(Q9@{JbdL1lDi&F-}H2~Qy7(?2j0zaC-jnMJ7Zsb=W zL){4rBKp*KMs21^9t|a&bD?<9pcZBhF#d8&)%a=OF9mbXokv-mKl*N~`X3?14iVHi zreVbL8?WQT#dp%)1|ZQC`cPiSlT@ZXY%BN17jmHcZ;Wa`iL9O~myQIpDA1V{0k`G8pav-)Jiih2_AW;ju$;xn$f|8O&J*{w32oN%}?G!)f zyYyweI9P)UqVJ|U?HdNO`j8IzP5{0bd(!cGFni9Wc*4_Xu!&OVkYEiZw_96h7$+485tTyXv>ywQs7ORi|rr5cS-^N>6Rh`C5*UYVLi@ zURe=TC8?Zu4bJp_48net1@Z!wyo;WV@8dN2(EqxWm=2`#u5A~fzoT@W&v~i+&okCI 
z4@!1IWa>%?Q`em8ubsUB$4^A{W+R??-rQZ@+O`bk{l1vmtTL5Z3p++zX9K4ZJavil zQRyg5)}!{QTZ(s&!UQxQ8zeep0<9hc`$oI83cn_L&$-s`&QJBYy+j|X{;)gsV`0b` zjE~(|k^bRf1g3~+MUq8_&rk-J3wSq=2$)$}jM>^N;Tw;tdl9@D1~-t6FV(8&no--Ki!_=cR53zNE`dEKbiAxRdnlcC? zMQgW$AsiJ5&UjK=T%tEUj*WYHB{SZh;>mZ9K6@Wh$y8EL!3OfLxB$+y)>A2BVKcjm z=TDpEd*TrHhq@?bcm9@n*fQCR2 z2J5_)2Gign7y=PIg@_r{s^9Z{qS84+y&0R@wK@H5I_K= z55}-4Rz5+7WV>;_4k8LGxqJ%#hdIG3x}1a;3iu;-Dk(6k{TgdZR0&2$s9WA+JDEqVrT=Dl4#srr}(G6;O*m0w1NR2HO zTqEsBM#LXDInj6gT8KHf;GK3n4B3GhrO}86No5;t7`+iE zXeK!uYnC1_*So)yE&MhvdO87APiFf3HL^!0p4q;)i94CFIv)?Y=h-RwujDJt4 z);80X*-@#P(<7%qT^{qMI=d&Y?6=eyb)qD=$+~v1ktgOTgoB{lSjgm1ZL*5-ZYbj0 zY#oX*ATgYr#qPA|3+*M~>;+zr_6;i1OQ5{UaNhIWwaD)?;9D$y98UQu+)$@?&w{5B z|3qJ)&4jD^eU)5f)7m8?A^%{w9Gir=;I4=k?2^DD(hB&KB`!Afikbk)g4Xe~J6%T*l z>XUb#llI#OVvI-y#)LOrB+s%~)1Y#l;45lB) z@>Wi*F>sPRnDUT?iNJzS@@}4&p@9nnJ8pg>;`>zpzkyJ_o1rnxZaX%~Im#Ps>jKQe z9Aoff)_I4Gl>iUoQ|jEBK>y8gmY|&38;QZ}PNll@ZxZP>Q72QI<+jMOPd21N zD`bpQ@=Ycf`C#F@DBIjwn#Nodq^*$9p&YtfGy2a3K1R+(!wl7uaH--8Vr!ZI=+IW; zE9!CqN3fa6Fm}mFXGA84q)bUuNInhU3eZlw zfeR%Wh{2Cu1RuAfd6y{3$$@qptj4 zUW_}(+ja6leB+FOjO^{Un9I|uGOCk@%rZ*fgW&xjb?i3@>tKi>-iHPI-Trv-1c6vzDt zkwum@e6$tC?Mh1LF90Ja06-`5h$l702V1XI3%!d}(rKj|;jhJ@0(viW;~QZ_0?@9{ z=*MEd=#26tgs2%^3B$bIaXB2xZ9AS??~FEu{B!~t;gH{3OCs0Dq{4@BBR~ZvVcvJ}W8rPmFag%*2yROtGKOv93_K{mqeUszgi6ggMk~ze zoNPK++O)^3O)Tnr^WS5Vt_!n~;T6sW#sqVrUorjT*0l1?)0~8GhAHEvG&R1E! zjXL@#Zgt|rmL-xU09!a>ur)(I5*fh8OFz}xYd zYsRC=Wd@Xpf}mqBtQpc|p-&kN*`gBhW3KjtkN}yhC|vOQPDdFqB8V3W!pzVUG;ekD zE{p2}`hW{5vb|-fMUsd@eb^5&Akj=ab*La~nWQT0W$^0ge2Qt{{7d*AD;cjdBb2#! zO7>NyBUU77``UFPKE?dc`F3WCeG#>(j4FWd$(FjcCB|0}LF|&^N@1N{?~5_M-gq2# zfBT&XK`LWnS!Na8iB_9lERLyMt@o|VhHMwF8b}Hk`}gwA2KL6v--5R*7i)j`>@KrI#{H}CEzKdp z0FOX$zr`3VWR^f4e7xjg26EiV$onk@NwjWh;wxvU@N_?t=FC`1_C}(-Y+-WA1}mJS zJo-qqNSH={TUhFgHk=?E3o*OQFf$1uK{rZPfVOtJ`$esl`up4$Y)_y&4DgvIi^h=< zsIc~u!{2mTs0wsPT8i{URq%_hU`Y$W5@!IQ#_I_$5DYmPY4EFmS}BdPB}?@)-x_p? 
zhDLrD+=HH4VL$5lC+#uh=u$DdAuF#!c6{&4B7~X`#IZ*T-`7A1Q`%@qpA@%f?3{zv zdANiy{jmXqeTHpDERyT$9G!nB*L}Ws-*w0H$Pdcn0pE2;1LwwdHja1xD&)rHpVx#< z&cRZVy(+;v11T#JQ(j_cW`lM~SI4(7FNd2Y(Aw^|;i|fbjetL+`3}=;`i6qghCC!2 z`8uO#@ATI#g(qG`l#YQ*m@^l{j8k1`S(+t`Hx;{kfPdo?BHkOf45ykRqE za}FrGZuub5j6Saj{Bko4%xe(UMOksu?@a%D(i)3^2(qZvqdKo%`t$dvdUG4QR^Un< zd>Oa*!R1>^cS-Ju&mu@lftBDqqj5$zR9ABf28U6t2|kv(kpk#oe-n#zg?p$$+tm zVKryGC5`QCj%3R0(6rm{TXVDlIEszGDb6s^gtm%au8F!zod#Ae9;&2l14~N8v=HzP zyL`C*R4A!*Zk~2P$IYJT(JDoSiXnTIx{NTDWgYh__{%csEZ3FzqXP?{K+3f2fCef{ zP0dK|R=Iqf$7tsme2N8ack}*orJsjsn|6II2Udq#J+9LEK!=Qv*0VmHCrf6Kc}&o+ zA}T(`t~)e?RIaN$bsAFcS2&OYj`In9l7|64f`-C!$)s4hDZAg12Dp_@)=zC_ly2XqtP zRvJL4KreP&bwD?<5TSBvlO~p+z@3M5@IJZ($~Aw9S0vQ^EVy?2e-b3Z~lcS&;lJ-`(Dl0KrHARFuVO&Q-RkRPh{kyW!jD99HAj(}= z9E-WE;=@?Y!s~CiC>3pgX*_r?%#FvdKmLOSwsBaw(inUAkPe-1owE@?zfGiLfy3pF ze8>k9#u?)v%_@8kkzEf2&PkYa@<=rH&Kv{ut9Dkr3Pe!FQCx5d<>UCS5lB}2n8Ll3 zJ~KJFh--T4tkAr9q`$Ki-`BA>ms0C>v2yBBqfeMbL9iT2rsN_uutR9}EH?Jj#B5${ zb30}oPjUFGH&Q(;s{liCUWA9&@I;)+Enzy}>7Kk8ICq)M##f9C{z-=()=WlM-P)h6 z&>MNkG_03tq66xWFf6KSb3NI=kpMP@BU?KqXU(cO`&fel;Af#Ca3{aj2TID^?>|<= zx06vWIsX#{3C5uLHN8&c)z-O}K;hHHmwAm#SPNHN?QU~dx47&I#&~Y`uuHYqgT(AO zSVBSP5rLbx5PgL2qck`*Wo?v?ZNDggiIVrSI`~j?Sha0fQ~tikHLLRQ9*#-%L6Jo; z3hDN7H7~Vn$z|w{!yx0p=nt%YqNX9B2tFIY{|Gs!TGD_Pr>DFjP@!hzq3ecDAanO1 zC23Qp2l`2=inVs|s{sR?`R5`9R>E#M`y(_vY)eT2^T4&G`7fLhbgr&`7@_0oB9Sk({v)W-cS-K{zJ=4os zVez$?cXUBnk9&58y;!X)k0?pOMvD&*W(jT_`eDQ-JQKQ zk$arH@NWil)2PG8&}{VuC^8ICC+9N=>QKzU+Xmx6-c%g)jmbWII9NDq;Y=W>bm_cY z@Yi6J#R|@s??rsHA#}}2RE|BJ=-?b7*>^zDBon9dNE_U z@?APpeizG)M%qH6q!Fg)Wi9;9J)B1V#cHn|xE-<&zMkM1oUvf~f4G<6Fvtd8fnB*(+y zwRBwv0Y=Jt@I3w7&m_NM^tzp+yYF2cL&>tPaV#BepE5VhH z+R#>6;9~&}lxNHFg9wVn1mpjgUQa17P82P)w0OroN1G2R5A1_*U7pZugLAsM%rwC3 zT_he6j-t5*IUTaoKEnjVKJ+ArvqWDV8@x51aHTUS2m*F#NwFV48^)&K))CZ z40g&zZ7K`yy@7w;X;S60h$WM*`$_7F)$c-%@;x;tHeJ1D_?rROYeT>}sRQ+%l{qgC z%m^~(MCApY{n_9=foK!sTVYHz4`RP|5LuQcnx14U>^D1|X=0h@TZL6@>I2D)FiZ&v zHF7y^cYDdf2(x5KsGk&gr+Ecbv7}5@D*h{JQ})%8r~O?iM^3WoDrU4>_YR4g{T`L* 
zg#Lf|NZS-6D>Gr2>x#zAQPBRaYRw@u%BMw}t=+YlT)|=~O-{X^5aQEOqLT3L($K(x z5Ap`*lXBZNz|(MDZ92{SriT7}iYy-D1Cw%tw>XoD8T=SnV??=~EPxhWU8}t9eaV}o zj(GT2pfJ(@UrE<9l(d3$)p?A5*&oEq`bh@d_eG%)EYCHcpbWojGsmAVs`-UDR{*|1XBqBY!xC~_ba~)MpqW*Fby6O6zWQ4?5 zzT86;uzj)U1JN#S_tJ`k!FhMgm`aT*0yUbg#g;Ve$@J&oVqShg&jH-%g62kG0dECh`|9I!AcLU`Be8ENowSKad!#2vc-lK(Ng z)Og_H3AZDtl++iiwzB{L*kBK|e<#(-FrarBF;=fz95pP&TlYsGjcQROd1!lYYVIFo z{qD+7Q#i-qnL!dXrAV&(mF|mMmN;Cy`wUEc8iX6J1lbI{I18|V)`gqB7Dg5>x4s98 zKX+)fdG>$aw)EUTxUhxEcI#(!3U3_JG*n>FM&Qrq8QQgTu|4av`YvC_&1()x9YtK_ zyn32qn$=FBxRP>Bf(j1bC=ANhB6~NER+$gH=N5smcW-3`Y3)7WM{i1@$=4p2)?F4W z#?gFpSi`hR963JGTeZ?=+$lH*@K3GR32htJJkbn2FzQz&90KtYGfrC}9jmI)_7FT~ zCf*|(S;0uWB1voiURtZ_8b{wxThIz=KMnp`l>g>QDOf&Q(yqb5uk&Jpa3Exbv6R#H z&|&1m5&0sDsz`oS)sH8f&J2pEAJ3&c0xB|zzYs;>*A5Qrl(y>FC|&>vU>PrhQCd)! zP`c#h`wuOaeE`Bhr{kGN>cicFQ?xZft7{WT}|qvMsiz? zbplj&Z30sx z>=EyG)c&k(o}r!dZJ=`8-jh6|R5(R{*yY63bbG-^(l9^CuYBpwCmEj5ev`<%CDa+(n@6_ zUTtO=n;f4Le#(dKZpb{;Qyi#YY);G%uu&5lET%P}D(P-DP-$8QAGrUL8A=hw~<4M2@RL9R0V&mFW9QiL? 
zOYCL8KAwp6DDQ7`%+Muh*P#e$w?a5gJHY;`7?A3g5usJ5WkKB3a4weMAp_cvW`=Uv ztRc$|Pu^hL~(2S8b8~Wl= zLZa25nXNh}Re00syD%6U|p_Uwprp;4(C;2!5kT zJyZydsB?|#6cGIQ23JGX^11v3F7L^-pwR|sD`oWE+-6C#vErTJ;4PmMz+-X2SuXXR zQ)nmL9{JAztXNNu=r2uCP;3yn&V(bd2f#TxPr3lrKiI{CkRHtb^*dy?yeS7MPk4UJ zmt|B+Gg?^V4|44#%z3dem|oj5|Ni&EoL{y7ullS0<&{;#-s&)l*w;IoMWm{5>h;@M z6bR_A?xI;y2sI-Etx~HmT-Jc9!&tx0U{+yXhx@<}WN9E|fd0+rSk>EfI{hjmB!qK| zOk3g`8A$?YJm-X!CSu*nwq=n)Ga`iZo}JL3ej6{I_Xq7AaTva7ZHxs#kuCaSWg7W4 z!~aN633AN-&Y8IItD$Q)keWr=eeCdR>$a{Xj)l&k9<>4ngJD&uX}{Z z^#q@ETeGV?;kePR9V#?ergzulWdr+M8QV8aEcn51^t_&p=-q}Vj)O=&HS7~XnZtyer+;MZO%px?-FM9dV*y0yux@Q>MZKcEXB4TZ{q@mFu9!nkun^Z* zj3J)J<_O|2S|P9NjsXNXg(OBn)UFk!c4~LB4uz%TW{64*zyZXLt-Y6gh8F>w5wh}@ z7bmdyS<^6lVlb96!+K%~O~MVnc74M>pj{6@L_bxKMSDTY8pCpfv01<4Vs+`ILm*=e zC^O9}TR^6$s69SK^X*KfG|o-$`;p~lB((*JWTdD?m{%r!07tY3mggsQo|Vg5{tjF^ z;9mH~`Oub_l2ho=!rEa&nSjGdc6GMmP+Vn6@`LQH`!KN?;kQ5^Y1(J7#}VTY$_{7h zEAJ&~-3VB6814^XAbmS^Ky-VpGH>8b6IjUZ4?CUwRJ6-cu~G9GlI$PV?k2lfC~=YS zDgFO>UaY+b_dexZeSn_?ua&G+3QNT~G!2T36I)@yP6%tM<97#IJCn~KH9{-=9c-;l z(7bvk#v;=^Kg#Mja1F4Ogo6RC0=8Ci^kaJ^-1&vhkwLFTK^j_&ub@O4W1V^e;L3=H znIJ4oL#fbGW0!ZgPsc$j@ZYtu45BN5R#4aNXPwO&~bSx62juIWP}5%DTypHu;VzyjBm4?zIH^EtnEuD1a9p1iJH#9^>xD2pL&G zz{7qi2f5mq9hP>Qm)>56DvHMyP?(J2xECE2(|A@gT;=?Vg7{k(@%Ftv8&;o1e5lez>2oshK+`Mj}Y^U4Nq((g!qw=S+l|P$u zh0|u>XTSNgDY~OYp-RA0WCI%KKtp_WM-br%y>WPhEly| z2&d)J#!$s+iH%6eHG-}RFoz%x6oWB-rr~qYnj-yzwUN=MUMz0`0R9ih)oHf}L5y_J z(;NP^JA5IHXHdr&mfS}-cjqmGmB^AMgQWXcb?;pV=4)=EfR7%ZW2y)HF}gP;RDC!K z(A*qX!&_)k-tYO1#TAz=5}pE$JCpOkAMr7=@*zXw_!Cvxz5@(^rntuM&UY(@3rhYU z5UO2eP?t6%6<4xuMlr%&Z3(4raoQY()@98r>;0PRR7riOFc0xA#X%_d>gduQ`y!p- zJd`O-;Y9vE-E$TQ*l=lDV)e?|ZT>j&UN#zQ3UMue%AKbZy*rM6l9;=;E+wBM71KR_tez`W3*_{Nc9v;qvLJ8NDHf`XnJ{1xvy3ynR zDHbRj+b8UE(n!=`%cCMPV%;i1ude7d?H+|}=b&S`5LSy$qP+H5q`7OdS{3s)L(b_& z?<{#GP!$Cw!NyCvQGc662pdj!d>4iYXb$JS54*4icKv9;e@TA;TrG`d$wE2H^fq%* z1Qu=_`X__05qNrA`VyCW3CD~_=!BtUzgGtS?mq6)ZP-6;`QgST;fToh4C}tm%vXG= zjI^#14(AGvSL?kcy(pCZ7cBC4d!j496>3~q{)d*qza+wp$XqZ@S^IvcCl5(5!qv#@ 
zw|H2awxGs4`6qO$=}CX97O*=IYT=QMgoHH**<}`gL_2{z{VpK#x7Fd8?zR>2j?bYp zo=1)9kupbVXp|8r4+upxR+O9h=}4PcW0+#8oRQ{w^)jxWUYt=@JwbfiMknJ z(S>da^3s!7#xG@FpKe|O{Q$#K%a6$10ND(}avpAR8XlWFTNn~jpEv?BdRokltJ96} z+{j3_xxFuoV36I|*G-`TE+EOmh)I=%%xL`#^f3a=1onP@$SORhuw{&WDU!b|J>B!ysB^$90b3*yoyE8pd2f$Fk-= z1_^((+9@coOj?G0$M#7qqp3BwWPrT~0NAG-iC>2Ap5py=g3t`xLu9U{|Mi=_$yasw0nm>F&@`cGk8&Dc|8U~b_WzVn@0*&K>Upij-=0ir zQ&a}M<=W`f@ZpgQ)gTPdwB!5QK#-$IqPbv%{(&y)4eEUA`pjh1&J zXOeDycQ7!poFw7^|CyFu;|!O?<{m;|0-j?}{=?19iZux2aF?ge*XGI1Tl#uEzH2Vm zTHc3;>0XwXc454-`0x)jOsrk_o7@`lV8qeGu07AlR<+pZmkp$9v`_1IdMcF0cs$iq zZqc;F6FjR00AD_tgS9dMzvw-ILqALS<%_wnj#x6XbYJ>_1_z8Bx8^`~g+Mxcn~Ec7 z;SY)R^9x21fpMqK`y+Ed+J$3vBG;@5OZ!nMcT1pBM8E%Sp}^)3YXE?+ec+}iQR;bd zGNK8)vcbaXI@bXV-5%i}jYwcSTB1Ri1tnW`%obZIlSwnzSdAd>5o4tQ9_+DW@dbYX z!i-pu;CUyOT1hDzCuMjI!~UiAFdB}<=@X@&+ar{%G#3HQhoI@NTptC47gw;)?@#@r z8)F1bUmkWp>wGM!L;WEDO>;sp zM{!2VTT|1+xi-Uiaw9b0)_COieuoikB5_2LhW^jKSvjpg-_vF|5ny-Bj_i=_K7)HA z$AOt2kdjPg#_mVQxun8oJ*4}{ewHn$+qzpp-{*=5nO>(Ei!=9R7B#a(P)wvow3_I{lbrwH8CMd zy_z_)B}vlNPX}1JEgi@kS<+Y(b`0r*Uurfn`<5eyeZXaiW}zuo{#zuy1>(dNMf$!T zL%O#`oF}#now|=tE_D|@hmf&qfn#xXyCioz_^wa9^oce2j_+M{(2Nm9Y4uI-_A^cj z2kcC`r-&*b%XEc8Pxs;Kh!=F)!aE}*_Xxya?ld7t-egjC^g9O#cqNg!jAg=HdtL`&>m+m+ z9jNRGvI>Puh_tsSN^W{n%m3h!2b4ObqMEhE|6mqJq z^$f9r5>Y%Jrg^y3Qms*c+5$3kfkXgbC2GtUm^3|!;)3@bqPCbD*|bG?WW&v~yNOH0 z8Z_&0CVaFn_Iv}%9cWJ2EL=_tF2@~sD=#)-!){ZYn~9~-xc!Mlxr38a9Gn0RR;J9Y`<**&IoS`uDfnF00+WMZ zuS|^$d{QX4s|!>{IGIsYV~uNf^QLU*3`Ybch-SY8LQOuHjW%T23S%{Mc6g427vON? 
z24(uNz~J;pACY&EK`d`ui2$29T>^N1OP7DS#7>~m2LzZsY`@)m$tPeidPrbL9*YU} zK{&|gW%I8R#dQ!p;0{O&lgYca6+#4fzyFfjF<==iYY}!)GnHx2dl}@l+Z{qYN`q^JzDk=meZTc zTizCqDB|=ltJw$HraMiF!%ajd2C{cNoHuWOKP-NIp^1zHA4C_2smOx$(u`94kM~d* zt26O8Yr|r{1-;|^jc#v$9qGhN7uaU{l>Yw`-J@&zb5S02>IL$DOHNz8;>USsxP3vFFJuO4yf~gZie*=`a z3{oOW=);>y#@CTxfuE|Vv_m=8R@?4%;F4JE8iHg>+hC)L4ckw)w3m?^ZV%PM80PIy zh8CgbCA3ZljRe&4-b(m_`U#7e+o~~_0Tsm*LTa@`1uA;Q(bBZaE|FCArCvlqi)+hp zEE*Dw-u9zp%^$8Gg44=`Z3E#I%b%1#F8$i&(+*mWqg#hFN7b8DJrU%$Ym!s;WDEa(R&$b$$_lxD~*iTaF&QL07gree^9lQdh2F5=ZL>} zLK%|IjyDJYW8X;^*MVYSH8?yLMaydFk{Hk=RitQcAK_)NY#>!jRXy05WkW!9YQR|h ztdENCdUuPn7&cflAit9{h}cqi6u3&A#inhXsolNIMt%HU0rG>aiPqM&dwhSkYr0~y z^hqb%2tk(r4~{U(=BMYdxE;|B;Fkg_1TvnQ!c*Bb+mRe|+q_B zWx555Q@Ei{@1F%uBmRhkP}is3dTcbueB*dYm7lZVb3#t|UtA>SG{vKM(I3<{$CJWn z)Y}3fkL6X3D72cSjnwX$M`RO=tU6Ro|4B$B;7o%fLHb-QDW)HVrjMDs;nxMkqZcr3 z%#RPyAi#FBA^`Ws#KtW6TLy^)PI3)l4qV7T+=YhS1tUt*tp;uP{Z69HsD&N4MRaF) z0c~|C3YG0an+VQ#l%%pcA|+U4yV^=x6rpcks8Df0w0rLEn|%peSQ0V0c16dCpOKqC zo?q;!`1}xm3YLXKt0e&6y>S+EoshYsY~}1^a)Uc}XX3nR9gy%Fy_`w6gCJ?=vXsR$ zK4}PKpTk}=$Z06m#hZ=h@}pEKXpX|N8=(0xnOhXZVZ8i zXW@3{egCEx-J<*555Xbb3PVH1g!W_mO2s5g8QHu z>ss>rV+OZcX`8gu&!qGFC4F|_F)`c;qCT^-DJdlr$39q!hVZ3%IQ4!gj`LhZ-ts~A zHp_a&h!GdT227w7Urf1{06|O#eb?YeVC1}8mbG!lU{9Mvd09uH#LYHVleseVmtdu5 z1fX3RG%RVR9*=AsbHYmXMu4rqueS)3gqY> zEtaxCjv^qSK2!lUWy^JsQ71(`RWx{Ho}}BnpBtpY>NL2q^ysdRouw7qMCpyeh^14JPw*)R4q} zI7m*1S^Mhx9R+@0XNqSJ+;~nKv!dSOnvb6lF}D&I0_=aj76faeQ87*m-)Je1`U`Hm z*R;<29mXp3zq>{826fv-oc-1kcnwqpwT~plqg{7eD-7zISF##y2kG z;&DKCFW;q8A=^# z*nMEnaC)-HxCDQ0Trl_qT!)%FG~Su7Y4LTC$paQ7mP&>JNS)Z-at&&*99)D0Y^m;_ zKVm-ZXfVe?X>BwEx-nLGag!gTupFc5h7!OJcTJ#UM(qmPMI!djh>oA7v9SjtbpG|C z|IMfmtnr@EwmQT*tf9Ov5&O-m)BJtY7QtM7YPX9hBa(?>$63hoojrg86Ua=zRr2MH z>|l5sGQ8=ml361Cb}P8KS(V1cb2|kniG}HBBp)PG*;ZBv5zte#7XX`O13sU1r@t4n z6L1=!&AJ#}N}aYKwOYM!nH${G%W3ucJux>r%8G8?!^t$L@VG=?&-+dNS`7KAwPdy< zc;as67N;KQ1*z2wi;qUVagUgKfr~99DomKWLkyc~3)8g|{W1+H zJ~Z#=x>oDaBydeS`Z-%@M^%Tl!e}PZbZ75M(8(ez6BF;Ty}z%BYDkUX9P#)!3gxr? 
z;*NhJq)@ci5jvlp3=a43$9EuLk=zlkUMcwIdIE#Adk4V`Yw(0Xuj8uWz8gSa{soXZ zi9#NCyXbgvz?~~jp%5L$9eUO!|JZiM4!u*D*CY|bL%}6O3~+vy$14)EB|P@=yLRu; zqd2emo=@0pCogns$c z#UpYB%MJMCe00{7FF;|$m9F9`OWCWQ*MOd7^ILbxtqu2qmK;O26=|?h+}ryA>D7C} zZY~^cL3*yz-F@xe4{}S!N3X5)_+2wi7V?{R0)U0&Ofcto9b1J3H?@(-i^6bskzyjD zEwB=O4Wmu*oE$&|opVQc<4GM{1V^I)6}B}c)mkfOnDhS@ima`aC;K*<@3pwRH3&%O zWfjDQ{Q@rR^~Kqs;pxjS7`lkj>QX~^@E0a8F`Id0{%;PvzOwu6mQ;CXVL zq-x8mNpxb^MRe=dO<=~VrW6Ai07;H9rW{hCD-JMlV)WGE^}&QlQ!Py~J9Q#A1=>N$ z&7s$J6bG4^8f}5j8BIjqopsp$8k{Ewk4To+88k0I+4W@ThL|Y*It7<&WRc9if%lNO zu12w|ib&$Q3{FYj>K!>}hNm6QS9q3P*Opv`%BR>0*5=Qhs#~H<*yJ`G@A%341kVAz zj1C$aIM}!!E0BM$O`1M46D42s2qyKm!$a=c0R;FZ zEJs2^&T_-C!9gvbi8=OY)N~2*sFazO4)M0?wbSbZf$Y9IbE+zerdzABCgoy{W#3Z> zLNZZZEs)(jH=LpID(=-&<63Buy$5Is!-Xq~n>jomV{neX;%+;!AJpB7#qyzDQCKBO zN#`IS@yJ+5r&C8NVpKT?>YW%WW=vSdMsp7S{{TWb_nx~rK)n=-@aFZd1PuUSils1N z!sYSGT*V_MaR!fa1Jg1qV9t=YP+e0fB?_2H!^4jD+v=91OP}r?^Ek4Ma)t%W}VXoIMi>hS=p;HMweV5X1 zvBi{uYn}KV+H4>%LYN!&-m#Ws{`!?K>tV|;(zH}I*-EvEE|nIbEjSjPv0Fz_gHrUr z6{O!CTfcQX)uBWkXee-}|1K@L5?T(EE3Hs*7b#ynNnG!Yfm_L$BFJHKTa`9dW-=aU zWBF}ix%6KcDzTAUR4yTVQ>P@be`exW-BG?$CseeJ@$d4_X{$tPCX?EJ-gkL9wODmq z`gDPLPGi1d;QHf84dBZ5pCm&AzCSha;C_mgr#P%Kq;m$r_n4QbmaOv%h;kQ`sZe6l zi+nFl%ME4MteuczK&D*v)T4EED{n1fDJ(Z;0N? 
zI%@zeiD#0q|KG*~BJLE~vW%s}^m>z=l`%g_`Kpz?k~hCKcSpXX;nY?h4ls9_N_0HS z$V8qx+5xvZ8&mH}aa(4i)P5n-#2A!AD|eD01f|e~37m?E0V}oPVUMupU8OlH`?iXR zo-i8KLT)ISysa!wx|i&%5XqI}^vh07HEYuw0;SDLxu==WIpO+3HP)sA?0TTgKHm^9 zKV(1M+n^Y(vFVL^ypUA6LEv`0+NOI@9pX2P@(a$k@xp zg?yjqC9|D8%EyF?tkNZf)lYydH#1jfut%^YUjD(j$B~FE;G!e{+g8VQiVOz6aeR}= z=~#{_itK)P4rzeb&QXVjHr!G@X0)aayE(cf(f5H``lQYI!q+#Iblv|M%@5_^0Lc&iIt7f%TQl6hk-Hf#01o{?Rh6W_ zzw97t5!eq2h|m?-iBlQx!`-hd#qY0B1XK@BMz4~ocOn^7Rf!_=q@;$eCc671;h2N^Et} zlT24R4WVVbyp3&nlRZTq_Vq!6>K-&^F~L>P#H*WyKC{_3!hUdrYwyKU2cQwvvl{T( z|E7lZP{m~3Yuo!_Ly*C)gs1T&np1Kb0*|RA3~EvxE_0DF$O&|=EgDtNgFB2WY?7@% zce7!#|MuYy@#L8#lfSfHaY40+=rc5h_tg)*y0lllG$9x@D*nBiUuG7UTVXUNm>+Z4 z017ObNLr7(zy7A28Rc4nnu9t_zRJ%&c38WL2N4CT>R=lDs@n*q8XW*zhV$DmV~lBv zTJKWG`zDoC>Qov^N_p4+V@`*2y8K#gwmmaLX5p=wRr|RmJE*6qQbsT-v*T-F$beRq zi##nuP0{}^M0Obm9tS{uT*A=Jcj&|hWCT;ztAMZtZRQv|*t5-k4}gdV&Dc~pA3Ry` zfJ}0w+5NKs(*|^%OV=PJ(zvu~S1^Pr0QaCBO3cduP6J`&{R$M^q}QfiocL+x3|t-C z2#Qm)J(TWr&m~t_04wFyv!T~D{#=8)tw%>~^A&MolKe>%gy7g%z{ytlRz&~o45W*! 
zy};qyp1y@D%kn;nm(->l6Q|2MZ63DW4Z6=r6ZExL7h@;8clI!qnQ+F)61;6sjoFZ@iR|2{a;QiVc<@Z(p^**?Fca!uY8Iy_CX$89sk( zw(S4fnoq|f3>IEumg;NnjC4exKYOJu)X|YU0iG86TvgX$EvGF+7d88IQ^+!nmiFhb zX!R##>MnrPJ{21^()U$xVxV)BtHl?RIUQui5d(6~5)|8^nCokV<5>yEy9IKotP-3{I$GN!RM>wRQpyn~iME44p-~c3o zC166-7LY;wzM{yzM{p2y_*_G)=EvFbl7@Q6my^EAKh3bQSbfe=CAim6B}ZoYm%yx7 zkf)pN5AB|8GVJfNWR5jV9lYn=E_=*-|N1d~{-v8?p-uCC`L$UGbE zJmNo}=l`1Q?((G}$~Z1t6JG}e@B+uVRMXk)A+i~&G*R30Py~1?Cp(}Oo96rt;8+I9 zua3S)x-E^76)HWPjT#1#h zvjFl`-R5hBFWC+{{Zk4&B@@LW`RP0llkB0y)?bzanFc!mUbGOxc!x09-GZTH)RW~c zhV~NwF&}w6pq*R8LK}KF_o{Og=Rk->K1d@eD!mD!)VgOpI0Gg223_r7etWjjCEN@J zqeW8Qa$P@Y!-6`ZT<_^WlVxJNI|fC!GcE$f1WZB{-MUvi40KfZ7FOhVDk}S*UTg(2RbCYn)<9uIEqd$e}?s1W~3`x zTDSY>q&y#Jr~WKcQt0j(sTVL>-!}>;F*8HeD=()|h9TEMw9-SXnc&#|4qIDRy%OsO zP@z|}?PAT9hcm5m z80Vmnz~OPlziOjOJ*s5OQPb!)&(s@qwkWf%MA9q@M?nb5ZJxU$*~wCAx&T)D(#6)3 zF0JrlxkaD61_C$G zE7rBc|42^>a?JkCEc%U`Uf+-CG{1jS+o+THom;l8o-NZr6!(gO@bGQJXX+_Kw{8Cyk8_qDKzxo@mk`5*nI5#%hyN|u+2*DnPZTCqF zK`k=3;v}>IKP?Tnlgg8;w)vz1aZPZ&t|rQ9Kwlo z!tvMvIRgNSkljd*3#{dgGPHdH&dCnYb(>C=iAQ-wkY_)juXUSBUp?~sVVPK_M!bsw zDX4f+k2BpZC0B6B>jzXKHAc-TjISTOT>Z!+wTlUv>@s+ib#B_Wc(;E%XC8`2n@HOK zcm>?ue1Y@uS)X$nAzn#485d!h8QZGWbh1$4DDtt07>?fwdkse}H};?GQff+qZ102C z$u6fEOC%NV{YC*yV#kiX1GBK*FU~9AA@yk52Ra}ai%E)&6j3En%-hyw;i9jE{L;3D zMymYeuc38QE6+ttutM49KY;r?i6@;xV{>TvygLC>7Z502M7Xo4)yDeJ7w!ZaIPGs_Reg%CKCCle_cF!I z5x=)T@HO1rtBIqWzS@t3hc+fQB3JKU_9<<&MGAlWHj=}o#a#>eNwD_i1=nks z0}SMS`X36Ccl__ZHboeKgWWy5Rw%68v$HqV-3q+-0pL|m2?$V%OG1E!XEm!(y}7m+ z$T2*E_1<9CyYk_~m{T7-G=GGTL(8d&?U>R5u;v;{^HHhav_T^SaQZpvSm_?HI)SwY zM`zuR(6MmQWae%ytcsg8e-dRvJPOqFitX7d`NL2U$bheizdwNiPQ?_w`zps*bCkI8Sue`Z;KQH z6!M*789-{5>q(y0>T(GJq~~;2AmcUk*bMN+#WCfoL%J=l^NN-sViHhYJ;WEaX5pBkXwwk2pI@!q z<2nt?lsZ29&yVUY);a?~9cLj@&oy+`PerJ3` ztwZ@fb8ciG5oV-v2IU)J7)wIZH%KTG*2pd~+Z)Vhw@8*iTc5LX6Lq?D>`nw22l{#|Czt)^t5 zqU=Sd0wcBM3GkWAetw+iPEKNV>+JnKN}{@P_hitJnBb|g&ZYVGN)w~DM(Mq=k1_Ab8wYqn~b ze(3%1uk5<U^7K50Ukh-ApEumQlCc17C=l>)rT3zrF zi_Rl@?bWBy48hm>fulPWu<}2QeX;8R|(@Jl%9Lu<# 
z0%F1_l@9h#Cjtcew|@+IamQS?^BWR~k0Tt3xb9X5p)!O6CC^?Kd{$0UF9eGk0skxj z(@3xY*}<-Lrz|}X$=>T!n~AkB6DSppN#q4g8c3m4S({V*+5O;ijR2^Yi%idrjN^CI zx{nDyZl{TqCkoUwM~y1R%NIsU3QHqI`$?_N$&8b_i%l~Q@WRjK0N!_WprO~^sHA|* zTzDT&`5BJWp{CSr-YnV>QiI6%;63hZYGRD7+XQ!vDjiY55%!!>Vg7Ks^mfuPz)fQ& z$@!+$gLlICAcByom$Z54vd)F~bl+~?am+^j z+rcdNk{4B}=MR)YFP9Y;x0X=*szQR-1-WvH5vTP{7i0#e)mb*GQzi_c_UGhUmNFFg zjZ)VmZfqUc1M@79oBJu&>KWFc_O{CWOklX|P>A{As;f4}2E_i4rw0fl6 z;eJdXSw&3mxpnyqD0c1r+%=ig`ZnyOy1xg5Gdwi~y#q=b_aK9tNj#_3ANvjZM8-?B z0GkDcqx+B;m-1siA>1=A&P@<8io?9ZX2fpv$DwhY&=}pM>2%7cAH|`K*#dB#8ARWR zBJXch*0j%ZE`N3mZZ|`ReC&|oBE1ByG3wR^A-UK^DpI=|NP0mbjJth+F}thyq@lYD`@3t^4s^sq;J%;!K+UGvofGceu}Q z38lrf#P*8H?z3hlK;hPz#(3SJ66*i0yqEyT1L{98|`0pF}J_8KpfqP z28MbP;_tQK!#IXZ5NGlvqPR7st?e1kajzIxsTJ78GyJG>Og4bZwQe>GmY|=Uixij2 zNW+nE6q{m@baEl&c)rhlcsqi&8qt=w9;7hSDdz%sOEht2N|Ya$*~Ou^P-JsTO8P@i z5iFgZyLe4fEe%Q{WEzkHenYTF&0I$D#6cwuW8jd`$po5$y<6f1%bxf-va~`PnHxl* z!I`3UQYYz>{PtloSlza<%oz4AW}*Awvh>l!M&*LEs(iQHt*qw-4T>LW@z{<@Oa6u| zVMgfTkta~@e}Sch&?=Vbh?fUxtJ*yYepa3L$GCbC#atbQkYTbJi;X&Cvx5AB%BowUXP7in6v1?B>pUV36v9XlB@6b$}mbXFo3$oA0{ z;gb(G&fWC)MZwXWE-hU=A2!;2?j5aob zPXfl%Gb4)3NFIt}w}bO85FJ0qnH@P#?y^3nPrEcsYPi z?(t|_!Jq1U7>b+AuyYJU%!k-HDV>#ZR{1L7x%%D&8;x?`b878edZCY&k&9k3sV5p0 z=~ZVIn^NqC`Z41840vEHU6rKJL3>SG?sl5Y^@F47smcI=^(-a1M-B%nHKImc;n-+i zEf-~5tttQ6O6fkR&_k(-VcfvN!f=y_1O8@NcZ@P#?7Z4!skSBU?UAQ4HRWupE`~xR z5Jn)6;Lr6w3`8uxJ!RU8E(;~n*B3j;nK;%5P02ylVug@-1a}H=LnV5Y;~kC-HqF^U z!epG$!yNu`j$|8wowf;G|36&1Ju#NlMrmW&j^jT)6?-MO+8{yxxeOrHee>68gT{|O$cTW` zmSFZw8@x06?meM3tYc$93|7mJlIvi%yr;Q{tmtz*y$l{_5)H(wN3`GRFRvor5uyia z6!%jgo2;h<*%L2suVCFYWrBeQO(v3!+Nq03Lg4UP1RVK4g{00VY@ejx#3{%V{Vdd& z&W~zr66Q&IBfD`i=_JXVI>9d|eQPE%vd*$zu?^sCZD)V420mhHn^gZpXc8a$$D|n2 zO9}H@CAg;^TqnB=L@hbLhUK zF=We6#k^xy&N?d7mNA8CgluS#d!X72@*2Z~65xcpc(j+qqwg@X50Wcx-dAe&PBBrb zw~NqwOJ?6yJI-&=6_jQG5OBF`Y#^j+%w$MP*qgZ}=)d|*0JkEc^J261(|>v181uDK z8FT}HQ=)7NyM6QS9(#o|?D4Rr6!8s5v+F8Ec?Jd+Gw#ueo<0rh!(zV$mWIe@oQ;|? 
zxFTWpu=z~kaJLj^7p~7_G_)~Qcjty?Gw#*R+3S#@x5Witkgu@av7>H_g_aUK!{Ar< zXcyjBUY?Sv&%u9Fvg~Z=1?%XtmW*A_SUC(7lH?`Z9bIE23kVZmPu1CU>gvsavHxkjz5LUP)#3`v>2# zYZ$C^EDy6AMu1_zfC~rUbBP$j+B6{L%{m&}T?7#wnJ&Tfax@3h0!~YNQ)lGzVuj)48_kid#;2M1Y@C{LM$-zB_F1HTg*<%X`v z{rb`Vy?PlK$o@%=sx8H%b(9#PSe-_NlUf=+SN%^`CTGEbaNNDnUI|j_%_P zZL+?eWG^9ilS3{ETgem>QuHAuK6%(}W0xd9^oz7``45Q;>8SA8bN0nV)!lPHvJ ze7ohz7Mq5GcSz|7?MQBIRG%QD3OCZz1L_by2|92P1hztO#Fw?-vva^`==d_fsIYHX zU2uLV$~un?P~C9g#&r&PL&7>*LI@T*)pYm?X!`pZ+kH<6+<4H(Ic++$*f?nj{Wv=S zYkL#L1@2acwg98~>}JZvp(xFeSrhdcSpxANs(hW6qyP&~3G%_}FYIZz27JN{Z~{84 z!j$>T!d0Y9m zW!?OJ_M0&~e%z(7i2&KmT5BRebmwu45OF`+IN1p-ftb^iFmA=UIAA1#aaN&18i*tn z8tcPKD`s`ChGp99j zWHMJWQ41BBLt37CibN2Sx214+ZpkWlN>$u@r~?PNg<*<6 zQIdy1=YjmWbJ%GgwbZ3ByQKE_IH-CUsaE?;8Ikw1`sR*lqBEmD!6K{h5wJTz_;7lt zs2ESb$pj~@7q+2m25(nJc$%x0zt`5CI#gd?Sk3W(2?ck0iAeOM@4EP4ZRuy???6wli#&T7h{KQ zY57ISE>tmV{$!h}hSAsR3(!j81YFVu$~(wlLKJ zDzRSC*dr3q1D()Yo?y2dIwgN$He$mMU*xxomZ^8~gsTHA$E6&gJ^lhyuMfLdgvcO% zAn8X+&}LvsCvFj8E5K%Jjdn8+zBPi&TEzq9E8q1OyYGYWT<;XOUjM1A&D6ov+@|uu zmeer>r>{v=g9qxX*pKDZH2N#5vKDO(KbOrepcGU*yJG5tPv;>a2A16pYHfiK$MUMi zlv+(vM(TG=qp}Ib)*UJ)f25=ma3(>Kp#3fu6w?pF(?`tR@aux&QHz*9r$62@VfTui zJ+4wszw@~{JT#>$-5Zoau<6C*Ie({ww~X&qww@oAL4mO~vEZ$~#qo~K7GzAY4KdPR zITa}>{}G(-*3AYO9FbiQXgAiZoetRQtz0>^Kg^d$Lbt$yE-dL(AwSUW#BBM)_%iI- z$1#-QE7GQLt|o=Z_ou)3OilsWA$L@JFEyY{S@Wi-!Cn2JXZjGcCV(XR%C0 z^C)a47$Ak)X=5eeLs5!_yqEa*I2~=y77&UhFSV93sB|OJtPnLrUsG^%Kvb*2uSGWG z9+`)WRg!shPHcx&cpU;jey4Rg^X~x^0(E_JY^f9PG&Gjy$~ViNugB{0pCl3;Kq&l_ zY$S4qiZ5qGCg>qU5T3=S!VtOwZ({L#HgP!x=hHWZ7i^iUc_Jb}^~8F`kKEK#$n_(M ztq4IB|A@|ary6R8IBBeKST8}1jMK}HqgAo2%L2}3`{CJKO3hXlqprwFAgQv96$Z%L znencHuvC8kkDm&W7QEguM}Kp?xuL;t7A`i-q-9|w_7au*g3qyE(W_%(OKjGZ$8#r) zi%pk;p@w0&Ot|zSLVIKF56j}?K`W1u6^`iQ6-spE8^qq?69<$@POPp5!ly(xW`EO{ zRUfz}aHisiD_Y86dlCB&WCmW-U?~4_fp!6BC)oW=Hcs?3C%l%+2%UtjF3ZscBvxbi zG@H%OQbQ5=;UPL5XYZ@%bQSr1o++F^ap5>_&Wn4BYWkKz`yVrqRN4t#=}ESO8wn&l z5GRu_i|PGE!_G@uzKe;WEj zx>@PIg!Ze`Q(TuyENMGCV2Il^4VCdssSkeATPizL2Wq0VGc{6#R`nDG>um 
z-$_i`lPwuOxSf6@LdYG4cwZhWa~iKkMpiw`UOgYdZY1rZg9dvehCFVkdXNCc&$_Bz zNkT)~f7J3}<=Rf{#(?( zjcIKAPKy3@)Or$(^g9zO5fES`ulzK^g#`n(v}ERbd30JcARUqX6|a*EL+!c>5zCNu95DPWVz=Ivf zb`_eW9d*!cP@HEETt3Z*g0%20DZSw;@%k|Ffx|;bID75>*pxuqGLW3;i6s44_}vmh z$3#WvZhKXkNk9bNysB)X)$Ue9TdAZww)-+pS4hBewf2Ozrsx!K0kBo32|R501<<~c z0VtA%7FC`ZD6G*4hmP@;k5#E{f)lCJpE)$K5CDixwRz*$h;Hu{kI(U-L3ghK#cz*~Y#o>}-n$2YQoTYjVk=+y49BUC zHJe!%SPyF+vW?vtw_y#a3aYCTbEy7ND256usp+!TI0d{&yY5pTWqdoVrLkyc#J(VxSBFH-hU$bX{|304V zF_TTV3ci4qiW0l4Yp+g!UzPWGN+s)22AN;+`}V}8%IJKf*;q|@_z;qlHMqGUxJKha zqVVrDmAUjl9(s$$i8#pS%95i6vwWRAYH&f@+uN$)?STs%KrWif>qdKXBmkXD+ufap z2^fcR)gITA*JzwJOt!xpEc6>z`kuqivJbj0T9nn%BQ)UP9`Esoq>Df&vIi)l^=7BU zkUUEg*j|%@m~{{T!8^u;OWql7EKsk8LmpS1wE$}pEgV00dihIN6MHU&P8+tq2FYZj zJ%N0Twe3xcOaN=>Yx)h#Rv^&Q7{U5 zLrQmB_h7A-Z3io4BVhVB_&7I&$rYQc?tlit+UJs`l`uQl4VG#)R{uf35hdwFUInp+ ztn1^J!Z346+h1D{GP^pBR=6GB+$*F2I zx$N8JXr-@}vXSm>Zds7r0{igi>e^G1{q!~fSyXxOh5EqK;BM-)9)HN)n}mlZYUrnd zR0h8D1Yo+RP)ZdrlgHV8ChHtoNEW%@f!(IU0`w_OAZ_5iAwp@_Py;QrC&KqF&{N>) zq#hX319&pMr^yh&?~EFh#{BB#Z;?oyvQy%g=Jw&20024MIAq;kj#}5~;jxSXoqFZM zB|0{>ld&-G#0Rufrxy6UoC~5&_Py`l41UOlz5on>iE9mhs=!i#lOlE@LXPX`XD)Pi=kYf)xD#A#q-ZjnL#r^Zj^}hLTAx4GZnK1XdMTulRz9@heJ|M+9|jMv|J& zBJ3^JW>}a1c)jWV$d#+-)u-v);W#mhJOZ|NJ%gyZA{yTd8hq~FrDMTC#uxC~YE{*o zI0Stkg}TwPybi|Dt5ZyllCp%siu~RY;L$nvAlRMIz9l+<003-zS$M#Uu#2RSFkW-M zUrE`%gzF;Hg_$`2%a)Uiw5mg_lXZb~JdZjzK_`jrsQ@wvx^JIiyibU4cH+6K@f}B(Q;|ZEDOI{Y{=|Zx; z1P0!TQpc*)-JD{7mFBm}xqlH9A=M}aSFz^R=Mi%?szrHwf@t=_3hwM}!r&L)?YL{Z z34J01mM?t=92QK%Tf%F9Wh~yev1;$!{6~WwIHai2D}iFYOg3sgD;a=};{TrrTjDu8 zJLb+JR!muo@<2L^g$HkbUcYh$Y>*S}@PAX&<5R#njg~!_Z7z>>S-|m?K1&FtaZZRD zELi@i4l#A25LL@yH4Qm`DIUL#pKggv87bQ@1Q>>f<`aX)Uc?z z)fAS5F3&bu~SH)gBIN~tN{(*xo9(ygr(0hkZnL6`+~bCOKr&RpqIb2 z%k0S}cj*!?pBEH6OLz#^;=ctEZGKi9#H;_lSC1s?b}*z`54KL}{hhk&Bq_eRt(<;Ca+?SyugZ-K1T7sH`n~>8k z_AyBVsW09Sq;8O`i>JlK4$|G#f`hmvteDx0(HTSnT;q=iPUDN+sO5{wr$Nx)Pt!eJ7z26oPp9k`I=cGNWz78IHjHVqx(VG0l zJz!wl*LfM96M|e}lrN%P6GIGo`yEZO%bLZjYQmrA=S5a6lU;P+JV^8xH;ssf54av# 
zX7x~b`eJuhn{VzTVM%h4Y_P-zWCT;ztAMZtzr=)lmj5J-XB|rl9vsenUG8Y)DV?65 z;fl$2pHga!^r;FvXPwn8^h_C=*=+y|Qf1tM4C2GY@6F!}c`R}5T1Jc?ab||Vs}`@N z`=MwKTaV-7P znI`r4(qke@UKFg{!u6niK*sVy#k1|hhjcbTe%_0?#nY-{oEu79iNHO4`g*XEP;}ZA z!JmklnwQ*b=iG*S(7bVQXEAdzQ%Vlvsh>U^EF3lPrW0|FF$pl~De`*iBUkH3&EOw= zT2zOft!A0HL%o$IQ;mzqoyvH@ta5DM8bl`HmShBmUkC_XBteWxcx1V=SI53hS$!B2 zp3zmnN!n$t|CxT|<`~r5x4u8a;y_0$s%;_Fj0)u!JJN6)x##2ha0XlNcZ?F*aD^WEL_&fzlg9=c@! z-HH!hW~-C31X-)s(bYMN+E~`swAGXVA~|Q;Rlg2 z*O+6Ec%{^yl;vcWZjO#8Rikdg^>E*sV{C;%mLe-@-kFNNnW44X1)NJt;}9KMqG~F+ z-sNd-wI1!{fb8MNi zKqS1AnXJMNf}%+rH3>LXk0v1c#+%T>s@2+hl^d^2q?ihfKsOo5&oc|fQ5UVi*JMZY ze=0eiWsVWNT*$SZ=2#0ViQF(757xAX?q+|lPdOF`=WLjvfe~yTjF&Z^ z_D{4YNrqx`l;ayoMC@;Tk7awCn1NU12!`__OQnu0!Je6UoOUkQ>hT>72Hzmcy9$;k)=wrzVlf?t?3fs$GGGt>#3!JG-I5py5m!uFy%I?1NI+LlH z80mq^h49?sz{4FT$IQ>++SFQbd{3E)!2OnF-H}_wiS6It@WXV{Ni@x7;_q@rdTTaf zTdXHHh(j-QC7DLST@?TR-zp0rPBbvgC69fdco>X$o5Q9}+rK3w#^->0DaM;nY=?}F zj>^~P`g$g+kE<(}>mQX9yCP^k*HsZ1*=ST0=pUQJ4WqQO(TOmhUJ{EhyD!-1l`I^r z%c=m+Q&av=h3-wGkO1Ry&v6#3DpHBMp{!r8NGBTHm&<`sbR$ZMP;tn@E?jH4q$hrAthO zb($?WqGIdqg@r8C4F`trs`%KNvw?XJzldv)Ur=rSBh!ye=&`cMx{1A@wf3BH+{Js+ zi~1(B0utJBVsJ4nhKd8O2{}cPq;11z#1fD9mRq^8T^SUTKrI&NaiozG&l6L*qhg>zn=S za3zaPyjNp*NYMl*v`LgjhArDcHo%F3-t>Mj%xyV zogX?G>a2&tqpPY(bb%DEttN`~zqv`!B1qkze4RcV%2-XqWG&PzjGirP`JhBC8RCgb za%M*b|0Tw{wm@`N9!;vMoS-RTN{$wU4Upe=*0&MMjdf3=uB?C!z%2knOo z`hXt_2v(tF@oz3I&p%RG7~fj6;Etzn!@QV z8?$I`Dy`Z@)G6b~e_Q#jj+e6oXo-LA#dObq~3pOXerd>pG^@th6sO+~i5<=1g&>sHl|Hbh1$4DBJ)d zssI)fF0dHnLF%1|a5}!t;d55t0T}=9fjOaB%{?+n=>}}V&`V6M_=zn5Ps>AXWv4(h! 
z+aezMB2)mFA_$F)F8-Y`v$&FZ)FwAJkDJ4=6(Ml~ic5WWCnCE;?JZeN z7^U}O-9=FFUNwnda@!=$)NuGooD#PGAZKc$3D-PLp3jla4Y(<}2;XvK2q^WiNNrNa zj&LI4+JsAsI*nX!tpR@EL8Fe=_C;6Ns^jXzHUD!g zT)`XrbQbN~)BhM(N}2*1;IS-}l?jB9c1#jJHYaoxKnMIpt4!^z>3TuSn<8Em!fol5 zR%T{NzCA|@rJ2>^!2rP!l@p%*+<-9BU7c;XlouINe4zU)e#|UI!J?^rHMb3pJ5oWr z<5W-&XcQ#$mLq9xS1F@oE&+cMy1FqnOpD0lr02NIxP;mpuegT<_v<~CdADWE7xTz4 z5B%O!2Q*bsHidg}i|s!!FX{#X47S3vE>xexS1411;86#5Vt9uyv9Xu0?0=Hp`u&r0(P4cG;Z^y{ zk$5_?k|^CVF(EsOB^@XA$no)ovK%1ZlGr$x^ zKuGk&zQuygP}}nT@eggw0&!7|)E~=Y`z*T`$A5C}6^)oCRzA*zM?ByHWrK)pA6^8& z05-@ADoi`!L^sxWZ4+pK0K9DK6)b5{*sdHmTj6=OCw0?NeTgjnZoTN!4HFHj)1ek*5cArvH>3p_pqpRvm;YOS)@{=i4K@) zcuItGLbPkUD~#+=_Kih>`uQ*>LM}dCC{H&;!ECS2`TcR;u*RS_)BqWE`AW?N$wVqm zwFy^%!`Jk!=Qu1O6yD>#^qw12eP#+^Lz;^dz350?yd8HXuuQk+ zqpr07C>02RpwJRQ{c^d_tK8+Zap=H^y8I8g-fzL|lvfFpFgl*LfSqezGcZLJke8^1 ziZ~lJllXDy6tTFtgG(UU{j-i90y{&crE{OeR?4u&@>{5m*Ju8-mFtr>HeP|j!mA_2 zM(E{zhC0jbSG09>x}fQG{5H>LI3CVqsJ7?&^E{AqsHhK7syh)HJIii$(jPF}-J=Um94Pkvx6=j#?m93PXMryK&RPKXL969o0AgE0@JpmC`U3WJy2*vD;97 zMp94rf;ilOvdaZEm`p;W$5!CI9_xDlAF zYj6QfR7B7!0_rd^kI-tcH5IN7J#e{L68cC~VoYVaWu8be?5o8CH>PMb`R2acu^mvH z&Qs>RRNM9~r&XMpn&}+nyh2tSzhULF#Ln1-?XOKHED!QEK}#Y4`vMXqNzFWIBVuU& z%U}Q)X(AOG1nX;lIg+w4UuNk#b6PiHThPqgiXIMU|DbV8GQq4A0%`)>x0W;O zcr&{?&`|9^#o+wYrT+*J4RZ3ri#>dO0{RVYo*GeIV(+z4seF^NTM>{7kDzsc04)^- z8%>wlP0gm+pu|n(kqUeO1Xi6e?1usPg9824KHUrUup_fv=^b8VdBwbXO{-jiqTuD! fFTX&g0000fqV=z4w0Sk^KuOhPm;e9(00000LD1;X 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp deleted file mode 100644 index ead0b7017a1e52a698f80a1bb23117441e91ef55..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 21266 zcmZsBQ*dTcw{2|Owr$(CZQHgww(WGBbZpyp(y@*2_W94PQ|DIQs=Xfe!@?M2tud?S zoGQ{15-_SjK$_wrN*YRBS};IBKuG^a7YL9UFp#jEl9V$D5D;)8xO9`X?xz55V4MBc z|9mffGchF<_?I{SXT~HU@mmrJl{QN~M60WUIeG6FeDF}hypfM=O5YVfs(>oMa^QvF zbHRt=e}2COrH^(a+;Fs(w-O(;50~i*Yt3aY1mR_B!y;PntWxI_i>GeBZU5Jd|18kA zcW_55`T^GMYcAD8=WGL^w41zH4vapss#e&vo(-o49pL9$X!1uDHP~hV5sxavhEGY< zE*{h-x{g`MzL6cKlD16(=y_z-sj!GwvpV`Qb&5|kSmI`zAh$yL6dR5WSr;_e!o(J6 zUc~MhR0k$s$@prfLLbW)mYnCq#OLV0F?dnu&ZzE+)+pA1FEQ4lx;Misv{cMMs2*DPN9#>!+aw_ z;U=Gk7T`hXCbX2l73|C*+M?=O`W+h6;JB#TP=F|hHR$&B?o6{l(Kqs9p!FI{+s6Cp z8`1As`H*yxcZXEHlfM&)cfKJCZg-hW=ZP)BoeBpl|6g6J00E(e^ATw19r&B6W*32P z4!Dnuk^d!ZvU3C*v=_&0s>sCuN7(zL{k&6-#&^#q@9xzQe zh&ix;JzJU-87T=dxvI~25PYvCo9QJ^$UWYe47E>!xHTpSPV;~>BqfD4fQl58a02UG;`e+b@* zzBRPoCNfU;r2qndhTd^6WIxC32!8#f`~+4q)&O_`uHUy0fpdnhhIfX43JwGT0Kf<0 zgW$R0d0_9)U7*z`(2wLd<~Qe?;rQOKz%jt=7vL%OWA8)oEAT`BC@>>X8DRf|`Q>@l zw>WpV_Xd~^todGlse3-z+p1#Sdve}@IK{&fC3737Db{~X|FU(oa4E-!Cp->v^P z!)w?nt(7%VSJs2Jlc}Z+nky7g=SPyT-Ed%)E%`Pwjw+-g>TyKx996dOQiWUBZ z5~}bezte%UAqg<5f&hSAzgp9xtf#4Ig6N`DM{XxEX=TVrc+}N(HoDRIwPR`?-eO7{ zOTzlchy+m7=Dx3mi6GCgGKMC`iaotL1~+-Z(&fLa!a`Yw(o%u*g&{O zAG5uL-_dHmQ!48-n^G9c@VaZnn*pr@Y~yiK5%50;yvGT#{+lwxZRG0c{pmwWf}9-i zlz6Rpkw0#RLHnzfcbtWyMTtK@>^%me%r6H&MiC8U64CawI#{9S6Nrpb5xr7>+y93% zA--iA$2kLUwt9t-;gJTr6V-zAJMx+#a8Zu)uYsf7!UOuZ41@e-qEIqHssxJMLE^jm_Oi@!o54 zlYi94?EjZey5n{iN1d~;^jfAQ+#Y%zAL`O8?oER|de37%LqRP=Ee^lN7F7`Mxu4e@ z7-m~SkOugS7v?=}@B*`wRRsPQ^ncv8X90yYHQdd*n8~f{{TaKJ5EB&8l0l&*ThRQM~BcQR0}OCzmbrS 
zb@5aaC;o-xU`M@~69}w-Np7T%Ru{d;fGe;CyH0%Db&f!&A7#3cb3m8)Kq>J8*z-Ydi?w4M9$~b`ARfZ;c~A% zHN=Im8%?pIkx=-uIcoQNw?gCezHNy9rxWbZOa}!EvYv&lbsl0oCkQ$XxwkirzN$?- z5TUuliWe_?v25Q~;CS9+1Z}sSn}ohWWvbguFEg!ulG}UbZnFFkvDbgg$j&7oG(d`p zcoVn1R@3p=pLw~@^N}RZ*PLg7c-eLNwt;I?Kvnwap;_G8D;R{Jup#5)C0IFs*Sz@B z6V@5NgfuCG64mwUf=86W`_HH>%^i#9`X1H-=;A*R@&e0C?rVVFDFXfEZZJjkrE`<` zDm(6!0#kY}Jt8KiU_jA+Iu7u8LiITs%O5)yHpdCm_Ct}p$Rz)89s}-k3B=jSty~oV z;nnBRx4rGXsnxGpIF@gfF}mQ$&}Vw>H;R6;msnFq1D95uULY@KVm9zw35ia3HJcs6 z5LWfrl>nqObf#79F?gdteI2T=;S6)KVh2Ujx!EJ+DZ@<}&h0OiYrP-Z8MAA)SxJEG zPV=yvRmJKmshKc?o}YYVQ0AOd*)xih1cIW^AW627$Lzwu1(aN(c#tC;V0|<6LE@jS zA57npz`ErEbGw4Pw%>C7dhiZ@L7%oz+S^NS^^j4lu~mUttb;q*?eDoj4hy^p}n+Asqbh`;?lgQ3}n)ySR^WL3G?0+R9#@yTjOV=*OnA-nvc z&&rE>I}_02<0Xmh3#dAMU#EJ7`8QUS;lc;~Q<>O>ycIHyK^r>#9%s$bENF%6WyMbV z{PD`;-;%GBc}EfLeT&LWxscPjWH(cPZj*WF|2Za{{`dR4@rL>22w!xtRwsJ76xczw zHi+s=_od$f=rCq$q?q1M&-naUaLjO+s0q$HY4M)Nf8LY06E+cTJJu+9y_cLFVCEhx z0{A5LVD!$?6u%Bd6ph#m)mP=W0e$s%p88I2;o(wZ_l7jN#?*pErS02;l+TE@lvsdR z6J4zfGJKTn|8_%DHx~uuSA%xjN_)}n`vfj|L;K;}rH?+dYnixWv~h!J=v0=@QI2a(|thX z!1J@)A`2kUY^+S8k7(p9L%1u1hMD2Nz3snaP%wQoHApsTetL&^4Vv$BqzBSP@$(mQ zJ%XTM%=XG-vSFU4`1_o%f3?QlO8g^TwNs`>{r^z&ABzR0;Fa|b5;bbqypO`0^mvt}S zaa>2uAnNPrsYen>yi z&sSF>5J*EO>m+{NQ{|1AMtuMB7Tv$+mUXjbJLvne4<9K6qCVt|@%4)NSUV`AC_bWV zPf_L@+rPoz6CM26OK!7N@pMB&KpBj!JEOve`G`aBBQ(nT()v@18_=S>$N?&*i-s6@ zYz5@~W~`uAA;x;4{+o#Vo`w(*;TUIGi}Swux`6xhQhj3$5d*1uX)VjXP0b5Pl1m1+ zBgD#xg0gyS{NA z@qHxvlc;rK-3Z?Ov>$(kY8&B4QG=Qk=pJb;GQQt6O&3AoeSs}+*<1PZhL1TBy}qD% zJWu^O`e;EheebZOO&H}1Nf^eVDb3W%xjr!lABE@W#ds_n%9^H52k_ECI(TN+>7~^l z?%=5kOq=4~qfC1*1^%+f>9)8fq}#g>-=n1KPo7wMVoU9Xm?v+k(9?6Wag7w|Zi`0C{`8w$ThWsfGd8h$5cW}Ybcm}A>8>rG)(3W%ug zIr|Z-_DTM+GQZ?PN5oMfvd0P(QuAL{#fu)))VnOr-p9>9M49-E)5_XH-qGBXJ>M*v(Ag@Tt4zY*ooe6DRHGdDYV@ z2mSR?OA4NTM;(z^j$&@)GcL`U?HNwFvwE!FPR7ONblbTs=H&EA9NuetrEg$=k8?HS z=YjN`xu{%$Y4qET>sJ@vJF|-|r^h<#Au|v?s+Y5SPU~L}$eh2>kkOk$dfn+f(!K9! 
zh}8{env@T5@G>{Bo|Qrw2}NhALcu`Xpg8G?#9bsp;P|uvBT<*~BO|e2zWzY1gZk{N zGr4uZ*atlOd962pDFRH!MyZju#UuU~lJN&TjvnXI+#e zWs_FyHsvj~0UIncN&{}k-VT?1bn;G3X&rzUPlqvJeqYg1A`Y`IruLQ?`4v$MlY+tb z!l4e^@M-};);D3Pz?!kKR$oeUE{Ac2fVkyrfqQTFi_f=q8p2_;Ohw(^Bqr#a;N$}D z^u_zUwzJrow?I$wlhl3CnP26P%f{`=(I4$aJk?WDS0OqKIfa?D;FLFOw3KOY>AR0g z07kGPNtxrjq@tPfA~t!u-{qo`4IjM0L-_VJ=uB4mE2{ftWbaK7MPOd?q@pC2g{kqvg#uQC;;2?nIQ)AlMLlnPfmBb??z57G+;a_Tl_2g+hs73hM zqT;xfG3#cK{>7sDmWrE#^N(8;*)^#fW2j_o)Nh=>_4t(n4w!K6)Qhh}+Kq4tm3T%m zard%a?>2vz^zN`}Mvi$Gml!(PU+ZJb&5HI zgL&hT#q?+OchYgO9_b z?i8#M-{GE31#3~*{-Adr_yAqMaLJmq`LC|~EIj4!QZqkt^J>H)qMt~$;QKQyVnK)^ z4~vnv_5xc_WBTv;=SleKmqb*L7Tbm|8t>aYsrUKe(}}biK5F>$p=I<*E%2W)%1&%( z7E^E^yRTO?BA=yPM29qfOp^_8? zYXA2n-?%678ykqBah!yYrPgtN<@bwG5{gi{f%4(;bi8hgL<{z7{g~M#x(2@T9bRP{madYw@sI&3_x4*1|YA zl`E4damynxnO5$55GE-jH87Mr!k~f_P~rBpA>O+JFx=B%p#0Kv9HVVESemG^6F!c1 z>1hNMJEdWh=qvo5bl$$#>Zs7W1glpQIYB^(=`4Y$FIdtq`O`StT9n%`Ws1o zn%StXJ*Hel=t&EUA&Q;)cc!o+v5#I>#}t>o7^!=@kn<)2xJY? zDkM8j^P$W)PSGXtxIAAQ%Y=gJs$p(@%J|}8E<9@@tw!p5xuKEMX51EicKhqn!3Uu!sXSW&T2Ii;gu$h6_Ah-ED0!x zmnd4>dU8<+aPa`4l^y9dqW;*Mk*KnFP&42jSTn$jX&Y7Yz`>{_q+moo`$%e5BHM&r zam5JIOdEw3#$Gt6bBb#wVUn*-A5+^x)P`s-Fz?cSuJ@3q@u7|!?|`SD{DZMRWHu!6 zTT2JokaB(AML)7sVx(8#zXSl|p3t&;I_SlxoDpXCK! z9Go?o_di=D*pYaJod{=naD%WHXhO5A>^&pyFcpKz_qV7k!r3@Neo;v`5fF?Ubstkq zvBq>s%yZ2TJ!}vVkcFiOQOlqgXj{S>qE)2nI))sieUzC)tF*`XcFd9OtGnWE%T=&nGVc{sCH-REVdN&_3 z@kmg@&B6C!Md+uY%C)xI|D#=v~ot7GAO6Fs*##gLCj&}V(ODk!qq zbG=?v^mISj14g{pj@B|)6S;WcfnhSJll0Je=Vs7$X#Z&d(&NnU=IQnskKBe>$GAAx z{Lt@O1HvhocKT(WJ-KAGh5*6tynNm7*;%Hv8HNKoj$4#h85f#|-? 
zRe4p=B(+Q{5ayK-+>e}qr@uiE!XpU~ENa^S`=bYG0ZO%7oF%9F=wRV0D0h1O~?)VRojWT z9pE5N)fqZL3#s*zZKv^}aLoDrn=HTt3hYfgP~*4E6))-bh7Fucc2}*j2T)2(MI|SJ z$}>5`puo&#fZGW>MLh9&s5Kg^UJhBlFBz!X4Jo;aa?W)Ji(}&!m}skD5bqURx&{tT zn0`?e-Ri!gc356&Ox@p}nYjst0p59q7m$HorSTAAj$s9LH#oH|B7K8iC9-4`lqw%E z0i8E47^hF7DJG@YRc?a1o~{(Rnd+xbsZxc9-Ng3$jD&RagL-$mUmOgxsSMH- zOGBKpb6-Y`9cURl%7l;Z2CIRVp`)j66VPNz;z1s|SPd}B5B8J?I}NNyZ`jSKF{@_{B}3U^9JnG#-h{ADCppbDIr z(w<+F#gPJ%!=agN19FF`%_P;0St5FVGVGvlvg_O5A9W12VZ4LxQeO8ERtvcK>oi^` zee7_uo%Si*Uysr`IAQo<`zceTM2mfsMymZlK=8Bif1n2fcP7*hc7d{mUs6%a(P;+7 zg@KtvY{1eQM6s{JU>H4W!%y4p2z7IIp*#gA^5k`a8G)}Htk?_?+Ql82S-ni!KLJT7 z_y*PJ=OfEINc^Fh`EI|hw2cf8cRp|V9iMUSnS$Hy;mttvBZxssqGFCxn=cu3$xfZM z;(bh^eUJmEBajhV;0`UH{jxOiu~5ABviRf{D+DNXbp$*$S-XBZyl;Ts{t}*gUHU=S zw}Ov$POf&K3wu)F6S|etBFzyn$90%l82x4JA=QCSIMJg16Pakk*xWi|R56)*bHJI# zO(OQ$TH8Qoq?(1-=Wzb#z?_8E*F99f(f0Y0gzk>cC)OJ2nFSkLw87#=*t^ytD2!Hu zmej2FYQ!aQ@aeLS4oV>@es$)Q%wBJE;PPqOpDY7!_>gZ@3Y^}Grm`zp2g1K4_3I(N z3AJ}VDu>M>ea!ZFz`5!2r}7hSx;#}~7!EEhZ= z9RK5IZqeE{F?UAU0wl-MSU2?&_K$?HyNn+u$fzy(4l!)9h&y?UK_6Ov`T<1abgsnJ z(M%-Ty4=lJ3{E@PO5XW1z-CmqE0KcT#}EG=TFc7q)kyi*Mcp_NCPNVn2+<7>fmgL&w%dgoew3erxvW1wA|9Zt zT(WUosv1Eccz3cW z{lIT_RgJfVB_ZKsF)pHm`s&MZ?tnE>4L|9f#s-Rj!ff%kBQixJ(oUe7sw0dTb$#wv z2fpHVCA5IAGeUcX)Ab^~6Ng=NBChi>*PGDz*C%!AK%T_O5m2it)jlpV#;Xq8FuU^+ zUBP<}Zh?9-afYnw)ToWS>vfZ0ICXzIkH{`Z06z?bR+GUu`3qpc-iHloMS$(p>gx((#DMdbX5^Q;n-mVnt)1)}>2yik6KH z-e{@B+`azDyO%O2P$~JczGvouO(j)I(w~)BQ|NAp-Ren;!j;q+;p$-+ zsTm?oln7rw3Y6l%U$^A?)gWzy=U23t0lS%%3&j5Lte)GnF72sMdv3ZsYo@eOWe!W#!J zvcI((W_5!MInPj?o*i6@@%B-LcIg22dJWF!)7E>x;9->@m0GB+?ofuj2}!&YsW-u) zOa6E}raWO-VL@kR>|Qp`lB(poP()uhM`~!(^+4l7Q#qqjKtOP=j2z&3R;n?927z=q z_0P$+9^bQ*YWm6dq6>&>?AN-M?*BkyfZaKX^Ir1>dwv!E4y7{PFaO!G+B%o-&o1P^kyALHW9Td&kybXaTBzj zmg-ifG0)(DX=UOH=6}f8oy+V`BchWS9s^lv+!RG11vN2_Vs~&})Cs8rwmY2`luFxA zk+;>7SQf(yjXOStM4NpbJTHD6tPf<8GWPW_3~!tXkwUY^R=#pTrfTZexHLbklutbc zSU0ack|JJ@`ZGb;II4Ne5_%B_mWb7Kd=xLwMSLnCD~ZK`8+F=Iv($VBpy5&F{idaA 
zG?}Xq^okBhW`;=3)q8l7tKx7UP72N*!xB-Y^ys7QH&)=7lp}=#1Dq{8AMyr3T;k^m zxbJriuNv>yg7>5!KZ*HLc7UC~iLYCLE}9CsB%f#VZ2-`0j=w*OSk7U9#~2;*vZS$o zUlaMC;Hr6;Hj09VlrYN21vhB&v=!V?!cLs;9uSYisnphVHBt9JFa_2Qp{?&^v${#U z7=M2m`wk!MiGDSDh)R(s)VQe7-Ete{9p?-DJ|ST^D6cWL!yN2!D{7$UtEmz>^JeK4 zC`OEe8F+hni@O?7%xkLmv_Egnt?>9>xrelM;DkW}Hm*SKwa8jB#o)q6LY{srDl^>K zoU(Lpr&0}?8fv=Nnv}9;ki5M5GC!*-GxvBKBt2#h&U3%B6N0~xxFiA# zt)B$nq+=vZEc$lpd1;qm>YZDWwIbMC+l_o6qb*3U(#zFcCsUH@E{}3d+TAs&jK`FQ;p>oQ#p<%; z^allM`;cx@a=uUfPB8wlc8|ONR!rU)fmI;r_6;4blY1I%6&5BcnZ}^|LvNB27%0Z% zG)NZ)R4=hokt+)ioBQb3J$0cx>SA1Pv?&m(R9Dm@4#OH!E{Ph?C_ZCK>LZdM=q1sa4u6OYv2o%RY-)DxL)_7LH5R1n2Rr))n(I!p!yuivu4FTofG zUjsR%L!-sdLJAqaV4sMq$7kDYJTO)CQ9{6!%x;#l^0>Si0=hXDk&qDECBL{Uqr}90#c?5Ys{>5q<(1U z^!Q)fzoaEt1wXo6%`;3lIUc^1m~^RB-U+h>7p<(&n6m9vX?<=k7$oI)xeCQ^O}8!4j(Aw%4l$x4(B{P(kTKMllYSs^6Gc+hkc_0oiMO6DyDFR9 zie)_mQ$=(WA5t%S)RU<+-=z$CQs>N5UAj61U;Y50kfw)cHbc_}UqHF2GxU|HsOmZD4D;wzkjHpF(x*3D!dVv5 zhkn2~asU($8oj7VuJm1LbEH}R=zLJ%C)+%EhVC*y@_#zD7e`h4`xSz*Kwel~k$Z-% zm~DELwIJFBv6pWoy$@epc~EH$O^G)}Y_{r-9%7oS2i`Dv^BlAHRAwm7lSpeb?v=@j zcx}5^l9bBMlr&wa5m~JhF{LM+Qo|bSfc}EA^hP7V<~YrNR~+%7a}&PSn?C;G!k_O` zd7klD#sPk`SH7f4cM}ZuDppY+eL6rbRQZATNVuu*7i=0VQ^FzdW#;QYeBQnvhGy#Z zbo$%C_69LIQ8tUKpzCHffm0&D*Q)v3j)v_AK4w~MSV;%x^K zUTX)@W949n3x}~MS?DH4=Y?<7x54hS&<*{iX3Lp;mFU_SMwKDQYR(L3TY1r&$|&ah z#7vw`u3N~FZO2N! zIT(cs30qXIJZ0niRw0mn5kfh)T0!@Q6zgr zjt-FT?pX#B18|-ymVeAA6tQ|&hXD2u$`d08N0liBS|f>0YqwSgye5qzDo{Cvf$>hU zaaB9|X+FISsIHbTBQ@;dE;al}o{PQjr6=SgUpbHL256C zi3e&RH<08SQ|l|CZ${L&B7g|uq#lWL7b0NZ_Dt?0mJI&=!y`FLe%YN2(l1>lVO5Mg zQ3X%5tnv57uLUlvY^^0$Pky<$64qGWfPh(|X0ee|dmRGkcWfnPBZ(r;jA^LfwNS~3 z^iHagq<>smSUAQd|7Zf1FoZ?rAAeR9_roY*^cw>s8n}{Z_*wcuR(b6)t=~l>=;}V^ z;Qy6>QTq)ltVy;-UVW<))w@y}*ui2v74*5eCOuQZGj|W3gCD8ObN^x-WFKRYpkqaZ_Ne6MDc3OTz?Utfng`i=MUBYDcykQ2d+t>a*L+W z?Vg3{94V?H1s^iL)=p-|7p^5Up>DKP7}Pu_>%XjNYnCb4q#e2-1YwRW$wEUARQS3? 
z@`J`ZGocWL*Ik-rBq$Kg5mG~B_WaNaq>4uC5VDgH`s;uY+b!IwLrVx#JT6U1)W#V` zo|@k06BQf0B%D0ILpB1X+SjjI>IdQIf-d{ZyYZm$1lOe+gQgYtlW*KF;KfY=;ukEw zPp4=h4s7K$v6`vdVqTm@Y9|{Xf|V~4a3?Tr^1sCTa#dnAD30(DGG>8w@^b0SnmOWJ z-9we@%mM|pE@OJ(rNr_GlQwI70P?jkzdM@TNtol7swmgKi)Eh=iRJ^6k9{t_+^Zoj z&Ox&Lpo(tjFT&ilqL=ce6NEn+Gx)4U-LX(nj}tauaNCXk<_MI6SS(ss8TVJ3R0xs&hyhf zOQK4X&g3{a(fDBvjrok)AM>$a4?tSFr^<2CsI8=R z6hZqQN-Lxs=><+Px7&GYL*7vVD;*V@==SbYhLqLF7k`mmVNEbrlStD-(i-!*z?{Gn zA`&)R_)s5y|E=sF)hNuyx%hg2UGd6j@a7L$;h^K%^XpZ*w0=qOHN~b zlqCoj`$|sTJ}v%)Y#g%VsYcznQG{|Z;&E`Yg7kd6hZmV;GMA|jmAOwq3p`ir3xRlh8*$P*em@T z+;bytR5?FVjBD4(rR^pC+jkLBj!Gt?qsn~W6bV0m{<4xMk9{^ZqMiL^cq^UE1i1NR zX^O=he;3wL)3Bhak|OWtx=#ZVQj4o!E1;AWmEp^pxCN8$8DA^{c&b9qecV-oy4_j} z;;4m^aVTs_4T!;p|Bv)O6Fx?u9ofVj=qzsGJr~&;VMN$~9wfGa>fMMgV)x6Qymu`= z3IU<)*W`f%JO|bV)`mRQ)%(;EO@NX&bU!;Fh&}k+{z6kqa zF|(O#KDH)56WJZVPsR?>p|JPq8a}M7-Z?VX+S1CV`L-sH<&^)7ME^iwS#MG>4$nQ5 zeqbefgFG~pv_oNdkvQB6jFlCfTeBpnM_pRRhKC{c@cb=Rx^&&Cc)7-a2&KJ|2LHjq z*WazSNanlwT>C6^*#rugO_pj03Q<_VQ||Nrge=XLUvWa*HW-4ODaW9|n=d>^u{_vl zBW3C7+vXL`7XDqAMt;w(3r$Hy z0{%Qti}$T86lGiwjUpSUN~zIBy8COk7##pVvagVN+=Au!QN#~w zi z+bx7c|8-4W_Wt@B;FSeEpAxwb$ zXJuFk;rt{0`~le?{{XeCs106p;@MXAsX-fKTPH^mkAn4N8KtP1xk0~1%w|GI!Xup% z5e01d!PWbCS-tw&zc5vdV(tA|YBn%ZM+&=kg{*+^*e(0wf@HHW=(v-t1-TID4z=YR z_u*j1%u0;C6gtmnJkZ6EJGtUbg*}fs1$U{`xvts#4c^b7&|=6>U)O)K-drA>Z4$Yf z9r8rGlIJ&=`D=(+#E6(t{e80Hjn$N<&ThnY%AJGes)zli*BUlz#-3=uhH$v zK8YZWu##EB5MU0{KFgO(sL>ZnY3&S%U+MsrtZUi0&cCzPSR_+CeU;}_o$yXT|8I)k zmN9=wzG8G`==VFEJLWEXTp^i^DDa0}3{rU)`j!;ZjZ`+@f`)nmIIHx~S8lVJ6)(L- z%1Rhxm~-#!^KyjVApl%=2B)Pms&TDfpkmk7!8HHJAoY^4t^8OG(f#0}BIo;YB*vXmqhlZT7$Lae#Bv zXDj4i^PsYBi~^JWn zOk)s`c@@$?%!N~CG}TNY+R6f87?o+8OB4;y&@Nhvrs*kn=60IQOC?r8hjU3<>02qW44|a^KlDW zGcK$sja;n4lMMIasDtildS%~DgFC56xMZw*nckVE<`?}C!kFpt&{Oxy>%QXx( z2weWNp)zn*=CQ!PTmRQPUadG(tWN=Wsm=Ghp7WfI9pXW!7j<4-`;EwN@DlmWpqOU|Buv- zgP2@}QdKzFwbWa$EVluEtWm@PcL%>>Xy*_Dl)M{LQsW+eA%V#XGCvPx| z=@WG|=Xv3aywFX;g7s2sN57?3r$1>v(rk1(RM^AmX4BA*jy6@3-`{4qMOZrUiP;t2 
z$2AU6rsv$GsWnG$el>LW(Vo+;%UR0#Pcj-<^k{!qy{Lq~vAv@j zxwb={vQ`gpkHJ5sc|7%ZuX%7w9OadWJbTWw+NEBYD-;UiOmYBHKKhzZrD@3Oy)E=i zh;ei7Nj$d_KF_+Ts7>?~e3Ho9_`2YPO>Xj?J+$sv6x}E>&D(RN@@7OvxTlW6I%e36 z9!Nf8ioMp0WP`STAqUJ4K}5vN0d(~0ZE}7M5mP&PA%Pe7hyYHeo2VK)a7)fm5iLc# zmdU&rWf>Gx`8lX}lrMwCq1yg4^=J;ivHX=vpdp*-va7}6T81SXSInQbvL52jJNMR{F{}p%%4QBMtH9zOWRRY_qd@E_Xph?3FJ6=L zir%8?wgv3TBud2f_Jn>qaW}6WtE>iG_Ct#Pb`&ge&f|iY&fE_#%SuJO>Nn4m{`cw2 zpdmLHjBn8C3SIAIUub2Ul19Uk{S1qywX=33sIyIVUm-uH(8sA}ZSNj)29dm{)Y>Tx6% zC%Ft}jzXzob{8kpekVPGJHiw1dEEiVA`;O~uBaqAAKQJtER8Ic{Z4FgYIn*!pq%=0 zvCm<*sV0D(7e#AFkBcCy`1_${(}?BV_`bs1E6~ng0_(s^w#~Xo=@r}2&s0W? zfKsY-g1HX0Ss{m^={-l$XP_$fj!ZE8dTV zSK?r!pw^tsG9MTo$4!aWqP(WxlS&WvwVUQUcyYpSuvO+*+#(R0;SG$G9^LDVHsje9 z2BZ;IiTeKBPu*Rqw2IWc%dZo9%J}u=lW}e`>~ZsAp?vRsaguZcPQiPyjRCl2wtjZR ziEv8YbQn=o9DQ`d>rkQ%k6T@X3!YYGj3V-%1$XLRMXcZj@n#f)@h< z(XANF{qJXKAhQV0gxg?E^;7l`NMrI@bqU7fM~kf+6a3JAfpI3l=Xy&-VER6XM4lv4 zW!&t&XX5^NIY#nd+FQzj3b)bZV)2ywVF!&aN;ud z!SGEtM*pooqGR_DEpLmSgzj6A{yfa+jC}(v0^lYtC=^wDVnMfPG_{b6m}aFbX4R+_ z=FI`N(nigVB~|xF9Z#F8L=j(|YIwuIDh3#^=7iss1JK(rzqm8w0N6Y)|1#zlkGIqS)y`8W?0K}|f!QDlvrFBzTbucqNn3}i*)qmNT#rOZAi zHY=O8lFVDJ*ASxN333SNj7sh*%=6=zY?N^mF>E!jhdkh?sEix;p*FpQqW0!(l1S6% zw&Mp`aD?RH+Q_*w=YqdO{m<&~%G2WG@-$n??&kMV;wkY8NhO^PeXc=ldqY)tMXvt% zb9rdyTYD!Fwu;tllvKfJXO?t^r|lO&C?)Ambeu@O1#f_rO83=|>!g&*z&d;`|Mi`= zEbIlDIfl)V#GtOO;_f{jIVs@)VQ^GRC>`;W`3d2HL7Q~}%p94p6F6=m`W?1zT@prj zl`yMo*pspzAGqj!Pb@=yk3cNttg*qMAIF%LO!({!;a7nforl)$R`n)$lv6?_;4N-L zsTcBOo_h}W^${WZ(*16fK3!S6gEi*mpyYtby8jWTXZSl7c*pX2t$DcXCZ{W22pT3& zhZUwogRX#usqiMOGD zWIg<@=u&}ie5OUK%(+R5*c$g*FLY4;)yO9&z!V-0{nD|BYEYxM%6hCfvT))lr%U5_ zCskVgvztfPs8}%UP(GEGeO+7J{6voJ24cEYV86EqYG{}u>5#Y}w3l;C6 z6DxC|f(PW6378Vw3~)VG@vg7(^`52hXaoE-Q6c8pfgOjgM~`1p^ksg`0aJ}5G}TZu z&a)jV&P~QZ&~jQ*S-T|V^Xh0npSa5a9xjGgj1YRH=;Gvqy(;yWYkTXIIuJXMbbX zUV_dN6yhC!!!S5R{wTXie6oVsPX24Y2mUQj&$2T8yPNeqHPxYnpXkD&iTQ?P3IMsE z9jnNmL3)kz);CZzWZM&y->%)RyYID^ubkn4z8DRP_&d8m;(%Ah1UO$AEN;wx->lBf 
zF@xHJ&`#*=Wl}jdpn^i)Nyd~0s7L}KM|OX^d$9aXE_Lk08*34~sepCD#V%NyCc0CH z57`Rv=gmp{!!Wm^zMe#gpR(}+&8c%664-FIfj_8+m|eC-JEo3e*wE=o9;XAu zNEfZwanPRBI@1WuUUf3u3?=i2;5%on9dfqCC0#eBdaE}8JrwdP_P?sw=M*&|(WnT! zly3DzdY<7R{EBMp|N8mZo2z+kazk!+1?5?p%X!-*9>AXDf|dg@-st2Woz_qhZH@d( zq`tz{fE3;Z!u8Zau++X$C(hastMf;E^+3*`$Y zUS2Vlk}RFH_Ln%s+Yc$wwOP2lwZBWk0W=~wWnN!B7zW01A2t*&V4NF zU={EUwl*a}vd4|}A4#zgXuY$kyLd>&2$SB!;8G$#bJOO+?6m>`Z^~X;I-yKYDGV<( z1%4}jHl-y)-6b3Dx*aBpv0E3eZ?Nz(xbXNhed&2~-PJBQ<#16Ig*SyO zyi24HI{^X^p2H-+{tR|Se$8lsDpA=MepcegEdkvIKonTlG zSs;xUuga}EcX>(I4GZs#8p__=0Nlq|+GDyQ5!9DJ@R5=Qjojq1=23s+vhqkHn(Qy& zG!=m+4=-I`Z{mh>km064rWOB0u8=u@c{sozshjh-rZv1I2|Kw{u4j_!=N6cv+fy#Eu1%!8FvMO<6~d0~wDI z;%+OTz^xT@fODJ?9Uc;3^+SIa2qrbX9?^H|Ap633fTP}GSA*S~?sJs7ADrEuth;Js zQf(qTE4g6=R{OHBiN;-s(C?Vpj_PSn{iEouu)FO(@~3d(D1~^=QGtonYA4b${Qm?q z63p$gyjl_|&h^t1OvV(kRP`edgnuT}9Mb)b+-Jk6zMS@WOSM3=N{iXtVbs3+6b^FXLf__y`!Da2u{JfO-!Gxru0u5#ncjlE zH)^<(rU;xEy2@3;wB`$^F{>D;cAV;Tv; zZ+^G-{fqh+J%zP4awcZFvmIL-1&dczEJ`tc%QkRKH>3{U`QIefJ8Bmjjw>HNO=I5Y zXn-OuSd;CBkov^If&suyt(!yL}@ulUpR$g0D(4FUEL~)0F4^++(&jm@1Q|7(o!lm_F1Tgp4{!vMna_>m63}W)eKh6Gj58DPr2iMvpr)1~D;T@B<6j-o0g_34 z5EvHnMtIADB}TRJ7N$z3Q|m}@KSvhP`IxEr1x0NO;Rlm;^`g_?sfn2Y!F&AuLC~;j z2mOtj`p$TjW*9ul4^C|}%%`p?17`4UqU}Np?jkHNPPJR4(dz?dbFyjEODf`qGV^V& zWN}Ejaj|GYV zdt-%1MbK{0u%?#W^ zp0XndnaafR5Sj`oEl&V-9ug3?#mFdoqMo&+AIWZA8_GFG`2 zPKR*RcZ}J8=$I%ziD66t00f9S&70Zy1fE{mX6{YW)Qd(FMY%|g;|zUag&pbC|0ph# z-$xPE5h5MWgoq{Jf~`#|bE=m!vE?g%z-^n%2eiLB@TFoohIat;MkSqU1!oAkT8ItzMF`J zwkw4g?KQ03&=kUSL?m91)?8#XC|6iJZ~ zvt|h`#E`f0wpS;B?+|m@0n60LQLIQFXmfdCM{9Z!Fa%IuI3DT7GcpmA3UDsHOjB@x zGgJN1Hc4=pnom|fvd#hS_c~y*kOG4)^IKtM=-Fx^KYXN7kP=_>68$#&CsHGEMKVL9 zpPomgdCSn8!DmqqhtIOFq%%b7p)ojv)`HGU3CCE?J!zvBdSdTQI%nv7`np~M)xc*Z zPDdK}>PABh3Uy|rcj9E=ZxL?`jqCc2s-#G3|NW`pR=+4XnEyN8RDRGyR$EGk1JyTy zq;A_pp_aFMO%Add)KnI$n8)h44sYsr|4qu~^<%nUKar5gq9sa6h~iyW6P325xw89< z`Y!U_b_JMV)b+(RJo{3{k%|QY7~vapTPVpD3UJAYq_83Mxr0VLq$Q;G$Hq0nWQ@+H z2M8iq>_CmrnsFOW-(kTwIvNN5q%x0*97$d%=^*?KCfU~lpR@kd;)IJfeinN$%qu^K 
z#e%nGHzk)DjSMwB0hzaSGg3CwJ&k++198Txvu$)}*|wW6sS1btk%RoQ7?y}+ z=G!AK0G#Zit)W|1th~ORvZvcuUEVr+3W`}RN|!*a%%kG73e~gyvo`<# zze|>#CG^ZBm(-7$zx4Yb^w+sKD1`*QD~C-6p65urtUgK=CS4PG9ih%heLC*G5zq1a z5#x}n2jRyXlYr(2E@gKeQ)>p66-TvILyUFf7*LFRXCp&?N=leyYe1Q?9*o!VLy;+= z6TK9NJnz8MG5?SN02Z)vg7M19Xv_7RM>SZO+0+SJi4*tceiCiOGM4znY;O#fh!sRGR@;}qtUUs$YRy~?| zrRJ`iSbNGGMmW0q2#7laln(*GSWpjh?4=l=z^djX^zBLSJw-P_*`8tWnmPA)1zssM zT3m1rlx0Cx4MDV@kgRa6&Jhwn>9#*p>R`|#3aLFH488sIdl!8Ytav^njU}dDy5#)MxX<<0+MstQ z7Au14Y!BR(n-I!~qQC9xC54}{e>8DG%Rdp2XG8aWtU014+3AcTkvDp?uH3x;l*h}mJD|`dCWGM*%{cfc(Vqp z9La$<>+>4t)l8yXvDyi@exEuH@Y?DlEN8L64+y{F6d>$r*Gf{Y_vjs6AZoM-3@#r2 z{#NB*Rt5#hvX)%|E{4Y#Ry&5Pd$xtZ3>pPZka_n70fk1DAXG-f!uMYI{u~7){Gb2; z2HLym@pI0!100g~&KC!AjYbt^OrF7oW}!Xt>Be%!83xBRMTZfFqkNpx4UzRJ-BUaI~mnK)7A5>+x!bY_^0^vLoG}c0XH4Ce`9x~=H1OSf7i}$fT70_wxF{t!Uc+BLb*QfHh10=zJTL@w#bhC!7V>j~vQ7KYnHMQ~ z#)IDGQ@m_TAP6M*#!Ky~jPDC74pr<@Lt6*h#rh`S+et9)@~5OS^$`@PukR&)|2ZWd z5L|SdA|#mEJNT<`^o;u=E)`G(uyYuC=!Fw=MlTR(#{R#rz~9x%2^2|lE<1UmJ8b31 zXH2zdQ{5*zWlqaIo)v8N+KNqCp{E}MYa7AktN5h-W9~}~Oj7ur;wM}b7P<{}U*Hp) zz1}zNqtD@kr9Az8-+qo17|Gt5n)Hg+i#_ir;#d1L>Q{LtxlIgu*VnglWUmw+XG2&A zOo?2!O+4;L7EtjG5(n0OyWU^(Y#RB%Kk@Welz7xs9KIm-!Q(_5cQtbWEtW-~he6A7DgWkzQ8+xmEcSIe zXreuvk0m)_dcexmzt5Ze25B%pP7Ik7`krP1XTl0#mxV*`W%X|{_Y-e!G7yUpXyab! 
z+ad-7R@KFza``f%eDYYhD`^9M&jvouG;aFR^xWG^C~*{BC;qHoK8v6@14m?T>$@5LU&;BCo z9y=w^Po}DW-*)Ua%(G#W4^Bz9YX4r&a{osz&W>qrnl1otoDbZSv>+*v=%etib99M# z96O<=$R2Q}S<|F}CrGc<{cCEvuKm1B%3zfybAC5*OB;4M@z?bhlxUb_ zLtVdMCn?w^*>78fDSW+jI~~IPdUOwtK3S(wmhL5ipAAIkWms{!cAlz0iMoCwTTptr z*3;XQ>SI3(Q3RWU6Q-P9M9&GcA8tF4y-muKIP6;GsRa47S6j7TifQzy!J3cDm4S&1 zVz|%<#(}eF+U!3ZHqed-V|pk6000Z16!{ZC9mmd7$WPOQ;KF|5Y`0YBVtn38vcCO; z!97ha*HUI9qKN@~X%GEue1TB#6RyZ_{`9In-jy6N^ydt@+dERaIpy_pW*-e(?j&mH zaef*!1_U)%Wrn{fm-5+f^6AzHc6GxW)S_n>BEVGdCt{?)UC8mp3@i|s~@^yPA5IxKEYz+#2VRYJ({}U>DJ0hrCyLSL5Io|!0T>7i3Jvdywv-cr|PHA z8ueQQrM61*9af-U1-vZuy1B3f9QZg-?RH-qO$zb?6NiA=a~UD=;o~`h>2BaY8clL&NI|FiWI$;J)N|n1fnW2%Xwr;F;KFk@nuqfiRO*JGDVY~m~ zfa$Ik1ko%iX^Ka}7s-$)8a9Q(p^EG9cjG4pLOkbq$t%T*X3Rg+ro_dTXIBEp9}NVX zcZ=b+r*DSKXP#vCDCSgDVB)14hX2kSJyR z7?G@Z&j9BrQ8Gnmf~&O=RKl2KSF#BN#l0N;y`IrQG6i zvEBxe8T(XgPqk9uCE%6})WnO@ki2WqxvBLp`7Y5+zCy*nD^>T%6@q{$GlDL@({Yi&^x{eY`9Q{ZbsQT}3OUNmGWlI%RtAuo6CCvrT@q)1 zil8qaLnQWJP-jR%g>*}nv$!>gB;6+-fPSV_)D@|yj|p8C>ez&lB@DYBwGGkN(28aBrgzj%i84VO#tGTWRmA&W@f?4R zR7j9594w0BK-V)uK7nB!ffQgTJ1lEP?0GJm)mr+P-wd%oI-4_c6ePsMWV^g1;8PU$ z_)Ay}2A)T1EQ4vd3~k!db$7*6T1a-d{NXrP2!K}h&tV$7Hy3hluj;?39_0DpJqz?O|JL>p{`=|y z`rYeo>W%(~qyzu2s0UO(LVvLSBlrpZqw>qnKLB2Q_Jh;c_iqE9Mf<;)-^M<~{;T_k znE&BC5%>f9->4VmAIX2q|6}z?`QFM*SNiw+FHkQ}zCr#o`-kKAo)_+4&^XZuI| z&u|apU(vtO{lR=Q{pZ1J=pW)fnZCe(m48nEL;f@Iv*{D}U;BULzt8$6{KNcL{ZI0r zyWc>+%KxSRzyAULSN5ytgV*owKmSj2&)E>eA_p!#P2MU@(c5{9Wz>yh=D3;oF3LtlCob<_{bU*}k)B}y%86FFca zGZIXzVGPH5i{qSc$`lK$&;}ee=#AU#5&DyxaNw34s)hG8CsOk1^qIv4|GW3UdMDs{R58|PWqlhw(?yMlDP#v zG)qz0yq|5G=gQMSuYQy8=@-Xyxb5L3VdsQl{RE)%4TJdT-+eRZp*u z%zbCC8n*6{>{wCl{?h-`QN&R9QL=S{R^hYWVYmBM;Qd8a{kuibKNwB+efBmZtMDI& z@!x0acM{2sojAEe_Yk%qj=4 zgdQr}cfBhX&@15YuwHDhHg%g6{Xb2jsX<(;tbDh1yN^#^#B*%%A`5FZb)WFiBo0rm) z)l=aJhtS9B6d>_pSR4O8KX2=!9wC1u!&GGivVks*6F`q3&y~`Tiv?Vy!&%2)8GIPj z)-1RzoB}6$!4d(hxiOOIy+&&m@4aWH(Cqbqv_-~75v(P6RuWiNb$`jzk6&K^3c_># zP3;fb?ukGgWS?rqZ{>kxRkd~@Z%RB_kve1{ab~ocOdUfP?<#d>R@s=ebK07PP`{sQ 
zqTGAsw^15Y>s9ti;$pkO0rq@hd%@%@-6%^T%=Ud~$EjdU{~Q!*WJpMUK8k)*(bA||buk}iw7DZ4vbQBkvdHycp-L-x3GzBO$UGw;u03 zxDZwqgWLQ^ns>7ER+xkBNcQg}ZD7q%{*79Fy5ZgFRNk{3Ch}n#X>5n>QPcUA-|1cQ zo%DI?2uYRdr#OG;MD5EFo+7wc&nU(K>4X%yqcRb@qw9qy8<`~11lwe+Oh!6D31?!Vti3DqGVKwR+vit}f zj3$N!*zUXcm#F;nc;QWv-{2J=33+-g?xPfkgF5#FS1&FJQU+I9gz+i8Ju!mY?2C|( z+AS20>A;Nb1-PfV3Ejv96Jl`dxYHx+Y3dv85-HRUsVvgJj`awySfWzsFqv3LX7ta` zN$w7f#ZW9~$_;3CtKV2a>M3e+)K5mweHWod1gI& z^$#4*i!tvBG(W)GABy}IkQ_5pqnP(_X|6OwMieBbIhjyi7qW(&^v_u03xVHU9%6pk z&?O_+BAN-v3J<(JGGd{_C_G8INWmWwgOM_w--D_j(FRbJPB3LT8CoDHA)%T4t-Q}N)o`0BU(ah}~6S)WwPsl(U!+ZST ze(w5ZbUEXFZCzYQIksJK4a9$qC^56g#|%^)cPUkueTxGP)F5o3nw)%J`5wN#E5L6o zw>?@H2s&`uKZl;@Aibq+|D)HeF9$F3U;Gay>}^z49unKl4CW6-YEMng!dLA`>lye( zctzOh3KT+@@Fb0)jb~?kj?$H=7wjye2qRh!qKLV&9NfQWquM6mZi{MgI0OihVjqZ? z&#Q9VpZS@Vp09&V1n<%0AcZv|b?A&pRr=;YzQDwpTvi2SKN7`1`UTa*)=v zf;xz_4@lVq!d9WtKpRU~+y({m77}|%i!PhhqGh^;J9lY9TdsnbCu)BJBFtxeze-V;W`>vhxs6G@^3h@j#dbGiUQKRi{cgYJ#frm z2!GuMiOUvVl&|xgPx6!IV*Kj9h`8OXw%ij*gm>=#Ez{|kHea@BCm48l@Q$$*8kX1K ztl;&G+R)lV<}rCl>WO@ILx9$g!c#$)wN^bvT!IiAB&XRC@Eq~$o-kD3g=ZFM2FcIN zf$vZf9zFpGHf1vHhO1Kv+1b9x8Lb{{NYFeGLLGxjY>njJ=G-KoQ{_&#j(>6h$;|Fk z;7$cUug#2rZhKJt@N6K@3};)F}KO8zS$YJ@|=8A@}cpjhcQwez7#TzZ7Th>%LB z{GghbW{6Xkh&n{=td-`4Ze#F{OP+xUkZ)EVtAT%ZW=RB;u90f*9R0DA(h`o{kfo+- zx2ZqDn8WzfPl+S^Y}$(28h{i?V>?uSESNc5#6qJuD$&PP@+`+u14;!@!k=~jxA=x| zC;mq(*9%;J#1CQJ>;CK-{gd)cCux@swCuiJ2nj;hXV17#sMMe!BTm8`%RW|T%5=4L z#tmgO(!&ITW28to}(_h3W-+P-Qa z8v5pzYqe_cMohwnJ>!+r|5F9LvX)%2Yv6IOHD<;lx7Msi@VOiGPo6QY*fBLXBHzBn zPQpu&#)nI5%X9xJ>EgVU_W<>7QzWlslqx!`GJ_(xozIID()-v@%V9PP+<6 zOoPd~+JEi?>ULvM9!Xg#8pR59jSx8nr}C41N2(*R-;w5bTPBwD7yzZ_Va8TmzBx8- z4kr0n`ITNK(?c*#K{;c80|V1tu7)99nw&YUmq$k;*3YG0h?7R~HYdm%f>B6Ia`nY? 
z>tuCt;Er`GE*5tVFla>{!unz$29Q7COWK_@%ro%Uo_d70?!*Bgr3A9ce&>n*_aA>~ zh~2=Ja>m@Vn1>Z*N?b`Jj#-on42+Y5qWPu`mnx*}H4D>g8s1F;prz+8l9b%s?2#|M1G_N!!y==>(q_=m5E6aisOfpiDkYi;%rbba z-&J0TKWt^}y`gK7=}R}+krU`RIWa!FXdUP;s@r#IC=Ci;Yhh|yn5K(%8sszErbT*< zfBN^0Y@P+Hc0Ml1SAgTp9Xaur3W}|I!~@C|nrI@BT2{21fm;8JU52pvZxl0>?DS{f z&l^q&qOgyJ-ri&VEPD6HdBMZ$l|YtKWR0+`fz>iG(mBo8o{q9xX^dGc0qDH3bbryO zS!FWAK`hjIFG#<*ffI439WrJ24c^f-QC*W{L~YIXHab9Hb|0@!W=P;EG@Q9E2ROzA zxpx}l#qf)&9x5i|`h`3LKx;cX(Jqa82+j(&*+gT?e~&ldt0Yz-fkF)abNFf{l-pae z*NZ^jiFBZR+Z_lI85G#N7YH!(A7|vM@z6V`$F{`GWt}v}{kY4e!JCK0Th!GfQ`J3y z{7+LZ%5SbN=YGGTb?DE6Z>Z>#qf#+PDYx7oMKjpIWTtL3HmQXdgkz{4V=d;4_y5|s z4#bK`PFJ{n*gX7TfPYMl!sQKwtsQUc!3HU!(;`#s&emsN%!}I9S4xxRJ$bm`3`-(( zkc1oC|K7H)=uKp|xFWj{knL(!YuDP`LYKNm-zc|3y(bX8KN@A`6=vZkKrW4+A24){ zMAD}TE06D)f_o2g{0dTq1GC3pHs2d^5Sw^-b~lWDk&PO+1t=6S|cb^?-_@nZ$`MAzxYqW3LM?w?OlZ~@a^V&k9-Z z?c-%eiwaGfIQ23W|Ip095K2f*MD=J_1O3XHGem3sfR&yMuA~eQm<~?WvO86h6d&MK zH0Mgb;k()FxJ;AtCwAh1>9ul)%Hg0B^S^A5xeR^7H1KE^&$A*~6w%4EPk zZxk>Iklb%xde*qp1q}UoepR~#yKlr(wDE4?QHX`?++LrJGV=uk>HY|`|0cHfiIWGT*lsYiO(Gp6$mAu3GJ*nhD}+Z4 zw)v~9Z%!3w^^ZKQ7yhSV` zdGc@m`pnm$x5|1VM(sbta4HTMowo6`7wrE2I!H}!@daU3j%YCo)oZW^tRu%Ch1x-_ zeP2=;R~A<6KQsK*DKWKimM?StfM?gS4!)^A=0UM`Edw6zSLo03w?lqRsQ@LNHSVn} z?9!;SMe1+4=jSe20WI#w^z*@YGq}PVhRRu0Kz_agHIqH~bBZJi3sJKxmk*Nuidybf zzuJFMu7&KOTQVaKBS#NOT9u_@cre;g8JypFm!{e6u0ZoPAwUEF@9tKsyFtSrQF?#* zo@6r|21^^>9tomz0B-@W)D?nk?My+v>p~Y{x=e=t0~eWKA34T_u9n`rghb(97%Vz6 zAbj56bXEJ_Jjl|)H^VXF$K!)c)mfG6e^AM=R97Rysx3aHDb?bMo>o?EFBw-4X4&y6 zJ3ltMUGjnsVWx@Z6Z000000000000^Mz AkN^Mx 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp deleted file mode 100644 index b62548a8eaff273aae446e49ceae41e21b6d69c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5654 zcmV+x7U}6yNk&Ev761TOMM6+kP&il$0000G0002T006xJ06|PpNVEU|01a?r+t#vN z+!Ki;RkO$O{&QSqSHaABeKy{$TO{Kp(CHa z|Ik4AE&vP-m+;jfiqPdOkd2`JqyAI#qQd9x1GlUQjD*h?0mvBif~X1K5rCmA0t1L5 zEKSHpQ2$Z?{k7(n4I6yO16EKtAT$*K01#OKodGJy0KNb|Z8DQcBqE`qs1r)yfDMUb zZv1=hZh{}}JDp}AmN@>qm;IOhEB~A4s`g#x1N7tetKMJ!9`tXjC-Z+$4?55I zU%6iszv=xkbsoHP{kyae>i>=&clgHiU$)+F9w)jB%-`gnVE-rmoA+ne4*UJ(|9k2M z`4{pZ@;)H@CUbA}U+FzTeOCFe`j7BGyPxSj9)EWGQur_GPx>#+&+s2$AIJZme~SF- z_Wo@AD3ZtrlWiTC zz=GUyTw~9g!GP@x~uAVcm-ok)w zFjM{P7X4heT@qPJcsxF_$@EAS?1w))9VFUP!ASx~`%K^Obs>uM3>9pQ3ir<`f_z*i zTAK;J%8NqLRg8O;N2@AZZ z`5t4xb2M7dDdVl=Dsawmf6Uc=j@8A7NN%A8D4;JipoW7K$Kim8b16ea#M!Iv`XrC9 zu!jdEZdr_rWksyrzQ^)e8~_0R{j}?i!lKGBAn?g4$28|E?rJisXlg;atwpxWR)Gh^ zgH0Juu62uZ*)}VTxR!A4uL~52{GXp&j;D50PvL;BO=Is_AOXzQ7HCOmX!y1NKF)1? z21fZon5ITOkW6_kBaZRgtplv7v4JIBnK@c!@Wgb@bO%^^5a-P=yFz#}15#8MCcMr=wzv#_qpJAnW|8NZqi z1n`6m=XAz=#CG)@V6euYy1&_hF^&-a}&VZ zipG0gz{$jpo6ID2zk~_127Y5UrWpra+xj#^5oCrnyox=gTpy%26o? 
z=fJgYtO>jr^OI`BnQ}2qzsuaIU8oYkGMpL9@nQ}XX2D?uW-yi|X7$~8r>YObwGPeN zu%!>6Szsgzn(B)9dv}PB0zaRKbz&1SP{{w)Xr9;!bmzU017|v^|0q0KIpM`lU#&+= zGY99XLYhf+)Bp*tm%P)o=op4+mlu3>x)=MA-(SwW0X|vfIEdt~cR4;%z)~oQdmf#$ zk|EWtMdpm4aqzzxgCe{fJg0c@*JSnfK|hoduh@OP=6?1##U6hK|EKUx7PyxR!GJdz zv(~eX5x87U?k##gym|Kv{gQ=kGljMmGp-u`Iag6(Jl?nyp;-616ITY~7Q3}NE#j8!M-AI9vZJXF1) zf40Kb*tof08>|I<69LO^$bl8P>3Zk^ihW^#7RzO$OT>?9wDY=FF)K!m!waeCyb;G2 zs{4ukdl6ZV{e?94@RhvQh8=8Ro;TLBwgYDniU9JwcF`enp3(9-JjipR#4;nZS`*VLbWIh0*zW;YY<=^vR^Bhx;wd= zeUEYiGf596A0)Y)QJ6nx7MK$oq{YF2mi)QFb9+w6Bl?}(;vm{xY&?;apd^`SWN<#@(-jQziv`#JUB6k z1HgL^lNN4+l0^Sh;3Wn#5n?{nmALT3CX+Ft%s}tQr>B+6QkN+6(5lnLgV- z23vvWUkVA>7ue_?y)q;#RsV^fckF*u{8yIdT7D_=dsp07O6$^j`6YRJYV=qRLXr+x zm?+i%z>43sEM0vf`zXQ4TsGM};tYaP)Y8jBjrd^{0|(H}c-Gqa z|A!p44@7TZ3`4Dn?(N4DbnF+TjWg#$=K{g>)PdIii4T4y6Hq-32Yg6`*xW_v+G6@` z?S27Fs^Efy&#^DSw-l-^_BtBcPfHGj`$jw13;f?TuGmPl z|CM(^7>*LY!)RkF*^hVqSXzFp&~F9^%BCJ2mJrhSR-6X-MdOJewV08k1V!xe0QwhM z=`I08^@s2NoyD$-8;$|rmxj32M8Vljk00QF8h$sy9vhA*EQ5yEoV+VRK`Ihcrfmj^ za^aIL_G%7`!t=62J6tV*eaHf#If(7`v)p2pdROcIFDonmGu@esfNFmk4Gw3DnH!+y zrB+;2FBz}-~@Fq83t)7b&}b_Q(5+b%Xp3rN&x<$dV*=Lhe>%_+#0oS^qlyLaXK&ov8?A92{XG+f)aFlOHIn#U+sN!isthzz z>$@=RD0`4D46+2*F~~`=S;k_oq>PY+sY8k7ib&(5yo-{LIz`THrnf3~-o!fJ|w95&!$v@RiP@-ZgPX*-b)l$WNTBLcIw2|I@Ok z2N?6=vAw*KFUOvSkHpfxattT6CRO@zlV$CkW}HOS7z6+B6vD0w1!vobeu&on7-#KQ z%ZSYvos(OH$VrOrb79jC<(3tE5XdHI&Vx#N%VC-*_@ynTxGlI8BNMD&ZvTc?7``%Y z412qk)L@SU2^+f8%zZ#hWi<0ci0Ro31yHLVN;#$rgediZ3)0vr3FkbuT~eC2qC9Xh zFowcJXkX$M6fAbeLXS-U21!FQ4Nr#e@Dhdn(NH;(J2FKVPy#38YVhY-`Eovr40av^ zQ7Ox($StH7_jdcuS;`4xfAqHptsKtr_is0vC=wV;5`(y>lUNp`i}FwA<}R_3#4=XU z&K2v=1TcLCOSp(&Tm`BGL|U=hyR9&vZM;c#dRa1`M*2J5n)2)Hq!{A(2dOdvg8utt z#!7O3FmWo6Q4H%e0SrhZFd*5fi6EXO+eOQ#N`wRc`H!8pr!D*F-uRm4FZrv|hd9&qt9LRG%ONaaYVqyZZ^;VUsn z*}Xy^OZSa%tyvc>l!oX{5NlwEu}gN&;M7~JgKCqr*4Q#TWEV$ffqa`zRO*y!Y#yT^ zbY-9*QV!NxOt)_5F_y!UM}StK3p>UWJaQXLvahhx;_96`)Gdm#bYUF}+jd)`nn3@- zYa3dXOOP~x?^g9y`qk)GtvEMm&{bGOA~800NzIsvrPnIr`J$`rFovC7Y9mCZh#=-G 
z;St{3a0abnpH?_>NxSVI7*UvO#Zd?W^l|M@~a%8nusMZ-%W~-)v`6k?I#0}*qUfju!mqv%#h)xZLUIK zt}1ICY|f*p@p$htWcuyV+sJBD9{i4QJ^yJ)8%S{IoV6OZ=(GY0dZ^3>(WL;XoSssb~xC_YNu1?E886)pXij33F0La?q$xv-tp*D0zy@FvnS zM-NS|@{Pu(ZPFK5l+{Rsz+_;KYvh9Sz^}_GG;99d;-73;lEFmY=_9bga1SY#2fDWy z$%;sW$o0`teE!&c&>h?gCNl{kRsSD_e>@qotCA&VHHzuFmR92u!;~6_))SgI+|v5e zbGG-K6|b4e3-lN5XV|I{0SstnHR+Oh-4_)ekb&vRXcmnel7%_2ds?|v_l#)1(u74F z8Bt7*Q`zRnG~-Qc?vz-%S#wCqrEFks2f`Q{md7S=vw|r$bjIn3?3jX+=x;eeB1JeU z==~e1`xxIeEO-davY+!-y@h-H7f!y<;~M2jx=++DiD*TG^A85u-(rj~93)%cl1=KM zA$PU^T60@@F!x~ge#xE%oMGog@&9qH+Ej#TXd5K4a%qcK+QI0uC^uzi>}Q!G~eiF58eF3lE?Wmrgmnep)o#BBjvq} zJlkb15p_y9^~jVj9%cFAPtOI-+r}{og?dpfstg-bi&*R^bSy!G@n=XP>vy7J<$`S% zN_LFWk};TV9)Nj&I616FptMnD)`!js(l2mwUM}zLaqu+u*|$Hw+4-Ury@1KcE-Pf3 zkgyQosgWEPEn&N*9OA6CI=^(P_t(!5IYuHUF#u!+VbBO0`-uLMjxVbW+2YTM*&x?$ z>j%JJa1z(s_Rp~c+JUKR4QGNB_mcf7wdn2F#c-;L&v`FaUU&jbt+RA!c@H@V*}9)= z>9+$I3*n*!OUgz-(A4D%&DWyK#`fyDoX*oAS+nAV0FO!N9Nen5Gzep|C|Mn<(EB7* z>7bdzziA`7C4i;%weE?tiAum}(;4?wLPh%BHrw)W54VAq3_6F9LUNx6*s)m3@RkHE zUjCdz%MA@_lZk~6eA-iT&G*V=CiwB-TF@^CMrRK5DU7M1juLm#s-;4YG;+F-M1C`c zNFhZ6sFZ#D9d~R0E=s-exbP&)UVxiABda`f3eSQF3D=M-)b5fbP;NC?mPClAQ5ojQ zag=z(S#G4Crc<9h&##>GL~Wk>Oc--&RTqiCbUH?V(xu&eL;0Vvdd9w+t>N0-K#Vi) z!9Zh?l#;-AJs8)f{szxziC-`Dy&NxjlPb!KqmwnnUKt*+CnW<}YKJsWAVl0mdrfb) znL0LIrJt+?vGE<~D^HFR#nscq=S?0}9Owc8kF?QNGv0gGvuqwo=F6>~W zRXA@^rLz`T_HvNQ$W&b&vMNQ(z7Jp@PDtNfN#hdzgBbf3qmjsw#Gdv+YMqcnM`x^m zHbnu_Tw93Q!Om(vUN;cxmZX93f#pt}&{A&~p!*8ei$cvsWm((h3Q61IeaRb?28Hkj$62i0%ep`1P;1V|^e^h%^#_XGFU}KtX!_rFnBHWW zif5+(9}2o!4atfsz$=3{>ZWFGflc!GI=mcgh(|bAUr7cXXl)F*dHUea^Fo=N#)k(% zkEh<{Qp|V*F6rILgQh{x_nEf^LAc)DLSX8$?|e@eYlV}JtnefNM_%jla@EKA7>YYS z*v?5@Ja*6Rbb21yV9Z>8(=v=eS9&gpQ7pTxfEB?xM5|&|?M;C1Ofw_tCEBY=T2m`m zHJh8IReJXP2qHcMMb+b+g$)mxyDg+g0V<;_|5ez5-frwnWjQa`zL$ zs5=iKiiQV#+omlep@YBIQubx+n@6^aAP(K3L|s8lxuklp)PngN>a@XhKVaFUSgdu; wtd2z6+6!_f>Myzet-HultZ0j5IK-%y@_?hDS|gt!ZZP@kcyBsJ=NJG004E6`@&Et; 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp deleted file mode 100644 index 3d76822e8841166e69f789fdc44f9484e3b54713..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 37210 zcmV)XK&`)0Nk&FekpKW!MM6+kP&gn)kpKV?OaYw%Dg^?Q0X}UmlSQN=p_dwE9hV%s4x5<<^6y^ z|N40UgZfME8~(qb58{98yH+4}|2zNx{ICAMA-~$c5nTWLSNgB?U%CGPUb6g$ z`^WW<@PGS%wtHjwC-^Vx-{$}E|B3(q|NrPO#y_2ZkN(~J)BcbD|NsBc59B}0zt8`F z{p|k%|NsC0&>!D_=zf3t5q&HD5B%@-KL9_;f2aSm{^kCY_K)cc_7C{K-#^WN^8b(j z|NsBOKg_?of71UG{)_*={ICE2|NlXMmH$TnY5n*7&;K9vpa1{={o()c{nz;U`-T7e z-4pgF|99vA{)Bk`0XW6XO;IY^q&j$jjurO-tWRXl>JQSffV4QK2oLDbO^n!3Dw(i~ zrfedqn*O7mfUNXsGj<(06ASo71B5g|#tj}e!huxHgjF+P6-?MgQ!_`PrDiWHynarK zWp4K26odXN?f?AafTz*JFtcwQzLk!{0L=6&8L*&LGhr1>*hNz|5V4qcK&lvCQw+0w zz|=>ws7qkPe~A+ICtbGjZNcX|2s+Mikizvp?<<1w8)eC-bXThi*yi&b`(RM(A+!wplHEzDA}G4-sf6zg2&opqQ}>uHk8!+p}9Ld@U>k)+*;?HVYa zd%Y;_antqtyIbu<+XfiLxvz?gP4dbNdAa28VlU8Rs0GvZunu&|km6<37s}4KeaqbW z%p__Lg_SeOCGXtjr|nT#usesHn1ap@cfOSclb0^ZSs~67;k}Z@W;Y`MpST&1KJl7S zOv&PM)qdxyTUZZ>3~7RE^kzvd1*Pj|4c>wdvhx3hT)EEZb)nWW=tEdDD#rz++G%mm zJRA#$+5gfCOW1s_BIL%T-R~pu^oa?#<%R3wr8tkd+O%4v|Jt0ec9Abs{%TbkY za`(saUK6A!F=s=2s({BYUuU`a-R&VIeDmz>DZf@%Vjusjlng3-=7r?~E@RR%c{M6f zif--&?l+ZPn+b?Z1&FxJXd2JNk{ZoRj;1sGz=s4M70to^Y#4L|AeSt&TycPnmW=bD zWiPqDw0S_L!iNfr%o1>cX?Vms<3)89K(2f@@%`Sb%=wbAr)f<^0JNs=^O)`)WIzjs z9?Qms=#_dN6a32HJcI?iD0Phs+8a~+rnX?x*n)GLA^~}qTgO)w**)Y9>K+eoMib`+arEpZvNU1ilhQ( zJGSW+5Kx%Cn6wd&P8-x5c^gSc289{`kwp-=phGz{4Bfa0pBPJxWkVSXoYJ_pqBHQ9 zJxrAbf+fqXoi>S=7wXxxBEp{RArEFH8dP02PrUr*b9}6J!jt$#=2@I^L4`_HVl!vgo=+h8fbi`prgqh7j(aaFLh325H<0{lA1xN*?}v6}p^Lg5z=s6>#tBe6Ew zoI{O?`I^-6@Lqe!X6n3FiNlO@Mf$seIQYA_-s_u@${jxZl1O%y6n 
zx%HOc(VNM#;V4!MX-4{>NLBV6UM?7ly0tV`-J1QpuhN=VjD~d{O+b8DD*2)JOtyZ! zX;`w`_i-KXutwnyo1Llr=cyL>`xT3@fSi=*`w1bROmp2#$_75&#DBpeg{$|WRJe|m zKl8>c+p((Cx>)7LxhhrW(%ii;t-Tujl zhaCK-7svO*E3DtGOvXl~Lp_q6bK;AB`HK2XLwvNkHGffPYYX_)-o)7XCaIwr*4@qw ziIp}lg5luN<79Lph8So?0$6h+Tdm|gWMFZA-l@>)5I$PbR_nN4dMBp3=u<2Hu_L6x zGJQiSA8+2_v{cO3S64#l<2rp*^EFzbHd*Es2TBA@TY>u(%K3sbCv13DHr8vFpOVIo z>Z^1JSP+>JBqHa~&-1dCQ-?_stRZPqY!zA2P+?qV_vSm;pr3T5n%?!Ji*E@bv^y#=zGXWS=2S4gn3x{AhGj~^| ztdE41uIw+zf_19lZtey#w$`0i$awWp)O2slO3M90SwZ^z%B>xeUqb%aWbb0 zO)HCq7HlZY%5DM!B{S4Ft3Q*>wu{Hy;>jC?jhc=-+cE0#2tvGFoZ^6 z@%6bd3qY|C&YY&$P%4(04FT_54ED_$$eo>uvJNmc-l5LHh_T#tb=M}My0tQtg_*&! zb@$30;1?wM579X!ilNv6{$M4U!5H=2u}~A61;MlB;*={n)%gWYaLd1fS0TflTsSOG z(n10mFRH-qZ3LIP1K=J(;|-u}i1!1d#f@3?v#^!azMc{w)o@(}VGI++J-9^yX@NU6 z&;xVCqG4Y=0NWsMLyEgUAeTB{d5w7n<{c7Fz^??g;r#m!ZIqs{i(fcPB+TMN{kY;? zepeDw=VYTG_>31@)q(2@lk-+#h|fZpSp2D~S*iZpmrOY~OG`yAk3<}1BlEg+9&PLU zP;yjSL(HJ(=Ki?h6SAib9CxCw)7_kHWb{tsNNHeJkt3(T+cerxI?kWCT3=WI0RG7Vtdvwz7HIyd z2(gdTQHjJBk8u&HbIAv%zUIf1T5uI;LIioCGvYZyREQ-vg)mP*@=Q%$wg31=e>lIh zIKmym_Wz1GN0xp?#)cdACl?YnPFx#F!oZp6u&)+=LCHtEPmQi5>mp zn_6mi4H4TyjsYvegb^3JnFqQFxvH1;fYkRx501HjIikFOUrMFO0*gOsFbJRyxf!kB zO9M75>uP}R!KxO@g$HczM%t1sllnUu%7?8P1=Ng*Bt#BVH1H1mCscjxZ+yqYbx!!= zG-8|CrrO;BmnFwl`mo7sNT5}XrWc4Ms`CnvPPq%xB)e~fA3tCK00v4<79!@7+ysIf zRI`#ZYVy%Ax<+CGI;*W#h;k1UNv`>U zY4`&fT^#u;LYaXH|BUq`f4IeD2$G9lL}@g&e404Fjm~RtnKoN4MMkw03|#Qq=pM1` zJ;EO9bb{Z%ZRMUd3SR51XfjJabqPos@Mr5alffmBK575}00R!IXUT&%7}7;&z(hE- zUvnXQo{>#WvVRQR8PDAjk|yoZ>n7p$Fragpy+8nnTcT@*A{wl_n0mx!T+;183F=>m z5oUfRjIrLyR&?#ZJI)V3(W`IjRaZ}~?EVaecAb0^8@VH#=h(!LhwEHf4uvq{TKIZ7 zyo{gbzlkw(HrDOpdH#dNo{N@fxDh>89MU;K^8qZ01d2@C5)uT9vE^jFcU>-&#=P_E zFc2{l8lMRWhq~ugK7L1l@!=0W{+`VcuIIGt15E#1`KEzz*Z5)Lkm#2jxte8~dKrg@ zot*)apxj%sJayU2}V2%D{|>`MZ?Fr1cIe(`JL&jt53W!mM=6>3kOeo-wvO^&0rM9r&`G}B7B@gdK{c36(F7|=NY0v zG`d_1It&Fvk~zAm#6vNriULG>%NjDe{h5d|dl2RmYwv^JGz0Yphwvh1d;EU1nzdL? 
z&y(yzqSj-9Vv^#gr}WlxXpD*p=%IU!CBd9G@^6JsMp*o(XgW+?tq&q)O4(;0?(|yg zJ{phk=85Z#0Z{5I>uGKfk^45a-T!M1;XJYm&_DnH00MstxDY)xC;DcX5D;*Q0JtqY zABs?-5FfNZ<%*#j#ILC#SG=y!Ioc3ZppyH<;o7)Qgah~R{8$Rq^_{mBh45D@H>Dhs z+e?_9uKn04daQ--`=uFD1pymM;a$CpaY|;3{r$tz#^C=8?Gn;b&V7kGWGRB>I7%S! z*G1~HuY5~y;glLbRrVKjb_Mb*uV3yR$Whv?!&`le#m}{F%-4l32{HrnbRkhLH4{?% z+ZlRiPLPNwP8{L+5{Xo97^@CTI)Ra z*|3s-aI1d+radr#0g!%w-PtmjWC-8X2??HVDm99=g68>Dd}moWaV!;=f-8_q89%by z%}u4XQC|-vn@tc3I);sA+3!?KM&b!fBig*5z_M}5<0C^tx0k(}+*Zfa)SjM7pR&+^ zS+5NV)y@-Gm2Om{pGk!Qq|9;vu`#RbUnk9>} zY+2$E7nahEt&qmN&jRHJ-$jtcORhf!{gGlY5i?B<53ezp) z(9^PLaIAJEB0&y$L@3za@ShAwiDI6JB2;j3p4DT^3|`>HHRlem z{gaOseLLAR?DN+vz#Z1F2aD zLI(g_baz_41)+C7S1#_DZi0+mW5yp zZhQU@b!vXODr@nB2!;jC$gSKNDeBb2^}Sm%<4-032ea3%RaXc1_<<6gU}*f^O0Ni3 z@scO3Xwk!VT&&8|&X@-=;%Tf>@$T6~NVp`t13P&2UHtQ8a67Du6tqwnth3k3C96@; zv&TT;TT4r7M=gK;h|$!_L67#m6xAT4IG1EUlzCHDJJ~qs|E&WW?`3gOtrcdM5D%ZP zW>9FYKJ*gZn=c&VBAC=h)eR9zu-!6gLIy=bWqBV+Z4{qbq0pikB+GXB=Di&z(NZ7PvAs1w!u$RcDl)4C!Mva&H*}} ziYg4pjm8(<3I}zR2VPkfh~FQ!#q{K`4xGW-m!SUvgzb2|9B(pQUsmqE_&8jd$<&iA zW~;Ms$+-iLsDyszy($OaJ?A^75|{Aq%nwMNWq@>iAu-gO+wo=a+&tXgZ526FN@^?L zc+uu+mJV~u4G~C7&{alX>;U?K_JTf629B4xV6w9{YgN+HXI_k?UjnY6fx#|Cz)Rww zS__E{?~LSB+b+Z6rj^IDc9rJ91ijzc_6&uKHmJw&X-Z3o(Oh$o*v9uiK-v5k7imhwI@ zS`gE}hjT_N9QfVEe41eS5qZ9qBE}q<1)?@}qkFB6i0Pb4{tEpHoGZQjS;Gk|muTL@ zn$Z^rK~(Amf&*2M8TSj<7j5s0yW@b@6c13Q{yc*tT7Yhp%k*Gva%L4hqnvX)$Y5Lw zrb(wbog+*eu@hkVh!|b9X&qO&H!{R_@@m_D*m|wK6=mQAd@WBK#jf=hTz^2@_qZq# zB@*LW9jXs^_J(lC`T|+nyP_^3{FGFD5>np&IIU>%TU^tzg4(5Jy6gi@JJKz&g~LOt zNZaAsSfULVG)4P_2(F6?G>0OLvU22j^DP&q-cEDz&_5Re7~-J7>?Af(85w^Q+WW%5X65!@!iK2DMvf|pEIGZf{&KBmHzMl@z$ zupo~nlpfAKr-MklgEK=ik|?Acfui#K19tQjaz_rgh2WA`J7k?J7Eo9l<_qK#muR_O zZ$PP+DIVf2bn;w^zBG(4RRtx7TEOL9alu1o+3NTW7pL~r?bhO=F*3Q%e9#Ghs@s{r zya3M+z8=k!o;z25tqVLAPiph66xPynbRU!U90dV_Z_$YtzwUQBSyQmnurSxJ$QvQ|s}ee#-~yUG3owrsZ=(wuf%r7uuI z5Zn>VXDm^d+JB#&XvwgT$xZ&XY5~t zcE+$;_WPnl_VR_7qpPx1l3MTY`>VR+hC~jn3OHV6T=_jNxNmlWPFh==q%k8q6yq~^ zE_?0$9>t>Kk;$ 
zy487zJN(X)*;*08WwaX=zQ%EhQ8ylUQ0NHuL+Wz+SPTXv@9t&#Kl!gDUAG?(EFbtse zyQhZ4ygE-8Ro>R0HdKdN!TinzvBwaxR75Q;nwQpF$;g^-Q2ZK3P1lc^NSmVkg-&B@ z+$zrQ(I(5*?K0zBT(f$*{>W(ib8#u?^ArCkoISKJ�EC3Q#lOzCE=hM#Dv!Ib{*eM`UnXT zL9Xx2=Hi~nLxxT7B__ek7aj zO9kO>&s+Plp{EvS_tp`l)FpAbMW@;wOw-VR06z3S;T&6!Gx9UhJ>HNFEmCt+Ai_Bm zl(3cnPks&d|HU=q6E>e!0qyYm{0|lf8YppI8 zqJXjS=8=OzEcL@GTr<4NGFNMaX>M}{g*tLOeo3GPc+YwR!oxJ#ERtnEoJdIJeIOp< z4VW>Y(}o_uQ%yEQ9q5+X(T(~p1$#VGnAeh?I;&8VJa9mF^c)Ywl1*Eo=8VqU{6NZr z5ji=JwxObNpN3B8rbBbNa-?*z813YvMC0EQ?Nz#9nNzJ^fW*e&h|M!vs6<;MG#ar? z3MDXWYfGhnNx>@Zt71IgxRPZQk2im7=A15XDf;!2wbjLWoNMiYBu<{aRKWc+?8xS+ zJrr05cmgan(YI{Re})SJ7yS-B^FXb9PNlG=uv;7tg%AEqE#Rbxk(z%bT-%=;@_LxZ zCl$M1@#j{KCx`O5$D2ugbSXlbbY1|@$SwDn&Ki2)ur1>m&EzK ze3P6dxxKq&#L7cLQL0U_iz>Ff(vFo}<{>HYja_(B~0`8J3pjLL{hok31B5AF>v^qKy_4H}=kE z#WCN91Ez9WOaS1z)-1}{;H`S~A(plGX5noocf4wlGj-0;BpQn@U>G*szuEJ|?WD6d z8#KIWtq(yr@d1@YML$7a_~0Sb4mVnuDR-_$tv%^783j_Ab>l%xC!TJfUgewoJx0U# zI3PQBW6!Me8eH%r5>ClfOVpHXy#R~Sq2imLGKaI&vT4+jfrDLV<#9oI1nHDmx5TYTGDpuh zKxr4}a8LY01tuX~%HmfDs@j02MS7mst<^CGNb7nJXvX!hoT`vf<0BTw=4-i2iB zr7^Wc@+m)?WD!|ASl$K7;V$hgdn-e^(_LnGaYYX?SQ8h%%)V!;74@_yQJNOEpuwZ}MG+xdl2^(gMeAGH&2QbR0GFoHX z{hLJNqdbR_#QuIc`_8T>h}#Wm`Oi>;P0nLlTSPE?jH(3ri)K_OOG7PGI2xp{z5ich z9#)=6Sp73cGIe#v=q72n*rppnU*o$AjJFk4e~??AX5uhM%A;LxaVXnjAVPX(wPnA% zSPDr1%^bdoHk=@}R3Z}TNVA2|e>+T}a>LK!*oJ=?I6I9=I19s&h4D!5p%_g4F0vI- zxZxoXz|cVK16dLLxl3?9f%_Te0yE+!c!DD-yUGtDsF2@=<7)o*^Nd$SAk23bEV+09^N>R(SjL~mVt=+OOW;aB9kQIEV*}||FOJ8X**IDXv zxBj)6t?64ZsFkT?A2a$Zm#rEt0ZFReFS+3Wu*2^LVcq8TI#~Ib&*D+W2OpTwZ)(>XdGC8Or{+h$z82xX$ zT3hF&Bv8ruH#IO_NfTlgxa3drd#|;LX-%-CIuklTepQ4}-1C?|Y;uBBvnp&)TC4Y$ z+^QGD38*p54uRt(hMT*-Tej@b?S-FmN3Jk!P0q}0oEVcT!MmmH%^*^8!m+YX*5(+8 zJOZ$e@NjVL^xy>}?kf2+inbk}%zsZL042ou+?(i6HtV$_^>;%GCO}s|fvNLKkitOe z{+%utgu8H*9e~~$gymiF_!PcKoz%UwXR6BwbQGhg+s3xCO~B~TccW0HgGHj23Hs~b zjV{nYmfHj+Gh%hl6~bDcU-=jBKZLTQ=>8`I;p~!jT!%QM zrLN+@*T9sX?!NXm7*Ix(jEx9#R~(_*mCn;L>v1%{Z1!QW{v5dyo5pdzD_mg^93;lq 
z&#^-9d@?KsEV6xYnYf75nQU6OIU|1e2aeERE`)OT)=0%(&B;mz2?V^d)L(b?kXM)%cf(5l30soTk{%-=oY2N zJ_-0w-o&uJ1oTH`*x={hG74Oo$r-hIv2E%A*g34d)B^<6b|5x{yL$2`B=MXSQ-@Zh z%Y~D)t}1tB!1$PI0z>rzZOq9o=#kAcdBHgi(_A?5gb+{wAu&GM%7sf;YKP6cqBGG{ zUMj7m2-;LAhc>lR$O9!63gTbaRj$}VUp_L@J>a`pm&bX-FU#C=wJp!M5^aP?@k-Kq z`VkV*Af;l_w`NalNKSMIaE9+tx1Y^&t-k3Xum#E}j&(f_4g4n7+ZyWAB6zC0_jF*t zrf9PK4+BUrg}l002attyF|TH44ZpIxoe72nZ5IF^MZkQ0SK`dE=?LK+M26Yq1!EXH zpI++%$%4TZHhGuGP~YC}I#1O`J4V}K$Um@4XU%iwSQv4tvk{OTxtUPErUlpl2|b<9 z&+MI?6;pc@CIzFUvC6Z(Q~aDZF?@MB_Ug$Tm+=l&SWM-?_@pQ`5Tw(`!`hk4tG z-)1Y_p%W)fN9Er-brZs#J|$b?trZ_8=)nhZ(taQaQFw`+u;d@uBU8B$8|05*0008^ zuC8~=MSu%;&fy_fN~fwaP^@}B?eS}m;5c1l&I(DtTTuw=W9N02>H)G z8dz7y+5%dkGK)BeZAcs+p)F(dVA3{@2_S&AZ%=>oYboZpXX)Rl(N)S=g}{6(2PY8( zw||JM7y$K7Tc9+Sm__bZ??H?F33J$G^*NamY;_OZm$fK|jnBgC@zE^TmLaTt0Rtut z4X5z5wsf@`5GCHCo1hiRNok$`3OOT;eIx9IN!y>pG^fEM8UhtGujHt&Dr<=+P^ zV3CkwQVcFRZH;kn1@*2UCK6l9+4Z8TGMx;tFs=UZ9^8c%B|^D}PD&(51#epfK;qq6 zZ_5I){3nqN5g8Ds2A?aNJ`EH+5S+|UePmNtQp^&yCU`IhO1l8C?peww(Vr=yF7 z-HNt@N{=q9D|LI9k8nY^)eWvy;*WhTJ}zaz(&&W-*&1U&rWLhPW%1&)#6M7%2`6O@ zXp@VrcGQRs;!sydwB-YKRI~AKTPIgT@}g|Z24k#WAwjZJ&`C}R;Ln1{{J4cDEDFC66b*X`*2j>Tx!hacK|osq$|qh|2|n2f_=+4@ps@P}9qY)q!Mx(yRch zL7?kcloau+0;oEh+9h3m(Som{gSPpsyrHSe+~4|f+Z8xgt+Ypx(Zhg;OV*_5Lu28n z+zi@kV?%Pj4-}xd0ga+`2{Q0vx=dMw-{K8({B2+I*tA(IT1Xu{jJqX4-MiWkyRWc$ zqUG<iVdwCqsARN z^Tq3>d>$r!!y)j=ayL=N;6mKuRxex>C1pzrm$IE==w2m*U!2)94_B-OITzDe zkOg@0H zN(~4nv5}yW-7G+5kKrdFib2o(P`8)aTI2xICe!14dngBQ8&2N?2m9R;M$R$#jFCvb zD8KP}FdD88l2HfM`!j01iH%1)zpvey-~Zv+OrV#8n{e$7SOu1kQ1_dsoiVx`rq8JFNDAHq?u$^QmX?aX zdQ4|4w0y~7UYfl-ti}FJc!zua z>9G{Ir5}@x+i%w%WonIjla_i(5;NFi-{#z%t#Qx0*i-S+*!lV<99<|dnHw}o8}A&L zjqLd@aTP-UEe;Gm-Kj+fZqpnlcGjZvZ`u61_?)@_OT`9RwKy)44 zG4^Q*U|lATMn22FWEGZW8$Tgo`(4GFi}l5{OsG{t$(*Tx^9yu=?-fgDGLf$^Y?RTU zlC7+RJgCJ8ecIEAg+qH?pu!(oA9=3uAEsJD+Z9@UwroyHNybo`vba<9Pax&cH!e7Y zo)`A&y9?I3Ec^u~0o(Y7u*s~rGXN%JzVkE9K9KQk5HU_mi0IrG zRCSZOuJ1y$;nD-aAY0~4gf3o?^53%APE&fl3>|=u`Zyw?Sk#f1Nu7_*`L&Tjfn5U) 
zB?^!g;8tWT0Cjj8KLV#JNEBb`rX=zcWbxd5-NC>gAmUhvu+P6goVy%s(P+Z+6S=*MI_jq> zcOFW_?vTP3GMgD%5Gm!~IPY-sMUjNYHy;XPTx?0KIXT_|7(pmI%gN12M4y{(<`WX_ z0MK5QZRn6x&GnA*UVzT&YL!^VH`4-^-i8z;kXxdj=0dWwh! zO|6+pY4%*{tx@h=BV~*sDWBh(p)J&yFY>Ndrl9w-O(PAD zcRrfdWC}w@bse>3Iwp2*5Z3`IIdtOqK7ldhmfM#a2~>8o)aEI7uC&G&)krzu1)A+c zwZPrf#SpkdpnV>Qpm|XxP0rYKY+?|6Z0ne6gVqB~#E6>J6*|2+Kql5T)?}Zu7wjF} zV4k}M5%yvZ$~gi!e&B%i(Y}KZAMvQOO@8Y^H0czE-O?C%B7Y0Gse4!oPK6yw@~6Yi zo23MR1Ru7dw}!_+cpGJr!dj$EsC8Id=V>2MUb#BVb@=>-|AOfp_W0|YGF+^5b33=C zyo}ge2&OSb(1ZFVRP2`El6 z7woIo;5@&^LUkGbu$_D3{}Fe)!3Ivln#}Z`(jB*7sJjD7KMydAU(Nb|)$^eSvBK1l zSZ=lR34pw3tavo?0dSdGU^J&>`)z0zZ$M84HtgaMs86*?J6q=EsJvv;$T zJJBT|pxRq5&uH&0y+FsiFh~=hzbt=tWaJVUXk{y{+({6g>bF&(=NJqEi~NP*Pwir0 z;`yMryMD`eu7+aM5(nO0A=v)A(iJk~tt3LoZ`k4QHjR2EQ^1$LcO4>`k14DqWvsN5KZBuIJ3ldi`{H__QL?lN5(HNLgNVF;ovdZh)*T~g zcX7h~@<=!~H{Y}kPZ>z>;2w}x74Q;{_2bg5Xaw>?eWC9-O2`3pk2$BT>9A633PQK0 zMqctA-laH)RQ(?EG$xI%xN=-4be%|Iq*hNKg~T`6Gn))j@^rB(NEh?$ z7TxdV0=WEE{>8h-*w&eWCVl09^TV6|#upQ*lpw}M3GE=bLTA^bgoB3PyYtk80iws* z;YbT;6h{5myO-lk%fOIkdHZwBsUcZnU?H>L`7DL{g(rG7rc__~<(HONK6P}E>KKI* z9Fk{NYX!w~JT4W`jqLyX!iiEugd`eSKqb&^xNZzP!E@E_8S~m`+A&crybvZFhF=aT zE{$Hv&9nF#Dkz0ZuOrUx2DHS}J2q@9C@3$s)R?v_Nf5Fd_BeaZqh5(r@FnXWiU&e4 z)9PzJkB?UB068x#I_?D``Yn@cnG{jG%gGj>r+&FfkQ^?8!a6QMNBAX&-sMbI411gA z;r#{S63G^nzKYoa2pzzIsEA73e0QK-EU5xxQJ@lf+c2~uV8)?lbYDu{IEuiN`7mnw zL3-TFM-(fZGl&vvv{6@C?1!j2(_b&uXkd0zhZzY)hnypu1fr83{N8mfPsjc}n;Lk1 z-g;d>#c6ESM7o)d%!;%YlM^1ZDo{^(a1{8}v$EJFxlD}$G7roZI9KbQFxBA0>fsn# z#PesOL?7UvCKfD3eVU8A0;4zda^sHq9A3o<)s<$vWltlk*Y2#5TGsWxuEb_|-}1%q z;rVvY)j)zpBStKvN@aouUn;-L?{J!hN7}(@Jn+1H5zB-L@zZmzOeglh1-_h0cHQ+u zvB91gj&K=ZD^u2X+*TLKy}W#1xLth1qD3I8@nu~M5c5vW#|Xc z#gX9JtR-=r)mz&v0V3_@@;_@2WAobU+x5$(8E#Z zQIFUoaFjxw!mm7s!XDcvF#%@Pp&{cSv`iT-%f)4Mv<(9h6Wa^Pr&E*SG^vQt(81tv z0001G2da_iTMK2Mmr2eG+$BwU8^|#aq61!F3m>8Y02+&RH4GMTppgSZD(d;CWc zA*e@CA?+V5B<$IA4j3hf!wwyFh#WXGE@}Nlg8Bw{(s+z{Pc`mOxi&9S`;X5BYcz;TXj}9Q8J(TR5azc=DlPM1(T$pWQQ}`L$WO(_p056orZb+q+iV2Yb^z3W2es@z&TecB%Lh 
zXDB!)8bV$ohm-(y!houg!qo15EE~FzYB(wf?my77ptc&gz9uU`Pp} zqh*U|&^b(55)F<7{d>fbmCVxPrn|l2mFV#Xod5^b6(Di<>=z?&Dra~Px9YzRb zwnkQq;FB^|(+F86U>pu@ZbNt;I;>3$F=H@venrOYz+TlrCd=>~c7(bMKJ~Hr z^)Yy%5yg&1H2YW@t1rUOGR7)9`d@utMOND$b0SiTz!#oc3!%cQc9k5|He{;x~MF>+Uv6z3c|#SirE0^>z*|3f0Y`2v#(%b zl+FpLVlkHP*^TGAxhZJ0hdEf=<(HtnCx=^8jkmLeW|Gw?m{C%i43WA=QzGPlxt`9PVeGM9n&UZ22*^2lAmS%+id77R zhRIYD{Xh;;I}hDXFMe-_1ILHwU4vrLjU{vC(}rHRE|btSVqb+dUZbVNHpS3Nm}C<4 z!g=udYj|zzZWs0Y{Y9R#Y4ESdAWHk zh>1V>m+9596+5HM4O)fV3dYseu9LxOMc)mMU+T>Ae;cpK2^S`g;4%r0q2M4ySG2A0 z7-aiEudLI6WSB#&nJaDTT2#%MA-k8t)q}Mq)v3%d1qc)iW2Zg)I+SI1ETXBiyt5I0|GecSR zV*rZw{S8V^TbgfFV@k!Z=h9TC^8#p&|%$34Q~{2`>PP;1J9i4*RE+gmBEDEwsGHA^Paxe=0SA=ddXbE;x4tu z#dH-bgG+>8LwY2D$?D!=aHVlFR~vkU`Ia7LdrZKd^ffsZ{l?;jh9j>;su_o6o#ci2 z_GUO;50pCUk1_Ez<)$G;Sgfj;%B2|yhO&uQ;$enl;FVw>xc3y&R7c$Fx)Xw#qT#J- z=`@3pS7#O4x~wzDJmAQrelWj3KOQns%OsmicRa&?l%SUJDD$dJB;7AyQ(^f3MeBxc zeaR}7IMw39$27lhukv_yDkm!awkPf_G$jQCY@*2S)gZN6V}=3$1QX~dks{=@Rfqp8 zR5nBkn1}Q+cWD|46DY$x!e^JI%M}L~*J+^2kFUqcZlz_bg+*5KQOL{!sT+g zFq?I6y-Gp8wRWK>U3m#zB!&zmQ~lqZrdoUto`8a{2Sa-vKVjp$#yskWJm={TWz4}q zB`2`+nVqq%K5>q7b%L8;CH|G_fsA$XYlrFk*Vfc7MJ5wjK9za(de<0}JHKkb)zSCK zruUz=XJa~}k=W}>TtNgWnrn1rfV>ik-`N7@BjlJUGf1j(RHNwesmtz4w6?|zE!_S9 zY_=s0uV|NX*8t|_9NR(>u&btGLB#m=l^v#U~QT{KP=BQE)GnxINbh)H#S_w|r$xjFFv~%;8~86D7T3K~$`1 zXlyg!^SWtrQgeRg;)lmUwQr#Kv6dt3-);xfnPMyoyPT}+IymF0H(hG+BcgS_vq=CW3LqtdR5*|iB%SB#0CaYq=*?s;mh&o!MH8q6pIw+XYxt#NAgHCFDQzd zClClr+lhsG{`m0U&7@&z8A(ub8>denxLV`#*tc~1zBMOunlr;^^zQ38x4g6ex3Y6V zzz;m7lEtUSqH}PfTYT{|!Y}PD<+{+tzX2t$oGf&&t&ip5qNJkp&>RTxi+Kg!>r+;G zyunQek_C0UfUrQ;p@rJ!2{+2z1qJxTM)GF2D+2kg)`m`DobNC(mzC`7kR2Et3!y4U zg_1-%f*2|~3_?Yd!a+iF$jR-CKf^2t)dQQZ&5a3raFk11LY#m=7cVz83VY3u9-Bd> z{D~c)qkJu2R_qpU`o!1uTf-`v*mJrq`j=ZsSIruKP|2BnU`Hh@KGNVYqPiot?JZwe zt6aks8798R;19|}8~y+|)uTuDm!c#2`c1>D%m+_V3((dp#+v2h<#SylJw=ZC2rkMr z=3ZH(D;zZB)J09UHOx#3h+fRgmU|YabP)K00euc$LWe%OE8gH{0mVCNNw(A8K!8H5Y2mm{0L(s>M_;y0D4yQmsQ%bD%d6wA+huC5fE_A)9k{Ge=}7c~>%(#<-fB 
zQz!joj^r;KjtSeGZfE$)b7XD>7^=>p9jGyEg?0K~a~I*-FW8K1r74YYou>)a6#MAn zOQwhRWt-*$jT&os{p1CGRwN}99M4M#A+)S`YlhF4dXqjezZ1y}p4-I{0GHiOm^02% zMOfL21KRr+r?lJ|o(00_iLkpD^zEkH`}dKQsDPD{@>H5*6PjrsR?CNCwO=9Vlxzt+ z7D+Z8mBH^@5?je%)r*q#&q)fW$tO%wU`ss3Jo2sBKQp@>*ls99XB=CH+bDibGPhhq zyy;Q=D7a9?8TggD(T9Kgg$tyO4+d0Z&o1P?%u=b$@$C>@lxfVovq)cj>HH!-mzM(2 z11O`+zsj-NcGy>Yn#ofz2Zvvrw+_k2c(j_>s^m zf4v;Y+i@5q3qEYM#jPBAet^e(5<11}02)83VRy4oG?`QL6j%W1icDzUb6I18*Yu*v zNijTXC^dqyOkA4kg%%76o>sdI4FWCeAeK5~Rj)CA^>8<8-283rSv#hn&~9TlH$e!| zTt21R{vePVdAulOB{6v%k>17fNEY>Z1RtjVN6JN;7-p&Zmb5&DdM_@PyQ|J+CRT5z zjv48KwD5*lyk7R4VTOluX)-xpba%Ik^0A}BI&fXCZVuDX{3so$w!#oZQ~+%d_g3%6U=^_8uB0l5cnGw!cDEj@ zCGGv3;ySY3=SEWga}=Fx2tYT{JOG>UAVR?+#Kyj7I!J6TczaovPIPR#f z4MO(nq#@c*ee!;jS5kK%7C`c(u;KEU)VMW8Zb;Di$!PPm+(%|lcJF~?Ws{yF23E&+Zr-{EGm2i4#6?0UCo?#va!9~k`5VK{l ziF`{IBaS0;!CH8fm=NyO;G9oH%>FJDKJ?vuH0Z1IxVJ0(lcg4QcLsIB0Ab**PB9JT z5ruyNC%kp7tC?|y-*?lDR!vnXM;VWmHgC7U8m#WSF0Fbg?SGONRgO3vlhc2|W5lPo zDh<-Nd=#V#bTWv2nNZ#7OKf8H0|E?AfE`j<`ZlS}#KHc}Tu>9s^fZ*JSAT2eXyJ4& zco?4{t4BD5vfJtD*_4+yLC^uinxkjw07blGH4@~7D{Qh7FF@>?&p~+MJ3+@)Ab5Tt z2Xa>;f%gb)+a@4gb=eCz_BUb)%$maBZ+Hli3zVN0`3rK<1i)QQg5{$j%qsX%UOUCL zYQ+=&(03aj&$NUGndp_j0T=5f5^GzV;7oH;J<1M33wv(0n z1M3Vi526z+ze!G%K|x0xl!hkIx6|@t;Jx=bo5aIVam-rFC!B|F1%Jdh(=`XV(j)Ok zCDe8oi&o^2^d}(J_&Y`@5zq1D1S4fa29o<{)`Ia@A&(bA97$(s z`VO(%C}!8UPmXl&)M%Mp4-BxqV5pjj22vWc_zz#x7*gKHrfgcIW*3~Jp5^t2x z8B*pt9-D!Bl~_A^c)$;LcCwLs(LCng)#0qL+qGh#gFOg-{?t$enf5NLE*3xnz~-r` zV21*5yhsu;;X3#^h2}a2W(G|Gs%s}K`Z_2`B@a!8Y*4qq9Vx-HPPQ6Im@b6JevAzm zfs@3L03oyw!}1Kp0z+B{`3>CRMC9cpO(k8vSD?T0Y$KVO=SUEyV zu~lR!y?du9g>rcSq4l=+u}aZ3lmBY{`V52%Rm|PfUVyHQ_6q3VeIo7I7LPT0Bwry- zYOkggch*S$FF8Ot*dEP_-cWqG>U|)(SX%E@({sS8{xO6`NWcZFq;)F0an!1(OPY*Ug@6gi?;aDxPYm(f zdW%XFLqrEP9JuybV4aQGPMMk|hHiPfDYTSezN0kF{Qxjig$HCtJ^(lLhu>mly0^?9 zziqmID}zmI&RfyJs$~y za-bM>o1c2^Bsxoly>ek#30F`aX=)mII$$6Onm^!D`?zT9m|2b|u`56W5f6C)yD#!&a!7&G@{Hk5`husOiXQswR`4pM~DZ$oZ+@`A0`| z);#h+?}o?OBf$m(6=$N(#aq<7ARu(?Vm#2DjbRr4x+X4vBt+)j{^2c2#Jd&$$W34^ zKNsQ}g3i 
z8mn)6onnHcBeixnxY~NwKaJ*VW5Lhe)cZ z_Fz$)S9Kr?6ig(En$Oe>@yVb{yqskV_DOJu(=h6Zh;Fh z14yk)s!S%N#3QGn>Wh_Wpf~c(*FWmCrfQ}jgfrX*2$}Alg`o4~pjG)V>ck zg-qujHD$7@5i4M77i;Nj7%`+6h1=SemoK89|adCBHZmgdRCW{p)!kiR+uo|J-? zsHcXD>;c+=V~v2%j@;RVKgh~kK{tIYq$X~0yKY^>eW=@|L8Kj7i_4t*t(A|ll@GHB zsXyS*bMzz?p6T>6ZFpwghS$}sNql;*N*X2<20>8E-%h6`oR(}f{e*cSEH&OjQN4D@ zSVNmzE{zK3rfCpcB9DFm(rAz+T(fZ)!sfOiye0(mN%QKo?tJ?!dVU{0+H#l-=FwBo zsXJtO%{_WHEJ%<#^I#~I@$=tjmXu2ISnrd<^MUK5P`f_zik$Krh&-#!LJ^ehnLF`? zY~XS63L@`z`KiDc2d3#LAgMCAp4Beua2XnOboMS*4-pGoj)Z{QgIO$_YW~xVDQfMK zCblo<1<)yhU6L^ie={^tuY-9qXvT#{HVZ>M1(-;N*XY|RvW?FBrhQ;DD&o_x{B73F zT=Hi~EzBn*CNMrk20q`~!zG9chq;{8W!2cymE>eJ;chHj3_vnYJ#@40$j42ureaiw z5bE;CR&OE;mDh}pxa5FuSp<^m{3TYKrt2Vxe-)S{E3osZh;_qTZ&HgD$14 zxZAih=K?9&E>gT~AU&BdV;1*{&p*8STB9jW3=XDUxkxx|TpbK#hSzk zEZAmHUhF7B{C{M+ufy}SvJ}9re~H~Mpx65_hWqM7e|Um)k#}HFP3{d|-UeUlMx}RN z9$Tc_lHr)YBCA5p{XhLQ>#GiRm^Q`(DU$V>2?9I%%9CJbg^6fow7xV&3R~c(Yq?WE zA))c?u%T;Q<T>UaeCvPltQfsv{09UHe4>d~_pkwlJE_c>d@+uBaZ!3!wk{tm)xK4 zr>9SqK54Z4MYMW3MxQBmM|$&7Lf&y;mlVvuVj-Q_Cd8OuqE$0*5kk!>b&R&(Hwzd{lZvZ|t_r>uO(==kytym`F zzk4k+V7i7G!98bFuMh^dg`uP35^De)JeOD9o*cX#43KerFdyt72JtaB^R4Lhh52!- zulI>AAb?4Lrg#&9MPlNG3|p>2@dpGxEmLCV=A5|eu%^W?#6GWUuNO!Fm<&;_QJ%>S z?lebq1LSd(b3vD0PrhI_xL(l6IL?-;Y%xv)TeQl~+kq%*3(`R$*k3$jQ84W8K*DjP zR#u5p6WoA@=0roKy9ytIGQMdm@8TaJSH&gxI<3vA)Yfk@`Y+f0 z&V)D(@~J_fG#(Tp`$(7O+ZAL2W^yjt`3y628jz!hhG*auWcu%ARk5M*G;%jWFo=Js z9um4KR7vr`AK*6q@cur3J)fH2k9AXv56(8Y*(m{r(Yqy*+D<_aqog7YW4twk7QN3M zOVDeYbD*fF(8A=+XxRpAcNG_*NT+J1JODtYLRXkUhQWl?>=2jK;3oo##l;F3o=BzN zn|P2AW5*waXORbkPq1jKu~9Qnr#K)8u*L%*0mYdv%{X z>D)DmD>--p>UpHZi0}lqLM4_s)Vzhya->*>x`HC#f6@uV%uW$mfozTxU9YleYeo%# zUvF%PNsSR=(baIt3J&Cd=1ZgR5&Ri{+euH)3x_cKEW)*=Udi2#@K{ht2i$(CYfGPx zYf=NRS%4b&xCp&?F9=AyCHsO=drQALDsF1iHNqmTdISq<d@GZsLo87iFipg}DH6?*p? 
z?)P<*L$M`jl-CHc#IJ;t@2!~jJ;DT_q>f^*!XM*nrjLScd!?Drl;-~+QBiVgQPyBx z8B;${c!b11-5nzXLl{yfvE~Mp%LEL*Rex{9;WYsfaL94-0mth<%?aJ^CVdpP+X~U| zPsxl4oe>kzV^x0rXm*rI+{Cy>BXQ}qnmZ25+x?k?C{9$9Q*lF!)GpIuIC38Q>D(o( zV&_KW;V7vD@lQC-5&@;s;91aMDjZH9H=VB0dR|zrDx7G8Ayt?Onf+oHeg`qz0+^;Y zi}>=LqXj0K%+#u0C??qL&#i$T8SAQ)9&yCqM?7PRGZKMP|_yJwa~ejs>> zKXlkZ1M`?_y7^7RGZ^Zl`HBs_DT^vb7AMlnHenx*TkVX}sO$mx=?=u=r|r6Jz3w*2 z^N6#>uxhsDvt3+Q@FY}ITwb4q`*R4K6C$1LeKzm{7(8}2+q?qSKUs5L*d22#eL(=5G&$CRrY1Db3977ahsV`p5$R35Mv=MK!t)iQDipSSZyYm0&dVQ7%d0o{nV zdZnM^N6^&EKGaCdt7ceaf7m@G|E0URxstXf6Va{b6U^xDA!5AGs6)8e^%eY`gcn{_2V}YWS_V_0KA;{B=iSJ z%hpI^rh^!gbvpC$UHL!N>G`n=xT&ROwg`(b$quQjso&zQ=}JRfr-O9TLp~Vu^M*f+ zj!ampHN5rV*^s!2*|O)b|Zuo`EU(&Xus1_K^0fH(qzJaGVpS5-caC$>Wk!x;Nj z-7hYr7{o-a6k?z`q7lWwFAX!yh^)8Ec9kq`N^1^MH4I?Kod@|Y%K47~2>$Gq<&1tJ zMmwnM-V_(`_KF97WM_jjp@<%M4X3hxm=zsgIP0TEBxL(lnHc30+in@c(!IFAaAmc613HDOe>+b;DU?aM6X$?B zOi~voFZm@12?x8|z$o$;v{x$Tqr~y@8oA>z*aWQ@0YcOnv7Y$3h9vtU(HW%J&3a%O zI1UPJb|h^l-{VhSGjSG4`-9-V$xDvXSGVjXON>b0Ab-|ci!a5?aH#)Lkx%L>O^^sU z_6wdm3T;Y$xV1B56d^`YYjqQA$c_|k*~5A4+VW=Xb${sBv*BbLONkng*aaW>RKz(d z3@`u}kJUheMJpf4)$j{AP)LEa$sKk*eUhA>fZ3hgsY9Gr)3cIxA}rraK__O*pm4z~ zMi_AGtU%$xnR8F-Bp1*##*@Tj%6YGHeaW$Um)yNx=BfOS)PbnWE%Z^T;`CuQ{2Ao7>?gEnU)}yeug>R*;HHDhkvKQ)?v9Y0w9l z)5G&WEf{!Nu}3Z{L6>FVKM-Rr7s4%%TY*jMQD~q%Zb1lM<&=^nYa=GL*~R?HBgV;Y zlpQ*Apeqeb4~Z{7HXO90yl3cbgG9Fcb?HFe)7_=Z9A1&a8T_CIT)SLi9)6Wy5z3*l zl)SkN(k{UHB0Dm6&#bKluM~`%%|;n<3Z$92)a3ZYndg1HX_I%6V1bTWps-msW)$VK z+X-ssH-d_gHgaT^xovDHvk*w>X(hEe-PHwA#5+3X7v9jB5h)bZkY}&qno}R}Q9kJJ zWl#+?J;r|kdlbhfK`lhN4*>IdIK-kgv>ueaiRQw4u zlq@yV4^P`>*B-MAOCI=EaJ4(26<}*fjGvS45$I0SzTJ9>1AYITi@-})z!J-&o@Syr zn{Us0rXSWa#5(s4a)_6$E{HntkiI`*o$p7x`XpOH2i6R1!qwY~u3-n^gmpMAc>;Bq?FahgeAbDeU$3=Mt}9IXe!cZtM188o|O?oVrj-?&LVnmy5qj?E4A3#WjiK?o$}ycqgcR1#t(5k1D%rpLyEATOKS1k{1~Z(L zYwgBDp79Ejq3ZE`XA%JuA6H~GVq!qELc73W&+&9kWBYYkJAWfZS_Ne(1(=JXo5?A! 
zMUvZ)o0%a9`e3$3p@RD;2$K*+CnO5@ZcPmPh3kv9_sFV+Emqm}?#u{Q|Eq+Fw{x)Q zq#ZSjFSG^1j(-|I0pO};#m6Vw0M*+WC}+8iF3do}?nLy_dTMx)>%9`}!T*!t0&{SG zyuZ1Y=1~I6!=i2^6wFG#Nsb$j(cP6QAZQ)w{(o2Pk7bJV*BQ!CMnTKb2N64rQmAAk zHdmruRzZ{*9nX;s^?CU9!6%_)GVEdp8QO7lz@R6yy=LvH!pQIV`!!kh64k0*IehnL zZ%Oxjz*!MNVV$43D=Vb9Px=3ah?Mu?O;@N=RkE=EHc-Tn zTiYeT0M^qG2deI8rQL&4-${#YDnViAI_YK0Noz^}sl|h!iz6S2GN1%j@VkHb>fG6* zIHmF2CNOX27X0Db|BOf^h8I&v2@gtg3Bd)#+$OcxDtsbT_Uy@g22^O?l1)xX?o(JN zV5-6$fRC2me)8x1aJ@qF9jsJpuY#~wxwd5)6{ako!L`c7gR-jb&D*#TQe-?L4rFX4 z>$#E>#0U*b)SDz}?-5|rrh0g5%42@_b``>lLY2aAG57HvilrJBT3}0Nnv{m^GC1kp zT;Nc(9K57cl1qy|uXBZh}}(aPqAZwYJ3n?B0zZ zKTb`q_}k!J2hQ&gL?%W(9NqoIV0+VnH5k7iZ)4ILrE&#NN6vctTbTxMeTl=l%50s? znVx*hBPkcq-iaI@=gM!=P_^?BMv{i#&v1qT=#`}xX@ut3Spy;DgYbJYI*mpVKCq#| zvjFqrsMv^hQbOby zM$vb~7(RnL?gIPB?=~EhG4Iws$-Il#DPo}F`t39$xO^3l;Az*;7=hJb+8aEPXv@($ z!s_2q{*~I1^c6q)VJ<-MK*s;mhBLgu8#|*7eBAKH3f7*bX8<6B+}2HZDccQ0_d=9?WJ|3~9>(h)tY6cN1U>t~ zbK(7@C?)a|{A^x@V%vK4$h?^! z`=s&E=*;2D%Pn12y3YMcwLH)DnN-F}YJt8p!l%u-g1)myV+~dTf(Dfx*nOPa5~<-6 zRjxslY~0`1zne=V&88rrHOML#LT!vEt>!deI_PGXIaDu}p6WEUY>`l6zzvg&YJwt^ zy`vfMFD~Tuehw6i#g7TfLTKZ~ON=pf{73-uL3UB6GV;wKF|EcNi*9@Es;)rL0bE^( zMnofDQKYrzr-?zev!s48&?rm+z68E_0^1(75$QM(eh|GKHqZdfl}!smOVWZUcJDS5 zI$j?uy#agnAfgpsl(j#{1!^?N3asXea6Gg~v92fSjklc~TWinELq+C}jF_57&b7^i zge`3^Aw8AG5Edt5ARPVc`3c21)^V0q}t_-;K%5>P4MN+uZu?Z=p>jQzW3 zMMSDWXW&1>9oA59Da@+y{=08UVR41(7!ypng~~P@U0r|wrNtjJOU<3|;3lE)#QyjD z`~yHCk-1jTh+Q1X^S`*XE)FwhB!zn)o0)n8Vl6)MW8L_H*<&j8A*^Z+oFX&@;5*TN z!Fb1yjwLpKot2M-5@@!*Q@V#h6yaPrba9o+!J6VEGDdb|GlhjTOqTVD1yVtXJ1=Me z-SXTGdEwDt2$L#@`jDVWRYLdy(0<2Cwx%owk7$m&*Cl{FsVq2rrZp}NQF$VG{UVDf zqkp!YD)&jvK=xr9v_gX+ZH?a2gkf~=o|Db+3P)LBr0Q~eB&HG@%`LU?X3R#9cF`}@#Yuiy` z3m_!Wa3rMs`T#S{qb$9^F5C72+-L_2il9r0H8O^&ohh1N5=59?j>d;l{QR<@4C-uk z@&i!AK{1Rn1k!-0Pu~$_f+ESMOBHRZMFIb@oTBYp-2IG3$&Q!yZv*5nKB&IP%ZkMv z51XHAa`zJg(d5iFEss`tLv^?Wb*9GqDZ4<W)pBw_DQHP_td6|`YZk)`)2rl;{h4WPASE1 z*SvYvqlw}Ct}*7)UtJ1K-cS!C?$u^0*3jbc@nua>Ss+l5U{4bv+k9b2IXv)3+a5{I 
z653gm{HFc8CqU8lNammN9;GC|FZ(ySKN$j@0R{*cT6z*#I05bAZM&Ge=Qmdd{Y+B- zjT#?vQ_^1s)To(%uLOU=NGE{-v1Bs)Dbhtm>sgm1BCX+BrPCdh9M~i=^ptEx|3$Q1 zySUAoW`eh?iY-yksE1||u2Jr=O}t9sM$tn{-U$7&;*ag)8 zC;B&NDdQq40&dgCrLM|WmLpq04sXYCP@Z11UbF+aWFj>+Ehhm*C8c{b6}82*HA7cB z>Vo?1L>5c`Lw2nz8%Wy1| z3s>IPX1ld{*s;2dbc?lxjb9IYkaWFfEoGC=L$?J> zv1-<{pVX^eSocPJmwX6S8C#EF2t3fcDB$)lEiR*RVl|4{!~9^;?Njvoys3z{H!YIq z+`KJc2nnr*JEQ-=;&XRpOWHm43)|l))GaXg1iq@#&Rj0hY07Sg;n%} zx|S2(rx8YAQknn=l0MVDeyy;`k!D?I7U|J=13w_Q)Z-r7>M|#eg3ARBSny5^{C%~6 z+Z)O$m3b!!)-uJwjQ`g9Fr?fb=51V4$uK5p=kspaEx|m+RzZA631p9B$Qvjq4SpQ1F>NdIA?*T4r&Kl_Uh*;u9j#PO)uwS zLZpf3#e-z*wtyH*)!oHp{STOs{2sTdMzdXo_DUq>hHy(}Tzu4UXD;MrH5*fT9nPOm<6rbbbBZk7f>Zz_tY5A`Ddo1G^+ z3{anNt#~WDD9#l}U-y^}>3iZqmAuO11{Yyp5_mcsWO`O6Z{GB6>Qxh{K6r_EfELY3 zBlorfXlL?pB_uPq(gCqf{YwvP_=0D0TgV~}5xHPn)SMb3)U;e)l>Peh!}pv<82l}@ z)kM_Tzkk2m^W~46v-DJW&G@@Ql+p2#4adR(9=4t?S_;?OpmcR9om>-#x{Jbo@UEo>tAU^3hZBS4;u^TdFSq=Q0hP)>zBFPY zrS-Y=@PDK=?*BbeIB$4OoV2r1CvIer-0@y3A30O52@=Smqqq_XRH{ILs!wa@-s?%6 zfi(JgGbwKa2FIbi@g`w%w%vhIu9=7q9X;LmV%YIn5C zPJ(HDRtL2Vt>A2Bi6H{VpQHXh!_3ZI%f&A--TfLzhyIyJY@wdK((6aLMi=DeMqT`swo!2geW<`JIqp*y*WP`j3aZ?F+;m)y%)nVeRS^NRswQS=rP{e?qossm+9Hd0 zvRdYHU}|@yhQqDtXUh18Q6L+#MwJV&^}poGMH^5qn`^{YG{JeKjY6#GMuQYI82FtG z*KexPYfNNPF*-1!7MugaA)q^=nl`y4Ra{bscv0jEDq`Wv+|`b)NLli<3B*moOdn(* zB#f`;;ZXO73i$QO$snzS<$cCBsHnGdi_0RT1JfYny35J0pZT2NJ(YnVOl^_fag)&k zow!xl_Gba%7tdtDv5tUOT+F`mLGcYU%O;LEg1$$(XzUs2=d^Ti023%37W1k1vp1Vw z>i0OFz@M!I>H?Hs(0ZLLROQc}yaPkHAm}7<<#>tKGa~IElsqrPX(h(=T<2s`D(8xE zcwQ)ThA;0&f%zXBWAUo|VEiDfyOD-pR4!0A+JWix;?tgts@vv?mFD`g-C zo8V(Y=DBVF1<3Y*>s25Eq`6Zja?gsU^PycL>(ukfAWZ)LYVfRQx%PUVCT}Jk{K-S> zpkHjQQwELn)AG-`1XK?v{)*4r*DHkaAzQ|zYQy*>$sbG(*$wXSjt4^?FatL~$JtOC zw2g%>Spnx(G`(Q9JNQbeo72=TYqO+~19&`QjM}@Y08pY~Buv(Rpl6Ov0#)SWC||Nm zgg%+6L~l&3d-&&F6e72{r({?w7I7{S3L^n!Dx&<_w2J8Qh~qosc#xVvZPVjvjYj_c z33mKUnz-_QoW-pXtIWyO;-hlBvukO_&cme9g~uX@u!u9xdZTUAhiF!@3K(^1u2D{z z6nRonemRFyLweJ|=vv(!mb~Tj+heZVooWFF(M@;{;jsA>3uw+5WtpF3sN^7NT*=7C 
z7ptal0wC+@(VxVP19Ux@`#*lP`%xkj6uupgKJK2&3^sXS;shgXraCvBH!l+b>wvgi z;wok;4hues#F&sTZ>L@a-3Ww$Z4gJU9mzv)}vBmf979aOayV z#TBXIVL{s2pRh=}F}HXG`a2a3r3DATfkUKapU!UNj8;CfjG5mJ8d)laHnyr_ZPMC` zg3Y_h)xs=+y7o3c62e^5RuvZui_Ny^mIXqoj<1Ul5vPY&utOyjia9#|2cg|Np;D*U zLM`fl_<4^;Uzcguq>=yVL@=8I4H>u?y|PaX<>dM+uQHx=dVgn}esjgML zyApH~KZiJzhNacWJRy1-{pLc)k2h~p-Gk$tX)Y-LH6Ljj58hD5kpk(R0lzB~)vLI_-$2#=uj@DdbOj^3pX z<&x~XA!D86DAVRBk&5pTTHR$+g@NTDSkI23s055imemXPx_(OoDXkbYBOiKpddcW5v8To zMy|Y-k#J|&?k^oA$CiW*8;hcM*2pzV4PI=0%2UL2t4f`|9tRJ0h)Cc!h5HYv*C$)i zuOX-w((_Vkwc+1cK7hliS=_}qi|IrkZfoOC&pK-ixVJ)JaD9ESb3hp7&az zUS`#J5(T~OVUolJL)^}4GV1JUO7b!qaJLpMh9DUy9=cigsn^ z%In5QTyj7+tb$2(eiE_GLH7@bwMle~b?q>=2u{6@GmDuZd24jv9hn&N<-!GX%Y~@? zPV{>haA~rPQ`+8_F4wHMyYV8z9Y_I-P%DjWA4rS;=zLwF5ZpFZH9vP%;a^~u{Rs%1 zrC~T2Bvj2I8J)uIa@#>}Q4RS3y1zCN6N(d*3iSe(s^|8(T$phNQdEb^;e?)5?sKej z)ax7vOaLtIKH~}j+y{w;O{OZtwqCz!n0_LDOPFbv(@2-~P>{16)2O)guOy)+;W2&9>s%BSuTiLAbPp)q+-Q)JeAriC8i7;5*F zAH`Em-J-XxK~9@(0j2GlOOm7a3mM;1zKfvb>dvBZK=9F#ds=)Mk|Vgw_OAYRe&ah; zJIP%nNPW;{?6`B`D2a4Tv$!y|?Tq2x0V_(}V6QX1vxv+*hQ@rZ+bNf&t~>ujlMpM) z&7dh0f#NR>l28V3)=q41s0AUpevv?poNY{%K#@f#`A&Fz@hV%GGGh;BZ#OCztgMi) zI)|JU_+RvLTiHG~wfdjJV6ese@AqSwW-j$lz!*uop}RX7->S&C{r1?Hj(Ie1ai|k} zw>#%?`(XZ(wENzXw&i%ePcDpu&^@04!mfB0bTS`>5A4 zB=fuZq5Bg)qwV=Gyn0d;L^gp}RdJ=7i&Dj$tYE_10QkXMGeie}_aR&wZZpiS!qwIR zHeg{8bM?}0K_UP8}Uwt zF@y=#OFOXI0LrVXgi8Y2upKw)8M}=ukK}x-XBR213SbS8=JPEGQy5zMUM$^UzXmN3 zV~PSCLb8Ubd<{SgscN!jT5L&XX7h}MUx#&Rcgh-hZ6M%gWZeUs`|B;$QtKT?kckGI zFc(iYna>4jLO9{Dqzk7-Bm zbf@R8FdTg&x*-@)T>YisXZBsS9AM!KC4N-I_n_HXTcsD!2s4QV!FrTPr%JWGu){uNhpOui;%gwsZelaZow`J6#WZ2=<*o(`428MOv4qD>cRlo=dEQ?tJx!deRUtPPMYM@g9j&Vx_h3cBEm(R1&7q-k3Nrfj6%Y)g&9-zG*$-WE z&C_*%y|&WJDwMKfysylz!Rq}`-~K0|?%j$jr*+|jfb2`$)r=fTAR|%zuea&57xxf;ILBk*_Z~LsZt@yr%t~<n zP0A-Nr~j56{*-6sg~fg0Ci$UUOuH~JECft)L4FjD703iZ$prT6gR|*9ddeYc%Av7* zxE~=P8BkaQE#;Q@v(6cb_`P#&-6u7i>52Y zT5!RKX%=4isPEOg+J@paq7+QV{cLfNAxXSkTiX_Mh+RapFAtJ7^VMb!c)G|peTIrs zn6=HW2h`1rm%+D2-mHXs54R1@fnCW*JIySW?u;c&Y>#@=uRVWIk~2;AnkECdOk(G7 
zC-^f9Jd{{+*Ef#}jWVMlT7VZrf(J^&;2cXcZGvSIT0mb#0NsRV`g{cY!69~@l0`mc10r=m z;_ZB;KgefrMr2Ep^fT0#oh8{F;}GI~X}$v&$K6!D&9?IV!X%Q>{z!W8SwU~&umzi| z_#jEJAX4_ABjjK$Y1dA%;o(oYoFvtAALD=%-Q0KtO(Q*No|WLfZb(-yAU6Pehjvlm zH_TIwRO&_J-EA#@B^1Fky(ZnlTzt2({ld2Tc85ghYF(@XzEyTy_?6_Wv#gfjyZWpd zv03cT&?CsKpl82%|8t4vf$X9Q#~D@fz&{*LhUkEzr=2R{;ax)IWai=$bix$x3{ub! z)50@r=izsW0nZ8xvW!63E4B0BcjhZy?1#~O*Z{ze!>CGQQcbl;r&-)`ni1zF<~j59 z%Bi@D#*X7tG(Asy1-`^6AMP~Who8`j?6rpJ+bSes%9S1A5ir$PFJOJOwsAC8ajuyi~;%rzAhQAzbp&}5@nkei0 zu6u`i*Iu|ah~q7rYvbfK@sYfH=5{1`*VB!S7sF>`8B1sEq7-nBqac!4>PietFO%QT zp29EPj`ZQlr!@-W65ufkE*nf5!K;tAXC*6uhW*b@6>rmPDB$b|kUye*{#cVK=u%)k zXGCRcPESTe5&~9({rd~A=c-=dK$@tsZ1T%*|1X>hO0wn;54wG$GUZ!s_Klu3tDR{! zC7nLaGaytF_9CgwQpuPC?1bRZ1PtjrzTjV67M2}0o{^Znyv{BVC;dHRqy#;$>dSw; zxKTw|t6oAERIncJv{Vqh%@$TLk@IM#tp1vnaiwU4n{6B(O88TFNcc^_y!=rtUD^;- zppyqgo!0R?z6lM~w^`#M_lA=`)_u8Ya~{ zMd%+I+^nr-Ux*r~ZKR%;Ql+t31x2X%EdxEj9FYSK z5?ZrgV@ZFghxo~?uTV&nGMb@gG-0{F-}smrazm?#K)Hs$6dy}CxzH3OL=WGFC}CX7 z!H*aX#rrF0*N^vd_vz7ldNY>BPui}kD)+qG7_zXT%Qh6kR$wE>)XrW0b(T$T^>){% z{-Ms-1ZQ|a#R6mF%iS`$39l_)&~1SRTiHT^!=OFl{tLG*BwG_EN(ZEN1$J*B()2ov zT{Ep?fnb0@0b1VMuf{|`&GpN1V^fl+pQrQBB2;xpyR+-^6Fg%eCuKvdd{%^i3#6H7 zP7K6JJXVmo)*egPvPw5=sthJx@Ju1# zv~(!X1Lx66g$YI!DqUsHyTQb$gFrPis{Ax)rx0rR8*lz6-=Z1p5gU^Im)gqXlVY2ZZ1l1dtds}_(In{S%II>%0HpOvjFqrsMo3wJ(JXEH8V0*f=EhK z&J-ftaf@_e!>yQGto#TO`*|3&8IAjQOJpxGsIW{S&ySO!5rZBO3Y;6gXS+C+e7m=F z#?dri5d?gQ%Q*6A!P+kM68{bo79T3HnuxYF-tV3L`_`AMRd}24%O~(mC*V>hvjk3}4n} zlLdh2my%z0-H*E@e_9c-chGX#v$vW<)L}UnVCL<&lTRyw=hU`v=8-FES7$`>|FezC zXO!L1Su#aPOQ69;sGBZ96%a!3r8mvf^ds;m{AH-m*pwKUic#hY3ik2;d?g;P;?xCH z!92K}JLkr+^e)xXj+xQ&%?2mDm`6FPl4oY*1=yr(}up{lF$}Y3F<3> zqdQIC;B>wOXTj~$@XMtHEwxG?uAJyj*edh}8$Rx{gfMqZ;ybX`;ClZ6(~7c5u1ub6 zen;>4k0hdW5Vn08XU{!YTD@YFuV&CB^T1d8pGS=m>ri+A;dX}7R@_6RyBzf|z1vJj zzk*5kM=7_0nuxrdKC(D8E6`pO%87ACe9j-HE0_pw>&ant^v5*`Jd}~AIV}U~1`UH| z<0|UzzfRXUMJZ-eu3rn;hIU^;cj?n1KZY-M?L}8UCbv5IIgZFq$InTkZ!3RMON3;; zk#YYpSg=+Tco~?+%Yw3{P2}sKiojbMp!r+lyLP`03O@TNBhKw9_HUG6^BE7CQta-1 
ze&z@`VXn=lVr58?+xbrzA+TpiJ=>t5UOZ}DFVFlvRdLy#Hs7WP>IAeS^6B%_3+LYN%JK7iQu~G+;aVPdZ1~g9$ z%@0D`o7;uK@V&*>c;cRhEuw}Im$kT2HHniW$+hfhb`FxJZr0Q;*RnX^u)DykGnNp7 zKc(IMuma~Va4^Q@B`!P1Z?9feW9!~Z0%e^hj%02+3#;b)8z8kgdNBqmwGuK=7>1=7 zQH;FeanU$kT_(P|*_rGfNRIcEq9vj{1)+(*buLFtV2{nIbC|W{(OP_tCZz2Kp-;@4 zb=VBkYPP$Nzy*E$bi-?V&IBF_GTIWcPx;m&zQUb-YJ80W-O4@qPP>@B@FM$@6;S(M z;Z(Po{(o=%6mx06;5}Zwf0CT2S*z@gLc=nW`<9j#=W;8g-Vh*#3b8X|lpW2j`a+VS zR|C&2DPGp$@iv=K|F@R+PtO|S0S89B2*{Ph;4bO!keAr75UPFIVq|STe(qI>MgKV*$>_u z0vyzw^wX4I^vSkdo*d%vAU?p8#WCO-S8Png?~Te{!etncCI`HGNSJ_{M$3oBNXvun zde$(=2GHb0H9mon^{^<@qdjy7^o_O50>F1d6P&T#>K?ll5{Z`qn3nNm5LTq_pkjdN zMA}&Y!+;IRr#`4wbCNan-)a^>|Bn1K16L4nYGc2di=ED^=z?6%S=%NuylTx58P(~y z;qpcB=>7m1`k{QJ8i@wWM;8j7gbaHCNeQ`+pl`7CTFe!je=H6gE)UcMAweMmdC|5b zFD2M_^DZlFh_F8L(b5j-Q$Kj*vE7A>S|M{IK&_m;N6*1rmKwd!HDRYEm= z1)`whG)N|wPJj!;d`S)om2ehq=NM>gox^hlRL15Ylj0#c6tBV7lfH8fWshfjes@w(^<~|7k>58uXJ7UuTqhitn7vg z*NstR!pJBBtnJ{>EyqkJC-FjBmlukm=bDlMc8J2~gaa@vaVhPJys^LnL3}F{rIrF- z!6OPfTysDq zhRrS5up9Y7^dbthkVjt6DM9Q3V9w9on>8^(FDxwFd~yY9U{hvKTb2GbZd7r{Ma0mu z1&@0}acjn=s(g>o7L(a z&|_-43DB&gP|MT1tlnVH7rtTiBcRT7-;!tno-^TSn=^Ha2;rUgyba~c@R&d7Hry&{ zU|=zod~tqCjlzPH8+G?*5Dtl3L_)V7R0cxP+g1<((Cm>Rls6Tmf)SMyc0;07^HlX$z|ksP z+LStg2Ix812cb){(pK~~)pHAe0C<>2DvksmJ}6kQlVV9`bw{AmXBj-jN7<|oJ8Ug9 zONyWE^|#=~Zx^YU2YcQ#n%lg%Xw6aUjCr(|*Fuyjr$yil{DR+?aHr7R%e}ckA)nWi z?+$u~0M=3Ew45%oKaz8Vww7f-DZg&syfkYRcEvaEv*=cWX&E^4jJ3?aB-+x2)MP&^ z_JARv<1GE#&c#jwWU0Pj^P8)Kex@mZ#*GiTDd{hRYABv0)`vIEOVF)|K@Z)P5r6D@ z)>J;kxn|PztG}!>7>i$d7KO=x-vzoyXOC}OUL2Ez_sAEcDwASl))H8X;nULqA;=bRIg!@T{I2qrVj}VgBF@wKmRAt#O#9 z&@qPxV4JL*M;AZ6<}8&?)5oQ*%2t*mTR;wP$8k`eUb9}b1Gr=%v%@Ll5qlbvcEz}n zGm|ntw(Z~B=Z$U`N>?1%0coFfw0+x_tubT|OPu2$9;6faR6fMn&G-Q}?PAFh^D>~S zq2imLGKaI&vU$w|v*l5r*6s0diQyVj&!zktS znS5HvQ;{Cn(-1a-`n)AgS1L2J;>#?+co6;dAV%_1gel{VjZ{51V|<4969U{G|exG-hPlASv2j`?)Uv1<-^5Azf7yJ$IT_qq;`51hLp-#G(XsiA@(n)ZfjL3!tuCpUiTeamM>+s*0Y4X2Xc!J~1DL6#cFpR{srbZVpHN1T|hQ z3~A95#g!ygW(FNTv-fqS=Wlg=Joyabkk!aI!$+G%qsJ}rDq!l(GjUCZerKja0)ep} 
zX~FLl40r5sm9L()Q8!DGo-KhNZnEPQov-*vJU8Irop$roQeIc#ww^{2M{%7URgW%C zADeiimiXXsvBPpoLjGZDzD-iK3>A!NAByY3SQaW<`Amx=D2mR-@ruf9)@;hNQP1%B z8Y#jq$mm8tws?#nisd(;3D2PR1jt6xa>Y4#DRb^{b7oYkqLp})o%=fYmf`x5E1=6Q zh{AL<5s3NeW?Sv|mfan=H;Xmc18|L4E*oW9vM^C^MYhp*b$$bUKdp?RoDtLI2A#SZ zv$*nM9Y7%_k4l1C6=lDF=XfMtA4c_RFq>XI44WB0B3D=?E8r9hxVw2q}pk>~O=Q#QyqVPZ6f#&-g$k)}=9kcX6Rv^O~ z2%n7d{1d;hitrz9AqJBB zq$>T5TZwWvpM3dUwbxBPOx#iVz&dQ$gX{@UBytP8%M)jFb22JejEM3WNRyL0U|km%Q4C41>Mso1E%Z3 zC0Uez2fW)dT6O|<`TxK*`hKG^8#@9j|H=wrsR~;*kq4woPm9QoVFrolk>Uf{*iN6E z6W{Lti5)wAH3V;lO8^uYC}}cptx;l#7m`R)uptJh93%Aj8KPu_nM^rUjnvs!c)$I$_da>>i zUj3?mt>9Zv7{J)-d=l-yFOnho(Dk)+C8_V$Yyps)Emq)TJ~R481`q&N5EsI^fdBvi00000eS%v9Z2$lO0001$9ZRSH 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp deleted file mode 100644 index c3ed723160de7dfdd18d33b184afd415841a5121..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 17218 zcmY&=V~{35ukP43cWm3Xxns|cZQHhO+qUhQ9oshFyXV%u=X~c!SAHecNxGlvCrP!k zl(;yz2oR9En6RRnBBurn5D*a3ztsf-qyP*gB&#Sn0t^HM951rjTETbQX0v&51*nUj zR5RI(*8OowT&&gEkh0k1B{}qA@H{;6-TiJL35?kkk1e-c>LFZRbS$LJaZk>fwT8Se zce*3^f&>is{inFsFr}cGL0Y(%SF4N{Rq+*NrC>t+3d^JAH7q$5efoi>!N=@+t^40f zHAsY+513s5jpiqkWSNb#>2R5qAwK}{2L!LQzL{&f`?76%*=3fe4@Dut?($_O(xP0o zE9g%Upgu+}#E}f$amJA@$5Di&t>b7iJQLq&b?D?oUW_F21l?w%a-*;?r_1-`?ljok z7bo+VWCH=8js7u|<~?lUD+bNd3{fGvI%JfI;|RE;rX$t8BU3_I`;mQdW{vS`PW80= z%mFd_JC&ou>a=h|?s^Z>KaYucR?=23A&~ictM$BwZ(do|XP7(UB%Y(T{b&OL%|gP2yOEw!a@DMoqL5h{6&hDR1Ze*PW&JZO zofmPoNukC~<9e$f1lSXJL;UCJe~Wp_nh=Q;Nho?~pnv%#lotX5ntuh#0jBN-Q3U3< zVNH=FB_SpvZHip?hmSC`{Q`S?6hxRu%tzdV-g!X0@7r@zoavMQzV&phdOd&P7wV1x z@O*L{rOn2D>|XcO1H7JrzRfQ1Pk5fQUaEGQe$=lZy8wcSm%BTDfKNWa?u*(_$Is9@ z%bUQP0N`iY@4nCe=a*k6VE23EB?bVfK0Oe)B#7@d5#agR{7(8pe4o4WP5WVa(BJ55 z{#o90kaD6nsTpaU2OW0>S_@KOF0J5BmFk1bmoZZO;tP0^586egr>CKOCQ7 zM--)Vp9F_pxvUJ2`qu)ZULYT3kNVI0y8<-dV1V$Sstbl=z_Q;W!1K%Z6X-|mYx8UE zb#5Xq8nEuJ@}2gL_+|Gb0Hi-5PzGrHIsCDEnL6ir>-+3G1g!X8cqx88eo1`K-TPhr z2m#UnYJjxw*KdN}FaW?oza0PoTzQlJtp1aQs+Fl5fdHNv%bxH1_5qi^-{>ev##bRzy_SO>4+YR_juETC}i*4yY z-AkYB2z|X8<#!^PTII^Pjnuyh@KaHMwK3Xg*Fjv%&p6I{34vL-(&f3L=p3EEb)0zK z9%a=vy=tk6?}yh< z#vws+p(aTzlVf@HJ4I;@Rk@Ce3Z_Yrlapp*s`fR7gz>tAc(};h9M(+cO3@6XBr#@9 zIQZW31CrchfSi@7!&SO7rDyIx0BpDT#5YkV7Rkkh&*WR~?!=6({+WUXIyAHp}bfkpA>a7!_&|<{cfFt_# znyikgviTsVa4~R2WKPlWuJY?Dcgq1@I7CqH8`j$j%gh3R*eydyg^ya+-cU=E%kf$z 
z@jY9HBEBowR?dCTzx!p^KYyJ-U9$8M$qgr_BhS;iUG=kbqo~k7~Z&jU#h6%7A2X# zrFoZYhQRpBBr);KrjGvp7}3PwbM~*1hcgx6&x7?`ij!c|!F)5!n$ki8l848^a_M#w zd9sPP=_rG<*$LpTUShCjXVxw(7S<>+jk&5iax|=m5~jN}0?aW`SOVRHo}9qvG&3lA$xST=-wU=(4wpkdPqy^Y{=&8SQHLoK%UzPQ`Eooe0Y4HVh%XU*)g zC5#UudPsIT7dcQp>G3!7V8`$5S91YFqxg)0u<_7yZAkKyJCA^XhAOBD;d8EP)q?!) z%1!9uO9eeqwL+?*m8Ul-#iaVXWT2!AZ1wT$JywaxCzrfY*8GpiUH7@{Jvajrl4V-0 zXi@0lBi22fQ13l+9-KB?TILVaS9*&UX`hhzhr9z=O_j%?K$dkWBnNx|oeGZ7Glx8} z;Q^M`v83XjU_O2rP_7u(+35N(_9KV`K_7CrYfET&3Fg{}a?%V}vv_|l*H01=bilcs z?^@$NVWoVC<(#ZjR4Ma?71qb0y|Urjn=pn8bPQamSwh?(hBq1B2;;g(p)WZSiqa0t z%f!86-MRMw*?m)(a%nd`maDmG=UqSOAERB9<7qK$pNBX?zcY<1FwM5C&I@yT<@k7C zwU_yP6LT1o=f$K-m7IxJL4y`v3yc=34MvV`pH9S!0ztJS^OV(9M%#}wNOkqZn~dPVSER5bAR6ZRmK~8aShL`VgY}BtKJ|^EB+Ula$#Og z)<1z_ze2G(1WxdH)`w0i7={DBZHD1DEcfIK%s&3zy!TAg?jmv0%slxx=)&GEZch~RQNXUAGz?aS1 zdsglQytZ=cAvf$xfVA32AdvKQ=mHw5saLz!OSp!%2lNB5Is*a{@%zOFcm+OrJ4f7d#UEAc@CZ0y2j0et6&y(mJ>9UY)b!}$WMgNf2ED?-Vu`f@n+z~(?#6xDKm75C2V-JpC$@>I zku9(%1KdD;q{_nHQCRTx&t11E;AvJ^SRsv=&9Jx@WPg?S?W+NU1Orr8kl16{+!eZR zUu)6C`X;f*w*3kqDgO%bg2)D^qP%+LVk`@Hl{mKr(#W4wMv^kOr%uHEm~|F4q8yvd z_m*Nw#WK|QK-BzI^NIj&EHJemvyyTa;_mbm#?_77F7VibZ_N%W5xXVDBU*Qk!$d-W zSZ)$Z<#fvayRb6KS56oG(o4_NMaX*Tnh&_$g6k$66t&b)ExY1op_-}@7wr$dh!f~& z_z8Vi%oqgc_g`u%tnM;l+}C#4a;(r{?o;8jaRvecv305W&1h75MiZW0?Bry&tDG=t zhy*1`-|SmAc=5ismDPlQCTW(Rh(fb$855UXFf|z{CpaRO&9H-vn!ZQ|TNl3OQ*ych zJx|6qeX0P7emRxlt+vL$0D*$0pqR1|Px7Yha^k^eL7XEhSrEwwYCaymX z4;{Xy!Pgn=H#1`gAB6RT$+y z=cejoSMoy6nOCav-C$6kJx>2R&SOO6{%(b_ujSBtEfY5bCuWxbaFoj&n6x!k z+DF1l3~^9r_voB}@2Sz1-)#o$c;;$94zpMlE56+shc=@C2E8wF*0O_Tb}oLO{$^== zf!~p}i^MTCZst@&`yiKH=@&UB0`kC?_BipbRqSs$jrxVrs zQ*6b)upN9r90sa6!l71^fzZI)a_4RgPlY13$lV7DZMVs2KEeXU>r%-;p^SBVEk~Y& z09?`|k6)myzi@ARg8lMJp2b<91x2^+PQ&*BH%#gPe7jJZ&yPSg;GESX>C|#zR zlT8K0oA0wnMgr=Mhr$ICvJwm}>Y&u>vBs1J%1m9$tpzogaY;&!z?Sqjg`BKG2Xvl? 
zs}!Jn)r}f69zGD5+C#&6p{B!>cv-om+TdlKpX?>5vWHu7OjPAb)24%`Yq>0?=uvYw zqg5xM_ggO}J0*Nn-WM!lxTCMAbeM#ISYgRBDox=56G?!zwciN3%9oedKU7~s!3}=n z81$hxk&M|s{JHH8NLf*J(p_jsr6xmId42pSpI8n@5v*Za;~*AHYBj`si)FQNC`s(B zrpV(3UxM8QyRJ$|><26R9y=05>X^ciaAycunv8_J_QTOQxBDzn*FFM8Lm2Fpqv8oQ znlOPJmdByKGvFa&l9F1E8qwbTuISc0@o8@NJznYFL8xB1Ia-&?Q-&TZ5nL= zxKx8wP4TBx+V+=v8y~wXLVt{)yEG-zW*qC!%q-k)hF)63D~5=-8^ll5SIcyNuJkEM z$2=WE8|;<`O$>?Qcf(DP$6DoS;%tOY@a=?+T8q&j7D&|{ShwPTFQpHB z#m2o^myi=e)uc0(zO_{^2<~}Wfq{w@lDUKBXH4s47WEji`=aphn(?mWQb{jNvhL2a z0VVbM_FoZv4sRmL#5fY`A$n%`Hx?V)Fop&89m`V4G#Zb$#Q6Gvy9CC&w|<$}?(q8B za?<%Z@>1)yxJ!C#I2IC3OxdCXaQzg3n+j#D`Rv}Fod8D_c4LOqnp^Bm#4;OIhks45 z3lUG*-AAU}W+A4;u6IWyl|0ZB+e3A9LSW9|(@i&K6oi6B@ss+~svy28XnGjNc}3e^le0w1ua8KUDSVLkG;f_UJdF=y-G|jw})0#XasjUp`t{8 z9}bO$R(mlo*@}c+B0OZ=E5mM!%ht}sU5`Y3hzRKng~Ks@U)>;FS6%5HAr2dDcWm*N+0@5zNR>~J1u2ESjb+JY!ovXshBtu$h)491BhGiG@ zzzPck%AW`h^FrIN4#F}N7IEN_oC9uC_K~ouz)joF7*wA{El*T5K9EZoa)gh$2pv^7 z!wr-@7c*o8uko&8v+MV}#_|Dn1N3qopMPy?D%R2zb;QQHn+|BxEW~LgmP}ddcX%xH z3_gXPNYZ>F;r#q;1ga7X^)x-(JyQ;;#>RuAc?IZE@-r^ep6X7 zAXmgRjsp8X3DCD=BI-Ap8o^**AjNd^_vS!A-txrJzJvn5fi9EONVKw?;#zAn78lt{ zWzK+H15sl3{j2FLD-RjtCV{+Zl?-1{7~%AQ3^GVrWAOGag~=rEe&=lcrr17UPp_Ph z4b&~lpba^aM$jf>0~Wy%Ej?*>>%D@C6<>ed`^v9aPI=_6SDSEq zh$nT*j)-Y$=0m%NI{&e*hzge;G*GFu&j$y&jO*1>5!u)ouS$z7etOQWi%0W|pl1|U zy?Rs^^&UOBwB$Y{&wyPq@>tzJ;h?_N*phmpT^j}`fn&XEPB&5&1;sv->*10vFLouONDhcn0l z#%r<7Irb9lAhB6lU5wnSr7|FBOVeF<8ZSRi-da^D$)2f~U8jVTAN=alJ+0NW65x2p<`|5OrGk}-s08mgNq^Ac?f?; z{*GSSm%|@mQV*K%kAfPYog9Y70T2T7e|XEYqvD9EJf{*S;C=;`ld&}{HnJb-jSi6F z?Y7}dP%Z|f?gpR2Lq)3!ZXB9`f}B6lE4-!Kro?V_i;AFCb7AUI=YfJ+T*HG&lFe2-t#Mq`Z#jvw;<}I6Y`|w+E$C*QP<7dqB&87sW*U@#$y*)#Hue zd(uTX;_LLiY9}qu%OJGd=b-$mNS(uEN!X#h zY_KG$;as zVS@PJYLoWIO`*8vUFkM|WjC?R9mriSOzMcsuf)`Y<@soX-*obEy?X|vv|f@qYa5HB7NR8* z8d`H0$bR7BCLQ02>j}^R4W3`Pb?tMy$X(){W$^tRwq~MQV zd>s5(qSBrlL-0g{v(34VwS?@C+9Sg7WiQFVWv}atV-@8T;XhJ$MRo0od9~mo9R*wY zx;~B?kX#*S9#*cC)&!+$T~n=*b&bRN548XbA&maA9;Q*GbqCetiJAHs>VZds%<25f 
zRr%o2P}h_qC#hmSuO!5-PY^U_a+k>54~m$_lLaYj<=Rk$JD}7v@?#4$@7aQ{Co{Uy z`WrFyqh=R}!yQ{1D86Rw7TG!-i^Nm8BsHzqOtyabxZPo;8980yFk4C16_0lmxy`Uz zE8-+CNRoX!!@578+tzrBh_m_8GU8PK((F1oRcV5FNhV-S>0vURzU?RT_#|Vjvw07@ z32iURtN!tFV&K=;0aID7)9l2iGK~o%ot}qSMEY0_A0Yn-j^(*&48{z9WOxg2i4G-U zAUTlEGL7F{)J|-`bE@C1{wq}1nqyJeU|RAxzXj$D&wGR)|z#^zaV$uhkGE7TkmzBefO=`);#T7TLurBGT*2dMAkvO|P&-LbI zCd*n=L@wp~rvrq9yG`I{;pw^OvfNa8*Pgfz?AJOO0jax2{7~hZ9UueQSu4jZpW)0mI>;JSH)_9Z7)O%UfZV*5KK zkkij9d#U%iV#=GUGYFf->(i>*ak0a;^WXPm3`&1g>anj)3|EhvZ?uKLiMAIW>^Dj3AXUh+tySi5lP1up` zu4^r6m2I=dI9}&iJQ&RQdpK=NTLffz>QW60vP}lbGK4hd&MhTW5nD62wGWCGd+96KW@Y0mX6HZi- z=h2rE-hqo;Wh9E|v?CBkX2|EKmjaUH=jFKH>hS%E1;2cat$k*IgraHfU@Gy`tzew} zuIt*ZJ&nl@j$RV|G@*eWh3}_-mn2pWQ)l6xj@pJkw)e*EfBISW1+aaeezZ@3ii7fVAK$AK5p@pt;W#_bhWZ^`J7 zA1hGtCvr+YjDm$aW)Ym}M1i2xKSBx&W=wZKFRbh%x8WE_Vh_i@bxD!iz@R#v37{;#xa|wgf{!-jJ=%Z23;6-ew-|(I@N<<*?K`s z?GAH!g{BBH;?V`%75dFaOtV!T{hZr@H;l<_VxF|%=t!lLAfipHd-E;c*OYlNp)GIX zpo?Y@>AYT99p!TYiV5flT%F$&;LHfb5OH->^ks5vH{ccBXveNQ2+&V(98a8PM3vmB z@Szel`^E1_XXPL%VOc;*on_59TY_ZZK%T%`!EM=wePP5w!j&*|GFoVY{b~Qw9)A;^ zG0IHr#c^czE`Tkq6yuq81pPI0tuX7aFB(eMQ(MS7;I!r-Awl^=-|a@BJU22luTBh& zy=Tm61jV;rNkoKsYdzEEgATc%II0KHdXI|nd-lVPoles&(rXy32roC+E7;Z>r}og8 znhLE>%_xiJk1=VNB;%1RErqRZ;cgtkF=UMTt~JRgC1i{f>T|x@cYrguD_jfB0sKn+ zrmRW{_A=ZAT*=`QyUa`szQLaA+;@R};~1S|y4>$%sKYiRdrMv_K}s6|H$IfO4j|h| z-%H3W^Gecp_ai`0mqH;G1BzLsaa=y42@K!VML&OsZu0ord{mybzkmDt+O#HzRJ_H# z6Nw3!HifZ_=`nd<`Onr>yeBe+$Y@;F(akRE%xp&m`TKU_I>r(gAI9fpR0Mi_AL4y> zZVvk8vR*4?z@F@J6`N&xJ|&3cl=Ah}OkAyhz~fq5zYK#1oVl`|Edhfy({kLpNcC`w z58+8M7K7ZnTv(fcIaqkhvdU@lj{>qj^D`ruHwaq{_g|6)(jT71#PQ3icwB`)I$E|X zWimPrPYlD_EmOLzgERm7%^m*e$+x7>b?(%Um4qBW+oH*JRWPE=ZflX6On|)R#HHV` zOZO8(e9=XST2S=qMrQ?F-e4udO7e;W0*jx4(uRA=pAwRKj}}-$$T?l#whcFGAT>Xy z+UJ^fa0iaavzBG)^TP=N>?^F@uDaQGtBOTy`NRW-lr4c=MO#7`NUFj2_!=A@z6cuug}=vTkrR`9%~Vf zd_ib!D~>c24JXiWeW0e)fYtB{k-MvRlOyHo*Xn*8WXg3$j;mls-|s@}M+Q`mcH=f( z>uBaR{ZiI?Q3q2033?=AY{PJv(f1KhiJZNG}zb525;K)VCf%;&*Ol~lE 
zFS%^YZ%U;uRjPoMa-Ek135xrL^9i`i1@1%P-4-QkV~BkGsl?|OA~{k8#<26__ezUjI%Sp4zDj7sJjLZYPm< z%kFqejJa>bY3$b?9<;e)osGJ>84mpB;ZmtbXQmL`g4^LVZC)q5Qq?Rx$E7PScQ`uuxjV9I=-zF#K6tUrjxPWFTtNOIQhZWjGLPyR^+hABu;TP_)_LWwV3Moj27A|bEl#Skv(W>vS= z1lf(IHDM4z-eMl5cJ<}s?V3QMD3t;+(_1h{>=(zVw^u>JIUttAj3;Cy^etn0C@v;1 z4LOZXX=9x#o2PM^%2fljgcL1UIHJE@HulLMxxW(tAa%{%Y#Y@Gu+cS$J}&(vj!rnl zz5ldY&bxZm+66vcUi%9!wM6Ma^em)XPSv%qpmXvXV%i!t!Qd_I0*xWEy*;QTpKHR8 ze$@;HhxM@p0SyEQ1)oe$;p>0U_7zqmt;k5<;M;oLe{$ENW=05hQveZ*L8q!JEmHIh z9S&@+M6cp%2rf6%y9mNd^Bh5|b-FVvcm%X) z5NHk-VDH`?z;t%nQc7^2U`1myVFW(JF48b94iZ3y65ks6!%TC z1J4Tex>Hi1Jz=P!Pe%mYj0?9spN|07Cbk{vul*x*h2bRM7CC$k{9+b9h_d&mJU}(f zG@|ssaTEf{VYwd$p{P89EZxk`#Z9MlbX#76zDsrX=zWLXpWP=G=NH#Gy14YHM9h4t z{L7-{_TJovS`XwtPu;(%&rP&#o^_9JA^AKhKd?5OImeRgR!a#hdN@e*WoW9+lg4a$_s;8j&1QK?-iyyTOv%mfo3uhVL`Z1&b&3S~ zc-{Bprn?R*&@&I{b7_-`jPqw@s&?scYoN_rUe~55O!cPn*bF3}Z*`1*u)#UVTVl)1 z?ogr7jO8CoPtW~a%}xulMYp6u#S$7NjP4_SN&_a1jmK2i^ok&vvI>TFSI}!_{ek+I zlu*(yVJ)0^BDcP;{(|mhTx9|6FY>8N@lD$o;tIjxF?v9#d z7M-7by_mzGF~vic(-?+NXb40rPtdR7hGB*0&_sE*o$LKIVthH`#xlpgDb|FkYOsx5 zAhHZ9Lm}9!IA>=v3Sx*#U)tKU1lFV3Or|8cmIhV=fbE`2rD;P^GE~D;Pes5#XsSJ& zvT~h5esHUIokBVBw#x*z;o$(ydUQ}#ahoG0;w`34lu^{2S11zpTtZ(071O(J zIwBHU8&*b*#9$!F#$5Sr^;AO!PfU^w;M0=W=_>xrSO!sq<4%E_Af&*vd;V1nnigZi zye-@Qu#9a#T!^tk4?BkXd)rqC_SxJ>9Loowm==V|(%?7AZ8jIG4HFv6!jx>V^h8_% zAn2*Sd2>8|S-KX?cIShrFk5V(zl+1|(efgt|K#_mIpgX>471W!qTTYhJ%>LYWyGic zE{_f|*jH3j{S=UsV$fOs_yxMuZV9Hxf1;%<9$J}`fqUv=@0%Q1H5fr|i)9S^fKKqZ z#fm#pigMv09_s6Hr}=fpgQ!oI#rsSNmc~vD^tpj8I=c2^9;e13%uR=#fWR}t8Kb!= z72};Yj9o1hXmF`7-dFYx91!io>#pHRK0fiUw-TSygI_tjal?pQ=?w9kI}o+d0*`?K zrC1CI=hypMq_#QtCn z8>c`*w-=t%2_r;}Kjbok<3ztd|HisK5w#gxWIM&kw|3)6ysXiojXv8HZ57+|?|GfQ z*!iq8IP>vaVLv~kd#*FPJE3MmVWFB40oh1UG3M^!PKCLB=y;QA)r0MunjKY<(crAc zK! 
z>et@@vw{5ERCU#$FRnR%lUimhvTrXo58{6<13Lx09x)BaXAl~3{!2F#`Zw=sl23#4b_m!ws%%D8CNI-kzS8eC*}m;s)BInABHcTC{1eFc?b302t>H% zqVSN83X+hNdZb;13z4D4KHi`zJr03pStCf0LCXCdaFkU z$-jU86mrFbrv@5XxPG^nUuzP{o^3tI2T9Vo%p?jinAA~155f(EJk^3lz)1MkdDamu z^oN)zI(Tq?H`?)6uZY+!o4*<`KMgnJCX@f^f$#ih7A1soNnx-X|7Na?c!Jd*17)xZ>)Ar}`vghO<(uQ<1 z^~&@*o@TsB^)SYq8++gx)7_?bF{Nouoib*14kKKAdzM{&?|(iE@@s$v`URppl4Qs0 z`jv&07=0b@{!RMK&2^8UnCp2o>AcK$9eC*Wn67}Itv`Z{mC}#&^6-sdlXMx^74BOaP6Y`*$od1H~YKUu9fN~>#14_5a*H=PxfZP@fF znIn$Y=&UBD65&U)a(NO|D3q3L!csu(Q!%bcf{Fu>koY7{>CLQC=zu z^lfRncrC~XAQP=c_H0@L0LUT01jPWn-R6i#kVR#0=zg0q;lxd>d^wDVJ{I(Mm(mbM zrQfk5%`3HZ&{VyOn1;2;*>3*F(_IN2nUx^%18IHyd|~#Rvyb(DxojxwjLKUBb-|WX zf3x5efj({M$0}nA>rq-%8H6a7u!&^kxTVejj$c7aMw_pbttl`Yglgdh6vaI-s2=@z zfI*zMGxprrie7vRZf_}WWZY_}KJmvaWwnJGrQ%WlE7Y$0e+oLSl}~8%&;UgP)QTIdb8$8}f+$|IS=1&3B3PWI0sp3GK3ajNPd|p5E-OC8YpmMJ zyO*Ya6x6GBB@BKUkO|H1Mf9Qck^A}s69Jm3HrUgytU%wz^RcfNf z13burh;6p02nO}E*W?xAnHAgYzEenZ`8$jA5s3RhMAJrAQ2R(6e1@9}Ln0ZxX&92< z)N{5Qa|v4p_q)6>9xnM%gw+yDu>ml==)$QDx-?!v;*gBDVAk^p_1p^z9_*#i?3a1z z-IJ@B;hvcb*;5E6V2!uxg@34UUX6Lf2wgD$2)z`<{fzxlM!CHTJ4&ELW!`umQj#d( z4D1=a+zUH4_zJ+o7g0Q=&8#d=vI1Tq3ekhLBVTC_Br6l2{es!g=$xU%^G-%@p3tin zUIB;EBFZ&3G(s49hFM{DYmg}M+>E+8ADU)`CtBw+9aG+WgIb^B;iqr-&D>!@f+v&a!$UkH$$R<1sD=Zq)AVN4O;IoY3jiL%H`z)@B&e{hSQ9OJN-It=hJrHo zY%-B^u!}37y(mE%SSkcMbW;@W4O(QyWm|3>4D4>}Uh`{$O)#J_25)fUu%(I6A{E9k zTKKR#1CInpGrPbaXvi4K2|7-mQar+tzD3M;og6r?$7uwWY}MXe^YxGD-<$`HU;Rf{ zt=>>iEnN&A<||++32In3cB5wqN&#xp_fBh=We0xBH+^in4%ZK+&&MXorgTu3Te{A) zFjFE*+O7@OG6v{Erd`(66xvi)#!HzB2B?#8nI5wgvZ!G~viwO{8(qfR7v@H2B!ZhU zKN?P5cJ(`)nd=w&a3xT#3`5>WrETQ-8=3R4nU*$-1mtzfoKT^XQ4EQSTe9A-*?VRC zFQcy?ctc4Wq%tH)0sP#Dm2_NDWCYCN_)*5T=laUFsSU%89@!LjJhl?k~gU2bKIO26-5s ziT`XgR$_gZ_TCMTGI8bWUUyB!kk<%`6T*a+3Q~m$mygZZV2i*wA+ z%ml}bzky&=c2lx^Oaq=%db9y1`BTR&$K8l}C-lo>M0q|a4|RC-^`iJ|>C1cEMzS$N z%N+ArpRVo$c2xY#`?-{p%OC$1zK}_~ zrcM?aNBaq#k;uWH@|o5;BASt@IqP2}U`88|X_8UKv<}XpPQc;IPT!=TB%adol`dC6 zFrlx(-M<>WT29`S0BkB&N*MJjc|{N+SX>eBgIuhSeXWiFx0jFfBF2kcpm#ghi1756 
zoFv|>8~g#5M8R{kkXxhh{IVVh2)gW-^`GLj^~h-9yu=OmS{W5&?67EJ&$c?a#>^2K ztsI>d_t#vH>FOxA#8?m#KN;u0&vDUW0glfrgdbeiU|zl`GVkpISww!_{6#^9F&-&) z1`M$rd6KhPjal9E0ftod5D`#?sea$J6cZQT9}Nd=go8!7`r0TrP|VoZV;<$YM!0SQ z76g_?tL}`{(dEU=Lde0R%fvgJ|H{x1CQP;2jr4~0h&jT5ai3gfPh}Rs>|^LocXa?0CPP`Mg!G%W-XW?Cz2l(?e;{}GU$ zG5!aTEm7a%7*4%QWJef-E`SV^QGFSfq1~;vaCNFxA^?{8%KI9G5x(FqFNE}BbOQuh z&(WTvymgbog#9nVFllt0+lv%RoZGv7xHITtEh5R4b7GCzs^WfIc5`?yY%^X>-d>^l z2*MZ)Azo+qPD>9zUGya4{TGy@ql42uP5(-8iHqWr@8s}Yo zdvg{RrBS=D#$=vHM3#=f933|^NM<-gE)DW6v}>xY8$EdK4`MeX2pMLk`hz6bcfed8 zCM1o=DA)kpat~YTzjrXRWlzI*!{M;#3Szkbl%*RQ`1Bk@Lsv%v`)Gm`6Jvbn~UZ? zk=~R2twhg!SPZg~YbhCDv5t=Kb1DH8?1i z%>ARTkY%-#%Tbka>;_aIm$`gh>3Z7HB`#tdkLY|)^`r^detO9?b+NHDYY%}*8mk12 zV7U#m8t1hPr8TOe`23Bu>J}%w7AaaDrq~6 z5m_YFh2M1-#+s6)Pie@B4KbqRzFUz&ij%o!VnJY`HVwsEYmNaqx=6taG&>9YnpNET zh7ST0dp?jV&3E-68iQxRqp4jU3`+wVa>ZX2ikFjD%X`{P=Ik-Esj*99^;lwXwA#(b z1hZ*?eZkEAL9!K&*?coJ6e0gl$nL#t?v2!dc2c&=rFx#pkw7i~F+dw5w4hTkt2fXc z%5uO-sZ12O6EOiCtqqbSsekeFwNr35t(ASsm``zt?|aW;MOT4%QvGo}>N;lp-cZ)g z_QDy1<2F@}7JYJRN_#qCfM2seMX%X_eJ}ahi5c$>q;Pu*l-H8ZBx(>2*qw_3r~Q}D z9~ReiWwkO_QJU3jjnn1qC9i?f+AB+5j z@OFsf1&bn1vNbXE6f`*B2U{`WsVK>h$>zM~X}46fsSiE!oK4mC7F`=t9?26oq%tdE zvI}v2HS8)fk;vitBGJ-j@fmOxd(%ogXPw8eI)IA55QPbH=Jm$JNq0KsBE0Vq* zon~?nkkZnF;g(A2OT>gM;h1x_LA^`q`Q>Su5pgf93~U1vlQ3>4425Z9ccEJzcZR08 zZZ6wc_}B_-)HE;8R2*0rvTyK1FIHfeJ}V;#n4HiI*k7m z>E5obG110lBMMppWVg2rdHh1X;w07@lmhMC=bg|E|& z6d-?VQA)IruB`0|8O! 
zc&_5v3S50pM$Y!}kHc{_Xvk%jCxA>5F(~D*%O;X(hMK5j&ssGx)Nq2+2e+CBu#%Pm zZfGU{NIm?LgA&cz&qE%3QE70_V?>Gb%dCEWWA1Egmv~qP?yHQ1q6^5zDrX#;Xcxky$Lwcw6mv1q)XSv2L?>dgs=ve7SxUCsk0EsW zaIM-lBMC1EimYwwXAzCFa16rz7FxV{O`C>7QvIujou$x}czqUd_=%74zDhF~y_S5H z*v=4z*$wNp(r2oB@{_Onv(9Gs<>L}+-yS6k{HW_7^BHeW-=pla*7Gg!?+h>mGb7eU z+sby`H*~kmQiuLkqpOS1QY(lxY!pYUXc*S;-}Q9_f@-z`a3|U3$62%x2R70o+v3k* zT}i(Y3L3bBy3P>Hw|Qq=KrhcVkRo@u$OGI^1E+AByQ;rF@NUgi;2WTAdaiH@tces% z#09V#futYb?rf9x(l_9d{GPClJ*$oQ7hx-N-ZI+E;fXtQj1(U2kPG5mS*T0(S5SiX z6MFIE88>KCGJ7oa@j@PHx}pilN-i?Nl}6k__+XgA=dWR3KF3r|?RTHHwU6$cMWG#a z)pt_W=1xg=jB@U<57AvVT@U7Hu~qxN*bZy^SHK-Yl$%18#$5zg=WY4$*WGViTnLN7 z5|6)2^18Cz!>f+JoG$aB)0_EyB9TccVw5+WIsYZ^$snn=Bj#DXey#LtPH=^}K~Jq? zLJG75@Tu#ud5sQFb!@QMRibYG{3XWDLUr>Q! zQ#aTWpl$X7`Q{~pyv}#kmMcWGmhzV6R$!;(3nSFMTh?3!&ZIf*fmmL=>!c!FhKAfx z04L{>>%0GIm(KfR64@me#~J#Pow!&D*+x(0+=K1vQ|;11TIVarhiK{_k{E#=u?+PjtH1AM-27(xQB6ux9j>r$ElATb_;XKbMK$ zh|Bz_FAvkeGKuYEUMR*&)^Hu?=%?QI0?}KSZHty!y4IvcqrDc_0Z%bZ;0E!aXUW5+ zyEq`4I#3&u96ZVNt?otMBgZdNIJI~wIS++noAu6F0f`NO7{6k-cbvIJNPDF zo9P9DXq+{fp3q*o*Q$E)8r#@k{NQB8TO&&#Jj3T>!58+Ki}($j1EoHz(q8>XL$Wsl zOG$2%$IYUfp^!ol?<+688$AX;Xor3{(un#qy0FCv zY?yQ8^-ctUwsc|^OlCh-b)UJrC#iNEC|{3YDAt^cubhfmNqfw9<*H4JBH<^9C@eB$ zL{x+nV)0C$TY@x!;e4`(p)bR;|M&F(NTP9I0JyuxeQl5E;3d+lBct#gW5e^aTACy% zLf+O_X&&r4uvxAcs1On5GPHG=+cj1>DbgPem_>&h!My;F0>}`Df3ynV?z#6ew)M%taZgN2J3wVzUlD~A+*!8{3D%(!dW28 zSwj49sj}$~fD1R;@*YuUz&-sj4dvQJOb8Ve6qpH`Wjv=$aHC$peu-c7Y&3fRTCP?0 zGf~4wO~Fqddf`Q8iP-WO_QCxn@LYdC6xV8ViR*YyJMN%18wruHT4;000BX>mXJGF2Xx6v{gD{3LljFq=E%9=wJmF)m%1)G6f!&^e#0S>QkwV z;a}YWcJYc#e_n9MET}50E-k)_&W@(LfA28(fIc5$G_osef=1J2W_l1^dML1S%{gC4 zHYujJ)$0g=MXPWSA!6zopmh|dq-hj)6-Vtqc*N87mOkVI$c7CYw%a6^g~k?fLZ!m4 zNDN=JRahyAFmLR-@c^l;GC15~h;C!n5deWFJ{Lp|FEsiG9N>};WL?CTuw9gT6&N1O zmigqQ&VICz8;+@$WT;7ExX?%6doy002#fak>Bi 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp deleted file mode 100644 index 2920d5915b0b6a555f424cda53cd39942ce8f4bb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6912 zcmV+b8~@}|Nk&Ha8UO%SMM6+kP&gp$8UO&$VE~;0D!2gq06uLnlt!c@A|WXfY`}mG ziDPd3e0wVyd?F{D>{q{dqj<9^&qh%`>yJzS*}qc#$A8r6>;13PkC+cQulv5N|J8bM zdN}{i|NrhA{LB59|Nn3g;h)cc|NB{g@b*Ce8|gvl0ssHh1ONY8e@OqL{yTT${kQu6 z?I)doihR5GpUV$VkM8__`B&`!?L7wmLG};vpVEJIJs|$0`0wU_y?^69K)p-;JHmJS z55{i*tjqgn`EO7!SiVL6Px^28&-$O$eB(cX^b7It=pX36y8h+;0DmR^Y5vRm&#XV< zKg@WveLMY^uov;~>_728zJ6Q%Cw|NS5BwkcKl|VD{hWSn{nP$;`M-dl<=@l)+<$%l zJO9i5AOHXV|9SquKXrYR|7Cyn9yA;0nWMbB7+)R2I&Ri&8A}4;61`GdsOyIkzi7H5 zxO;$RI4t&AbiM$TQsYcbm5+T3T7BDNB%s1JkdktM51Q9{*K~ZBioe82O&F@eiiO1V z%_y~~v2cV4g_eza1lxZvPdY%sPH@K9sazLenwfVJoGSW8cb=#cM>#~=T0+f~4ksIC zdq~kz0TMs=E#cjsp(+h~01erPr?-nvUBlMqNs@fi%88kHob>rRA7)41SU zev`e)bN@l`9Ei>~b%PO3KpA3fw7YJps#HfkG2v&(wb!;KK8mMpy7dpM4G6nErc3Tj zzBOD{gIQ!{-sNBMYVus2|LF7P*0Vr024F8 z>3g1RK?8f?F2;X~C-5FCbn}s4(VD?*4DZdLdK-cH#H4A9`X&^l`G8~#LLX%4!%Z~< zj@+W~v2c^A)Il+}O^Ua}V~CT*Eo|j$QAq1-jL^zw|LMlM?!PSin636S1?zw7)0{IN zK5!)>B)x-3)@*JA+i!}KC#xAemvx+reGB5xus5Hj(G-~-yubkdwZTvapd#Je{*8r& zRw^<7hM26KWHJSVDYt3-A+>ew9sG#yaC9wrjrFdEMJ_EMqgIjfHC?d(_M_0@^@xmD zx&LKqNoUtYe{@!cUhGvovuY^wfevDOnz$TH!SgJS>i<_oF`$G#Vrs=fnn5D>6sY~S zR1Gm5CPEq!I6DU`bOo;;-`ljn7BC1ZndM~B>F_~!(f~5v8?QmtkP%r|!&!c|oa`UI z{OVIY>^7sfPgprjDTfJz-z*Pl6Xx(WV4KL|zeYuJocW|xJim#kXBS8diVJ0);KP6B zJwF0mHdT5hln6EpK>XzN{6gF}a-16nN$C$qj~6R_2OWJFV_>2Lov%S3F5zfd7y}Dh z*SYd+j(+S}!Db$+M5e1@uyV);1aSOCl0~QE_7FvRUa;j3dVL@4Vy&+cf~B>60y@<> zCnUS;8xRozS7Ajm8;)x7=FIlwV4n$>1cf!YxpD31R@R2(f#%&Z+Sz52}fxRr|b@zC*RY6R$08Io_hPd2V#+Nl3k*;MUq-3;I; 
z8$XU}ctt$&+llsP-Z$UK121YjknkjdBLp-EgF3n=efOfw zs#R@4DoS=dq#^6y{Xt}YurJg%r$9BKQdl{1zzV2%^?ZvLnC)A*5msmO&P)|6NZU0H z8;!hee}JH;8U6A3p3BnDROr(5j(z_gOG3G^Jl9SSg&5|EQF|;m^?o93^gEI6jRlsr zHO>bi+;wgy7bS5ar1tR~v?Z^k^XfJho@B}=77ol)4nu}Qv?OG(JEOn`NC`Xl$2%tC z@D^zG3Mu{*R{I#>Xy*K7jw9>s#44p&#Q+y>EzG*iO#utz2Z|hLzFczPw|+-`3!qkX zlgY0rFDy-~zDs~q&UPf~3RJxu0QBjr%>uIyeLEUaw36UWegY$OAmHyG%Fm(!Wf)6Um`toT{eU;W>Ulz| zG99D_azOnrVr^$VN%|8uMr4gg^m)8tE1rvl9kZuxM7!pkqz66*JHPhjrUmg#*%DWD zqQmPeDhH^}LGO^+E1?whnHyF!Jy3IZ{YB1wKmsd8{n?@(Mi-9nH-rwVhL?+smw{+q z*Tu8$$klEqlF?Il*J^pqcFO^XziRvF88f&?8Rz8hF$RHk=5Ha)`4ZNI+X%{k&|a&&+E(yKIE{bW?+Uj0&( z$9sp^h}}|&a0Ex5S{#z^+#Y;&LY!k1!cPY}6xv=mIPyNC79u|mG_(scGy9&r-zIhN zBC?NTrBO*8ci*@!8w_p3p>BHSgDPPI3zxE`OI>)di0fqx$%g)svoh7|V_x5%rgVS2 zqsTE|TwtVxfC$owTu{)v8~-0<8IWl#OcU**G8Lt-Y^EKnfv_x+;=rLkJExe4h&_Q4 zam)$(_A;1FM-xyq%|BjIQc^M2uiYyOup(Q-PenqohAOlqyf6|N-9t%Pz$MWR>z@T@rI?N9?QrFe`}6#RvMqsg zbUr4LS7>Gqs*BV2KYW0TkAdx0kz^%)V5(6YbiY zwvxlOp!qmp_Ih+NK-!k2Eit(dPxP6Z=_S}rZuoH=ssO93zzRbsC$M!^g>QMm|L1d7 z;R;sWkQRIa_)A7X)gf!b6QK3%H*@TB4rNYP^^X8J1_xNsuRXnU2yeYOL+iO-W zEefq3z6^6u)&6b2jqQlDB2IR1cXhT7OdktOz;aeY~zPWP^H-+O342 zH*qhAO@9$fpy0V&n(hGgTKF@i%s(MN^9!yDDWr-2-3k2-{ge1aZG%l*MgP&W5i|+| zQS--G>17cCs!kJys-2HqCjg!Lc%=`N33vGKGy#P(>V;a~@4$%P^K*DohN|tmJp`5~ zme*?5;jQzdNJk=K3yIUcXk6lH(PWcUD;Zq~5bhkZsiLPSMkdbGRsby->3@!#H`({o z_F%u<%j?x%ooXYO4Xe^~ishh5u<c z3v?2ZLkXy&YkOznDU5_R^_)`a0FofJ2bd6(ZFB~o2u2dIYqZ;W`)%$ACmF6)nhk>Z z>tj;X{CKW%u4}3uPw)AL~FuEYjajL$!eO4`#1T0 z`}HH1iMkf;2&P;>v20d25wpeud(g&`lv7&5*33+S`wWhvH8BG}jdbm^y-(Bo@J#KM7N)TEJn4y;)zN<+XU6p9w3>@sW34KLKU{bGMY9e?&27ML=qHZY z6}$1#?1D=n1bsprxWAxiTwy^pFXHka((a$T5L&lj^fx>}>Z#SFxJl^|Ja3c?YkiD$ z4nGy-34S2(itWF=Ag}!3+A3YkXzM^@LKdW^-&eh#v_9q}x}c`z92YwpN4u5>oxUltCmuCE3?%P#tdS*#v!**2%~ z;`63UX4rNxm}6nlB`0DB3EIzq`%#IWny;v&AWsX*l{>vZNG4u?g`@>@Q}v*vyzV;l zz^uYzZ6dF-J*) zggTs}?_en#GWj*$y=_sjtMAPIcU#cZ?Lx40vZI7F{VeWJ{CeMI19@!bXQWe;Bt}`% z?Yhf3hQC?ku@QO`@wcTgEa81bo=81`gr%tBeMx?9Y#0ocUtZ-f&W*y=VXGjg+SD2~V 
zf=s`bGMEid=SxQ)EN=5KR_*srNJXIBTzZ+U6-j}`%bX;-C-Goml$cFXLXvaLm}-ZS z9U}ClP$7xIJ_lI8x}!ShYBu?aX5MHCeNs1 zO-n00E`dm^{5B>Zit>7EjPwv8fPu1+Q}nuiC3(H(9>{S`HQYRfqO)}KM#}?LmvPQ( z3N4pL1uwxKej!}MOPEE**b7s-{*Yf=i@UQ{cL6h8eaLo+@B$;G>*&g$9ED5CG-}i> z)YQT&UZP;*@|?Jz+Vq^e8!M~tl@NaLQH(v_NzAVk?T9(6ne#yJi;@i)C0M)H-h^V_^jT7D ztT&Yvb#fj6QXZt$UycQ;#IBzH<{80QUeB!M@)L_6)OlgocQ^J1;ybd-UoJ0g<=Nvo zfD_C&*wQ?tnvg9%>3TL1$+Par)pB7rG!96tdmuGZkJ&-NMHaDthTKxcKl>_Ic-LWt>Fl_@8r8)x4inytF$@M zTd3gU$R*H!pKeRUO_&ZO(!8F-#OHingC35#&_C=H-0mdW@!!{C3#qw_^f1~#qy<(LQM^(RUop82ML(*gR@UU-zEhdYLo0ujt8cjlRDL_YAm`%BnFf54o-v9TS zFi>k*KR$Rj48xt(?T|+`6f&UaLNl`*R=Ml8iWpz=fuv#vFA^~E09jV{?ZN=%2#cFn;}MxfRba(O4sgtn zkBl-0)$?}oD06+uX$^rv5}sC-jmt!)(J*Jg?yxlnb?{uaCi>*FDB$$*Ft4hP&Eq%O ze_9SEDlc@sTsF@WdnS1>*t|;YN@k9$?bB;P6gYcpx6D;Z=$*LreI|(PYgTgO!!5jO zb2kE>?csQ1TREoIPchcnBDpTb62-djKd1%LKY;mW{0{~q3Dj!x)~64VZ@dVTe9*3>5tu}Ibu*Lk^)>O^C%1}#z`J?3c~erTMf4t z81SbqEcRB&6P4hJWI#xwb&{BR8LgR}Up*4^?82%nkt+OmlEq!-fCLpSHP6A}lxe^= zxzt$7C}@65b!cZy33vP>z$*I%Fu= z4fdIY;=cT?4DvT(Pu2Vnj}IWejMeT8?Q82EVU13(oDTv$NKC6%R2{^<>ANgn9*%^C z@E+7wg&JTx_N$FP+2Hgt0?Bex5`W6zYr0mu42(<=@|3U246J-Dt%TswRJ&SI(V_j$ zeR>wce{EMU8}Wm+c-=Zc^P42JM;f$Tyz87LayzItRYWGc95#SduvxgkY_QGEBrB)8 zhDuUPZ?brnIX7em`#FCUZIgog4D$sX{_ZG0wpf+A+H^@^@O;{^e{%}d?OwO{EGHP6 zpqA1#o7`_!JWdZpd6R=?sG`iHetK!t=~*YQ`RMqD>^OSKQ@G@JP5M9=ubU2~o{Gkb)?fdbRuM&_IUxG0i_$`L^dmzx%S!zbbhWRM_RAc4BR!`S}i2J8FTh)sxwTCGYrLUjb)}3Tg6|B*8zu;VpnOxF7GR=4O^sZQlZ7jK<+Pfq#I_N6k@8n%AZ?mWizt zi5f24!eWQZQaN<>bwW>l2y#zG#b?u;@D04xN=%DIE;xkwJDu`!60)IZMmlQb^b&BU zoDpe@P=P!AMZ`aK6L3&%z(#}Kpz!Rr80jlPY}MH%rrxd7l?F#Ki;w0%5|yqI zmB()l3U3g-=oT?)zO6oPH~D-Cojw;t5;vqs$vqiTd)7tRB7rlOtZCrET8>!#hR#&6 z!91IT_=#!xGi@0{Cpn-@2{3Wl)Q*5e7+x;QWHxBZ6lwbjK>Hn=G5a%7x8$q+0O6OH zWdN!(l3x>+JBu1$vyCbFF#d)U+zZeR-W^1WM&EG~lY}*QM8O6Ch3IsW@bqV0OmAMl z6#N+jZ^c5}#dRJ<&!l?Hgmpja9BpB}3>M_ejA2&aptOtBnUyZSmb>SWn70Ysk$Qnl z+Rsw#paggnX3yb|o5Ojs=;FR7nNMXJ(GOz-nkFU~3j3{xc%`M%>g;H+zG~)n;9s!g zl80jx0f;0y`99w@TjeAgK$s=9{D3RC)O{(1ozqhG9<7bBtY%8WlwfI}1*wY?`9G@F 
zgGtJ^(k|LS(#)$YHN5)xk6SjC^fM|Q9L5%|o;Xw;kVF7_Zp*h6p|}Xe6&uYis$J*a zSR)P1%Mmc0fE9R>~G({63l*(A8JQCOiY0Ycq`Iq?{OE z53j1m2SaN2M%Oht`rT%T0!7o-deWD+xlL?+j4CxDp?hv7nK;MnI1@%0i!|K^Y~7kmIOE{yb%?qfjz1 zKsJ!DrJo7X^VcF!YY^5g9(7(ACG@jP<^FkdU3fqP7y~CGByN{ON0a<;Fdh~}b`Oqm G0002p1%3bk 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp deleted file mode 100644 index bbdbfba8c28d9427da9661b6b5cf8d34e1260a6a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 21850 zcmV(pK=8j(Nk&FeRR922MM6+kP&gn)RR93c1_7M`Dir|)0zPdpltv^YA|WbNTu^`w ziDho#an36r02(C+Pp|!E?m@=>sp`-6pDmSX>xc8aSH4@q|M-8{5AA;jKhl3i_5lBV z>Bs$V?gzU+>0j)9M1MN}CHtlCNB@J?Px`M+4@d9%KmY&hdfyg|HuF2|4HgU@_)Dg zqW<6hNA?riAN0TAJYD?P^Y8PY;{PZ@&L-#-6u{qy}d?H{4P_MhTCM*Qdczx*%mf8@Vx{=h$ze^UQ}{rlL@`aiKgO&@pv zfBS*(1N{5@@BQENACsR-pVNQp|3&`8)4%9H=D+lRpZEy=Z~d$O@Av=oJ{H4EATB>Sr5)jKe1|I^6i?Diu)N!p}_4Auv8W1X3pS7D@W|&byz7?@!9q`dt2N>U67Y_ z?+tCZlVEo|)0-!d2OOPL`eD`+7}>@j)Ld4rj_8kQNB)Fq!ICTsX#lra{JC1nbj=Dw zTME`z`C3t3zaBK+zGjC5dPB>YuqLKQl3TnidvTsCPq{i$`2K|TdvlYHa$TypKb7D8 zUwT8 zou06IpV}SRsSi=dTOEx8nU>v`kfIU&!reO{i;*phcU=04m9_7By0@bLWL4qLsh_NZ zi(%<}6*spT-S_|5W7it9%IWoTMqnHd0If4D;z5cqsRgjiyxPY0J_11;jx^=%`*X0u z;F4=1ma9PNOZhw5-v|$v*jG7#LRh?h(!bm9p24AGk`d|Qc4=OHSioO4Le80Vi2DxO zxhkWR9FBKtNNH#N}uNCc^68)Bcu2b83Y`WX(|%r z)JXaLa+%thiBm85%oPpgdteR(*TLGJpA{@0>s4@nEH{z7b%jV@m9?!5BS25E zS~gRNJ+|rHo?um?6F1y2xA@VEstNNuQ0}-F?gro4M+3j)q*@oUA|LkZt&K}9U;ZPN z+A(Md=C)$ZOjlMw^r;Wcy7;Xn=e|5gglFcHO@~aJ8u`Knhl;z9A5HOgR{Ve6WY`YF z{2C#{Ev1)OzmDLCHazhCy7ul8`P1?5uq;V0qQ8JC5Kjr7D-#E-#&QKpReZ?4RePH( zg(l7^2@c=JB)?LZ9oAybCPF*st*@UT9|;YhhCA6z=km5mJ|O#vx7-z6c1SX?LGLE( z?L_hbJQ9MvESuoeY-)q*{rXLgTpCTDc90d&nA^xzP4vRBOs|>?9G9##Ryi$K;OehO ztEYmY*h6N#+M1xGy`ef((ym;X0GF6uikXUqM`<*A~oYk$p8DC z@>`Ly7-N%Mi2v+}^@?{*l(PV+Yr|)7CrK^fnJqfV-SnYq#!5@#!~NWq-AT~eov$DE z-ge@jzNBYlLcx6aTjhJ0rEr^qlWa)w4IcjLD&|cPvw>GO*_be_(Mx#5FAFnrkc(n$ z4G6s_lI;Fm5C)F?wf-p$3`TaRR(mjreRe@wR;^XUOIuA4 z(}baz8-ervj3gMY1Q!W)MZ1S%(8JYv46OY4+$;?6)H1e^B*`kpIH?^?*gJ_5&mcon 
z8)aHB$(`e(2J^&GlL2D{JJ69eqzgVEfm&1{f8Q(|a@jZTMHwF5WwYl2U`+TK4gDre z+hg>R2riSkLjcjq*cq$yX=(Mi&V}9GXFER2U*3n`f*?@Z8hng#Xn;ehT#knre+XNi zLcxngJwt}k2DBSVLrbNk4HBrNzZ@j`NW8XP1tR?J)74z0z`GLIoaT5+QqVWx*fYYk zaue>Fmi(A0XH2gUpfw5-7`SRbxIy}_M^Q0&$?RRtUcR%~%k&EY;w?j=H-uLSo>^L7 z$r>cCYkJx*8}`tP7>DJs+|`h*@l!YcKAq+!(EF+&zN$ zdRb26&Rzww4o??x#-UFnwWR}*62k8mpYn9(ovM-B|NK+p4VtLg_10kp}}N{?{=jTvn>k!N6sbhAHeoa76; z^C|l?^xy#g;1M6e3zuSZ6^b#>Vvqn47Z&EI^+_AAln=f^ZatBp?iM2%F=TPm+dsg> zfB_FY5elqSzx%pIFNZLes23IqX-l_-B^niR_$|A&J;%h>N>m z#e~#vcR`8cIl!P^%RNJo7J30IC*dTaZ!d6p6{&+izdRmd0FrS?62!nB?|QMrSfI*5 zp0qAPjnvve7T$2Bx95#XB@PyeHbSXu2#=MT0|1}rQwBwdM4UF}z4SHpI&*hnc<3={ zKSLEuFhAe%y}3+S(L_?9*&|N<&Yo<19uQTpQs}liq8@Ks-GE!gH4gp7MJHeVx_Iq$1;ib<(o4haa$!vcwyZsfEgKj(22XM=a8S%5 zJrUi{GbeE(*WMDYb_CM5>oVgqf(Q_lu*OcMvzD}Q<@RK{=8+>pjLyiAEtV&Q0PwG- zz#%fORKn8^A&~VQ3S?pO7XCHsp4pv~=YT|88N5D1*WfQQ9TkkLgDh zLe+jrAgjw|uY`Wf!xaSIT(d_ZlVEn!&rl!5v|psnnLD;U#>7Osp?=i>Kq}4fKV~bg z9&q1gf(!tUx_s9}f~voXBnIQzL4tg^?F{+y*d$R_<33RuD-6#D#gv^Av9GiL=g zPUf~8ve(-s!h){;vIA^}i0TnVxe%`4SF`Q++R~u}m2!lHZC@c#JVznIzN=g{Iuhgh zE>%xFyjAK+za_#Z~3Ty9HtMdM-ufz-F|$TZ<)jW#Q6{?`@u63HMyD2ZWCTV;4ap$Kfia zD2^ipXd0(c=Jt~HLnPidN0ru%5Ot_E)L?blenq}b{V0*2l|>nKNSCTvo&7BtGfMLJ z1vlxQxuvh@9@WpB6yk=3$#m|X>leAlmuxA(N<(O3P9W(~1HCea3p~jGD1A%Oq%erS z+T4=(^AX*ap%HGcVL%~pxaH|0*ZkzVPw8OPql^dVvjLD|LXwW*3uT8zVU(+tK^03^ z+6y&vw93r5vQ_yIPaR|1B+&l$1;bRYikET325R^x;sG>B zR#n-T5brLO`!%=yZMKPor4$=%rDT257-59HPL! 
zEK`c?pMLNaM9s2%Y$Lsb-Sk<$gMqm26-asY`pD-hj6H7DT3l>Lm(#<31dIU@<~>N4 z4Y_2lQ$g0kU>u}{qi=i5zHUi=Flj4jQ)J;omtx6ZaJKa;x<4C8^VOiRz03o;CtWLY zXaF-1>fsj=P866Plr%U;%>82ovcPjmc?og{18$5aj2#rZvGys9BDs`jTDN z!8vNu{D&iaRCfRIv~xUvF~?ANFRTyXO(5{&TrV!$-(=EMtkCs(?YeRh0+MIGXL;B9 zmjUGj;3}8IXj^e)l9^t@$E{+rHsyf11;hW=(53qDQ*YtVcYk7w#|34Tn=T3T^&;G= z8sC)5W{(PP`8jw$MmlS614#!wN7?x5e+e55i?zOJQDP?0N}yXG;mey0s~dJnW!NB8 zTnv^R4e02&5yS=6xiBe#u)#0Q1K1o<_gMb9 z6)#gJ^XWNwG3N{K43dXViNtf;A})=9uK&dOASzKKDrZt{dnGV>--CDEOP39l-weso6KPxkHPg^7?rD3EU(T~ROy z{b47H<3P9w*C!6Er8kPu=XriFZq}^1PQ&7vW^<7HXaHmtv?kDcMXK0{EqARgD|tgV zw2wI5ez%{L**o^o{BWdfzNsN2+1K7Kj9y-vF-(hgY;c(wNmW0#!Rm-*VwzV*iXYIM zLMpg1t__K&V+jkcg|`$1*GM4=t)X$ys@}zUA8aQp<^xQK(R30va=G=h$11k)rnpSL zcz_E=a&P@D+Yjxn7gKPt**93;dO%TNu}>Iq4SLg{E{zKY?{Zp-;U3S-j83)X=r^tWI2dwzljKW;6MS;oX z>fndr07EcZCIRY&i^@U;+VIfTU#wB#cU_#SLjn^@7&kn1t{=$Dud+!MSQUDI8l%n1 zORbOZ)g&Jl0D)R}{~j2ddON-O);ue2GHa( z@F2Z9-Y5h53v#F@E~(*`MvLYS^AcpV24;gN4c>m!ed7{efD8igD}Rp-k{{Et92(hKwvTXJK)~Dd+w7Lb0~lz56f*tz8Nx#Q1?PS^+z^NYpCRPk z0b1Lf4{O!2qk?@+Ap3B^02WayYz#G-b1=gU`y#aiGSoj<^}~2(PXBPu^99Rc{O6B zu~%Pe9#Aj-@~EKVhZ`(-j@tZUTk`gxtJ>PAVz@eX7rat8NkmkVY10tKol{H$SwR*( zzV^^f0ahs)0O%u?0|F#vA&d)4lHY>@4bpob<+*!vS2Fj=&0X^U<=#)G|MzFe;tT*{ z+cm7lbp8gQ>;rpX1dB^>9v)^^(ryA)Vrc7PbH-q9{MkiI!B87A8CT@XD`K80?G%~F zMhdU+q7G+ap#ZA7oesjADX z(#z3Q^pK;}X-aK4r}THK+-yk(#7?vf+rTm=ZP}g4B{3)b3ldtyW?j6pliwgdt5Q9J zxbe>lJ-Dyv?aN!*Bbz&CEq6jSs~;T)N3MzD*aO5Du9KPV4W>c=Kj3F%#EqaTJul_z zySj*?I;siwNFYS zBFV&F8m+n{H;@@ZX;){nR=j9^gDSWXLkI;~%zl+4GN{Im$=6kz-Dg_|hU7)2y0S3& zh9{AoE=lt=23F-ZPPc}fQYw@OPUocduRp}FLG0v6fR^+I)6P9Ud4U`3YG_#ME8;qp zfWu2h=Z`Oz2m2)<@bV-ns8wPG^yK>zEWKKm?;T0`>G#*~^!%$MvKp!Kb@_@k2t^dQ zO=|Z`*^_!R%hvS-H++^=#rjNnjFTpU2iJwOIhLv@0-s>wC5X@UV&9R`qT*z zb--@6rf9(qGaYlYgN}dPL|OY8tHR@+sBYF3 zG@gztl3HY!%FH8ia=u|I%cJG3PW+*;LdZ%=5SQ!YKv*t0H#3X*5;3ZN%h&{5wRtpD z8WD}hNVH)kkkFOqx{)x2x&T8S832(aslbhGX*}l8w6&!?F?nQcc|oegsvBHa5duQs znR>nJ>m0B^?xXU6CzFe&ke5RX)G@;}z2W9O2i<6O@MKlF$=(iR*5TH>IBsC2S^;fe 
zw({P@8aA}~S1Qd#d7nqw*t?JKjb2h+0+)TzDNbw)Gq3LJSiBC#&LHyMdzFaz8pw!{ z@xl1@L`QMJgkVb8O{dV@?v7dSfog~V8(L>NSw}4%YH$7qZJi6Oi-|f+u96`H5iJ4M zi^G@6>>bzhn1D_qh66WEK`br`cihG)tPup1$W1x`kJL<<_69D z;~&eVYJC^39S~|F!aLp%+nLp~zz&wN(L;GP;^uO;iwc|}eobhGXL%V5a*S`8gu#I) z80+;Za6>BOq#e%z+U{SmWn4%?AW$Jh+Ew)H3=B1A6!0^Vl5Te}tx@&Hdf>&>1it`TSStC>j31D?Qil-QQf0VN8>~L#*K);%Cm27D+7-pqJLo zx}~}T_dQ_wu(DwR@Z9yrnsOB!h@pfZXW(&l!m6T}b0Q*{|7k|Hv+*ESAwYf%>br&S z2Uf;b4u-oZ3ein8cOBM&Glz0w(a}gejkZ(;(5C!>7w~drc;1+%N|#&?b9&7oB#-N! z^cIDzr*rxF-k$BJ#nmheY>YXtDd8DRhd-Z5d?afWJy(6 zBfhy!ky6pSdVD&$mHJ3tF$g)V+SQSBwN+w8P+nwlIK~bG5404Fe+PqWXriDENANh% zWMfCZASo}qw#|Xt>|*-R|OS2yyCw_)p#K{|V@}NL#=f zA#h0UXNG9I7?SLz)=@60`MXsYk>FUQm1n?_NPtHW{_l5~e5@hi=XOFtKauc|+o?T{ zi4~=`EMbNbvm6od2Mg+A)Ej{1%7k)Wn*sn@Ktt54*1~V8ifUg-7LV|M2~ib5`i*wk zP}{!4ZrIk=?R4A};!tIM;<-rd*HBE(8ApZ_>SO+?ZR!aFq-m`#qm=S7?&=1f$9XqF zwAW@2ZCoAYZlg@!)Ilvh)fCMW1jCa*eOee6A|rByNJ4KQ>HQfB`8HxSWs7IHX-~iB z$k^6KbkwFR%7@)awr-_0z(;+%Fka4Ed$JtLo|7M|PtRF~)}IluZRXzV$OZ12=tkh32HwNbF%{X(>yK%9%anptNUQ%9cSgRtbapon zD%ObyV0m&zUdhjKiPwlsEYgyZt|ed5PZAl z^#yLQ{w@SG$qU8ycLp3jk*B^}o|ZJJZwmle(sI%CTprLO=|iB&yri2j96K9CH;cnIdh9ho=dtg?Fg$Y2U~ZRkULV%$7k!+uQKzg{6; zXqn7dhoSVfb~TqzmM5Lr%CkczlTP9x=)7umuN4ecE1CUxk4VvDyZI z1?VYn6KF=>lS_;Qnhe3kHdU7i(-8Rp$mX%}IL_~T=#%{{;-{u`>JhxE03feCP`&xw^#eMcw>5zz4H+`O|kSv*P zplmEn5@qS58J1cEgRbgR70tc zLd){=VBj@^vu;i!x?A>Fc>fz@cTcyq%$5q5`=x;2Xn}VQ2~i(wGa^3z!>guq=&&I$ zd_wcI(>05T`Cp9dgtN6QPiF<_r-ahNsu8y}D~kP+e?GtxD#|dY-dmus+*R)jG7Pmq zn@H+<16z5LS41gv^)|H^kohbOKtKOR*vDFuf2RTp*AKsv&}Lp^s6UKQTyl`CCFUz4 z*lhwF@1jl^FFkSA7;!q;&E)FP{#i=QdQV?Md-JqI#V^x5OhY?D4@Z!qEj?Qt?f`oR zk;z{QCyL_b3>}N0JJ?dIkPLF!S8ZQSg|v^`Ie9;CQqJa%kI{k9-utu4rgEs1s*#QH zKn94oy1U>f_O#nqtHPUM7*a1NO3O9wiJGasyeBA0+D8lzeqczOw2ZSI(*j9q1ZYW0 ziLjjUZ`1H3&T__EQ}Y_QaoafvJ|(2C|3Z+}+stLWEgVdl!KeyJMrL4!M zqFD@L%A2^CL#jsG^2T=y`O<5EVO}~!^h-zaZ6EBZOW$C4{b-iC<*g)-(O+8951h%YZ3TBb=L%63AVwf#M^-fmay=z@OB zEs7I0DnS31{@}Yxsgmj1x)$O7k$e`oCELk7I8Tg*F1Ogig5}shf*ZQpG^&#p$d%G* 
z!C}dO>@rW8UrqHjnFu4Q%C&iYQ_B0X4pGxQSNb1F2YMoQmrh6HUPz9-PhC^nhhH)K zKj=$k0{$qe%fT*RM}Zab;74B19}AS6ByqlY3SOY0QZoL%=%7*ym4^_J^^3iUA#|G( zR%NImc+lN)hL06qnB4x;nIE^H)=}zuk22C!pa~Wfv>+u347_k~+IyyDSHkRksB;d(9f$nK8#c&lGI z*P!Q}=m4ao;*kA-v(=L;O?87$H~R3yfPjlk< z6&B-h-JA&0LWJF36@{r5?O1ns`MxQExWo!^pn5%$zKaO1E|3?uEG|GQ2*>K+a;>wA zO{u(2@K2PN?4kh!PzzpS+4Efonm&{vl;P9V_w2=iTB>li3Tdt7L#_2|@B2T|Ob0AJZDR^tK@th%diB2X|viw)>|aj8R2Km2-`#M+@C;k%cconsE&zBeZks z17(?TR+nK>rF5{l2im5jJ3hT{azM@)7IJ=jWj)rVJ>&GyHaSU8D~_A_qvdijupIr- zXrwZDvA9mYwPG|oj`Xpeny#e(J%Qj~f7i6=1%?(b2rlViwj}CeJ%77+))st#Gi4AB z^o2)L9ijyHHrrOD#>mX~8KoJ^kT3E#D%~>9#m#!E@YdD;Nw5Wi{m&xJpN)A$4R!YO z+RZ(iGQSX7VJO9pC^I3SWEmT7hRzb%E^;_roX^OluxDzM>`vOIZE$h^@ctp+5oV0f z`#FF7bth-lyWmi8Z=$FzjhA%NCRb_{fh&^1feL8^MmWzH1b?dowf#0*4&XWc%iVmn zQkNm%z`kS(@5v7TW#z}=V2a{J^g zM)P<8zP>bP_=SCI={2mi{}TgD+=17uZT2x^n16`x9wLChr5r*zQ

^#f*v_X=j`IU)*xo$bi3lr0yzFJ$O z_2xd^mrX#-9KrSSvAx9d8TDg4w4^nxRP}+hXgG+XxY>ajJ0O)5k~kR<0*$9+QL6bz zsy99I(BtlY(o_{(=c~iJjHEQ;_w?SF89yod)`TvqGOuVWI0L6-l?f@$@Rzyoh-z~) zp{$_43-xr-6IO4@iQRPSZs!VR|H5n_X2^^uSB@@Ee}p{{cZ#;!!tYSx`>Js`r{Dm? zyeG4r0=&Up6xS=%;XlcAik!4(_jy6OQ$tRA&Bs@cEbSG2M8y_Cat9WNtjWXFiSf2l z2HpXAj2<}1^dVb&Noi`G2uVp$$VJ5UP&i_l8fkRYKznM0b}=65h*!|7?0AMB_VLCiM{f>mPFrHQn?aHzwvKkDkfCNTB2syz)E z*&3YjHksjt#DEHr3}c}!yW9JD!ggfX<}|vDMQr1 z9N~cnnPZnj`j}Cq>a5}GI77P+UzFLButmw5IBfTDfls6?@5t_Ua)&+RwksS*y&sWo z5!<04z?zo2zY9fj8xXkgw>NPO{9vHyBGn{e49QR)O|SrNvRd;0DyY~oL7&&Un+9~s z2_;MDdCFP;%g(0YgXA?_e_tog#h5;E0q?!e{m`Ga;{Aj8!8@A5Qx6jhg&LnC-L{-5 z9pwM!i>{k=WKC?M^XC)@J$vJ9`z3IcQNw4Tp!S8?&o4kzpMNZ@hp z;N3ERKdkJW^w%0jJe|t6%npv~`Ni2fIlU%i@ncLQk37-XN7#dWxNEcV!_hpD{CrR4 zpss?UVup9+^lSJ_Kv3q@`+Pfm?Bof_5L6|>AqXzZ1MS>xypfA4r> zWBgQ3>N)W?GWaJ#Y<<^4Q#g!{(C{IjbeK|Hs8nWnf-Tu&ok6L&{tI3Dq&s=s3<^tk z-SuyKq5!u|FZI$AUGvOY9X_4%cNtyiHoZ56YbFz|W1XaWEprq2=EF3n#Eph_sEK=4 zFE3%LIFlSm82&4GL_RZZCrh6{wB|UybGjleA24vxY>{=4#uZWQoYcsTB?kGNk%l={ zetwCwh29*{t(mWjz}Gqalno^+(;Xb7z>egbO@urY-X$hs|AkJJaB{$YAzfW!lv2e6pMnq zkuO@gQH}(>AREbr*UmE?W%pmb<{{tkE8qDC4nFWGFw*o3pnP~R%9idRbkLxgG{Ete zI)KNbXb}9p-N~14)eL7b2UonRkm3`0kT9 zHQz9z=YBW}?{=RQqubjb`Or-DpMVmn4gvP@^$}trOXRdug{tTU8Y3Dk;piJ>^a^A( z2+>X;;z(dq2WAF$F{w!SKq#vTB0|fsK%E2D^Q|3o$EZmSSA3=K1^W=o%leDDq7z9( zY~q9lR;m^+cfnuoOnzHZf?dKr++YByR86C12`hNo)O1H==-#2e1JV=?E{`Ci|1WeO zzhm>#SvVQK>R}lpbS4K{+L91%aoPPBMVF(C*g_xNsGTY=Fgxr+?%Wn+Z{I2tS-??6 zhw{g=XMB&Eiei9I6Yd|__MLU10(a-qvALV#ru$|}c8~eH#U<)9U5U#em{@$~{0js> z(`*^(EQll?2H7r|K=($Lz-DyI%&a_2&iw894jwTrk>Cpi^*xkm0u1mhf`RqC*5&H#Ag7m=Cuk2l%&v49w{!!1F(lubfE$L( zZBKY;b8jDbPZFTBDAaV(fqc}(7r7hICVagNpZf)Tmk2As>vi`=R}rXHW5m`lrs5LA zn1T35A&QEa4Kj(wpX}N|dQPD7VJfX|1Lum*&zVLC&Cf~*)HT`~!D1vpT;eM=!? 
zLH9OPN-)J_>|}tx zmBTgC;}`?i{<4n`FbR?WmH-cP>M2u2TJ9hp$T7d=%tabD<^!PBk5V9{oJ71$jB z=J;BLky@m#0pzVe`IvS<8|-`d%Y+T%{)&>PdDcw-WGn;xXTs>jsu3n+ zKmVj);!N5r)Af{%H_*VNx9^96?%jE^xXTGRibdPB| z&7>oi-!cP>LSZ}!0sug(_jgdmUheTP^oq7Z*BR692aleaXwvL6D#>lMZW4E-h>Oj# zLA1{p!$dDNs!6(4Lr%j3SRQgpZcdkG!3XCtYdFAB&VhSG`lR2JO+1DNpB_$IV=y}y zbw50@hi;CYZzTS868XNV_^FREh1n*Y`bIJCmGY-w=I$%|TsRayE1HXL(i}*lsXvq2 zZ9e=Nh#H@q?+VeQf-G8zdQfRiGr}!s=OIb=2!Ant*p~H%k7@GxTBr3Y-KI#=n z8+W#se`LGgqQD{&t|D_M_7tKiOOTO?S|huzE>EVuD3C9Y59NE>x_+?<=wS8K7%C0y zV44Gg8x?OwQXmZ@E(osb1~y)2xA&h;%%S0p(+*EGOwY~ndVrs~| zzn37DZ!xO~C47HSnssz{+;3GSql6Y=0OgoJfjMO%$^U?>L`njv34G8_Lc3%YWlD&$ zPNn;ogsPv=h)LnHDJ|UANA0l|+)cVPtwcF9HwK^cd|S+8uJhN3?Ig@*0s!ee_lwR@ zetKr(sW{7Tkg|rAZ2ATO{IRX9USLm+ddpUHQ?zP>7}lp`n7e7CS1g?kk{UU+-b-bI zXupJ#k~=6itdx?bt2qGT?M+}!XZ8+r3T1H_$W=54^S7)Ud*$xu9x4c2f$F?yzIN$p zsc@7Hd|PTiyn|HYL;0T@;W%?^)B@bTBZWrav5;*dA&4LYC?(=T7b2lTR#Ve>*z zfwmn6-h{H|76$}Kl50}Tq|ZZABZ32;n*f#9JtokUCFgpO%H1RJZ9;W@hv8~ITg;&M z&RwL2n+jlTl)_tBUn~y zIM8?n$l;B`Pc3$LCPf2+C>o9jTc5N=<$54&a!92c1OBb%21drVGBV<`!?pAtZK9iq zF6^Cn3m=g!Z50@OKU^f$3-&Bzh)sH=pR3J;A9(|7F#A-*Ew!x*((FshM`si9+>RSdy&m!Zj?8Gm%>$K)}=Rs7xyDM z`NHLa18`nTu#f(qD8gIy8rAxz62k54vYniYbck4@Uw3M-+MDn{7592F37+_?=ALZ@ zYM*i4E_Y?)%=A?6AHCFrHfa{?wN#Qw!J^qsYeW6w%&JGf+p*SK76qIiLZ#rPn?6lYaG7Hh}Hqi7y(vCbq{Lwd=!G(DZHL!dD?oRpR z(5_r6V6^6%4=T#?MtCxKMKJA|XLfh}7-5bEi`I$-GXvqYnW8 zCAJh<=o!7W(v|ak7dB1_BJ;v)uKBu3~lWzhOMm0o$J`j_MQxQjpO7vH)x5vee-WFaE8 zAAU|#*!T;JJcL2EOA`GJngfTwqtZ3!X{#QL|A^6a4OFn@5P#b7`8+pF2|~eZ3rVaJ zv1nR5cq(aFK_7<{>Ra&nTf|!u2|v{i=4+s~PU`>ayD-bFLB>5;00N-ps2b2GW=nWM zE^^YjtUD7s`Q_*3`QwmlNCKNZ`e!(E;L*$HEj0W6!>Bshxp7wqR*PYK*pBo#EUY=o zG$+gSbTCH%$TV9?#M=YTmaQ8!)H^5nWkLB`@Ot|8>ymS%PexWmAQS)Cy>&m~OI)kVvOG-1 zsP%_3ck8XvU1~7{Mbmt_Vth|D3*wDPwN5C|lH2{iR7T|kj44+Fas%#A9mGloOHgtT zSat561Q=UAS6k;F2oV5<-8Re%|>rwciM|4*i*9Tzl!EbfD({kWZ z=is~p)T|FfeE#&cs2+od$(go4P`e;dmZ-?HBA#*L z5Y>je1)3+u>-EyXbHsCY4**|-fxnS6WeXB`%?B_0ocG0m^7VpAx2H60In-BLR`kF; 
z@a3>CKbEsa*Jg)gWz(I21SKHL#K9vt3Du{dP49+txY7w+cTFzu&Ncsfi{JI*na#L< z$yh0y?x6h@UF^w)L1Vp>0v$pEpDk*?5SuD@1)m39dZ=X~CZUmTeDB$*SCgi3(mM14 zvB{#-*xd77qzulWeF@mN-4G;f@3_~cvtg~eAP3rb6F*N#lr{0`eoYBhc6SZ|oX49} zmqo)f8>d|yjr)!L?J*8976gN91!QZ+KqE|810F>S_XF6mLtMBMgG&>qpL#n-kNo}I zL_YCzNp#)3C*uxoE5bxAp|CP|f%04HZB(xlePZ8^OkR)hMK?GDams&1;J1EzFej!& z+mtT0!J2`ovL=xH zvs5E^{k9+W(JAu|KkZ@9ZD(1h4qew!>qms9_2U+PvZbU6@x1eb0nF`lZF0{HWlNav zt@0&Cvw341-O0c0IQq3aPxkA>HyeIc6IubrZBxLx5rQ|SUgGd@w4j)&?NtflPE~kR zrPWn`_p7Bl^-PgsZ{1^+lZ%}IpCNy*))+0+OdN&?Yms&Vw0E;4;KQcxd6sT@hb}Jp zRW7Um?M1CYa2+G?yr6AIBAYI#uY7=Sy$6?}*X~uv%RI$k5@M`L{3ka-2}Y@0j8Wyz zUIGIR>PfxCM@LSqYN-pAPAy^^J?D3FF@uecgCsXdyiWl7E8f%%ztL4UV?KP{Xv2W5 zp;3F|IK62O{(eU&;&b$6gKN5)frvG!?4QHNGUJTl)t>HxF{Ne|S3%ZW^V6@$$taH$ zPXuHYK$;jUU+6oef#FHLrweLru$6rZYPfps**lUGeRfo(w;n65V{tj409136+!>}} zQw-bhF~4sAwU9N-)6F~bTdfraJ;%31x^z%sK=IeXBI)rp;C(Ro7t4Rnf*8XHp?j^ zB~BVL%w{soo~({uJxHMl0hYSCc}LqqJ4{jTtr1uizbuYBu|prXWYXXKD2_| zx3rd6$K8K`E*|$zBLi`=0cp?```hUSZa#{b)TuORpBTfm-`+Puh4}mS?hAgAv-LYe z3HU%%`=ZBmQPyurx*>lu%mtB?91CeDYnqmb@QE%UuK_4!-a!+mhXdF&24c?JReqjp zuZ@i45RxmGIR$yA6X=Gp_R8Kqs|^alO`H68Eo*M46f~-T9NxqTW3|X}Vd}L;+W)pW zfQK$elMBVn2*bRdTBbk6t&#u*6$)~%W=&b1H>s{yAazCiWpp{E!abS_f$zqa3Hk?X zfh=*Kn8Y6~ZBa<1Z@CqrEB`OY@JMqfx*eM}qkGRqq*)$wD5(GbM1FQR$%mvkGYct>%tJ=qF999D zohKHXQN&{3UWEo1xX82wdk+$O>%Qu_It1DVfHi9Ym!W)uW{@?=L)S2!B)ndNTlqh4DYf7iW~tw^Ttkz( z5L>TWI6E~3V;7Gy&{>iDuICXxw1rC`(n&Ss@M2Fu?!~yO6DgkbNqQU@0|0fs=-0Kw z=3?$r5Lee>Oq}6Nc>s)r)0Zxu^YarF^TuVmU%rZ`8bChC1Pv|snuOTW9$a+mHq$wJ zlA@`kro#}@+Z)*~+lTs9UA1I2_sneEmWfjGqQ~bG(w^u-2VgQbKA<;osRdM?M~E?(g`~}35hW*zWX&daf`;TV>4}lDNe6Rk6;&+f z$4c2?eSkcmv_raMe9xJuRlE$Q2@_7vy~mPeHbX-Ua4lsNIG8HqrM)DwybkBk;xH8V zgYe+fispvz)Ws}e6J+BvSxHZz3RcX){`F5f7_>@wLhFO1$2)0 zkuO`7J$>a&fHeSM2IOY^4$(zyrcDVZ*e$)NKnzN~h~;OD2POGkvcq_48;qFVir01a z`;i6pbiHGGcu&>UdvjQ+y?PI;7+KB*%m-+ogbcn;^+W&i%~;r_lXqfFOj&!-?HrSC zK>e5-v#d)me%4rm9KD)O0iU3eXt-TGC>dSfTBtK|u!eO5CIsHA|Ee3~+APHAs8L+Q zGVf6rQHJk{zFXmG_OyZ}z#m+q4C=Ql*fT5W)m84}p5Lz69dXTFPr}!Rzi7W|5}-W} 
z)vR3GySqb$d{(%zB?uAE%M78e5L={?1|zLxcli3Ugvj}xqHhKjR^AmL#Bmow@x|5< z)P!^bl@RGr&EgQ8_{mEErq zd}t2%kw}PrYEjt)HMKnop*=tEp`Q-5$8uiebloNp@;cPuu~3vi~=xq~ulT9sF_b8mWKjv&QE*Va>_6 zDY@)I55J-DF*WRfTLfZ?n>P#r>P^SlF?uXn6q_nZ{L`5!SlfVtGBmmCw=-x)xi9KY z>D(YQAA0#V5X59CB2lAGzNLWo>d9i1%64tx=Yi{qGlaVS*wsm`{+j~uqgp1n-EOY+ zcXk&l6`wulp5a^{R=Cch9O>x6Qc$Q+xE?2F#B00Pz%oTJ8$E&t=laDR>dyTyy4w=C zj@U8##WI5Ralm{o@kmzUhLILC{0R$RVw-#Hq4|48mc342#?-IgH6FXFXd&Ct`UVC4 zviH0G0ZZ1UCrH#LFVP>6@(evQ#Zr3~VU33y-|^_`P+0(3qApHR{I$tVeMA;0?Bm6{ z-qRtu5p@0abK~32-NfB<(4qn!`@KF|G@$`Y6}0N|ZIk&2t8OH*4f%`CfAPET)|e(O zc6M6dZ6P2n`WuVCI|X|h@V~PdJArvR9d;XL_AXG$J?#E{YBOwhV_hr;A?a#d2(|UK z&gnl&AERrh95DZg-`WmFwmlTL{UC0NDAu$Sq5v=5e?HctqnuGzdZNYEVbOT=lEQ%m z?eU$Ub?o{JKneMHNQ#iHu#sNFQXH8YWO<~3SG_y&I0>$K0)WW1PB91waSth9YHCgF z9;J}TWadGnQ7tEQwZ*C>VXVt~Y(w`&!>M$8vPE)LPH#tHPYj-a8T~pM2aJx$7Ix8g zQPW^qy9VQ6N_@iYNX)(1v<24$z zFU9bi{39&NPAQ5o6*^O@6Q2?mc?1I;q*Loq<^=Y!%*|O^9)?~H!*o?aPa6ycl40%N771C{gJtj@BK?oRRX-7{* z*DY?+1N3ho#vf*+eVzBV|7x51LnUD=S zrs3SF;4T0Q5WZb*(M0VIfDmynf?K=+O$IrgK=`NSC@*%ekfw!N!ojRvp{57zx^ z*(`=qslLU4iOS(Ox{TGwr>gfVsHn0kVh$=a%aJa!s`R{4NAT8o{<`U(fqiL~fEq5l z{LzG)qvaW7MK-kb82c6U_ZuMn)4qS_B1ENh%~D`n==oHVh{2x>LGo;Fv%RkX^Po1_ zTfvw4IV{$dsA&Mbxnj4H@%Q~Sm*|F@(L7+3e-FZ{wQ)OzeB65P5nd#S#s~`YgCx80 zmpRoyb2yl-hr-~v^Zb$CX3asSEjy5^O(j;dr)vy@q)H^%{8j=3p~$|PhR*W#A_zZ2 zMwI!QBUxjhXj|G0zd}Uyc41wn9X%$&)wBDQ7}OEu(4=B8!-ucVOs&Ne{}T68v+7Jw ztnkcs4$D>@$jvXPf-4fRralGvB$;I^RSQZnXpu?Ek8lUvhw8d>oR|9swl849FOKA8 z`nx#quQ9(79T+25VaBs?>^>yrJea-h)-5jaj5j!ai0)Hwl1z~?EBtXrDYk(PU zjNrZMH2*IdkEo)Ecy<-n7%@y6!EQjyri9dHKLe~#!;ad6uRME{Wq9w`DiR%Da;eA? 
zRkCK@4^;T6fG&apkg z4U9adJ4cmLclq?{rG-6k4f6C4e$iMN7q(Qz;>kr-)%PqhZ9-qAjdFsFVHtT=2)+x> zX(gv_IU&?y1Kr1C&d$|{VsayY_3su$VjF(M&icP|B}0p_21LVY2k4JiRLyx<-HXFl zV_!G2=jD)eES&SU+p|iSl0NaE*w-r*b}!roa@0Utv8>De-{RyIe-{ zfV-jAWhRza?L5eGyQgWJ^Xe83QgtlozRQW+TY?Bo+k%{8SM)oC|L3Fc-W=6>z3_fE zJXKy8N>aX%``(n%hjn6A>m_Wl>xg*dbj2p`93b=UbY7nZ{G|BLZ}J-x{!UXKo!bCV zpdHUE2@NgMJXh-s1Us(CZ-HU``WgM84`wPjdAq+$cb5`IFEnE*u z?|`S*>@~vf%x1V4J)pF5tR}`LQ}7}5P!I1jm_cyxAN+Z8$xDU-<10*LAZgz6=?Gl} zL-TXLB5gEW8N~c`TD>U`AK|N4+h8Y?VV_oi%{*j?w;sK)uQ?$R{esHNSg9>vPSl4J zK0-0DU_~(@)$>;m*ytRwwFmMj(_^mnt!Z16Eus@#zaj)@BxtH21Q!}K-k8B4nZ^qA zJbwY&fmgKZU%~fwIs7IHcit?4o=V`ytQN^52CS8vQ+70JEAe1VV&nOGHZxzIZF?U- zHgTYEWcy=52j~&RO}2x6$KUBG^Wfsn#+&ZgT&9aLWR8cTWwxT!t>{Bx*;?W(n z@{ILq(uI!0#2xTL?ZLVMJ`)4^je%-I_7vy;RKL2pE#NT}?JF+yBon5pZi`Kn-g44{ zPa$%pf@9swP~fK^DhMrnbtJF!6_F9KC^NbrdKE(U?%Sh1A3p|}z7f+j_ou55EDINK z9MI^Q+`$EG?@t_CdazeltqZD%&=sFS59rf41@rlcE0S>5bfs&ZT&zI_x)wcKgqUE{4Qf9hdqtJW;gOg79 zp8UHpp&%i*_pY?k4fX6FOGLx%E#w=9R>?qA&K}J1U6$VvH^i~^N+i;t8ImxsRG8$B zesm7VNN%$b8vw%^`Fb1~XBOfCzvo*GrAgnA(N+1J*Ao&q{R4MX$my#2pbd2V%QXl7 zlr3*Afi6Y!a-CShwM1DU;EkBkB_5`$R6J%#U$K=lqDtfXhDhChB8pesYP05m2jl8N z2p1KPily*ywNY}AkL~lL{3d^5GXD5!1YBng^5oBMWv%zK=E(6zs&zRQO-CZT;zgYkZ4*8i2t$UhQG&ggij4<0q)V zL%g!1q!NXAaoj(9YNy!bn*tTSs*E}WSxh6ay|T&1__nx-ymmAx=7X-VPL5^DV-eI+ zw9<$028cyEesu($+T(la?_{rBWweCFj?%i4ajo|hLXJqq7m=C57obBvAaz9WWn;3u z(+SdSK&4b3AAP2?`h{%#Grf6*sfT!p5rkXDJdV^$W3>-?{jrnXm{J`x z)#%&tmN!izzU#Tm{-L7^Z>g zxnaH!eo5kp)^5x7;n*fQ(S7wdH^Ms`zrkJcPbEGGz=xS%f?f0%Fb+TK|6eY>*9>c)J2rTh zrM)UO^!;=&Iehp7v9)VVqYHS*R02?tQBgwG$>=ETI~29ARSJAEWB(j2?Ugp*s#=Lq zWKilwURsY-G^Atu*N!1qJ?ARbyqr>>4h38pNWEUUq;VN;ak3t+jBd*urev-Eea-dZg5m%(H%%TiHO2Ge2vYb z^v>cYua2`j-F|HUGOa4J0x%Gg8ffXy#}Pijgv%p?Sn>Rsl~<{~FSN%njq*vq|DOZ0 zucWelB2r!a|34No++#?8N9TY%>&10uNCt+&D1x0C+!XULroavNF^$fBUJ8S-a(h;v z8Xd`aGnGz+C-o**$XU%UNbY8mAX(oz@{Ppw6cT5yLc`Vp(E61*hjEvTdaM`am`CHm 
z+6M`Z+CFA(@H7;P-zY8&l)r`7CJq$Bq~h?e5|!M>DoqcN%r9$YFH9k5mC*Vikt28W~R)ZXa%&j1%DIArgKU=a^*bQ=0S%b(ei%g(us+J1?13ssgl5Hisi`4(I=|QQUPgORg|N-IoSO zkjFrZeX^(u!24&iA`!w(#)$WU~7c9k~&h>c3-dAiwdX=I2G#zN2ELL$g- z)Le$56Jk4fCF_b4)Ij8B>0d@8xCiKORg)8txh_Jdw$nA`d?j!&dkGkje_y5a3#%fF zOc5XFw%iyyp%$+OT5TU%u}Dt-6C#I0p*G^XHNj-da8V>MH<>q%#C`tB_LzcaS=sZEaJd;byp(=a zrJaIBA88Ho~EHu%2KH9~0 ziNf;djv@f40NIw^VO^ub8c(l2rHsCOl4D1s3+v$Qv`E6S7GaaUe(`xmLEw(sydtEy zI)a+ar@A@nRt4-5^K2J&0=^O49JG^EQL}4GJDnI;9>X~|04gT8#?=8t9C+?mffxnE zR=SmI>%|V{>n*?69J|?llInd^(KzBPE)OI9x)zScDR()Uj0J2+3&udoDwr4vyh5>+ z2rH^aLj)&ZMmwOWg2O8?csRI0^_%0X25RPcwvopKyTo)cuzH*? zFSXc-msmcB{D3?Sm{yRLS}CV|?9o!a1(rA0Brqvqmy(RtCZMV`P=ExTuLVg9?XQpv zwOhO#&7hl>qAowr75= zq@NO%Y5_vrP#|xjQs>=#K~`DRn>37p(HL&sa0TxlD|AGPcPz*yx1TYkHsPC}@h(>> zRm#i(taCzCF8uNsKuXfs2ZC-T)A5H!JC6ipaII7*DbWYUgtB2%xrMj>s)Ff&OfMR3 z+C_d9KpDvd)>l6Alv0b<_qhB}EbfUM*;E0t1^`*`n6O)*@8ix=Sgq|4Nc?xHr^8?3 zt;O=GDY`}ZEcqJvoBn>>Ro<*il0L*H1HfV=L2RH6DU=1!>w#oka_#ar_}{E>oPt78 z-3tE-gT!)#YhI|=m!14ArlA1}Vpc=WV0!rblb{R61zw-WX#}1B-qEXB5ipO#0Ty|) zP8FSBm`d?(*F6-1b8F-awFSFZD`@$Q?6Gn-+VA0+CIK*hfem!?*mNy~%Xve+2@E~~ z%x@ouQ}-xoWn#yn(!)Z5cZD`0-?31!Z12UyxI1{}AKbnxLzLTCbjL!r03_4=YE}b!Ge6=!`fh<4wbeYgJ z@Qfw~lXn$l#Jd!j*jGT-;ol17{EH!iN?oDu@{30Qc z3vP1H4?Y|ap2g#bx);INt?r`C+8|VA&Z)qG$2B3YoL0d~v+3)bRuN9c>pk5WNUnlb z{X0;8Tmkd}udjlttl5L}@j#;h9M6NJ=5Tz&|B35`?Wry>o6nvg-vLcvh)<3B54xOT zYYbE}9wW9uT)4PYsQ;Q!S7eKo?#!*^#8gpS+7_88A73@$F~JxVgDT#YaQmoH&ZqFe zy3CK^@0`i>c6Y;MA*@n|%>m>0M-Q=mGWH4njmE&N&uriclqNIf1o&nsp9C@r-j%Jf z=IaxZ1{Y$BeQkmtzmUE@wP)|a^lbsf7+Tlz&L+)7hSZG4lT=vJl`18Fy9=$Cu+lwB zOSg5MipokI$l;M55A)xl_gCvlPb4XCjQNA%WV8aIbFV4hF)4?bnYg(N5drr^4^z55 zR=IfaA*y%wPEA|&;+*Iy;4o_z@@elU-ju087_G{m=X7W*N)}OnNQTy3B>wN7TOz`D zpJT6aZkiV}E>0mxn#bujmQr5F24o8np63CPGy4nxt*1qR+M}!+jlBA|O;)l(_js-#0fr3(m z-esRnU}?e(jn@@`z+SWe*njLl_8nwo5c#RdU=Ty7H0IG!6V*j!KCSPr$pdqb|;uwIpn`Bob-+oZnh#|$BWcLEV=}oe; zkN^~Pg`!cc(OpBJAUpOS`;YxM?)GxjP$alHYN$5-amvtKPm*B4sG%awL6LfB$nkw5 
z>uaJov&$q3ShWE`@5{u7t0LrMp7L3{Oe9_k6Pp&RG_R}KV)ho{e<@wT7`>plXk2(T z$514=HOEjL`s2);Kh2)=Pp3(+c#ff>CU#H6{$u~K|J2q43fiW%Q9J_h9?0$!faecnXFaj|-v`)#?7tc0coxd82f(93*+uA{+?QJG2Y|OPHP&64)zR>- zk?tt~fxTw`vH#eA>_7G&`;YxMWlzLP0$V~eD_;t75YrkH09H^qAao}H0Pv{*odGJm z0;vE#Z8DWdq$46BB$ND@fDMUdZu}XSWXu=f6Z=HZ@B{P%_yd{;tk3WFe~=z7v!BdA zXZbtiE~wrR{U41_EC0at=l;+A=d*9qe!!or|EvDApRgYH|8+e;e=Yvo`$g|1|3mhx z-4FH;^!~sf(f_-8#(&`UNdBw;d)Nc`SN9)T&-;J3e+*yVzwG|j`&NJT)_U=8^8%`vv|-{1@&QoWAuxpY;X&llgb~ zU+lk++%37U_wV(-pkAi@*Zqh1Pu|b&-i=?x|7!Ic^B?NJ-#@v2JNs2)Px`mx zugIU}JSqPB{=fEP;0O6f^)LB<-oM6v*!?R1A^&gux8&co&(1%`|K9&E{;T94`DgX- z`2XI&&wJPZ|MxHZtN;JqSN1#q|NWz!Ie#T`itq0CSSq~oh>o=^XsRBbhH1+ryNV-M z7p*&2Y-F8LDqQ$5SacOr#aXuDCMwOh2{Be}xJin$ZNf}dn{EvKnH)ryyGAURW=cmPuA5L|v`C1HR{FTddM|ZIz7&g@+w0-<{4{pqV39I7i zCUN^10Jr$~N_}ne0y8(?L}Pa4Umf@$#w4y=B4joS`no{RA$wfJfO|IR48o~k`R|<; z&{-0iwV!xYS=O;_>HY*&P6!%KyJLpK;S#NvKm$SjAoN|>@$Po>MyqfF2UIhCBAV5E z>Yr|nIX{q~!Ys0eK-3-$WC_1W9Lzn`hd%ILu5W8ozb7aSq$Rkt?t3?051dpfsxCO! zkppsjx41G4yX4vbbh`G+Sg84Tl~2Fm_TyZBzn2tQK(cEv=TN-$(Yfa~2J?=Zp4~4L z7D&n6*ah9-zv~vZoUTvDctpaP=9QHz3)r%*7mIg?6-R%3h7v<0Fuu*xSQd0v2Eaos zCoMv+oZT}DnbFx~TkVvaBF*x%>IdQK5rS#aw2bOz5h}%W$t+B+UDxR|=EvaAQd*HG_YA!e zyJf+pYhAKP$ZPUc&QjM@bV7MY*hELAG_YD*-#20&2Ocxovof0TDUqzzRm8lC|+m zG#>LY^G|%}*G1dXIiH@*iT#f~;jyKt1$!ppwa~qNQ}gC-rnX~4=&$XvZ`wSm8hW$FsWt|;5 z!VG!nd~4}9n(Gb9ou&Mh%W}|LG4aUV%ThL)^nCaP%WK=Y#w4y=nmbiP%d-}~EW2cp zoljm2tQ75FzySXBD8M?UU5ul$H0}9cP#}qnELjHHhgCkXHJtZPx^lEaP6jg2eenT& zAi&Z#j5S_xnYG|3^(9gPk{?0lxU1eb-qSE-pvNn!&fgh{ql@o<#~xn3s@E1ay*<~+ z!TnD(%j@mM#gGk}?FdzWqWukx7%8DtMGjc|;x@h#I%Xvyb949p_eK;V+5(;Hn(Qc@IZI`O zN*RV~uYdpm09VVUgzz!fp*q!9>hq?Vxf&5*z}9BVCPm$O?Rs^+%WrvCTN^1c)?SPoEXIIs`qR>MeQvlqovGKRd_|G zRhnoen3Wwjowl^hg2jh_TiYAdpo*>KrFX!g%xtx}2-uRT|9x`0UyFl>7*)|Nr=&l< zBpl}Ma!I7pxP`HNR^TiH$^>C&MP0STOcGU0>(MNL1#eip7FB`7S={KOZ;@zM2`efN zRpU8U9|mEbA%1mP6@ZN?C!6~4aAQQix7hWpL!LkI6}s{}`Y&P%=gINiGfFKNUX*R> z%wA6-SF=e@6)DldZ(BmOG{?soz7w@2E`M76sZ8{iNgxdaQfAS6@t7+4nHMnWD+-O) 
zaCMMyD&sR-dTBd0=6j$7`GzB*?pFWR1ADQMhDiMTkCL z2c`N@Ld}o>UsZZozLM-YzsZAyI`>i{Eq+Pp4q@Au*?Q?Qhcj0$^X;@n`HE%`}-=PWg z#ntPq^F7l~(_}k6zAg0s1EMXZE5d-{?o2Ck zHC4u|JcCB-VU9hU0nqym9-*TghlrMStm2fog2YSSneeA?fS0WVmJZ#2)T=O=sT~c} z!9H?Pv?+34gp$^&PlnEUOkCc4t8+u6|0Nj0+LuZs}wf ztf5?lt#KsG&^d!3uM6(;o@Qdzo&ywL@w`KdSK{gH+v37fjyEhPVOd4`+q;gAXb6}K z51U+{*8-`FO1f0(C%kHRc&0J8mLsR`k+ZVV+7KlHYVPVJAY0!$CaPHLXqQ!r#v<@u z7jhz6`Q?)fB@l5R`w-9jy$HX7rX6& zZ)WYYlz`c7M#$2_7gE5gPyz*Op0LXHtB_?N7*`vO@4i86sGO4Cv^2}>jz$)NfrpGR zw0yR6_}*+kTO}6}NZD?O?jf@JtorJtImkpm5A~S}r#km{=JLB^={q=0f`#MbI|K!4 z`AsWXb6g?i;*< zh$JS1g%z_S&#|#ismG1F)`131tM;Dgg<2PS8OlBYw1%SCFZOV+eJ}3XDP3?g1yx7FbhruvFW<3T)zH z03s#`keQDe5yRC!pt+x`7xvs%(-~X?Fj59Rbfvtv@Rmq?$rDskQVblFRLfTpe_<7P zLFF~ItVP($moO&6a|4Hb|6#VCWZsOc!3opSm=ZeI0qJ_Y<%^zJBRVJ0Fe8hpS&?)I z5jYu&xZF7vXo-ShvtAT=!&S)QNxIp!%NAI+BFLA}ee19_r=naE9|OangnuZC`TW~z z0ezSxwNF^LBe_pRscN7~)`7Oe?_Ve7he&SoR?rRIpA{E*9P7Fx!4&?m-%G!vLUWUl-@S&Ea6Eg1V4tb!fx?bojM+bBX=~Qt>_w_l( zW~F2`O*L6^;q{hBa+)anECMQg$p@fZ|4hPq|2zxhqCOY*wj8@9s@t2~01&Z1rC-lL zqm~+OdLQ2ieUdeJ*c_!lX6H%RP0l4Xv2~#4!%to107Y_<_4fG9A&Br!1%-K-z$G|N z1DZS-36(yq1(e=D7voBaJ+y03jn_ra3ugqFaNGrgBy|^Us9$}yb$FFOgk?r3_8%gH zuV~S|msYMASEe(VLQ5#7zwdr(q%IYlZub$yhX2hnP&#vHA_Qr<6#KKQ7+SqhOCfwx zzr6Nl05_@_mL+ko2c3HJHi3}Drqb{+1a214#?oEh4{eGzvFhm*&>=0v?~AKAbVw3d z4lZ=8j0zm*EN^-rO^3_EMHt*#^c8^F98z)3M-tomH$P~t8+_RjFK^*)E@^3^U%nf095pEy^q{ec;jNe3zn;`Maba{!{)8wO@rj) zs)8b2H+k(nXHescwr36ir;g$!jRvhyFyq?@?{7-0jQkq$nF6q7>(#g?C3~BG?h5?ik6GZk!(}_8uvHf>MnBjyF}H;W-XWFX zDaefwWj{A?=vK}Vl`6h$TjoA5gS3Qyuaa;Ro4@%@XVei&ahx5ZxjpxXbqmZ4bGdHWz6wH$Bbydt~HOI9nN+zneGlF z(0nSCfUdNwj9alm$wp%5mEF0)7S{(p4Lvh{ggmwmbwOb$JMfN@No@^hGTAp7b64Sq zAM+NoR8X96#O$L?x#e7$7j~oql!UX?QfLwqIGmNFYbsd%B6rkjF#6dXHo=^d z;~KvQUlV7~zZ#%}6(02`U-luUPgqi72cck)ARYt$yP(-!d2H@4U2DqYhDmdF1p^46 z)bLZH3YP%titI>}j`&HwJKoU|zI9{|c&4E^dD8g*j}PR?j)7Wn4nDY&@s=MY$j#-S z%;V6~svIMfBZ1w2JMJX54Zz0K^GFenksF($(!qX+v#QPbuJQ>0K$!C8-LvC{6wH86 z_B=kp28(Q!1x#m1I~ei=z2W0QN7Li=cUvnVaZhxLa8QsDjz2r-pQ3sJ)mWpcjZKwq 
z;fA1%mJn;Nm_dCSSEF7_e5zM+F$DYp_eCba~=?Zzl^)SXrH4!wD^ z%5`Zuzd>xZdBGB{*2*uLkq!+ttebmt}1)n?xChI z-dFIdR{2+2eyYI5a(N_+gcu$oHoNszwwme|<42%ly}m9VZ2WNi%>-)q9mJc!T08a{ zoOkz&Shnru!bVOxts|kGd?Aqb88U><_O2=n1uJ~w?HrOz2NOZ*UX^cORklm_U>aE# zR_JwkYS5%>6Zh^APF6P^s-1}PpEhl&iFnH}@FZ8bw-{<(F)Bp)%aMf17pl?s%*U{uj9#Yy2fIbFt=TnsSeGY0r)RSWL&;w0ZPgGZCzfZR-Ey>kMDa~Go-0*t$YjZPG&}L-p860DcvB|w>)}<6phMZM`3{{Gjcl@Sv@v1FTfy*@xFX~X;TOoeJ3k|qxZ6i59 z$!!iZy|r7Qc0)vC<X<@+`2>gHNXF`0AqN7z)3g&_3#TL*xd z>^mT4t7e^fUWE>abPgj@T!3-w@-&4MjnMnLhHQvBn zq##emc1ZGXJG)-aVZmkK?(RLMm`ArTpv9vc&^`K7j+vXkS=M^rnW|{`K@%;Quy!?O za{LW&4XHze!c>dHE4A^)?6#@V$Rq}4!&B9 zA6VA%a)>ST4YQP65ZmdQ3-)Df!Z|fwBS!k+FXcz~LuijYJ~AVRrMVoqCqdN~c|VZG zlk`Qa4e&|rJgeNrJ3eRnNV|=L;y#7WZaYPQ*gSI<=?+}D>|A&Mw?0Jw4pz+BwN}K7 zn4BZ_;0T5<;~{ctC+hto44I^jE|G=_Q6#Ju$;4D{WGtvA-qpD_)7~ z*Vlkh8ZKZNe+FDpp=sv9wl1`cL4b&~4fkj-*fJ_~s@cn@(GJ006!H>IdIFI!X~EYq1#p!e8$q&!3&qOARPH93w%H+qW-mxO)FxnuRbW7tUq_$aUOS)NTAqWn81fc@O9e(3w zq@>%UgvJ?*rjd6Mo*CnHVFBQ7(uFLD;cqtlxQsB)#CXAs1J3#l>eE-Jg zGSNNRl)LczW{9QMUmkGBlRL6rk#t$%96j3S+(@AuB>;I^pLqce7OFOw%ZsismE3p# z{Yn4-M-~6nkPI{Xc>VcKRw6Ehb#JBg)i}VO*uLOP{H?F~d`~rg0tC$*V%((#%zX|W zD(@EtbA1pxcn_x?(ZT9L498e zC^|(D+Gme`c-2Fey}juZg$v{ZwLJ_+;L~$0h1J0Jr^Ed*<0tais+FqDAN|fWld7RH zkw$n&4O|kH+ch6d3QDaNSkTJA_IhdKpBfEQm%m?CG0kNOQipP!`$TS<$?h}ps{9^+ zEf0%1`}uQQ{dxlFFj<#UV&uB@+;Spf+ZXb{o;nY^=c+?RtYkET#g zt^ylL>~Io(B`NY`QK;9Y7rbD8fL^O=f;P{#7e@ukPjm<&3+e}B=lS#skI@Qo+4B7p zPj~zFYEaqRoZl8D``XrD3!)&d0@to~n@iFXV;E+|b2(ifvEyCE`Muj}k((&iR6ae< zs|I{5ZVl!>ldk??e1^@pC$1gHo#(rx>MbSn>;ZYzvi%OFTSlt#fZ0UJL|HeI=emat*x}NB#qV;%*+o zJ8fA2vs1yL`rra?&&F03}gRR}2 zZ^La0+SHtL-6pzZ-b#ba0!pzn6rw)5#blHmYvNNv)mBJ1T}VM>fgl1mSq)F#MOEeB z&w{c_n_nJM;M`Fa7I+{qV04_5fPSVmM7FP%i%1Knf%dCrLtUrdwV&VhUjQ|bhsXVdV zF6-_2eJojsMF0zA>IJ!m9_F3@0XO#n_me&h_uCIuRKldimH;*>BIj(o1|%D}{#-0? 
z-1}cGIj+?W4P-9&bfmjwe8cT%L_)h;9#9CKI{$x-1gM3ZVO-Y& zkPQ??FfwTCJ&Q-(az;c}j*i9}l9P`4Nf(gAV)$(A&%#JyKeV23?R+x9V#hU_I-TY+ ze$+u$j;Gl41{%3l%LS{VgMV2rtBM^CsenP|jwmJtr86Oe+ZYNT&?G_jGqX@xYj;`i zhTVx%0M7wvIz|g^DEbp(r;2f4s7N>C$ExOdFZ7`qIT{FYY3+xONOay|pi8p)6iSu_ z6Q~82`Z|kD9URr?b--I$A|;0z|df%>nc z8~7QM`Jj#PnkMh%9*DS4hD>|mP$)3BbbW5>xzg#~oz5*d3wscU7J{31w-Qr_+#6#4 zMwoF+4zTutx(HgG|D!Y;ek4aQp_zjl4x&;uk2*mH;U$n9g^Vq#N ziE_l%HpRy&Kx()^iJM|y;(1_y;*JKw@LbH;LXw+T>T~>s0>vX&!ZW@4GxRArpC=!ZCCdD8ND@ zw4t~}pO6Aa(nUKcev6caJ`9%}%9F&%oD?tt(MqhIpj?A3o0NsknPzqvW_=PnSf|>w zn|=qV^p)GTwi;Fz#L8$qUZHrxsHR-7&NM;P5vG39dA2U2`L)T>Zqi0vC`bF^=~E#+ z(YUQvxBWLHb$J87c>JU+n4V#si{bOD6`h!)`C;s){eXdy6=!3)`A79gg^5z)m`Jm z;YI_1A<*<8ov7zPwJth})#c1UDKjHVBtVl#U(anB4y`Yi6rG7tH5Ql^2qVE(UMr?$ z4YA00uGG$~1eN31X7oyrBO02t%0lbbeY}?XE&o=G2zGk@kfiX!IuW{N7=M&mtUX`k z9O61xsycTNe}CfNHC@T^|N1}w{Vn(ZN@ZatAy-+%ufFkx5?-nypwC0a$Op%nn8Myh zMBh?OghYT5fi5OqMQS zA&C;N4N#keOvN5pN`HJWCZ|99_=g#PW6MEd}N(BgUIsh_vrBx@95Yz!Ye8Yzy?HaUi+-4|m zOV9>Tm7g4+*rA}=mD4Ip{5j#eVuapf1oD<((e7rdq-)#ywwjczUhwEc zsVu+q1@p{`5I+Fj^_?|kSP@_(L53z|P1U?+x{@aKh9O0%Mw~5S)B&D50nPoOq^e7X zd@4x%)_=8{vyl}e8I0c-=BSu;?ml%kEHItfy_8R*S9jJ*z_#QqE1VkDtH3#gr%$e% zie(7SQSx7l65$yNP6Hibti=6(H_DXP17=8lV!uXr-_0DD;u+u0`mOGG)^h6+#_PCM52tbSF&JF8=_>n*^v8roPxJec4>evw3^ zh-Cd7_FOU|!yxsakQce+yE)B9u>eSvAIPX%h_zlH33)$}R_uN>jA&LRpW}>k^{eUh3h8eNhkv(<+KaiT`xpi&D{uK-fNAjj6ds=+52kaf zuhP&jR_@#Yd~(GHEB@92EIA;ELqIQkCY|k6vLA%7@ojgo;BFBudk^QoNC6}qjvz}E zPY@Y)f!ztUBDN43J+9$B%6{xpT*TeH@92E$UO2X1eua2;0eu)^x{oM_p@lA!84w?Z zGG|K{0U&wI%=V1fYbZ#jv~0ftmw`0l0!}mv*9)wzpRzDmNob-u5 zU2SHOp;w_RCvD&lTKj?SGs+H?s4I@vQ8}>l8epyN^A{eI;&hQ>z`7LFoi&H!%F!T* zMj1}DbJ_}zCgL+|%{Z?bE`tDd?rM3YWE_99h)|bx>K3TjIl(et<9O=6_Y>%D2_VrZ zBHj?_lMy}n+rIY%Kxy}ivYK|_r3|DYa(?9*U!?t(H)NM6mlQw6W8tS|&WC1(=6bT3 z5{s@kra1Y!TR*C4L=?7pf$bZn;4{@DD@G#piwavp;M{RDIL#{i{nuNpxy9PjC~01H z;4<1`Iw04}rUM#=Fe$sbW}*2f_Fv*4Z8U+CV-CWM01w!CFkWE!KXDv&D3p%SQ2kQQ zcaFSjXVH&5LKz?p>(yroxZnzaDEdNo^5&~3yO}Yhg>>rJ`Ju~Y%~#VbCT+abx6|-y 
zvRu!9p%t0_a;Qa$9bN8slueqAElJSi1!T|65y1JOSip>+a$k-Kz9nW=BLEs$Gr;I- zPHuOdirz?t;h8JD7QVBU^fzzSkQNNw!t}%r{7I4(p z6qX6c)7Ko|h5&S-<~LrbCw=ewy<%^EDdX7R7~D!!HHoAa3m*r{I0+#-Xhn+fg=InX z-hOl}J3_V)hD98PuNH5RbJH{taCn7Yvu2V{^JzIja~q>KWRFpY3GgrW#uc9N-V0zd zJ_GgTmPvz_uvZ1If{G!096vp64^i;;Y<2!{l4H*T`t44yyxF&Mmvbk&#W;l_7}mp@ zQTjGXTqVDrPyjE5fP%$g!q|5lf2Q4Pa3gws3p`=1&Md1<3>qRQqug{3wa{r&Vf$l= zhNGzL4>bsE(?X7hMAXJ!UytQ&(zXU);XJGd-ODQkx*ylO!NJwNCX4jvaeqLSI2Ly7 zz06$HpEFq;gNxSbX_2rbWzF|v#ayJoxo49T@D2)NWD%NAas#hZp#PY=`NI(tZ(>$a z{c}J8j~eZfVU_N7-|R~t{rPRn#Ea-)MzSz7IxbjsPmhmt!-Eh4imm@aF5ZLiJ9)gchDT&7LxJ*oeCiJudjbk{d{d8}bNP}${ni1gh+DGKiT-!*{P9}L6= IzyJUM00#e?8~^|S 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp deleted file mode 100644 index 12e12b91527de22ee2a2bb3cb3cf36d18deb9a5f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 23716 zcmV(|K+(TaNk>TmS%9MM6+kP&govTmS&D>j0erDjEUz0X}Uoltv^YA|WettYCl* ziDPd3Y#3?7zO8HJBxWDmm+$Mm!~D8F26B32`Og%u9q`xa5B@Kx2l`)5U-Q3UJ;8aF z^Oyg*>c{)nOW*vj|Nry81AnIf)Bpefli(xx|MYMF|Mk7@Kl^(m|C;oq^Z@_q?PL4{ z|Ib^$LO-Z~TK$Foec{LT@9Y1wpV~bi{Ac9i}Qc`f5;c)Kga*O|7iW={_*gU?VsrX)Bm6S zgYh=XzqJ31|2z1r@&)T($bZFuSpOye$NNXNkDUK>{=fT`{xkpo|No%>82+#Rhx~u! z-`EH7Z|7g@Kga$?{3-rx!58O$E9bK4oFI#*7clS(PPS=o(WpY!bgM*qhErldDJbYzS+Y!MEnL~HcU8Qw08lT)ij2STGH2F~0-XLg!Q4NjMnGQ=kH)zk#yIHEh5 z4n-xfFX2#rd^d1od^~Rz(NaRs?z4@|?p08m)|3F~+W>|RCY!c6cZCgu5$L>ct+0(FpGp&l1ZIo_<&CbgxvvWmkPz<)Es!ys%JAE2@U=gG8q#UGN5R#_H5i>Zp7qj%>(`Kh-2< zAV`~m&amBH&`pZk?;j%=o36?rxJ_dQ*2kTXYCyj_` zf;!tOU&!VYW-%4urT5)O2XHd_VWG|jE+Feg0I5q~f;pQDK~^7;8zlev18B_*>R~+} zXBIL$jT^ti^>rhspYKQ5aN?Qf^k!ytb&L6vg#lpdW0c2o?G6LkgtK(XzIpLxpoo>@ z{xV{W<5Hw5;p^%)v?xc)AVr#04$$r>$E{Syzj4IEQ-I!J!pYt?9{zgi%w@znQO1Qep)$uQ@ygGWD*6{*h#WGCEuWo=P zC^J^SSPp$Tca7V>cxS)3`?$rpX5FUUR{tp>+SRKw0sn4V|_NAI`A=tQEk?<7n&|_ZJYn zWrscTv9tT|__1AKB2T(xfmvlI^XEoo{a;WXba~>!8l9Nh)?oUy=J>r}7ZKr%3Tjy} z@BUgxdu6gbd=Icuy2Z7$edg>(aP%@?ctAS2t`6~vN~QE2hh@}J!4dGz4$sTf8c8Uc1_dYri!n7I6Z8~m5p35N^rpf8{9igiy%`*F-W z!0dU+@hzaZ`H|<-LbFTwD>l_hc!b6+<#$}2joKO){ZHG4sJN+PY`YW=Dr=zsJ^;lw z7z|P^?IWG9_zHa^(xG-FHRu>ilFh{2F^Py*K_{9aCDfMy$tI98I{m{Oj zoJ~$Om6YgIne&`Uq#9x&-fyc!*^Kf$L*N_#C6MRE(V%6;gp)ALWHL z2l>b5E`)&h`7fKWi&TFcBs`+%rQG7E{B;QZ5<%T3N#4UI0p|0tX&cFy!utrOM-FyF zXSK5Z=XbsaT(?{uJDL(rd{8*R(z`}ypk4W1Iam}LFSv8K+pL>Ejdh!%*=-BooT&On z@aMCr0*zp9{3?M!kFGFUt(G;W5gs4rpUeY8wv1?w9_NTL+)LpFseD5JLL!nIFo4rs 
z7$BcNoDGYU(RLPM^Ig*?-lG&j78);x{v20pHSBdp!x`}{nS_!|7uqZ&fyRPnoi%!d zl7Afwe!pCcrH(Q7k5MfLs3Aa0G4@R~cAAOj=&!R=D}ev=Z(X*Rp&*Hc?{A50^1^70 z8YkeT0=+^}Yn*yF5CG^%FGpvTIx-t8zFeyJ2hac-pN3S|V8_&H8;Ac#Upk6mK~khY zdWZb(dpn_LrhF5?+TJ4tC&?BW(81CTfWd@k@7$uw7vJ{k}=^4}B1o(f9o=ABaxra=T>L^x{01|%EdY$>PRaF zAt;9#+ryFX(v7K|B_4LzGgtsFzK`JyfF_g*zTDSPE?#BvW_dzLZ2TInibOnJDZKOOEt;{ST=qZPfcH zeK*Y{bfiA^jz*`zoU!@tln24+&<{6){gYitXBXLBEJS(bQ%$sofmwuL3vNT>$XB8K z&48>jt(wW+(W;?+JELRYARbeht}*Kf-2cyT`YAEy;<)hM!!zSKh*EhhwH<-H5%``m z-5x+gou=D(&gCi+b{5N;(jj;q`x>1h+dOFDoj5zmiIgsqP7}lNNhn~Xs6TCZ7p`L2 zGs;XV0Jvs$TKy`8>IyQhK}-6;!l`h4!r`Ng(sI{(wz{RC2AOOJV^Wqk`%N6I+pDUEE0?3(xu~cjsF@WGMmd6z9) zy?gM`VlbvbE~gH2zh6!_+IL^-0 zqW5`COHv{|kvUd#8==l{P^G))D1%!|`wBcs&TH6{iwIHVOq0}@DL~=uKHTKN#yPAj zMQ%@~SzrJSK%tK0rwNw|MS%}E$uF$pgo1(Tgq9UcrRVXH`6sQ>mvS@Wwp43@h;rUk zQ38CDO&2@PJs)Vp7CO?lR-W=(+;D}Eh5PSloG2rVyIOy$)Adm*82)woFvyoiB%Ni0UE?yG-?(av0; z?U9uy;pTVlb-V47b>SZ1Lblm$cjYNrQ|S0Z7QZh{6Rq4#7QsAOA_d_(7Bz81Ii7V& z3w0?-g^y!xwm0|wEah!2duW?CF6g!dEg#;f=D0hMF$64KgU3V)URV#^^iP4Qt4>=2iEr&cBGZ#P(#CrA?5IbGqx<;1uP!`?&%AyV*AQI{IZIJHr@C z6=j-jF<>$r&<8+jZLX-UBX_t;7Gv1$Au-(7Q zf?|wHdwxNX9`|HrfZd{vYJYlc_uA5fRy{?Em^r26 z(LEw}j-@1=^1CN24|iZVwpdRH*j%l}rTym>K9cUE$$fy@Yz>}}umxb>`CK@>%Q%OU z9x+3+Ar!717 zi!R38wUSkG;)Wg2^IOpo7-tCVR_b6QMJ?hX-4hapJTqfGYy2_T9C+TE5WHIgQsI&fVX-;4bTaOMopWNvhf=>oOaH(9wassPm&cB2o=>*ky+`Sxq@Q#bku^}+Wpz;o#uh_ zIV@={GKaS@CC1vqS+EvMiyd(tSB+>6d}#aFifwc8F;}51BTMaXfaSZzhLOo?+slI!m)k-BQ9FFhd@>8<<=^kE3LuCy{p!i>*i_A--;G@eydx246Ke9O&peV z+8tk8avfei00LJ9Izzp{%SYln-k`FF3zatASd!E=&m1Nm2<~dMyb~j=@g{K{V~Vz@8#9#>~_V2{x>Qg6yX!yI}x)E6T%3FBX~`VMCI8 zJMh91d1G`p7Ee~sp4`{HgofG2!3RY5H!Jqjj)^?u5DVl0p--4SyMSSeq+IrSA5?;R z>CNT~^M4GVcn3@7xGp1+p{|)yOtsiTF1O7i{t51n!%{#{ESG+7f^Susv+K3^qxk3L zjZj$m_eNE66ZV{uL`oYlkTG@wOq!z6?KxwvqIW}0BrjXilMg;N0XOb6 z;OA8?sc9Nm#=JwthJ(iE0>%zDH=xdQ1}h;&m3_)KQ$ajWYqPj=Nl~oqt1EBmjJQAr zW=m#r?fGf=N)M{^pq6)#Xlog9MU><=ychaIRCbR~_wmdG*@~r?^P(^+ieYa=I~?P} z4HOq(&6mQ}fE&9KZq6>&33#Az-X5x^owx9`3bsvMf?)CqtO-s?wpp+KzsSXnr52 
zFnm5O^_Wddm(%W=(A86;E&);uL2@D*&MSeYIJDoC) zx~-+FqI|$ux85|$b8-p^m<)ss7W2^TA+k-NR})3SR#)bd*g?XXvb<6fWzD*Yt`AzJ zQC7kq_e7yf>P|&n0?3UlX>a;Q@bGx{oV(7AHYqIJWUefNtz;rvd&?vvwQ?dgQ#KLfE<9rG<^lcAIB3D3Z2Ne8jEU7C-`pKCK!@O8Q z_(wLCfc!U{?*ucg)XKajHK{618EOz%ds^#}W*NL)JX>3UG|$$FZfmp?ac|99q9C3U z=X@nBLNEo-Y$ZCSodg>yhzhvx)!!wZbB3-i_c-OE;Yfr+hbgOEhN)(djdDQf?Rp&M z|G(OYJKt#R#6%=iRVEnSzswQ_;(wbHQsTy5LuaecIi#!09!oogS8ruPTuSTKVhO{2 zTQNodw%gD402Y~@*E=+oY$Ckp043C2iR4)MA#KSGaH#;dBXO>F)5PJk1q~GvS=V$x zp1^S$tWH7Mvidr8;fPSh)wr!%gdeEM6jXC%tBM0&c?ZC=bb|Z>ZHP0-9^CBWs;~&n zs}v*s`R>93Q&!VEq1QV^T=V8ks6~m zd!H_>+&8~Q5D}|tUX-OqMDwzZD9;xCkTx(607V$bx`Z|KIoMs#jGx5y%BfpT(f~Di zbiBL61o;FOfyIcA;*Xes-z&IOWDflpp+%035`1(}^svzHax+z9rFrb70Sd#dszS%B zL~Fl3lKoKKwct=mxZy9#foZfKlOtX^G@Lk+a2OMt013ro*;s-*+vGCoVq5*@`_yXi z-G78+gBQT1+x|4F&%(nf+n+IX+-!&yAHNo-_zkmcsO?jogemEk{+G*W(U|rx!r%Aueqow!J4hh~i!zHIc zemHsvCx#w;1j@;MxtkG0EmMTav8y5*`$e(|ng&2dY3eogMM`6A0D2lcgatL7y1+jT z&BuXvz4_6ZzY`W5$vw=^Zs-vM2MvsKrhgUXq8hH6;@_`taguc2mVWCxo7u`JQ(xSnIre6&p5d&5P*b@1S;z-bxE3$XD21t17wb+X%u(P*(ZR6v3(g{9~bp(mPy zwXG4pz}Yd+l(T^O=ASJq?i~47s9Bf&8?_T1o4i*V*j$dptG)3btDyo5R^lV?cvDx)t3A$bl*@8 z){mFPqnrU{zq2Eb8CF{SehpT|A|An{QZ<*`p}qCaL(~?NtS%fMkSE%WKmzI7qv2E@ z`}yJ*TSH{T#@|N|fx{GR^a6i?Y=P6n=KOZJguB8+cDRJQ9mIMnS0l8OiM~F>9m4O* z=Df(`Vmw=3HvSc&+3`ZMmu4^nixW#eQ)1O274$sryB{X+53W^Rd)Cb2=QPu5mLI?h z8i_OGa+&;GWLZi8eH3EAXrB|evcy6B27@B^=vW|cs*XSRfU|Dh|o zBpvYwCVYXeYCuH(L(l0jY98-`gmT;0xy=MIC*jz&_W$U8v}IWu`!Sn!WJ77XsHvTn z{D6=pD=1|wWQ@W8d{94G)$5-xG##t-Q_~ot-AvB?N#wR*hU?ojX!ONibFfZbP8{cc z&4mSq+S$nAk`1;^70iwolKI?|$lml97$Ou3L=Xti=o0?ku+hOx7<=k01(1c@{Qgmb zCTACtpx^>Da;)(}$a4?OwB)#Da8aOjwlG{QheK9gqwG04?6`EaUHP`@a_1dcaej?D zV7|)QKF=2u%V@+zBqBG9q?~d1MvX{ogEcgB^ghTB&05{ld{{ukV-;xOD6Tr?DuF*( zDb|4SgTl~}Qox7}$ownBBr_Z?32k?_~xbZ8_E4H7@38T*=yp182e z%m&W6%0*>f#;jR;GBIkd#byu1ge4|89OOw;q~Te zVPL#FpBmj&hs@7}ytrk<1$h<~rdM5wIBZB)knaWZu?1SNr%)30fpuaZvI*THrTFd8 zX{;G(;Z~}`(e2pii5dKiqmkFecxf1`Br(mAyO=B3$PPB4_edXoZDyS 
zwv;Z;fd1i0X0g&5uB_&O15tIX0g~Ccr{LlTUtXl(fk6QYF!t{|?tv6<;=?h3DuE=R ziM)F;g}9neyqS+Iy=6E%o~v$*8onqiRyiwWY40Vy#|GEjO?PX=vCb9X>Uthr=Lt{! zkO%G^adg(T5Wze*5QIyW9dGv``ajqAYJfM(fv5eI94ycP6>m_BTUO=s7+6ydhW)W< z$#OPb0000QfNneG0fW40m5P9C8UxD?{s?#!vz|qe%Wm{{yu0L-4RX^@DpF!%bS;k!6@ygLUiVd-c3M}5l%?wcE zjSA4vOz6KT=rW3+?2CxD?&Yl%qiE~mX^UIRNL*_%%gkw4_qQk_v5g>x_8NXLz7z)&wM zPkdkY4BZ2~=yy_n|HEeMmYRf{!lJ0yzHJl3!OLNIjzeV5EIZI%(1`F zr3o}HsZSGE%QzM>gS2!G$5Ox>upG_x@`YYgvB6$%gj;>|H@si2;Z)-ikZaRvZ*b^qdGk8&H&{IrK^E2zPRX5ml012T6g_I4UVS_=YuQv|;*4;GlX2HhvKEw2KN zVq2(QcOogC0Zp;-maDe>fauPT&nLmWQ}&U+^WcOTm3;6=lMbc0k%*q*pw_g+9|&=- zsk3YdJe_*jJB7C#;-Ga(4)7HXl(#eX0~Rl&%}8({!4EdR#AJh~!jsSD4!9_{O@YmK zRCa&{(%$oCYxtopK0z-17P~<^Cy$PFzKI9aV`~frOlkWd$OG5oIYA!iSTk6IUeOFs z4xE5IQn3hOfBOjpUrV2YEqJ8b8ETRm!(P9LbOfF7VC9Cb;Ge*qrk+Ol{xJgqBZGR) z^UGbNI519?yqhc^oQ5j&(2CZ3dFYI$`;j}dszb@xcT)Y#4|0}|qbBdR6%UUv?^ENA zo$dMzn7U#XVV?EuY0tEgK1ky-8YhnVu6XLnV5X`drc^}m*j_XY;EluhpR7s4ae^e@&l;rmGIi2u7kg4V9j!yxmw=_=BJ}zODs}46fyPY}@I^lP=_Ex|~06aTxQg$S~4y6gL>k zL@!%Kb55`91I}$ieWbXv73h6Bp9wJz4StzyQcTA0Em4#e6CVmr)|Ys`8+6P6?jRc` zy-t{e&vq<)yrn=Q3RB*H$eO7evA&3FjhH^`x=6R}*gxsO)#?&ia&#Y{%I}bw;?9L+ z&m>kSFv>l08VE_)I5mNnPT=4Rn)KAN9h2YS6DmN)t~$fxa<>|xS=BrR%VN7g&>g%% zaG+_KvbrA%;7p_tc(0tB$odjMK8WC;g@d4fk9{0f*%3k>J&090$W3!Ns!~J{&zkTl zB4^vu@Oh~Ot#tg>@4aF+5nvhnUM-E^ZhT`k#rnzno9H==li+&d(1cng`USLT#qE>@ z_U@MEv;=cZJ@;f1Htp}PiOGk=ZtvMRaF_>NfPgk~AbVV0&QUtWru)KT{{2m5`{P$x zzOC1G&ARVylQE7eJ13|L?wovkd`<KnUzfcY25#ybo9g6>lr7vj`| z@Mu}0wG=!JP!o`Dqi}D133Z@wmY-^7&)Cjlh<+1*ly`hOIWbWBYbY4lqlc~SJB_B& zIM*1^TETjU@2xr8n`zSL3%{H{;FbNahHb4LLcKnpEv&BIK00i=8eNtT+ z7#w$J?Q}7OaW%*2vN4XZOSz+*!NO8S#Z@_&tfW_JPaLPoQ268?<*&`&J6!n{9QH)< z&3UdfAL#%2()W<-U^y@sn{M@Ttnl@u{t(`xl9SFCO-d{0w&yo2h{XqL?jYa4e#M7R zR9!{ViC00iE{E4rX!VVhi%U^9Rl@jh(H_S_$G0*^DW1Y)wU34t{0iV(){Slu_EuLR zlA7Ml5f-v(0<14U1o3fbEDN0(IJRvp)+V3&anAe=!YldgE-;doj$-6ZJ_bgRKD(R_ zX76*rlF3q6DBIz@si_m!*Q-^Lgu5rRA+0>*J^36F>a_yZHWC6@uV2VgM4J;3gzn*O zG~zr~Fu7sNUMf;9R&@B8uuP9a>GAcM72VxnMpA391tST 
zmaLR!Shs3qD}e1U=4UIpB*y@s?kXJC2U-@CC0ms&fU3$&F3xC~y0;#(ZS+Lp`M!u{ z8362<8N3U_fa>42#cG}lP9E)1)F6MD6DWLqI!=9mi>D2r*L~QB3u5H#b4F-k*yEW+ z&35E++Cg0vcm7ZLt(8L0zj(@+b;F6CUyGuts9%X|qRj;-W7_jUP<--%$1PG|ZLbW) z4QEIR(Ti9HEf-0dKF#!d)~|#ps9#zn{0HG?9Ef*=wZZ4$5@{#+r(~~L+-_(b@&F(l zFk}ZjaNX!95b98aZKxp+DEJ$?qX}k7` z-xXBow`|jU?;VbL;llVYTZc2V?7M`2;jd(tY~H^V{vYaVot}qrIk1YXQY8Gc(fB^h zaF_+>lEz{`$EIx`6~=8F6@$3pDT@oZv?ZrsWA()<^_K0E7?4#3bM+y&k)XaI%wajYfe23#UIa2 z^K6BVS<0#(^+5B_Yz)$~b1*=Hh6v=v=i@;WBFtRpN93=VVTwBNi8NJ}G(pSGi1HR) z7H_lo_zF0|BBAZn!e}0WvUnuC-4aa%=IDiErz}uGGgv#j#qFz!0u5WeRb6tPF%)!6 z!{Pim!uA=G_Eo@*7NZ-BoCCm;I^bPyn_%5Kyq=P_F6b1v$^J?R^WTA zviXc_1N*2Uxrz`z)LMYX^AaGmxiTwfZF^W48REw?ZPMXr1MUf0ZE0U;wN7#evqLoD zrfPrcQ1(F~PslN};7Kvtcfs%nu8>1;75%%T!pU$NETqR}<(^bSire^AveFd2crTfQUR?{My4?4JhN&e@*Tg>d%QiQ%7K* zeu)FG(neQYvuxVU@b0YJCQ zC2=yiZqR)IU*dqA{Mo^ z*MiHzSll{mWc-6Qf7So6>EhbJk{2Bl98Nu|H(R|g0&8OEV9Zg~@vsV$%Ob+&7z67R zmJYC9M$BJX`C*uHz{Ai@-3S88J6VWI+3Z{Dli+lG@3?dY1~B|+Md@%5J!A)SvA5Em zb*=5?*b12HN4gJCp*Ne(GOka1+&+|8l&7?j4 z593oMujzl&aUVUM>xWoF*W1NyW3`69bA=QQvc}!m<8M3Zli2#SW%1QnN4ie_&YYQg zED^y14vCvb(@?~Qihm<}@+{|D|0lbXFd~22lmlU&0o=f=OTJvWv(OeR`za``GfbFq zv4J6GX06{+$TIidqU~H`ZbF|vj^B8oEGn8sponM@jBx1w;}tEI1+E`s%Z_N~HA#dJ zKl*3G)_mPX7%|;aU5NDWC;!6*&dZ7>m0mxh_QCSOVJD>ZjZQL8dWYmtRrUzu*bdPiLe&MA-4H-8?mcW*h1 z!PSXo;l-sHfq$)g;Lk3Bvh?6X3K(-om6#?n9J91RVK3!1be<}1cvSis@2$|9{cGBZ ztW?wWc~63YP4|d3-Xl4*o}~D=Ri|gan4JbxQ!w_T3n2U>gkW&ZEOO8zZ@YO`CxDc6 zUu9_)4_P@*gy7)A!_VNIG5*uD{hPfBf1ggIR<49NU2zMlPcS`Rc{B|};u^JCx(+;( z1NFl9VL6W}cmTb2c{t)v`cRumVxv&Py=&2Z;+`#dD;$BJWB&ADN#nc)CaZ*jM_&j$ z89iwuk=5f*W%C(G+Rwwz1rHPxP3eqDj7r10y)y7eZdU+|Dr6;C(wUdi9jr}%?*h~q z3PS}w znnj=VteNR|l5_N|ndx@(IlqSYo4aJ$U1)+Q6dT5Fbx&&RNgift(?(-NUbu}%EC;40 zzSQBrH23N!dZxl|jJD(zsjfqo_1bV|S_{R#$cEAWi@8w{Ow9`QvD*(kjUx50KySFU zmc5CM@kmYgfNr7ftrJ3+`t?)vgn*2Rck4P+2;Yf4=JP1}erBV*xvOYk;oQ5ki`O8R@wbwkCE9 z1c-pEgW`5gks=oIGcCO`9k#mnaVR%JJ^L;yC8`$XuwlE4o}uKdD@%D0&$oGf+&r25 zPS{7Dy9h*;F7J0d5N~O1yfHsIc8D(3A8N*;wMcDSS81NgTvwC&1Q|-vO=I3kvQP^1DlMjON-t 
z?doS$@(WcUTg8tr7`7_{h!0e~3ew>ki<5zkm&#Vf6V-$A_QHn;2XkE7&9Ak4l&F|pMuK-8^F4>CTo9}9Bv|ChU zY5=s!{xG8AMGg}0Eax{i5_1ybb*%{@exI3 zj=Vusm4~yawL2uGkT_pknfSe0bkF!&SJgSv0{vw(QZS^q5HSn&cAs9WrkIcAi#NyRCoJA$#s zY}i22uzE7mU4qUC(=J%^PwIvjQ0?@)?@pZOqq>0w|5{-WR&+h69$B?L=x zddPHTw|YC?UGho>xoM}BEL*T@&{)x+>6$a2SAw0YN3?I%Lvy_2&)Y^Ax53ET0r(~o zba1J(u_Ao@L+Eq&w@-4~GR`vQ_l{Kds%V>El0Arnux6X z3gL(Gz?qXq?V-xbi=~q>Yv9Kwk%T&l9iwhhW5!VrUrYFPU@sYVtr=HW!-M&QKlWHt z5k)P30VSaO4)F7?r|{i`kIhZTWhXf!$`@n#wO*`!p)Ps9)0yeWs_+BDZwbiNNCABM z0CiOcmsEfH$ocF8K3-OD?dZ4*hZE^QrHynh9|tey#mt{q`j!T*6SU>h8?p0Zgk@1= zx8fGCYwvKs!p&B2M`>V-67FcNqC=y%x6aIp=kRQ#=KL*rQ{!|<61|hXh}V}byc%9v zoz8U!!(C_oHBYO&5lj+%6bah-uHyZ)-tbF*x0QM*J2-|&x6PZlAXlcy7}>|Bz#`cN za-l3ve0|fOT~|G%3Ek^{pIcL~!_6T}?ms+X*+_fcgiy{+ka{aq_A{8Eq}7njKIF61u(?1X+at z7|bZfZ-58a!F>1bD_$KSG2kHly}q8J<%?Gyxce9gi1$T;G{v zTK;8@8G?vY7>{Ry)@|g2kGag=rQ1({V;K0TC!k)I_zAp@d0E}BvFYA|m!pr>;8Xw@ zeu{DoepvNcHWRMhEQF_mc^&zr(a^|zWMo6do&Nl_JY}3QZkC^0bc(nc+Ddy=(Ibx1BUl=0R2udpQEMJAO5ZPwj2{cnQf31g4V72 z3Zi^-HLp~C91>4rd0PHZ6H?3Go}$3Od;Hr#;w1@?rP%g9pOab%y(cbK0Nr;lISI^VVmo*#l`aUli%L>P{YMFjXMr%n zos?K8IFca$dTNo$00BsupH!DdMh6|)`&|rS98GchER18U67Fc{FmRNZuRU%A!>PKw zLVF|#U^b9t#vo6=+v>i&)3Ua=-K-hTuClS$ah+AXSCv z0G=)N`io++!&)|-8CZIwM+T4=2EeiIPxOiR2NYfO2I$%}k-=6g2OfdQ5nJ>b=KeQ! 
z;GQd^3t$WQ{A~Z5dqqHXp3S3?Chk3h&_$+Gi7v|OtZ2+IR^&V<8j*|i_(VQa#1|Sj z8=TxeaYmyYrdokwn+m*-;0;_{0KV~S z8~}#4_POBhKjx~W1C1e*x2|<=ibILAbr$<{bOHrD(A+u+b13$e|7`T~AlHjeWm|zl zg>|4b43anMP1if;MN?1ES1D&rH<24-0}&CkBA`Rli{0e`)rV0$PXFXjpYW{FmIQg; z_Jo`w_|f10n;iNX{huE6kB-@s)s5vnPgUi?r>{{Umb0|doh&Ma&eZruBfhht+nRp` z;OSco+D9O;eQIe^)Cx%7YB=fsQ#XELoKM8@1!*J5?VOr%YNH2XzTq~3a!VB$JYq3- zJL}R>p*~$YkKoz<_wH7+ZNvY91M1f@RyZ892(?K0o{^UEG_t1dO|NSK9Xwk|0hN@$ z-2T_Tpoc}-{`dmdhr{5H50?bkA=gf>2I`M{pr7k2t4uIDrmekz6+$$?i3e`N_MS9d8BZAZ8p|lzxgW9C|cl@12dDv`dIhh_K{dKomjb518hoLsos=J zk7)#|j+KQ|Y0HMy!_;Z*x?3J16W+Vs=;fN*jg%jqFD*kf%mu9j&hf=?x@T)6Ux1UT zU+ONBGwV>$8|63RPe#I!i6iw&vZz`asD{OLwNP?-8qw}|MVGAFCUG5+U78>1h>1&<7bQ3{ZkSd zn;7u2@AV#otisnD4uI#fAdrsotgt=C0m8}auFnn+Ti^6tlZM#wh1&#GRD?Zu`$IBd zJB%Rz;|+v)_q^zkSHka&X7=3ZdO%js+l{*S60P2hSD}RAb2QI;=VLv)z+P#(c@Pu#<8}+suoXSZ0pw93Q$Pil6hCzL)152!zCScE zjOT47B6Jl`pA>Z(9+UDCpgRU?WL+Qo(Ir&zcJeZvD4%^TQRNBr11Vq}@CPnABTNtg zm}B|S7sM zz;7Eg;N#*&=8A?{%s~YKjPgZuP==$O^{~mt;^FUz1p?nJpdiPH-YoYh2c_ZeW{sv+ zJ8%%p23ctw#FBn->9skk?f%a$MjxireHW+}0hH32`g0S%@bM^=!f;S|52s+40n> zUb_(bZkylTVFk@Ibc0u5;L6ml` zI276DvWmt^^7%OBUGL}zG|@2(eJ4;)bMWOcN=j{R2OH%z(Sux!@p{Dw|9=G)yvuaJ z4zCV`jV~u>!pR*jdP-LRwCJK&`d-qu#_xBMOv1lJ-vn9y!h;%D8r<_5Z( z^iGdjcyJh_AT3CIH{(L)7qJ20zyMT zFg?N26_91bxsz&kUme6Nc$;su`z79(RpiMF^momh^|UyNga=m$SoMY1(d0NAyBQ6! z;bGsU;Ou#)Q)kn?6Sw=!yH64s_5$UJ$~AYo%wbJzrDjljz=dL6C@XrgSy1G)Yia`@ z52DRRRE?kEIJl1_67Ug9y&6w);m8QH8a8I^4 zmZxdUJ<(X0mdGaAU7N?)aXYwuYo-W+2e0p)+z}3w}X&BrS7%fV_pL_DERVBLnwz~u^aFORc zO`XG!$&|uSu-odZZv@%WbF!vJW-%)m&stjPQ1ACjo<0_5NKC3Nt8(5Mb5uqbu__j@ z4y%*X9HMheoZkrl^90o3x{E(2sg}XMOcdI32UIF1td*kx4h+jOFrgp=ekA^$N&>}! 
zfT~N}y2W{?QLrL~|02<86aV`HliMkHPdzSr#uS&j7?{IyZUNTdIBFiBJScY3f9?8y&o%tdYBhQoN}o{r~DHj*{blXNi;P+P;r=e%lPTgaer<=wj6EZGv%XX3E!# zimxi{gq@*7oge!LT*fSAF}++)^#FXqDfUgZZ{zV;d)}4AL!vx@J$YX#N9NkgI~l1u zzzo}C8ekt?9Y~q-w+FhSldyYfu6sviZP<&SR~8KgLsZj^KQJH1Iga<@%0B$AbmP8e zD_xa>_%?)T0*6r7y2?pK4GtVYz5&tmpP(v=GO7*2Rld!p`PoagO0@rNGE3=lK}+DH zYJN$dx_sFf1vyNx&z(6$RWsd;sks$Qr}yeiZ7ER_yrESS;GFgUkx|pA|7SA*CVHGO zKv8E?%*6c>zV?Q8poXKr(p`@9h80(?ff^e&)_lCQ=eR|i-5~|iwr6VPa0eI)n zn#u<)VD9x3OHg>Py_Ktn?~qy*8U?M?pxCA)xP%;FE{LSVY z6vyvqSk!J6Y1NHuGMV>|~tf_Ajw)+m`G%FEc6kbOzOk z*2O|94?*)JC^iw5+5j2{rJ3J0wbyM&nJphP`KO>1iUl5s+lymN+H&p=5_O?81-{+$ zK(@bNW`Fe4cc|pFG{=Q87Y&<{3+wTe$5FKx7G_~&If#y9;C^=SFrBVtI2GK^YAK0I z>bz=NRkz`wY?0r2&0A5Ab`LoH2%z$Cb`7{Ppi?z;t;^}Slzo@+wHxsPwP(usbMOsD zHN_Q{I`IW(1ivexR0!WVunfO8V^$7G9RR9QzNyZTC`8x6wx^-$One{?g-w?BzpF{Rip+jCa3ynA9A8kU} z)0Tin(~nV8#PHE>SBxh8ot<^GWn#N%qt%e>TY<8z)Mg25dITk}!<{W1ICaK=(v;Jt z=Lq!N_bhuH8Br zKnt8X!72yW%7ze%+4Ep(YNcTDG@~ZqEDfP2HvEXQHZ{T6>@|sIJO+y?f2qN5T$cJh zxKrOn9&XoWNr4O!LjS%H2Sd^d$E=qb1l%im=S=4kUDW&7q}M50Sz449;V<8XvDgnk zZxL(SCZp=70Fde5|H76`6-5+sG!*%Cai-=xY3+QgF_zvv_CI+a{OKx`hon?&nm3a- zR%_{FXLoWvG#Kmq9^hGCH|@yAT(%7DEG({%C451y$}Hb&JxF*wf+X@&i1E66^SqKO zu)&b&YIJ~%HksoUP)`!#o0YDnpI|I*Ts{}xXM|u3zjp5id|lx!$ECZoH)B}jY24<{ z-(g1LQeR7%%AA05=8z{xTdkt9YSA4b6jGr)`?yYZ-}zL2PX-7YH8|BN>CK#ijK?6b z3UZUh$e5AyzJnhk)kpL^p3v0U5jQiMDm?aYzlVENm=Ybb7(^@_{d?kiP#Bz8SgNaN zo>{NI*4S9*;BsO`ITGt_xP$gZFqaB)kZyW!fi_d6etx9*LC|_d92x*$sQqV_UnZhx zdwiw!^aT~6Uac_*Z)+3X47BvX9#Venn(;+!ps?#BVg)UHucaYjxy60#$<uw1&LU?`wQ&g379 zVbpLQ@eIKh6Hjh~a0h}+OndKU_IV!6=F?T%0&L#h%aHbWKE&kN(3=6ch^<(}y32Ka zhv1k4tboF{QTiLF43+h!zzSIfgMBp&%DCDKzV z0rl~)v!$_gGA0Ob>LRI-T)(T-$Fu2Rv9DDlzT>1eXyf7yLn@7Zxn9k##16xt_d&oG zy4OQl5T1vMU8z2Pj0~g8GH@_EWi~ltMIGKko>WtNLn~i?+uKRu4i|?D>)zOjzckpW*QnKFvVWuw`8WGG8MiA=%g6r89dUn$ z)6H#GREy&I_X*rx>D`*W0h4OfDj@zO2n;+L4WLsnWxxZxxe7~}2+|_Jy=rA7%&HG_ zCQ;DCdm8eOvvOG7v%mi^HvDD3lk%YRDE6hD;lTA0MBDC>nj5w-F)jbb`>+CKKw6_o z6#{-PB7T 
z@BNs!mh$TXKE9q5C^LZy(T)tB#vmA)+9-*{I-*l(2*D*3j4AG|Xqat0A>D?5otgSl z+F!#N@$Tecc81yZsKx?1C$I=w>_~U;5d=~)UQFi0xjb}7fg*93S z6;n}1Xh!i>JqOxPw5;b5W^0$X0qn~b?oeR~bIlVC)Mj&K&$gmxomt>11yXYzl>Kl4RG{WO7#MKLRXfx0(E}tpv z5q@pvr3+t6%$cActTsY$>jbB`CFm#)EaR>Hozq|n7D*uQ7~9ys&!EK|8>+?tX=X$e z)`^KH5MhZ_cn2>xNpeBg^j7~&tR5>DSi{VJt%zR|_N%RuFKndUjLEgWBjJV`SED|9 zhaw#c>g>-{CtUUURg~n2HZXNSHpjiGdUjE$GSg%c zS~Kr*-eJ}EhT?KeX`4H0)Kzjqj?HZlg|7hUJ~oryI1RhYesH0xdEe$=%jJB-2`$!~ zL?DJx@I`YSZgib`fI}Kysx!Ps5J>wvmJzxYA3{!x(Ygi^R_4mvpYg!IFLXimyTihT zs9>Y3?XDwt2R5e+{FqsR{CjeM7L_f0d>*Mg1F*%xxx8(2x3aKRo2BQ#a$E=X1fk2Y zeMlqRqm_5L$!BiUZ<4R$R($Gu(atG2HL?E`j%2p?sx?jy9s7M2o4YQ}=B0#wQ|UBX zJ7DgmgaDPpHu7rHLRnbXJexPHZYN(z@)_2nQ0Yq)_9z}>lJW*rJB4)N5?ifcLn&5( z&U(Ppcf!?&FboUh=V*dcEyyuCR%`S}xlIK(29hSIk;mATj||3_Rw()}cwZ74ii<$$ zI-m-2Cl+1Vi|%^&L_R;?30SjxlAd^WTVpzdm&_`g3N6SiA7Z!Rkg`!@Oa;U9V)GP;|SG(`xB+z(Gl)#khQOohQm0&7mW_5 zoLP0N_+hTvlL|#MRW%ZF>`dLutgC|sfptTvCCkdZC^+zfG2O?SjzIV zTaxV+u#QF&1x2o>ZS3p!b*CSOI=rKNw3Elm-Sj*om<<58G~sGDge0&Rc?JL%Fgh$>y8eO#M#B=akL<|U}#Q!AFb{%H4&gaZd z#zdmqfAa`x!IeX6b995ei)_H4K{v3T%%s1)8AOQggKT*)O&o zbmVyG$cALcVx1tlAxK1;d`JRu;o-U-yHr1UhOE7@#ryp97yVw$eW&^U%n)pzb$eUM zu>KXE!Nl5HA$D%zsw0SJR0iOYc2@(qFWgpaxf=%<)a^`NJgILT6{~#o3Zif{oI#uu zL&6Rg57h@1zBd@-4fV)j+&J!hScU!xXP&KR!$xfrAxG=){U2gTnPNaUqLjvrfMlC( z=!{Rp{V%WM2daPQqx%f=238ktQ{ZZmYIYiPi&Fjg%W83^Ms&qFaQ9C%C!I|OepO5^ z<{x`~13?KAfUvCDs*4Jqz0}tX>=j3XMYa?(OX^lr%0l$&lJdetrX<+a&m*fv#pJf* z!o#Mupz268@$I};J^!TvGOOT-W75HWvFb+HA?p+=8qBJBE*_$>Yd z33fr8AJtv~I8fNt;Abr31OcMd4T|73sN&1}1zNP0^Pf6Bb9z414HU+)cS|XxU!&NS zlRZ=iw@GiF$okIy5tL0PC!#?|p%Wbc<3!}Rx}L?;L>IY+t5`I5#7F8sxYewGL=NzVFoe=?6p3g#8}Ms7a+$gua)l2@##ik$A8P^3{d zp{JFkRk{Hyym`L3t$IQ?7w3YD|MvtY<%^sYTJ#AtijwlPoFwYD zFE|wRlcol@ZdGN=PVyZdKC<-HMpOfUqKSRmit7=+i5H67D03uny$Y;(>XJK>$WMq~ zUSrEG`c#3q6o-Kp+amPn$xnxT-#{e8Sc`>NuAafCl9k(F!R;TYQthlB3n42ybvlC>OO9VpUT7o>hTK({nj+#>9>@gjIM@AZUUE8 zmS28}q(zoYBW&})U@y3G(HB&Yqb5ce#2bh0G;f!EsoX#?(9>I=Y#I;>^md-%T2{YX zQPi+T4BgR15V*dCm)uWYqG4h~TLS0+KK!n~SZ403Q~ONUU7ncg`uT?58SopdBg;=s 
z%8j2+LJs45;KTOn>P}?@sp>vyoECDfvvk{SFr>Qmb~5ElKUt>_L)CkoJv^*10e4U1pE<%V~@uwhP4;NGQg84;ZSHBwq zJlckMt6C)I%DM?DU5BM9|l5qHDd{F>d6IjC8p!R(ZI#d z%RwTV44)pCUY*YjBf)Pu$pX7}ph)Ck#Nmp>_7UE2xAP#?&(?9kG0(wQTHum!$j^&m zvePUG+tURUyU;HOp`2|(Mk29wnf+25_GXbz?2Qgk+pj-jb{6f`$u98a0~otEk*{k| zmM5|O(jdxHR4}t%A8DWv;NU6TZt~J$NBe@H=bL2ue+xa|4-ycY-}iUTHDC2JR9hHD zF85tOn*w~$E6B>7mrt9$)?D{+5KT80I5ktMX#5tO=o~8w-1`Wv2)z*=MDhc~OkJ%) zJX?@_Z`E2nH7~=!z8}bz@)XPxpzK-PsrAo$=<8Y(U~b@gf0XsRXi8t0*OMPrnLbU~ z4Sw0ns47lE=c~mue^|GuOGg$GtsvU`T z%PGz4hCv~%=AI=b%G}@`UCSJNK@)%f0NEWBLl6v}{J0I{KQEJ>Ir5~ullVx^ zH`K_+cz5SXLgsmsBx<5;?J7Nu5Ewp47)-XAi0nCQ!qtxW;Qw011pdhsZTHmc^8|31 zNL^*^-8y}Xme9!U*;~(~U^J;vhg57%^7PfR7q1oNfZ9C1>Q23nFAh0zv>c{B4z+2s zuw(B9s~(3D9XPD%6Qu8hWETFGpoISn zD=98c%eJciDzP=1rxymgzySdK?tFn&s+4|3`XLWloxcL1gC}Lqa)r33Bh#?tP^A{{ zno~1tGr33@$W$Vvd1rzHy~lC2OW{LDml2HMJ4&-8VZZ|psW&>C^zbIEW|XNm1;^)m zV+HyYU^m1fv43mnlnCpR0#NdyRkP22t z-;rHLd|Co&AhrXZD7}gO2h0GIoqQguqq4@@TipW_%I_u^3-7=kLjQ>s=<&i2^G^H- z!7_TDjLY0An6CM>;vKJ4`ih!c*8(}mQ|tI>a$JojW^+?&rN9L5rSA2E)!v6Ht7q2k z%p=ddZnq%M=LOLg3bKv0ZS7-yeu|W0kc=C5LVbNF`s55Zi0sS*7aR!!Z`M6+0cN=D zF-`)o4x?j+wztcvG1Up(Vn3O$>X;dwo*flVmJCFGZ-^)qGYH`dRx^6BShLybgMv6T zGy!#(36)W$14j?3UYVq69CmFPbGlfR;uf^B&xr;zJA;r<7>d%Uc}Xj$|F0Aj^yPN_ z+@<(?dU+)I$u&mnY}@)ejWD+PTE=(0TTZOKI1z4rlS@VE3RZPOxogvuj1DGkfyHcp zleVtmx|Mfi<=K0@2a1^gQX`o4%QurHr`phW5e#@M__CeC46Y6ciP9=h~PWya$ zxH|0I@uN+WU1?#dkQKJIbK%_lELfMdR(*@P9-pvuJ`VZG85XNZ;i&mkCjWQ~fPxiWrcsQ9D59ACF6C}lg!`$}2 zWdX(secZ1G(SvyjDvVv{tkUc)@qHZ1An-I?%~LdeNb`p_{$#u=?eB2JKagCOkeK0m zsWvcv_h!66o%lV$QRslI%taOyU|x?j-6&{6_y#QGPk?r25_gPvznk0XH3O3&Orr9M zA7aNfkuWsME-CAdM3`U8h5Bn>LJV*B$Np()K{G&_K~R!7+74aaSU@JjL+%CFbbYIA zjv-B(W`;R7VK&YY_`OjFx*F-mZ*VfXg1L;#;FGyhsvq2&V#W+&GD5hJVC|OPzVVK4 zueuI9iz`%FKS+qW@FpE-2hagp3YLL*M<}n!|HK zd@FBiXL$X|4&^yYzpf+``qtf}tDwp+l2XA@A!8ZLx~TSAA+3vj#2R%J8`R(lh48Qn zN${W5NE}wOC4JIhINW!og0Q0O5hbAoeQSnC^R_D?f_UG%%gNA1R{a7O6VKV^XkMi< zgVte69@!f*n>f*r4kD>c$)Dib$hlH*F&^id1#iMJYY;#`X}yHVAAzb*&2N1h#`9}G zb%(ZKjS?DpcE98Y~W99`47&z 
z8#(y{c{+%-k3V4_@OHjam%^7kyz8NVu|-sPla0v!Dz5p7G8)7+Ry3S)t~n{3%NY$7}HWmlqw_0UOm)3GsD(PMzslka`sdr;aq=f*Tka;oNt zRjIJZ)=Q6VpJIm>U-~$Js8$9e0vYM~+ic$xF%H=bZf*&?9*ygnw5m*+&TI_aj>_)x zmtG)dmew7CXr=nVYiI?B#I2jb8Ue00iuJDixl(-d*Hkd_%@lH2wG;v=l`~##rKUGz zT5KdZm8}W8Xf6HFoN+EW^KQcmdhvG|XlMyAFoH---JGh>LJ{3`(^;zTGdOQw8P@WS z$?a=UQ7E~(I3wmgL8I^;oPu2>=nE|6!=yMiMnb3A7{{A+KVxf?EWj(=O;4ikGI{Kc z|EW1@J&_M)!$ymowjRjiLzbbavUieOfH~gV(7#ip+r$l9@JnU2D957Bs14fA|%4D)DF^q@LdiTV0q7R7Gl>LsUKial$cGd-S%m9CYj(vY%Dj1!c% zM@c1Ur7gxaGusRcQgWxN)bDML#DBx6!DeCqlN)+B$NDii{#pNYpy*+RC>LLFOPrS01r>FCL(AVnLQriE+_-_2dK@)bJK z8AJ%JbP$#sT9W$RAO6(JQ~j5{_Wnh4`BBl^GZWBZ+^kzpB5k5w=z;~Wa4T~pxf0!_ zNy}-40UDA1iHIHC@ye6xQ}yQC1I(0kRLPLdoPXmk;tF2(!dbms``mT$SjSfKJM z%U6T##74pNR>)|kpt>yRoZ&?_aAlhLdkO`g)$P7)WzYB$`@adXVEW|nqo~^|$DMh+ zx%h&C>;k1wp093G1*6{X&eEKFuPgBdKxd}AIpp2xWr2o+`bs$nS|IJjowLjV(OOzr?bB#~?QxG2f5x{IdxyP|z0lXe~z`8~9 z6Ttajdm3_3EIFm~OnUG^m@0WmfND)W<4+n!QAb>rwIt7;U!PW#ZXR-P^(go`Wtvg9 z2wjA81$A{C+)HjD_t3h`)4Xa>4&8>7==0jEd)=$G9~h;$+n#5rDEL(DU{Rj}v?SJ) z%2#4ewV%AxLZ;_a8pldY7cqUm!?=o771WE;BUjc4IfLzcP=0%%HUBH0GGu;qG>04+ ze@aW`c=8}j0d@U_a`iHSqg6KNLt1{dqC7y3!SzKRpU8M^mXvdrv7nh}SyCx*Eot_C z%c@8kMCO8ycEI$lV7wh5ozPLA`0{QDQl(J%yC)W&O&fq76G#X6L5vfL8ctj(`0b6O zkkb!Q3$e%{0$`29FN!aZ;v$3XMDUz_lz_wtaW@^dDa9AYGy8`aEe;y273<<(%;4Ys E4?pcy4FCWD 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp deleted file mode 100644 index 4c5935bac8fc546e2921a1a50b6f0c8e880e4b32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10130 zcmV;DCvDhLNk&GBCjbCfMM6+kP&il$0000G0002H0syoC06|PpNPhzW00E!{ZJQy< z`q#E?+qP}nw)YrUwr$(CZQEwgvg^Ibis+cG%+9Jj8=Vm`0TL^JPi{S4+(Pd^cV_Y? z(=T*79>(+^d;fX=dH;F;dH)@eu4L!p(!7pTXzyf=Ww3m6v+M~fxL8%URFGK%r1|P1 z$=J!~X!&>G!gI9TzR+UW98c5l0u{uprK-6jZvmB!Qe@I6x4I*50M!gqWW>vm?(K}c z3e+@5kNZ)daz{gv7IH){H>juPWms~7F`g*HT~JKoeLHywXs@w8j|HedZ7m^jzn$Cx6zjv#2;P z*8#(H(&t%1zuQns5=J|@1{kT2cDDqme;;2~5=T3^3K*@6`j@3qQ>Rvw1kz3}2gd55 z`q}$Y4_whm5=lF`6d13AihKS-P2byE5=uL{7?>2jQfq!j4Ib?&g<5`0j-4|8>6zS< ziuM8EU@F>gY3aXIv=0IMQ_()R=z=c@eQmrHavNgSb2E7u(|@d`0MkGJI-y_8DkAPx z`1dPHO5wXoe;ij@ve8W{IIWUor;Bv(f_jpzF485Ey)M$l-hZBLH+0DGdE`TqIx%P-zl-+3|g(a<|X zZ@f;u^dj}_)2@tL&Xo)wHr~ggUs`nl!#4x_uY3lSjQ_stwhXD^E3DmDC5FRU#R8pfn^J|T;DPHp4@u8_g_+1 zV|oc0(?Xh!ak7@vLedw=+5Z-Gu_})(D*YQsy#eB4ncw@*`_KE&`_KC?52Q{#a_h>D z!I2dK09H^qAmk$e0I;V3odGJm0<{1>Z8DWdq$46BCNewlfDMUdZsBdAj#$%Q{Ks-k zi}AnK{#gH5^3k!cR&UaHuk}Chyvq4M{rBBB&d>PXrhmP9fPZNIdH$dKH?E(qFR%}A zAIrbEe$D&K|H=J;_h0?1@X!1Q$OrVF_5QGb`8|>Ur2oA30R9>M$JTfLm+u$C|Msu> z|F~Y$|Nr%yJYoF1@;|_j?7!K+X1}$1Z}_jvzhwNr<Ke{U!e;|A+ji=MS|%&VR;#+W#}~3;e(O-~A8o-rSzN zKX8Bl`=$QRfB*l`Z|Lx-tzYh@@kbd?rMJUma`7Vt8e*G^!}+AqtyDV_#DO>^3{D1f zqI&8Uv$OG)dQax-ZkZPKtqY~*sqU30`2;hT&Lw;cQlO{Ui#q9T zTT6!1yc-p%SO(7M{1&*Ns%tEvO}ZuIB9w`z)L=%Z_lchNd|CKVzAXGGUlw^g`b8lB zyS4OJ_H0@UnzwdLyYHBFid6kkop<$jILmu5XQuUyt&~wo(XQYe%F`n)nrH+*+C@Ha zNe=G1F>ReY8W0BS`Wx8y8EzMOz9nVcapn7 z4`N0a6HGJH5xW1r7}rEo3!#Zl0=C=Y&h2CNl@ob5R`QghO$0HDgBYzFd-ifNZ@SY& 
z{(M`|mGR`m&vH30AjLbjJFtje&;RaN50AJ3OF(?)W*Ye(UGE2*h}96&ud#sJ?FPN; zsuMvRT?|R1h?c<^{COYSvh_J_TA!nJ?|4_&UI#y@K8}g|?1Oo^o=0|rOcnCYo#JPZ z<-JF(>z#4Ib=n4lb_y_W{yclnqf=R993eaq3gPb8Q(5W6((2LrBCzgo+ZUeRlJDha z+d|T;WfYv3&GbIWIjL%9LdN{6MBA|$U+RW5xrnpA*m5`-U%Mg6fP+NuqLH99pX{aK z3#t~do@ofdd&39lXNLH)xVx(d-2gqI78;WGbUB-Jc{P7sEbwNqf+t1W-~Ys@0hjgt zd^0VmmEdgQHp-++DV|sF8u38@&D@*k-(&M1tGNGTrd`?TLe7D9D>Az3-<8gs9~ewL zj5Q8o53V28%r`^TK*aj#Cc7MfICuu2cf zxS^(J__CiR9rn6NbZY3oQMOXFi(ki}h zY{>kHHe_C9qw{1}x;N;Zix!=pB+7d3L|CFWU6WPk>P8_WYtXgUXPg-p;l$0q%mNp> zJSr>Q9u*btj|zr{e5v;A$oqhdO@J{*0@c?Q!~e))>BtTPWb7oKm)Iao+}~Paa(VdC z$C~TvL@rb*`GJ2cwjFb3Wca7A(B=hDD?fBqy}FZTN90MfBl0BKk@*sA$oz=YQI+G^ z9^QQu3VMecn~eUGf(432clb;_&%%ZAXW>Hlv+$vOS@=-CD;BVARk?U^ypozj;zQdh z_iVouA$z03qP;i({{IvB6-m}_C24Q^vzH*hKFdn`qV>R&g9J5Q0XBMf8O6d9=$t-B z18KRJ2_c^djqUGzi?NHdKXax**Z#6D#ljxbSr-L=b@L7J><(H3@-^H7>>Ka{p0lC(8jsrMfc$Bv;XJ_l8{bAK$dDcYb zLWVwbNs{gkCL4Db9(DdnQy`H`+yWMZ+urz*YGl0>|IH)?9vP(T{CHyQ+$|vZ4MExU zLn_nENSTlod7AZ43>M79e9UlPHMhD}uA|4A9*{RYM2ZX^HV&o}ESSL*fXMZy1V~Y{ z{UWLhXFM`MwE`;cxeHi!LS#c6qrz_mpG99d1BbYkY5&;u|0NnO3s=o5K^5x|O1f;& z;u=}D_J;2PW?>?rQ%<@1+q;jaWfZT~zhNujG%oq!(C9~vnG z?K1MYmxodc6bbXkjz-p*nRRQhi!ml27PSRcIeknw(UUVKxN03r*%t=xPyPJth14-V_sD?enEU$u_B z+9(n+L>q)(T$4ip+16&GCG|JQJbcKFQ^s#Y}ohO{^^hip0q+YMtlpy{H_hN7D@K%;8TMkTWYPm1oy_?h1) zUDOK~DQub71umc5)3u7*{D{=72CjR^Vz}$FO3_c_|8MSoE3zIVVOdmey!FwCH;v!= z5((@;019b)C~S*hLkZh;BIo6~2u^_KAvU&sejIMyJQD7_ zK7w;j_^n91hhCdTF{CCZZ};*qWh>9mT3Mo{%+QmAKK(y2><_zeafyFsPO0q%!2g$k z-f=9R6Ix^_nt~}+nA~fzh;^S2BPMKJ?*nQN)%WCqqrx$|oHG2K!;*cOpb-teA(_Zj z9uPFmnZHK0*_Dirc%sq+Fk=4@L+Lq8wRdeZ@A@p%@y$opdMZq{Gh&a~#2$0_G?g(w zM8V|Et@7=A>nlCQg<+_gvP}K~fK2cGG=Ss=geDnlNwxeYN}Fb|v7rw2*&)-=-AGO> z8KtiSYmXZr^7j%7__@OL@0kPJe=q{=+h)(XTk(R*nHmnHVe1%)&hsH&xW z5g7at{?gH<+EI4)+(i2bU9QwYal+3{sx7rZf=;k7Y(GRs@i!&1#1E^+&VXI>bNVQc z@5YZ)zVJukbYQr!wv)^vn47q>I@uBZ(F0w?+hKGqq{>vLuc%DBp0T7 zMIHs}mgnjiVVPxtalE!lOr5y+0~Z%BhaQIqfOGY^{vl2TI{s|QJQ=>M82!KBAB)>p 
z8V-X~t#KacPEiSc15tjaXI;U`5q*MA5J*`WN;DQ`udQGQ-1BnXR^)ol0uqF&2{_PF zgp@ia=XPD?vu$U`QPh}u$P%2rB+^5x?;94Un^#OgMK`6__>ZvE2knXuJqEK%@l5fB zQ!0tFrg7c0<(1YKuTg&$VJ%;oc?T}Y##x74(bo=pF`|ER{oK+%+a$dZpPT;(04S@s zv8cWcnZOE5JXyeQU3q8d`0u6BvBU9JQHDuzmW z9MSar6+!C2$rJO#3?0Jo#S+H-L|Ze9^je!X^i|hi@FH$IEcJlSm&7@#s#TgTN5B(2 zn>@k7`B<<3A*g9u=8^ya037l4v*L^1#wsgHY<^-f=D z-*!z`W;e5s!J#w44ZypHR^@tza6-)5B^ZgT_{^MJAGv(+4+2WVtu3ms>^`gr1WhjW z&;LHJP%Mng)&r*>B#e6ItK}Ul%QM=GHz!2TYoB-0nsCt6Kf9Zn!v%&G=8`=7r+Qz~ z5qdYid^sfd5w1iXD5vHMNhpbz1{4Nn7R4L!XN_a!*X|y_t?vq0FKpuTf9el$HHr)o zFtLx>iPx!*v#>jxa+M*cs?r(k+7nksXKgy1BjS)&b3(8r!i&S6cHziR!Pr>CiX z|CM-q=Nci#kz8E53)IUCr8_*yMH0xRD`F^$n9Kb;DL$@!7?KlskT7W0zXA$T?YOtJ)1DqpNVbIkBkW2-;dTap9;`{D9|bW)S!PuM>XSy99scK0 z7(@B+Ixq$`|c<(iM5;AhPd62GF(WijhxckB>pXWtB}hUZ0o*B|>&Zk`pI zRaqTdTA2KCtbRZKb{_JxY2O)*)VoHm<=;k0n}z-^eg8w0ME=Z&Q0pJ~fa{p%v5*8a z7w3|HXUqqAJ{8Lc_78|fr@J-2B{zO?ecr^?Y#;tO9)Qq5Lev@VzN*yKJW<2X0d!&H zl`22sLn%tOz&gyTRK@w0Dx*G8WXz8H01MlQlw_22y5IAZ6m`7tIdyovwx2^X43Tez zx5aNP&@X*mIYq! 
z^Ozfb`|?_*z#<1Iu>qA`9{<_})Y)^>V)Al!Ys}g8IkF34KDZIow�~n=F{em`dG_ zPqzn16Gj)~0YlVC*JbEX-ry%0D;~MIEI3{Kl;|I3Cz-qgs~H=)7NdnPevbiBRP=3* zmB+370=F4HLYYtR`F?Cs^v>g4kI%DHa4mmmE~^{MHrJJw40YfF*ZFX*Buba{z+rRB3uQ7HtJD0^^Vy)QG+>3-G|8W$W2sTX6QKJs zQ%pE0#$H|wyk_zVpMM%l6RdtHNT|hE&HX!g*(Xq~dr}VtmZd0G@b4oLTYi{#ypiwVj1d{5j@31%KlESl<3x2wJA6aAxiRfjTmPzo-Av#SO{~ zwn#m;S0@8}gQ28#vdA9N!J!)?&w*TkX^otFci`9O8}EHC3f6q64l7B}p-h}3+-N)G z?Box^y1HM(t?Aoh%P|AZWuv*}WT;)q?{n<s|rX)^L_(%Js*x59m>C zRf*V6kbW>|?EZL(k=`W9mJa{0f3?4Kca4VHPyBukY6fsq z8j`xZlrFwd51=5eZc!2Y<0?Y74M&zgYDx^m$X6%00zm?&o%-|I>{0*Nn3B}t)W`9` zIL+lrM#1}T3alS+=$jl3>>P0!D|9C9NgMaWEt*j4oTp%{eLd;om7dc^=C*j+GO#2vbPR;HJPd1& zIoy#?jx|qd;<7LEdg0!|W1oGYrp7pHQWq^kB zy2o9&QI0mwm@j?(=pQfc=Xx@*`6$^8B`mG>OdDqi86vT3XQ}#E9OJA9i+)|sCCs=A`yt8*cOt?@X)nn||i=@{$De%=pm{wl6|-o}YAXl`#KcX|b8-4WY- z4_(q;h4%~`fAaUJRN9y((_XNckl;Nbs}}X4hmEs#U8%XtW?7J4NdPPT>Q0^z^3pS; z{=A7bse>&Nzu(E>TOA(r%PV%xAtkJ@^`32ou7@z|DU$pFz`!;)!d5h$z^HOlv0UnN zyr7@YI-HZODrX!Y&=@9=55%F9cymLR%waWu{{v_k@(}~6{KwYrMzy{Nr3-){4t%V^ z(3TkMU1F<($)Z)5owZpj)XzMVtUc?cJ%|XlMKVAZ=6V@2^kw{rAs@JRXUPJXuOSmvvJ^k(M9P-;g5s8>Ap0+E&bP)7!j|)yU%3P`D z@N0g$f{zBamh@%2P)7T;Ly;{4X4GPeN9MZ%q9tXnb;R%FoWnG<>R>5-{*?1kF=OFV zr8Q9YQ2(Qa`Nl6zSSnGj|NIb^OaMl*DudDj)Dc`mpbvO=0SNhS3Efzn>P2R}HL72k zk7jugP0$L(OH~7k^+g&W^L8{#y4kU9F{fH%mQa~{$mSEBwW}Gi^e^AoK6n~>B=2ay zbnXi)#(}8bPE>(}0dOB5TN|R}Q+g!$#M+68BBI?WL7#E*Dz_7S;*XND7Qzv4;O2^N zNs*1+&Kp#a6skT-PwR+i^KjMVWRx99PS=^bR zdKYdg8C4i-OBm3o13co#JXhdDOM%^vj*T`dU)z@1!cCGi-yolLw@%k^uKnYD`om?P zUdJF)17Iv_>=!@?K;B$|a?4ZRIISZSnc)@X%ch>9K>-~-PWk1}gQIeli)d*F0?oK+ zo$$=i$V3vW9HYz|{GpX@t+@Z(0wuzMrXtLsSC#6d>E!$Jt9iBF7^kM7F zzwDjNl13n7yHAQrH4fzoqiC1%O8Gd8r%!2=M)rBL*WuVCO3^>Th7JvY$RMCcPkd@Ldz(-_L{ zg;sJ{e%Rd<8skQhmQ+-C*s4xep~#xXzP3Q!uKVCdV%6Lgwm@M|3yc8%d*)toy00=S zWy*z|z>TkV?Fn%Huvy_`ccqSs{}t;~P4R!YEU>t%Q=kn}z}gi-5~8{29C;+!9s8y~ zbzBAX>mkIbjeEN~q31Cj$n;7P@1u66242gF4ib?lQ+VD_YPVH(h%uL2ibr+2bv|}o zajd2(!ws0T6`sXsaRpGdYl)D3myW7rA0#0o-2|VuYo@nq7!0EE6vu;q`V({ 
zu@D`c3=B(sQm+)54dSev{2H8M`7;bZi$e78^o0)Jr_NHD(~@Jc2Wpm2gK-3*+TseI z?md}tqH;z}i(YvJH*Y^6Uf4BkvJ*nTIIXo`J4z}(LS+x68Stz%t&_|#`r5MA4XE#2 z#aoO!+_U%TjslIL*u+UUh&8*MlSPLxt&sO95=!LcUn*1qJldOir}M$knr zCY1cF3tUw=v~x5XXZLx45xbQl06DYQC?R9b4ey<<7s*p~jW!1}(hO7EC?o!O_4)X& zhG7FQ*t}b&M%ud<5>y_2I=B!q&A$lFTU0Fw$?N(hai5~LhAmP2Z9Ql;ItLYtVSed- zMo+SO!ZVjM_Kl&(9a!&aHsQl$XmDmH-7n&kUZLLu;=^iv42o5180;Chs9D-H;{@7i_!uR+xrg?kuoczD&nZ#8kg*2ENt7{IR*W4qj&?`6Bea3aK|A6r5B4AXk*5UzqCMqTqsf?Eh z@lm&DrmCwaiafme(Z4SD65Fk>W1904xaC}5$_HTbD|fic&x28J%-dlFqRu8m660GwA#t>4R9>zIRDgifc--fXmCbe4<+6?#MR8k$er2AcSGybty44cFH00SL9~X z9qEi+f!K3}BL&a}h(!%!x~Zn^@t!ANdW5(fxuG9_wF%S$=CtEja|G7GIqvU16!^f( z7^Wa38rpwX}(%pT^4jE^*3hKck2+_eABlT(}%hynS3n>KT!Nu2K=+X^!S<`$U>M2bSSA;^g^+sB z)EJzFgv2(H0eRY1%nQ1o@hfp|q%b}E_Yu%;KQfO+heOYHR?gA&RMmJMX*A3Zi`N;8 z>t|F@zhhcDlT^(jIewX{Lh)``7Xrn!B2}$-3!SHGmYvAM)o}9%p_q`qZsIe&mw5*T z3(yu9J;$In^+0{7!(EeDbVp2%w;XqPuQP_cFw2M#B&VngPn1QcY_#(#`Uu!`L|sz4 zFR?Wc`a){oA&5#4`@1VmpoChxkbvuBJY7Q@(?mj%P%I$zy*#RpvF$QK$1X&q*5uYMXj_plLu z2wH!JYQ!Am&f5+YN`Lw9Hbg#jqX4hsgx#LwJtpHX(W!&qibQ}`H9)pakc;##^?=u} zq(0r`sAeUXk2()56Dn`R!n2H9M&vJ4c%uO%fnC=s&skb39TM2xzp@V!JEnoEg!55^;R z;w|k!`SOP9Q?F0mv-c-vNHHXARy;Wd5tOYLakq{DgXu5J3(Rda&$d$tDjUH!!cEo+ znn#YejJ>8dEMO>%04tW9xg#=cpO9<(&|E$e224^Y6J(j!6;U&{2(rT*) zOWYCO)j?{(Rjf%CD!FuQra4O%(nMuwkHil;O1>lksZofdjy4+bzGcbA(zUn!Y~9XQ z1!T{$=#RR_9ORR}$a_a0Crp#q{mvK%GDE=&s7VCad0Le9`sCZU0X8396_TOP<-!Xn zCld85pSoYeSn-CBOne7XSwfSKf}k8~U+S2)0I+L1O;BbgISWZj$N|>{M2oYw{00D9 z+w|G*nf)$Dp7am3*!Er^I%J7J%yi95=yt=f?t02fa>5`(rQ>_x$5i4v#&@GFrU!qyPuygi4qqG(u;7Xft2_6sv|$5!&`A>1qgusW9P5X} zS_*SG0=fuwN$|d7rQ(on(oZI(Ij5Mrc1GqXO{)T5ty4EHo7%<5RRoc00TG29nJ1t_ zZ07m$kkAW-vX0S6MHefG2OwWYCqtmUfe?kU#Il{5952JZN1-UzbF`)!B}S~P6}j-W znXuf=Pgb0ggC^ zainQ;Ciw?Zfxh4TpdBvobPdIx`m{i$R7H?MB{Epz7|Wq)F5ub>xR_9aX9|TWvz zogI(qrySjF)@zu_ts(+~G$0pEfn(U&1Ogdbqtj9*AgZu)*4s}-BA22wt;6=5i3X8V zx;m!S^8yP~f677{9ozM3;P2U~2}YP@MBN+Zd3HNB225<+w^fWb zV3~fj`KIChH@(cVxRO{Dtl9}69;;MOwxSW$dTM+)cBPtc>Dw7++nl!-Tfx+OS^IBC 
zHBN7#pV{RkY=onLrahlF0q;XurxD}B2gyYAFZf@{e&0dQ!)Uol9<)>eki>M#Bj zisK)`QWw>BM5lMGq_q#Oo+gw3C^`?r3X_r`HTkPGw*1Nl6?UC8 zoNU!9pPbjR2JIZG4J1Xw>soEN0tC}SUOq|z|3Cl$00heur=;(yNBUj*-+mM9d+u8u zO6iLlnmS(&+mvPdjX35n2`{Ka&sPnhrQ1YHRp02k%nmIB#E)t9Hg6w&xhR%FBC{aQU~4*5+}0W!Zxpx^^k0cm9; zzOI;0;)he%=v({gC)#w8XbJL8t00PVKn2u`eYO>xA%nN*ok2}~s+Cv(000G!Guyi$ z>SY-0h%~_Nyjw&e5EiZeQGdVOG3j%L001GJytd2D$LS$@o3vkCa{OxL-~a#s0C*7j A}d60k& ziDz#6+W3qC+Nlu@I}9c*05|e0;&D{1s{2XpZQ?D{Gt6)7N2=zUub{Vd2 z|BC+c+~4<)@ISTR*Zn2@Z{`2P|8o7+{~7Hylz&qGTmJX@e^I}i{nY)x_n$ex*nf@j zKk}d1KjHs)_67XE`M3K|>^`_3DcJF<|Ec|n_67D2>VL9cg?`!o2v#!{(tGc41Hn$$Ni7M zSM)#dKeD~CJtv5f7OBa2p%`}4RJK7nzBSuM`gM^I(ju_SE z?|AUJk2>ZOKUg6J)FcD?7IuY(%A-R~OLxZAWNDu$+)sy}8W zO2(yjFNRa7W1&(t%_Fby@Vf$@q$kKNnx6KUg*lsMofh#*Pokx|dfnYoz_=FbCe@Mj zBh8E+reM#@>&MvMd8Id)E6qzmI_M3V;wl|F0-UHepsu*$@x%8htV%)-MuEo+YV&uz zntiAwWQiIF95JiS-tuYgWCrsg8+Ya|w30ZRSb&$T!o?5oeE0+-j2!==#61RWs7fmqwqY60XuE%0Xq z?!3h_-7GMF_CadV-sf->fw|tf*q3^H7$ThjZ;cN(d&!5xizFhks>;MYrQoN@7nZy^ z#YU#ef3x?{|7^$iFF4m6yODUXt8Yf>?idmbU~jT~)L!u8N*d$$geAj1X56 zwkll;8$V+(wl1XWe%C|+@MB(B0?nfW`vUNeCs%#V2ylE~fNT-n29$(ul$V9?MiI7Q zn_P@&Ui?*#9OjgY8c#@<0#{$ez?f?fQ@0>%i<9fqX-jGNm%;8aHVFgCex5u!T?cn# z2qsx^u26{HhrcG7^>PR@amDRR{Y@n-u=NifZ-^^!;=F%_zsU2Z$K5Y1kidLM^*ov)%*c?-#EY}nalFPx!t4mI6)^Y`+*V}RgX?B$|5 z{f4HGVJim?E7~O8Q<*{$*UVWzjr+DU)~6r2!)I~z$G#>Zb>C4}Q4869vBDUr1j?PJ z`M^iDekxu7MK63nGrrRcX@y)+XFgiwnhvcST*{v13mS5Fs=V<*$&QnwfDul1Z3KM+ zSUran3l~ed| zo~sD!OisJMt}#M^R{)Sup5{JO*VcpReE{UjL9qY{EHe2t*XR-Y?H<*;DxHD|{K8EC z%v`krZS-Og7S98j8n+}uS^eM{uVFQLx>5P!O&a@cq|KVUH-z*3ClOa3_nr_udc$yX zCFC*25ej*yDKa$pNCCKFjfb$+Z}WC*FL3xomVK;XFqP0o1! 
zAmx|&N%nPf7O`gIQ51A)yz`&U3^9rMmql6am=i*BpYugO5+s z7X|El?WiPVa#-v%Oy%8@`mC~v^w!#?K)J6-ppalL_UC=@4JD@*Z4y{uG{S2aoYk(# z6!7DQH3^TB@OeN(rO-N1Db)hXzUt=u1!sMzB#ZE7#U6MGgnL+oJQb^?_ByO#%5M>6 z#XCB!r&|D}hZ_9rj2%TED$1Yt(j03bKe&S%c@*+vSDU@*E;oCmL97D>I=3E*{7$wW zl{0`_P7Qj7>o|mCeO;ycJ}&ZU_MABLI5F+5<17wk>PvpS_>Iz${V*43WJu6B;f3yz zv5twCZ0ieP@#yY?bNlT3kSO{%wvM8 z&Ibfc;f-D~CW?kWRlfitof_kyAWv{U(M5$xvhAH=Y#y3$l27ymNcJ*!J5uRnUm{(o zRnVcI=|A|cDF?@}rc1-3GY?4;H`SJ*>!>jiXiv$vJ;}tO(hNO?hzqD!(wnqJtlc8%^SQz-YXd9eIr6`=6q0%O)Y z545^0RE^l;nMN32T;H$~%X*4`)lT+$9e|cw)KmVdcg7{GYutP}c8d^r@N1UyNZb~b z1RVzB@Kos69RUuPMz`PuQ=?pK`ix;2^!~CgG0-)apgOf6q4;PBLG(6gE5j=vRnVn2 zIYq0P53HXW!0|zli4n(V-5<*FCNfMLcp^%5RBL6UWUdA^Wt#&syBjVgW9rN2ebA0v zk8NS51<}Sf&ZfoiMVUQCYKMwh%q@~B%rV@oF`Oz+#gRQpw@)N_>QVzt4IRbkxkA2$ zlMc6jGOo(gg!a0nx(_g~q{jpo>R>Uk=4s>2-t-QE#|(1(?|CuIn;SeXkH_7pBxLf9 z1CAOKHm^5dO*(gx_=<>GjmKz-SbObzIo`%5hz7f6w4}hAOsb;+P4_Gn#cZ`|F)a0q zIRmW+As-Dhc_N)ai_htsGllu#r^ep&l;OvV4#~Aj?(v_*O(eIe=aM9jbB zuqKmHNT~3y!%P-HH3<{&U@iKa2?j){!nyH|$Zs z?0SsmH=2bj6b&cUovZ>j0xO`10PVhdE6Muw%vEQ7s3c^G8V4LSCT(7C1?07tl>upp zRgV$>Sj z^e?Qj25)dxTdxXllf(o}=1Qfg)TQuWp2=Q>Y6YBDxKl2gF6}qC{jLT@GN&?xHdN+N zhRU4E5U;Np39b!ZZuc@fc+R{8YwJ6YpjdSk92`O6OTxd7%qC-~cDaAiqB0>=uUx0e zs6zx~Ky&i`SBf9?t>GF80M*TI}|&{go$`wak9I=%|R3{hz(;?HcM4X zre3t#%Cl;zRia5`^#ZUt&pyL2=%w^zB}(SspmYv6VHtaDZMt<%pFsMDyH?hc=U&d` zO2VOi8fsw)$bxzQ79nt+`}lvU4t#te_Cw8ulVqHCHB86W){wA2K1vKZt3Ujbs$DzX z{M$FFKy~R5gbusJSAfpdZ$t4H&=sVKazLaPM>xKYhvY#~6hb#t5EEjF??Q_Y%%o-u zRsH#kjSuq8?eE%in6o)UrFOwVZny8IundoUXGyvO9$3NkEB6QNX5!QOD%sKX|gBrN@%Qe zL95OxT7YT>M7ayV-rIr50sbX}i||EP!+T_)sPmd0El-(UNYal-=>G|1&$R=2o2(`J z>WZDJxr|$maMg}&7+-l4sCwS=d^_|BwfiruZVQiZ^+J<8Cg^S}^@Q(50&fTp7jLgOLfTDU z%5F4JdO~5dNzLI*qMbPq`;82=7(NzdnMsn3_fn-aK!}T*N7C+pNN=m7UnJL;<{Qw9 z0ISwGzh^hWR5P7&ay{M^jY;^E@!bwl=4KtnuKn9)$W;bm3!Ys8lGuBY@<$cA+UH}N zha`AhgWN~)0Rv!M*0C4%%fp7l-=RuXUmhk!R#1bGon_u&>9#`{7fStDtf3|Vs-E+N zTwO41Qwti6=wb?v!(;S(IzcKx(X6-k2|dw19V%QuYOeZn$00m9jIFrAJhNkda&q?a 
zpOQI&auw|zjdO=U0ou(V@WKb*>1gOLv(OI;pIfLN6BU_~(SB>HbKEVZd|U{esXe^$ zP!fuVm#_K(9cKYWm(I(|*9p+u zBNd!0SaSo8`%yK`qFx@$m8VRUphTxfjwZSNcfINo~44v+tVE zcc?*hkVx8gZ45TdXBcy*eOnJ2XeiydzUwI-RspE`tqnH-pF?D}m*6?I@T@xMG*P91 zbZj9>wgxIcWZ=Qz&`mk3^M9VmiS>q=+Nn~?TBc@jW9~gx?;s~Wx*eV)Od&FA+vv87 zz6GdMy41xl#b6-$oJW+gbkMDrGRj7z=tC%k%ZbyvERZ{^m8vebJU4}+;qDz+u8_Wi zN0Ajg5Z6&%9$Bu%JzEIMl2vi#CZezAOWSQm4XG2+Mm=^H*j|IUwp`AJKQuhwB#lU1;a-h;Mga#JG&Jh;Zh+&f~BsmzRxVR-|>^js&cy3Z7R7>-h6Ugey!0bxD3*^{C8h zx77FlC*qCqy9fsVEap7p$7FCWgvF2j@FE>w=YAmFzrLBfhYe+e5VH%p2%)A2g$e`+ zP9%14Q*NN7wi73naqYf*k8^wK??{QwI=6Nw^^LUdWIBR?iTQHdCtJa6@7mDNed=mr4*;(tm>@uV4%?vQu%wPZ#vlj6a(upcFT@j)jqFYfI6H%obCeFP!7{UEhoUZmvS+FzMX1;zS5QFhFuD zqD!HyMX&<-;t-|z+GUfJ0zl6vVMNoU>q#C+t?3ab{wNa|h*?204UMIQ{NfZpj@VO9 zf}e+`HCqbsjbdR!vR{-;-ddK?bF*7_nAL1eadVczAR_#tX7bdpz?*PMckmlE1Tlai3(EU)jzohp4H* zm0SSX_C8%4?aauZm=u0|BLgSzw$4~~u9k-i3ujP~q8D%CCy=2xgBFw|vMy?KDnT)K z)uoMm{M#HZTg(<)PU{YWgWYoQnP=SR(ghI?!j_?l&{|0GHTzPxEPd6J5n43trif3% zhZo?)dAAx5`$~MUYa^HeOC9(Ym$~zJCNh>fYuEF=DIf@&MD~jP5_>8FMN*z6svEa_ zB}490(jeTO|6;Ku$QF?tYpz)pVR8&*;%1vdqS32aPlD5(l76ad7Ab7sOhu|j>Y!I) zb`f=GAY#D!P;V~s8UEz~LW@m$P63UpX?M2xUUr49>n;VP*MG0mGGld6bmPIcV0+lG zfm;^BNKW*exU2bLU;-TU{{FC=$r*ETk{fYZc<+(CEz1@q&U9;Ju0%adCSJd0O?o0B zWf5I}+kpR{0TO;!ML9h{;8vy<8_U?f0U#O}(a0#@Q#ZV6yRq2&cYHfUdr{z;3inz7 z-*fL1sKTWZ|E{Lz4)Fyd5pUR&%(5CdEnOazYaXKH5|tWEdfBE4pWwdBD;>tq@nwWJ zR1Vhb*?+0ON=**FaMsIBL5^#uD2mWBl1~@i0wd!Ao8FAkeo?Gce-Q|RD^vBB2g6g8 z!5?P!$M3Z26kV6CiIZpvd~ z{CRnV$Vt=nck#3Jy$J$nP9C9Uj(fIoK);^H*n4~b2;S>dkU*D${nG@$gLu*!%P8%^ z&$sm@r-ZTO?o4}|H^!gUigfoVLFxoRO1*NHkd1@!3WKW!XXe zGkUF>t+>jb%pfSEQ3bWobdHf4*a7@tUIQg2dQ>4R<_3;|6~&_Yi_Uc=4`S7~`eAmK zc}fA8>gbde7tsR%47qvqNrt0uF?kAWt5BGWcib_Tu|u4TILI^e)Sdedg_E= z%t4xTDtp_(dUPvE?R8R3?WtVbB=z`Jg}G`xA~Ae%&AgGs_o{T7BJ7)QdF zguPBh4v;HvZYBFPV?T zVlu2$DSmI;?A6ZeIr3hDWUih=#V{ATHwu>CJSiEi7p~{JAL;x@w*x^WWDW~e=xQLu zK!dMbe30%d? 
zVk1oEji$Z1ig&!CcHx$}@)WHGB(oYd2Y818n{+lgl^JF=06AgkgxCS~e)ZegKFxWR zR!8iFSL%%S%dZ`U2Rhy%t`ACCUGCE+Sz7C7B+ILMbR-TCB4Rsi$2~h1aNa*QvIv=a z)@c;%GoNvb!r52{fXirN*0UI^ch>J~XXYJR3XLE4TxHs6xu~&7d6vi1&=XNHz>JPc zmj}@~yICCy>SaT1hwspUNZ3MmKVBG$OOOvbBH+ghnT%C3A5$N!QVs_wKEPEqk_3*v zuVoOtK9>qCmF<)7S}a$gH?Tv+&7smWyv_aevB%^TVs+POsPn#Y3VFess(Z-_=*rs$ z;h;OtXXeT!j$jLIda9}(f2NA-AfMdS~*(hyPT5c?{` zRD}G0V(1nIfH0cAynJclJLm@TIx{Yrmp*O13tmD1!22>_R;t!!a{~Kjf#-c|4#=^~ zUFutJB^`^pN5hWM5lblu&0@LVU_g9(C!Gg^qZJLlu79OAADcgu406EOmHZP+Vz!oItd$BllejV+a=nGXI8*ShmKRiFOPQG*% zXq||5YZ6&B-4hps*B`-5M|{#oW817ADfu;0J!W*$VQ{+n@?znWp7@9hTJ$cv{%%kbTJ0>;0`WQo#SLdo8*RL;s4yq&x_Pgr%x;<)@Z4xsH>xX;xy3L_)v@b&;|J;ZXrU$2%|T` zTqUR}*Q6eth1~ZvzIClb?BespoZ?&8YQeme19(Ig8AY7t)-4=LGQn0JksmRC<49YZ z+;mj}MlZ6gGcRY+Ibh;i$5)vi9?_Y*znpMO1Z_Mp^!I%Q$Y-~?Rk!d8?&_Y=$kXg) z=wv^ime`pZNU&@)E6c=glMwJBXiLd-%>NWF8?%@c@m^17-{O-1t9wLXjru|l^7RGg zLJ#uOS^o+eBDKtbEb3kW!YBkUKIF~+mEBAx=`k4~mJ1aQ5H)m#xq}&6rP)DbzbQ2t`lpMXbv7dB0E(18Xh3LtiEI7XE-FB*%mqpC&*T-sa$3KS9$j&mD^UEd4hkvN$<&}%pJ zF04N?{h2M=4_uOFA<#jxnl0{H$S8+5f?9dPf48M3*x(vU@7%hA>~M^271VIP@Xy+^ z00fH7d%nDv@>nw2OmI%VM2a}^mPN_HY6L-1b~b7fXvkDyuw7u#@OptB^j||q;%SNE zt6gP?gbOTPU4;;YLj`M3NbaX!8v)%^KozT4q>^6+UmmTky;2peM}e@&-un$AydR3e z7IR$@Dp=$ZaTaj#8vHzR2#*B7zPTw_UwI0HK&OlXwnE*vDa|||K1{fJD83w-?2phC25xA%7uzS*6Do5+f?zMN^dosfhX1ekI;m; z%8lhO!tiEKFT|(z8x(}8!a?wn+J+bNqB4NpD(OS368Y`V)X-Yb+{Ovv^uKn)vZ1Zy zA-H)woU7pkN|G&5MMt*W4h7+!Kj~sk6`14gF4w0t!>w)-+0XQN7=r0%aesp(?BF{| z;E(HHQ3Q2T-=u(DRJE|%gNQH&_k;_AQCkVZyDEJ_=~o{bB@l#nxDvM=x$YI8DAWk+ z`8!1bD<5mqU60@Vmk9E=N{pJRFy-x<4^|+UJO(1mX$xKv?vwSv_WaA$wcZx2nHbS25>e5?$9?l1vYC|+{hjj1{mcG1;cCe_}RQAbR27KN`VvShtm4DnG z)9~Bg6AS&*PVUCKuY>cqub+qgXTgKPYKk;E?tUDD_||vDxW2@iDeh~|A*`MnoV9O3 zE@u5Tv3IoH6^8)1I^0!g2b`JD{H%KL$P*XdA|%yGv<-LiWn%`H6p%{2|Q1wLXmTV0bmP@Z*-u^($c=JO=m}HcE@7{yngwe%o5( zQ{b~g#oVCR7{2tyecU~@SHhp~=tj!uYY+Ep4m;H@q*7{~o7*NPrx`XbJ5U=D*gj?L z;b_5^O{A~`MhSp|=!L^intt0P`0@yCM6?@0N0I6q%k9eO)u>TQJv+JILF!1`9Rc`K 
z$U=6yEODo@sh(N`$vBBrE-)Dp73TFoHYI=_xPbUiW^L)mjkEjWtT8ZkPpiEaU2*FR zsOYigwJR^3St{|p9@~IOQ z6zM-Nu(&2uhSO1`t?q>_ud$tAx2IMoEpm?Pj!P&-|CS)o@*S%|kqb#Bzai(xXg#zD zCX7SSDBr$|uC@b(nh4DOY?EeJ>#y#@n?W3zt*?>LGcNF2vUoSffC4+;ZOE68>br;* z6Ku<_2CT9&hd)o>DO5iD|J~nN8QjIY`L>q>jLsMAyvND-vbThxDJX5@_)yo!%nmGE z6D>-k5Rm#hhogcUklcpkHz6Qm@LhI%dw%!_8#fQ)vSCoYF7PYbNIF==rqlp_V9Ze0 z-+$+`+_&GvoVt22Em)Y5RV~=X7<$DP3^Frrwn&Y;80C99%cZLRpYbUBw+FaRe~I%J z-b@>c$(~q!z=6ZORMpKj3@ieMmmpT0ZY@cgSZ60(!^5+gr4(}U?SLfw>FlOi4wU$W za_D3F%swR^-y=8{5~ng~OS+TD&iKI_z@}Y5dA6a2()B}xNLJt4i15G8Cevn%EWJXc zPgtD)`O>wf$HKL4Yk;Yx?Bj^*z$xr)o1``cP%lu;Q{s>zn7oJCw+uL0JPNVmt}4~s zTZ;n0t{!ViK7#LKwK-BC1M!Q!2iy}?$lJGqm-`y9Vh%C2^Fnyij+V(NvzHB@qB86; zr%8H66l{^CCaI&-Zt+@<8t9N>%Svf1A|%vs70XVWy`)x#oKS#!=m_hvfWL%eX`pD- zOS&*NoDj-T^+K_^JQt7Q!!YJ^5opPDrmO=JPr&~A7_SoA6PX=`-TmFB*kpSXeJ(YA zLL4pvRwM^`K~WGF+!hN*x}ZKVedbwl+M9L)bTu?w z!G%5Mo=p5%3I~;#Rtd|RWzThPx1yFv_xQUa32J+$SYi`CWCA`W!z2pLpXd6B- zTc|E`^41d*`+kgCMK`X5k%xUu$=ku6U+bNr%+!-MJoNz)7%cVf%11Dx4CXg52bf#s za6ACzQ`5`jX>l%Pk@(F>VC#m>sH_SUdvwiFq>GkbK~)zp_(sDb@CLOY%=SZ??Vg(q z;$a^VStvz>owS5H?}ZHl#te#FWUBV_m6;SJx`$OEnruGG%ndTMuK5DQ-SI){<}M$n0P*5bQx=|!HwjVM`!TkeoJWPa*yN6q!c$_;jc~PqK`h`?GrIO zW@9I26RcuLW2&VICdni96>RbJTV^99u-IqOmn_UI3Vd?<1tQf*`&u{(U{f$R!!q-M zrO0%s=m4Lwe-%kKC(0LtE*+55-H~PA>w^*0euMXuVKyS>6zMlLX|^DV(TqvOnQM1_ z$L-QqrDjevtkujYjER+d$ywQANZ$1gCH75tB-%z1#;qkmED!&BYk+OMXjXRmhgDq( zQJln;aGpZE=E(R-^ho;Teep^mLEVOj>VvH$WP>JXsC--SMk{qCH!=hLg(*v+d(NY3 ze5aHl>PRA)p7jOdb&K;6jl6fDI%mUbm;p_QkK{!5(Z4ma;1|dsV`J;to6=tB1R675 zrWZDb~LOeY@N*D)k#eQBs*lt-expfNB;}lz7ghk&)LE#F4gIK z<7vTlIzgjAQwIbx5+H{}sLM6QP%{XUxYZc~_ZYKTB~H$?kjjz+RiaX6^Pggask9##sr2p?b30`J`_!_oQZC3ro%5mP5{}{fJFU zBnntw+WZd0u`1IZ$;)7fC9Tel?-^RaO>&oAd&uJN&!)?NDgpt*zm3Kn8m$a!Vhecy z!1<&}y2zucZ?edw7~YiL;gB3iSyY3Ehhp7LXv8CQn_|e5T~_o4LTUS?SqU)|PlRg7 z9xG9fXSal$m87t)fP?;bDpYbcS`J6tUv0%KsU2&(Tj6@&%W0`Sn*Ny{dgK6rySjFB zx{ImGYZ}*_z@`vEJwH>L2l;o?8995!Cn4}b#`*_7dhw8D@P&YDKmY}R=M(aam12*pCyR?>2ob%eWvdew-ZJl20gvRqRVBa;o^vVBHT%lpjPo*^ 
zpa2V3)bN_1;SFNq|IxNwTki2%jET7Y3ux!^oLFzab*#@qvL*+O?ePn+gn9Nd{5AJ2 zhy8sv{j!}h7(ucd1C2q_diT;o!~N5LD~*J-=Sv-af`Ah7Rx3F{lS(n+(pk9lN))+G z6l`_fjF2i?Z|trt4PM86tA*QZ8O?Ichs{M-$`04TEk1c%RKP8x$dxd&Kz zSy94SFdtz=+z$E#;6vBoIr^Rzg6rnVtjpPYLW{o_AsQgIH zDKNS03s&g6H4G$&VrjSM{8iXc&FMYv_rlvn9&MS(Q~+@C&7Wy&@&SOr$+7bpKf&`& zxihdWxIiAD00(EL;-KIPR9;538?dtR-b*vBYIUto12B-eaNv8eK9A#4-gDw};ALrm zIeJ*$SfcmNz8toTl63)_;U8HKH!*FWSpADBT)Nx%SRw>TcSz=+t|Z*si>zJ764=x)nzms3?m{4C| z9l{pklZ=Q?5jwk;D(KwqOR-){&)S!@ADR&Xv6Z%aaJ~N1hm^KRB_SX=O*1=>Gh_?a zhWI5{7S7NTdOts0iv@;?rw!3tKkPr(frmiO!euk>1OMLUjyl;9u_6fz>Z-8 zj-)@^pF!E7Q825U1#+vm43O#EP9thY@8XJc%0R4f$lN0*HJdeC$oZ`vW8P7ORTPA) zOs$eSb0QVKA1D_GftS9WfDN4qd>basPuf~M5qfE!I>RJl6lX0PYqp6JQ3vauKN;?&3m=Nk5^j7 zAW8!yVjqXsWYIlt9YNp9xRFm`5LGYdO>FL0Ab-P`=1QXn=mvgUOmw+Slq(|r@9ww( zD^`-P1+iV3vLE2yS+Y{n*Y4fpy)5#Bu;V`-b!Uge7wRlvaQPQbp9bAN&eEtLFG1(8 zi90peW*EgM_23ig?XPEU#OB$8tKMp7sTQ*a#Dua4j#-8fmX$ z-4sME?7n_n4%fhyRFv^ozr@3FS=`*@4l?-Wn#Z7=V;7Fx8h{c^Q~fdS zyDP_^5GpOdl*y}d9ah}I4Q;e7r(j*l*sV9{8p%MlmGi}Pfxp0UIJ^-Ti8V{F6#m;2 z#~>p+Q1Zn~_KV^%S)w%+42{2H7qAUkXLSDn$)aU?+VtPmt;JAavt+C``AkSNxhIk` zRG;@sW#@@*hwi~W_<@xhH8B^WtUZmnzg03H&4jwi}Z!#b3e zV(}5aq<$-$B&81Z&=wA2&d#05@P46;j#o=v3DZ8s0sqMTxJGU?R+bwF-y}I>gx)@UfozltG5}#K-{f@tG5$IU|fxty=5S5Sr)piAJKF=BWXBEAkQ}+mmuhSu2CUW6!3S9%ofu0N;0&;H^ zExaslE}&?e`rR{n(wac7DSJa@&egn>px%MECOAF`&RNN_K3?1-?qL<|SY9Fp0SHpi z+0GKqk8{{i6bO{2y)Um^)=SyjFV}~bE6$e6kbWJOwH%cJZ8lL_U$xv4J@2|VXL=Z? 
zX93Ee7lwH9IbfpT-&_7U-oiPs*p$mCf=w_~0L%}nD?6Nsk=%AVZsL_j0KXj@-QET4 zGtDDQnfSb4`RHH)7!>Tos&jBNSQkq zWNpIESWW1c3H+R$cgHyZN@sfLDD=Yyl-sxz1o_Sj8_WlsnFkZ) z`F(IM#^)XmN_ZiotTjn82~Jt5SUCnT|lV<7=5$X>uA{@{k?`yNzVu!f{%!bRxxoFmEt8=N%x!$zp_D zPRM1)?S0kU6)oQ4?xgV z9j^tf)O$LdrPc}Gqmn)m@9tdT+tI|>^DQQ&O-h=TH7aUUWl^=JNiD#dr(Y(`W+@3H zW^l+7UVD*pZ}6j2)IbBn@Jc=VH1w7xP$Mh0P{ z?rN+$tmfIp667UmME~2pLfiik5BcM%lacWz{v$p2^o9U{o#1+3bV&YelcMb?#&D3p z8)QeQ!x?y5mKDO(?_0|EKoV0J~#Z2U&woV3O;(sx6VqnuV6TDKk|@qorD8j z-_Rq@edORvbT~c`Lt}cF1vj?+smeBikNc~|$G`K^)e3r&zjbaIKBaH+dcA0C0{oc6 zodiwv0994LWMv;Lj09DXnG9@qlT|_TKz@3cD4DBC$`7aojpaE>d~Y!|>nxQcPC?ms zVvmhhT_Lr@7s#55f=2aP6L*hR)|Yl8?dY?FfnVO3rR97mUU+hRU0uX19I}612p97x zHDeHnlxiV`r!<@B4sk79U>std5x&$r!1m%H)CkM@e4HJf=XqB;|&qT&ml9xW0>x{Y%h0r6n9DlE@d25fuRIrG-fT+8`>wwA)Y zW_}3S=boYV($!DQy2!eewE{2pJQ)Nk`=iI-|Doc1^W7Ig=f)zLGU2qNqQe640Zud2 z7@@ohsdf_k!>Ktt?G|hMxAeV;4=WB(cB1G{bEoWTbq)dN&3eh65`?ST4_-cgT>&a) z@pfMlx;x0nf?cClMKOKzvz8t9+w?SES3;DYfNh$k$vsxBxx|&L$}I{?W^7uxG}lN-%s(4Anh=eC&|&_6#dQWq@?D?D z1ww`7_W@@``#Sb9r`|_1V6~pm^I6+cj&XDxpvIdm@Uv-9X``j$q!tD$iETLZiWYvuV_Q5hnu>;FD}4RYr&REDz3tBS+A_KPk1**sl^JRhnj!RG{DOVD;3 zT4^cS`-MYqOfjB+!J@JI`*3$(89#In_&ce_B9$C~*V|RRV1I1TpH!YLstVB&hzyM< z_f<9&x2oc}OFng%tW5oFH9jkX%SuF2zG8^oBIMrvK-YN1%3h3dC?HBYP&}e>p8r(_ zL6gol1w~-pgyH;861*1MBg~4Gs_K-q<^BKISc@$HZ}dscX;*rIuBZwMFJ^oOH$J|Y zT&Jz&%VmmwOQl<6IWRRxWi>`X@{vAOcFZ^5#GtD}0Ww3MXJ;Q~dwu|@vIo9rA*$1A zKn#TqSz+r#l6q)nmZA$ai)+5T_+7KvRKN2ND3jPe0SH)j(s3cTg2t|xh^_d&%emNp z#iCGXNw)qZbeZXLhGE`MsTvt~Sr0A$oiF|VdxHIsSXJwqKanfqnEtMUhrF(&S|Dmh zLZn#UT@Cy_1vn%XmE-?-cI;L$eTQ1a~C~IywZw6rpn&IXWm%_xM|WQ`-qN05M%uY*0B; z7>kgBwGpfQK?$*I+nJ<1WGX-BjLV;HEaZ1TrMFO zyT6YIe%NCwfWhZRD>1CaHY?%`>@~+S3Ja6PrLmcJ% zVIk$mXXgnjd;Nt_liV4*AskyGCp=0V+nHP}aJ$CWo?0@i`&|G)|7gkQii3`>@)C-a z@uM}M`>!Jo;{Vq;;NhzK=90qFJx--uibMEeGfw4cN|_k;UJR4AtcQJ4TDP5SxC{L}Z!L97Rn_dv87f3G8uCWKj@n z=9-F)9LL|wt5{yC62*@4rbWa;I%Lq|r#=B5MerJd6_s34<%tE81-FRmjaQ7h{yuVk zK^b5cHKLb+h&-2_jfD|~ovrlrt$kqP7b 
zeSv!xQ3JF)bCd@MCY%NY29=ui>|^L~Z};V4gG}Scc$z1A53%$2pMNb=AaZG4W3= zkVStKgI-r&T{_oQYBvJuR4!dDb7TsiW`tdBEH=M2{4QMUaO`f$0JLHH$#n@%NoHx> zJ2!hL7}_NnpYY`@|%5=kI&=_NE9tJpu8z|5+HBc)R6rqV#|n=h)jD?9`LryUc0G# zZ6Zg@2mT>zf`w7S87DQ+Hxvj_s$dzwKh)2wH{ioe(=r}}WU<_eUA^b(8vSdsK_LKc=};UdSUOl|l^_{BhOWka(05&nAJ_?T>Cm z(kj>d68he*A6GS*6HLFW3+#FPfK`X;6(-lF=J3q?5Xx=&f;7d1JpLH!almyX3Ok%I zdy7l%Cc~ReG3k>QS0`-kGklQCLa|O9 z46`PoX$TQ&O9(1^K0Rtq)s4pC3!>N;aqTjyE$0qHDDQgE5nz2F7d_&^c+d>>8z)s~P=lT%r3feQ~3J?ae zVAYqL$Jo*{m26f>N8p=P-IQCw+I@g-u&_6*`t?HG-McxkbMJ60`x^?~HYeDvP>>eX zr8BU6ce_kSct6#u!-+;-Cf7@G(9W2REm9SLv{z(4Dek@DJgGjZv6}cYd7pe?sej?^ zCdA@j8y^#OdRFe9l8;WVcVdOyMpDF4%VvfRUNaQNzL?=4c0?@yoMyrRH%r(ZY<{bV z!Kp#XK6J1+4{nPvGs^wU?YeZbf+MpUqa+72tHGBFs+?JN`zgf-TWn%D1W6>I!RT~S zm);Ttw25L2b$adq008_*H_$LWlNarW6<`k?RL&hpj0c~BHgC%4dpi&ym(I|~?RE~C zH2xjJ`pQhOb#P;WV;_?*b^y;{P6wkVoYJzLT=YvpQ4xuTZ59kcn{HKaB=?0#g;^c(79 zwC^++Vgtw?wz5Xzm(SP96Duh(?f-a`1C`~L0QPhLV-UugJ|bk}fF94UjGM{7jhBcu zTWt6K4Ws3v`Jwr6{MMv71ng?r&jtSxjJ)3N%nTgO*Fkt%002JBNdf|8R{3sd!3g{;t)k{6=NcQSQqimYtwEQT zOurjynbJa<8y|8;X|u_I?#fjnjeBL?7eY@(8|-mVE@w1B4d@5h_d?pGGJpm?w{0}o zvzGPVAxJGwS7}uwYYq6tcU{Zwcy@Ao(HCOS>MP>4l?1s0dnxG{Jf1og5K_AFH1 z!iagYM+8b1R&!;Twx-1TNpjkEEtJ;85w z3|c5q^{#G?<<}&j(Tj@;sPl#1`G1so59i9FJV~G54i@339s8D2bv-h^O3)mqXcM_a z3BRxmLPd?=&QI+UxUC)f0RCO%^oxKm6>_60pK%vWyr5NGpgVh_qns~rjRZHzcsWsJ zix}YKc-w{{TPPEG6V)4-6s!b?Pg7v%dtuT+Qz)Zee|YQIad`R z+YJh}Q|fT|BeLr@jDXC_4S#g@Dgms)(EV#$K3;B+#%tSZOuv>-@!aqAwzdesr{#~} zssJvRX!qc!pkbbXj75ZrBb#^&abp2|jq zdadkQEQMHl^Ao@7P^U{UBFQiJy#}|-EnXlZAj@wtxn`3+M7N?Xe{!r{K-W#opQ*=0D3x(`UF3Se)4)D?COk(J%pMb|MG0`M)S-pDaSB{ z?wO^KDi%=ey%<9rZp|ZEV!#+UHze9g`Lrh0#v*u{a?x@Ewb^h7YP$~Ol|HScUm0Yg zXlwRCQmOH&k2)c0`7QTRm-aU0eTFv03=~`H+DSE=%x%R8DPdw4d0wm`C?9SA*ML(ChlL&X z%euZ^NRdcU(`S*n@iohG%|8$%&TK5FjE{QKG@6yjbEXcrLCLV)aMmIjDo zh}+oOM8e@>AT*616tmvC_OoNLxik^V7bW z)#lP{`oe)NG81M~cb90YPq(Lehx^JT*>knU$a;0}OwWJ-4_&F;Y&+_iw24E_Z)Q2m z;rla`H2F)c^R~WRxKeW>brI-)J!BQk0FntZvaDnl(N72d|0tCW_#k zsJ~ZGXJC8qp7n|b5iYDg_v)L 
zTpA@LK0PErm(KwrhX-PPv%K~yZ5TXn=<`bA|Imo^_?5&nHeTPj1grB_i-$uZ0>vmA zcU`?0dBUwsEz3Yoh0et)X(d_hnjc%SR1i2SyG@#AdGSw!bC$B8OZV0$yi2Qg`Cvv4 z_IyFFKX8&lb+By=Y4nhfJn#PGoPs5<9$mv`g5r))4#|Lp9ToTpvv@uEE{<7!L4N~% z`W(ZG-&1sOs46jyrlnG#L(cfVBcl?HL(RAtB65*5vlKMNpk5tiFlI7|yWF`LTwyJK zprlWiG1LJZfFK8A$)(0n19CKrTTZ1E`C)XGNbZ~9#G?1+TvBun=lZy%i|KquMD`$8 zO}vY4@K%Z$rrnq?A^2ynx2Ny!wV9+_&7|?3+(x53>3W=oV7jd>~ z{E^lj>=RD+SD1h_;MB|*VmsNL1WqRlNWYj<)o4cY3y?Bd7TT%dWe$fm;d9|0QPLSK zUQ=Xq0+c+&0Qg3Z`_XdC_;8KR9Iu;*?SXqZoV>HvX8_#ddgM@|SB_#9}Tb!ZQVm>x&= z0jt(<4PLW<)uyY_rMrk*iF*n(ECGxPLAjo`wx_x#db0tUClo>QZr$svr|!QWxr)EH z*GzKzf5Bu8%-Khb3yva0VSW|kNbOz!08*aSF(#ILp2{|A4g16SkXk=bevW0!H)Wd3 z^<&*pBQ&8qHFJqIFW=p{;%r>5yVcLNk$8fWah{%cMeL4&dg1Drg-3REw7eWNX%{~V zQh9&%SHd472nH~UB}C>p(YI>N@LQ48@6t5x$SUE3`kZ3LuIx7v4`Udfhw=Os#~)2C zPpm{BuZYS`nqOKb2YYZwe(t9T{yJ>uZIy$-p`pcV@^NgVxxIH*8mQN;@GRXxI!PMr z?MtA4H;^&pz5SP4d%S9!T`cOfOZ><#&+o9@XBI;j8IO z?(WrH+qj;ah&9UIftBT#X$Cu(&P2v@EY{C~7V1I6gdRcdKK`2}o&hux0{$s8l5Hc$ z6*aF?o_w4_P1Fa{G`p&=qgfMcylJEn6(R?dv-^{#+1pfQ2@jHK*k0kyKBiuZ>WgQ~ zmxg4DOInJPmdwjHHj$(*0wFZ|Z$U$+RAuFvuS$wy@^j}WaO+@O7X7NVel?8~>Qe~1 zlf*SzN#N#vg7@T{?MnL94r8Q{;GPmxq-VSeBE}uOX6%53H|(4r+G|i_!iAM(*-bOA zh(c1AglrJ!lodsro!C*a#o}YgC$Gy1O8XyK3?5^AVSpT3)vTmYS$H{0bFj!wpSx9L zP1C(Arvkb&{rB%HdXP`SCU+0VkA$4|sAqT#lKT3Z09g6JhiElva2l#y0_=v}!|p@7 zK~+~lCpV1%h0RmeHMUC#yuipnajknlu!|WVloxor zys-dm>=8Np2_i;$9;(|itUMR2Pj(fTF~*!yevsjY)}a%SrmP9wnW*h5!3HIO<*fhQ zSi7#++538}D{MqrZc~!9wH3)IilwnU3yL6ym?Fmwx!YKK_5A_g0}q9D0)HJm{}F}# z<7NE)1Bum+Q84)&Uq!!o?fF=)xQa0V#)W!At&`(*D29GubFA=cv8Vu0ZC>yvd+dgQ z&jiGx`cEBMkZ5MzsJ(h5HR4}K=`G?-fRB^D&_w|ep(<;ujxl3uQD1c><5pCMo1y5m z)}c5SdEvEHaz?sU=*MZ`Ku#Pi5qv8HPa&gc^vhrIgj4U>-W@<|_e_esQJA1VJj5nz zThcc*HkB~068A2)bIRJ$9!_*MX8G;#zoT^hL>XDIZ+9|xQ+KbvDF?7Ddh zrJgCqKhYLP#KhU@f#km6PVE-3YCvr)a;XXIJSXUjr7i+$Ii0W4SbhU#W!cD(1(^R$ zTm{A0vHc%2(k6ALggYJw*y8Zi)<+|{jypEgB13t+Mu{%F_^h}|l}|wQ$s8VC6i!G+ zki-_j`LlSJTsG%?IVQK z{JS)Z^AM~3&TV=nZxZBv_c2u(ZK=a|1c3yv&`we&ioELg 
zlAS-T3&ifwfCOKDos!Y4+-Q1}>W8>q)G~#mUXs@6x4A|z3ExkNVX!?tkZ=N4j`DtJ z$#I=`9^JsB6PrcM0U%GbP~CQELiO>WGhC5`Y718b;Qt~8l^fTl;H|rzT|zDbzs;al zx9@}9X?w>@-n0=IIilsTtTW#LZww|pLNJb40(MuR)j3_LwH{r`x?53*OlpDx%pQ<; zC81!0GhY-S2F|#X&s@dih^;TqbY_M!Z1mDM*fnZ|^NK;t-a|kXz!4|TLjYm=@GfTE zc=SRjZMpnAnVR+1Wbf1Ag4L6^Lqa1E)Q1wJBPqiStaUp0w}x%WQZ=9pAd!$ds+Ouz znM3%JkrP|kkCh=+QI1vfutB(nd%^=u3VU?R8+ahpOC1_sb@Q^pY6$OE_C##v1D3&b zX}pf=x~B_8(8K&_kF^i?62gkF9Z~tIU}7>(cM=U)j{KB+>k}QFs02ny8h}yGX|NN!uC=Db{X!Cz zHB_P#7q{-p=(z^(g}0`??1hX&JZN?-QMs+%%$WXV`#YA*2Mw}8Mq6*&oQ{%Buafn-f!1VX?+r`*lwo#^rP>*9>T`_LIw8xJRh*%I$kJVVlVw-KM7}!9nM!>*Q`cg zyH1zgT1smQ6kfhH`-=M=`dJ8*&hPmJlOHTsIa@EaHJ$3N-dEdtF0*%8XX-ai)@c7f zYS3T09NcZ=z!fMDhC4A^3d7ikcw%4)`Gl&=nc^Awgp&K`SGQjpg+|iNCp4#XR{!@- zYW%&4kjJX7t~mv3AUmCGTXxV zBe%ft14-G6^8GxmNFM)vopWBYpPs7UcMxY0x9-Z5-xd@)A-QyH*wO^)`O{21|LI2oy1QbncnO0YqwN&q zWUgdMGf`R+oD~+*BO=Ttn~Qw@6Q1U$Und;-lA3@dHw>u+s1c6(n1g*+FxEy-+5(g* zaw=Y#TS0Ed6&z7|s+oWK@LwRR0GaaRsBGrTkY6y02B8gP&Zc&mReN@##OOB<8PzU&4hnwT z?|MH<{{rh#+$E{7Pdb0~4kWGD-vM%kvNlsHz`>NnN8;;sv}z@|hK6S0BR;c)i&r|= z2ZIeL2G)$shaw1`%=0D$ey;MF>yBT}YkXC-ufP4kTDMUp?4S#7QUZye2378__p$?Vnl*sX`v7F=haG6glHruiLSX^CgYYi}^A+=Yx^I5u762cIy~p-68mB?Neo)<$x)5m$Ala zS)p_#md}l^{Wd@k015>~N*b$}8;hWZb)G6bz5bcH>qF$XJ>afNJq|!5;3-z@Th`Ss;Z~tw&N=@yED(N~W%(^uq{Nv_6i!w4R&Z_)dT3l$!a%p?JdN~ZY`+(% z*d8mL+I!AsVp~1sQBQ(W*{Q$;EMgPN7FRxnXb_3-m3K5*X_&?-5(HFz@5%u$5yaa} z+kh*L8G%n1VR)i+B_FcWNH}gBv+a!~duW2caZddv*7+}-CCn4>g2KzM&_yYCjdYpN zn4vUE`@|T`KHsK}Nl-%#N8`-m5zFPYT4`ljD1Tj)64#P;uQ!{k8fw;++nn)x@eg!g}_NSKR>z0osJ zp+c6H?mqC4v7mOJ4V%0yh9Z%x(M|8vd=Wh8k(9GQUA_QP>AY!ws=-kNPk4 z`HjKMc}}A$(e|FYHKzG*p8Yc&`~$t*swozI0deb<7FH~#l16xKY`@p|lYR|CJo2v; zHf-)F{J>I^eJ)VVJf2Vy86|L02GR?od z&VQ)}45VWS7FRR8W3PhO|Ca>Bui_9)mJ7zJLXAf(_1TKoC>o2!_aXE~tB+lnRW?7z z5L@h?*8b+`Z|jCS;x+$gJ6dc1e<6kb*R-CCMVKIVc*uXH6&rs`fkTxb(cTFqMGK!_ zds7V~W=l6FnMc^^!)?t!s9j2cszm-9eAR-&w^UO`gov+N4H0;mfR*I_iTA(YPpk2( zRe6ANuc@0IDL(`sUsKGiA!ax`^MSb#Ce-f<2;X${+KI`i&DOv3-9Nq?7!Eg8_opEdP#XFopqNMKRP=wFd(%Jens1L2q`sUZT~IYU$Fi&O 
zxUn%yvGoqR{Hg!qK1RJ$BL0aoG+FDFF%K2mdzcz0tQl^FAJ4t;oZeyAl^%w+7vabS z8Z^rAYh42QxX%zOQk-Ok^*9BhXnx*uF|Lo_UQF&)b8L2fhcUKEU|2t7@^@SS#0&IjYEs0(SK>wtWL54`J zzK$)e(v4~COfdSO?%(@avX_BTgm2BH@6owWOc;iXw*snUk(C%MfT%8c!|fY61`=K- z3-P=Zt~Ax))tF72L0;$K%;@|Xd|CaKo2Ir*hss~2oF30FWD^c3&rAuwVJaF` zlAp8{-Es$1M}3eoDe668ZC!Km5>40tu3}MVAUvK&Y(=;KpO#zg8u$OS@_)kjq-{n$ zZn~u8%l|N_pXW42{;VYa7Jq9{L#H9TNJ{IWVI4;Qdnx??`l?Y7@bNho2l$txNZ7N6 z$m-LdtXS`ti=l&)X8&PJ<3)<%{s2galmJ0`Lq2XEK|*dsv_O26>XdRoef_A>Npr3H zP^Bb^Ez0(+`3W9&he9nlk9C|m(6$rDlc(%Eby(Uj2L|rFao$22d-WWU!J-QOqEfvh z(D)hJxY!kJ0H8hT^{LgXji@VjSl>Y-;3T$f-8Ea+u43>|dsTlIl^KOCUgYJ6ARK7^ z*ar28kW~AWiLn|u-<#Bzv|-F6*8PR~_bk=2sjPralrOjod^U%ig8PRQBzVueo~3h) z<~X*X#6Se}K|~jrhCMctzU~xw7TTs@E!dfWv(x%D@ThD;;{x)V6=PFepvY+u`^HR_ zdrN}6sPYT}>jT!Bp+W=y(B`f+RNFDt49xxg_gUGF_ULZ5u>g4s$Foc20 zCx*4JO3B4!@qwt|%%!riPEXl36z?gmwvWfilv~hxbcDev86dr{4LeKFB9s)K-d;3- zvp$=e&8of?OU#|bD9ZbVi=mf^1W7TcLVSRRn>L#CkF97Ba_J`}r}A^_WLNOY);5_VJ1}+^E}c zNx3AjpG{gCk$#^9ad$o2oAlg{ToOUAE`AkN?YQq_!g14CC0Y7xM~yFUaAmhCyLGoN z;*NE17!U>@^gljuH>A#&jSd&aMEdc5P|f{Xr1!m8R)g)!(2z*99ad~X#2J4V!rdD( z6BH|?AOl~J+fxAjz;CPqS%>F=71BV9JGnm1Um7c924=}PZ44{Jgro)uncsUE(DIt{ z89ux(86t9G=WL(Kd18I?xf{OavAF>Y`zrWuW4~6hXJop;Z@^#;W-+6b%WOw2@a5&hp0hk1Vb-=Vqvc zExq2vWa6uwZM%E@38wQhBICbM4)>bU*vQdI8VjM;89L;AHvE10jSq)s;qAOx=$u7R zM;|iUXmRP&B*znNhiEWCnOIUq@nlIPA67c5Ie9lBMK$sh#Y8&rH?`6sOl2lZ(osH( z7%v03hh9FDr0h@}zG!1;(v5so4f@W-#-K(!i3?&G)g zIFV2kjM7I}0IkAy*6H214xzV23kV1^-I{XI;L0v0AYo=C^9x2hD&)laje6w;RXE&!9sb!(JRyKxjoYN~^0Tt-H#?i)^l5fM0l#1K@ zuC{5obp>KB4Fy>Nar_l`0+B?=AkDpFNIbbuXRUh~wBcRY+!pCckhUoZr_HLj#ypU? 
z?uU%PbfMQEFDYD}l~*%n)RnWcf1`FA~F-CLQbi33B#^s0h@y!dC$mI#jTq(#s zMe7BJ_$CUIiiq(R-aF#pX`bL0@Pk0cn(|i^_PE5t%LFSMw@-8%)LC>mPhxa%45ykX z%{xeZF|&evyBYzrC*@)xd#}@Ql?a0ov9n=#ry}+UqCtUw(XyhjXI`m8C(hHmRm?IY z&lM*eez?sEb&Pou8z!sz78>`gaa-Uz(4gZlfb(;ze|{1 z**MEdH;^LXlgd~^&*C-YkhECkE0?QramFQX*0ORbr)*2oR2z2eT9q{?$k3&iL!poY z@0{uTu)mJ=C$+7Cuv8q3I>x!uRDKMtM55eyK=J0%)_xaF_S6=BSd*iZlx5dlMAZUx zY*kOf$&srASfrFp`L!+CQed=Azb_-fj9E>4SmSKiWgQ>U&V<@eU#;A#4!N4I=3#=- zOz-%7@zvd&8`Ps=&A#Rg1HVatxF|)w>J*R=SgtPlqI|a3wPXPedOo(MiqO=UKmB(F zcC3`d2kdDISn5mZMX2M4^3i@$=JIXTQCoMr(>zKFe4&`^*=5e5gATdgd;?IGv=<47 z71u`IJMzRG8+p#C^)YNg}MY<&9yjBG?0L1T+JIP}Y#*$^6^*+L z@CLUaVp)n;nBBe!%#tbPzx<9Fx7Gvc#(_S!CF+1{A1Qv*ki2h+bZ9lqgB{G)G_9mg z+S=n#CuiU6o0`%)U1F$ta;UD(gOhRKlKIl7c8_`MvWCsiI^RxXkaNkZy#$NkS)3JG z=2px{0|FqOmL%2|nllk01NwfT#rh87*hV$PdG^F&{%U z{?tiaHh=T5u(ATR64+sL(o>Qjy^FWMq|IJY6Orh3GP-m1mFDP+Z;LIvu=>|fX{2f8 zRSnnU9GudRfcM-;8JHz?>fLqjjb;}QZm$4{(4)%!#^$6g6WP1TBPMYbuTOFR{5K50 zGPmdD+21yDyWz&!Nhgqm z#K5JjoD2Co`vu%`Y&S&IFCKP!8bWHiZ$C0h1scexzN9+gifiP5oF?ya)Tnyiuj;!- z+}{Y;3BxLlsa$`uEhmiHB(`GEypQZf)Sd)-a7ccQ9Ej!{zgA^6^gW*7qP8~gTJf9s ziL@gjRkVq!%lzn*@_A|7wiyOKyPK_48Kg!TFlNU#`CSDPgzd`RFI-fpx|E{(G^qV+ z3ev1$bq`o$rh{l5WfZ%c;C8Y}y{t%+IZ+;W#gyD3B$C;Zdt&9*H<@k776}{|%G)tT z(}`4CQ2= zW+U;-#KHP9_*BA_59@vYrnJ}1?p|ee}toLMFnYnk}uKK>siNm+U%E$@hZ6qgH(qKpJcve@EE9Hai9T(FbZw<`#?*zIS0G^c5JmZA?|K?vIg5?A z{(WLa`GWZoBbH(}5K;E01e*kh?!IK?do_89!=s8*03T+><>;)*T$7DQSi6?4=!rgN zkeEK8rCo^+_N}S((tMf}N*z{Qd@Cy*CeevxiRacaoInr}^A15K2D^B@lksvuA-^$> z%CsgNeN@p1`$FUQxIqr-w0Hp1~6OE&|D3 zkbmpJkiW2#139$e%dUOj4L)Sq?$9y)ivtJ6AMUA4P;E}sGGRUw8gn()LEb3tbA-ad%-i;Nl`!l=-n)3HnbK7RDa0DI6{^p(hKsJa`SH-Y(UC|l#4~?6F$!i0 zgazvf{EZ_2(ngzu6GrBgdu8xB;|#yd0ojy69qQ+)y{`BMCUVj@h_^WBF2$Ce`}nn? 
zp$>*tj|p62lk&um#Ft$>{l*QZXK2~@=QpAfRIFRU3O{ae<3bFs0|WI5710|hm-;Ez zSaVWH|8GKh8-}CBWDZ40Cqjv*#_ka9Elw)4_FZVU6XI<@!ITCG@k07w|SFjGkFSED7BW%*I8<#3 zGPuOg`}TP88C$p1H0KS~Q{t(m?%2yhLPPLDy7w@pdc(FNZ2}EHD|zgp!~7v1Ma2RI z%`sd|vO@@(VME7Y6E%1| zF^^8W9VB^}FN?gT*A8+Hi4Nlli0qiT_*q?m^Bb?Qc!mYx?uUlA_5Ni30rZ$*H1|?J zjDAD=MmF&)(B`EB_1BigHD~4eX3Hfvu3xGWQqZMT77o;<@eCo4?ir4o!Orw4_A~1)t4E18k}4$T8dBr zP~Q&{Jdr>Ud5sp1xD*jN*K`A-YGg%3_-OvFVYKIn@bs3(DOYv}`|sWph=Dp~^W(Vo^5_^CTIB|^a85B~b?xM-;sPY@y>r}!P}brz|lUXa;+@wl*b zB#7TJR7}T{YFWMVv2QZ5B@{d3V3!xX8W$|QARTTQ*r?%eT9kP(0*sgJgXSNgb_nS~JW|hjw5X z`$-sAsidHUIMK0qbR+A|5I08JSBTJqPGJMOr=lG-q~O0Yj=v=DBS`?o@S~TAhkOrc zM5^Q1v}N)IBu{+P+rs-?Y;twe`Wu6%XFj-|1e*NJtHf%@Wg57BG(|Rngw@Q!H&Q8i z38V+*C~I4n5jdu{7V=RYxv2nm(2KWZW*RU4X898DB4@3#r8r8(7Wk=vS8Y?=C1xa; zK=wg72%G#mrpKNx26{8E1SNVtUb5O#?*?L0=EVH}b|?JD8qnhaP1F@ui-Xnw76`1+OLcl50v7|#qM>*Wg4M44(afQs zV_;Fj7^hkE%|&38Pv03zBFs>8K;2rt*_}QaA(#}n!HZ3EC7!iX7_|V`TOJa3H>scl zyyKjY$|%>0#9t$q$K{>{I_fL@1P~+us6`83 zW`6r{$6wf%op$sct@OK$^$UCrDhp`eXuBBG#n{b!)r4r&ER%H_uqbXSpizYv7K~8A z0Z(SfA)+_HzhZg4dU!8UkAgkHjU4#UoA9F`y%pQ;ib#SEl51l$YWGIb9o|EdDJ#+l z2%i1!6Nkpd4ZF<_m9h zDXWr-H)bV$kDN`{T$<*o>VX7{7lBeE91;q0N>s#2v6Hy861ebptu$|W7D^^WCmWs61V0o?I zjci6z1!DS4V+P`1SSaI8?L%TH-AZ@YH~3W;`sWChkvMee&W)hMYijsSyS6O{c2^Sj7BRdEf*AIse`qGmyyRngppNHC~5iq7K`&=o^XU6Y}YvngteX=QY zAJ)xytO2B)x^Mg^Y|I|8)S(XBLvD}C0+)@m!>cfDH?D?x#w@q=OBq1d{pi=|raMPo zsAJ|*qRqCH3mx(iycPmf=pynWugb=qP9xfbWTgay^5mF*N77tjuLtWIK;(TSkOg()uwDLb{}sb7T{ zA4b);1aC69-7#xuA?sviJo-|oro%R2C41{zV`$d*33ZZbm_{dnT);M(^ub7FGl|r^ z1K$IH)>#l1WsJarNaF6`x4tT@q}#DNNUkAOZoW{hHE(JIMB6ok5CmTEq+^+=NUqA= z#+l5pV?Z$3w}Wi>@**A?1R?S|5C|P~j>ciN(-C@YW$LeqjMT1&ZWx-5uDCX(kYr?o zq(P2ugM$N$58lhM!FJBpohdpcRD#u9`}jAtrz_kGak7vPk(^Iwd0>vP0w~B$>aCB4 z#t{}v;EGE8wT`5*n5XZm0(Uli4X`ooBPVI&hFxYo-knTK9=_Menb+^~K9$I3F-jb@ z#L^>%Z6Fsa`~!BBGHO2$Yq)(EiRh{EGPz;1c-u_{Jr)n()82Vfj2Rt4wACxGBEC_(+d>gvH6~x7aX(tTO|BILvjNCW5)yBfo>0UC-v|YOe{5I%EQZ2gjt*%?Gsm{tkpO^)@S9(U z^i1}s;aAG1U7ht;@-Cy=!>g~2fU?>YqZ<}t^%I%Rz`j5d;_CTC!<;O9ckF@pPgDc7 
z>-~?l{y4!PhHi`#jwWZ<{_*wf?ZZzXclz-5uZ_u}UB}jSI}V)a|7iThbns7i{%*4S z+o*r){O53jzfbs2!~b0C3F^;B`G+egAv5j$ptAW11+Krk(oVF99aZ($H^rn*6q}FE z-t>6@fFfE^syS%X>W9(dOb`=2U&7#pWWeu@KmO&Jajz7Nn$IA6Nat1W{VE1`Xx?Ke z_Ld~5M?C+=)$ls>BxiE{jJZ3dKhz(O%L!riZt-+(@`PA+gU}*0r1{g&tp(5vzzhZ5 zIjdq^Q_&gsA?Qqn12fEr9{=3Q<>(^)kADFWPpzb7ER8t_lSfd+8 zZ713Q&?}%je5Phpps}l-ijIs4a4UE3IkOL;Hs&Kc_dW8lRRv!sUHtVE1w6RW{?PY+c#ZHOF)#D}Z7QkMW_%M*&ot+0hH%f<*Zd(q$8aOh zUI0iDf>EceIx(~TZ-b4lk_*RaU8$0BE|RluSGwrzj5EhqzVXb63mfe)nS3AC8^f#{ zL5sBgT7j@M!{tmA{Q_{4;;*c247<{I7{^T#RW^W>kmns(Jr50hTPzKd+50D8VEK9E0;}dbqv5O%VsIoWehQQGi3&DP zd2`*-&K~;i64`so1TJ0bnv)@naNyP~te8h1?KY4Vp3|hblsmSP|ATk+3&t&7Q%_Wd zxdrzV5YM4MM1*5C?K~t)O+#rRgOe7KweZ3!{6w(P{!zhVVSo5)q62Zpeum6jEei2! zzi8xXpu7}YpM!+>@*^AVzTORFMEg5$C)iusgK#30#*eMM;U%2btZPKcR}w5JlozrH z!gI8+X_Kbe62w@|v1odeG2OO_c{d+CX^9%;>lrY~2Dr;tCSP@Ch-5iweW-8`F!>?A zkAzM7cApm*?fe9BFP$BS{gdw2=!Em@jb%g}g9(CeRWEEtVGL=~4MP04MB0emLr+dMJ$y82ixE`?jM^c z5|U_6_*q9goQJ>KpZXDPF!MIOE{j+1q89S%^|DInqZG8{2IiIO+6+p>%btl?%MC>e z7vvam-r7npt z?hg^}kz85F^0v`{9@@w6xn`)UjY!yfWsBA(rFm5J4>h0M<5ljoewzCVpOfJ&1W0@2 zG+WjNw%58pF5BfcQ3O#DNE%9E(rKyMC_aX~aet{ctYmQQY0i%N0zozT$x>D7GbgEj zWMff9Yfch*$N97;p05UdWcXWO?#cLqSSJWL6X(Pi&^d=$?>w<)y<$7{bmVq^Y?UnA zzkRHbkTTH|pt1QdI3c}0&^TMra0}I%>s<@&l91SH5~j*!xmzF}}{ z&;;%;WA#6lJ*Ec9kk|E$7<01;j2AzwUM^%+i`3KT24cr6NpVPCvpw?i$wff{_%xC6 z*LIwUohA;=sq_h9Qh>l~=hu7#A8AD;sL(v!$aofna?*%!U)67(q0Fz&Rm*ezQt**X zIp((J7@(Q9mQe6d>crTW8T_#3>GdE~{;$zJyHYxLp;H-p^t|DS#E}`&O%j22yoLQS zFo`DfMd@rgbis;Us=BJj6#v-U;8{?W$#K9S zAJBq+R^iDkCoZXaj#zjV1mR7>$qtL(H>19pKw9LZ(43OJ3JV`n>O!VY+#-6PUXr zrL`$u>uO^pvoZ!3KdDmifJ_iw-@n)%t6*n0+M{ee{%$VR*`}{h?~E33t(wV|8tzSh zpBNBl@k3>$egMc~$j`+c1Hhq#YmA0u7fBB`5yZLGb$eE2_V{NIdKSdh943?AA{#Zi zo+s2O5~;$NdVc65W44OiIU1~nL10}I_dP5@Nafzcu_ftAK%4$f+Lnt3bJTfe;td7i z{G2>cymj1x%wQpof6(;^eq5;_9^BsGqPMb`Isa%#3UFiFYTzOVTzV78Cy3&{?RT)e z9vKmL&5oYVKj-lz5+C_qw>;+A>wzL)nIRSc>Ck!#k((LT{0ydeWey75ea&%PY6Ga% z1?y7lkncID+LBSKF7ND~6!a^$0Qug4`zPeL6jryRCL%t~WSAv92L@XktS~<3ye+@1 
z^;Gl4REAIMWu>y!JwZy)fGwe_-{1KGt`hLcMHRbW@U=^efQ-bO(^U&UKBclh?=L2I zwbn|1;ES}arlO?3?tY+zJQDu$Ait)6A5Z?OmFb_H{X3-Tz=a}AJVnvsj(@@ZCYP#juZ)oN zC2j{$M)lZ1G-f8bx|`32kAjYC5>%t;C4guhLLt06A&%A72s(wVOz~-iVy%e8i7fE^ zSp5J!SLO*eP30jKkaoq2y+{Vpmao#^N4H%-37Q<&I2QMMkb%hR$M>yG)qqnRxF)(- zDhlK&T<$J;ezfb_?dZ*ZX*Ek#7wUH|GcxhPr$l7R^A#y8fkWN?0?IL;q4+8Js GHvb#=7_C77 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp deleted file mode 100644 index 1f5150f477d2dcbf6bb8687b9e51f63720e8a783..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12642 zcmdUUbCf4twq@G3{Y%@nZQEICRNA&}J1cFY(yUaaZQGgi&FlX9^?Uug->jLnX3fMO z5jW!A8y9iT*?XT*mJ%1&Wz5EE8ZSL7s;|D!y60h|L&&4~N~#Ba-|RtVP*HsxhA6{1}*GTYtH}G^TarRlDFSG@~VGR^+15}DREzWAkgX;`PKgkyDmWW zk$TE@M>v?9aIf;HF`gG8aOfBMi1Xh0s_<%mWe_hws#xT371tG9c()k#Xl#gY=BV zBy7cXnvnFJvQ^Z_RMz2*er0gqF9hQ_t~w%?&}@yIj@1%aXF+Pz0 zyce2JYz@MSxGtJBsqI7me3g;&l8FysP;rfAWC0^2m71a_lz-cWm7B~PoM8v!5Rd$T z3G{O>6amjaxBK&DPeVQfn?>Q8bBYs7KwK*RcEOyMaI{}f>pa2z`DUK|ZyPTHTZ+0z zsCu*VTZ7wT9;rpb=mw{|-Q$PXxfaG&IjJJ)@V##+LKatR9+4KpSa!MIa5gA-Wti6a zD*_d%&%qND|eUAwwDU7=OtcvF?O}g)kmp; zOiS=I&(RdT8jivKAmlV@ImDmSE!?RQqtY`SU|7apyiF2rC`b!*2ZuD-xC&qm$qu`5 z^0|aaB}Hht8PGRcufREK5{}`HWL28R|6ncJzOo|_Ib0wE4c1Z8NoPCfE^f7OM_2IL ziZSvx^?Dh+bccFZGfdz~tF)Q_%(hZ~x_jZD0}>W}FoET_*C*bIztHVJn@>ZH+tFrT zaaQKyR#|J@RG7-^X>kq`B4iAhNNG{Y-|0v9%B=}~!_&O#nUsOz+h==xaQRuISu~~I z{QtCQ{YdYp>H_3&R#m1neFfvBVabgiR?$05S`M{D(6y7LR+_|jxsbMI4F7Vuq0tdvgEzeG0G;yTN?ntI zOak(TnPLj5x~vTE@thj~RfA2-nx=IqI7(5SJ6@`8ihfqjzMY6L`t4(8psJpOLcrf# z)(gu-vBV)fa{^3KQ)Vkbu80;5R0G#sjA)ok{(3>%r!CE1m*dhmGn-`HXYaBw`rxNi zvp-vS$OrH54(O|W5ow~(cWf$o>vhv90t@*`86WIZAxi!QlyJ~dC3`8vuF+saas8DE zljmR(F!7w|1rw3s8f8t#V9^cKjJDXpg6`u1_VJSVmaB2`*l(+;t%`Oet!RtOBKBlG z&A@pJA_v{(o)=V_=)1oRm<7CAiF>PdRo1O0$B#ug{6QgD_*4CnFVuh6pMpss_SvoU z!Jyi`e1`$dQP9gIW#hNogfxE1T{A6ga0co{_Ek7T4T>QMqZGE^N+3jVvDie5tM7pE zJXRQ9hs=2QpnQw7SU=A8@KPNY6gy@{>J_(VVodjFGUNr9+7s9NhnR>s#gJ#)hYK6e zM?M2`2EQYU9;5(wU>gZ%h8CKFMnP-Fh z_~=YTe9crxqTAA-@BLuVjFP7(#qcCQJvvleRion{z!6j3{0%A<-gU{Rz`^hApTi;+ zdiYCg1Ms$da?(Hu`7en;EH4{Wx@+ZW8FyZWlgPx3^ 
z!ootOJ)Mw1g=GeDyGRb1x$i?24ko>B+Wz<(bi3VC6%m+|*h?0QvMDsN_v0?ImO0h! zwS+F(&?&)J_xwB1ugUyxp?7ckKMT_TngEP}rZNa~L%Ka-sn1otMblU=ehi~Gef!*l zS!MHc46()OZ5wEbF<3X!5wE>utSQp?zuB;<;r~JA@_)|9M4`Y{zK0qAXOi=$+x_z))_QmYX$uH465+s|BATU z{0s`ZQ6*AXETvbs3CGsD`xnf0KT~j!BVk?d%P{fts?6V>;!{qxnjP8eB|#FNVWWaf=W{WS>F_L(p?fzu6{)W2+QxQ$v|@QOSgtB7wIb!$0Mv??;2%$&D&h*Jy~~Xa-n? zPySazY3^UfSt%-%mVYkAcC^F)rMNn744bh0L&0GYLAhj(>;3(j|3B4h|9w#UUr?bz zKtP{gv@X^RDMZXqc4Il)<-%C*jvdNysoy6NONM8SoZ9VffkDikqP^{2J-l!jv#LkLbO!dHww4) zS$6MD-Y5i97o=%(NMZOT9||#vA_aj%XotKsB<_%|T?{4`khIMD5E*);zd>w4E1ecw z*_NP!a3;aRG4N?V63{Ess5( zk5mk_SCEuy4YMr5x$Ilm zTP5)hx3OxU=HLXVsXyo1Oq=lX;Wl~ucpXLTY%*5d`kzuYYvO^o*4iG@v}`cY%{;jt zsV?u(p7%YiCXxL4%$h1Oh#74^0atv~s>Bt^63|KDri(rp-qCw> zYWj$L3Zu0=d|!8jhu1_evWK)CSO_1sUt~6IFr7|GG~s-l6>b{3;-{3PRK>JE z(#~E9HZufe^(%cbE6)LS$zJkxx?sdPc?k5Gp*36dRFDz|Qp4WHZyH|~)HH{nyS>K} zREv9=G`3nfX=poU&O-auxX)SKxoD^mz+bV7)!z6>B4CAd?V#q>uj?^eSC)rx>?ff# zugdr{LT<7A0MU_%tEdDl`P>5i9TWTB7s^gwsy>Y#l+yX}>1Al#^_R^lBZqF;TZEPo z(ra7`Rebd^%rVZj1}Y8<7jHJnlaGgKFf0_WyPmK8(|-h@_BZ}j(J!2t@dT^NjY54FTH)YmY%XCZYx8jE*lgOLXY zGt+LO{B%ZDmFqC*-kG0a1%rNoBjhY+p<(^g?;czA$0D*w(?Kt!WRuCe^8A=WETOIz z8(Ht&6)*7q)F6{bx7JnzagxKROvWgi?l@($Pk2qT=a*Jhk`n~*-ku}?Y1YCWfO%#x z!8j-@u)1Ccg!hnQ)~Xhp77uobXC&@DNDsK-b2%- zM-(bqUD`20beRaG@JK)0fn@eHu_SimI-b3NCu!*Az&e}b^LwZ(A|b^T23G%?K1W$A z$YD%Twh1(YUE^n8t^D)|61^&X=Nc)?Tgrh4pRJwnaSl#!l%m2*b7Ozx2)BVC#3%-wm3MA>Cmq6~ zaKoi4c9f-Cr7$g?XR{S#aApwAG%2yZHW$&>sH*C zc}I5U*sZp}BluAR{Eh~-0`&Jqt!OORVW!SxlYk8bT@p+BpnoOYfVXq|1;_dui#kI6 zNLMl!_2^+Bu)?U`vvrn|*jyL}A;X_~z9fD8gxP8r2t%yI1i6TTqZglO{L!apNAte@ z0lq@-7_K*xv@{amsUx22d&*LZT3XQv>9OYVb8S8y^iig6(wYXY2Kky>N&Qu|y8M*G zlXwA_!%)CA=nf8sx&V>m9Zvk)6w1AND6+X22nt7G&nCCJ4Oqp1dw879G?9#^53Lu% zS1ShX83N(YH~a9fU+Wl`Ls}&Vi4$@=WmdnuOla%V zHd*d(v?xX&sC!K4Z&37~ot6KfwcqV{9+qvVVQsKP_kT3LH5;q=r09p8Acnjp2Da%a znnp)8TYsL?{;bRH(RSmOF}6Mv6|-wjOp=&8+mwXo=Rn81sFC=W-XTnE&s(Afl^1g+FOQ* zP59I#_@pU+8eh+jPXzpmZsL`%38F$ewK>_R*9?0;JY5f)C(z!w3`-51}~kJxoJ2!f7GH2!(;E8f$hsx^?pEns)`&CQ;lJP-V%|(aNueCU>8TIRP 
zbppzm6-Hq312?zzL$caFuDNi~HFl-kLCPe+=vE|=e9V-*#<>E|n6_dvil6<>4hU{% zz(+)`Ijg$9h%AI?p+Ll|gxo5sbn`ywb*R7lUgDSPjZRX=5-jLE`$2Yl zAcoh&;ltCG+=68K^%a2C&$;i)UuOZ4vIyQzG0LOx8<_`{M~3=YM^4gKsE71iX2by# z|ILq|)(o+FRc|6jLX;{ekX46adR~&S?XHTq zxXPAp+?XxdKtu(+oAM0%JsgE)Ffp@!0)geXR6^bN0HVYrpea{7)HntT+?BnfOVRZX zOOh$hxVm(HOZ&(SPyFWWuZ|rNHzFPF825+?kJFcekn3gX0+#NJ#>@Qfgk7`n^P!c$ zjofWQS2x%10_{OOs}>0Ul)`wdtZBgPZD$eR@#yVCRI0$MYHAsKyX_9kZwPm(IPQ}> zs1DR~fcpz+W{b|kfv|$hQgT3J1;>QA_Cc@nopedKc{Ha_4mILH4b!`6C%l<^Bn1}G zE)@YVT7bqUxA2rNN8YS>%emaF46B>W6SH+AcwAPWu6@677gKp?cC&CahmMj>-2Mr9 zE8UYj`MPA?4HttdmT&7Z>*!s3MmZNzkt$;xCMaUNTY5m=s~GQ#qBv4Qf$cfW2{b+( zKiU%NavPq&IeD5n;ygyrC7-|OHIO?cBd0eLy57wj;s4;%zKNF4fNvh{qosKzY2s52 zi=gBMyX-9?jglAOU|S4yIL(I0a2YffUL@Z^RX*m%=2o55W##S`6uwJ8h?x{{eje#M z76dTNsSTAJBOgq)`BA$uCjbj?{|ze*2Ve)COOJ@-$occa4YfZp=P zkt&W4rXz0JLDl*ma#F#FYUa&I}+QPE&G3$ZNw=P1=~ z|D4)cdFUx*^s+bp6X9IaG{Q-N`>Bo6G7y)IF_KHisLNleQg~Q$_{6SXfC4$#+E2}0 z&A!$8T~2(wDOL9#_=8O-fo>j}m(B(M^(kJr)59C-JhKA|VJLzVHJ()9yFe=F<_w>Z zm{zf=^9@~iw_YSJz*UL>#y~`x`J2?*ds%Ba1_==iRIjnnr3`Qt87i=O7a_Y}d6S0y z^4;m{Tay)z()A3yX7vq=xP+>h%y68j+Rf(n>fD+3t-}h zWG(0GYZhT^=DhWRb)xG>he$~o&st;-+>MXFZIs%$ly7L=y6-%Lj*1z^Z}<0u?-(L$ zyOhjJ#ND@O81!ZelHP<+?~@Fl1)CUKL@;l;n!b!et%1h~rXQ$g)f>RqACSvL*+pru zP!gtBqfJy1sQ7~TIXcL^)d}Gvj+KVF^3N2GP(?56mn+=@A|Ek9NAf9U5)m@iLXrxb zb5x?!`ROKeR)Hk)%Zu4|`!}!ZGIXEOiSXbG$Y(o-!&zvzKG_*Z@T@S{=7PdXCydi@ zy~i<65_9rQ83wRQ>ZbvLH}MxX-?Tbtpg~hKoqf7rZyqPQ78H!=ve6`>5#3AWJDv)?nbvlkh%bcQS&F>2 zrkUI#Dk{=Bk5-H<>ix%|B8j^Mk?5@B%E`|jc87w_(0+>UN6rb<4LC=Du?^2_+xZa6 zfHWFtAP1eEPba_Ex-HKhdH`L80^w!WpL!&-#X23r-uk|f5%Er|k&3-u<(;ZJFIEnmd7J!7y*ok5Q66Y~ z!3bRY5~X|L=n|5P+I81X>CVz0qaC-fTGcjJEx~cv^~nJ<*@%S|jK;;!W3n#4GpzD@ zxs$g_nl}UnpPIpF=uo!*&`&{>=RFU*+j^gx()HKS7Ge>(rz1y? 
zj6GuMk{ZC#3h|p${QMz5#Mo)14zHtw9xW%fEJUX02CNL{zD7qeO-C(-#;6Q+js1H%-sQ3!?Ji)czRcYU&e!D74_RCX z?obd&xEpcZAdzN(d|E$&R^)DOK2T9{oNTg-WMzJxUS3YtihDe#(QcAOwBlfwt1p0-n{3BbP(T1XtJ*`J){`pp8hT% z(gxgy@>e#tij!hctjh?8`dGd^`ce&^juxCWMh!KVC-n1uOOe2_AXzl$I>N?TDEsV?D6tYN1EfX>zc zcAFEyAA~AP{ilpS4n@>cE1E~rkk2sTbftvP^nzdtKoCk0otJDiTtaEw5`wUf#=T>@ISHvnJjj?6XZiR# zG@I6PU|s+}(-UL`^+P!oxKO|~?moKu(SY75oDZJ>_jl7zHz44+-4W5scoS%as;*Oq zTs;@3kK$!DH63~-3UA-kC1OpSZ>!Cc5QFp^{-W1vmWMZ8gM7?^W)?#~S~BTE-7TOC zPMM!R{WtFD{FFQqiN*%&*s*;Hh-W`Qsc@**8{Ils;3u9<3RY-sXo7${49yZ-CZT1g zlywkh_IeK{bof`svY=iF|?xHRFj=NgT?Qo?cw z;Q!t=T?!b`P1<6&CL>X^VcKI->_VQq*~Ev$P73}0Hk8fVG@_&jyV=V?eF;9<`awn9 zCe*{v_-Vp3?&Noyx^oQ+y5i?#K0)OeB5)ohsoTQ~iue8ycli z1rFO}B1g0ffwFk@ln~$BRMfhvzke$xA!tq7@eezg);d2~j+mORRF-E_SKz#gq#SHrL?+_x9lGOpe_G{y;# zvepY+Uus4|v~w^x)spkr9??+Y(n*z~nBX^$CwSe1oTuCl9p1qSZYY4RqzugT%LT5s z)QiT%9lJ#1bDowxDb?!CxJ2uMMgG{j%Ga0HgO`neNkCp*r-mcMivg|ar=r&y&r$7 zl2b?bXtJAO?3>j#gzt zI_lDaviHD)Wvh(Ir}3_6AQPHV_vvMe9lG-=7;VmZryk@&*d%OH(kLVxT{FL9av?Vk zOkI}?LIBQ+xJojcb!S;sR;u)4Uv9B{AS3kMnElt_;Tk&D0f%DufU5!}GEV+U+Lqkg zn+D9AlZ3vRO>=!O5cmK?DwPk1ro<0*|6SBW+eL^+hVemDKPd)V&tw@)GsryV-AJln zD{v{=43YZ+Qb$bMjHYWcRu6R4+SCfy z3my_~2C@on_@ml`TB5FARH0wjvMJVy>ak(H=E16&RuRNu&y(S}zoZ8nuhz?fz;q_g z7-L*dC)B3)%N;!?{R?f*5M56E{N&ZWdF9r*arxK6?6C_sK0=sC!Cwmhv+6%S`CC=kUwi$B z#(#GI_ZR+scb-4Tav=K4ME>opNpH z31j@zXX%)_eYfJxB)kZvh7KVCugrqe=LC3vyKFU)K=ts-TJeBAZE8Z4X7NLhqliVt za>Yw1ko)X(oyY1;EnS9fyn?E|ut)o;(xbx-0DkkY!3UW<>#*&s3ECSSbk zf=F8`(RrWIpgRc*wTPZ1ei6y!EG8N=Icu{NpQ|?;?n7Xnd_B+W&e{gyYs|9GZxn}< zJ`W9zg^6!c=F<}>;iPmnUp$+?ZN3dEPpZ%+dyZr8+4zN7J#CqP&m~qb_kA;ui}{8P zxvCQBG?1jb2A-HHq8C~yveJc61J5{94`juC<-mwiFGq^b_2J!iba;0-0f%}AJ~_a$ zqWrp5mGG<*do+8_+xhiWm=S?^mmzzWsJ7MoNvXmB|ijV-5`V`2F>rRiz+HrPWk*0`pCwF*o0#hs@p#5i{!=4X@McCB!k7 zRlhAyk1(O(WSTRKimVKe?fQUyoB2xnHC4}eFNv|Z(|PLAc(it)b68u%NwkJDw0`LH z^3|hA6}I)gSv7*p;tjIMo9|1T5-I@bh^%V_bVq7dPQr4kNWjC3li&h0vgd9{rFj~v z9H5LSX#TmQi8xx5F(-xpee;S3rn5xf2IRMlcdF+6yM&K%ofpmfdsxf*Bw-Wa#@WOO 
z-K2PEGa{|w(}TyVx!-k(j6zS16DfZ3;f()c6R(SbpmcTc6>c?&Iy%GXV?Js{pg38O z`${!siuwp7m9-EK*7Pux-sVh%D*zwt>IyN%gVH~v~Fr2osH3V#t7$ESuT?(?b9 zu-@_*gs_Er}0jk{OsI z4-j65_FZYA!g@Nw(8ms9YajLc!LwTB)FXzBo=_&^#bd$;5%$G*2_jI>_cXSY{^{r@nh3kFXy78wu$DXQL3W1Pn1WQ1r8_ixL?QnuQm0*dPea=26>@WK5%1+-EprWf z1MP{Wo%mvnyiPm6+)zKLT46WHMMQ-QSq4Nc**A8V7vo-2QxZf!pei-A-dBUA(ID4) z`u&eY1$=bs`$>7|rbxbx=aR8(r`v4;e%MjrCkwA~2H zIhUXvY0S0NIKa6n;An`ml;IQ*&KB?UQ^R=&kR^~}_f@$@P@Y~Brzg%Oa4&%Y60|eQ zoy+w7#!bzq0pMtYML%B;WXkIJ%tUiE=T9T#w}A}HG1kOA2Ir@W{SSgqT1zbI)Q?r8 z>fLm)RN8mFKodF`4l=-ADuZ1r>3>5;Elr@JGZG0pRtn}a?7&b+*ZkPCvN*v%0I@D# z#${&bZk>j6Cj4Gp?d_W=#d0N(BHE$KO3x}cS6J8#OsdcmX(Ni@FPxa7s4?^y>0Jqv zZg)0r3Oh~IYaNgIT}|${*MvT(Sl$t*GtQ6dBlS2oSf1%ip%)qTacO7=T06TFe<11$ z6|Q6@2e}4Co9_GN<3h6io8%-3z50M$bkmF)P9A!w?fnwlxiNwfhWe4%nE|@)K|9%Q zQ|#%VhDi^HRV=Rsjx&61K`Wbx zs_+wCQG@$IIeR~k)a)Byjj>5Wl6mbE`1^A4ScfkyuU`Czw(1N{zi&e)i{9Tjr~<*M zU)9}40oTpDh0}%98CQa5?V<@$Pd6^OUSQuRQv_)!dzb~q*VK~uvzlWDyT`qEU2|b4 z)i04ADr2W5tHP45#Nrs}H`*CVSNUfuS5o%&EaGoI^vdu{)F|qaX}}$G+EJ<|POq#? zc-1PXVsWG_VxhDr!M4+YH<@49e^`_^_(ozf!RRFYa2|TR6LFZh8?-|->`n&#u3Z#q z(B(j31Lyg>{?p6}zabIvBOg|Y=_ZstnBdV{&@4!y@lEI$`)uab<0sX&#hq!IFXigx z5{R*p`>B<_+UBE(&Q5#)*CER!x0mWxFE{6{DCstjb$m+(iBFp-l+)tyhB>d4lnNPu zMh9w4kUpEDR525rkQmH=JOh;Lc2*naN4Q8uWvpYz=i-SVa<2jCsg5?(SLF$`L#C{; rJ$jqrNAnr5rpnwiA`+j~B0_IUyxv3MpWFwfO0|@m80pX3f4}|@64sPA 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp deleted file mode 100644 index e8f5b068784a952700d6ffd9c3de024469dffe61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13124 zcmeHtQo92{r2`E_pjTr{&fEG5RYzQc_rADBqBc7MS84__`NLRYhB3KGDo0w5?|vYzSQ}D zqal;4ISk-z@W)_v1Y$#FXLdhANyoOU2z1P zBM4Xf;m?jkZ|%Du8xEgW9RBXO{9VqzvwlHf5UUGG0V0X2W=LG)Bq4vF!&6;Dp`wwj zK$MJr}!3 zBR>X1XUbR%svdiW4XhdU^h?>iE+K6O%!a`{@u`oKuf>VEe@Ue3oh1OC~~ z_h4Ztug({{2Ob%i^vB$yaTL16iRpwd^Putr?pe&7n^M$`*oFgf_k~xFjl|SI(<_{Q zK@GUgrJ8I$MV$L8Ai>P)Fyx}){2eSR|?!cJsbPzBV9~pg~FVxXB6g(cyOmSM^jIZaA*WJjd1duUjMdmPa zv)g;RF7^X7%SOMTC7}p3bHi;aEBZ?x_+T{*&$Ael3X#Ld3Z?LBEKeft(j-g-rjkQ8 zsAC_Rs)d@j6Sn9EDGEAvzC5>(3L->oWeM+tVqE$uATvbwa@KLzhlIC8oWT&4#jVQ5(z@Mqq7U z?-^|S+@Q-T40|)w^T<0*Xasj;Y9|KTRs4&{7DFc8q7eC{0yT6U6H;bjl!`}Fc->pe zX!P7&;dzkv*PmeRt<)3CJ#lSk&jAbRc|l!csh7JbUUuIq)%F~8X;+#QSGRA|m9tjE zEiGCjc+XMx{KcVlN>et`d&{oLxKEo*%ZW_a{*xSr?|FNGlM4+|!Fdz6{}OgwQr|3h zcGEz!R$HO>;236)G;eiblwgh>q~`067AdkWA?9aUePr;j-Bd@e&l211G-V6jS7z3r z+%Fq(vg}7t22y*#i;Wx;zH>pXZjp71Av4g=r{q36;pN#CXaUse`4F8_Rh$|JmG8(@ zX(@4><{!bk8#=iR0z6LQT?}BBlT98qwabij!o@`$59gqYwL462XGFaeg;KBjVU>^w zk8t~S)t5ozO`L=R3GRok7num_tJ1N=1N56RXm;{L=<9~Doz~UIw z{aQHi5B>B1J=YoM5vBCP$_a0(8XM04o?2P%Wy|tQk;u;*WpiPcI2)(>du1f9aJNy} z{_{Y@zm1=aAxt0^^LMg`QW9wIjv;BTSbSgx;BbZMDY2V?5+u z4BpY>fswT=pykqkKPWT#6+(R4X?=4!Y@VMg6KCwSL%ag)5FZb1T9`0#z|jU`yyoim zw4L<_@c(Db7p>$Nqz!V~DZzEEU6gsVn-x@ZC~;V6+Xu9MOx?^#V_^DZhSYAHJROu~ zEyt48QG8oB>_@=iE0he#vDDWf`6W1nz_1a0rWiRaWF(Nx(}Z==*{K;THr zue|FU-NS3yTroxqv0t$@rFyDots9dN9~-$ zrve$JgbwC{KIl6K__{(w4Cc+nDn$`}g%M40;VBFa1mM-&^7aY0nrx=NMNJ|}_l@@# z8c)&m3hDTr?*!r`HZt6~3~!o^qwJPui0iS4N!Rd$T#c-q-WmpMtnXR4`Ybo!UG_W! 
zg?UL~>pX&zg#MK>MQjwLl{lrNaJcHiWCs2%#Xf;P(B7f9`U;yn_H4!yb2YbA6X<6r`=#HbABxZM!7%}-c zfjAmY{+gq;E7T<9zX7tq;Z>I3!w+v&mqfN{jIy|`N0C?ko0NS_VYrvnKWS}vsqKKO6A@xMO)chdY1!}l0!4Mk^x`=Wezf5%X3XgUjg7Z>>JD~1|F(J7GW zxWLViVYF(Bj(pF#S?<2}!In@A76dLX2=`}9wfe%Nz+-WNtIvJtB~+bRo|6;2?F~b% z!RRcA96XS&xBtzq53l|u5d1%(lEN~;7ylto{#Poni3I%>QsSi|Upf0%i5x>aX_xNb z;rPEG>*@*1)q~!=%Uc9vcVsaCCFbZ{BRuJk_?hw2nQ1UmqSGty^jZS4+M9wCZ z@V{~Jzsk=g=Xl8RC^Y*X@e~N<`iyrm=vMg4h(woceMQn$rzB(iZD)WC$-)k)w6c8S z=ieZYU+33*-e?aZzr5)tKU3BRe=|sNNq0am?hLsilEF@g<@_1*23uq0nW{RN_l@FI zOdJP;&`YO!>NzpA2b054{l8Pc3+v7_<40YY0Z_6OH1t7prq-mKxU$F|u0E5sVG*l| zy;QpW85-*F^hy#E|3+13+Si-hSPWjC_ekc;o7_ryUO&Own;&g{qg^*%$US|w!{nHi z{V*-~jo|xi0BfAAcK{bb#e0slhd17G@U!k89cN@b!Rb~;{TUMeV-2d;@d~0Ird`8< zp@7`&IluK+7o#f8De!0n2dla|b^?ds49ST|lK=ws!bNN8HP&d&2<@rk&JNOTVOWXQ z-z$*>xB@++8nDz2Z3@wF{+S0D8IO5++7Turq}8-4xWGj(tz^`RR1mLm41gsenK`N& zN$k+ro6!)RLn3`@-n=51nTR{_pRh?V>7KIxxD*vh-ily>uS;C-_qAqp?Vt@xPwV=m z;N!p#Hv4bVjZ!cvTm#V{VsWg4{=Mgku;UZhWe#~0v#8$`jK)BR|2C#RW=>Re=Mm>{ zg!938aqF21fj&>YhP&oTy&28PdOwSA7%HY2XOlou=#%|+JBg4ZfXs&e{%1mT0j2n# zVxExi6k?!_6nL{&Q4HTC2{SZ>aA)2CN;M)|>Qv3~z)eYxizOcI;rZDNS`3@9x)D)@ zLgP4JZj;zwMrNrfXGz^Tz-W$jY?qNm$J_mr+7WQ9v|eW_Z7k_b?LRE45F-;AwQ8^& z=Ca>?xoC5Vs;3St`907IIGqNoIL!7wzvsTgu9CPpBz}tPzfH}aNGSfAocwD5c7%Gi z{`{|O^`~-?$R&3?n*Zy+xPn~tN6vF-W~6%d52^64T=%E<|2O;}O{E_K0H0su34p&| zAb!1?+=~{I0{Q-vABzF%D{)g8zG1AsD z`?bcoTg&&3TW+N7JAe^)hm6+E80ry7GDigVBy5XSS!_ZrhOgw-lR7R)gSCFqQP9oc zZ@A@@g#152oi>2>T<7#$NM}m~O91Mr%e$VtAW4~z9e%u&zLZeiF!)HpY)j|Y;TX9D z(STFyZTW1eiF`R6c{`r=k^ON_hfuwwsv{(!U@1VI=!1_$ZoW=wS9Z~Uf$@BwjABW$ zw&iW*;M~iZGFDyesz_jSdqK`%1DAY+dMxUdwY#{GgXLb2p?iuaL$UjP!D5D# zerH|Om1&q!WnTSWXz#FGI|~*3w+NMQ?`sgfSN z_7#EeWmn zVoACu?u=dh`$4ED^J%|B&K47!7`m%xS8gXJ0FDl$GzuYzeW*NwM4Jw0+gfna^z{=L5su|a*mYOW=K9fJ&z zuOnIVO|d=Jav8`1vj3BUf7lQ7TTic92UF&*nZxE8v{%f75b6l0oOXd>ZiN^6xsC4r z)C-kKIO-1hd52joDp#Vb&1$kv44*|rNktSOa2jjj;hf6(9;0xG$V-=Nw~MN2y);X{ zu~&Tm30RtmR%-#fE5mFlnFl}P?mD}?!h)=+;_g`2>! 
z&>LyP3hTH#BH#t^wbPceJ|AKxoEo2k%3fplu**_Z;OJg5jq5d>9}{7Pq}d zs;5+Ob?xCu5R!PJ9G)3Ljs>L}5CxMJcbK<}*~~p5>JgOkI8>o$r}4&xO@#ubY{W{& zN>cOTS#ZS2^Q#w1@70rHELriIb2n-F`tz`Dw{m;fPM8wq*lBDoWjuE?y6+TUF7P(V z9Wo$T?%Mksz|dIfDhtu@n;irBrsm%0VwO17Mg0Qfivt9va^)FU*qD|aO(M=VSMrNF zHmL+Oj!TK(O@x->{rek!(;+PK5 z5l1xnfCZXzTa*?bl6x+HA#XLA!(mr@B{5Gj67v)kAuH*y)Yxew9||W49jJF1C07$T zh3S;kxQ?pISF}w$1_9kFrg=|Lb{H_}ix&>ON@a7%HV*QVO9p?&p;?sTNyee5#v&6B zpIp*oFShKtV>CTUuPnJ6{)F})gDVpMN4KUZeUaNHD$kB1pKc4Xb@0>S~BNLKt2eL2D(9$4d{ zws^fASZcIR-iyOk))P+HF+xKx-3kua$uOyZz%Ndyy7l}(1%=rTR>o1)mX2va-=|c@ zX$rOAUbofyz3tuS`2xkM!8V4roP_&jm%Pq;yowpWC$m2C&f3oi&ze zKBEnIt9vem_PdA;Z~1z=$0neEO#EbP`TRLtB_%7*DcP9mE$ZHPOrOJxxL9){37wb~AjU%~vHIY;XL$RYTCI0y_e z4Wt!u5JN>fvIc_3-;XAhSUr|E`#h?Q4UjHkzE<`&4Mq|D%C67+8d;$56S?`2nsVkj z1^@ODHqm++(nFv|@0Z5_lFCXo;NrEob#?P?VHSw=QGbfc_h4O^)2gRo-HMdtZ{y-`tAZ$DS{{POrSthdL- zNzSpKnt$f1v=N#&)u+&tsm=E)feC-h5>+w2r<8{Bcu^hYORrZC@M||>bL5OVOny_* z>?@dg=2#<}qWe1)ghQgV!#K>y757rqgb`-ADP!nmDFOO`B>64Gv?J2s(=d-BHl4@V zxI=pw;#^36$4~M!Wwl}dyWeAD*J{fQlDR6$P#ZFr75A3Hnc0}Gk#cfJP7Z^kC7yzO zd~dFj7c$$GDv%fL~(>WuP$OJ3OfK((~ZeZL=e&I~=dGTLvm3oIMQ#C~lkz*GFX zgIb}3aJspVk&PjSV!+^)>`ES1Zbq>>E7Z<}@(x5Cl|VQZ?6o-8Fl`219S6$2kmnf^ zC4xI}{F`d?RyVwTM`T}KzIPSCu*!!rZN-`N)>R4I_EiH-_nZt)zrUpLCp=YH*T^&m zK2g=5jaik6GOlaTbuf(F*6=rtCtkyzvsQt-chL7+=}pS+iucInF{qf4d0c4`)_n8a{X}1%X|>L2F+ZcR!g90E@y$G zqAKztBqr2nZRZ(v%GcT#+{NDv?p-T&Q;gKon8ao>p*;6Is3$)4_0$xRD{miV)E|tG zHT!Pb)HZ6qHdzCuNkGU0`EGkTRG56;v6;zFaVLQej{wFG+4${60Y}L} z{d1K}kA*^TFggK&U0cag>YLI&c*-jw3=J346Z8qf!~lkW)(To<5rI?5O=@7}Va9Bo zJs}Tm-voe(FaYG>%DhDz(QJa&bicH zBEsINR+2}bXhVsVnP%%%lQvbUrAT>UXv8soy5LXuZmp%&3y+JkH32XLb-QOZE{l;K z(P3mbckcX>b`>Lw1AInx?X-%*z%wfEU@CY-BmPMa_rx3M(=q-#WR zl&ATx)=el5D0(_w9;Zu`BHV`@akd{n60sJi%`0!1-c8lUOfqS9s%eCN{J3=BATcXm z_-*nmZDkdZzu>#1*XsOq8zQS@>OxUs!0iLa5(LaIeMA4XKDv}4HaSRLJMmHK<~euB zq{NByy)=6iu3DHEC6Ng&>%BcuHmX*0-A)#*<=aAQO?+qV3HNk<`SD0dsZD}Ecs)71 zjMcu4-X(#d0#C9ax+({o;}&{Y70oRBr9|tf=LKQZ1P7|Lmw`?Pz;df3g`AO{jEx+# 
zI-B3)^OOWU*y{0~5yEzzSjE@8UTdi9^hkdnT~l)qJlr>heMpWROzV(J?kN@Wm4zkn zCxMorR9EVT%iR>qdIyJP20*BuhY*zJ{5`x;)h!H!!XUcLo3sE5FDTO9NwH??W{iwT zOM8PERu(~7H>UXmLf~|oX>p*F-iV!Dgwht6n18cy}h^|BE;K`I+CV& zH>@X+PcKC{PAJ?#GOefW>F#UOOcp72Ni_QoJTi=+T3SMrEs1a54x(*4{O;t~zAFQG zpAqwBR;z^@F48H)gov^bE}7zwv<05*a!T4E!5xP_Z(WsD3ROGNcKI!i=yBf+7Zlaf zRY*O>k6*RvGWIRZ4Rw>{Y#p=t!+8TTTeaKEe?xmHKuu#{j11!^EW(bI$!W_x18!7@ z%p)bUmzum$t9O*lMJw6d3D)xlDy5oS~c@>R~~Tqei62I12oO7*9 zJv=|pp0&V-kzQThD1-Y;hG`= z%C&)h|3{_8o0l{ApbiO5`pX!ro9>BT7Uy0KT*?Sfn5`j%eiE3H(`hQpbo8-<*_@VF zu^s@9_j}GY0ihDrhaD=dB*fQDcS_E)X<#74xPdlpG$gpC2p4^K22FZu3a~Njce*Od z43y?do8q!K#(`F?s~?8NN^u=f3p>TQfrE1NQ6!7t8H<1tyvvtgq(mfkq0K$KGw`K# zEJxFL+*ZnwM6VU5@MMucLL@IVEuJF_H6at)fUzFL;|R}#aUw~0+<5y!ZyzEE-Se_!}7+hAdBw-U33<-sZ(zF5gy8&mE{lBH=AavQ%9?m=9 z!h;8Yx>Uj#8qltBckatPNrz8{T8`5wQITpeo{~7?K3sI8A5SI3(7zP zPCAC%_3dg)aka^!x6ZOpl=zv8(AK9Is)~DQsL13r2zqpa<31RDwise1b#4>NcYYe~ z!d;^T&xD6fww>U% zaeaqry+bLJ5YJv|eez9T z`ubDwOXxCL^5=r>+yNa!$G0vZ!XfgHbI0Zz$~&MyA8um~{t1XQ}1$ zd#jJS2;MIc8e}ZEd$d<$vw+}5z0ms5P<^9%emYGGnB_1my)_J{#HF?ojm-hRIycZf zadK9rX9%5UnA_p^IGVI@v*WCUjTAX?Kik91{;XT01Jx}@*I)r1?Gh*!9fX&B(V&v9 zrzt!hs=lcDu};Zy<{qwh%(R4+Mxz=?h+gybdG!N?rsL~_h_?h zMvk^ewjIj*uaN9_qrD&Mpua;A?m9E*7F)+#JeXzp(j?&32oE_f|n~nXwPZG~AC=MSNcb~oMk@@GQZ-=}U zBH$WptDQ$bT1muXg8odvVdk>=2 z4C*JW4D4gf@tP%Fj+X`(X^GGNN}Tv$uS* z`C)afB+Fkzv|D7Xa+#8T+^2)=oY0w?>Ke4<+O;{+iJOE6rhcis#JE8>N3FDu?;Jr4 z+gJB-%?bgThFwOU3}+9FIPwUI__}#Kzl{zyBpwuw2S3SzNs;;cQ{WeYC9-`j7G0ck zl9YjUM%T_heMCZaSqzi%6;SO@ti}o^6B8jAI}2}(9qNhb&e`i*r`;nhvt%{6tJlz! 
zkKslYln&d$zzKr7u-VSGIm4vZ+obH;RWtZd+Eks%BTup3PVxs<&R8e*3xSmRAKV9u zPQ|`+)U(xeuqE_c*is7|L4^Zm5R2x{S6PbsE>G$U*_PK%S#aHP>j7IY2IN`JR3# zraehl4*MNGV;n6$$?@Mcty}FVbBj`()O5XQI4u%;n7{Jd1Him(t??vN46bMKnCI-N!Kq#E;2TFOtY(fq$1qK=X$NoL=^A^7t z3m9rX@Bu*6T|oTpC*CPUOm#7^Xg>hB(h?b-c@w!JK4`V}0BZvIR&;empYUzq7WDu* zdK_47RVe7rQlMS1guIA+bv9A&hyTzlFp{Y26C3)<@L^>{KTK%Wu*rYC1^@tw-)(am zWipM5O-p+3qo26@Ye7dHwbx$zm*Rg~|E29O)xZ1x)$I?DKdb+#`@gvD{nHTmx3Btp z2{F0Z8UUn#I&DstB~ys1^u%hV@aR&Ou}BoWb2i$VI*V1M`S zfC9)lx*$&U(j~vcnoc}3OwY`}qk!2KHQ|7O>HSz5-+ni7g36fOMZ{4_hK%jA%MH4n zs-@wT0I~u&A5vHbJ+c+fz&e*(Yl2rJRvrXn6!`c(|F~IyzVjya%1M^wYkFtS*h8LX zS)O}%$NvlcBR10<#z+E|V5-ZWf=4LddsXw>2>4z4Rsnw#M{kWOp>0YX$;oSy9!{zU zJI7OU)Gf~&GU5k6;SO!Z*eeLV+!p2r4W6H96wh0O5@{w`ZSkveQyNfb@Ql!&^phNN{avNIQh=6@563X1Z4_G8vkt-DIVq7xDvJ zo6>)e-u>Il*-i8rUyey3*qXll#oRG8H3?8zo668kfdZ|f@-aGBn~#O4!pkB?As|=X z1sCPlQ`St(bRl!5m>=N*cf7?x{we!q4$l4Sn3tpP#wOlM?*;}`HB`(>rnHHtM z)wP(du<1QmK6npmz2rt>keAJbpx8>`716NtxQD~mbMgHv><(xKZbHloq;^C^!)dXx z69>8hrlX~w<}en@QhdX6PxxoZ0l;|QsRwcxR`o`<)8AK6yZKkBjvh&-Wt`0n!-f$* z7}qtBQ0&;mg^iS5Wz>mXZh}p72r#CdQ{5W26gX{cmdD;|(Spz@KI5`^a*^S*1}jot z0>ehAc!P$*zxTrtxo&>AV`t*~eO1i3sIH>LqK!E^_9t18f6}*8=b<2rs z-l42!8GLstUmY00^rQZwz`T4Pm9T963}rW2S4%zvjNJ%{Iw!-et_}czhp68n$ec5C z#GDa=OrE690(5y9Db*6;7RRU=wrP7jGE0paFWQA5*7N~;q@%zwu9cnkfk;8is1raA zg~RBZRU6&>q)2MsGF%(1&3a)aO&+sE%a)=v7g$bYG=%2?as|LcPk-}R2FbcsXEcre zHIId+oGcVDLy0RvD{Jb;m~4A*tjA`kXww{vK^-KwP1pSfI0YsKRb6oax{u-ulUah` zJ#YdG80m;#DqmGVaVwE5R<+5gVP>!yfFR=CD4GVEI$Qsiqy%0qW7N@&9V=@kDetEz zg(lN4A4Ah~-Icn)^zB3T2vvujxyY zqqdianEz>z3asw&y=*u#a6R~t>=_a$KE!PbHmP6=y7X(xOkmH}EsU!ARmeuNl-qdw zRf{H99`mc$rWVF!!!6C+E1~rQFM-k6@6Px;oW%IMEd2Vl8-BAvdR#6NgrBCg9!HM$ zk#)e-LbS{wZOgz8F%CX#JK#j=0)_$5nK0B8FeGo`jELI3c#5at!3Z!+%jxw&(vo+Q zKy?Bi6Qfr3y>v`KGr%>6B3Y6(o607VxPB~SeDi5Y(r;*PdexS`v+CY)WoBhl6`n;Z zx8=>EynKw&Q>OyrU5eR5#<{0uU)$^>8t*G3yJdP#rXoj(l!`P~cHS~XvKFl^ z?=uaLShT`N&x>f4J?7L-ZnFod?})fzHz|Q5L^pR=aK4AGdFYnil^bLgdFG|94f;c| 
zM_T1La|$=$Ax9~nL%N}ib@}D7bVCPXN|F(f%qabCrC4#eLL-SC1VR0y8NXw8rt6SGB8}arzQS;!jUoA zbHu<4LgN7=a%Zo`pkPG~wl`FMoSdoNN8*BIc)(gsiJ?lJs6jr0m1ww@Ks|;EB(k5R zQcI_8P+w$h)6ABx{!K3Y>s5n|;2y&j&JU#=x8LU18pVaJg4@dYA+@+w3^Z=G;sQz_ zLDA#-Y+!sm>4HZ7cp{^w>(GHzu-zW7jpb#pSp&Gk&7&fMAByOTE9bFTYFQcNnHZOpec{@l`p=lh@e-Vj%y{sE-itSjNx zba2S`A;US2mQT}y_Ys)&K-2HXI{xYQ>K_xW0_g3XjCIlD5m9rwoBAioNJMa-6lyjsePId%v6UrZkT{(Xv|Ly@p?JfQmnSeg?AKWk2PL&OeIW{ zW9ek5H(3Tm6|SVz7DOW7>R5-^VSUrHt?WxdcSpV+07(~j8JwDkz^71y2axMhJwbVW%ywlnOC zhbSt8h@Ue%sJ#}0C+_3e53^13u`S4U3%mCcT+z-ejt-?3o2Kdmz5= zAT~|kJDjzq6R!fj86{G`IpCHNKeK)IyuXhBmu(xr-}__uKWslEzhATe)Ap?j0`RAOf(&&400w>F zOh76IM0-FU%OA;NB*f$eM9LwuH?X0md_AQq`oFXbHCJP)CR&{6&`bXY8Shj57 zmpamT`Jkz~bH59}O-?k9dFQ^TzO(ngkGHiyzwfd?=tm|mE(KqwcfYs1!#}@XGQVUl z*;08mc=x_3FBD!y@4oN4H@=Czd^NpOF4tWx-%QGMu8Ob8yMJzNmE(VY!gud~mOmxF zX1~FIb{~6A@V5D#JJB;=PrTprd`x%$zo>ATBX6i8om0G>dY0iAL!{2vOr-;RjCzbe z`wN4pM88@8-#dh4SJUeXxkN(@ujoSCWIOfw$n!PZ>;EidRp{Z}tyK>B!A1bTEr$o* zm49%!{&ksKZOoHCvLu4-Do81fN(!ZL*lpNNA)ejdpN8VojK14C8ged`z~ z)Fj`@OqC~!>9O6WS`k<$m`wo0<>;L5bCE-FTuUPje9JKThaDy&w(q07!1O;ePW<_WP0 ztZOa&hkBCL!0&a4vkpQb^Z|FE;Khb2VRl?K{wXp+cSmzYrpIRJEbJG&32mF1r_Lhj zEE7>`n@fu~Oh+3xR5oN>S19u105PXsmEWB}U-^ntbeENgGXLk4TC0o^-(>|D+k&l3 zFngK_K1ZWyTu9UWaSmHgo>EiFkUE+hfuNhVf&aj1dB1bf@xRQ;-HnfaLv7hMz$o(p z?|}!`?d7d+J~W9o|CetYi&dPn&{ur}5$x#z?xAB{e>6kj){5rrGYOvixWW3pND0O> z9tLJ3OewH=`;#$Cs{pjN59R+J)q|3F)d)2~d2c=}e+C$gKs++pQMrK--zD8O;++FOj;DEU*GS^$de zd1qf12IRA_sK#^0kah8dBsPA}Ry+GFP#*7CaTkh3klJr)MQ>G{0Y*CoDC7cgA-iW7 z@A4)4d2Th-n*r0Af|3@DsChDYGmOd^R(ZDC0d)H=$Nq1b+wSk1hb@X!ePw=E{`vjC zPn#(brc-MpG=kc{)R&Ndptz2Q|7}^nz8(0@1Xyq-!Wg7{>(KH^OQb9=DX@%RY*xyV z87d*_6mm#QB)rt6cbH@f!-w^+C~w=bqQtp`d2o2 zTZn@;F34tAp{`&Yyhj-1HJ32<+GSu8!;1j7tBA&gKwFk!O?VbjtiWSf=~*Hq&Xc66 zSF+k8LdvURdm9UcUv^O?X={Qps;SDm(P}$}D{!6xJ6eDO_{oKxSqe(-cy8d@6MQX8 z=|WP_yDky~VeQO*Wf7TGsyiG%|E^HrzX*--*=k@s+zk*%`o@teV+sUT>us&RfWY>6 z2+Y{x@5_jVN{Q)Ud5G$jo-L>{o@%BK|0Pi>LqbA`dzsWz;Zy!jOTxluq@<|Gq7|WN zF*s&?t@}S0^ZhN>h&s)c_LJ)`hTe6yFqZh{4hi`h8l;2B6T6cTs 
zdbjQ9{~IE-LA`i~nDrB!DtrciMJ1&oLh;q3^7FyaMiyc$c83eKIk}!WJXJ$wg8yoP zbt(XZDNgE0N^{ss1ER+BJ6MH_07oL9fdc!Y=`09IsYwUeJCFN2GCg{;I@4!7GyzOQ zjwg@^RsZb7uDkg8tBDH=QV$GTqpZV+Dp7clQrk?i+crEHL@doOX&&|%g#j$m zJs(5v-J+K8`tOf!WX&xK<#VJsiGDMTTOVaZI$w>z5l38NZ zU@+s<)V|8WB?z#B7)LibW16k#ezNvPR3tBoGP|l?g(43d|bbC7zaB#@r z?h8H}J!New(eq4KTw`7xLWr&`La>sP^%+GPNQSH)GtRXF5a6cX?((42?VF3R4u>W>P zrd45FrsPOqL~oA?CV3zih{(Ey=@4NpFhdx-xrQ!^ca{-+E3zpKXE z_Kz?4fYBhk#x-!mXp-9E9C~21NbhirJkeieb2-PJ8LYFqU1G}(H{9H>uogrcZ68+M z3Zjj7j;ihaf5c40i3lPs?cs+C{J!-P5uKMywp zWr=_r!MSZHBZ!0hg1`>*7i_YdQfW#aFqdw-DpIJ)>Xuqt3coZiYHzu@oVxK|40hPY zsb$iIO(|pIMDiF*$AYmt#L~qhv83`DyJw3QyZu;0L;@ZYCAW|FRuWRu3Qnh8^}z*< z78Ae2aIyf(a%carmeSWXRl}?RJR?Dv1tZPgfT6{}0$dH(R});04F5j%*cwB6fut7` z-lkkV;WpezO;r8`Sqa)ve0mm z^+4mLDejXoLH}O*1DRJE0Z@=&f2d#@ zwKLGuol(c(5WmsoJ{n=uA4>NO^mLmA3gWLo3h4Yd%m0R0)k%z(8B*JAF^`er4jIbT z-)|utOG6hQ<)NllInhWv17|GqQU{X!HaR2)IQ*7g*M>bX=AFm(DsDRL_}1aGDzVBY zSxw?7;h#}bkSi6oY7;@sbm_Uecsj@kIr5zYKH$#)7OKK1yrm;+4GvGgX^G!I?V#4P zl+Ho8%GMJY1I~G|xBv)4%8%4Q6t`sl3sdO1lmCGS|5X_AL@BPS^5%nVt?tBCk!S&e z?jZQD)p}fOZuiUX@4n}sdf_FL?1EI=ckoi;e-jb?0{^wZyYe8|{<|a5QymI~k=ZyN z`}-$B^Y?U zD19?V-L0Gm>K-T^HzP&FK7tn$Jx_G8%AJBuqkC4+Tx*(S`NQNN`;Vm?*@d5lNVn6# zti8G+H$?|(gMcv3jRNn8CJwpBB90xW9umG0%~v151a zz#(Zt1{Mp}Z7ZR&?G>Me&!)Z3Rn?1E-}g5+3Go+dD3ApIDuKIJlLnR`{SiM^AN^VZshyI< zNV*uwuPzHB5AW4ZMhM)0WvcZ`>Z~FS&6EV+phPo-9ZZui7p$y5-cvp*j?NWD5?gTJ{$$~O3C)f zbFgG@gd7`+VuhA~5ntewlf<2PtKYl#2ENw90<2&T6nFGv7_ z%VN$e0?-b&5dJr=b85t-HQL@y$Ta5+hOM`OVHs@mrhCNV+P)uHwd$(U!alS==_Ua4 z0e$U+*n(BPM+N(_r@qYI6`m}Wy-U9UGe@>yIpZzPjHXQ8?OiXTfo2;~gm5dMGovu{ z6g<1I^r2y-9IDP?UP&KkWASL3gK=H{)W&=!g&;kF zxHThzb{DkHOrB3AH(ciIN{``%Fq^cK*vM|-KF$|&;jjjvAWYqfC zs%9exx;qNd?&@8V?N=tQz8}4Cc(otqoyOb`6< zWl&P0NptRf8yu1L@~hLM<6cQ^SYhp{vHN3TT0b|XxM{2|cIrhW;ovuuFjV;6 zr$QN&gxuw9C_l59P?L+Hr7~sI60=Y%S9-3?qJaaRDPQZukTWg_01*mwmrum{%pbZG z-Z48K-Rs{3I8EkS#H{yEME^g7LjS;`|9=V}*fWb1(!;xtM&<~{Y{7$M(IP>us(p2% z`Km+6mVhm~W_W*ji~lKcQtTLX2L2w5`%lkF^5XiDi}pC6>@RTeWsTcH(uPCqTbX;_ 
z*96=0uaNTZ0aR*%{7>TA=Arxq;zNwMsls%BRJ1bk*q_+4npT{@u4qral&Vdc!;_`G zg)%Z&BGjsTWd5cd|2xP#HcH*z=F1jpEs<$cOz6YXPn6=+ zCdQS_2tB5hvyH*xtlRemCYT9K>0P(7DxtAESty!6%)zan7hB^42NhP%jopxxVY3h? zhPS&y^7Iek{y#@<&8iH+tm^`=h=tN%4(VqskOU7t_T5B`&aufHMEQDvKVkENW%+9S zf8bGnd7*MHW>@CEshmcZty%)zPE|?q_GRv9-33@{H-H{jF;F)F#`7m38#E5DC8ifH z5Nx`4;ip5&Y)Oy#t}8~j`z9}#P>YHpe6PQTJuwN`J^NX=LGr)I{NJM z`6%%zqy;|gM$ok5yS%}_&<%HK#%?wTGFFFWXRLf{UHOrqF)+c|zh$UL(gxPE49@|D zum(6rYo;hE*}!moJMWY6BKF-aE6*Xq(Mw}U++7C$!2nB%10nexYs{Wo;h-7LLKC-J zL%>=wB7}INAZeXmi$@@m-nUYPd;JF}%(7?odz!-qjX-#SaHn4Li~Yb8-wNFvuXn{n zN+dEMYY|1yJl%;OK*EXE%r6~rpnU*M z^W7Zg`f5ntS*mL^{b!E)w-pkXOrJi&Iq~rQ*`;n8nAo&0^lgE{X)8rzKN^lF+ zdD6GUu8m(GulSJOOWPvHe$^*nG}H?Twr;fimtsQCu=uywN0(P#dUQ}??UA{q&y;aI zGCyIjLVfv!_^M;qz_sY9!=v6##cdBg;C>v`Jw+EHU4&IskR%Iq5%oWF6moCFgmb&F zEa!|6;?t!LM&qTc?XRqq@ z_n!EhxO(^Xipdwvt>{qre__JqFZl5R`1*F9`IC?P*I&a9>Ud2Q#k2@E*u)LOWs+x6 zm9)dEm*fVOP^|a1quYw~K5?IpwYS!yTwUPq>&$N}BBP@HxE7h*+8=k#D; zX&({1id}07<&z4n0ASj#jMtUc(04O~Q;k{H^I3yh3BkN^k!fVDW9CY55-0$ql0?Fd zAF2gnKL+f}XsluU06y!$p$V2Rfw=d5h*zFT#2Vter7Q!OpetscUdGHsTLf6N1oh!F zrpj%oG(yIk)MUaUUR93Rllg!Nx8w9%tmOT2XY`zSPHr5MR|U}&P>S!VQ$<&UUC|R4 zKGwL;hCUJY@q#9ry8uX`ZKvXpp{79&E}*#|Z&ccF9*2%WKsISG&R$iq#V#4Cp?Zuw zsFDFHyA>@u6HG}_0p8vhJ`;$X9a+7qL3=0+?ZICg0n;^oBVPNIWV#!0!D<08%zv`A zW6YATade_u1aNaW{T{zwnxc$+-A9faQFgQR$X7M=w3Y+?mB7T-C;RXRK<<#3o%V}` zXJ$swyEcPWsn`f}Z_y7e)8FGgUYVEpGdmaqwGwFY{E? zLRz}*9!y7YjE7UtLrz1T5ilDf$!j=<0p~|*@)QKxu`+0X?ZL>KHCIdDtB%(P zBquiVC60sluT`2qbW)7~LxGQ~mfV_rPsQE1D}%cOCH6J9=(@Sr@We8Uiw74KsQu`O z;_oU!4PD@2A4kJ!pePO_q36qG#TQUlJCtLb0nfxW|Zt# z^7@|EPz>x-Hs|hLsX_h%j6vyl|6y@ zR;q}^l1i&fT|tu-J@9Tbu$4|zHD^tu{A|H)lN5Vdvv6%)a+p1=Vc0PjmR_(DeNpiW z@4Q#E)_oUU(1N?pXd(rXC;1WPYzCyk7Jn_8@%GbwpYX8@d4J$XWepDgdu85iDh24? 
z$YQb8DpD@wOdgyPZeY~SYb*>+A2Of&&o?n2b^)s&G0IuiH_gwHSKun8>0dEno*%pV zyh=EmT#WV5&xGJ|k9&CO$1*&1y^2^%qfa34E)Qg_L?u{y`|V~%{6JOl;O;qXkDOwx z;AqMI!HAUBhWU!J;;sG&n`cE)o?tt^M0)IYO(=z6_!n%Gpq1m!8P$J>)}InVU^9RkL;eCt_hV_tjf#0b3w5b`n^?1D83dW9*6kK%GtMz)GY^~Q$N zq#M)jPz@HQ;SDd0TDt6|7sPxJX5105KD$m8zPu@;k|IcP?JermK6))OfKp9U%sa&xODJVAQ0#qbBUdU!WrRg9~@ygBYQIb2utFWZgVF*CChTj%SQLQFHQv9R!Zu z-L}ceR7UQ_ooK%#yVMOLXH=#5yaq9L3JP8;^ZpDJIgZ~0EZ2~$LTp?%tml}p&wc#72VTAu81$7 zvi&{a=gU==tAFJO&-q&{%&HAyD3-Z^@Dik|GYn{a&w@r`(1T=b=R&RE%iET4_i70C zmALL?`4{|Tcw;NFik{&ew!+wGA{h6+D^5zARnzR@Q}&RW`%}#7*&_&*z-Aj`2&0Qd zZb_=(w?c@7q4Up#ehH8-vWIINPOzpck2pYNdOykK7VD-9l9Rsk@RMwopenygnqz5z z4PhEVo)!nY=jQ6<1D5SxD^+U;415<23CPfQ<66iAZL) z%#M5$9=5mVn6{rsu5)sf>q7JBXH#!GUC!)O5IWLAOHiC|A2TBACs-o&kR?CEi*K!W zRm#4MuJKb(6O&|&r+=oS?vkg;k*T6@qG!wv5s)j7wxiRECG>eq2DNZf$Qjcq96(2} zjY2>$`1(6j&39KWfY?^^$j_Sg6XroQi(y=Wq*-mNf&C)aA|*3+SLQSU_0=EYu;6A0 zulp&JiJXJ%5g1UO6RZ;lO3JFD!&As;Lq^7|DjX;}7Jdm#d{T?xqj%KRiIWrbjWeg~XEP!|*?|_M58s%DOZYBfE@P-}P!zq! zLu6|{m&*Ahm*yau2GzONu2aj#f|$Y^PM|Yp!OlN6F`0+|u@N48Rr{H*n36g_@< zoFnDMjNOXh&mN!!XOjdicKIb_1RYXy`{4DW46z0<0IP+>y3zu|+69T0XSNJ0L%PB` zMs~#+D65Z$fb%fwTw7o2%+XOvXea4M7&hr`&K_oaE-B298RL+{{gk#cOPDbw6{;lI z%*=t1{n&Z6vnu?-6Ah3trXqtEne#djSPA5b#2e(Z(h^;49AZAB4Tx*AoK}Tkfj1MF zb_y(uq6A2hhs-G)l^Zxv${WkakL?|cr;nQRuayyVF@8~%ca?F42DGZN6KI~;)?FOC zTsDR49+OCqU}ba~V29zJ$rWG}vF57GKE(|yK?S$elV84-hn}Y|b-%k(XBm1#pWl-i zF9c;cN4@DBEb9-S#`>5DIL;rJ+DVq>3V&Un6Bn$2jfOo!7@Cn1^S%*rcBtTS1#jVj zny<^R+kNCZ7z|b8 z@FFwUwwi}{RA9gWTqnCfQmnz6O2|U4u7;R;ZPX}6H?pj8o=yXXw zTiKRi1$Vwd=D2IRhvJhB*Y4S+OB56xF(|7l5XiNP9*)o}Xr_B^C4iz##-4@-6uwdVvOG%7`YU9O^>|f| zWvYvNQ@d&L?Hc!c^=JKqZ8eC*(XOy%4anh@y;%E_e9R^1Qs(v@_vEk2HRTlGQS=?) 
zbV^xx*a-M1SeNg(%B4*Bh1XGW*38 zPp*g0Efi}-iMDb#HeWuJxPDyH{Tllp6@-VZFTOoiNYwh`u>D7dpOFDc443t;Mnan6y(qgG-_Xf3HJ#H zx7{YG;&W*whqMfx6HAe_4QzaWf@hvgm zop0M}`El9sO@Fv&U`dCa1Puk5mon99IljCAKc9DER!g}V&(HXXzSv7%k%z4|eAhgn40IilstFf8bM|8Tw2G3e2ALtT`d&I@VonCQ59HGIgVhB}3LkPdXJgAhc2-Cr#Ia|Na$ zv}i+3F1;BYfTQeOFXE~YjPGnnLeHN11Yr`9d2r^eHeJ!62yCxc$S>uL{_{iokm4-$ z_t0+0a%p3cflIq);aJ!=t@oFGRJU>l5)>|ohpDb|(`tF}1o*Ox=$9Vth6Ko;YV=51tZ|G9D@2tTRS&gGcc=8;cIXPP=XmOK@$@zS0Lwv+R z1`y6uk_fGR`}eWJ6smU_6m zKawRl2#bBK>-X10FXd&Xa1J#xLE@;TI!;y__#w1(S@~5}y!MTN$DT9UuV4qCi+Pq` zG6^s%VCt6QrT%hrG3g0V$r>e)u9ixgy6obNCt?-TC7VF^!>4~<_>tD#cjx1^Db(1{ zgIF3>4$wwy#w#7**@7#^r!$SB8tpdQR`Xz5gbVd|7009>c0=n&SLqtKpTu?UI>vkl zUE9?Xy~mDWPdphI5>arRsvh|m8Hy@PkKA$L7pv#Wpva(=6SFJep0gIlFO!M+B)`AU zO%1e5f4s}c-K*y}w2=|q)O~|=!;po0cb^Ek$)-Jev8%Vk)Sgk}^05jL6gPM7PS%zr z2k}-!U!+?t=pJ4LgTMsA*s|g1h6vDmwc{8CAz5kD^L8*E;I{r)S|xpK=ffgBUJh6fF`|BGMczQa-hjk~y4&=X zEm$XT5VZ_b^Y@?SlkC;p5S5 zHJn~0p$JGut*GU*%8=T}31cBup-I3@!qs7B`IE%^o{oRA9~PhkiA$=9BL%&hT3!8$ zU%G98y%QvqMn;K@OZJGU8|<|!!6%@d1Um7+?mEa3oHpMyr+m=W2Sv!t!(v9z8=zCv zjfhk}ioAVR2d~>4qrUgv^YS`e;xmDQuGlkbz!EZH5g*m_jKE zXZxhHBUb8+=G)BqGPQu<34^UHjQGv-XsjwcnE_GRr;Kjt^mQ$6>7U$Hg?P?tw9ztu zev;wewfh^qgkaxu_Vz;d4K?rG(AlXA5y}uOXAr{~zhaFtjiSq7A}mADy?FX%6@`?9$rM4f-Q~V|tNp_pbCfr#u(S?^nt8)l%lEfJPO( zofKxCF=(2Kp~Yh0X?*S+VZE@uhw6P@4)k`DP3Vn?eq(j#9bCQ{2!bQ0%V=$8d) zaog+3*|QJX--^Hhx`=e4bGCi@8slz6sA}C?3IZK?g#bpTI3D^3z&I1d1&!@wam0?3 zU)A2plmR!)L1&yt);C~VWn!a8{ENZBjS)RbwQH(SMhx=hXa^U0fs z!dB`h=}L7o`!R;rqei7I{4jp;4_B_+8a9UPhkq4O4BUWou&C?^D#R zPecgjG)K8InTZWTI;{&UJ1~ZY_CZX{oyF)u!`I|GV6`Lc+JUS@g;L~xIo;;=CHyq()144iGfXxJS%fwLBWKoqw6Q6z=$ z6Ol$XbF#%frt?gM z1*h9p71;h71%pT%L9s#`OkOd@3!Fbs7M%5=sl8$d&g-D^(lo@0z=q`~MsFCG?gxPO zdoyjH>+%%u(d0>#0na={P?u-!5(9#w_s2$%&B;s$QruPc015e+V6f_mr_o}K>8jTY zxocgt935HoYlT@1PpFkVG{-hV@ye&RrP+6_S7@LWXrAieXf5)ZPK4CX5gR z4In-LF;O6Of_G~M6!%zdZ%sStt7HmhFlF>Luq}{JSysSy=}Lm5ef6xHG|Ut1WX$Ly zTu+84T{#5gbALx`wCNat?{%GrFj@pK-raq&W?f_@XmTenc~ruiIf5z%-DsxHi)#wt zV`&k_1)6hWzU6Su!9oBn||01{K0 
zw9*($r(A5rRB+9gokV0jR`3{!RP%#mQ`HX}J%rxWd}(F4Qe(ofv( zT9z=A1&%|-TcJBLVseoG1IOTcT(Ht7!AfwUWJs!7&hl8oZukgJIZuroA z8eI&Q8~WVJbM(HEHL(Q4*d_g@k6%kb~K_ z^al}!EC9KoKLNmKql(NgpW0#i^m8))Qp_OAk7iIZHRkp`qu?R`HZ=FTrI!()x06iR z!&Y>Oa!f*1rqSkUe7(RTKFIKO1f?9Dtr|4}P*$W!hF17e9^IQhwSUjLGofuRR}6`jm-f3l}$`#Em6(Ml={FyiMY66Y)cO27b8kydoqBasW>W>benR}C z)0!BARS%&AM(dOx%Eh!;JMc8=M5-5_C;0AxGw^!x_>)+Z|Yppa#<%B<|Ix)gKd zs>{{UFtv#s@Dyw~?%c3j1RydwY|>YTKt`vG^foo_eLO= ztoOi3ycFhN)=>~>d-{xmD zU#dp=c~g6x55UD-4a4}{L{QXjdyo$PEX`w=P|11e#A;5Jm+aWV6VT}MK*FiYs@Q;; zW3Et$)~Hg@II5C?k9MTt&?K{Y8Y4elE4f(SN^w07($izD0Y3Y=NODAP_j~}SCk%#z z8f-*V!d(b&FJGG3OW$Dwip|A$!{pC`4}9Ek#LyLNlA6HhpO46Dw;{9*3iw>4bp|NN zU7vmUlX!G+_N~II&zo0%E>r=_7w`*c6L@q64!kT7A3lVATWq&I3GAfT3oZtSKc8BI zt88ScY~^P8Tc}NNYr5}$@v~3_aYC=L5u;9Uv|38tW<-5sm02GB>3jeBPn1Fb=v}89 z=(2U%P54^=;cYE!@`UshD$T7kJ50r&fWK=~6rH`EGDDC?0-pFX*9HnQ~SuigFw`k@cWg` z)-yofq*@-ZP5U~_GqCjK*U&k5Qns1CduuN;n1E*hvEKB(8JJtkGWwTGqoQU-t% zFG$?6z|b~6pY_LNWRcO?*3(3}T9u^LE49h^p- z%*29dFEK@PQMI4^q{@SZIX;+Zo&bPqu~KtW`0S$wy$J8J6QI66PuWa~B+<`=*xE8l zUVwfW?uw=!j~0S9GfkV4-<83FAWp|m=6o^IH2DQy?`v=Dna)Fc%T)9hf>3_(X$bwK zb8|@wyLCk{^w_xn5rT&P<<>hd&4+w4dHN(V#L(lC0O5jtB^EaWfjN&ono1nKhfQx0 zOK>Z=`?&Kc1dbs1#;#4Hp&pEfPICb=v89`s4>wb?>Q?58=cXzEdu>^F2o+1SJEQBE zL={9Ru~j^h2hxr_47Uh?^W1{zVJ$_SR;CKQV8_Bvzbkhfh!UR zENl4`Qd5-7b3$U~QhtYTD&+bthr}CVyw~z8QlR?$@}_)Z5^d64^bvhuY!%8XttRB2 z*P0|-X=!3u@+1(kH&EB~?gC*0&2hwy)l@v{_|NR4<+Oii2Xnq8HlDgDetX{OdoF@X zj%LL%>J|9>B}F4f_(`_~=w=L3Jj98(HP_^$Ft(xD(#Y?HiLC5Xp|GSCdtBtxg0}cyOz*LxzNge&Pkd!*OL$rQ~+aO?=HIW$KJZ7A| zofh8@Xq{g`;JbtLDAw+hlQtbG1jE_it72ZFYG~`W%Me7ru>);l82${&mdho`*Y6<$ ziiuk!Hk2EAWpk-)!uCJliD;|?u{q>c=CLg7V}GU5`jEpgeYPE_T)$Lf^;UxAYVQa$ zODekTdHtTop?Q`E>$^{~b1G)~aj1Wc-CszWf1lXBa`5n3Hi{#(=_po75!aFf6~Y-%m^V`vZg6%bxITw56;-H2voR3_3{fb=0b7>|M=oZ zvUYIowM2L&#iy5`RW@#6thsKto5nVU{6d7}fX?IYfHkY{Q2H+@Fk|rze0yFXD4}uI z+B8VvU$`r5LvI+x3;7 zdC)8aT`9V+OUhAHqSDRtZF1jIUmKqx`D{8%)W)A}sq8rhS~4$v)cKQ~)e^A#lf|7Q zgXtW}aiB2?%GRhfBA3-guI+Fr+Jax;q`N$LQ>XsIWZS>XimXB*g>!d?x*5ENhNK(Z 
z`ERC>ju+bNyIvH7mt6A~bwDxbz%Wo&#KSJI{Zj*k32?osebAI+tgbH;<$qloPN|*n zz~_(Y7bu=V2OGgPc;b=KC5qD)U24XNjUYIFObwzjOeZ*#mK5R9=Pe`T;opq>*1=N)lgVElzwFgSa`U~L_U8xh6p4;wJ zmn?jqG}=IZ@W?v*H^h`{K@+2D(iJ1t==(+sK(NToBgueofZPZ}D4Nq#Nm?i=rr{(Q zsg=2QQ38G!rTLP-VkbjAAG9xP9xeJaOZiNi_m>dy*aIWGtFBlc^%>njD2a6bA*ddy z?+;)|e4*PBvOFrB+B2M(WGx9GEnV;Y za)US)Fd96Zt1kPWx>R(=oR^b5ztw`-f!^H@Eqcz1_FbjVd>N<#^0t8q3H?{KI};U; zM^I;|gtSC|%t7_xO!tn{vl15I=_vYbEad$3kiOm==JG^Dtu=d7yL!V3RfW~L*?=%yvC5^*FW z<9Yhht-y-Xrl_=1|5)DwPxk>3ft>JJ8{N7|NHipQ(KEkHF8X0XV+2!4Q3psNmql)u zJH4+w{h8MAuW|$wRJJv^^WGd|+_|Dl&yavpEnydgH(q3f{jHi$fyYbkX0Yd0q%1{b z__mrsP8J^K`q|n-^}08)y5pWEknWmdZAn&cy+kyh(f7^ z;o;h;lYOL z)I!y|pkw!2&Ki*n)kC#7c+WzkIq0bmd!v zHF8*KzF2W_S0U4L&;9NX72^yC2N%gcEUbG0s>gD491NE}(=?VNqw?KoQvj?gywIv= zw6Gi^J5{azgjTMYmY#KCy*_-nriagy+XgK4bL^fMcQ(cEg7=`QfFU;`w3Nh4eU#O} z?n9-16rN2~&bz}vC!!M6j&eg7czGPE>5kIuddzp{TCSE-wphn%bk|doaw&?y2YSq@ z-=Je)Hm9FSZyayqWvAqx22v+=-v7GQcq*{xZBCD%iK#S^v7+_*uJk&B=|~YD=W$=` z=x-)@4c@$m4qIs-KDG0*Q5hhv`gU;;KyH>|bA>p96k5~O`k+ho4KpH=IM_l3=g=;L z;nlCX#MQYWqAL~%I<88j#0sapI(fP|Eh(n~!67iPV#z0}=E`k2nU;ra%W9+&tWG#e z-m#}ZJMKd{Limj`c=Mo^NEoPY2urRcP=C1uSz7Fxb~2sEx>@m%F7Z0%R%3&)0s|ka zY=Z6oXy+->@)&sH^xjd}?Z^VY^g|m&qxa%l=xXt@HU}Q-Ri-4sIG5J{^ucQ$rg|$rh7U4rUJfrz zF1f8Fp~f!M4AhEH7nR&VlS83SO$gzyAllcC zn^!oEJ;SJ|^p+~wC@5;CL_Ohfi4+iM@(Zn9533L-(@; zA1l|nmN%#~k;=E;S@|SuW^^OEwKOW!Ht}25eNii4GSXc9#bRvmi$b7n&=?%^bu~A( z`O;TZcN2R7MJ44f# zay%=fm7i#%Db``3VYXw~+TPDf>$V4;`wzd1TVqplbE12U^wIj^`K{Q|B(to?QXam) z7bEX?VCM5Jygy%|jeWjaYrmA7k1T)a)AVD~yuP!VKYbl8Ru1D$5KziJiyTVskPg^= zzjRg)kal<9bSbZNCV|CM@ofQP4i33|Z}%!YhFpg=(#jF=M79d?dH}F$3LRRqds)nq zwdS)|0DcsTGgU5Jgvx-ssVCeL)Y6AlgS!F$W}Q{M17GDhdec^E?vZNqogc>j@}I-E zl{*L4b(?R^L06(;ftP&{i9a3{aNsf$nVmwmiAymFjdlHE6{j#KuvD0GF`OQ&GJ9XR zUKqPo0UAeijJ6H zYY2jWP}2uD|BTqp?uMMbPfclY5*O5YbDZIRb{OyHi1^AS7Hk=&Jg#XKx)Cg~Ew4?C zHCsED1TQvpw?t@{)-ouSO1P!ge7&L+xqG?W>-*_V>lVw)?0z_h@@(Wa{R?rn 
z@db-}v~TL_Pe{|UP$4F7j@A3qToKxNQH{W7Npyt_r@BQMjcqrnj(*lwzpJCihUPxPc9d5R4GYA}D!sXOYlw27C{<)2IrPC?w_@v$NTCCPR`3=s+7ufc#F3{(a z3S0@e*f>hD2gn@4IS^c-?mL|=@u15P0JNuC+}f*^a#}{&2D|(j4j7eYz%12lO4f{t z53w0HVGyKEb)OZjiWywqb1}P2xTU4w@(uW-zMliUXd22Ew+!9HFF%B$4GA99HrK;A zIUYCN7DWlysCmAgTDvj%{|bE*g6ykL7F8O5MpgnV=e99`jp0R~!qy1Cb#zk-qpf{Q zI}L5(8A+HI806?d_jfuFb(8Qnr zK`?4KzRswf=Misr8a_p-XjINjKQuof#7e*?@*zOELxhL;YK5V_YjgE>6|S=ArBS1x zcfC@bv2*5!!1@MM*Q<&@2_fuBr5jf}Aw|?U`f;^Nym_|+@8t=nD#)AS4+p9Ak553=l zjR``>Z(fvrlIQRHf-Eer~K9 zm#5#0n||L)oYxcHQ;Mcrm19&Q4Fj?7Hh)gXib!e2*BXAY-bkZ0u_SrTZYEeh00000 z0000009p;TcDkBNVq?z9IW6^)a$D;p_rTh>q~F=)kpguCK(0zkk5N2cK2hzwI4s zH>iYFk19uf@d;jlAh-e^#xfSbKK@IlnWqZcNF2NDU_E;{ANHN$`oTBP-$lpjGfrv^ zqu(Mk&2+=@JoCbjH+4RaJ7oV&^+zV)5u%X7O+pIn3Rikz_A%IhB$4t5dW067IH1L+ zABMx%C;GrmSnM=o(%Ej17mfP&7kP>l9dP70_cc2oU9Y=DNf+Jk zjvkBQ`TSN;@54M~o@0JB2RtHXzIVte+C0D0FseLMFPGn(YUk?ONO8{;fanddl|arQ zV`5Dv-3UvvI}Y@NS0n0 z@|^u;f!k>wJ$?_^kcOS9t8SW&KnM( zf7_eY3%Y7wRUIevdkV)7ICnCABFr_M~b*=SPkz{pGvE21e8iY$9TjHCcN4r$9ct})~U;pWh)-rczgWDh@Xf60W%US z8Ofc10rG74jac^I&Y{rEv}#jMOnM>eaSziRVY)72aar>8zdC}*ERDz^Vo+CG)FA?H zhaKFODK3(k#B+>0o;j2pac5wDNS!oteUXdg!qBe|_I$F}F6)#?^7re-UCnb^9!mLp&x z?8gGb@w!K+O$(K0Tpb^j81@+)Ue*lOsyuNe5BSFSA9A7TgrF57-xdG^QS3NbRn zwrzS+Z}r8zQp`mINNZ!}tyk@P@R_bVFZm|~Q=)`feDFVgnvGHkrpmv=Ajs|&M26=E zO;oGGO1iX;o@bT%+Fz_i-Fx`y>aF7=pcxeg$*%RFm5f(_Ez>AUwKnt@x4tZ3s|1ye zxdkSzP$u9yU!-GC0GF}XJ{3rM&~3SKsKo^Xup5`x~|D zK+#7Sp3`qwXD^S96uh=ZFIfzUp2PML@-=DjJ^f!CzAr-pHGB%>xLmw)Lz6gZpr1Bc z(|cQY{9l-gFobD)n6bgm(7FXI?7OIMAOi-d<4XV}1&xn-Ze?^fN{mqyn$(u>iRH<9 z85trZTI2zQJ8lnd8dmVt8-CNt_5Iu?dY$zc#aG;(sZ60X0v9<_N91}fRi%bGPMc%9P%(y7 z0u@)+{_*Mi-7D#TQvCu6ZRswVw2T7JpmAFUyo{;dk9J>Opji31ychVx(+_X7OQOm2 z!??xIU{xBMi3zO^bL6Ca&D8Fqm7`unS8nk0_K3orTUj5eoarCIfSX2!F4g?`ie~*s z`S)sIRB8tjehs>w%fDGUIw5;LR+`WSwByVfN{BDB=$WK{0}_2~d*=8XLptp~Kr`R~ z2@F`H6Hf02N@m@B;^$6x$n(tx7YXIlut29lu&ZEifO-;*Sp&y}1el%6cEArY4jd{ewB$V)9^WzaDSlIUPrKN`@^Y!)WVJW1Cd6&j?);OI|_SlxwHsuVc 
z*E~a&=?!w_$LkOP1E(J;*0b@r&~hS;RhfakFbljDv7L!`(@0PN>x_3K=nP2E67N-d z`#38QFy;#89d2vc(;#?389M3Spt9dyqJm^}U}YmXN1kDRIHq|=IF0FFWn90rUGTbz zE>%pYbAa)2d*l~psF=Hn#g@Eqdm~B*W0Yj1fhD+Q`n{dk9gzuN=wKpO=N*c;_;gFz zcNqHX>)N$``%Cg`>~wqFc=42Je}Qf^;^gcT^TV6yk+|6br1?CVDwsmen``BM0*E~X_C=vH(P99dhl^z^I4k@ww6gM^@@KM}H(2ZsNOh%p2UcJWoZ`A0= zNh$q6LuB5y4-qbQk^+_7f!DesGsF*bXLx7XSNuI_?Hh_11yoo+l)P!e(kuHJ;9{bJzjgn%9~`$fJ&TBaNs^jiefD^gAV(KhJWHao34v(XCE z{D#!V`G+PA;Ss3*MtZD)eJ3f9z&Nu^2D;LCHH%2mT@FVM3j-CP0CdN$-t+O(LZ{I$i!J66pD6l7$3}>TzR9h0@4g1vMEkO7Slbnx zPPTmqC(}I5P5g&4f*-#t35!sAqTdP)wl8!hUI&`v&EfP#;&PQ~)mN7&;WO{GzFHE# zM3ywPWN0Y4$|mT}7R1^>a*(rq>quRsdeGUP_w~#TO=<; z)X5{{h)0#XKU`G6sDe4mmL>grBwa{Nwbp$!&+7s;N;I+5v_>5-)DgSx| z{kL=xS?P3!zvQjk_;?5!LkZMR07GzNV3wtZ?KRieaSP?V{9bL?%o~1X&9YiCdRvJ%GPCM_}=~1 z#W!7G;hO7MOXqxi*a$FMyB!|tZ)@9%LjE|5=+|G8(jxZM%NcB<0+F zOX3d!icanW#H6OE2V3p*aCpLG2jQp;M&yeA z0)grXX*T0?p?f5f@w0}!F&5m!U8n#Jdr^mm6;&@X09q8P7l<5HC4=tPKrG22xH{!?&?Gkb;<<_y zhsJW9bmDLZT16SJ2db4T&HoX3M^?v<&>f$XE;fVGM>ibT{SjUIl(|XObkEokYe1y0 zfx;@F0DUVF`F8N$S#wb=KT0EPC^%l@aGRHQuL-O;-tCo~!L;Bd$zMM07gj_HXks)5 zc$d;3V&Jw1SNWcZM#}u6iK7S_aPIkl<7S>bpjst%281{a zW;r2wpdKKEcG%C>^z9ltd~Ft?S_v6$x5?7cUm0E`-lxx*8dh`EvsF0lzxDO7i}ddzNgF3Y9zTCWmL7aT=0w6mCsjyat#(J$dER^=w&|3H z`~U-8prZhK%~yigmyYh&U{3K1V{N} zWj*i#PT8k}qh21rZ7LT~L~sVb;@blwk=|S&5SIX%Wsa9J1O}@8m-%yn`~?mbVEWfY zg=p)#9k7IWLclNi4-tIeUh~YQnNln5%$6KT`KH+3o%_${)@W%_Ls-qN!M6DwgTC*P z)|cBw_VXY&HDhC*9>9)d|L$L2ZnLyu?bAB|dY)#~wI|NTIj#+DkLsk2XX}iET(w7G z2Y&b$(gynvmZ}pX?H95$zlo0d4jG5m0;5VxyGpdWoA6~|p?b2KudqLT%UtBguPQaa zoVEUoF<(;XKq6;pptR?q5n#UK3Ns1({>XavqFAp-4wLImG?iy#WxR+00000000000 W000000000000000000000002*c#q2f 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp deleted file mode 100644 index e1aef8a4b41dc5020282a8d118fb13c7beba3c3b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12866 zcmdscW0WY%mS)+mQ?_l}w(UA)+qQMewr$(Cb;`Cew{PF~Ucc#nJ!|!kS!*U&=8DLS zh}@Z9#@^qzBNZh?ML8J(0MtYT8-@fn1Z6UJn^oy29dcj=;Co>l%N#6*36W^d0EU$VGe2;u~zPR%H_MlrXXBIv0 zZRablIVC0eu5aJX+oF8O{dC7vI^v4r#uUViKN2vYBw&JxLj)6q2qXyN3gbrqe{JCM zUN7*YvEbRXmj_cz(ncH^BHNF!k_jiMsF3%zTyFp8cNb06A{HvMED&JCE!K5tTKpFf zi5hp4n_}H%TM%$VBv4l2`64*|9Z?n-+=*Cj$iX9ekj@q33qm)P(r5ee6~#X=hqz*K zI?W^hHC%YGD8TT>s3aXDWX)*k2VynuuwRTfHoWz>?-O5bg`>;x7>noKKd!`^ZpsDS z1VH(82uMqI+xEkXbPKda$+w?F5D4B#cEJAJh*0W*6eT|VLe>wzUSEw4XPS79SACKwcL zHY5%DX$7+xzPw_;dBwhSh`wjyzmG@1?+<)m@Ay7m@vZ=sW58f#-*)f=py;Q5@(6W6Cah=w?n*((1;UcJZL+;g zlUqttT%ee&>F{_tL>yf!c&_F0v;5bg?Qg@8@oO~A{D9G?E^YjZ^xFq(t;HK+HfZT| zz&gI(ix~C=L8tSmwr0rJu`e3X2(HLfPP9~8csJpl28=r8L2{|Nswld~L`)(-N^ec! 
z^`0%`(FzVlRzRM=RR5aJMu*Cs(LA%~cD9_*ke)Xbjpq7UYZBGhUDD0>L8o>_sWH_% zHtm_ql^il+jeM`1#rLIlP4gOZDc<`w^+v;5q?!)II`$E=sNUB-0S-=-__@dJ9RBMV zNeSIkJbCTC4cg6l-ec2fgHn7AC2@TDHsD&{2bx64dIT7eat6rYWdoG^&YzMSJ=Dds z9d{-c21Gza9m`mxsuWDaFuorT70bBtPi4+IEcmbS?^|u~dP4ey)yP9R9)Otb1Uvj% zn&;oTB3L+Jt^;kkLvOqWSJ7X7wZ(68K}|1Brj*`ncIM0C01xYup9i;pKhYp*h}dpE zJ^!ZwK#fb7)CDs=u(ovYTV7_IhvdqGTIN^zh{%i45tK1odGRhDK(zVcCdRF7%fODsw$FRD zG*;Z)1=7WQ#f$G&6~1Jiz>ox3H;zz+Q~kKIgdXR?BaU2BAGKZjJkoDOx>~_)3$Q@A z1yE{vIE=CNK-D@Z`$sCbjHX@LjpNAp8C00;|McrW9^zBlihPS$Jfn`7eRTOZn^%P^JWYn!PgRy&VEnmWY z&HahmQzW$x9zRWb@VbLxjkn1l5?IOW25k;!fIZx1#I#dA&53?=N3zywR(X6X<*p_2 zKQpC1ZP4QHOl1KFI%8oBk3XaQf5oh1Lk6OhKOB1r@l6s!b*?f+D9^0LI%59x*YS9| z_q0vDI`eH+FY4~*Dxkydzq2wJ<1-V8;uUz?#$*to-Tv@OKgF8a@9;<{@-U}pb;^&& zroVSp%o?qj+b=G!)8&K+>_6N;wXSu-oh;iBvgmW|3|TYU8u=Uj2lQzE6|Mf6{QeJ$ zAnCm6{C^}MBzS&rJ2}DKUUPDSyFF*&0C##$$M|pa9EaBJ5!f;>wNFn(AG%c37+&sAjQ{X>3OF`!N_4w~qL9-BS_?#jI2Y{J!_3 z9uc6r6c^brsSkN~hrg+wziX(!z%?hBnC!jGo20nxy{}E%O>*$IL;~#eh%^Cs5ThGb z$~SWvo~3?k{YmED`d3W*Q$38cPiH*AMJ~=|>qyoRnf%6Iy<+IG`sl1UgQ2Qvuf?+Y z)dmF(n6y)_9S`)yYpZNRv#oFypB5@CDL>M_(v5@TRmr7Q%K0yynV1prG+)PM!wKHo zyVixNXccvUHeVs|2?~dN25xYkYzr4+cPo3p$fyhY1El|L{6x0H!+cX6w)18_ve%?~waZnK&oRgGLFef8(T(lKCeg z#1=vXQvsM-!yf#T@DjD6ZwN*hD9S72j4ek%`W*7*6v|XK`XHEl^?QFMc4hEV10k??Vhl^? 
z#H%xKnQg*IkbuZw7VnfB{POMb=w?!Fmr-aYZvMbqW{UPEeZH7Amc`iu=_=pL{334O zSAK=YRCnut=P#H7rUHB$_y*8@Z4;2*u27id4JCjFaL*Y%LBCUc|4VWB?_B0ULCI|P zy(R@^w{0MeqBhFZKS7!z+&)^AalGgczPy9uQ#oN4=|qCY`wv<9&(k-a0)py%hF)9# z^)@f7BKC?%Bf`~+s&t$s*4$WK@S#Gk1$j^9l}Ml=xJC9Rj=eDt==Qfw;XjfoEFmEE zv%%43D%Ut7RtkB_$a_RybT|GPH-GyBu9VC}Lj`>#0b z|MN6azZc-^dpz!sl>Z+aaDDhH=Qh%v(F!wwEM1I9MIi;aP4s&MtFB|=cCmro`7yG3 zeuf-0FUSdfyNZCu;hJ6KAX$W`{oUU7YD=(7<1Rze5_KzNVNtKFMh~F2=5VTLbLs#O z`inH5FzzN)Hx8J*JRYtc)~iNGAdNeRW?uugA2cY18^~7X*pGLApe+@`?&;zvFOCW1 zKuAs)fd%FI_-M!*XN~x!Mb(mHTOJ)0kNw|}y#!~m>x75+J71>5wvILZAHH+M^K6A7 zbuU8l8g$0&vLiy#%$Q47oV4jaj|S=FNY1b_sS-wYU{!GIfx|h$7N>A>yd0 z$?t*;CA`nB2UjBC^7Sw-Atya>n0|sLyEs;PbNy2)PFhn5sBG!$)6=w(GxR#NFt1+ zeI}_N>xH(=m@=ulfKD&2x4BTi|6OUCDA8kU)5D~2YPZ$?&aU0xr361swz3D_-J1;c zgoVb6aW~UDmG3{C4KrA@f2ODz@^o{>X2s|MQzCsZ72vZM)Lmo3CB0s*iJFaE@4Y%O z)>)wKKCyU(xxRlAagV3BTfhbxRpy5P(O8b>G0sAv5~V|*><%a)KO1M2NqJn8>^#4P{E063 zJb3DXLckVDN#&PwM0gq+dfs;T57tmwZDxs4AQa?$v*3)YjNM&P5If^6RSAMldQfk# z;6TSEnWArJB{J#l%i|THt%?@!v_ZN?q0N_7e`viB{>x%Y^2xb2{l;NQ6XYzY5XE_^~7DVp?a?tHE< z81WC@nMrwANf}h<7DJCj&70~jG{$ETv^81sOWev#@~*|xJz0HJH)L9Fv2T>>UpQ|7 z8DtdncNz2OS==_K28`ok6XFZ0B=yx1UkcUxOuD=JsjU^#lE1{d6y|R?i#a6imYHG~ zzA)D0+zx+HChg4#?YTcTuK*DFX zLSc1=tW4t!*KZL9DBrcSFvU)Z>n=c0zzjg!HJPV42VKN{EoodJ-{O1cp&LS=6iMGR zFNTnXhaRU~af=M+>4;^kGMMYxvw9Xx`Fy}kj`*Y0$HgKd`N7!OZ1R1^y+C3NcoL^SPpU|H zSl%Q-c8RZ5!Zlf-p!R=$$WDou7gPm)*%WxA@&6)-wyNNc>=!lrF*gPk-uk}5+nX4XiwL2Zz!2*eu$yY57@Ttp^^;;{ z(N1NeR9YgS7g*Lt3p!gMjIFYMMd1=t_SPevq4oB+f$%^dJPVi(Ly~c484-r{eie}F znL-aly84E6rnCVL!M_T)U?Y zrlzRM7TG))cguL_Ch}Zi;!uiTTqQ)AN*P-L@p=(1CzRJxg|CdX>qAp0+`Z}{Gq6&* z2R)YLKtfHNs73}^E=xEq4p<+da9BG#!8>3M+jSB{LUo( zn8$)(HK1*nx|fDT@$BF#H=p>Sa{Cw19lyTtD{aEZ3p@uE&*4Ci%5KxOt&UPP3D|xC z=xZc_b*nJfs$LfUl}YIehz)|5WF3F(S4f-%cB3poXq2p9q;j+1r1w9|D$+%rD73H=kYu?m}nNO7Ml=uOL0q#!Rb5f{R)&`zcQE7r`B?7mFK57 zNp`#+8RuZ`deJV2RY+Phfq`FC3$<3+{)a65HzaWuVe)xzABhF+O53$F?W`u1*Q!0F zMQTfF4xld7F0mwb42%ExM$weuR<9JT$k_a#V?9HvXJYsi%f-&F 
z?00MNFtj6?EqG^=p7t)@Pc6?Z7h{hku5pWL>)$+ldbjmn+)K?`;Z-_ER!OM^^@>C% z5(31n?Q~tUWflRorQ*J7=7`-wy%!}1g8PaLQ?kQQVaX2pKpjpo$e4a#p*SELE+)VeJ~=-BP8%ss4qO!?sf+CKP)E zh`#a*z0&3_<8AotwQ;V*5+@oG;?r`PM*G7{>`BsRnA=_2){vrTbbEDhRF)yosbU|~^NP+?ff)jAA{haX zrsK+B!6n#y8+J>Q$DqM>yPs1u69O)MH-lcrw+j7nHsPHBz4c(GIlChekRcB0AU}nR z{88@aK@hrq@`%OQe|gF#P+$YfK~Oyd7-rlQ72w{xDbeo}M>yc%$EiMFciuP3hnjB+ z@LR`mZS$HyBAnlOv=_FqNIRiAt~m3hRA?(;gxgMsh@p-jUzHpn=*4B$xDzINTY*1I z9~9d6Tb%=DAMEC2Ed&aa@p-7>DbyN6G|~IS&=!6?9Xrs6{t7j^v90^vC|=D)fzPdS z++5zTL6t(lk!o`24KZ`{k>vvDnL?Z$hpjdo+?j4pOCJDY0R`I1KgC1EN|AORAcr9V zwT)m4qci2`42pCEk0sn?K+NqAs(-DS<1|JFD2xFAmUS|0!>AVPd+0Y6S?KtbBs@+6f!(UK;vs<%WR~*ng zqaqBQWR_J~Ix#bpm{P)FSWc^;iDjx{v!ZPI)(OlsZZLd2)ry-as1ZVm{#-&v$9QzR zCN-XAJ@laF*03H$#`tVUI}#fSuR;n_tUDMIP7Ou?V+~hb%-h#2=<91vd((;O?vAGO z(Q*#pdaX9aDT`Tqn1T$D&5Z9AerUAAzI}}m;+b{oQQrPR#SZcPDGz3CgmJ2+fD+@a zP+c~)MXmd(4bn8kk0^2{J{VNh3Y0?VMZ=pUzPAXJ=%etl+odaO!+w}@=YiQM_XXQp z+IvgXP`wbl>BU^J<{r+0XPRxlqcQ z*0H5*N&w{4t$*z0U24la0?M)YMA5>pApQ}%0!syZCMi;+xP70&@{|Z3bbSLGNUM(N z;^PvRIB zq0gMH0y_JYc*N8}S|G-Tqg{tjW8&Tlu`_Sz;1ZxYTh(M2o1PqgR4}3^D`nh;XoV|j#q>Ma=Bdq~M4pDUu;rYzHoJiq+pOipvAZSU=Q|-j zpUz;Ly4_f;8gX8rdPFHyOs9t^K{--irT$6P;sdimHBlygr-0GTa-Xeiv8wKgtVu^w ziGUX}CvS;p*8~=9uNTTZ90!*hIsr7U8)QWFfLvu2P+yoA&?? 
zj3KNg+KG_`=?!+?NqmYj@r7n*h`9XuOcM?qD7VOquAd5mZG=^I5Z!60`R(Q0#gj z5Q?3?rqVFrvAsX`Uft#-K&vT5c%T4g^mLKOfhTc2IN$e1u9%?L}Q>(5{3f@Z6hgo)J!#o?P|-hd}Yl%!ZdV6i0|yYjNv+s)dKTW%JruANwhhR_xf< za@IYel>iJVxWzQsdmd-+#$mwDP~7H`qAju~R*@+5RQn-AcZ@=M5M$@z!-~RbKZekl zaq(*2K^3!(%mX^E7L?oVYY7S*x&57h@2;oVoYG=1Gxw&p3gEl$3gy4Pw=cv1h`40tX-!Ga{iV8C=s~6)369U>Gs}sAZGKpk-$E8~Q}KC(PAkxbER*7fi~5pcOdAoN<()a~z+R-ViPY4IL;s`%h(zO=xgXB#xH7j~%{OXh#{Y4;PYJhHq zefYA7PnfS`LkIazWY~zj%1>|fytWp$t;IzWK)o=771w?S)3wOB(g(k+S}g>AHq1c^7u=91PJXZsaBQ*U~#7irNY^Q3Cfa zHxhA#z_|?keKY^(vQLe2{=Q4#(W&(22Q}iNCv4c%)x6O+3=)s!HH9si8?#7duDzCkg5JTh9tT#b*- zYR5-iKO4hrlUb%n3ov-XbNNV1@1SWQyq6R-mJ~lX|tVU}G{VAJYK z!!As8<)9_qhqL6I=7t%xZ|1!+5)AM5T|w3i&9F$&sgE=+*Mf$eMuxtKw#LQb(M*7Rw8XEG&PLfq?;XDu zVn{KKKyi;jZT*pR+a5J((7GFOYa7RK7l7Hh8QeX z0LK~yMfLfiuwvP5f`du{z7#ZRY<%H?{xU4N?-+-{B`=NRu_HRnb6;a9) zN_t{iYYoT8NaMBoS*o~WNed#1OS<(_6X4ci)3X7i7!=9FBUfVtn%#wQyI+f+R&qZy zz?d1G@T`*CXI4=@o4g@XpU4L$NTg;73Dc?TsTvM`Mz8`d+I5yv2Zq!{pFvw2Gg2w6 z=>Y4^z?2}8^XkZsgXJ_Nh>C2Glkk<}F`4=JSJ5R0+NaWj7u%)~bp0Hd5|ITsw0S%E z3}LL?9>V?5SK+sP{f7N%GgOf)NnA7)8dm{20o7(L`@;EBpmglj=B7QM|`Ua)o#S91QVU0?-uH z&E+%1We}r9viWf#rU83aBtJVA#oKX{`s z7=5k*Ts7MkGa~K@w_O;d!Jq5+b< zbrd;mdn}O70+fwYGL(!AS)r{BDH3%{N%~MYUivSg=yrMr2QYo0*TQ5@Kr0CK+@HCNJEotM-eevD-;7K^2e zkgT5h0XljF-_;Hz^9@ofF^PjGWmL23_9Qg_$X&hrqQ`qeB6+~hNAd*)GijzDE4AtQ z-uJ`^?6M*=C;{2Ao-x#hGZLi%3&CmTfxXvZmU@0#l@h=@Y3B&N%X9$q7pkhQ#Yu+F z#Co6OC^X5efd_52uavHpPm35&?j~ zU_fmX`_^2ads97j{d%!&*{O%MrJuZ;S}{rFc~K<75@62+q9lj&C|O$A$i6La0RzvH z17kLdq2Ah$ZSIDy-r>bPPkL<}c6(l8qM=7@C@$z702%6XGMFi9*RNaC%^Z8m?g;*O zo+)8m=ng?CC29hyqtk)lw?p;O`yExL-%K@+!_xj?z#ZTlzWlm>B5EE%$YgJ-dX$MI z|4(^BcXXhlAb%4@w&T>V6NVGjB^+9qZ=$PDyaJL4+TX<~F28%MJe8?dqw_wlrlg()bf+&%EBR=s z6TUQJ#=DOvxE$AW6o1-OPNl>kx+jCZ4zHP8Uu-;0BKNv0ujJc#E*t&D0)=q|^b_s< zG(G4ra2#!$n3TWiFr7Vmx0?< zjI_%r0DEJ9t930#w};#Qb{4Uu;0d#hnDZy8F<5RpLk+psJS<^x`T6j)^Dds_#XSiJ z8cjkx_Y1wPOlEwbFygKgvyTUBeu$7w6Oqg(I9GuI3%St`w%TZp&W|*$W-1^Q_UdVt zbbHy{c4>L&T51wRCGRjGx_bB?>tj7u=SBqOq!RP?=pPb1UmNYu)i@bP@%77487H}i 
zs_yGPZFYFR=nX(N+3UDgxwXk8J6^Y?1a1Xon7!D{{g74Dlpjud+NLDU9KFWpHA|3T z0>3TvBw3F3xM_(;s{B-EPau!2Mzf7Ne59pzsl?tD>W1XcNkAfgyt+^2ErRONo+jcC zGJrZ5f7Y8MSh@rKy0mMCy`?TTOu$J+J49gI-k7VO30j?$rFbO=k>rIFkif38`AMEL zl}a+DIo8ku4QcS$!(w06=GmkNsfWs;+E5x^C$U2YSzHFdWC*j)yitrRVEF*4sihJ#5O_TGKiSgXd{1fZAdVk(65ic+@;uz8A~DlC7Nh{6enPH z3v>(;t$(No8YNPqDmx+~IuF?c?|%DqYPx$rIM7>o@G5G#7{c#gp%Fm2a-BIcSwgx;O&m3Jr&Cp#8hlS_jZ*h3N3{hXKo*pGo?yWS?JV+ zf@y;h7&tJ&7d=L>=rcM$)&owPK+#(rN|~NqjRFFE%y@J+w0HH&bQb++n6C6xwGt3_ zO|<=5{)=8hz~;Ea8srXh!Yy!fA2`fD=)v&_V65vg!vpD82g1lm?^n{GNF~rhp@@C5m!z+E{6DSX`jlw-4JEy?80zSn5a2oy zCaifY_*V$6K_g+9)O)v(L~-(C`CJN=)qBf_t*yz~Mr9A8f7MwqDCTsN6csjt5wo2_(g-{36+c{qjsAEl{bATi&b>O2TV4$0=O|AK8!j5>-1eF0X+WlH z*Gs)%0QQavDzBRou^EI3I!NKvL=w3WTkS2ypIhqwOW!1mYQh9ne$m9`mKpPkVXQlf zDOfB)*=na_To@efh5*bHs?Yrn@pa}>w9DRvPyEBR9&8BbKCko{UtntsK?0)Gg*f(( zMiX1y#ys55J{jJe6O@cg4EjkK)osb6YOEd9U|*@5{puJBYwnPUK;xIm!o?IC$q8&< zxlJcQ*xdc@_r1CEN;)}4s7$dL@8~WaK^UB?ekB>H!1BrS7tT%+ND#W2%I5yPMq$ln zi>>G5SoxBWM`=@cAombXCu)S>^FXdvuVmZkC|uenGV-&#@pWadIjg9|#qEAQNED-H zgxQt~BpC->%uZ-3tH5$uCGhGpt-zdpuGfYD-G??HtcD-A=jfv)5Al9em@v|bdL*Dw z&k4yylnlHH`2_JSEpdozmZDhmSAFj~|D6*E&?t&v|HS1n+DWg4APumD_=z;jFUHEk pu6w_|Sy50zj6S&_eUq+;J5|zp`C+mSsNTOs)nk$0U$ws#{|nhY@0kDq 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp deleted file mode 100644 index be5819dd090ea3d3f300510272f859d7aa2b0c40..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25330 zcmbTcbChLIw=I~?th8<0wr$(2v@31fsyZzq10;-zX$r6 z_T9S$__g!FpGWZ3EhzBey85{If$)622dMM=^;Pu!bmn*9NB6b*L2+gAykpsW*W2Sk z_u#kVw+P63qIkXe!!YS*4WI(>e8x=y=Kb0LL0^*qj?>;_gK9uJ0Oq6gyYvv_p5e&v z$gj~a7BKitu@v{=caJxv9rqsh$e-8K>fQTA@xt(s`_en$iT3^Ujqt+pkqh_>VPCZ` z_pjL(gE53Ugu~vs-X%c5*WnicaQF1`z5@Yh2jl^=zLRz#-#DHWo&|ORQ+{^1fUc!@cs2|4d{LU>*4eJPTYpZuLX#X6Tbx#1K4;qlpr=#EBxuH+4KzS^?C_E7AQggyQ+`z?9%Tt;?3%!A}y z<~_^KO>cU#v?p=$;&imN6$RB{cvP1&UEJN6=PV)i#L&9t5y$H<8GU+VwL)Qv= z1lHK-CI~?~kQl}}#`5kh^nd}L(97B7*qpOTwoU9sLf*&SZOsuY zWD_C_0IJ!Uo`%~v(RTw<%un9xf|tme7N#uQV)Zf)tCu0@%j58=)CO_D*FYzh0sPfXnrrY%N)4@1P%Ik@`=+gBTBMmTC1seDF(I>f{O=mTnR zq;;zbw@~yS=Wmd$ZCoM;&uoYKR00Y!yfa!u5yi)pnldva!x6%5i4s@rC6tGG+zjR5 zM1Lp0@KtWnyYLX%hmf%bQsP9X>l5T*r?$hg+0Wv8scRou#56(S>HOa!6aA6vasUK~ z^06LLy=0k(wr_LLM%oTwsq>w8H}vXFZVvIn-YsnAM+OXjp}}=?u9})X`W!59blf*Q zFk6mWF$>9gk@MBqqzJ7qB36jxa@=VE&&CQnX35 zF;nb6og?bA*Y?JD!cAS{AJDGrP0uNmxFeS23tUmkvPI9au#8q(9lea@Vz<4XaE}na zrvKke|6d~znU)~sw(nd79AN|6z=Hmn_P_W*cTtLKFx|ogu4y!34FD+~ApU<3!Xgw- zgzbeI>;L33+64FidyxMg0pW;@`-qnFpRzo@rVK96K4!ld7->8gZV4)g4KxSg&mtl@ zyqS!*xL?=)_OFHbXH`^4oMV6z&a2>fRM3M({@sxkI1@*gTZ@H_rb=(?f5CRM4}5rn z$JI}D^(1`V>wlrk`0zS4q+Qhn(5i1bbB>gb%P*DZNY1uENx3-xOy= zWn%v`W&|eLmf6W*sr*aLB|xTuHXkms72sv{PiZkfh7+6n5s8l@9<4q7d!qkpgIDMo zQ+fJ<4AC!QtT0`TdACBtOX#3N{aKL0V8-07;GW2}3&ElG0vgx%!XMnQiPM{iv4N&J zO=#!lA5&Qnj3R%WQQ{RN9$&JGFO2|E{pm|8(J>t)-Y#3X4A~S4J^{@Yudh*IzB5XRo1Ty>pN;5~QME zhuUSAPrU^E6qzaGLj0QyR^U8X!0xP%od8u)A}hHx1Y?fbG8RA*Z+n2R+8SvroRz(V@<(fr}R<-83x)r}p>X^uGV5xeC&j3sMaW 
zHe|DnX&@iz)PF&LG^e7XvIYwaS3P>|n^!$bF6nB|0>;f2dgj^{@$*Z_H)XEsBG$>| ziL08LnrfE3qO;*sozJ6L%1Ocj_cMJQ&6$H#cZ?##H}x;z`skbJ9GK7Wf8aNO1x!Z! zM|n8B2G)-*&z7CH3{XUXid@EaZ86sU^GKBU0DS2)Zba>^O&(y;$ot|L z9Rz}5ByhBRT2XKJ4^}vTDLFsP%bLZLEc7ms$}moP|9-MNMEwlcArZ5mxz8Smir{!k zRXk9_wFoV*FZX&Y05Nk1EK{=Y|Imlnz#poH@ulS^F_KR(u_@_I=+y-*3I>_atb;xI z7djmoZMvWT*6OK}XIbKEs=$Sm=I9Pdy^$^~3eqC^UN%e9C7B&;$&KY7{NokKT7Lg7 z6Gj?%Y6;weJ8cxQSID2g%$TC5VGl-L7$M~ayZ`4)Ze9LJiXX2@aiDX^+zuROJjTS0 z*H;?yXyFH6UAdTCbkn3V) zxY7Shcm8FjP?)rq2mOky*t7oIjd{bOumM`#6Kyq0$Y^W};IGfgy z2qRlDT+sIikUd#cXJ^N$vqlH$%18^%8+1P8bp!9O*lyI=?EfJ7WXau#|IjXBrBh$h zQ}}0*ji_7}y&)|97Yt z2Al%cF!Sb|!oH8||EgG%uLVTAry|7l!@ni$Ujp=3(V{=L#-Ai8{jUG>?)CqqG4j%D z;PR@F)n(A|9*voe|4IOT+sF5?QE1ocmG;h>e~B%*We83Ovz*68QZW6NtIOZKI)`&V z{Z1v_zr+2$j@(mZpVC8u|I-Re;o$93HA>74ESyL!7Z35sEr_fE4PC@f8P@GUIFA^d zcl|%so(;F&@bZgdzk#M$*gK$#7)GhYQW{;gr;f@<3T#kOlf(&iWIBk*(s4sh-V?J+ z@SyW`v!Wr&ZzO0kiws zcfvsevR<2UCi+>6GnVCb7hZi^*?|7rz47SW6#Pc??gFNf$mis)O*>LGDjf7BhoyA z1>oBLe=z2ZessqH==&wz%Ng}2LK$UQc&h*h(oM0-@vLPBlX6Ndq&`jblqe3<3o-1YReFZJ%@6jo7zkH)DV zA%y#At1qX|Pm`RDoK>N@^Rbz}fMo*xv&niqc-BK^&H*J`vbD5HAxHH&`NcYq- zgm`zA_~0|RaBI2@y3rE@rd7<~G3mCri#0N4?^D^d%BY{dK9uhPnmGa7u2Y)X&6y@W z)0{M6hQt^l+PotE%sK&y(>o9PdSYb{nN*2B@m40Sk$wv(woZP1Rt8q5UOJguBy%2(F(5K@u7 zI-HA}k*t)%M-yUKs3LAYAhG|@LD0EWv5ZNGRPV2ol*QVikf46WJ_0v zj@aUor?-VHaLmb8?21;h3V2^Ig$nFWz$5;aBSkN^tji5FFixn2BrTDxW|cwc4vbdyt03Ct?|pZkhn2Hb*oJ)#9GYMsI=1m{ zP@ksy--0h_-qPY1Hb>dl02m5TRU5TFk%Lwu+|f#2eG1^thhn z=-5OjwaLCR)Io3s4&S?BdxTO?jZedAtWtAlCN|cD_+?+z6iSnVc7dmz!DORkRf#g> z1wf-zk&b1^!T|ETuOrZ@)CuIgbh(jCtKTh%t~knGg?e(fc#$nuuzb4){|Y&ox;gob zk!mIjFh?mtq$Bsxck?h+1F7w_XRVZ)+wP_v7}AU$VzgvDQ3K1QO_+EXDHu9YUW}r23pXN) z7{!W?McAz~$2MD6NKyi2^LVIC;OUce`H|kfP|!sol7~WF7!j0U@dSFR+Ll{DGvUq% zQ<{KAu0#9$%8QOKHtCPyvRW`}PWeqgODdGZJ~a)T^*zu;dpD6zm#QqOafs8H zwYtwix7<5SatUh$b(Q0l7&7eK%wH(kJQF}_UlD}VbI^UTbL6cpnrOWJK4W|#h8xgc z4|0Zd6|96vO!3(04x>iZp|s}_5hn(9WmGnJ;!%u}!R+}VJ8cJe14G2=ZF4b;Eaio4 
zCoXK#SOs2kd7da1D^nE*=y4i?K;q7zLy1pCwf(;o#I?$p;G2%eD&m2Fi9&s(4BSx^ zZ0oZJxQOUQm`nBPa~K>iDjLiizsF6iui*rwP6U~lqqz}k-2359AJ)n^5tz*V}z;X+VmJ0!18(!JPc-|dBiBamoI&~s>NNB#MS9~kDbJ8)ku&~7(_1l zm_?vP`FjviEZ_7efv;FaD@h0F8KIGP+A!C{-C^2v$a|Au9Zojs&+`gQ35^3gZ?1%w zsi)M@Op+@-uus0>7oF<>1;>Uqd_w>Q_1llIb4P}OXlJaBwNT`0+=-A-^zN*HB3lO- z*itc21$)TPSkTGUp?kEQfE4(~?vaX_uxP>K!EE0LOAN*fb*oNh=I6q2D>HAXv#X7s z8T&`$+>(P~-Fwz0KvJ8h`eWhQH92YhM?nnfbz{j;i)v~)Us)ZC6lDS%ktH^V#$QD9P<>hu$kqOwo}Je zN$q5D{{gi`5gaFBIIgT1SWd`y0e07j;QS&iX|FTz>}^o349cG7l5Xb=u5Ro^k9Y=k z+9S3RjT~AjPk=m;SLqoLkTcQd9+cerJB~WF@Sj5oJ}h^18U8L zpFPYeF)EpE3?AN(uKOM<*|CN{n9me3cVXmI*Q%!p^4Cn$)*{AYwie$Mtbfr&^2nj% z&<|o&gNe#&K@o!F9)n54Z1^2+gp>3GH_qO0{1jPS8s>B3wi%%O12_b3YMsa4X7NQh zzVE2tTD+m*2DPnjA~_byjL}BBjMQh0d3O}LXMl2k_fvllWy{B3_g22e6~TwW4wWWc zzAh@7&a0RZiu$GVvB;DOo3D}ZyK2U&q(_Hg%A^LxW60I|f!$<|IBJq$Ik&+}%6XEF z<`sRKRB2r45ZVDnz5~=gld+*6&*3EX=ZxUqV20OMeHvD<3^-VkAqCg#c(s{> zxfoS6ISxf-k2|Xr%Os$DpT}qWG&^90UQg#MzxPnj!eqF_awUw!feqVPob6nwbtRTLl&ppZm zI42Eb@5yE+1ZSZ;|A{(^h;KJjAw-cWLlgtdQ!JNICbpc&ff6n9Km@8jH0eeN^POhO zS0?st{f7YOAC=OEy=ro~hW3Z&by;UR#M5nxjTjlo=zDyuNBP z!ZzJGkUeX*T6OKTLY>YDvBtl#<{#QSj*caORA}dG1Hxm7uhqR&J>TDIeu?(T0Azs8r*L4J zp^*^DN9X&?LEirG?r3b1cy@8Z*fncfP6pyq`{XLbb~1K}s7&tJ+v7eOfHP8s4S%jz za9{^kd5IZ!zh?0rBGM0bWBq25PT?Dq8pqolzzSV>84ih^C}mf@@J+s17#Cv-~6oaxk9340=3~hxbcnO%4d4^Fb=uho1 z-Q^+<*{WM-M#$su4i;8PCcO-!{f2Aeg=@#}9o3mO7nbFNocQ+d03g@ZYKs_1bhLQK zkK-!9tcXpcqeYF!4KogIF)AKU-gN&Qb<>KeJR#FU$_M8%34JlMQXd=Pdb2W=r7<=( zh+utYPCoi9cV)@Ib@hY`BjU6ds6loZdx2K%Q@QzU?}hO^{ryK!|BaT)0tfG9A%xhb zFD&=L(?fglnj!Q@q5*)m+Cf7-8&~*|^U&Upe7^Y-%?%3joT_sEoy8fqLD)JHQo)uc zTs?!CCkudl{AOj~egF{F#{O`8@EPksngIQyV>hE^6|Xj)|?YzUfh{76nhIt+1d`B)Z` zEMI_>=(UTOKWb2k*JMs^*j-`v%PW@C9^~!<#j_88m*C}jipx+SjFY{X&yFa5qGeM- zi<_)*+Rs=bAs!QhBgq8n!V&S+3Lfl-?=Z9xt@zBbq$YHaPo?>HX)u3;PtLN8WPGpQ z+qw!@QN{R#CaaCRXKKTQHy4l|F?FcXUMq2J!0%bNM$}tzPn%ER<;25a;IGM^y-)N) zd#`p08-Y98=a0470!h{u8Y{lW{XHql6=LNlib_^`k8(Ga-vO%8vop|1Yu!a32-*S8 
zhRIG&jxKzZm=F%rNVFv&HH~ryYXRfBbt0buhSu{g4dA2o*VIOPzb~v+P(l)3aF;OlkC{3pq%1Ht5AbRg z8m%4+OK%EFfO@?bT(yR4fGeQ{^MN7uJ1213A~>meBS0Vd6q%dmp^^_F$Erf56{J8J ze#HjXTPduGXBU%3>X->C0h5Q9pu|fYMO87Vh4mnN5^1WLwu_5i_Yj{k5M?w8K(THM zS&Cs@>R9!6*IIxt5&pO|zSc*geES}tS!zZ;`5b4~G*BD2Rsh0m&{>pu+7J$S#exF=5=*~V7+6`-bNAn|C8YH0 zR&_%6GxFJWY-cZrrVYljUI?NlXBSSuXJ*(W{R8hphQcY!S^ChKsa$B1yNM!aPJW3Z z#Hd$;I=4md+9|&1nyY&>r$0g08DP-8(s&ztbacphWt>b>y_|uJ>Y`!iLSL6zggS(?rN|o#Oq{AcmdJ|b8 z&_X6X!LhiG(DxdZ%Ah62XZh)wmfI_VIu>;_M>Q&}trJ7iM^an(XGtGqSg@w&zJLv%W{5ddAqeEupAB|F zQp|N))fwFsA=SSjtmi^seGxmcb0#5hGf_qL=e6Gsh1?ulN3{=#M=!yEQ%MvRTU%B* zGF@23cXCuQ%JBr#M%*xEADVGjA0F8clSRijY*JH|2g3-zDboAQ%C0gee1Cc_ znTm(W^>^$(t)s1V-w^jdw~}gIYW`3*lqvUU3Bk)3^t_8*6%C6_X?Hxla2jB3AtJz~ zxLk70!Cf-z0P!7_Hd-X7OGHExNpXrm{r*Mn=W5fpju9v92UbQz zlVaaz!8yk>GEslh-OS*TK<}stiPvJuQNQQ8$5Sv;aC!_=ubwEh|2$C;S4>OQ6wE8O z@f@f)PU$3`*0xaR8PU4>6{n4aUZTD|1>JSZVB%~y#ymij*z}m{7~Cte6)X9RDnGtr zkYBh5$`|J3hcyTO;~K(d;*pKNyWLv;)Rw%T0=EfLH2SS&%j`GFQN?bL0kFN@fK}hp zlYj0wS!Gy#*ThIAl# z$pP|Qgh*{OM--%r%~*i#9*wLgcz))Z!dJ);1t9o(^mN!UMsYhBh(epq41|`0V2#9h z$ZWmkeYUGgGaJ7{j$qjxdVV`N4es_{CN|1MntkRs2RA2-nF7gR#cVsaZy;2vDz>}0 zmeh~rVyK}U`~C{~Qf57E>=8ccIlShx4>_Ik(^$<2EwAyN9y86|OTEXAdX0xP&X|-5 zH^u8T=-$ag+0?AnUIL*AW?v>GUr^UYpx!VI!n(#0ETXsP4?(*A zKHZ7i#*~fB?Gt@@s_fD(b9v9f)Ou@Jk^Cv2wUw+Eth^$R8ODhnCs*G&S6StN>h%$p zL6f(G>hLocMJ3O*e7d?GPiDm`I~labBT z)(N4!K~pYtfIBtKy+Lvmir$#@-aHOde@npLZAlQHWfgzfye^}15qGIySGIXylki}I z5d?%iZPES076s=owcqDMf8<#hT^tn{y^*gq;F4NZa;p-rpj?Th(tu4%o}x>#SpaL5iWQS5cG)@lOH*GDCr0wiF-wmBvlj&`hS~h!z zSsykBvfw$`4hpbc7i&J=I#I+k^DAx(S{kF&MiRjEM@XvmmJn% z(6es{Oqxsfo-1?S|07(rkTTqX2g)|7VkyLxXH(m-?sD<9y<8$b9FMGJc*@6)o+f#5 z=qKCvDSkw}WE+#y_CWHX@58gg-AHB50LJR7GugQ2R*LUZKU}%6L58%uaHX1Ti@_Y| zZK^J<1b4B8iswr{5d`E|$!7i(W|(yoO^l%dH4<1f*Ye5Mv8487OujB7&BlH=1k!Ii zw(jEnJK8#o7;V%Qj2oH%&TVTyqPv&qVzodx(G7bXS~2ncGndu1^ROOQQ);bZUJ509l9^%S_G z{QL0##skSdP95KXAnq8{E+1ncbeM9Fsretdk1f8mNWzum0M&ky)4^?BT|9$2uEoFBLly*(fA}hV1g40KDJ09IGKnn 
zka4`X_`R4(g~s}GNaP5>#@AJPANz&hjf+(VCXb8&_c3+%>nn1lJBGHXbQC?bB}I*$ zUC!-aO#ZlqYC$Q23OB#|`;yrHy-u2rZK)HB6VQeLuEiUB!{J z`Rf@sa*quITOHP&D;ksWE$)zhphi<=;%Cyt+353uW^b?VC&$@4RV_PwlPv0K;f}WLNR@(JWVl(^ip~pSOI(B|De`5h@i|&gv12-QVMH zMAS)g_?9N8+SFu}dV}27G%HZTEWDRV39&(fWav{;qiM3Mk#sUy=I%(bMN8zbD&eO1 zw?@rb=fmKeV>i6hxn9&s+N}Fp^^$Y^^h(bzm?JQUwPyS&s%=gdNYr$cZkjJVDQ>x ztzY(=nc>+H_lcSr?MC#}4JIUZZN{sUL64qRn6BkzFMFyO#%wP%i0 z8qdFHNB=8L2|)l2J*XtoT*Nmq&UKkX9y<`gm>?$792P$1A~FyY^oZgV22PgStje0D z^lqb9UYzXpsH|H{8XZme$~bpg3jQ7)zFu`L`B`9Y>LU`(Ih_lfDpN3=>yo?^lnkXL z0YenZ9;0{N;QCm2OFCM>6sMyZ#U`WTr>w1Z z3y1!ZMU=1mcyX;$t&eq(5trQqVMnDaJLsGWGM0yvI+4i{WUXA}hHc6_z3ae2{-hlV zcQpVu2ks(YFv6m<{;f!L*sE8}B2))n?Hq^!^U%taFEnG)1mnt@9?5?D3^5p3 zOr+wldeBl^4(B?{3=N>`Uh7QLOl)0TNZd=L{4%(tFJ6W_BTD`Jl9sq^8rnfQl-K{1e* z9TL6fZr35Jx%aQ1_RFsyd3TL6W#Dk8Ns@C6+!*&%3x(ZdI>E4ek47y0QO#5}WSMjl zj$lTUUQJhw9auA&Do3`TWlQg}h5YbTAU{P3_E>>N6%a zO?}5=1L%5ujkIB@tydL*6d?OSe0EjAINHEw18<0QV=pgflxelK_Kyd zGvFxf$`q~fATN@&BYm84w^kJ6Q)ZHv+YDHI8oCO*20&Lm9m`{VE2_Ifie-6x`um@3 zm8WUh{RHSHd!q3uQk`rEJExH*a&$<34j`>lRz!HF)%)rL0SUV)Ww{;VDuT_1u^?pu z*p^DcA4ThaIP@)pPgRb4r+iz4FM-98CgZwKgq}R~`w(Gn{NA+B=2-ak+4?+F7p8j% zdJ0yGd5H=m)~kj{*5uUGmHxF57vGgayteP*y@0@6O_OJ~cOAWl^=W>6iA%Kk6qG!s zYlb|Wsa(yvn{4ri4O!7!_c3G7)ZLH6!qB#iEVN48*nYTm9Kum zyvA3N@IBzW4Ck^B;O=S-s>%H9xeTfG8RifI<~HtTE_tE5|LM;heao!%#mj|uGHMrA zI!CPx86V#AsUcL3up{TxokEK5+N1b|FLM9EU*k;@NGZ_3D)ThdWQbQo`{2vMX04Yl z^7ck90;^Z6;4S90TW=TbbRJbSieSTJQ(}z`XA`6(*}IKI#36r}R`%pfV8bj8!DpGT zHW2~@HJ^IkvuVf_aPD`}+UQp&QCmA!v~$Lm6=;}QPvkS{9Nu3t)FJj7?Y?ifb-lNz z;w_rg#J_4Tc_0u-K-2n^yntUQ#jztlOiPcH;l*ZV8NdZ^unLkA9Cni8S;%k02f{Cb z>(I_mwMzpBNUe^#4x3tr9E<~jfe$-h^aYyZ4P}Wz|09Bmb@fQ0XA)fm4xF`1-a?gB z!!VGW%XOS#zz%!(_e&d?((Ch1>DuJf8>da-o{|Gg728PF|Brg{1oMq~Ak;}@-y1-= z3%(-BGfEyb_yK~pmD4wqix7jLD?7u`r?O53IFxF_l>z7v+})oLfKbP4i*2FVSB+Rj z9*p8Om7@&HfRYq|oNq-QGn$k*4VJ2Vuu*e4_10ki&{`YeLM!T+SggxrVEH z@pg^1hw~N@%P(|XDYUrg){98KE6XEMDUtlu8bdIRkWH1%cFjVC`Zw}w*s 
zUHM~8;}lEa**W-kElwdimzjU&9<9BZRf|r`YQT=qJ;n27_c@bH=g=(ay!Yyzdjz>E+&ZWbwSnLaQhfIA*6EmX_HG>{6Y9FJ#Oz5kla{zZLytq&%%I#?$aFPu;U1fA zUjA%Hjs3Xc5fXYUr}Lx|90uKqUatGC8g~`14dT3+9*}WyVQi6;eaag`J{(5*_>;KI zX6G254;p-uJPJrEM5BVEq?C~sRNc(%b29s@_4fkiyPVc+E{JEyTqxwQcdA-?czqfMLT(Z_c2*yYlMr; z`y+Ggm$++hovPRgOEx|gSOt;JD8}%00}4h2c5_2`^V8HD51XWx_&UtJFlVTbDtj%# zc@Wno2;*MLu8Zwim5M-nULbSN%_m$`7)z<9<Q8L8)ypf&AhNXkxWx~4d@v=q` zl1%Z^B9(D^+~?{WThDt1m3pBr?91rd>ZG&?sVv|K<}0hsv=2BJ*ekwy zR?K=l^Zm{^aAE|xvzZ#*+Re9MGd zO&YubrqHvMsuRPbaLz7E<{e;REBx|-DE6y%;gBF7#thI)%$m*DlI?Cu4*-q^uqu@w z4bFi9E~VWkEny?aqHC7vGZ_34mxTECqi*AjHICwTBa`p?H#U{_I$IOp+PZ8bKJH5# zT-A`lf&JcCPHXl;cgdO?FPbY=1Yb$mzVzx|?7%z-5}aiV-{6K)vY+Y-ui%1{z z=p4=F{y`j8TN{ItXP#`4s{205GMG+X)^8qE)$AaAqW-i#&&VjVJQ9}+S%FtFun>Ov zI1rAhdc*=N7+;5(IpZD#wJ~?2)~L>fic;^52nOWYaR?nm?yV907BQq5mKh72Y<#qoNv;F8WO0@A1b$T0bm z4ieN4{>UJ)Mv$GdkaF}_u!2i?e3*AC;VneFhr#caZChQKZ;XN0v`TE)lemlgz%KLPWgWIe5+8l%~H1HLlOv3 zb4A=x1r;E1WLkZ67I+)0)l4tWPbn7vDU+u?xfms8s<;CLjvIB|7Us3It{naHP%_7s z(lP*n8@{j@jGb#BMEgZl<3;(vZ8;9bq$s*e$5rm#r zVU2}yWQT8_fNCiq$T-_NzX~ou!d#oM`)e{hula}meQLJVb4UZl(1zMr#Nds4!2-cH zn=4N&EiGkn&0h8|pNCoNNJ*cMn$w-)T@H9x*Jt_iUP`5{nvY%ld&nBohD`QdOIv-} zWA2v-m2kYh1VjtAircFjQ9&lln0O74=&~rv-ZMd0m$-FXe{IGf2^O){)R4pp^ot*Z zQ$NLWwn@_vQDr)wOQ;kL;pajuyzCFgAJoamqaW@J7V99ezO{ejQ8tT5nJH8nY=*w0 zUd$i|#@kKHzR~3FYATuSC_Yb1faU~~u%9ZG$$$XVNfyab9hHPI@CrZ;Cgvl?Wj^t1 zLWWN&j(J1Bwqh#vDYj*zwMg;=W7?NE+8qk_3#qYU-j}gKhRd|358;*J`%;-S$^thXM8r2@;y^_LCLmovHAc zS&|G)-Y)xWt;-x@S=N4di5(dQ;I77ZtyGD zI@fj$_ug5ueA|d`?+(vG6R??r7zZR!rP_Qm zZi-c*T**DbGIvz?ic>Zg>%a6$vYS5r+~6EY4`qBgpWT5O&B5J3nnI79z-B*iRFv?0 zwqqCmrVYiXttru~OY%5zJy0fsm;Uv|#dG(_z;`XQE$lN1yh=6~4Rq!cn)#YC%317O zWx!RCj_QzGk+W{Xj$+p(5p4y-I*jWs0cZV1u_X^<$uX9SzIQG?>0il>#qTk9*?r7a zt8!fY*jO!J)y&w$AN;=Q(L*#J53%y`ouaqdnp`2(z+i3jG^w^r)@w?liF!gmP%wOW zU1WRlBNwq1jtd40&+W6ERB`1S0k89_I)I)&-H~ZHP32caJ()Zk7>W%&k#}Fg&y|a4m~G``Mp1Hy*K^^evxZL-Yi-$m3AU^(&yQS2vVV8@B^K zPMg=~v^Cg-)QQ25hyS@bKMqb03j=xsC4wO;A^+#zwey}2qbRb|5J44ApQrVjXy>BXPvM~J 
zAR`9hzc`uSeR7K|VrBByr<$xmVnlT%=b>ThE6|NPb!NOn@6Hs_C{8Jhlb=6yT5?=w zvAG6x+6<9hdpN(~vYtql&lIoH*Q^FOwrAm$&K#DJd>IVX7+8ea_JE#;5rf5K7i+wg^L z*XQUKZ*59-f!iGGN--3%OXP$cP|-+br$O`!M1 zi8paC{f$nBG!V~>6p8`T_ex07@YH4p6AqF15fWB*Ub9ltjU7$lMM`1kmtJb)%9O0K z=vArP9iH434|0^at(Y-w-;aP3+MwT#%Vg}%izDo{J~1tgY?Ti(2Q5&QC`;>9zOS#| zq==LJ$^N(%r^6`P(Znw8nmAN(L`yMRTD-qOV3uTl9=jJCECW;)!w!1q8Uy89!Z7k) zMs$NyeK7u{#>otU-~9I4tVqODJOwpM=+w~u%rIFsn;0BkkvWLYHN+>yj)vd#Kc0b6 zaQ^en<|;-`bt8S-mZXX|aG7LY%glqwysjJR+x*>lppC=ikc! zoHK!^uc48rfH{#w^dMH~iLJd5yM=Ioxf%PG4;QlA_Y>E5Qd=}t6yKhq_2ZuDv_79#b%4iV`idY{#vo75{LDC;ICXB(ytNiGw5 zuNyVQA5lHla5^RIHviA9KM;tURIe>QL6}UFy$r&2!HpLI7B%|n7o;h0v-F*{aGoqD z|J97V-91aYW&j;j)X)7nul_sIl+!;QqjP+Bn>Mm+TdSN`0&75{`-hlMi9@S-H70Pk zKtRcOmJ{#42;@=cOoJgh7lajfZL#jOi4gIaD^}5L62Weyw%U+#57v&NcK`kw!86_% zHCjQ|X*wHu4TJ)2;PT7~9NXN4`xJT+L`pv{c>tRh53N{p4XdKb`}fq{BRA8JXMm&v zell=*2cl~d7-zVo2na@gm)HtuOy8J1egFcV29jj1Klxt3_96vs$j$N;L7okW=-n}I zJ{<~}-K!&#=XanVINa_AI{PnW!zXG4)S9rpvTJFKz<>n;aLu#(kC#nJo_GE`#Vd&l zvNUK^$5>X@trKhY)fwOCD_=qI;e0IS^5?cfZ34K^z|*^qF);$(IA2snkkbi7jWewM z>6TKjxulmSKfb)jwUpBjAy6pL2EfJty7KL1U1}@O=?ab})v7_xNsliT+M;*#g z1qz;*$e1*qF~I*i1;TkV^4w`o@VIw}d)w=VcY>8q5!KGI16Q zCKB-axv8A87kA|Q;uL+;v`dT#v1}A0tqB(;Q_Y5>lrE9{LQTp6e8@zAl2 z-!9@`%i!!JtRuk+xsQPQGs+77_4Rn<((31Af~=Y542w;Z>D7Zl+_)ejbLdIkfy%g7 zcFr*&-T(jz3mA;2w>?ZeqqIqh9<3suFTzT;5drPSkf4Y202d?VC}2>bR%OIx0LPR_ zJzX`s_i(war|zSVBK8+~4sRak*Y3bK-FC5bcX2<{ON-=>65ir|AzF!}Y%-+GTLY>P z7uD}987K==*l$Q}K)h)8$~I|Q?-g$_>i}9{5>60KEy?Woq@}~1u_xa>Uz7KKPT-y4YD!opz5#YlrX%+nmE=vP0`x;3Khj zupfT*xP$IuwTt2Ij}pF@M=9E#tUSG)w0owssE^O0@jH^?1reQ@?p~T&f3@G?PHze_ z81iB16AON(r7rvmS9wu>s5iY?1c#O%zsT6_yM$c~h2 zK;Y;Zak3F^?aCCoV3d%wJsxL@qkm2UT*o-eOTGyZHoi68UsTF(3B$lRrD<}w1p5MZ z8BGOV!m1$>s=U~>8|c=Y$FYMHAAqqA>qmn2x6;iOCY4x`x8TA%9o7V&gu{#OX@D^D2s4}Pw4{u!2*)Poy{)fh}B zeJdjw)GtDF^5J*z+4nRFCa8>62d$(%6MxnqVb7e|gW7Y0yP)jgU(gk(W+x-8U!DI! 
zH&&yTVjaJTs|HFi{aK>thVW~wS(?Uk2|l#F9mx+AlZoI0@FH`e{qt@tHd`7jeP^~N z=^4pqU`Nc;rsipXOM3YPv3QK~>QGs57T8BpPJea5f*b*C?Mii=09Kok_ zrQFK1Si%9%+KE1SCXMVNFKar*s^X-yvh|IKt!Fi;d$CJP1MRV*MRD8;0bGL&XEZ4d z^L}NF?*jS?=KInhgaJ1o_nM|{Du{W$hE>sWRJ5xB;*1DY@~9jLG@88Z41!?KgK*RG z3@=FZch=`5OKAka!Gj zUI*v$a;5BeL1t8&*IwCtPp8!L63^~;R9zy%tXG_E%J?Di$tGz5M9qA#XkP zbtz_Gjo^~2;e(Da`|~PF)J!_TPQ$Jb(c)B4a6Ov)En9r$lsuwKd{&$>821@PKf-Gz z{}n(05wk`*D27giHKFZc!X5bxPhBaKlM`%-GYG zocQgI>&(R{a(KygqpQ7(#PiXUBSoNbNw}a&*+i&zvhgK&c>8~t2If@P{dmxBt9UJ? z2IoNZ0B;cfi|6z?2N>MVYgfzBhdCNN;^lsm(A>R1pa2g5K~6Krudjwec?Q^^Z&j&v zK_6idd+1QSZzweQk&*K%n$mTs;-jgVs*fe)g!?7Ha7xcv4rlz7<=k&eKgL@j&wss{ zE1%h&0E2fg*aE;+FFvgrH%nyjLdaHMBrjkD(E|QYw(0H zCzl(hVyj)(mDbAk4n#w%w@cEsweXCE>S0^ln$Y2yA-nB_A|Wk)(n=L|O>CAZ~2o0f627i6-XqjJH8^GV%m( zuMS)i)dtLJs_lc{Bg*=Cc?X$~4o|+@-q7yHB&j#lAy#cYWTuP6ILWYZ-MxTo+m4y^ z@{81BHS)MVOi*Ua=jO+%P@_kQ+r+JuJzf(W&t#J>L*hHFJHVp7Q(5nv`<@HI?w|j6 zWEy@V4~otdP%1j;=;{@|b7=?iYtQkOdUwNGTnjn}LwDv(@d6WBjt$Bt4mBfQKQL1! z^sv+tbl#}J@#2fB^^wxRaY~%0l#%LsiXDUpMmiDDGh%-N2#-*mKP2ky7J?;ZMaThTx>x@ z%Dh#ytHjVwD9S}20^n##Ge2AwVBooN-k0p?Nx{>+Y8j`t=nyY8EKc?38Uj*!^Xq~V zwI0KFji+0E1%Qjo93f7G_p*@~{;VKyaE?cnh?M($N#1(|B1_gA2%S-cgjnBrNw^AcYmtADd0>-@H0QPWsvY+3<3TsU(J66_$D}8XSJ5Fa1j-1NbdNQ z$gRqOJ783hZT`9Swjb4`l*$CG?rfmiRo6lGhqDy&3uLPt$*iqUrfVSZEBS%N$RhF*{5;Q6s?zsp9CRVGLZfui09t~5pM=-D z+D{j&1OQX}`Mfz-sQ>^1F{w7|AObW8&_E1e02E{Z03pYT=7C1==>+bx^)Ko2jpJfw zZR~pDI&6*U2268QkM(y++5;P1gY;{4!TlHe4@Tq=FHr&gE5#5b8ea1uL7 z=RR_qS#jVy(O2##nA-UCZi!z(fgHVpfKNmHk!1;1LnCZl%MVrPi3k5`j*4DFJSnhw zMmgmj2m004-P#M(hm85i)wf6SoTuXuQe>rwX^1qi;A6YDJP^R$1N6K)gpSc1x+D;I zoK}(5r5UjL$H5Ym-U4gEg0@BDb4*`pgv4y572uYP+u$J*3%(+D0tszlE?%V9z08y| zcX{pyz5QwS+|d6Bc-lXo1kb-N@PBCDbg|AM;%zEkp!7jSq@-Y9Fu|su0$$wIn z(~s+lI35yL?eb4Pq$dUKw|7uO=s z3X}fbC)R>rdczG=L{3%w?wf)VE{V1M*d$rFHAsZohKwAN&AMbhWL1t*J}?dY@4;sM zkHi$i=DE{XjGPX#NRQ*64>zqmqDvrdUAfXWWd3K8__Zq#e1TgkqS_zCUwQYH?d`l; zXX65746fxT)lQno5XdPj^-qx?u5!{tdtfNVUt?1O99@Ki>6?Z%6g_@~AP}JoTTFg= 
zddj@OY(%kJ=9{RmZhP=KUKJ}RgG1=p716janCE8xS%fJ4Birm7p-fUR@@0=Y)r=gs zvpt%E_(-;nx65PPVj7Qd<>C^awFUT9Xn7w0Vf`D`7P8Z=J%fZ+3I^pT7%8HGv|I|LGAn-DNN4rg<7Q3IH-ovzutOC=1{WUItOQe;fPsgEBZW|n;;fcs!HacE`Hd*$a`F|;H}HA17j;;aqD_ow{NX=I)t6lU|xTAz$Lm;__oWdrslI0 ze;q@My{@Amrc+qQ^<`?qOSm)}$}$Dh+k#@Yq|ZKF6*w_!*`RhoPT+?G8RW0VvfNG) zCJ+c4{o%LB|JOUXuD5B3E55bLMmvoVGPm z=hVD~o55Xf1dgGK86SozdNIrX9m10@&qJZ>WGFiWl_?UzxfRXk`Ls6scZLe=CB~{W zIAg}hw5yJrQe@-EPy5G53KdbccY_UzzSC=ZSplLUv)CY5rNl|eRSvp@3wkb50ZC>%Rquq#) z%A`t%*3W4Ja982HncW}0>G#b_@MI%S+ot(pQ(3rH!So+B6Bp{t9q_6EGnow_W!fUhDmiYmiEQDZJNii;<;BrB_Q!X*O%bkR`vc)gb(ZyfOpW^Zz8PUUdAV&0%!Vb zBy8M3Sb&w_nOjA=*@_0k=y6mOqpUz8iQCYgJClS~*rE`viIwA+kxM8s zlc1G}tkFr3XH(DC$ytHRXGIeaxQ|cTiLryp2-)!h45I)zla^c0tfnFrL`4=wwLBZy z1oQQsrYZtJD_EtYb|}1miAtfn2|*7-o4|b54bER~yi)HDjl3M$;HkR2RhffgI*KzU zQ!tiLbMLTo{e7gy(#n(5D!D;6A}5tdAM%LC130B0DaZ-rDl-kZa>A&&OIQGX9R`|I zQRShbJxSo2123&Wv+kkHoT$(Q_csDE7q_;e@2K|AE1kBs6X(x&mN(Gs482RSr6!58 z7_~&Z0iamx?-@+bT83k^SF$l&Be%&^k$|mCfE7@dVB9ixkc9+~*b4)qt8xvIOjW0V z+9%@nCdd4;6lbqujHF83YZo)zDpWCP4+eihMhW@vVAr5{^SBj20;+0^6lpvTuW#=!v($q(oq+-hq$}43EFAyOEIN{ned7 zTxir~@E7B5p)7RJhZSIX60dx4DdR>%+0fN;?A@=&AsrM%$Jb#;(JQPnnO?#&>I#YPfQ#^HB|QVKY`FH7d()}U1#l_#3(7)_<03|eq_z8L#fXr zh58qX!xL!q4?P}4O)u4tH<{J}d=MEoG`tW)2c;h+B1q-Ger$6t9C|JSh3!t?Q=gr3 z^(f`BSW!t>Q#&IZo5cvcn7nFQ7{h>{e5I*H-^zKI5|rdaa;cRWdg|)Ky|ZIAw63{B z6yr}qQKzqVcfI9{A&$;yX4ro#;KLYmyE}x#!_LDo>b4-C%8QocFRW3A^$Vf@!RV^2 zUW;|8_oR~S6QIHp4l^vO2k(GKtv#OGUy(g6D`$c-OCcas7+32CJ|V17ateIU6MJ_j zgy-Rq{vgP=55@`C&(q(L3Th@U_hnI@Z%%pPCdM=k2j11wN`Oi=2A;&0I|9)OR?4zx z#+J$zh52sZ7y+F*`MFQ!@*GUhQNO$g8&N|5X~yg++$dL!9S)OyYqoduHHy9nqu>nO z7W2f>~i>nzAGwPZk4;T!t~|Pkfbv)S7${kP6E5Np9*B0q&dagP?yLFvcFqz^Y;Uq6X@0)O{z9zEv`h*Hr!ee2OkK{%AosiRKSR8X z?69>cM??L^hb9ZjxVv27X$R+TZF{02tyr2c2l~^MG)DXO!j-=ZcEMJV=zO5Y>6n55 z&g%%Vv01gYP3c%8LktxYwhE~N^f$7OZf7Hg3WacQWlE>H>jK1$?6OXTEd0SEM+v7y zwcqSpCf?-=sNTuojUKuo*hW+UW|wYk?QpQM$vnEZAOPdWoVNtq!zt5X`Z2Dp?yJWi 
zT+9ea9n66tT<@ZjJ(f!282pPEs`CFoKnT1hW}p{XsiTRycG&QEmZLC5WX#qmtOF2oWnV>?qG}F{-hgpo>36bU;4ixs>1CSs0 zEo18hlUsHZ|B5>hIxuhBCk~qe;un!7upkH}7z9O93`_QAc9}ZTBXHrCpQV+WtjaA7 zWg2u)(@7Z;xS%;BROA{o5^s+rrDK`fRQJ3DCI6LhpE1r`WwlnZ*}rEdNlE2Sao2in zo=iZW{rsdxW(yV zi*iboGh#$LOAEkPW1 zDa~Z&PNc?$*65IGYp|ldUi~9@-3cgDPoZZxZ6?dLUSI3KXww@d6=XN5g$)Za1)g!) z2Zt_);-#HJuJh-<&uem`S@Z|vFDr2#?uOfGPXjE4cJ7ki+R>K1GGy|7Gf=kid4Oyo zY+p(MF^sn5+*x`LLotv)$86a>Er!>XW#j_z4Y;QUOpw>Fz2G#eh?if&$ImC?*!QW~ z8G`@2k`5-SuBucWBX1Temn4oiC4z;;ddN!`J!(ZR+j_2>+Y zjsOkykbb-^Tyfe?B-hAP@ShPDSye*&6ueU{exfMLTqS;Hq zb7f>oW*FKl5zDkU;WK~ysi`k-A_5d4hWOxi$BQV{$~JLTCI7Ikw)yQmx^AzA-qqgD zZ&!3d8t#StWVxARw}wHlzZTx7wIDxE*iI&9JvF-w9J#Ue0@m%a*w}lVqKWfOTwB<6 z4Ugv6e%i8wS;(uYC9e~?7RNoG9=mreIzED#N0&1+kkkViUt-?MVo(*>`!Y9n-|b*G z;vr;?nf8KRZJLzDdRwen$Ini)0zf>Se~{_FX4+I&R)?QH?ZngDMvceg82faR?U?l% zTV%C|-d(j#uErw*XoP@bEljX1(o_iJmlqR^0I zVMgtW)?siK3~#OR4d3TqHDP%BM<%@u^lU=tQ-uLJ)6F%n5v{1XGm=qO0r+YavmAP* z%<~ONSYY|paA8OJm3WNvjPXvIM(Rr`2r%(S8e97>?|Uv_-zf?KtQQ6?M4!3^;^@u% zXBcFl0@Gh14N?=h`BR1uq2pf2_FkLRKe^4*I0q%8AUJUX&niK<{<_a}-l-@U@$eq^ zJ6i?)`^^YV!RL9ejO8OeH}eZVe*qIzH(Tc$iags(9ok`6Gma`cP*n)#f(yuZ!{1{fh*2YF`R<(h+0R=?J@*>y<73RLdZwr26iP(J<+v%|}N(-E}fh>*J2m zEjTdFMW#svZk@Gr}jKcR|i?7oc;PIj(7_DJwG*8q5>xolLb<> zO1;K_JwZU8-?*wPPF-3VsX`2}3V%8C<9DdbX*0!@`mlB@SDjW36SC}rcT*Kxw zPUYYe30y4UU{0%`8NdRT(504R(buv8{_r=P!>&;2wq@&IknUW9aw#3cPgy4Pc&D#g z*d8h6%j}zfH3356CI0SRW^&0!cR0y>hktD>8zKv`r8 z4WKcNN1yof!Wva|w)taU0^-AZ$?hqH%or6xJ%fU-HQAW@oRM2HTzoguq;hQo#m9Gy zd-}O4oV*aOn$c;;A|PzW)WgvC=IK4IA78@S`6PH>70VvHLxRh`{F zJ`7ZR3MrmRt8wra)hzcN-E1pH&4|9Vq%$53hL*lz=(1W_$r0>KCknc@vFEB|A1c+o zjvi!5UIMK5s3{y8Sf8RFQtXL0PH(VWT}J~a+j=V>d@JjsKBF!}d$V~ZR_IzK`S?IPYI|5!*qyevZVbfztg;LewWk-AeHk~)f(2j(R@Q54aR z#FBT{2&JhEZP`a19+oIa%)HyJGF!k6-n)WTy!i?T)KTl))<6IN7Ovz=5H?YcR7k;F z2qeX9AOHXW04PeGF+EV3q6fbPqGcDBRz+dx(8w?euc~`CK3fBXo}(#8_;K)&0hDWy z;`#~@2hxZ<(77J^mvQ~<5F~*lC2+N_WAndFG}F22b{}NPzeV8GSLzzS7-=y7-+B5% zY**L0?nP4!uc`GL`CSW4|5vpXE<9u7zrbBsB7`*Db-3}SUgw0naq{O1cV5x 
zqg9uIwg4n89kFY{kI8>7kF7-64EZp<8!ETCQgpPE%jzQJ=aV`8?$K3UZ@l-{K4aW< z&)#S6wdR~_-g^|pfBw`e1p-nP5tLJrV<(XNx<)bw%><_MgG>hHwPH;XCn3tqBaEYD z@P!XEvwr8h1ZQnX#f~B+0px8lxw`}bj6cd}Es8v;;~J}QE605ZFeViXKKg!>` zYaq|)s}Tis+wgMu?0rnUwgDua;{e|W#Lux4T7coQ#hcB$4d8PZzdRf8QObA!hUeo5 z=shQW3jhF?K>=GOkO1D+&oqG5XZI)UJD>|c;xpjGyB^Li}c;$0MPE^1Yr5B ze-ph3S(2UTUI94Yq8@E^_|ySdPDO9F>hY65*FNb#tDg}!r&<9eK8c@qZ&9CYGu`6= z4FKaO=q>0z`mN0Y{yw1ACl1j633&i}z_;e}8z2ube02%`Rr<;F4tR~(?Do~w^0xU5 zc`JUIdh^-k8Rl_$2Rzx_b-w`G0f3k9w^!$YbG}}0$q!#2iqEvqxwosUn3rq-0Pxuj zFn(j%FMh0k@Okzbe+T}Wb_PKGcJvyvdR2(H>vR4!vB;a#S14e>XUeA!unD04%zivN zM}LX=`pVWe--P$dU!Oje0-ipLd%D-V0f2j66h0Hc$JgYkxHyuyXxwQ}3>t~noc#PK z{Y*8QkLsR}a^W$85^XOWA;Z>$-&`D>U{#T5^#*tb)1+t4)e|@H{{OsKv<0+GLdKfz zSNfO~Q}f;5y0DB5xfXE?p&Xt&Yo$f+mGJuoAh~lqkWs;M5#;JFBrb=%!}F#u)>^JY zDMZn zL+~dLCO)ld-Xx#OD51d37XJ9MtEuPJkhmtEKRWIAt1*G)8NIEKrl`~X!GUQ)5H^wF zqimoqlYT=RV{YU{{2W}HWlwfc_U8)E@{Hry&seoHE^U7zHN%v8Sy8MfQ#KE&ho;r$ z7hNNG&Q2lxuPF*IX|ARk$668o`A~Cpk=1rQ$Im2d&mZb>sVjSbfRJz07l$7B*RfC! z4SF8m%M|5xi4Lw?F(fqhu{qif9&B&Igm(VKp7o#Pg|6k&3MH-T41lc6KJ5$F*`0iU z(`t|X7Xxa!xaA-xzGr9*Fu$K9lCB|g2ew{h;ZP)`u8^zDtAz(NMQ;(I7H^A)H@+5L z(1X4Ry`71-SC#h2KOc0ez;He|`9oWwqFP6OrLhe2eSUB`$B+m<&fy<|QEBjaT&iP& zY6k#!aW|X@9V^Ai52vx{z(F0R46_3&B=%V`;cgMwhbbDJ2>D?Rxxt-q=YlBgblYy8 z>cHIZS*lbZFUU=>8K}Oq=#zl4*LU+S(e3|l!$@brefi>+1^6MCTrHvqO=0OXUXg^X zCYzcpbz@1P)3rVF|{C_Xc4D$czm-&lT_n-N9 z%-1>(NPY~aiC9$b&E40=fHzx6J#=1P!1~A1#sDo9tSRlVq*nb}%0o7tQ)!nRqsWtF z6O_(R@!6W=9#v#cO(S!&U@MGPGrd0^{H$u9ZedcflG)MzC25L+xLT8!((=DQG-3@& z{!`hjZLShk^lWQy5~GS+Oi+xNYNbMzWGk2`Nl}C9zj2qZZDq;vmRbDfPTNIn!L1P3 zBEM^BM-4M=o#`QfC-h_)kohkY`oAYT9=~el#)!Fdv|^b_xeai?!GZ}16~Q=rnergkT#o*y0rP+_eJu9|>Z#|x z&{xvvqb8;0PJ%UK60y4*m|0A71dhmbD!7UPCLK4+*IG=*uXWtj4LkmaCnJ*0L9f?q zKeY!{Sdo7YZO=$AR6@{3+14J2IDv#bfkZH_yQO(x8{&rf%^YB2Mo_UW*)&NUK?B0 z=|=G{3j?N(EDcluga?(`V1t-G@QF9`0UxNu@F*-e;Pv`C7q4*|KYA!NXX$+6x7Bz& z`6>H~T^Z&;>Hh*^U`MOIUI^A?`$vOj@%xA+fdE;v-mUNO{0d#!MDJFl+wzj@>f0>} zPyf^2`8|U58xX>wXNf*Y7tZ~`g9DbVkh#XO4WR4sO@RNDH;BL94yy@Tr_?e@An?AS 
zj1&GFM6tyG>&$L&DURFOh;Y&hhzdCoQ35M9kLP9=9OEZ1e8SgTn1vtwIcojS`QyKr z+gD`hX=PB?Qv=iQPHk1IMGhBrW2CsCk^brtDl9j_AW6rj8_TPbVB6&#vc1TE$rS&{ zB5Gx_nvzYqu9`vK2F5QUY^f0W=eanUKtSs*L`^LEXPmL$DMy+`?aan2_b(YcmWK%@ zbdl*n{vAU4YnsKVUo2<3o`)}DkhVi|fl!cs*tWmKp_cGpQKX1t{9aiVwc946PH^nj z@>H;(aW!|af-L;o_E~Ao29%cA@h^L+)bdbDEF%OhXseF$%Ktqkj9rYt&Nn{5w@@c1 z0;wVi3(|Y~fkV=zE4c93{=lQ6sisx(Z!q{@Cs0$GGY5m)R|d<1IC!hO;pS+e8Qe#5OtU!~^S4)h`)c<%9^V&a0WT zC(tcJSo*pI0Dpl-81;`o`|QlJ3h;(S*p_@B@#I zL7DZR1*+~m^if~G?w~$<*@nOWhjbz8Myx{C{R;Tv=l>SKVdByA_abR^QGm^~%}Z${ zTENi5cM}(#yQNNz(yxYo`C_GrJDN2sgrCu!tzetza+#5S5PP*1(<)jRyEz05%vfPC zmgyR%KA@im%TSZdg);Ms76?`iC5C#}{!iYiG0 zl0;egt^q3>-rY|e#nUEm>^qO^f&%|p_x9b2OtrGIhLMcxh=KO6Z^6_@uOq8n*hPGc zG~YD^??jLxU^J9A2jv$jbB5?R$}wyrh7!%K&yR}#1SXim3b2Os0~Zf!P9a|yPS*s8 z%)SIOV$}Sefu=QTh2Uu^rD;byZH2_b()Fi#@k+W`^)U`EqRUu)l{-dgx3rwiy z{!FMAJ2a_lQS_`r!mySy(X48OhS%Mqd@%d__cwUyi7+_UgU2?dz&CBm=5nJ24VZ$u zbIr1S9Ls}U*kqI0U%9UNWn&xgZP6RVMi4{1^ga%-Z9*af&cVl)YeNf0kcPrC%c_1~ zDpVU>%;qmdnb6DesqFf@1f->Gwfi04`wa9q`bYy5YdENilnL+@7F|q!A#eGspAa#E zTnBC6uy>ssgB5~t|FD9IX`&{!Ckzf z)KZZM((dGr&lx&wjk>!5O6Oqa16`wG&k>L>OUQX7@c&iCp5%gwU`!21b$1U-w=iO` zZBWg&*XIiv?XlE<`Y$6!Q2@Z?YWnmF{A7vhVi@qr8nKwC6lH;e-%jF$i$1~lyDev( zUXw+>)!C(S*Ef#0gJ*M32jgkqPE7%kF(qJ=4d0#M256)$3j{{Z#|~Xri0L;kk}!5q zf5Wgx4TJmAL&0o8213|^=D!|f z#!l6)v5CDXRQ+m;fe(kEa$TiJNr(3tNns{Pni0kJeCe2?2IoALk<4vExAn5|G!5oO zRgjCoCK`3Y5OUG%w0{2qJtBR`GJTy&u=U@m<&J(3hM5feV2Wl~^G5%5DfpfRVvSI@ zJbajdXlZu2*_%3z2iD!Z)dM3!OK_PF8(i3TV6%>lAW?bBKi2PW0!Pokxg|th%|+zg zit@iVl(SZwaEpdIjZc#{>1$VWNPqG1gb~LExn!&G{{O5N{ww$kWo%hg(^lown&ivg zyRzC1>VgL8Hd7>hHHZ_?LpAl@hlPW|-=^FO=O*bPFv^kG^{I=kZYBF%#{>x$r7 z42z#21FBWV`nE&NkrSyB-9bI}_s-^=y9b}X^e0u<64N&(7C7A?%2ba{d6J*)eHqO&~!`eLivMIb3w@D&z$UFOcv}oTKWR0oqd1{;joviLP6Jo8P|toA9()iikIM zQT9puLR-Zv6%E1-sAhPEBM607jWspK%_vhccMC6;GWO-n!|_hPk-0JLpUC z{XLmw!(@8Q+`FBnCRoad8iOC01u@GP>&q{>M$JjMl_2^c*%};~qwOZX_xUIfi+IG? 
zXTC$e59NL!`mnhph(NKfkH_YMwFGM!UE6;vv%i3_gFFz@Iw;E(mF5yfv4swAyHGdO z63bJ#KiR>CF3G>c5Mli83<)Rv{acDq?Cyk>o|;R_isW$BR=sP@lOE5h86miAv+U|l z_3Ht^qfFkqe`;r3Y}JW<+`wl4mHrNsfr+e!jII4S2nF>N`H&DDpwso{WsEe%b)AsH zwv*yS?_BH^O)`Am}OwTP1bj=^gqdH+P?uG^Fv_E<*U=juQVWgyU3NBurzCT>d6Bl&?V0kmG&ai$igG!b@qCV&F{9eW!pca z*5{SZ+pQ~G=|KYer{4adXK1*XuAc%a%}HKje{p|uDiEB*anEvNJI)ZymzT4v9hB7;$U4tb=Be@< z{OkTsoV1V}rlH!Qe!p=xhu2-vP`;4B`IaRm{jwW*JxSdA2IIduCOQ>EofcOaTP)36 zMR=9`A)NtFxL-T$Ol8aOPq_rTua7Hhy6*Yq--J|UJdE;wpvO{n@mW4reJ%c31Nr`< zi&EBMmB!-`HpS&Pd&$uvZhr(T+FsVt(ZO5&lh3@A{8n)+&DHoP$Co7iyYE!z&F!Tg zjLiJE6X<}U^!RTk8qeNq@IN`cE&W5F7cU7$<;T|4xHMp-f#WPPE3%UdG@MBOuVaMT z=6?zXMt$>|)J06m&S)T?)(PG~z5AizgJaJ$;itt-MT07+8>B*fgg{Ia=~X!ujL>M9NbDiC{#A2gp%v*D~12SLCyk5^lQwS-i2|( z6&XQ-|7m-;CjQe@{ksYAUmjYl@?+??(PS^pE4j~74H&?^~=C+dT~@JZrb4mqo_NLj69 zD-Qo$PcI1)kN?NA+~@I_3t=g!0{n!etKjMabl;)>o!+MC>cO&l%0F}p{vi5sNMFsT z%xk^$+=%?0!&oI&P^TR)eg~pePxQ~Q zh^U=e!>7F{ONN5g1I_=RM{7i*2LJDi<**+N4)K8wX_J6r9BV=hyu$ zbYLR&+{rblulLG0X=&;WVfKIm+f;v0^K<>X-R6I3M;GVud&G>c%3*O3taub8CA0^sZFpOV2LT3P@ zTO+V{?zLFecQ_kf_K8dxQfs9F0wXK z&8kyF>#hsh4^8FXFsO~1gR9j?JxI;{K$WYnAR`Zi5pdEb$2YM&H{o}ORq5dnNRG#~K=d!n2Mf-v4i?6o9tWRC6bINM9TT~(DA zw!Ie*pF~KTq^fqI%kKf5HT~lUhyYndH{IP`hU&mzZWt*DIi=q_)B)ZtHj25dkn>K( z;V}$4NPd_qY3d|m!`bs)=MTIMLQ8?eb_N)p8*{t|B}MWhZYx_M*b%OS-ZujiqcnrO zjQkk3^;c+=g1_L{BRgHl*b~Z7qIhGCUw0oV54o_t9V!{DimOW0ZQRz`wiQsCKR9p!A>geZ+vS#_cWz=_63JI)k7K zNF;{?0m>7$fvv4wmSAMz@}Jw%r^*cWps3NZc&98)BQ3Lwx69oo`@Dnz{ipFHdzMrT zo0E<5)_Z1le9{TElx#W@6oT8wdFG~YHRmgb5kc9=mAt5L0hZc)Qjr#Xs-y z13S3}>yu+wkB@E>{~p0YGb^g# zsfN9ZyWuF`&HV^cN$(G`^cZHJ9`^kr|F!oDARznio>bmj*2xiZgjk{APiZ4a1*K^0 zk$yR$kB1B7g88i~kWZZ^YB$sm+E8jx{ECrMVtV8?-1C8$yF{97opQ!-nZW%f0@6x9 zCSLVk?ypS4e^8~M#t6)0nr=|1OJT=YA%7;802w{!J-3$c#6|Z&`Q(yh0eneBi`^N*9Udlk|J%qe%}JD5ft{Mj^5` zvfXKR!Nbo|!xGz_1>;^v9v^n1&bP&tD>kXe!UZVOc-t2k@HwSZijycBPsK1#I<f;GiL(BRE|vrpzGod$~Chjr?TS+k-~Jo730p8{rFwpjl}ID8KGeTAKOm9 zL;6WB-JLE{-^fA)VTK-f`Z^WNnU3Q+3X6dJ+6$!UJ=W+1k3xZwvD;n8N4zs>#{=%5 
z#z_qWFRNG+xEl(lE3`)HfXXImGBA1fAz%eE57TW%HPKe~Qa8XEx6@WBE5dhN)kKR8 zRv#`&-dyb7dwZc9=E29myVRjA94cn(S&P9|O;*DdYem5bKZ0PW%!VYXT{ZQTTXXB) z)H`?5(gZJ$<;D|cr1xhKg?aZfRfKufw_@kQS1wUYAI(<k)6TL&s`q+ZFbk9XHSx|yexjh- zyUZh=_10g1Ce-^T%erc-(u7bw^lt02;v{XJrM1k#)CP6#a}k?=2eg|{3T**0@%(YA zO>VGeljOEk9x?zpU6HhmEfX==NqVNYZeGjZKR$I3`!uqnUrQnE#ImP-eu0+?7p_su z6o2>>~q{dG`JGmo>Ipv3@1;jQf93MMpbcAS~`1e05OZKRJBu?$y zr24QmoMm+8E3A@7r>)q5U$0ot$9jYk&B)jutq2(My9Y$X;M?4JQ{|YS@d)+zR4f7o zWVX`_&~-`iIYZ_5pWAUrpEYipQpbC`qE15Sp1-%3)EZFBVNnIG7Qjg#!kq90cIg6q zQQtIY`#;Z9a74iES>1u2t8Z{3_!4Y!8P6xrXH)b z?;~8EScgts%fPKFG@+B65TlU>_`m^h+b5uq~@;e)cVJR z#H|V~nZV)JzkJiankt&@cvl(xsvC0rgj|x_{VB#DPdxx86LsH=`*q&N8SAOanB%1r zVGw~Ca#)hYGd$b^1?ZB?x+^UhArkVT1Y+#*4(QP!4JpV6sG|Uwcj><3{<*@pchp?9 z+H9RetAx#H-{8R-6*RanOFi6W~Mgk>2A@0e?1v9%>=b+m!0y`M() z^BW@+R;D6(MXyr|?Owu$zpUKr+cnyt!X}2|)^p%chC$QE_~ygVavZ5Ql&)L`KoB3p zUKYDNJ#qw00ik~m%Tp@UmC4Sy?w%7jKH5yWP(^HwFyfy0X(=T7AS7JRwxzFSMGlCl z3C;-BfY2t%1!uzRdkuH&^ms+!DxyzW2n!!Q8OATHC|_KNB?AaKC!A~iw2v!1lPD|j zMc-sFp%lx+IFpMgb7D#%X}H=~#jt*QRbzg4p(Uk^y+Ll-N&_Y#aG;+&lx;1i0R%s3 z`EgthAW*Q7e%94z7e8a~T7V>_Bq3n|^9J)Fzc;$!GkMwmhy^w$R`}IuSl54Z9N$iO zkmsI@Mb?n%8_iksGFzT67*}j4Mbeu9Q%C?#OAFChtBQ`f?rgn!;r2QI+8WjAs6hC|`0})!OS39cK*4eWCbMXI zxHKjLFF$EzbrylL6SOUgW0hGPsRk6R;b9LD5Rg-N9&Cu=hV&{|ya;%!F9kbt6~lH7Ueb7{Jnd0_pN6NX|=G+?zVBV zX=P!Ox*$$Ouj%K-i`@*?)0K=XY(L|8%>Ez&*w^b z-F}+SUh=5I1K zzx?5D%lLS%SNQRsgsZX$xN_zXgsd_pRydG2akLbcnhD}YrG!>a@dFR%_*OxJsAU8k zWkzl@0jrNX_6=uERT?)RD|b<~znUWRk_cHglk@sc6P2weeXY$n^)J4bBJE6973t5& z(x<8t_bPKhG}8d$(XWA=&iQ;B3wmc?`h_*47(vryNV7rQujP@q`jUCfyYkC*cQ7wbIJ?#Xbd*+;E^+uC11Wo5*=Em*8kYVo zHSDbv9&V+!b#!&J2#QE&sD~lqe!hKPb0W`2+Y3JqBq?ugiT$2g*%%5Vt^ z|6_PiCZQAt8d6JhAJLW(m#uN`5uOM66Is`F<0FpWd7H~v#ies(^zsMA!iFv>HQc6K zge4vGIDAQLXZ+=Dct6kbmT`d>>me~BWV7<$&*bV!E$nZzee}+96>EY&Q`JN}M~w@Z z<)E_F4uHfZl%;`u!d<9>H=yS!8V!f z7YF1yMe=Tg(Yma~qIc0jY)n_5nrgTBPr*w6i@O{*WTEth;rl6Z1>OmGXwGF!(;lkd z-PgI%z}|Nay){A zI%{&FxTYz_WR$Hp_Xv1lWaNJubg*vKYSMc%}znUC=n}u2K>!E|4++0ZQljhGpuH 
z|3K$fP9(;fLY6J@aM++lq~J|4%j2_S1_ujs^mD!gR1b)VK^qoonI_GG+7r0o&SPt^ zMgK7os%W5A)fnzQyJCKZZu-zwq5gG@x%YruJq88ihA43d*iv9eODHq4!C0JVF>B2y zgb(~tXN2oFmBS}wDz>QHCQ1gJp|IN#9Dx9wCbJl{B%E4aKQUP0oe{He#J$am|C%(P zZrIqf*xAPeW2nK}9R`&?AtKX(gZq=iO@i08$7C=8%Z~959Ru(a8}<MmkCP#R(1ih>f z3^KD>_;gj3t(G3_^4GQb$EYXzrTw0)`4l4!Tn7U8J#x0z@a*6Cr%}Q?TC@a!&rf&z zw0Wc;cUx6~3h8sA37!>UyZae&fbeHjJ!6?TO||>+c+m(NRK9)L;3P9qx<$G!cmXMb z6%X`q4zy|T*$JcI4+F}=tGTow$%)uW9l0h$pZZ{*IF5U=q=m;jp&0^|#y>I18x3xH z#M^^O@$OodGgacGI@@zxsd7D2%LNTo_g!Fo7FiB-jV7a|63NwIfjM9D;RvQ-aIm;A z2-(^F0vX3FHwujG2;EUY(EY5Yz!J}{Yoyw^#znO?hrkruswX}h;_qss6`X?cPfbMH zqrnlNmh6>ypggMcdCheQ#dCxJ1lbF{-2g|!b+JuGpo?NvE|aWTIN!To>IR~n<=Pex z8b<(t#J~Olv#$IcnqH21rc*$HvwVq@$ZS=xtC_z}c;fr_`8=3RJCcbx3PfKGH_(iP z3iz|q-^Tm;3lHY$Mz#jenH@W#ItiVFaSl$`7JnEDcqyM3anSd3O`jcAyx)mx4X&R* zHijc?m-^h`Zww*pT;lf~AfAwARrN&4s&%7|gg$p+_IY#bH=9`TJN;fM|)_= zrteatf>K%MD@mDI6%$6U+$qR6VGflrYf-jI9p$PYmhJ0SB3UF`92)Q-FOdvHLP3KE zC~JqeL5fGj&sXjuA7r%}Uv_<_2rdlPgX7^tFfHa4cthrkeq3+Sk^7`XcrKGty-%b? zO2Hch;1c9hmuXeOQbNSSWlLoUBgK-N`}ru%zVz+B*$fw#C_tLq=85oa0nPks3+C;L z62`_=Fqe{$UmX>7s$8z)kBfC$Wtc4Xs1{g?*J!hGIa(s`;8O0ftotTd7weXv$Jo-h zynZMl!5QKuM3{Ku;eC*gY|L<|3x&g~S(1{wSd}%C3Xg=hnygLC<9AJb(I%Gk7A6lB z{>CrIH>W?`D^mdFaVHpuOyG0H`oQo`grle1Gw`Z4B?klq-?J}QTPt|gUB5jET6^Z; znNfEe<$2A$%?XU%IyBn+=_gHZ@%2X%YKl)Eh|_|pY6@Jv6j}`B%6^ksNuQbf@#GQJ zVW&>&2stZPF6U@1<2AT7oZCCxS4mezxgL6_$fHgaJ_e%7Xf&h1SQeNZ>|Xdhtg!ZI zTBVo7V2@PXXbg-qjh`n$Pjc0fR&x)MrFpa)|KkUtIv!=!1{SDGn_Hc zV?^|m76?e~5Rq0$efP1bFDZL*rug?L{q{(2Ii1*@o`E~IqzX@xgo zJTGFwY~RY%;a(t`{RKbRnTioxC^%>v7f@0X&x;kRmlZbDYiBN0e?MWye2q=Nni;fc>LUC`+N1g>KyNPMiLf_%cO`aP9-hTpyZGh8awN|c6~c)|PksOVX#x3t%5 zIGIqGrX5~9m$7|c_^mV>O~+^!@nb~LAckWa6lKvsYDm3~==BnSj%tg6`X0XA!whkM zSVD{XyjwxXxcrX8YR^jBLOHk|_|QMzp_*U8~K84)# zdK?y@>LO{fg4>x)Y>WMWn%;!#DpC+F?MCs=<1J7N0$Ez&mO;oQ8mnr+5cXUMtx=2c zYN=(fbES$|7tKi%5X3SP7FM-4+K_4(8qEy8hSZKJ{L(w?tWk^s3D*zr4 z+NsvNl|aE%#(xnLNVnVT|7+%~xXn<;JvkjRWm*B+wZrF0+iW>Z-Dr1O*402ls2V3I 
z*7q?3ZX@*1(R)1mZ9qVHLKBfM(}S;g@nJM~%mR`jhp-^=#ssZrDEV2BHjz;~4)2=B z)Q_moFlD?&0TA%;{f==>e(NuH;!eZIbP8cfIvXmTVu0!HnF?!;Y+^ouLC@>p3x@_F zT7yt`gs=VU`wslM^ac)*FB4!~IjPiir=T&=jla{A)Td(_`5__D)mjiA3>;OZq*!;Y zj4O2e^kMEWqy{>IYGf~yA@qSZ!@TFG(s)`Z(<1t6-Sc!|W(|N?tHFl9&0#EP~e}a+`ILxF@r4(Z~t2jvVG}J4hw?E?)P!DZ_bW zWWHkmG&p>rH6_fCk(R`_jdFHVMeO9a>%@|0Ku(>IF z)bTaOpTt5T($A85DUu*%^P5vVE{!G*n{^kKK@*0SXr@)ALWmK>mE(^r*G_e(d9qdOPIaq=OAsG4r>!G+Inw4w;CS ztqKKO!nD<9a)B1{R=#?5%MN;a{O^t2&1aEEVAZb+^3%90=biIry(u9v`G2@;(SqV# z@oVYxV+0{Y=xQzD_)|silG}2`)5_TPv-kQ%*J&iJ9x)f)cOzIR;PXe_=?K`s$S29H zTewJ%9qcyR7g*U4aP!CkJ2OBZyt$%r7sHsE(OYJjNoH2Ds}|EAs{X;9F-5J!*JYu< zkK))=+L0NnY(S+Iy=g54D2+0$=HLTIS5!Xc>VzqhI&^710sc%@ojuD4dL-b`!#Hau z_kQDCZuVysJcG8WC4hY+ptym!F>&s6sT5G4!(tz%E1D1-#R?U@F&Dnby>+(6B{?iH zL4WaZ3-h*fJ!?;770QY{j{c2q^(|yv%1=q|<+~Ec`%nDq*$dv$T6E7qo&x6AFfuWz zToTpN)-WL9PkM9$dE*pOzX1ugf-z=e#x7g}Xgmp#M$}$*_u3`{7BM_9T;^Y6&2J974Cx(M=*( z?!kcEytT*orYF7J;ovdn08FzsKky7slTfEvk{kr=(dsW@x7;ArXKcEEM!$~jOYd^S zVnFH@nMh>)c7Mp|rc_oG3c3yEW!6HY=x&=LRBQ9SyJVg@f0SbRMSIN!J88t@;DqNJrYcy^c!2-{2TV>52E$!8Y5Q8qEn|bn)`T zrMdGO7{cV&d|d`Sh^o-XzPRm?mCkpyIG=dn-LBm+-AU)1cz<&czi#2&UCvATvSaU= z&X5RfceGus@NQq_-p5DPkGHO8&3PC6A!;;ABA!fxM!lsY?I0f=-#?v5SaVg!5k zZqB8OAC});NHo2LP;A~`nxjl1e~-NtQF9?Dh4ULE&iizSd+__W%3{^Z-M-cj)>axv zn+^@DWDy9HF8}Ihhh)o93niDTSOKQrZa79>Cl78%*{eZ~nO{6H^B34%XB!|Q!JYXI z^SoAmc(i|n>vxZ%ji(YbTy;{ZkHg&U8;fi}P+{Mf&u-^*iD=0t3eb z0mwdohrj@6`=h{|DQ%TT6B=*4T{&8|L}Sfbd8Bx4t}YmEUkzBT@~g2QsZne|6R@)E zc1EDfbviJ+D3x+vy%U218YqeCdghElrwy1b>7O8RpW+&wLsb>#P9z_?VX7YK8YQr6 zNW^a;IZ!{g1j31@e@yhTpgU#BA&6ghmJ`j4W;ccppgnXBHwptUzf2peKDTp*{~!uy z+bjQ$lwy>>gRY={!w)#x3{})`SB!S%1r@AhC(l-XQ754AbkpAQ0;rnZn z(f5jS=&#JZ)QwZPMdW&tJ6U!%hOFonxNt-EDQuA5qj8d2LCbL)jfnfT29bR?F}y+( z1{Q*G_yI%L5fECiL~thToQa~S2$?g;j5darucAR2fzE!fn}cJA&ti6(=6byhz#<3x z(ZdljvuuqOlqZb9L8E{OZK#l^kh4a^#!X!zKRlXhYB9?QJ|?5m2k}o)=Y2lPT4MXM z-kX((ao_sW3%wt2I|1}u>7B_-MvJO%qJJ1CXg7qgeqAz%I!h9LIF;~e#jNtf6S~s= zhN16nno?DEd#!~#P=Bo-TC$W!FwD&5_G&QQj3Koa#tg@lXO@ZEmQ!opDYptPfl>BN 
zn`dU}wfNblxZUwR#=P|wB^q25$H3)MNB@*6C8tj*Kksw+ya^E=d!NU*@>U$7_(NXiGZj(YFz5O;1)O?}$8RUzFg>TiMsiacKT2_oW~Xy`P?aKTm{+Yg*w$#iCiV#K4~Lj$kx4k5i(`fgi5cqA@-zR zLR5`kts_KNO4C4XBBU>2^+?X+7M^}scc4+0iAZ@zKs^H$h+uE zK#|BHRb@OcCQT#`k6#2>if($*(kj))OFi)^-ei!{(-dU5*cVkfAUPw~4hmA|5gCNt zE#ge2n`998CWY>phCWT1cU(AIXlezxYgL zOL);YUn!iLEtTZ+(UP_-{lM=!vE*{qIJunizpBF(f`&Zr!AkWj#3I}=+qIeWLzQ$`$L*}j$Pk|bin9rDk*U(s?VJJLDFt>{j} zZiH*7FEhNR0)=f#I*4?Vj4_`5FklW@=}4%Y3q5gpBsDH1Qs$)|40c|Xs-&aZW$l-* z&AC}o)`U)>c9OV7RntK(VJW!s_#PA|K8CYG_-F=a8`yeHxBe0L;i|V7=2~qD51EL( zo=~^2;p(+)&gvV}9hRkd!fBV7Uhhg)F=$UA0qNbSe%>KW+GF9t_t2};lRYYND4ExT zEwVzmB4Dq1nn(r+c$nD9)ZG%LQ%h=nY;!IgLdqfg=fiz6F~%IUsO>m_cfGgVWQz86 z@?}vOe@T259%EYk2!z)a{aKcHUBPdneh&70ca%AlhQ37@i=F4FmhXdn;rQ3^>%2eI z*h4&&SeuSR8BBi2roC#1Y4o;xQuh*nYFDNxK}QhJ`}4sTQr=mQlEpaOHmJHTK6*?r z3BvHPxeIgN1j2cP^BXDPp4c-N>M zZU@ZHRwE6NMC}0Xa=UDkoso*9;pQSKadSJ_dH2k0s^X-|T6)5mjy&IRl-7hHlE_z6 zJ@aKS)1z;H3@kO2+v^mn+R(~kiSDCP*Iv*5Y}XnGW9q@SLY2n4ioD73$cdpCz-S?h ztt0ZWib8l24+DcqO}WIQ~$P5c{Q(g;ZLS5k|eutiXz0?6KwS7coxj9i#7>e6+Z7P~p;kDiLKaC73nqHWF8)CxPYr)A(vQ>;>nPzRP#wTF^ z3}bbpeWy~T=F7e~f)NN%gJ=0r=Xu6@sHr<$&il1?r{SD=hEC zHfo<;dO?CiTL?Vyz1O5da}`|F`AgZox2@Hx>n+r0bUPviWRa94Xgws4$1y}YgtIeR{`90!297G4vG~WIO78UGVxY~? 
zqxFUrgpa3Tc3SF#jO>DIPqZH==p(xDaM*h~$)&*pYfhVUW0Y51`W0CEMhruZDA0pN zc^qdA+3wktg#Al4Vp#YLDkGlHVA zi_T8B&YSKOI}*D(B34F^P8PrQ_%zu>QFu|TV$&hAb$L~)6*LAt z_y!g%dLXwV3SQd2>}S{)0L&bPh{E5HxJ{Fx{h=Q{@jBDI)i>{?-g}&WoGg(`)k+SD zwi^|z-S{dSO=d!VGwUu{z@updeUi~eMg;wT07^i$zs?~+RS)C;%`B((+`=kO-s-xt z@Q=(SSZVbm_oKD;7~=7 zlXM8=D_Yfo55Cd2Wg}&mY5~n_g?WNYsW&z;?vn?E0uSe-nuNc&018}v0zq4C7D43; z0TF0ZkiXvt*>{jVGSP{p#d62V9>g-hFe~R5A{as6V87+A^Q8Q0&2Vq%<(+0511K2{ z@k`GvN*%6o1Y~Wpe}DCvfE2uoARE%$Wb0VS+(dFtJ1kDE2Whvzm!!WPLiQcm0H@jQ zrGg`BhX=tcP9?U9({WW?Y-PQ+v!0ZmS_g0A*(St_tw!*3aK7E3nqXUc$GrTs6njs$ zCG6Bc8v8EVte_|QA^k5*FyWwPB+Ue(9-2r6?eG+KT{!k#>ydN@@#wE~sa|SO*6vA` zUjSu$MN*a+dojWhW_9yOs2?V#`n7^fRYq-Q3fB6}ZxOzbb$OumKm`3fiX!qyC%0J| zq|OjkMieJk>R}#OFh>8n^<)sM_tE9i+wz!wxlA`}4Ti#<@jKzmAW2`Fwu=4U>d$`W zO~VP~RQR=OYNK$+^Pdl!LcoitD@Bva!-qBi01U%B^2E6nUed&j%R81YdA?$$W-F6U zU=*36NH0T1|G+P)B=BI=FR_?$+r5&DRn`;BO0;b$$l<2?-19v)J9n2p+oQgSOpBrF zEh40^u|b$&um2#$j^Unfwncnqe))l_s91W1_isP=uRyKZg<-{gsKW0+3oPe5t+ z0{A0&AUoA_k(gEg!<*t?4qlkSgPL+@>EG>^qbq(xfNKU<5i7(923WyFcl1`4;rzC7z9uhqT4X|G!RG!=HQhx?9&d zcVPp)>U}UhUwtXk1 zl+T=<+Z<^ryEKT8M=d*(DaWlVf;!zJdPDZYp<@*#=A?5usDkM~b)dsa$}Q{j5jh$H z-4R7-X2g!N3Sp$x+tSx11)1?8jAT7YEH6=Indz2JhThJl?Ek0Aj4{^(XZ$Qtg$@z1 zLB^cB6&03RIcbhV7h9dEYy98c1)4@6!w0vZ5b^|={tLX?8q$#8Y#_h!VhJlUW?_`p z7B|$zcu0uMV`gME&Xsm&nb008B$SUEoJx000gWbuFi{OL9#L#c&uwDSWqq!#bzBsa(RyQ-lam9r|6E1nslb z!qztcjBlG8H|_pE-doJ=^Bho8qKHqJdEm7TcS2r zUa+)bd`{EW)gpN8N~}uF+xd#K^um{}`cB#2r*)uVxR%NRu}xk`=mk-p0Ij#1Zj8y+ z7@>ELFQ*alLN{sX_}%@0)7Bxzd83*dFZzrmCe^HnGr!RnJ|*%{@p~c*qdAc5L)B_| z{66s$rHH17h3#d)=xC!m6`u)SvvoA?o;VZY$suJnYGJax2#R#3&VPHkA~dZf7~cIJl}$tbd8FG>+w%kPw6m~g}$2Q1o z@oq!(YC=2k76~VXK4q~sbm~--!_Qd?c zd^;cv%SS}<(U8GV-#K8i>HR7GnV3j^KOFyj-u4lMesoUorkZ!BO9ZMn`%DJ)(4GQk&ZC06`N?(H@KV^i8mu2zSo{hwSUD0#^KN=vtzp&@=2IjQ z7{=CL^j8a521`@_)M-P(1iE(bo~d#hnw4*|+o!|q3c++g_@F&EWP_!wuF=dov!<5l z48_dxa_Qb>1S?WIZxG7eG~*0C`!idj=5o3TY5q$Dl3kfKX`jZSyDhs$A{XpDc@LMd 
zLzhCHMJH8iKcSPP6@rZSjARS!xSrsM`Ah=fzD5c94gUfDkh=!cnyGf?eY+G|X*X*;qo4lmg9!Ihw_gB}LodquRav2`OD2;%)qOB*F9tsUeLnhAQ z{xLWpg5m`j{-QwDDE&=>+W5`UryGWl2&_x)O$)MW0kfQk^srnylXUc=&(C32nQ)jU z_x}rasrs@f;_%D^m5ru4<#K+$L2ZLct24=TO_dg{$+nY@RzTknt$(H}d|$40Hr4F= zOiR4p4duum?nONiNC=fheR$s28$+0tp^Y6JgXWlS!a^eq_Xhbcyvf_GSQ2ATNn}uT zYA00A*Bd<>s=N?4k~LA^G#`c4Hh1jU3f#(6u9){11mV|7r5Xa0)J(#umXp{7$+Y27 z5v55Ac=>=vC-z;|Pvf9>gT4yscxC?#{;vnxCq zU!kY=y<(tF8H@|bB;8{eNqt;=ZWUDC-5rJT;TD*1vl`Eq$!X%D2oT-Fj)_Q2*O*nw zX=R{IAqcLR?X`)6Fc8Tg~mJZTdyfQ;oz5pP!^eQm!^WCv}ob(rF9>Vy$+ z`hIm5F(+h)-goiB4T>JWU_xcUX$3htI*hg4Q#1wbxbQ3Wk;S~{Dc zeDZ0bxm_a_%cP-AX(wuMNES*HmVRJb!xtH(f<&SywIbq;o@3B-3hDX&?lZ6LBu!pf zv0#B7562tsRBntTZ48my_pKe8-5Z5XnnckKY%OIEVluZr1^QoREK`$gyOh=ZjqhDX z<}l!yhK49e8mG&`eJ(zw%Wf6igHSf8sqi_cTCN9dMz?2upk_Iwsd6t3VZK zCM!#_X6hR{V`Xc*L|eRT5WjiO`9Iy`HWHI{z{z@=;veo&8xZ`4t3mpnl$`EWmMsuz@6kH+Fs$23c zM^%>9`Y3T@2s7l1^I2XXCh;QG9oq!Eq}L}1V~t9?;FX&5Sd7f4PlhD8je6F%I=2EXn`Thx z=%~mkH8uuD#on|GIY3nq{s0?)?n(Z`hFj&oW zdMiVD==7^$5t!3$D>2*h@N*2E-%q7|$@24ng>>!y=|{x2SLI2juf$K38vEmsVm0|E z6I@~k%&D0&{QlL@gnq8ZZJ<0R#GKcXLL6;?YsJxdSjJsl?>>^OnspO@4z$5j*1XEd z#ULIl(fyoi684r)K){JGpU)$UWPTWpBnoJz5U^tq%Hobpd)R)@#_zZ&EJ6QYuR;A~ z;0cmHRW(@ej zb`Z}2zi?gEmjgJz7>5WpazRCg(30VirP2bIV>4m)(ddq1M#9l9o>Y8cWf7$15W*R3 zMWJDebJxFgV4M+^>VJLY@iF?J@S(D;s~&Vh6VXMTN5R1B#a-l*HGDC_PBK{efunhv zt#I$N1?~1VuM4HEV%!`E>`*G+EM@;ypnsv+E@)yjJ4m7T`%rJoT`vybtWMRH9!wmt z@-N&_EobOJeQ`*hK6EQaK4=lV&!+-3x+i{v{etXPE<26Y0I&1l%t2apcberpm>bNE zbjLODH>M7TS<`P6HfvOo5?W&}4AI^KuDeZpMxWi^x7u@fjNbK}y~aHkawjhLuV>!A?=aO>*b zm1k}^+22yS)$S$T)8&T3!C9K3dR^(cqRB4xrFH2BVxCZ+fQ=R772)}>o;1#hslgY5 z1<}h~opahPiy&Ksf{RGiA&>Wgf-$$s_ZreLB64$5vYD7U0~afzY}Pc)t+SM*cKK?lrdMKqi@(1?4yTvb{>S&zb&-eFcDA| zj0zZ@jC+jt7Jsx#rt4K3W;cw<=nj8W9vW-d@jr&7G&vs)UEH+r!H2W0wRvWbB4%xf zp1vLIxA*rjdj*M-97sD%cKy&`x2DTYF`X@; z!$@)df zH(JvQxX9>Tiq}mFvV$3FLJvY;>$P2_m%$Om6t2vz%d}FHAlQAz+#$TDx#xV%KQd_% zo?+(_pT6VVmGbn(0_BrijWo7ausncMSJwBrL~J*jV0Y~qfHk}QipzsaAEjeH|zjXGPZ!=7aqsu|28^v??xk1w78(3wNAz~O%?-v>P 
zckOM&)Xoz6&K520mA%)9MeONxpIOLf!s29gC(loNC!Z8t<{k)F4icJXf+(S$A*FU8 z4Gkh?spdCJv(d7F*Sr!Eho(w2k<`X^hLjWgeX5dVxJH^gh)S$6oT*BLSAZ@_Dt}-iC)`k+%3-Rw z702&u4dP6LF}>H=Gzex{QRa67ZJU7V6m_s{j_CcR-g~oZC%xPuM)bm`S?m)8sPf6F z_&hRD#w~#`pSgZV(Ew!eVHP_(mQT-*&0yBlio%wxJmm@>(Ijw_D<}cR;tgM-IZ4sv zz|xLN7n8A42eXGG2)^oE@21-w*4Q(IxJ;MX*ktsEy0@(u2|QeY52LKkWU@B`82LtM zRT7xmulEK#Zq5;P4h=!p0z6Hb3-h?@$tL9r^wD%z%*yXD$5%+>0m@NEX_9bIU5J3r zi5Z%oh`LcR*|;EIA7nh}snjZs$!Jo;=DPc&Ff=Bg^sc_9)aSgUSko0vkmS+7CoqG6 zrp7X0k^hU;xl|$Cb1m#5QtHQ>n^pvo3igMCH|-%N%PytpMEoYXN>*gRKrW6IKMxs*AU!iE^L(E+CRB zWYj{zG0xtVEt-rY49h@VGbs9=vQbAd%>)%LU^wAJdZ(z48$~ZceWpeYmcbqb1cKAH zyQ}b|A>O@a!+^mmC6z%eouod&6>Pfd%#k`tco1P>C<};Pl2h8rQ!7U3ct_crThVLyI#+d1r?Q_ba$!L8X_nlicKL0(-16u@MDLB&uc*d zQ7=Q~U_>itz3bnWP8{M<8s}M82~oTPk1L>CHuZ%^t*+&G6HTE$QsyUv@R8I_r4%BxL$Azm!X0?--A zA^XcWBkaW89bXPGPf0_~aPktZf<%Ar*#f<$arE`3t#|rxo(@)KlWL%2H>c&DzIGkC zf=|sJn{)(kVYN^YzQ5);%$HHPXz@JU{A*UATS_-(=GQ=^YUj0otZe9!hY!_E~3#*orwt~n>a1CXeDfwD7I4(TyP$v(#! z9ct6eKgCd!`n`(BYd!9~#IEkx{Wf+eeNa^N)K!Wrb%loR%#a&2{BOE@YS&&jqx+-B z=o!S$Tv&bX;-lo8U_Qk-MLdlXuLXFgCSTtH9*2Pl6V<15RdL?SN5p2Xw=+S% z)=jX@^YZGL;&X~kAqUeCEPe1}hvY|Yc{a9)`}Kc5zZ^_>VX@oD=kIFEJSf##5PH0q zp!bE3X{@d2EVS4B#F&Cuw_fuN-4b%)=O1|}3Fc$@bj9Ouw}zb4=c?ROWa=myB==B( zzFh+NQ5id>3@{uIXdg19gjYh1-ieu)j~Dx zKpZb}oGj7CYsgF(4(|-stiQ|1ZK*BvOjMK=4m)XAk*pY;gyUSG8DgrN8eBLpw;%7- zVE{PJ6dy#2B2J@#w)0LV-d;k17d-w%%=-*b(NZ7s6vBWvyGG<%5PG=qijWFJE6V@? 
z45 z&^}^Fi3CTwqA%S3N*9O(ScKrA5zr!}$G=6C?J)2&sP)-SkdK)Op}Qg;AKcHX&FUXH z)@>NpNcLrvjmLbh^MDPTq&fN14P+Qe=X&i8*b;81WNCgZ_>+JO^*X_x_(-%JRc zt(>YW1R6@wJ#H}~{}@l;k3SycB>Jme)NCz%2p+^u1E@_c^jE^}DSgCK*Rqq6kcxOB zVnw#@d_+}f;Wpz!8;r5upcwF=Y*uj`SY3PwSLR4BWmLURU%$iCMuC(>F6qwFl>bb8 z(36a+Y<^s@YW*&Z1-eLdH_kiC)VbaRq~l(UG|t^K*+0r%-{QqUPdT^LqQ&KTngt>@ z*Syt0nxGVhW)Uk;m!5zlo5OQ@&tj-hJc<}|khq^En8HZCEe(@i3Qz0kJlv5Dz=GLw z9r|t>P{P6bdycJ?xT|5|e%>bZjZU8umlsk>=;!tap7KU4CR*->~&B^5L16nQ@NaNj&X+fm;-7YX&?bN z!ER!iGsKcY;WsatqiUF5R?j!ldjQYzkICOE78#G|1tONN&q-d6T zdyimZB$xOt-Q>QK25EkrfO8l1P2@kvX|Ri&?Oo5z`#mGQCAct0W3~r zv2JG8{*@8>x!6WCsJb8nEy+JD#N`vXKudaa=_`9QDN~;Md&TDV<{oNyzTdCfuL_3Q z;QmPy3LG{ZeUX5VfPvd^`#FG2J~w4~qcJbUe;`5TMne`~KYA-fe6Pg0bKZR%R;<_a zwTx1y6Ofj)1bZZ8u32C@CD?H9N=?{oumpWb<*%s3>9qbQ{4y+ghl^ORV1h54!+&FP zQw0N1PM#(U)b!;vQ*NYA=Q)~jPuvR3Op<)l42P(km3auQN z1tWFXtCpJ>5YVJLAM-gw0xL0QuDMLO4^_w-+_X;jO&HF3S^-L6i<^6pN?d;y05oO+ zmmiMe8yHmw1{rf1_S!NG;OYrAq`^OH=sJ4g@u~o#$4zr}Ag$;t+?Of1jtV>e&{m-i zLsaLx9ZBr~4~F)h(s3mD1I1j=x8yOC1jh152FF($Jq9_|pnVoLkDTUW$CKL6z;=B* zvz}@&AZ^fjWPSaQX}tI0^2M2Z?eXh*$L=jR3}bQ{!J1j@)gZm1y-c+B%rel$Rso4Y z1ACYOOBzj_kE92AOrd4<>i{ppOHlo)VdyIWinqT*ik$Y3pfc!{aISmokS|)rS8&?W zoQ^ri;az`h)}YTgx)j*~1764LVhhBH&gf`!Nd;KzFOa1I3uK4`eyIY`EF3$5dLCYa zRTUTf74spcs&zMZebpt6RI$~ivB1h9qgNizn*pDz3*v!~E;CW{$(2y^_q0>85IW^W zg%6%|#nAhhw9TQuG;u@+!S>pLX&PQ!8fw6izQzjD0C#wPr1c-fpPdoVMctS%me5%j zQIIx1)!K75Cc9Wy^QU<}?bY!sBVl=oY=q7w5xT#WWBg)eaXyAWkQ#^Rm;67X)9PB+ zcq3M0C10)=;7!w z5Xm`ffCGrr{?I#8D$;~mHU^&#l3|YmgXmu$Y$Ly@aeIF|s=);OVJDgfsK@^x+6=o6 z#po71*RfImjR z0E-yKPEFPuTsj#+M+22cLTMM&p&jl2fU~u=2ba_d8(Qm)kLQu!Aq4+=^lWr}}{FeGkp zMiCuJtSnIOsub97h+qSH!wQAWxOHfe`&N3u6XP3?n=ZHSuFqQajq4t^0g8pn*Narv zzTNYPM_v&8;$Q!es@(Qt$+&&6Ka_3Q3!q3La*gaRiQL-ERo-fdje-Ur%WR14+ZX|9RwGR8ssc+S#Ys(tu9 zINJX*!$8+DO$u~x70*R~2#O;o-V|wX@ew8xsS7LadRBxAcO7}oyUlG%2$A%7_1FE#TPz=G z!pTKBXw2LR!o6GOGokg6Q59yY1Wx`v=2qKA%I5G>!YS3y7y#V29_HW-yQm9Bi>Q3+ zp}MRs$L$T)K~14&3~ytKvQwVX$02ez&YhdPP7#oa9E?_yKPe+rR5B_7dy2KDCZ^rzD4;eZD^7~aFKuu=u 
z`7XqG#t*3+Wx5uho_=aaS;DfXOZ}q~XPccT=hU%_Jq_6r6ulpq0Gs5MX1C-imvccm z2zTm2%oc;j=l5YcsmuJS6BCmMD}Epnf;#BY%-(=S9J5wyf{}{b&$=npc=m;)sfr^k zPH8*8JG!em|ybBo`?v$Sd|q=giKXs}V=kbDW-Rt4 z*6F}13;0Jq2*085WNAg*s*!%`jV>J7M(Z+4vRgxmq@ERR*R=?@^@hnz_tkN*?c!C4 zfc4l9|LvHt!5PwaG&=4Bw%wYcKB%i#zP-1_+?ya|-H6T36% zL9sr^FlG}E88T`T|J>A&0OF`3O#hT<@bfJAo8mDYrSuDvMC6`X{G z&&=FnRHjj}RUqV94tX`xGEeV5bVyg?$!1ix*rtPA#KMo1Cai1=Rv`iY%V$#Z6sXHi zJ+w=2+oGi_Fnt{(KhRuzN!+r}K}}kwl}?@6d)Wv0OQJ0E8-k$w48HaSfGVTbkbfFB{JEAEZujUcmuA?9>JRd7<>Oy;zU!nh_5ijtj zxb5p4t!V;2*C63ujYjv_8(aTzrXar1NI9N~J>k#T)+#O<#ua5-Ajg|p!laVN8CW2glR-p>qH*v1T&TOcR_=Y>D z`|0n-<*rFYi>o8OQn)jf^|rE5VSB4C$#Fa?y*|@`08^Y9IsPzE25@15SRFhE2vgs4T&nz5$g(NO@}@*HE@4?KvzycjhLVg)tycdYNx{5o07)O~!flYb`}cg6!C#>&y2# zC}tuM-EWPwnZ5R_ zeFK?VoSt0djRRNzBf^bl7xGAHA1Rygvm_KBm78ZhzML+;(g*iih_IG zv`tE3jgx0%nqC3U@dn|2K5^Yq$FyfT93ax3(=8enH|AJJht7x}&kKl2FnmM2AZX;K zK!JW+7S?5&zomisc+Je1Eu=WI9)wfw^gB zdJ|0{84d0Uk=cIIK!bNfVR@OF+kPO&GHdiR;AOURX!`$e#BHLRimLmK`~MwIb4h<2 zo|#q(j$SodV#1vK`>USB+}cw7ocb9om)Dr@qxG{rJ+|b8v95}J4fT6jafxdn5)&Ay zEo*DK-nZbMzDRBz z_paThbVV0MWS!;1UM0UOE=kI}#t6tkGp?CKV_>@UbKXCcMO{1PdWz;z6-ukTN++E9 zVxI5!O5Zw!KH~?3vU;|2X~U|HL2z8A>6C@7(g~O9{jY}(77RzVlG!ZcRh_wXCo6>@ zG~$UmcvXumueU5&QjWbYnty>HZ(sqsiyNEG$k1n?s<32cW-CY=vp@F)Rku&-mn;SmCjaPjMsM*MlJh2oj&1L3WxKPWqraEN+5mi9UJvG*l>7o z7IokR!T3Vxrd5?mCfY@EDHAq-qWm(`P**C)`)OHf^SrZAa;fCD7n1S_wfqKvVa#IO zGLg@|_>OXZZUzmNIwlG#hILFG(!{B;b^ zQ-mk`i`4krYON?ph;WH+TJ}<}Ei3b+v_(FwW)>R#&*+WzozxuO{tzQ|spikIKXFSd zp+ChiEnRjP330>WpIJT(_-11bGd|VT4M*tqQj#UTh@R&j?5CZ4GwSgP>tR(`NkBD+ z*+&QSc|VVeTR!&t%todxf=6;9$Dk-{b+hY#N>QqNp#KruOti2t<*?R{!>A^T z!M>BK^|Nb&a^=qkzcatxbc*sJyK^|rNz@6kjDHD@$m!{5M3$TyG+& zdS18wqUq*|L|iS$Nd{ZzuYFIfLnjCiuyEn$ah)!HghGB2?ofDzkO-KB{tOR|?Kajv zRxNdQK8SdGLl&g?CC#x{4}!*r3P*|PIMkzMzHAG{Re1cA0P>!2(v}r{bFE|MMUPCH z%AQsK$1q2izm5+x0=q$c`kBDw4nuNgn*qCcMdGDlXyo+40Ru_IsE!pB_1%4Prb1%1 zmuFrXAZf7cfI)xe`3?#HyK^00hJN8|Q7WrmM;Epo#Iu;cr~vpH62R|hzn5iRiR99D 
zjtkyf4Jef{=$}imS*GGUr;8C%7bw3pJ4bU+)h06d`5j$S4<|0`3VKcC_ywo;K;Rw{sq-=avPtHo9hbNJTyk}LPqA$*eE zN}!}*^bp&V4Zq3IvuyseMUArI_%-Sh_UQNsg;n4^u=k1{-+a0{jDQP0m~T{KbF0UP zilKeWf{AecB6!F)gV{5~_FZPhTNK z39lR|BRaJIs|Geju~R1z;1euNyaYq1m}fjE1Qi>~jV*VUUUdlHn781dARSSp6aMtxd3m9egKmdV>Aj@{0x((nE=!;yBz ze$Q~S5|wCFDS;=;SIC2Y#$*mlzi7+`GlNJ$PJTH<#?d4pV>1To5U+o2p7)%Nfr8w$ z0&+rSikMZ2D%6WA$AM#)N1V=T>8dcCe7^@fa`V1Zs}n$d1D2{e%i)qr4=O}=V_>!L3+r0PL?h~|poCia2x-4^Df`}$`9O8MLu>Z@4rAJF@qCnCq zmaO0Bc`LzUw;`Znvo*T~`rYSZM~^#VMDIU4{D-jL9aT{Jqxarm4{UbsIdAG(4WIl1 zkX%kd`^Bo~mxawuGJWi{6|O!E!nq^AGD|+NpR3Tp8%$C0d)^=2WL!7X&%ZC)&{OyA zMJ5q!At}(P4lWdkp#0bB247nF@Bf6hTqVRkaelg}wbWm6kh8(g+`Q+V^^-UcpmNnm zIebIE{>IFpCu#?TVfRGM{d>HC9OV!Z-xol;G~Oz1w$E1wI88)u06ps~YBm3U><7~g zZ1G+Dt5sz`@?!rMpaK7yaxk{9UT}J4#zqH`9uH^iS6jlTC#u?hF2*gfqdJue5mqkH zRls0jkfq|r*)=BT2&(T+)&hlR2E=C9vN-R0IA@y}LzJDF6W2K9QV;-s zLmr9~TP1@qkt^ZKjo4~)%$S@7M~G9hJx(RyqH9Pnm9}fQh76r%dSe|b_sQT0?ihKN zr$Nt11e^OZYC?mOdCB;9_U4;=Yc84BdI59sDSpv+|BKs#oKRea5|<7p4h|Z6`fOUI z_mBUotbOWtkW_y2%HhpH1Ig*M({}**)(T;h$*@PPgNlu`MZ7$relJ@Y)Pe!4IHb*z z2u979D2)x{;^rJ!Xi2YuLnfP!VZDkaLsybpZg-#~V_eZYEb3JQ_*GnL9TKUQF3fmq zwYzgh{-F*$GDzWn+;cS(HNpep*<^4yOv~cc;;yVc}-*4n%gljIR*oQVGeP8XJnYCEhP zdr(d&U6;(BjAs>>*XI8~zLlysN(Oir0gIz+414?0_&9~3ak`3{*^46u_vqoom6S3J z!e)>)LJ~l~XF46Q-@*W?jbc4Iut6J|%&y~%3WTK+Wf_&zS})wrO4adg1$DJ8vX3if z^#YFxU>XBT;i?bDd@uCc(C19DCY4Ry172SMFiVxpuMLY)uOA(+&;o=gqCLqWu9oTs z$wsK>A}0U#Re1`{inDsx-wE1U4 zNh(IRhdO%zkDh%oFUr%c;A5rVmwypT|cSx?(O0K%ljsT-sgst$V#|07) zZZy_YNI~I^N12T<7OP_C4OLp6RtfH#3mW@o2xLD1>ZHV$VvQNlgBZ#XGp)0|Fdq|{agS{EN`kKbBIIK!MZt>Q)tN%@#Q)WCN{ zuj(={Yh;#~nIY-VR4h)bmEMr2LO}SQG?dh@LMzcv8!|Hd)~^bcDGdIohWAdVs zTGRKibT6%LdCEzVG;>nhy?rIUH_0n(-PHs_cC_m2jy+U=CIewjE zL!kN^K*Ux9AcrcMpw~)TM<8z+wld6JYwOW+aopnN3saAuF(sMz_hB9S^cr`lRcR** zA7ON#)F`WOU9E2tep6A05SPt_+xCPE5B$ zGw!5Pq5;!=hUDTv+FgnzYf54<07oI|n)nOLqEH7f`cyLdmbg=Ll$%-*F`^0loK2R% zf!dVtKhmzjl0U>E75|k zsKxdd;v3kM^u086f*nx*Z&3)2t)llQ%V+=~`1 za|xU`hNMkTF_?)244 
zPe06ALt+VAyvDYK{qoTq1?5a;#sl`}IqDsi##RX4X(X8|fd(HB@LbW9~+6GlWni!E;MN2M^ z1$zJ&Y7DKEB`^z>8nAy_D|kC4m&^AOtm5ceJ)gc+(EPD?P_j;uxN<0j)tYg%lNre4 ze%9uD@|5$fCmM&Mgr$1OMHqG!UaJQg)BnPyi&0>*j{8(=34tc^Zhkp5xk>Gi&oTE- z&TZx>LEga2zds{hv|lRh$!FDZJzepN(V!i5PQtGLf(FQUl5)l*Sf0-ynOYLwHG*Qu zBNUJD4;<*y-NH2HU~f6!hVQQmdkYl@Ua#l2y1%SlBOt%O5~VVn8BJAu2LWm5>qBiz zwjvC(lY-r;Yc6Up@v+WsAHW~!&oAL&i~wR-$$pYN*u_F;m$pUc`^@FUxf9co{O1FV zHSpzE*aP9RE$L-nWa{;gC&sQfp{CYVbq#I-LskWYbYeWzMtGRRg2L)OS-^foB?{HZeE8@;`f@GD)$#Lu0P-|}m!06TXl&wk){VF$Z zeypFBI7u7d&?n>T=kQkD0PJxBqs-Gj2RT_0Z3E%OoHoixrtGsi)Xs_RUpyrHk)YRs zZ+1f;s5eCDwr~btLx{_R&~{4zsFDxj{{iilOg`bqO8eX>6{(Mm?N$y7t;5=By6Vq* z@d)hjUl{dZ%q%m8CRaDrGg`&ZM-(S!+4JcaGob2vRq}D>NUA{f?cReluq+z2b*gA# z+*w1!LvnlsfUOvnL#6#Ik`bhYzeWlxn>C6a(||5CSRrh_c)U zy&JY{y}0XA47r>*o4p$f#O5X`pkLXvn;Duqb}_4Os>(RLu908SobXqUVF@@i_lX>~ zA^$@v!v6s;t5z<(cmyo!3n>IwLUuOO8I_4ZM=Y*`&Kc zDiV{{=u3+MU})q!3s8PyLg+w{LZRL zHpre|A@Kuqn8pn(tDg^EF3e-MScsHKR-5OXU$*@1k@448_(MR@$uQ;{J+!O$%$C<< zrA;oJnG|-g)i%I-0;Qn^u-EQkAOit2@Z<+`RPf8$UUk-KNdJvkiIaw}Ww1L#_MZ?b z=7g1M%(zTDx*{&v*UQzjo>p*e((x0CF>~+^)Y=`;`h>|VC}KOa&Kd=oLXaNwwN>5H zWd(P=omFtr*9wVQk=+uGm~I^p;g3Xx&#i4#R(%m2s-gPEuV7KwuXZNWWJ=){FOY!W zjY=1qh`H;K0)!2}GN2AdiOg7OOyQ+y9zVu|f|at=OLtOvJgb)6DWMz%w*UYDB{OF} zU>+27?zL2)`xM~GQsF)~6Tm?GovL3qM?nNkK_UNmwM7Q_#CfO-bAhsr%5CgMomhjE z0o2eu#7inGVbO=umD^b^I^6Y8HftIwqhR0skkZ4s;J$OujGV`Z8H~s(UlU@1zjAfF<7bMZAqH+jioFvB!2p`fSmYLB zj{VXw^XG0{xJ%;gjb;#OV815}Z)3P>%Wr8;1PEj2@>JYQ~ zDj;zwrHyt0B_i70MulUUb*V;NWiPlbpCr-|97W}>(u|}fAx52mD}WY#@{wi%N$v&}DW1t1?cPi#;B5rJ1DVP6yTYc&hG&y0Z{_r=V;6EbW1BoHy8*!o-ou$J_XV7$U=QC}S(K zN*2o4w$%^RZV2MIa?ONb?A@&aPBeGz(SJo8zP{DSckr{e1-@|KVq*{Oms(6b#mQ~w@oU>GKKaZL@2sxH{FoHV zT(Bdk^Dgd-6c9Wgv$VCIwz1voip0)~cVbAv(H;yR4hx`UnO<+bJQuTiUT(cEL;r{{?S3=)&8GLU}=IilEBF`XWud zw8)GU#)h12)H_@ZP;9W@2Af-%@DV5`Zeby!{dUYx%m`nVCxD@edIGO(0M#>Ir`pG2 z^-e6L{XF5~kkF`Jcxj)5osm%zs$G9$g_rM1|4IdMBs4y+%#&t`P7J21z5{@?^mU=O zrP~n(S;?Tr%E}4lKrXd8qk93rI1kOQ;OjiLu|AG$CPeRC%tuO*0x`yf&o>f 
zzyss}00DV?A$`iLGv7KwUwG2aLUl-+Wrg9L6n&H#uJe@8G2l_U2O6RU+=`|#7%tZOB41q9NoKRnpKwi_VlhXpVc@U|dP?qH9Xlnas6W`rl zvk!(7qu{w7gn+VAZJ>%|>PWsAdc><`HHXqQSxEbCrwyRtvM=yf1LbWoiyhHygejyz zxw{`jin4fxGR#m;YI_=$0d0%*qq6X6)j=ucI4(f5%5;eVci;G$XIs~CK@SZreh$At zJ1B+nupZ;FM}Nvq_fo$Dtfy&;H1UOluxvLTJ2RC8Hf+a`@kJZ4v``}`QQs(F=?{Cx z1sqv1XuN#(;>n9gus{?LczoZcON;6J#X2?o}n0hV>(44{O>l4cJmm)p85( z@u;39V_RF9(GWf1MF(V|R-2{XmP~vWrV1y2XKCYiw@ICxFJYP9gVV^1K~Ot}iF~hP zkuDthJgOG~Kx&yi-;B68aoX_lapx08<_Kb+i!DJ7p$m)~oo)fPg`?_enp%@5U7+jnJ@ z3T(cNp(rb=sZMKk&n`z%w8yg?_E3Y*x zKnseZDz+p3!>qb(;vhh-7HAp%m}haOaovpsv7X8jBMH9slVG5s)J`2&w*)BK^AE@G zl&eMOwd9`it=)V-EN_BwwI*(m_RIooAMEsRZ`rjXN5E`E1H2bMs`Q<}?_O+=LI|wk;fTZvQ`uP}2Z82lvQIz%s{(A+PJgRlR4EXu@Dr6xO+;t%T*XcZ6z%>d)=j zk)oX8fSPuqtIRGyU?m$H?6e7u6E`o~OnIn}#U(X%82p8Rn^B7`J9E?IT>FBp=cPr# zt>>wAb_nXR^qc+aQ)llG$0}bVWRTvMruu9SfWgtwL}2;X)C*EE=dVfhu|*c^>M!1OaxTndwuWeI&?l`O zO3FHTvB-uAs8$u~n;C;esLzTH+ggv>=Qa=!OpJG8h@w)nX}KS)_o3*KahQcvgSM#JGMG$+B+VQDqlbMS$0`fq|4lu`kVU ztEPfua$e3aY)^z}b*fEEX*|IcB&&yfTjb*S9zp##Az0SQ_dpVU@4L(6G@%X;I{nr% z@`ej|t|Q_z`;HXe4xMty%pO%*1nxRMOP|LoKus4Vejm}yE0tkPh)2+-m)~oo)fPg` z?_enp%@5U7+jnJ@3Rt=cZP(9%7>N|zF)u&bf2xD44(SA^8x4qy$-Yeqa>|&)vSx8& zoPXdfs|YhLs<{JAK2-M8_8n!@ZxI3oaI-+WP6*?rW91=pmA$EJQmpYFhCTG9bY9b~ zrpUhTp!)@=z)cy8%}9%n7{z*`A;$e!#;ktPPxgPTYW4cTL#i}O)KfkVK59K3{jYGb zDR?sHN+R~;6=J;Y|~R(ewTJ$tSrxh6=wt87Xzm`ZN8t4 z*wHQ9oIwr`|0s9AqT055IaJJ})sHfBSA0M7^%I7)r8-1}hs#EK_R&p|e8&k{k=+uH zrhk#S^gvDEE8UkRSkj|8X2ns4ohm{TvCEqf6t&xL}-R1xR${(U~5(MBTAE-zR^O{pJ(WYdtc~p-Q3pP~O5a2ME;;DoTB+6c zvSiO@XttB;)w#bF^I%mPOYxBbFd~{NigGOkV@|N~A{veeGCx6b#cfwX(z5%4Iy0S6 zKbh4@CfO6qk$%(D${)Pi}v50uFRFZyv$12g7D3JJC+7S zY=A=Ni~vkL2w8nl!Z)-?r@T3?P@Q-lPPEsDp%vVuh`0!b0}qfG9L2dY4K15Zx~Lk$ ziI;LzCfz1nBux|%F3p;D#GDdtP12nV9VI2Eh=%C$mfGhs-XK9Re4dEP@Pq_GX{y2Y zRBm2%sKG$VkG zzyJUgsmeIkYO>PcUcL$4s#V@w{&lN3P~iNloIIlJg5_Uh5i)1o|62!aA9G>uH<31- z*t2|KzjuzGeffTP<6bi7Kb`c6Ne6eKW9H(IWPHl0hYq$C;$yr%EMK9@z(UT+n#X(u zRE}><7dD07;x>E+3cQ@pP6eB&8c*E7H(tqqpO(1YlgmDRYbXAtkg`7~E!?~y3 
z_}oM-qOQB7G}CiaRPo5OfGGepf3rrANB*;a2jW@|Re_ zRpsnThx?Ch1c!*1i@Ba_Vv3jJ%sChW9oNI`Dw@*Gr5XpcI6yLcqYJ3(E-;ofd&Cc{cB#@$M? z6D?ResDDLRn!3mX?63G&=9Uu}7_Oj`Xe+LQIF9^WV3cX!jS3M9&|SjPAg~d*K$FU- zaY&AVmNd6|+fq}z$_e(2N8OQr;#eBn=oV{C)j&Dqw^*mrQMByatD9cU(*U+)s~p1(Vh!AS1A^& zvI|ay+uFhq(9-;$DFW?5mBZSyH;Y8=cZD$;2OCE*?mza|B}oSKXAq_n(?4H${bLl? zZ$l)BB>7$y#a!vuwBcg7ydk`>A3qktbOBVSooP7KJql|`!`)SSo8A3ZufL1c2f90T zdaN90PyY&*Ek%OLJMB@dCIp+wx%lML#qh?(m9f3jRjcmhDRwBV|?% z!YZcVO>dR0H5ahR1OxH5~X|Xzzxt0D^o^M9sTD?avv0iDG@sBSnWC zn@qaB6*}rJ&2Cy@nN_M7CM_+$ccHoL=m`$5MoOe_At3p>1Eyw-F<=Yumy#d-behPy zY%HiR$Be8f|Czy8wy`gX1YZ$=gVs`cx2?S7tU7k^j&C0?+^@JiB(T zU$ld(q*!A@dQE@%6wX4t_Ot*9-?^nRcNtpT2kT%p!A%h*a zl*Tc%=oO6wsyYzNE^u<`LVsG>O%ES@lc$fP35YKzUReL$rB@K#Q0C1mAR2 zR)*YT$9$&x{ww#f|M1n=DR4j`R*>?3RQ4C(L7$8fEwm~`?Mr8W?fv6>uDXN?*D~BM zThG{zh7>?Y9E5pjvQA}zz!p-Bz^-3rRPyOrTx+e=`l3#B=#oJe!+i-m__3?k)8QB- z3x2HhCSu82utR^@=AtugTuU-4Bik8^Z#%Fy6LC1VKb7D?sR2%f&XJ&1YcI~8+OGQd zz>Q8YuEnaYg4cZ6{WS%GfIXhtcjrK?9QLl)graRrY8=eA?R}HW6VtI`y+dy!( z+2SfFO+Sk(d6uT7cjNr8hUtjTXAZrVUM9JI!9}Mp3iy>$p@5lKfI>Xjg6bP2=lHA#Jvw#lFi?DJIKd!@3|k#}90 zx3D6MUpM@ZrM*VN-k)z|7Qeg0E{(Adx%c*G?nV1orT`m*m%V}5@*Ztwz6SOw#c52g zY(dX~;z@>{fT?IfV=bnQNC3d1L|1Z>BH$t4un7U`DR|Ha*4|cEXrps!%&aA3^A4*iv_WlM4-C zyiSXJpxwDA%blnIuZ{g=Wk0IM6i<@`xC03(NnaEN69KpkveO_`z^lbZ^&;fs-exxt zGsY)$MYt(ROcgzB!9^ze3S*> zQVTHgihugEfn!(9v~`#W@_{{jOnUa1_3bh1+GE$W$FFIRUeg}EragO1diFpHOPAre zn5~%gWqJG&C)T*$Hg!~aiJn>j02_E`CP#n>Lbi(&5EhD?X*I6`yvOru2;V7l%&N=K z5RS&N08L0%8`|jhjE1nDf&}W=eaG93I~4cx)|G*)vFdzSa&tiW*OW$jaeyM8%o+L3 z_%{Xtq+U(wk8w`(bXL(m-SA%ZS`^k(LgaPSbb zQz8TpBFKDbh3>E{KnZ1$l#(^(n7{alLMr_zp(VCR7@S3p)xiI8JaS*DQgENSk(L7E z+n0{(^BU#_?YT6#xhE_M{JGVVMJhi>rX*Od0KBphxojzmH zEp_3$Hyep*X|SaWa)he{+Mr7r-4o>mT;_apd(zB%k3#aW4#EY zaLD6dF5vkG@!6L6zeS8u_Us7ZwWWU)0GJp0YJQeCdR)u*Hi);wi09LWq@B<+7j)25 z1Jru)2e^wM!=F9cmN5Q+9Uym?z_uGhEoao!RQY^;(Q7;zhgZWq^vYDvc~Yjd19_%> z*f>enR`_XLD`#HTWFB#RMc`M;@1k#n&b)`pNuX}HvIoozTt(*k%`3G4ml%CDsWGj$ z#b|q)JOPF&@lWP;$+ti07}n}X^C+|xvLQ;J`O8YVFB&gB)y~q(Jy=~SOLh?@;Lcek 
zO?IcABGObWTrz?3#i$jNQyvZaHlC+wA?suq+D%e;OZE!EH~k;T-+pt#(#F zm^Qb}gcIAJMryzbfifd_HhI+(83+1s&!L!zuqpV`s{!b7+B;EgBL%@PWH3!pZI_wXL5W+n-lH&fiRao6Oqlj?vQi zG9sp4x`aA^S^F2qE-pyC{0F$atC&vqoE`p1M#}3aEYa;t#H&2&ibDPR5vsJjl>^jh ziv^KFeRCDr#a8Phnfos)Vx7O)ZHjL(5$s6c{(-$&tMYy;e`RS(1!&|4^JifI8P7seHz_cZq8B~4?oa{%FkIdEsQ8Sb| z1#$(&+gvG`0Ihu}@AWPuP&B7#wZ^x!I!>F$y_(RZf7!FFu{7f6`mn}?ayUL%z7+PH z`SVyxly(TJNj4@e5laY z%G0dhzg<1FDeK@NLAivqe^`!~8cg3K-@xUm7||M&``4erg~0s-6S^8nQ7^?dE?%1v zi~le%3(3)g_veT*`Gw7Bg`#dJ%cvWnSFtd$qxV5C6760UXda1%PR4k3XBDQ(MgpPQjIoQ$i%*cmE>kb|BZ zkZCqfE2h9CPbTqv7$M7;x=Eol(Mb?+FN0yurBd&D?*tBW2OPze_Zg_*Le8C=B}ht6 zcDaq@SlDSMM4qmx^rFsyC3?sYuV%pw`MLP=lRHpWL?^k$u$Pr>RVLz?KGHvc57ErW zb;guIw~XNC^xftnoV;M!gL3Q3*AaE23sEdWu;y0P)F?78Y22|IoNXv^aYoJDGAXb! zj>ozHnd(7W+P9CH6w_gM>KdXo1Fblfu*JtL+Lso&!W(>$gG*FmR@Rxp;0VM~bd0y{ zsm)Oo{*u$nA|)Mgv^2f#A#mR}&i8R=@1UAb!qTVAgOVF62)>KmL%Jz0jrMf-lh8dj2D>vaFs=;rIp1DAn@zRB;|1)2Fu1fU2ZHcH ziX(ju5Yu5HULW?&N@&_pL+$V9J+_$!nnk+!vS_zL4O1pEyplu8Y|rv_{5wWS<+d8c>sP#*8lFQ)+5TjxELc$y(_!#sX5 z0?Kji5T4-!1O&Pxuu46|jLK4E)vF!nj+kv_6*2kW&)DPobcl1g2j7b3N6J9l?rm@ zj=ekIW}BYqh~&6at}J=ds#|mM0;Lnah`XZ1FlweOqZ2kI*-@bO8dj#eVC9M4h37Xz z!cCzf42o$Q{a?F7P7e;YwLcT9E;e-vkJ>K$PJZ}+4*-v%HXqB0Se+iRTA~5L>ZqJ!HI<-~o=g#wt&`FOgL|m+zNA9IAz*bU4ob6Oh`}Tu={8H+8 z+UIuDg?@OfMFhs23!-z+h`fzXth>s9lk^BHQCUIkYjigzlzcZCc;2IeiKS2G+U)9@ zy8}#h94hH?h4e(SJM=5Rei^L|x>c7)iq&^#(ys{mv_*r?blK*Eo(=HuGVftaWhGJ5 zwdDa;7rI5&d56uPxfjIPD9&prFW*6N)aF}E`4f}$1DFqsm zm1dduDg7ftbH4Iv4vMQ?r}G;3fAyJmtUqPXY8mpGBu~#MJ6Z9Tj~w)=TTV*KU()BiDT9>FZN~S<9NJ?G^H?--O>}Qns|y=;LaW=k{yE zRo!dH>+1>TbKDF5>#L3S4*tP+v)4N}Jg?Z-?L*W(;Op%a=mdE9R(tFE9qy&}6mN?w?34LX@0M5XtLJm*jmqQbO;%5(fEV>M?^EFo zZ*OHZeNStwSI|r6W9`ekX;$4Yn$L$1y}Ot<_|f!oFCs63k5Q+Ex2sl_qA#1ztG9j+ zS#4P%uOD9dpR+DNk3jEkuXt})mtXNcF<-XV6mDd$TWeMU`2DZNUNx`G_o!Dsj}6Z< z=h|DZw%m!H+Ap9l)_3?9uaB*(uRpE_$fvjmna9eL*InLwukxQ;Ck?N!UtX8+Uo*E~ zD_fuV*?e1ReQwE^zQL!lSj^WNbsh^GwRKDuN@sA`?@tzr(k5ZrqG8aeR_k?#{q;f_ z)4wzIZ39T>49^Yn*rr3^#*-jsK$+bB8i^t;yvQaRv6GsrlBHoU8uPX$neW+!UT7YS 
z1jLn?#g{;(9q&EO8 z`OKiJaGgtbcRP$HYhm^H{_?&Dd} z^YfOJ7jC-{Q#~I>kTAN>fC(Ee@b4agaVzIw8N}3mSy>ll!2R8TP!oV2No^K%zGe>h zfC~plYw53J2=2uVkM$!vR6(Czc((qRll?qyl=!na9pz(xbJdTkLBOD(m2l6lri)s) zrrb3_ti;so&8AD04V{f*=#FOI&{voyJ$&?Y_0#_kf`x`NXD9tQ^8*CuY`X zwaj<6@lRpDe_tkx2v!W_h~BC4XWrN-GQfiTH2yb`{KAQ_lp84ly{J}>KpOnqhJIlg zwU^O`etK?kyP{sGVCV0E_?NR1MiUHww23IO2Z}QijA? zX#x(VU^M)j)PK3OH;UTAdhKfDQZPIg(f#2156aup!e>K9@KYrDewg8mT)lXc#B}?+ z3*&bX;<-(50rzeEqB$}_C?Atp^_~NSEDY)yz(&rHBKjheDdWf_QW)%$ zYRFx2&tmZV+8^~Yy{l?%mMhKB!Qg7q@%*XizbyXOW|eg-{wNTVy43fVwyVsBgobfo z)(X<2K`%uRjeZpq#Su`ykKk(Mn-BJ1<@N(xsSbBV>%^vM3VCce|4TxyKb7@A==fi? zh7IR~DEM#&cp_zNZ}!f367sD0efAGA55RaGhlv5ew|LM}E3mW<$pr_e$x5y7uGfdn zT8DO0^s*54X@;53rpejAewD$%CO-t@MB2@!x3RD0hh#sD`)B zxeXn-6a3~3VP~`nl#GPDGNa>w%ggq00N%UK-&{(*G%GRpNMJDELNVh7g8z*R|KZTo zTg7-#=+RCWa%Pf**NXvhUx~gK~cdD_>-Y5fu{d z^6(qAJUM%abCtH3Iq*X)g`XPMf|p+y!E(+=UGW1MhWQ&s|52T8S$@U`??1H*wZG%^ zYu@}Y-~bh`lID=P7>(R<*KauP^)tl+|9+T%b2~7rzbhj1ACCUtA%wQMbMgi)dh&27 zE-;rJjPL_vDELV*7JM1s1dC_ccZxWEDHT1g(BC3|HZ}S#Lsovh+lMJLh-09`x2O&; z53FBtte3+*QnOSA?5{=i4`q?o?u0R;fURj`f;?;DHvH*laK`%0)_)qoe;+=+_(F~d z#Tiy#Or(8($<;dnzyKv&_3O<2F6f~IXPvAsBN-Hlp?^F4eh@T-a9Z}8A9ohB>u1LAN{SSBeM`6E?qUT#*iTX&K*CeL+k|r9Aw;kOmrWsxbzqQhESuoGO7^B zuNuKJern;jul?nc|C4M+Nq-CqsLeaSKl|*zzxO-n{5kpmmM10*iSS2LqNqOZzlsa` znti|Zzy8sG)=Y;FZ`N1RRztS@XC4T? 
z;(y-5xUk_OM+(2R-5&g%9sYVr*%M;_v)cmpm$m;eGZO{7KllGlIRDb~AJ0L$md)h| zP_(BJ`@@Tcfp}5z5wb+Zn*o&YztWYG4T!gH-~Yk^cN`ng$qq*RpkUD71`Dx5MU?y2 zMP9hF=CJJ@V>S(CC)lw6Pm}ast6Tfl<})uEHLLNL3E-cbsaYiyo^;?3f0%;ir$3^b z|H0e;OALSHpT$yk;Kwi|x#Q*TKgg|&d&W6ePWJ99JkZwuF4LOqXzUj(U?I;gCFQ(o zY;C$DUw%)UpCTlMn7#Q6UQ31JbQ&F(mA;dgOj_Wcv|ziIeiqVWG^6Sa*hS%l~L z=ExWB<1fbl3snCK+`r$I?Cat?E|_DWG<%|!O=JeY;aBmN_b6V7g+9F5_={Ziug>`| zciiN?thtpwY}ZzZ!L0u!j{j|Fat6G-9;N%OqGz5psc1jyh1-kN3Ovk@E|mc#zz8Bp z(n9cF$p`^F>y?px%1kqE?+e2ECBrwamQfrIffX1$0d7v&-gKfMfzYu^y*Dl=bF4yN z(;r{qE^>)}4EPM%g63z9eGDZxQ@xLIk^ZVB5zzP+tY{6ixX)-tX z*D3d}xnRTKP9j~L%#j#_q}Z)%vo-p1nJvC2%>XSe&*9)!%#ziIc&~dly-0bLj6&G@ zD9}U_0CcO^Y+q_x^}%B|7z)|0J;mI48@!)_%*lvlbS!ySbrs$jP<)8vE$o~NV!VAW zK?$}2cbgJbI&%OyR{f>>=Di22t^wvmcl|YN*oT!&RhkC&tIo^EDN|03qse~uqxd5( z_XYdr_lj(p)|(r?!igAZPE%(%NL~ozEOmz8x>xctXup$IC8FKwZs}aI&5fW+0e{8Wr-?9uA+*eKjZ-XP z*a169uI{%=MTZTtn5OPcK_v8cqKKQfLVnCRnF6w4cwM9*iP`_A^^G?u!8J6hYcYua zMMn?+obRa5g!T7+_a<(omc9tNlJ=(A=dS;Uz3tnV;&!DDUbQ39o@MTjSm`^V+d^`lB=um4#-ygZ2Voi{NI8yy)6NQEURcdoEu zX4fclqT{B9#u}g5rZ~mYn0{^6gClOFt4Q5`D|)D`&yfL*%IG(6m1f}*40#(X^El6|u(9}zZJXkg$7AGq{od|kKUn>{hLt1-(?S}gU6QtMr}R_X?$5X?#O zBj(o{ukMIwYeWZwGU>Ey&aA|w^BN$jjpT&0=RC&qq!imCRVvpYV+$DT^TgQcy*3<~ z-fZ0bSL0&yC^i_TrJ*1vw)FH~sbkw@aFS0wim~)|ss)TA#d+M@90KE;l^~;+hAVX6 z>k?!gtbM;VaY8e)RH+X}f0)iqPbk_~V7t3xYIs}1ITpnp%0F*Okop#nD7pu@bOFv2 zS5g*eKW5H5O=1?>aGF?>(gBpBHESGtP0)=jC)z7g-Dv{?h`CQ&UvjV@gWsSBXx{Ocu%H|a0q~mKj!*u)a=2{d27(m7K5WgVj+vNhHw+d z6m^Y17700i^SCy}eT(>3WXLR51ro$m$e`su=bKBa;t2{Bqlk~G=1UOocL-XCTqQOF z5px%g?6-V}!7@@7?{kdXH-%A*w(z@jo7#pRs%EwOhi}uMo8WFpF!59CmYGHJi_PcG zbDv?Itx@^}GrMgvkxYBVjFW;J9?b*htz<F!y0* zWS%+rSwN+*pqJ%#P1ScRowSL?jiQ1OuBHA0u!G5O4Q3D!P zvFSLgBZrK1V;h$UWXsU*wn-I;y?&U3*hgu2^&(g~CWx8D)tY z2L!1IXN)sfC1@I6h|9F3z8#!#2%pIYsLr}?>FdFUVLS|y43ujELtsc(iNqN9rk9%l z&4uQe`~hUkT}euXc5kFA`I_6irpahoQ*%(;j|cKR#v)+y=HGKrl}Vc~8y&=O8|>XA z8aTWz!Z##>(g0oXYf?x+J58+bPnwfRFa+eohPb=Wl8>C!@E>-CL+KN+3bjeE;7?uz 
zr*b33F)52z`rq4v8AU$f2&^m2S>q9OefVK>76{{wF`Rg{Fk3{rKB&&ovWXF~amQju z<9o4rnH8(4=w2wPwf6qFU<{P^j@Pb3%O}hCLzL<(wOxi}=uzjAp_66NhH<8L-lD-& zLr?~-HL&`pfv{>+qnuLFx;WCG)K}PR=)dQ44Xv*~tehv;Ox8o$u8kBH%}3w_v#jj& z8VE_W@^JWf+q5)bRB*|!IR(QaiLXV(SD$Na890YJZo*TT2 zGSu*hiQ=8NicxE!@wnA)EPhpe7KVS=l`dTZ+0++^hn6`HO!!ds$IBSPYHCERwdY&n ze(>JGGUcq`$B2^)fY^+FO?$W|17c1gn1zbtkaQ5ArxY=T{=&dTv&ar{*|8n-rJ_$F zXTty%3PMT!aqC)lv=`oKCtvPtO2W*SG5cO@#21120x_G-Ug^cFxgVqA1YfvvL zbvMR}c;)3>Mw}fVuD&wRNj0a(tyUfSIzqv_p{YCTGiy|=9rXy?F~A0H?ht*eO`cWi z)M!T>Bezv;K`GHN8>ty49uOK!=S}mCBvRkDE7==fc)NefAi>a+lnZ3)kSi|!_*JUE zx?wRl`-F&pS5}D>gyXF%@EiVmZu8~$ys6d9j(``CBT%CN>3eT*z|tcMPl%qE>-X!6 zF&+=gqXU}a5>oM#1oo(nV;&>jWr-*WolwNkPcq-YHbc&@O2b)-(qqG)#()VYMo$9b zXdi~pC5$u5x0$op$GJMzCfF-`(24uteNQLTi74fHkIrB>R6f#~HGPS^U*+_d?1lft zAfb$q1Rq0HBc^f10Xn(&`cbMz*E8Ag-9FyYjy!d&UOl;VN73E~iBM>TFeN&zmr6am z15VMBx7ex_;M1Z-;?-Mh=i2c}Pu_G4ood^|76;5zi_?`!n;x0mK$Q`jwvTK zHYRfk-tSBINb57bdHv=!Dm0Mf`Qhs@e{!^#P116!FJC^BRDYcO0flP12Kfu{5y&^} z|4~ZQ`tiQOxi;`bg*F6;jx!Ys9A1oX+=?10epx8Zy~z%0yM5CHySpZls0-7O2IdX` zu*1wbH+%maD*)Sx`HF4m1Ri*N=A{@#Bb1n4C;wIl@^Dw~@m2nM6T;1>C^xaaSqG## zZ_>5CyN1oNL2^4OS%AF>G=iVf>w}4i<4~d3Z3yaz!jxW}LlAyuFG6ZC6X?*z{teTt z?^5b|NCZb*ppKg`@J*m0BKRv;>qxM&H1GkgvdK<)k(+kggWogVT0Eqm9bblGQI~Z* zge|?#P{oR;O`pA1o6KGMYkEvQ3dfOQ*ZcwKU2_mwAyy*WI4N(pMc)kLQplXIO=`Lk z!hjHOaD8HWxuA(R_^SPUzPP&EQ!V7!gGdLMka5EHt-B-J5E@?dlhlDqse4D{p`;!c zW6|BYK~GQ3ZqwT|h5MAwAC+P{_u|enjk%ORs6mY*+lu~mBrwNA{4;=AZT_hN*R6I& zpP?_4o4S~;e>20Bn<$O^JDUk1 zn5x2@AgEY?w8nTR<=o`WiAE59`EsbR$T1l-YUr0`W<}7ZlqZ6hxQ+FmzSPd|48oG_ zGWx6y6|cxVwK<7B1L|NjddYAR!Dvle8w1H+vQks-yF14gGv&qLMIvweW@l zbIfV2EpqTh&HEKK%Bje$+(sd76Ibs(b>H;CYHJk@VDCnH4?o#u8!pU#ZDh6pJ<4Mk zL-(!cj)#X^YF9_#s3V5F>^-K+sgr+czoBxzdGD(pkY4U7J5quu07xELoytZP!xf2VRGa(^AO?Hgs?_!xR`j#>xCW@1^W_(sSx%14Q&5AyG*RR#?*3R}<5h;dhcG_KHlAkdp#yaaon|86k zfaxz#6@-#vv9K29O&5T&a5j`ZrOpRFBjfuaovgz8o#E?tey;jx$=XdMQ2t(*H|b{n zbKu28TXszTOa-`Fd7Wb7gd5ePylJ{TZs1yxezDeR*|mjC3SGB6DH3^NBdKt$_{<{J 
zjA}ERM*S3ZkE0`n6Bj0y)9h`=(vcLtJl-B2%o~L{O*S!x=VD@m)Hcm$WMfe)if*1rxQT|Xw}n6@3KL_ zon;EHN_<`vD->#kK55SZYe`KfzV}9D&5%?DPpoN5`LfG7M6)W~p>oq!U#IV{8$fDv z!A+%3gbM9@8#T-UfWj2ACO<9fD=W<6@bE&=TNg=hDz7%4@@CaQ+QH4R!)EgG5%DGb zOjqjJ_x3qU?6O5Mq_s3wvFW9?tQ4 ziDDFPHeZ*HHk?{U19`OrxvhqAcbcV1^CM6Aq9oP{-WW4;0tR07@V+UwLce(`j0+|k zFz5R*zSG|;GPUHQWij2iM;d#@AA1YaD^yD<5hQv$mAAiym>bRSm4*+_-U`4zR&r9IU)LR8Dhf@Da>OlKjgyU$oAN1YxCLCf>PMQNJ^P${*mXl z4Ft`{JJti$OiBe5d3B{k!1#tBV!k7@SS%p|o8cNqe+yEMKB^v*at=Bc)k%+VX;FQ3 z(ScFwczq3Vqk_$do_HB|Wh`;jR81%QuH-tAQ{s(TqoYnMbSy@AC;wBJrX=@(X@EK? zPnY1(OvbQ0-+>KjM0f2tVZcVGG2J?!Sftw|X1HDfCUGirJE^RM;e&M+7sl`l%u zzyaek5e9u2>tQhJxD)yu@zsvSrb|O5r&saq7tw{j}HJfW(P&7_O%o*RKUu3VzUbR(ZfoA^B~%8*I}X8GAGse z#E9O&zGGy=RYs)P(RH^eSQuzY)>IhWD^BJDw~WR|YHnfh_RF>IB}$tQTZu0Nf>8z^ zW%{rcbLv@T z?v`n5`WtEnN1SbT5GA)x5Ew(X4ey@L2JiVaWPDne0`?3_pD&P`^56y)kWpucxige(u6=`wUC)hEYGE z-pb76{uXACDumlklYEf-hI0S0#RP-N=)?~4)~Y(3QCG2!NafY9`WEJ(Rt|()IIgc; zW|HQJ9svV`5?c46VJKNQ{A>jP;PwXSyx~J)|7rFBka*0Z7f(n@h)a57=Xwl!8s0!- zOa}zmImUEOOYAglFy=1+4+T}Cs-+-#eH_gYDyJU7#HqAvJQel@fBxBg`%mYOK$1(6 zbUkngN)tjIBLJK(z~hyUl=c&F9F~zoE~r)gq{AT&f_o9KK`{^eqeG+HC{$>i8K5|b zt~a>W8@U~5)?lnVq?pN(_ko>o~fUa zH$nZ!!?4+IT+Ycy)CU%fs&gviK)&giAd`gV9BnQOH&wU%dOKIMMf$vB>Fstz>50y0 zEMhaB0%H5PL8jm~)AAYhy2k#iW2HGs@d%P+QRvqUw8%GmCU5CImHqf$6A#i_;d34O zuF9DX$_%HqKV2hK2EBGpzERO*c&FS)Fme+qKS5@xK`HpynINB4i()V0S>I1y6p4g2 z(`l*GLb%1M?CK21(!@Fm*dC)p=iC9Hf!ZC3K9Ghy??3BHQE=FjLniar|osuA%T z$o&nE`B$Q%AyQJ#!Z~X==_=P_g{S!**a9UgWdGooZ4Xcl+7sL50ecK{%OjO@WT2g` zz-HkL`I~3{x3@&*+Ocw8OUs0m3~`srvmyP%@}g?NmT43AT?NPkCc75y2PnFfrH)UL zXqxB}$e%>8Gbe^TvSijCY@|{;7TBT9G^uQ@f&?cw8rBReplL1jA~WRG<>{Z*HmI|c zc*!?)fp46pv}}cBGu-3&Ud5oGh|j8&0(vrs4jgd%v>MUe7G7s(LM)}zqp~2wlOiGH zvXpMzR45IKO6*R63ezQzyi~0htEK1;pYQIPsu0Ujad2+(gO8JPcG?(58q!&)lWuaP z(yo2(RTo52>+nC`>}w9bh*5Ak-M-1Y<9&*J{F0NsgItS5!oN^TXi301vIM=B(`HSN z*hF5*H@iRJ&NU2YgV&T&bW!F{TjLD6lg}nJV8L!1k)lQ2cAlBiOWz2GAB~s!wTKqW z66=xoPS$uM^ZUMT(5}*Il*7d+F^7B94Wa_oM4mUBIu!I=QZ|Gwd7#T#p^_9N0dNYrQzv4!SPAVC> 
z4kW626n2Q_scF8jRM`^E_PjPeYoC!_)l6Bu*A>6b69er z&cdo8gm$)!Wb@Mz^&0SbF1qOTjTkL&F?6YtV3x#>pCha~g3g-S^zu68@eSa)!(V6T zU!ATy6y77X$v9tZfFqhC>ay(llW9@MKzXz62NmRUD5Yd$;23M9h{MA!J2ZiGHq)l93W94fKag%P{e=9(Bo=;fuhqPNJt<&*#f(#l*RlpxY zg;*6w;98RFQtKZe!EECuX7OG@vR#dMQ5lj2?Kt`%mr)~SGv@0IzsjD%FDPB*Rkj?E zV#($W1@m2pIedv#N@|Om5&kX6xSK_l zYP0=ZN3hxo0Cv&GlCJHw8t)33uHd+{hv#q~j zoPqYt4PnV9=Lr}vH>eq4gE?2z@`6L2WeTd@EV`I4O1U5lJHyo$i_VMPy%CN81} z2}1eCI94K3&HmYfx;$ZCU<;so1h@b>{K?+*pLtY1cAD5jtB7P zQL5J(C?La^&WOV`rLkCsuq~foc(C=wA(E|0EK(Idjx4Pz7zCLn2`)p*%va;aJ?oDZ zeQf8?ja6s~iuc9ern+#LCU6WoK%(jt3~zPPH4{YF0Auo0oqBPE%G4NKJRn@ z8~}i`?zD#b!-s*Md(gDmBG-C-s{#gh{a;Vk@Ye*6*+3cInjen=fQcWYSq;Yk!p{X` z+x|L3PUhro&6cv6QUg~$YV!P}bc^bv--?TnTt0ZeV3e#1QMKBJG{@5PIEN;De!8#%1toQ~nL+8&=!~voH~M@k!n>VJ=}9Qw2r`t>SP9s9 z$fc5Q(zX@(W}~@^=RqK+#Mp6_F{aql+r5Iig>%ZbA}`DsCX>x=+I1Ehd6wkFsz07! zZd60LJS`&DhvF?6ym&4Aj<9nON>K1JIF?f{*1N!$Lc=-W%w>vZFBtUP=b8^RY%=;n zVD#hWYwgGUG(jpCe)!PM>M|{- zIoV@40_`j)Rf!1=hn!MZ4B5R@W6qDLH#GVx4H-D@VEgvfjqud1u7o+^U13!v#-p*2 z^y`qt>~3lZEIMCaoWXO&}#*%U4b&(_@+sMeB zd)4w6eaM-LE$G%}hri(zaLCt<%F#T35=vjDpJI7T&BUKt`KOmZd#Z)qs6=xLb= z49tXJdLdpb=n3l>SG(a@C7r)TFY$vR6e=hauCLj=pwhwYh3AAvj!C3f9R%Rqf!Vkx zmF{_?X1D^ZtKgDT-p%M}e9B{#YvJ-3Th;tLQ2pJ6b)8aX^;4AdO@PZ^}Bi@w_ z*YIaaS6;?^!p%|`a(7j5qRlA}?ThgC6+WcL!4y?ySK21 zbv9LF+E|zq9BSjIJtTW+Q5IbLyEm2&*@q#S?N629DGBU~(#4 zdC66mr#A}~bnf$Q%j`kCZI9zepl4Sc%Po-7D`Q$oXGxc|I)20t0i>S8U{k?Qe+z&p zS+EaM7m3@)jG18ouKFxf(r{Bs$iKd&>M+>N##x9@mVc5a$I+GI4fk~lk1JE^tKvF0 z^#*=wdJ+pr-{$S6`zcihn58F#WcVGek#k#VHzn+@LT=WigLgIsYq_gnH0Kwb;K&3N zPMj|J!k1@7_WlV*+FwNI?$mXJl|Mv8nQC8>>8qBR?x#MhYV{p>~gB5Mb7dO<`<-GWE7BWmwh-iz@eS+a=8( zPre6#QC%Mrj=7&eK4cI;F0+)O-LvH6j4dJ;^WtjYRlv!&=uvosp4V7HAXRM(^@%S5 zWcY2x3E#$CJs*Dw`e+_6YCInX>Vb?wr!4hYVzRlJy%##{ldhV8rnS~LII545tWaRm zRzeP;u*LF~Okt=R75vd?O=vo0IJf+Rii}n0Zoa~=7(+Xe>HRGZP-+QWXLQ@F7z7?y zJp+bX>SSnhogwf^XXKl~%ej#>R0B15kyqv3%=FAJ*(DfdZE{rvaNJ&IBZwc-y0gOX zCHwgs6YxlKnE04RFO)&1zyRot5G&Hh{_fTEB}a!j%!HIR_!l#eEzy2o$#b_K((UXx 
z70Y!wL*u^6Y~==b(>#M|>5mea5mOsu0+V~9nHJV*+4VlFJe&JYYgmfLhfp&pDzi&s zHhh4P;TM4zrnN2y4@KUTABHse47tjZ#gYD^24hZ*E>h?TW_>i=8MxK;}3$^DHvZyuEPs!N>zV$A(M%d_S}nLxcD>4|3F6SQho$?kmP9wW6sR51qfumWnS(AtH=jjFeHH^LTXxuClUKz7;lWmbH^->n?02qKbI;FxuX9Fk5_udC+Wx z@){w>l|=oTi*S2?{`n4(*efgf%XqXK+e1etl z;Si~jU`MrMz}wqzuLNt^PqBiQ^|(b1Mr$Bn zR3V$-**HCebX5WbU1WXsdx~d6qm3*`e$lmsGleuXdhokiL794}M7c~Sc zAzgMgA!B{B(JI59ZL&7k;+MOgH9`gMl-vb5Mz`@DO{J1mU(fWc0 zG9cIfTv9BJ>H=Fc00u8)CJgHPBYWFPqMwu9gnrK%*jepu@>`eMl?ghd7(OVuB0Ea2 ziy>TEbX8pBtJ#GZ_z5ob@5xD33dreIYhn-xBro!k+5PEcK+Xl^u#XD&T(x#~Lsv8_ z_O@oCCAj*`OWd9Yu#w?98MEbDVY@sH51CzUwksSDlD7jBW>7=Ck)DaSqr4o%vGRE8 zNvKL)^IfDoTK;4gt=)zL%VRQbu#qKx#NNp3n_WLb?T-tz_EFViNz7;&na=YL!!hfo z3ILL4Wm&h9R9VzbbwIdJPd>cNkk&I)aYewHxlfx52HMEQ6P%j-qLa+>Ap2=&Ba&!D zT8^NFJrg^59%6aJ&IJ_wagBroBO0QG78fas=58_A?;tZi_1FKQkI(JzzGi=qe3&!Z zj|f~cD|cL3o}vmAnWshA{vhKX;%PYr46b+T&~pmpn~BGeOHl>b@p+*;A;z3vJiR2; zbikkMDZfgVCg)wnEBW`)HIgh$DnBNgU~pOv-WlK0mF`>$4h|8H(bf}w>dEleb{%ek z81bOtAA8pe2n%<8dwC*3q^whzV>I=BkG7SUB0Z$jHg@zJvh6u=)%;!X76&x%Cp-%B z&11w{YM+r8_T)x~ z?XU1Rf?T(yGbZRw;9ovNE*vc|d2p^Thu<9n*f30+fWeG#g$d5H`2q(5qq(tKokO}A ztsy4!4gy4FDN#gaZ_YS*TAfAiIE|mk1~imn%{GMdwQet ztsr5I!2#9Zeh0qvOVAvUe^y z_7Fm8_{4>hcg1hfj|>WR6?0FxcsCI#Yso>`HZHa=t`FpTmJ9kri|{3=+dm(=IAFVh zE;&|Ml2i*PWr1=G9V#+6pw+2Yxa=twtGhp!*A4YCvo$)7H^wVpcXdZ-<`2R$-;6VD z7onvsPvYTYX>{+R_a9&*ZD%C$7br})S zwIDnGxg*H*8yA%~P%(pQ<*6Um34PYbrx}c39n~dLgIuJY4cy~IUWlmXE6LeGMQa?` ziR2Xc%Hi@uDcPl4#Wc}Se7Jl&Q0 zhIk&m(PJ($y7CsX!ruSO`mR zKgCJf;N!rC&&KcXVv*f^8i{XS;)1E-0JpVB%(A~B;1?>~U{Y|)Ar1xr?*uC}WH6Z7 zqEV-e?rY*_2D;z+g&TfnvjitWv6x;y*Q_s%4d68ixvsNsnCs_iuqgAce^_yC>uNB^ zd&a!nl*Tc65+(~TRJ%v-OA29YR((Y)eoxA-7|^d`c*j0#Y^IZLiLs9f^Wq>% z@hzjecpxBTWp3CyTM@gJII9uOfQHqqr)x(;ylwBv72wnH3w?$famobBmXDow^S>C} z!4&pOsz1|9PJ1s2pxf$kn`w#AJsJ5io}U-g<7hc;n#@Z_@4v#%Lf_p>Q&A6#BN6j{ zM?MRFZiGtzysY(_AE>#l8AR}ifYv2uXS31}&Oc}yE z4@5Hu#D&?$1l3{a2~;IT)}&dLNSFesdUvTFu>3G@CqrLg>!{y9BnSY^YHROpqa$Ds z@-`BR%$zwtjG5%&PU^vX7u;lOet)aSKEQ`XG||(zqDbKSsl;I;ciLH(Pyh^h|E7t? 
zC5k{TJ-cx=#9UqY(G>yM^}^#X<4WFhFnPP$k%m$(bK%wX#3AN@WzRLRBwq8HN<>B; zZOyTiG{e8}Q6>wTlHnR!Z{#CAkAxgnFnR&vn@#R)Tj3^#l_5WLP0{rhwMdBW__PS6 zF%;k#Y4I3THC0%6DY?MI*`iug#>Qoz>^BY$U@tt!i<$JixK|l98aDn7y85IPYhc?K zaxOx--5thyu!&zI2IN(!Ejm zCl%q>k)_iiPJMVTT+>*kE!a7uKCgpknen|)KW6fg+X6ldN2S_`GY-7K;TiiuOMm8N z47aWb^D}W-k-n#S46Epr3iVb&VLiAmU;Gm%Ly1R;1Aw#@s-`oa?W>)t4kJnOX%3k-e4c8tS9t};cL*q7ytk!7e^?P6?_?h JcJ{0K{{tYVLl*!5 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp deleted file mode 100644 index 5b9d97b21bfcf4a595c7cb7effab407888d09722..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2144 zcmV-m2%q;-Nk&Fk2mk+^=WTY--#I~#+&3jnK@$5vT3vHOst;*zJLUiJf z5iFcT6_xZ;-t0tVmny~B5A9m~dw^Hll~As$xFRAz##z0}0H8*H*j10@KNnDa2%&mc z&)|$F*;<$(&34EcOuMDY2(w)v1Q9x1oHzB6S1PG@8^H=281aR3VYb2iV%9Ts78+!Z zprlX?Q6oyhjN1o?5OwuBeyf@UZjeXfyMD|EdPS~?@;~x zt%#A+6}+xZZ}|wBV6sbKxD>V-eC1Gy2VCOg;p<}j|25BpvGFCsU1gANY8}N$e39bn z+=iJ8GVc!q*vrMec{^aRKw4c|q-#MAJ?hf}JL*UMdK<;0UFMDa&>i2$6XDs0D2K3dTT~$@-%g&mXwowkh0-EHb)ei2;|!o3*u$-8}Z# zm|w|AxFw>cuLsx`{j5p%Eagr&OP8R`xY!Dm<&no#wKj@Xi_8YMD0;Bc#@RxmIWR&R zU0?29OwOU=gP+5^{1+Y_r%z`6mP(>dmLo#5V-S~AC9LdiDijL!vH0}s?M7D^=HXb@ zoEJ|F{hQ&rfsuQ6Y2rb;kMwafgmF)*4E5ZTU&O95e6xIDrT^$02x&H2tU#=U;Y^AK zNXb)zCZ1qzcRDT~KaL;|djUG3SxaEPFftAA3ty-EC+fCb62{9#Z)VsYP);DZ(%%DW z_9_l~&~AC1;4>f_ZLSbDLyH45e6L^+%Gg66!nG1LiWb$6PQL$?fn>{3h*{GV$%U6v5ffzhpBQEe?S`!N-&X1SnsqnjYhcMd*b}X)*llu?&;h?mG@Y$ACDGQToK5Jj z!nBq`dvTj9$XM(k0u_eT&a?v~HR~eh;CnJz!m+Cdpmp6qD*?^)Q9~2&$#LilzOjBz zV#bufE3R)X(aZ(2C`lrz0MOs=h7(3T6R&K{by92yKaxPxU{!)22xPkxJ?eS=v!i)@5P3|ksW?s7r`X9Ms$ZY@e zaH}ezE|1f7>Q()pliNfu`PSRfhu795MO?w-<)R<30p-{kPi9B1cLX@ zwM#eDtZm`>Y`akY35v*nm-18;_<$=Ht!aa`vq%c~VKtKVa_5{sWpM~;rlc$Dh-3dF z_jCHur@--a|M5^O!qB~GTX5bk5^>JEv4Vv0w(vtaPmfR6@Y|d#D*V| z(?=;VB9iCWCC0~Jbah^8RNDd{Z8gkXH&`W(x9Ixm(JW5gq}0^RsIhU}d=@=@%&8<9 z`p~k9OF6QEHVC*hatumJ^cw>lMfkLhC;LU;!A@vqRv_5bOaG_48f!S+Wc<4 zOeM=6|D*QqQRi{~BNi_#m&d`swlsMRoHTy7ZyT}%Q){}e7SI=*0V(^OY3CV_)gyM! 
z&w@`XTDPgQF$i1R{QWPGq@1d?eRU)`%5vCvE0i<6)OkjamFU)-%-uc)vsT%CSIdgQ0;tnHUoi1-v!_9nPV9u}5&c4Y3!<6$W;BDsaQ>^h1Gt_^@f zNC&$5xq^*$pba+ZDDPscx<@tnhy=Z)sOE*LJ2ex__gc;h3*Kl4 zuF?YgFHm~XkI|;;q_O|jGhk9g`rdx}-Sy%z!R!EcfB`G5jb)R6l7|LE_LZqlX$XRv WQG51paXqIYc8WADm;YSA0002ZFHsW! 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp deleted file mode 100644 index 647cb13de76a7fc2572ad85a7edb93b4513ec5c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4560 zcmb7EXE+>K+n&)&Fi{h|jZSpdMj2fYf@skR(L1BJh)$wM!sxvdozeRsdN0vNiQXCB z?7rW%`|W+n(;0n`JaxN2gN({uZ61VV%}f^DQryIu z5KY4ko@pDOwbE1F`E%}@-#Ui+v!N8ymz8gPCp|Ze?Ifc%jJ+kJ{J$eHuMSVsr@r3a zY-duG!i64UR+>?lnE{Cp0w|{|z`e|E9uj_gh+$k3P;h~E?}Hk;Uzv9t*ExaTNRC}M z-`(C7JP@5517Jgv)d5ovBtQA~DK4$%1TI!h?Hp6o7aL@WTrhPyZ3GgbYD}fIvbrWVWL@MIj%~I%&X9zxCTz zci)-1&jyBByh?`99-~4$X=LfoCPM>fU~iX8U~ITmhI@>#tZSw!3q_rfQ2mv%YOqS? z-gPF>V52-x-sFqf7qk$hvtg=SKncX+JR@K#v)X%9ayPs9dS_rk(iKE&9w&uAe2(Vq z1HO;igr^PABYaLzj0Z( z`)Q=c=a(-%*I{1<^Jsk)t3Nk#=cH2qB0c3W)k ziuQ8;6!9Q!`meFQJ5P87MzaPgR65iyop9MLf zcK?rTe{1TfArD>u_p$q5lm6?qiM|d&w9b|uRoi_}46qM6_HiLh_~&e{y15j!*4;$V ztohw)J<>nv{(VX3n5D!F`M!{wBC9t>^l|UkznR*7{b!K===8w?^-!XJ=je}!wPkPG zeUcw3biV3NB9wd*pVhZctR;G9_9BcfT1kEVID&)PpARe(*US9>hA;pC_YW;xXhxQ_ zDhg0On+RTv@RoN6K7jD>7ronkFeNGDx)v+byJ1K4qq$EY0Du-rb?P!X{R%Q4Vz^fe zKOWjP8enNQbjiFS0)!1CPe$wu-|VWg#;|4Nkw}mBTW?@C7WdQTty7jn-(6Z5{=o7| zX`Lv*gCy~cFbiKd1zk&Ws5sE5BdqZ)%&a3E$>!^6!d}N!f7F|PQ zDvIM!XI2F{jC$y-2yMLYJWl-HJ>%Kv`(P2p(i8pFbSsT&(wEVD<%-@>gntXm@~*bc zvt0LLf5e=y66oWRY#Bb1mg?;tn>;Qnb^C**3~OVJ(Fs%-C3Z_MItEqh8y)gd0_2sn zx?L5$c#kq}9e3h};t`LoJiDB{pqwmcKG}KM#GX&}>db28;xHM%ZmFD>)i_V_kY;v? 
z0bDDiVB{LJ^Y$FoRh|0E0!X@-y*!P?f`YGJfy)M za5evae-EYPSP>?t?8m!3CK3*jn-XJ-(^3qCe_KGKFg0I$nck^y2yYmr0`(kU#vDGA zDQJNOL}lzVu;{Qh)pduzG0;yz`Nu?pBH(HXuPlsYaz3MA_Of_Tb5CA>c)j!fJl~rc z8Vl!D9T*7hrMZ(~`=|=|%(_`DC!~LQz-=ZA6HQ4xk=4Gx`^DTqV@2J88@#sl=>9aZ zPm6XJ6pDB0ul&eWI!rHm=LO-(HO6G>zFj60%0PG4_(rjL_!pl7qHkcEc?>H&UxONW( z=7_U*H=yk$1Xo&ed1F+O$p4(J?8z@s^R?i)oOCthvo$JHUcBdj>f)n(-PpUh&~?(6 zfFLf!fDsDU_F*WZ13EF?q$D2q8F$SddRQC52@!2&hvU?*)i)iz)$k|V=qt2#If$7| z11r5WuRB6kFY^U&IA78wP>P^yG%uL@jHe<_0W7cQxwk&Kn|x96^#VMNng|A+L6$P8 zkn}u7@Ue9B!r^I;$9hAFeieCB^gZ18$^nlK=YkswZ&k*ZxvvhlKc!Ae13Uc5l7qT9 z1mThayKbmf-G=s}v}_p>_Hizg<@etTCBo4tB@m28pJ@X77P|`dzkQOY9tm|MH&}dD zN{g%?cp7TYOBaoOz=b?oS>Kxd!BC1nm!QcY_o(({X|&^0<{mkoylP=rpfktAe)fue zHT~z0?*bdu#$5t4*w2|8k~y18pHI2v*2%>hIlRMD-^J(~GA~p1VI8A#-Zx-=Lebxk zk8W!hs`!|tY4zvZlj=sxu>AjyxH z9&wLSF@Lz!I!pada69Qo`&2n~hpBHS8>X?@o!;;jm4}WBUS!^pFqDBwO59SzclQ~}N|_%&Z1<3u zvRk8KUh&(Ljl8|j7VN#*Y%=SeO%h&h>d7u=m)B3;%C^zQ62V#X3;M?H#G13V8uIZ2 z+cqXlGDzV`g}^%#j8_oshy5qhViHu>8mt6ZUqFjSah;atO*N4Y7XP?uGY$~U>XGiZPt|K9nO1!!1NloK! 
zTP>mY5zvi3y<02l_A4pHb?zMTVE=ANNLcnpXpeUaXH0SoXU+`R%F4`$Mo;y&+yZNy zl?~zXQB_ut-n)a5(wa97)9;m%Ui`ZD0ppWy!7(OgLf5}(h)`weZdX$_aW z?HyPYZCQ7-4Y}EtTU&hcan?Pr1jdh~=5o^>ZJ@)*TGZFA6gzA@KS`3!XIs8595E@n zd9~th6VIW9y3uWSZ4(DSsVj^JY+My2F_=%n#3!G?FI|# zzE50jC1E?+0WvVh+rVeMbn2NUAyr6F6d6fTwZp!}R4DV1B=viR;sd4;E1eq6iGylp zAC_KmO!7v~0)R zLIK1v6-nUzaJDi4w8HrrjRYq}`$Bp-WE&#=>?;GRSRj(CyXxsUE9dmxsc3?!{WCK-iHDSPHsLE*D78kva0nl{zS-Ls29Fw89`itEJ=q z5$4U6^@TBOD>W*&iKNG+L5DE$d)wYfQ+z082#* zkmWVC(|f~tkPLLJ;i2f0_cUJ`QRWK@d*a4M@+?+FS@a{NL2YWP6vNwv@9cCXP$T%m zNNVx&T-fPQ>k<~4A4~s~NrWyYlUt`QSchuWI=oD?*>bYRzg>;YS#Qg5n8f~L>Ujpu z&#z`!Vq7zo>^L3hO35YRQ}NqJLw1V0PuYf4Rh0Uwac@>_mo~>2aA?>_?t1~hKQBiQ zfqOLGg1aSZhBGDtSlkaPwt5HEi^%w?4f{yu+@siVAy36*p4SM>ukKoj@3=QTlCZHQ zit3JL$Tthn#P(cLiK03R9uOzdCs(e&O@_pzDa*tubcw)ni^yfy@<8UCV%Iw9NtM?K zV;uIXrOPEO-09K#Cm?*Fkj0UQ&7sy4-+rtyQBj@~XN_q798jew4vz6xak&>QY5OyV zgKIaBAr;L?$B5Xb?=1CtWp{1&Y^6!}Fw3R_AIsu_i>+9W_od=AMeD-2gFNyXyXq@N zq4+!0$$Sct=)T|HZ9EOS^I8g~W8PDjsHaO3$h@E}b&<`8TTQVsX!Z+6Tfe9mW?7(# z$=Y>Br;akD;kW~8e3BPLm~xkk+)naLqJBXyFt!{j~e*MZE*g?uzhpJVPB35m|r;8?#$z0vW;WuDEP9QDoh$^qbIkq6^1T}TeNN(6H3RV$2L z@`@qZ1&Jq8+7+i9VCe2*k_0CAj&jYY-)6;4oxGAih{fPRt+C)IY8|Mlw`$eL=)%XV zo=uSy+aWbjG~nQWe;G{eSa%i#^7XpS$6p0yUlu`1x>_@5Y|*d*TEdh&h@B^ok$+sG z-+kgp#c`BY`6jUhU953+TZYkGGIIV-q5aiW)@r!j!9@EsO>r!n<0aK~=d7n6!fMz! zoV7<{VAAils@S*Q7C(b>eE!_~MB0MR>LrP_) z!^G)CD=kGdyx-~6a?spqBag3xhNV^_lIB#{OQE97eQn5(k{G7G2KJpl#?RaN%!+Yw z*XEDDoh2|z;8mHc?0-~QYtJv;xk-}3XBXg62O1-y26wXtjVZRNd02nZmxQs0Nm-}wvsE>TBr~FRRa76BBSE_ 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddAndEndRecordEntityForm_V603.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddAndEndRecordEntityForm_V603.webp deleted file mode 100644 index 5e9cb84746c69fe7f0a4667c96657a11fb091319..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 106548 zcmdSBWmKHmwl$2qJHdlnaCdiicXxO9KyW9xORzw2*Iac$}+a+)ZxIJ{7V7|3uzsW@S(C@bdK)=n{49f<@0Lq_?9@UQgS_qP!ssLIKba#A9 zA2Rih0X97SekOp3PvDOkk8~Au_w9Ln{eFj+kdG-(#m806Y&Y3=s~djffG0rqMgHB% zt=@gdcE^Yx05EU`{fPL$_QbbH2LRmjR`Trt?yd;|bN~Xt?A-_dssn;Oz6U@F;HOIg zfXU*AlO@F4?4Q0qmH^BEe)nzwrk{VPl{?P<1bFi62GpMd1MU}%ZXf|;?*J4}AD%Gp z2ac+)^`iKw9`heCuTMT_AMrJNYTaCa@bh>&d}4Zxxkg;Fi_^RI8^2k;A~*mX_~l#@ z-|{U2#sH20YCzQk`7mIsV;v9$Q243Gvn76+Pn%DN514mVkE?sWLLJ0U7EeO=dbfzT z1S`Dq9n=l5et=g1w<)@%lV-pifbJ>(s$**LspCqw>8bE31E6;oW8t^eap^wmVd=*; zCHGKu+;P2n)&aA+0XPKc06?#$HU{>x_xVl$`2e$fiz|_b&HJ!N#1p_?+cA%W@0K6n z`uSrJ;E5tI%hTr&r_IQ%!uImjN=?fQn`i%t`trZ6Dza9|_g<-?*VE{h<9|1gdalCI z!&v1^zdB;MKMV9`uPMbT`UFNrD{$hI4Q2V|0@OaF4OJSr@=&Ovg(S(S4H|RVW$CW5 z{MCQa0v8p+#zZ*%v1F#gjWbViASkVD7(Q}(r)GS1XU#@)Y6e5hWj7SxWIFwZid+ia z#E;gFJJ=u$kHVBz3O*0#K<+4O1<{sj@Wf?PF{kgPS)vD?mA?8YH7Dxjqw4*69SqGl zOyHc@s3SX@LrI@R-X>3KVeDqa2-woI;L2mOQv9>X`LXIUQ(VT=h6o3_1sDl0Ev-tU z31$Wqq1tq(7HEQAN3UCvctBL*a{dJ-NF8*aKb1Rm%cNWL$0vcPV*=JA^4;XNHFzBl z!R3(NiSM;JH_Tiw#*v_@zn%z!PGbAGR>XjIQ^Ym0+yy={1Wg>WPUS!GCX!=Mt;yK5 zVtJqyDqPfarKl-wI&ef*PXd2g&tWSfDEG4zAZJx$0tC{`S0>V9Pjt~OJPas5ZUMN) zs7ua`8OKw61R!L8Du>gP|4hU3gXc)XdrH%UzE0bw2>aj^9^(j3qUAK~%!m?*1uEnw zyW~LM7mQd3(VTpPgTN#l5_ZYpL&|AymgT&CoGVlY<|*KZw`#^r|M39)XYE==`>f~@kFGQ%X6kcJ+9&5teiIYcV} zbz}z7m#1jl#~9}L&h?Wk%U*-qo4C|)E6{quc6tkjQ>GE-iE!I!_W8DZF^^})`xk*s zrE0V#&7Gd3Sr|L@c%1t?+zLVi= zi&Qj=yjlPi0V66ecK)Cgmx@;r%+;>%@dp22E&+Du3>2RY4b2XgD^F5#$0i;KkM?DlF>=&N6wDDa z!zx$M%CFm%De+VE_Iy)Oi8T~L#bTEj<}iqv?wVloVl1e<1SRIY;N(=Bpk!ZvWZIKK 
z1P9ZLawL^kHS};I&mxplUKz$-qrBS1;0g$k_;@#u5D4Lzt9)vJ85eFR= zQ`H!uqGFVicvvNO8ZeZu-P6FBi+ax6lx3W-+xlsD_EqD;O2Lti(p45{O$3LQpEDNe z9cgg;Azb=~$3197o*xqOD<{^Zg;0mM)pu=H!b4{` zm7^tQ*#9?ws@Jm=%kLG6R<|FY3wSB{EqzKuChc^*d87Cdtar85;eVxEsWN#HA1}2I zMaSYCRIZduVI2RmDd>X@uTof2q2R?b3k4V!X3Wu0$-oOsnPu%3U*QR=_7fi7FBzSC zlqh_l)l;#GRGD#|vbo{H%$)OqjW`y)dDJ#_nCy5G-^4#8e|^=~wORKD7pE?Y)!NP{ z)v-}VFL{ACN;B5M2fY^g7THNiw@qkGSjDf~FY~3^!F5uh?YYAhO*pff;t`?HiIH|$ zr{y1{?G&y?j!;p|*18+;CA}#`m=LvPFF`LLT?=}?+=VCVp*%Pd$XhgnMU#$Y^KimK z&9~7$@s&;N%HA+kG3Gvd#=MR}Li*dKQkSxJnZx`dhXZavtjRF;2wWfJ{sFO_txivf zkjEhm3L8|8kmnKg>U(txOANEdKPp>RPIwGLrMS@b-rJgFaSbI{%&Gbwua1Uc@eHxi zqW&wsT!qT(hObz_f5#XYFRefM5)-jp9*DkTF8-^l{<=N0uS|vbD3%N#0!MVk7xnLS z4(_ROkQgMCe(l7muek!8A#>X22Jnw?|4U12;u9s@P%co2*3#zlu&=xG*A4wMzFWax z5u1c|d4aq^R`*${wh%?o2TF|y=ir>(a_k9eBuBz~E<&~u#=fqqA^Lv)x9)toG}m$8 zqiv$5KXd*&7i9hAo3jWEk$!sCxKiAfLIPRz1zQ@KryZsusfM0c3FM}?(+^t)=U302 zZek`5VeN`A&LZD@%%C4^zlVcVB5x@DiF$M`J9x0@Jt}CRL&{mWfk4F|P8sbNw)M%j zhi=75=a?o>QKd-u6|Yzh%RQ5M+I5Y>A>$yj;yRl}&Di;HWR7^|T8wCa)zoA}z32}Z z5T1T=Imt+UzCZ4Q_9u=`1e&*Sp3!c-o7tNDH{|Rf3=ttJrV<|S+Pv;8=yOVfd5y{P>6tO3ki-G0@~yNm_k?YLEn)6cXF3jm*L0x|S9WVb{~ zPAjuV25DjV8?PJAgGRbwh>53|dBC<yGQ=C z#ae-yibC&WxN_c&VTWqxH?bJMai1k{u;%Y0mHQh1zGyT)88_5*}s@;oD+%->L#vS;MFP=ujY$v|F65RXYPgXHZ z*Tza}>7uD(6axR9+-y+2`x67IjWe07+{Z$^R}c>VSgRz2Y%Ty7%2Zl1$eKDI3%xig_eZbJ4paaf)?Mw)Y!ohpCAH zLx9>VLWh;Fgp`U4e$GeiyBlC&k;CGcTdzbi)ZD2<0U#CJu1^d8JWn~V*B?ka3>P-? 
z(%c>wxH4c3>~hkwjiS_^?~0wjG`1q~A)Ge%yS%@A@HAxtMn600A+eCE0K=M^;@dx< z^&1DXy>@(ko~xId^fD673mueylT)0^7CYY?KNuvMPED650Sw!`t#nq$iKEKI4Xxh# z-a7xRH#vsX?^8Tee*Lp3{xI09=u6Tems@w?QUl13QBTP(%$xx%)SjvjDVs{Y4hNk} zP&F41c%R!c-^fouIAVDn@kVeGWMh4xv%O;!96CJKt5nrVq&7c?(W{0u4iRXUeN*Sl zdww#1FFuu02rGGAm|t&>qMJ7RB}RPhpPpAdqsE_22W9Rif&7!}P(jcK1o$w2Wb0&+ zXm8Dm%g-o3iz|O%%BpM=ge# z;DpVkU`mU^Ygip3n#}^15m4CdCYKqB$L4o~tJb4%SM&blAJ``IW4~8pgXU2;Rx^lXX9Sl7{C589z&^wSE#eR6JbOi zrfyZpAd+u4!;VXjC z2jJ+fr-TO*x>=;^2$`lPbNHLxWK($mHKjDjgG;x03mN( ze*91};Gh11qNAK499{!<*WNnOaBF910vr44d7$LRy;hKnEOucVc9Fo$0 z|FVMVLU#0F{|xLF41G`5NsSalk!3}nH^F^K-VMZGK}P0dTN!QvZcgFBWx@Lwyec`a z@rWaA%xbA)THQecH)(O?kh8cK3wd`f-e?&zhC)?v10wo+RHzjlB@!Z1lKSGi&dt{S zf}iSB{a*72ecb+RqX%N(Z^#MF6?J-nw{C~L&{yI_BPdW+NuonhQ+Q>{c=k1y|6N$l zVSUYDcw9i(f?uWvuG*MuBP7;K>Q-j$)X>Wo8h&Ci!y=!f^rEvPvtSOHhm7ya39%<5 z1#?KdC;|olj$107p8_Z$J#nuu6C{I!#^+pI_Yb&N8++S%!?jy1^U~*`ZG6+xrp|N* zVQ!v}1Y8sz)+VSm;|o^(1xYyvH`$9`yUI`&$eOT{f=GzOEl z1wQd+(@2J)odS*LQeE*T&U0tE7n#dR~X-CF~eOd_9)yfA>tIB~QpJB=9 zRGvDw$T0ypM8*9Wj6PcXg+eFmRYBTfjtIx%E1`}MB$P{3m>>CCYKR|?L9pOG%yg(c z;i_XFdZLo*S#cQJF>0ARiV|EJqtpl|X>u{mmrVIolQov|FWCFaW74beHxQ(#<--{V zMVsa#pB6({{03z-ZEb3SkSPVqT}3-ayed1m?zJ34DgR(|&BeWsBxvEzA0W)VD=KE> zX^R_{F9iD2b|JtIsx*?MybU6j?2BAN=wAZziv?lL5z1LIEgNbjl*jS+cb5vUUZ{3% z%zuUZ1A!BD0W#m$ydt8`2)L;eToi2{YV9n2#pifNrzIe%KQtRec#z;$@$QF`ZpE6( z1$!mcv7x5)P(m|<0P!KVpu1aCA|^hS$#f*E(#ph7Rh>l@4i=RDfqP#A?o=zZ5C0|T zkaW5A7_H@FHW-(U{yJ1gEdEI9x`AgrNsq3gPp4aH2DgeJMzAMe{EITWC)wenvI7se z(V{^^C67PMO?3`2L)_YMT&yK|~RI^(#1AtfHbLQqQt4cliuKjcfY3w}7gGvKpaDHx@XsB-A>IK?d>*!SrSu z6FBsNBvBsuMa8SsoUl+){}{+F>cXhZUvcsG(R-`^SCG!8Ng=p8T*#t+7zhE&X`k^6O;;-Y}iWw+CSXtb>tP;Of?s{pznnx2E6eW^P|SRX|Eu z0oyfWf;5_a-fmZ~I)ZU!Y1g08kjBkp*=p;^4wn&uW;djYubpdq@}&(|UEoa5rRN~7 zaDUO?z5==BYU!)`d*n4RH} zx(!V8*^tSiu@3#JO1Z+r7PE@YtB>}^k;OEf+w;y1=lwpIzi-8{YV#jEO!bJ!Yej~i zMdsLkzsG&jll;#@fbC@rXjk}mHL-7B`ZW*y^P~Q9kXYi~f1rId4wbb2)$ac}ka7BK zpXF6J)^{MHbb(tzESz&ns4(o?GLUIkHPeS|)}TLwT}J`=%PIR)$66tpWe6`9xSvBi 
zaI-j?7xzW2X=hJImZ}nfir>K+lWulGe;vy^vj_pFSYq`DRo|ypK4t*F2NrOm_V(Yv zWkVMZ?jck?nc!peU%Rf5Oy(BVQsl`Y&dF46+_`Y(9sz;)6|PS$)trd05LP2ZZ1Q9H ztK5t~{UrjCaG>r<~~nsp(R;HShO#HL%l0w`BTTaYW|cONJk!a3e3Rr?q`+r)^x za|%(U9?HZ22rJI>`~n{yZhcv4RoO>`rolRuVQXd8$+N{-d19i3ppcmIbO=A<4xv{` zf}5qvT?Cg@`fJV05bLwdn9b?Q_`}iI0=Hwd)7t>P#49{081NBSK~%}jEU?c?%+B!B zm_1UpdG2@#tWqAve){W#bsU3Iqk!6qrQ(+V00ZZ&>N=cO+;T~5_2@%)2<(sI)<1c9 zE)bEP94R0`_lWpX{ZI#0HUW4L>!H0EX@DzQVEL2CND zOntbf9Nv_`)*Vn_2DTGi=YZeJ!vtv+B*cf629J;CV!t)*ON0D7$;td!^-k|6*}sC8 zUiLlY*CzVS@Q14HGtI&R=!g#Y&2P(CgLuIo=|%$qYrWs#^zU!}dIEm1Vq0e1B-_8M z%KhOm|FbyCPXqoJ%<5mY$_}_PzF1Q6rEkdhLMQ)yROIJq4Mxcht6QWGx?JO*Lo)xf z=l&c8QVD7&$;(#IDUVAU9NIE*WNgCLj;a(@Bc}d8Q<3-{rR^1R{YNNgq?K?xVYWP+ z3HZIx3n5RUw*M;?aF7UXX}6-An1Aite@*Is5TAZ_Yr=EY3qtM7yR2F?E#uO*4hxIc z`FSp@zy8Du!X5G4M5GDL;C(YI#`+djZKcskYvBwr_r2{7_MT0k@P$v9hh+0w69s+`0#~H7X z21g94P36lS4PMA;dLQr_aX|}eH#<+jpNWlAf)Tw7YMq-D7@Jd5TaI>)YbMYtLCS>E zyHKlpcd!j5De@ixU(P8b|Mg*l&H;B(aU2pHhb~>bK3K)eHv*r#6GT7<$&rp-w#li8 zX`nw#W1Ml2)KxM@SD71`hW+(eF{-!S*cG0O1 z3fr9T)P5QcD9U4Q=?VeC6NiIdBI$M1^EC)xLfhDsYNtan6P%*MmViKfvFJak^8X0S zynl*s8GWb+=Ra(%>5_I90M@5@4-5c zwvl7*rV6=S=*fu1l*y~gtT6zbrbIo9 z;k69LHk`Q#(|DsA{7hUL-_^wjnMGpHJ*yjUH^l)#GyeaOEsi*8hGhO2NCb_h53~)W zBb3)MJ0)vh7uQ++oqdPgoY zPSIK5I#;NIjtUzoy>^}Nnfjm9Hl!X?Y}t|x z0{6g|MucAzwaga zUozF>yo!l{BOU9P&go@_4QguGKSGCJ%-5yNcip2h)Euf%4I=uU37?i7(h0eM^z}eYh%9D45@ck(h?UO{S>Ir!p+Zw?a z6}2UnOWSZ|R6va50LQ65B`|`i8Uq>%@}qBEwvB0Ev&Zlvq=hkfmzj{8I|xT8KX^HU zcuPmF8VD}>Il^#Ffw$FxlP=iBQIWrb2cq0fvrsdi=?ApZ>7zaG&zxo@e1LKyE%HG|%9=CBaHltGIU-F4R8v*%UT&iJ;d2WW= z#BW_Z^+#de5nm$bpBKW`!ynGdFUtXI4Og{~MdRf7tvXktN6wFO1#`#PRgx8I|8)Z1 zx2ycu=6)R_{;omz(W?A;5K5e)(M=MqzmbFf4D3JJ*8kD&elZtA-@wry!rtFM;#aFz zhPxS}VO#`dR;gxq(%3New5yD1?$qf~z9i7#e25Q&k37hFy)LhUxc{Jc>)ZVVdZRr6Q+@t>5IznLqR!6>L^-IHw>400gf_8Q zSKQSJPJep#sdD)>d{GY8I=_bjJfi%qvRk}5tIb}&c6GH0(yD$?pnQewtDuUvnahG0l5D4LcBksWS^;%ToC2W3>9`zNQTc-3xiWi9fs~BaHmwHl=F{9T;oZ;oY=SUUe8} z%`667+sF^(_S3tU@dQ)#WsGNYLqRNNkLK;1nrd*t8k!bn2)MZYcdu(oYrw{NM{bub 
zP*t{zWgEd(M7~2M!;Kl_kRjw^i1WdEO8Nx-vy@ZK89;83ZYnM_2P~oasV|q=Q_U7w zW}1@wu@pC@=m-Nuy7|=(NduA90y$BwZNAQC`5MmbRCXxV1d4RAKJEa1N$VSaC-r5j z;;*FGosXHkEK)h>C;9Ypvst_u=6S|-G^g>3;5TmNw~ppFHE@B`9uCU~q-j;x_vpSW z0~4&On(iO%W&RvF_%mtxfkXCNr~ZS!_22KYq5p|_pJj3^8QJ4z^#8ns9uoH##6q5M zI2|@??{hi%Qx@B=^kb%`NBjqF(3d#LigCUSiHlGf8!~r0^cf-YXTP2V?i^u?NcM@h z_Mmg^pg^y9auW@zh^UsqcGbT%ojK&aw{bnQmjb)APufI4%Q=WucHf_)BC~HC8RN{? zS$hv>c*)yA3XyUh)gRx#V1sFa8tR7^u3RD<`1p9?82N$0uik8!EfYPORt)BKze`sO zs(t!OnS;21nvvFglQba? zon(}2l5#!}rit%?s=(RrixOv>1~I8ynam_*uhl|?&9EcxfO_J%2K|FquzgBJ~T0*{8mqdkwqOd z`X2iYy%_L$i^ZU>2z=+2BOU;qLK{tYIo}6P#I$F@_=>T-JO?BiK|qcd z+R< z=hw;axM1Td*=Oj#2tqGM{Y6lu#)+JC+D%{x%EiX$>xAeF0x1`pDo(nzgSXK0+8QF; zs4mEFO}Iy2FF1FwmX`9<0GAWHd3Jse`+*ip)@G3%akuPG(T)DY-Um(9eI(Sid>~e} z4~d#Uy_|k7{Lu&UaTHr8pfUZQM+UZ{cus(u;4#SjM#uhrmPp)L8}w( zq}p^-Vw`W*fK2%8=+!Kngu92W$!m<9f((ft(u48L^=s{CR|LITF!)3jDGXMm9i57H zWe|X(uoW>ip^zGB+fXfQoZy4J6pP!sgnpBc^MM=W#>aB@vltDxD~BxXOgXZeZD?UM zi~T&JDlX?sfoDq*9xoI~`Ieii@^+z5-3Js3|{9KVIbGT)AdZrFv^*^^^0iFaiz zI*r*Q?b_>I-iZ#6CLHp+^H)!XRzZZiE1&Zoe?}kefRqWIPAP;Fh945Bx+12f4|KYy zscH^gxmPJQNadXm{{d(>0boD(9JO3qIbJXAt!IwP$>acCu%1HYc=NsT^qMoVY+Z-2 z!eM%Uu;lg~xgUtwJLU@#+JFH>9pJ^*UlMuxPn6Omt^zD8N`{Fap6Q|2<&c)aEV-cgIy%^(g zy$itvw~-cL!IM}=W_O@5dJ0Q8q8DzNcoDVjL;c^+NBhO;pTRK>BPo4Ta>k001RL+3 z4*gtC1&j}3^C!huoLF9SP+yXkhzRur{U8esfj7G zKBN;WMO=eEaVgo)`6+k@Fd(W}iFMF^7KNp&BUKR7(K-*wC<__mj9;S@A;m%Y z`KBx9upy!gnXHa%*h-5HwSuZ1Zu=>Wlz<1Wghi5k(87;Ax6-lhE3<6Wj#3nIjtB+W zs+BVt7`hts*#YY-TwcTGE5zF{C2U!<(;ADGQcyIjHPB0E>Qt9&zNW0R3A)gaJLLZs3x2;&@(YI{4LSqH(FaadizRWN9~wVRpa)xaBLPRRbNsA2oESL zv}ggp$}5753t$kO(#he)Fkc7yJkG`kC_!v2!@(iz`ey;iuU#1gK-76?23}O~i^7>f zEUt!|+CUv8w350BF7#b*JJQGib(HWWjCGz6XDEDvRw#W`T?=whcD<9sZHmyb4!N-} z7M#^eNj>%tmGrvySD&V==EXVv{#3SNUtW^z1({RQ-M4xIYp!7*y|i zFxJU%JXz~u)CckvQyxj>zF={`p}}^yuMP;l)}HPA@0oIbX|3DpB*L#=+S3)0B>~%WA zzI3O4rGlT5-T5?%dcwh|R(7$`z6q24V=46a2J2STofWKQ{QDcfvHpGMCVAcxR^PL= 
zzv-FZU-AEWHyhieERj_TZ|pSCW8SI2kYVqhR#8_RkuJ(gEt<#Y_ZFX8!d7uy4+4{r^*e{#=jN3?-v*sCurxR)3Av9)}(NHN+UG8Sq>G`A+Nq zBNZfSOfm0$CKQm%4Hju$V17TZ?e9d%|CPJuK~~A$fvgjA3;7EM;=>rd2cC6Egk}^+ zXo<>^i05}%G69i}2d&(sKrxQRbHnCOAn`wJ90E%tfz;`jCwWiEdCV9{UZpbe$xMN`np7)RdvH5>C5Ak_+TuY zy4^qdLal}UA~fXx1H1v*oZpAHI*7-J5cylr!q1!prMV zIMjz9xfA;NWf)WlC6PAUO>0aN*^cI3=6tg>^&b(tYzdIn7o?@oQ3!icoA_EeTi|a z*G5O1HirX4P$$@2ROSmKb^~TFD{jh7jEO%1Z$T@72d`QBuO z_w@8L{x?zCw#dU~(9~dVuBq4v14^`x0E`AL{*p%Wr1C81pTr85vBeFqq&JyJ--NCI z9z=h_RZHzRc~_NTi=O*4X3Ei38G`$HQG`ohY2DsZ2lH4gp%TBSYEkJxki zDeY>H;kQ##%0NI*fQmh!|9n&t6RVfI-c3y>-=0;la6OtN+E-3$w-GT5M&<0L#QQPZ zV=?;x=2W+5Puf7knT)||TKc0EyLqO^5hlZ+ZE{mdyTq#DOO?YJP`tN-yFIDS4T@24 z*`@UdIMxJx58mWDDn4gse*G#7jHp|BtM}eY{6*dlE5fw+BPDe5vK?Ot8>BF1=&K+} zrcY`)>vQfXQh|giHV?jSCsY+uRjxxYzy{+Yj?!YSmV4VE8M3V&iIJ_&$p9Nxw~<;t zy-}093EaqpNBIP)pmVSlo7N-ezM@;@`^_~yTmKt zV4xOyV76B>#uc-hte)vLIQ3$IFJoh`$FtT+qWhScOs9@eFNnmpyb=tD5CX@|fG+Cq%Thq4?_t^tcq0`cs2Yv_tT z=BbYLXH=*_bXyj~uy3u&G%Z{vlU#Zik1wqW3;Xf3FxR!Vo}M%(B!G4L1R+1G<5q@7 zETgbG2#6K{k^Qm+fH{E`#md_uz+ZCkZMvHu*OG~@fgQZtHY@ram%A%L^H?O^ z9x@VG2y%3CU%E{+3G<0E28Q+Ol8J;g{@C|ix4Lak@bK*Z$*(Pf-i zO%<060pZQSFP+KyY$h|HgW&$+^T1&)DI!NH$7)Y@qizARbesiim#mg&IN@!3ToiSh zOz67Vok~CGGlw{yTG0@Dd3DsvWP0O?Q-w3+ z&T^nSsVXMX2QU^O9|HV$G$as-E1wu#$ufxQWid-lU%n=TLEgj&H$KKQht2W`+XG?) 
z9BM^blF{k7ABYHa0>ijDIAhP@m%(-&lV&Tz_Yi!-^jfr*crsQ0lxqJ{fuBqoIEA@4 z-79@Eq~+kvdG~wxMC3}nd&~Tlk@Ftc3sfFk(6Jjg(1uum*PT5Tc`tkc{R8f;UDivh zDjhWz?l2J{-i;Upd#S6(URZFUS=dzg3+?(0)V`iJl#HBrn_0^5xY0mvDDZi!SH;JV$sYqH%V)psxH-@(`K?pg)mvE(p}dJvmT=XdC<6D zj++STSSh*?-3^j19>nsg=>-dZQ)H&*TRXxs^N>Y6MtFEK<|+#+csAO$L2_-)e4MRR zd)rs1(uQ>XX3%?uROs3)wPm_1>svS;B)TM>>s&Hq$F3?#$7@cnd=1uIwic>RbGoth zJZMD`H(pJ84^MP;9>3e?t85Vh3yA}p_eE9p@L4Ug12v&)z!#&qX+EE80U~toIy$!E z6tQvHx*6PUDk!c{SKHSen;6;MA-{kBoD(QC1pWA~c*GCAXwCKX1p>@PNI$1mitDp- z3`z`M3U9c}+$gwb;3iBT2(*QCOiyyQr9c4Vd9{sbtSbr?Q6J%8OSw`F;9&5K3OvDLz{W>lP)qYsB`Ci~ z_2h)oQchep51u;Uz!xvK6~ zkstr_vhqcEX>1&97T3dQ^JwvEkDwNL_LIReL?Uy&ziy!QjcG7DN=4q=Fc}01mZc_) zF3JHlti@`xu7dumqBtlpZOm1#!otg0!45kwxLJlcQ@YT*dKnbcuxy((vaVQ5O@dU5 zW#Y=QK_Tz>S;;3O1L@6-OT=>8m}9Kov?5>j`nV$$6LL0l_Uh>!?nwB&^9pzRxkI0F zwW98{XXlxTd`R*HQM}yC>FfVX>D2&QG(H#HF+ioFX%xU6-g!r`KEHNa27o}S$KpM>)n(`p{_*qQCtOEAuz_iot?r=_yVezA(PcKH61|0qlT z1E@1Pa+h^GmvGY*HMIBMd16R)?#Ttz{d94Id{S_n6WVo1^n;ze)~=P|R5=j7aVS`# z;n5VE+>t;wDkIACXbfQ3dt8@&(5Oclw`fA?9lKXr>~^%SQMd~pn#F4Xq$YD+i zKz!{O#8{dudY@SS-YZHE4kzjDbOH$|Qdgn4j`3xBPYLzoWf_v`Y|U-+*`RiHca1la zig07{cpZi6usS3EX0GqvuL$Z1k^;P%AZK*LM5*YRu}*LdlzS=bw=S zda5jJFC+mL+xIf~;YY)mXOBUI`=(-_-y^Xer7&dq=J`Au(muYq(xeYgoSg1ZYDDi` zss>3pQ9p)$DJ44$hdc5JkjosWfI#6StC1csFo`24m+wumU=hpZ@m4&4>eIhsmjDwX4-Ia1jiv{Sx^_C~&u9d>WS` zgSM`Q+($KEn+NcdoO>z`tM`>O@u_gJpw5I->Ni6sGaA!0)%eytANzTN!;2QKd!n68#BIY7v&6qqO z)N?6+%#?W4EFfb$%>mLbe^ax-MVWNKhU3Yhrwyq;a}O1KHQPT!XJ%-CaM#kS!^udF z(yxd-P*m1Fc7}eMvSl{Ph=*O&jeu} zv7>rrl}(d!kk#_F;(Re0v;39-b~uV_vZF`l7!ZP#RW{}pT|Y*is}+yY#t4hfJjnam z*v~LkU~4EXC9KJS?oWwXl+=Z4{VFd<_4I9QYi zLCV6l#x!a50I{l`laj@^2I7SaYrDf10d{E_b>*@;St7>?y)(04$qbfhERv6UWD+ zH?R=Qurl}T^*s)(av%{9uxX?^eXV}eJ1;B+sZ$tjY|+EyjCa82XjncFv|pn=jNFG( zp6gh@tqvPVI^mAjQ_2bj^Sq;e{$hJLt?yGJR%taxQk;Nf#p0*akkYWZsH8~8uvf+M z=`v~~of$|q1ZtS{2OCD#8cZ&39w7D}3&aLo7)Q_wSmZ{t>(VbXi*6%md~S#rW` z3JGrYb$N*hWs?p?b5enXt=A9w+-tyOIK!Jt-ZM6cnM=XbRVC=QSSG3{!7Sfirc?m> 
zUKF#=Mrd%Ys5At_7GWl5()r`z*mR+u8b@Tr2Lp#TevN1ZX|OyEaQexp(mFMrKsuz$ z9OMZxxB-f~cxo9wa!5bN;VT4HG)VnhVSz)7Z7O+YAd)CsQNp>N)#s!2%)w5|y{k?s z^@V6R?~o4PUxv9Nbu|Uh8147&-uMhiBqF_U-6sWuQ7Ozsx~5p4A`=NI%XQDaG%=$9 zH^6xpygX|!KKLk{OB-g?eKDILPeNb1-j|6Lztv!y3uQcbslT3rVSuPoOD=Fp)(2Fh+J@R7bL<)$PJyO5p8 zfS%yYr%`}d=<%uQp+6_2(-S7fC_ww(6KOfG^q1og01DbK$Oe?Tp(M)!qM7B4Ak$I0 zmE!!b=-&x|_|4$UXN!049{l3XLf?X|j8A=z$)mAE2e!Zr`UTIVQE3qEr&%7A5K>CgXR+Hy3S=nei-fqYnbP$ zanOf{xb0WLY4^E_q2!Ivu=pulMyYSxlMaA*@(%)DhZ$y`o%Cc3o@64yx{(kLjs9`e5&#z8WJp;xug6n;a*fBpK5oYGk z9^BB78PpRVXCF*%EX$~bnxKK-(1hlTWEx}XbhAr6zBZR9Uo=r}}AqZoXq{dP5A60nymu~)=kR96p&@Znc1+M)=1}#&Ccp!^1vN(nWyKPFhZ^F@qu5IZ~VgKHjA@oDea*r_7fpG zPk@({84-(_%7JAiJTIvWTlO%>OPZHlW1kI}OUM|axCJVf6l~I*)wf{>aoo7NZn<)y zwd&~EAb{|P%y6;-aoYsI$ytabZIN(c?s(BIGh8-VEvzjM{y*m4DOi+XX%}3!ZQHhO z+qP}nw!QYU_Ofl;w(Yym`ClgD#!TFKn24!|itebdtGctRGb^eyzw|6{qH@Zl4jNit z#Z9!`)aCdBfSUaha+SmP*gL$~@D_^A>e8ZZ zY&fLHV}>NenMZ$Nutg7tc^CVf0If7hw?tg(#jQmPsqV;@$jY?KH*(*)BD5lze-Ag# z1e%&KMFw$zItE~ml>wn# zg1zKLZ>ZF;>dslb__xMpFTYnVcPxkrrTNXk<4^=F)SufwW#c^}Ac*j;$asDex>_X) z?tbs$H7Li)V{l;PG{|~=hrtqUA94IxlVw{J zd-+pZ8O0q_bvCu|W%xUSEv0C(&z@5CLih4h2QQh&;VcTCh;P+D%F^2dZKbT>TPE=O z*3asZS~b@*M8~&*?Y|cG4=Q()>ovi_F$vk&s77woTG4%FSno9scSFHQSSCBkR^$?` z2mwRfLFy?m{X9mvjQthva!m@rc3)`HFY&L8Zcr#HN}PR@gpQ^xlslWqAEuNIH|Gh-wsKHn-YVer$ogn2Zyk zG$L<&M==Xbc9yXA7JIIOsSfvs9Q3w@?(^rSpY|1xCMO$F2I4aZ+V4jyTB4j^d^8-{~wruvSKrNnXwU+4tJ zl9B~hpE4D>=NNAq5?#%j*>b0$n24VxP$WH^mgz(qlR6C--nDLU+|{0!Py_bM8)ZdqBRGuH_ND zDxl9Ym`S!{`8o9f`r@F*Pyh-1gn0O+&LNqhi{p5qSp_(IvmC|Y5kwpag2MAyq#z@6 z&JKLjl>}ZEZ-V$p+lYNT-f`l*cxpv}&($Z0ocB4^Wl{R5s>jmi6qu_&^T-beFlXX> zOACk&i60Z4oK`Jj#=K5DcGu16~3}%3R^Zw5(zYk zn1S@RK0;2A4FztItc-J2VD~9MEUXU!(bg!+>+xdXdB~hDJuZm{os7pL)0*qFwht@c z95dWjaFo$-6n-uzqk`1X$+q0Fy+8lZWpw5IaQMpnvWr;4gOpELG+1c_T0Lam+T2LJ z7hM$=8xBWI@#p2-mdv1uNXNgLilb{kU&D66ut6I)4b9XJ7G_bt9zDZu93rn)S$!*x z`|g<8))`5V&zeE}aZQuCZ4J8O30|GpwwplQQM`)FuNB-${S;p*NH=r{-iqkQkHBxfICC-e3&c z`QD2OFh@61C{a+5AXMMfI1-?ts8p%}zqYt_v=LvC^Jpc$P>$jF 
z-D;1UIlGtZSExiQwzPNKe>rAbnA&}G0)gVPvO#M;y zh*S(dYpr%&b?urStGw%&Lg&G3`LkS+O!C92slhsR zltOQUiE!VCRGfGbMfVbC&RLJ7>S%ulLOS=ov7XYS z0P?rxk_A-_1<%mnluVMUmtCxdRnV@oM2gmW?diwnlWIf>$W1Yp#j>cqY80L#_cX4s z$2hio!MQi33r&2d;NjMROn=wHJqfMFLEryO72Ma?OH3Y7+akHrv}(~XEi7kqxWO~L zHCWUYc%>?se#_j3ZurAJ#F|g2*(LX`?t(A&`l9}H;(X|9R+im7yt8d*<%}$v-lLkS ztuIFr?txIHaHdXHM)FEC6);I6NS?jbq_7JLP@D+!17aJ~6twgJj+Z9lZl~OW`>@f* zHdnFw>LL6VWSk^J?!b^lowE5qz!*YugXuL?bMi&eZ(tjfN0M%h1#1HX>&#}nbAzj^ zR4i{5!!%P`61nzLw{31m$UM!qriVqYePonBUBTDIQ!Ii2}5 z{r))lD2{hY=n$K(sm#3&D?$VW0^jRE0k{gQ3<)MF5U1Vze$&N`p1SqQ`3JUd?N3}^ zjDpSl7<-G9d&`~o1`qZ}An29VykEr^ll%o_I4LD#(mdOqDJ=J+1&XaOTf(AfU3_JS zsYEtngggJt`Zg5IO&Du$YI9C+4`TFaK5M%B$E0A zK=Hz!IBacn(Qpj9INf}$n{6tMAH~=R*21p&@ zsVK-IU7s!|AAEUS@mwF@?fcih_Bn*0_ezUaAPy$m7L@nQ4HDk~7#)rYjfyN^ACy%MvA= z(ol$$EFMxJ$J<@7LPV0NJ@UJ*WKfpu z?{Z93j`vFouaw64C)e=e4>;-qkJ&@@swx0BJ~(Xv;A{KkI+jl^vIJQ z-rvT&e1V6fPRnFcM<`hdOf3_-@AZH1u)4=uTT9*NPGoY!J;0#+oHw{WDIQCuhq2ba zn+Cx`3i};*YITK!fKdDzx+*I7H=L8!D5}2Zc85GPhkpuu2e~JhH-XQgqevw(257q5 zXCa%$*@d83GlBNL*(48O)2T%4R~p55#~_(NcH%hBAo)=eTujcXczR8%u(% zyg5S*Y8>KDz$lGC@K1Zu2IymswnwVE&G-mmhDG=A}u|8Q@6SfIq^O9vE{0L1R8v{#*Lf$-Nf zFu$vJEah?c!C}F13UTwkigB3RP|I7k{*Fj=aG>*N_1Zmr(eNN~$3~|h$EJ%}=V{B` zZdKahga2DRp?h#6_^G;9A-=M!Ed1q2E|PQ*%jC1CSyM+yR!aOZLX;;M|StDZA4;_emLtnj6WK&%^8Nj(h6t7-V9!& zt}$yQ6f)ZhC`p6|SPB5P)|HD-3WoU_9xPdOsFp^Wlv2dRfv@04{+yxN4`9T1BhQma z6L~w*x_AT>DiO={9@}p{Eh*ExEQhDp8)%?bX|AcKAVe-@9=9LtwwhvtUC5jHwImi1 zDQFqVVZt(A0TTvo40KAtuvOC6%4M{{$u8I7!F?U9_Jx#I0iZA3I{`xyG!DSQg;=01 z=;muyA)~DF;JcWf0sm3CKxvqq%?^s~)^B>tk&h>E`n3oZq{46T}=+^+_)~s zEf7`#N1c*PKOKxc07Dh`hmQhg8kRIb$a`F2Gq9Z2TQCo=;|E?l?(z>f6A~LZ-*uZ- ztHuF(E8rhwxK`tV?=9oj@+In<(#Nb`zjjdcX!K9-SzSCAtqp{5$o7Z(4SljrK=BLt zD8r}Ato20{>?Pcu55MOxJq@DIlE`hUim?K2jEZ3W?HL1pA@NURrVb3hyS)g@kz8ql z@`t?767Jf_lGU_0y_t`}5 z8n!1aHlcmxv7RODtz}vD>vsT<=-zA!GZXr-YXfrQXi$7;ZjDxiFJ85OW-f@bjRa8g zo07n~JTR_X&HS9nre=kc=h#+%r7G-Mpynpon<0PbTe!aIg;hZOdUHd)>qUd?LJ2AW zJ^TGFJq#+SlG^n0qb@*TDR@E-RgkuwdtornO7Fd)_$tnu|Ly%Z0&HzPlG1`-aA)-e 
zt7m{v*XFIQpjnE)J(h;2PvOT;9hxp*YptFvDoF zQVllXvtRrebk55mONbHY{bR|?6kTTVOyB%d9Op_q#2?t4PKESNwJ+|p()))pDJ-sg zueJsx6==T&idYkC(0H1aN)1;k!mk-SaBIAbDhSA1_J?RwSGI?2kw2)wAoz%-k}hZ@ zEISn*WdW zDKdI}4JAiB)pA>bCTG(tyIiesXil|R!c3OU<6SQxe=86dgh($Apf+uZ+v6@#Jl71D zH&}H=5pN}OOr&bP;VeCbsfVN*h?)8ij+A|b!p0b0?)_LWLF_!0FG{_uUoM}CaZ4yD zk{q&vT3wmM9$PgmYk30?w4OF5Nh)5J%$+zDjKQl1w9d^HQYv)~-GA8%%ccNkQt--M z2y{w-l&m!!C-XM?-cL-AYTb{2U(uYfmOXVgVb9{$?)yVoM*CmlHcN0aH9H1$L3{!n zIAd@7@yu?5JvlYG2ozxNdt@>e^Uk@!`!2@OUyNuOWj)WsZh|(ymu5QTOXcf8_{$v> zv0|n%@LR1Z%i6lnWIQ^b&mmo-hUWff{q}!T10FIBvTC$z{7*B`<>C8JI8h7iFi}C} zU086WlQ}%-UN&%003?baQ4#;aslS(AFMB`BAk7c>wNO{b!=l z-oKu}+<8nsqp42eSAU^u*y6kV0tF9_VnCm)$Bvn(TKH36HvuN6f;4E0P=2-G@*OE&I@*)xC6oS0fqUN4?}Bhvplded6D!cpmAeknA|r9FhQDg#g^*AOPf z$#-k4O;ST<$z4ljkXcRhD@WVKv(XAgwU%X%YN3-bOwGD8YFpO6m;`3QtT|RE6W8x* zzfNgY+FI|nh>oakh)M**9R$2~EaQf61I(PPWRidMK!^)6 zL8J8crRZWZ@L#|*mny5!W zs@b8c0VgC3Ws)y`ivA`8q((C)^^cahaCv>Xe{LGdA;T1(p~!Ddx~Au@*`r=7r96Gw z$EX$weHQaV{lq77d!Tz1^%qhdli@%~k=tmIshvS^Q&{Q)FrHpEFH?TMf1(%MHKx?V z@r`vY7#IdsyF{za-OINuBE=3zRFU7ZMl5gtUKgT7F+1fcnjD-o)b{m*3R#nX0lTS11_-!%@^~ zp=j%HD@5fv=)X5?AwxU(nYcth2m2&dj*nSr_s|^`3e;pl&Bq85SR}|flXj*-pT&Fu zP^nbeT4c;VdZq)$4^7C;QezR<@4_VQ5Jiso3s*}&FWF(T2qpH3!1%e=5s*D8>XkI> zSM9uk3qDpxt1vvy^Qfup_SzuxiR%ou^-kY!LM->l&A#brfVQ40dbaU||zP z``MIHI_9HJn!P~RdzbkLWBrpp3_ayv1FzvKJ%neC_v^KCHIDmjk+*?t1VfMx-{hR` z*JB*1K09}U?(m;aB~2{F11S0qbTk#mt|^_vbTqZO3NP-F28*2I?1D17Kw%W3W@kpq z2c+N->F!LN6`;*>R+7mup(5I+5K!|V-$lj;%M74&Ak#H&00M_qUighXs zaOyLrcd{->A0|hrYFB?^6eK%0uiW+_V|`#|=@a5N438yC7U^2IWa+M&f>}isO;P#Hw7jE8hN@ z15^=3=;MUzGxLk=no$c8fyYK}vc84JoaDRL6K2};+GzBpj@eV+e$wB z&abRFs2+|ojBMABbRNRYf7Zp2d-KB{qAq!~eVNwlpa1w%k<}(zecw36z>Cv>*btKA zR~$D6P`lTuD&>)xk5aA41UYNU6k8?<%&9+_< zMb1qPR;eO5yu3K=uh%9x9JW$^SQD?TvVr_Cob1Z<8&KLFFaWXArVr>u&t&oktZ01% zFPrCt+0@aIh8bWOu-c2)zH2;DKS@63cYt%qr|i~Orfw2Agy!4kBI)!i3fGs zuYl(sYDdbaJR}k7mC`E{b;KOf@W_8p>zf2KTHO8JhCHW_8w5Krx`ilt3Rg^!Y}_VF zti3dUfXXDL;wYW~pd^9?IFt90&h8@%{cwv8@l5I;Fge*>px1f{_ltl6K%J1n`DTY# 
z6Iod^tCw;SWE1e3W7)cHH(%?k8kR8gsCj$XzN`&5G3E0l60J8=Uo|V!QS61V^$r7Z zOu9bhHayAfskf(M&o!s3R3+L1v1hV`!y@5N=Py{G$dcMUtqD@c6%q56Ma3*DFL~pC zdRx{aDFw;03o0WrwfU2TYng8viXlY-=PC9YN!htbl_y@;I9lf}>!@hEFryVOlvqbp z(ZAx-_{kgWMd^6lXH87UR)HRgk|qSMtUUz|0Ki{loTeWn#p)m%RTBm2=6eGbPKydFciZ8RY9G-b#9tMz_od?5=%Pp@ z9%L@;tK4rJY^#Zo-*FHe3h0HI@s}b*I6MPYwoqfW_Q5T_1ccZ zYXWl$;ZJ>L$+3TO2$8dZ?zexyD%hX8nu{|q+)Vs!Dk_uY^snwn^f}1t{fxfS+w6^S zcA$!xecR~`;DTTl97gd8DBdHx@ZwLSopJJlW9>X6#?nj9P+NXRwPhxP^JmmGp$O*N9|MEvSx83%R>)!w1~!ex zNB0b7AgvS)=cG9?CSPu5_mNu#u_?4cKVrh;)|MY(6r@(!7X$kBT}()rzqkt{2Nr=l zHOF<7L?W`P&S=!}^go#G7Pf*eU%w&h8}AnfZjs^>Ar?2Q6W%MwH0{e}bDzqN+tAM0 z;~OsUU@M7!J#Qy%1&!8o(;`B>zq-tmUTffA$A(Qi$J<~@mCuc5(Hx6R?^AeGLPf$j z1I-%g;KXm$ZXs1Ww!Kp}0IabD)*yHhg3AQr<7O&2BBz&j(|4(r_#o5?qrHEb-E1>w zCb?HeMW0aMoY`g^J8O*C7YZgFCa(Hj*nhxwG4sd;TEylk2rNg%_C8+RN1mEImXlMp z^&5f#78RUyQd?gP-@@n(V{WZ!=MhKMWieDo9_VST8d=yKUQZB-biBM+)WTBo;9v4B)rN};|BV>n?~EHXH#_jpCy zi{c@pmKNSJDKr#344EZk+ogQj2~$UcU?n|$Rk>V_C)cX|H3WfTK4G$B35+eRClS^^ z5%vfxiw%yoaxD%suz_Pa517?*i?Eo2@YO(R61#o057A@PvIvGTabnumNHA;wBDjeR z@ne7^Aq*3yLyk^a>ZjT{Sn_c0*-p@uRI%GVB98 z4;``Q%94GEN;8Z!`WDt`mffO0;5P%kDgxr2SSC{WD0xLD9Ed67$U~qj*zvFPk5pXB z)<+YdnFYb3M8dcH=~i94L*zmU9&8*_f+QmZVjt=Pa74~f(@5X!+Ci(!+o!2?+spbn zTG(a8co3bgcxsAECAz{+fG6qtu*J|S;5gqx7-L!T0~kGBy0?JHKWxBRlb;K_n*14- z{9o)9M)=4C3hp>eqTayiHAvWGXB&<B0TG zHy=KH`0)Reg91?QVe}qokTB@8G2;*uF3(E>d02Ds@M2)u?)cFqxX3@H&VNZX&?IU7t4W5>cg6 z7%>(Hpae%-){3x+xM4lQm5?!XVcO66e4eB;3#THyu#-X+f7Kf8K*8YL@}6BLa?of& z3WxD4=m}Y;mJZw=WZqx3FHd?-^0r^8Jf}cCu`~D`=FB_pDq-xTmB}Btmoo4~eyAD; zm`f+{?nudd@lVjhehr6;Ph=mqRI5eV+y*A{^2U10kc}0AGV5;X>N+Kt2R`N~H=*Yl z4KWl+;vzUhe7SuS&QiDUHH5H7&xPAwlivXG&-@H>?BJ6@>5f{tFnf(~wI0gaG&9Zu zl&A{wqv0E#o4QJ<3>kT?{f@<|frn_~s3YsV@GH?n)uUSSv7^WQJs zK05v?(fe66c7LC?++xVzp10|zDJ`Yv@afkj`vm}i_9!VmHO5xAwO?dqJV$P0XK1l@ z64BlN6F+t|<+43Wd&F$_r>CI}vp{3=(7sb5<1E}qFw&{n+?N*!t&_9Fg(9Dds-h;* zm($>jGm1>~KAB##&Y^7V`#u*XJ0C4r&thU{(*MjmK07gwnPRuB89krDzyxYE zhMf;l^W>tTJ?ZWt%NnJ{K;JmhG5cZ3V<;-xxDlWSE3+@%$IgXV-GQ58pX|gt9FTdW 
z0RCtO;@JJI&&{urmrSYxwD(QCpM*=UjA^b=n2s{I>RUIuGtM^O-dgR5qwd!#i@KC; zUrinG>2Xi$ZAo4HWA87q{78TgtEN`$ILDF00_8jvbNl-$$;d$#yDLeazgqGaRCmoz zA|5$TLX5Mj>*cZaRrLACFAqCd-~in$nLzeWp`p;k$`&tFw|s78W|WSI82?_3W8MLO zFST)~!s};DAJni*Ljlmff>NK~%-4e3wc8{f?fLbBn88}qmn(;?=V0RQhx;&c?OYA^ zdh6o~;H)zV!Nex@aQ^h0GZz4oyi8}Wn^!Ykg1+dYEPq)pd^otJ2I>`X)ltwQiK|AM zR>IDdX)UnpsB-nsC%K^0jce~8_7>0dW9%=?0W%Q^U~I#d)Ui1#(yh_-0TFQVw=deb z2OB8HQ=-h%V<1FOl7~l`Ga^2}Z0t8PlF`)M?w@_H{(Km{@9MUD8ANg%?1Ul9+Zt9M zNTv229##tL+LF902x^__|wanuU@t67qmPm@cqjZrN|7(0L$WquzVC`%Ngd>{Yd?j-=@P&*e4W< z;b;3Lyrkm}Xozy+otx7f-phdJSlL)a$xbk7@f|u&3_^u3sS0Sz)*i8{B0~*>gFJs7 zSjM^>uXT&qBNuj*P66j#ILZ~Y|LhLCK~U$3q3_)4K-bA$@BHc)qmYpaum~kddT88G z%?XNuMTXpTNms$PolHwQoaPSy(J1P4Q=cZ%5uH&W-;*p0IlVh)2d6>{AeNQSlBoKj6!`HmUUJz z@WETeWtC}`C+|1X5-$AV0KXOMwkmq-@qD5a{n;om(O=vlB3`eJb6Q%C7)rX0Fmxm& zQPGBvzDosjtANrzM{tvJL;}V>1xVeO?!eS_I|v1j=dNiJc<pK?& zDB`XeGwfboVuRp93U)}=ytOo}0I!j?@T5l3TKDp`;#T2)tA8rMLtH>*YVcPnO6wPn z3&ZYRtSIPl08RXtd<_g@v%gki@~HoeAerv>_4aH6tr1OZ2I(s@JLM_Hnt3Nl_-Q^L z^V*h~`-RH|RYEo!Q1R>$!fdqWhivfWSXb1&BCs>=Bu>Z<*@MRZ$2oc7W11#;s;@|; z+~bB@bO~v@6Xu`GYbB3ciU77icG0^BClU$d$-uLAySVhFh{sxoA9x@%lv`(iJ2^~f zRArVql?s%wmsgJ8`T(4DT%4!3U^p60X&O84^ti6bFD%Av0Rm(Q)c!|7J^QF%OTLfC zRn1k!V6CO8+Yw@QP3mPCrEbP{<T|L>r5%F2Wq+B({W{eRkZck_1=ZC4MZ1}z^qDaTn}cHHba&3O&mixAcRkpP z%OaQU>y1ZJmgPyYi;m@A@F~D)rAmCmj&p(KN8%VW z3qQ1lUBE003tVpNsa(DTwvvj~+Uu~cBX*;$ejdP&7b3tg(82)_<{|>D(24uJIC+1; zGiy@!r5@0XI;e?sOb>#c zWsvwiS4pAPS@O$#CE#+fGe>N944qG26t}Mjp~#bMb#h<~88=#(4;5&s778LFHmYK;gup(Jq|I zUZNc!SR9y%WGt7B7DnRx?BmFZcu7wTpl~it&Yjw^v^7%p6FSR$FK7Vf*9zt z&SDdx&#j^nHh*{eoGD<01u3~=%YZX%e}jLK19QP~IO6JY8`||YWry?Zzj^lf($+oi z+|AFtsDWFWsV=@mdN<$*dXi%{S`bQ=g$l{)#M7VNiPngLF(VcYP_af0n`pFdxkg2; zQ%$U)7$hn&fLs8%0CEA)=2Iovj}A{NX?}o?7Z%idLG7Y_8OS_5$RO*0erHXYt7z z0LP>q^@t`Q-~WBcuT(|Ab8Jd{s@e*CW$(eXQ?ic8xdP~VL2~N@+-x{Y&9rHe7lB2@ zE5R?xsKzriDoMKW$V}qP^#{}P`mCF*^R2*ei^tEE;&HqLK4TjEr<{n%vxGL_b8NCQ z-eZC&GOVYnxd~CYB|JkoxbpOGzeZeIrwYnT>L*k2j#Sk%j`v!_@nt9tg&nc+Q^&~| 
zD~6V*YKe8p^?~GjKgE)9D7u~^4~Vm@%nL`xs627vgsxbL0+Y=ktvzlZt*=2PR0G%8 zu4u|Eh21*5CRfE)rC{8h=2O_d-kyf*#PGtFT55{aj!B#-~J)D(fb6k zuY6MM&{OG3g%eIB1H{@7;YPj>tIz2|fOxd$=*aF`u)hfU@K#og%dq<6-nvfhkT4Xt zlv?91FV{~_hLnpyprDX1BVFp!!MCCzNH`n7ir%|!RM)*aO!g9`9WQV`q;~h=osv>( zx?}7L3;!s%{HL{Bgq2U;1**q+ef8m!lB8o|D`qU4MoK^~IwI6&<-+zSrVx^!Vo8^F z9VsQZqnOJ&aGFaNn@L##t4C)l;#U1hjKDxWJusvXE8en&xYs-^Wo zP#RxE@C2rBX<9s?UF&Ju&YMOVYv7>%wPhwl{d|igwv0zml|=W5EWb_fe65IwxEB2V z(P9YI1{pz5>_5~0YaAg*s|1Hts}E8E$)i$Aw=yGCEC(PmBSckjFLkDhbsqVtPa+I= zh<^;~yWqzVii56sBB1VwXc~}a*>ojHDH%o?ZZ#CM9G7uav!x5NqqadMl18`Ec5q<} zWjeo?qh)~X2dgh;FhD2=<6WE}ppP*B_pZ)*9%HeL6}*=BpKnJytUz@FcQWy*mJkaZ zARm4qUpRB~I0KhMJUYSoKH0{TjAi zHzq0gCkg*B=@ZHCKZ|eqP84Ja?7{|PRvk)9Y9Te;_AwF@hQ=Q{@^!b|KH1eTmtgG^ zXWP8eKcrfD=KR)6Cg9eP^{;X!G(ES?oco-@av)?;Hr&g6e5fxqpR>X8B&FN^ z1wIbVU7V=31JvWd)eJ;6Jk2Ln7?S*PFL$d-ytt?+umokGy|x)bDwo$oMZmas6yUZ7 z%xs|Z06DV7haY$nRb1EVlOO7ZYQnUdl`%s@NpV3OE^a1z)rnqUQgca9f9F>4+o)u> zAGr)A_c9_NSdxJ57ovOThCUUA-tFWH$cYabi6!Gpd+`xtYT_-O!P^hZRovIy<(C$c zO)2Hz*o!y#IWo;kzrt0o-JvW2p$#+e$Kp&j^-`pgNCYI%`H?+(a=G(DR!$}6tD_9YgDQH;8P=Y)1N${o&PgD@@=vJlu;0sWiA6x~ z0XU)k+TdT$&bqHMe^J1v<=)p)iuwhFHHf83rl;4vl#hN|PMjx6ctaOJaRg9HHa$}& zt`G;4ck%cZ63r3K0I$WcC)U!v{AkS~M~>m|^eiY74O0!3YpMV^xTfFA47Y?_DF!Xux8Rqk<8>F8WJ6MI<+^SXYx$z2ev4Ch)4wmMYcvMVj_gW+6|i-9 z$2el6Lk#rY{Bvb_I&K1< zte-J$82C-k*^kAC{BhC8A*jL3^6EcW<7l!A{?4gbmfQ!H_cE{u5 z{K)$8oR8*z)AYOg0edF0B=_OdGi?xGg!leUiT@N}1#%(pX)5_5xOx6WC^$4-i9SLn ztcki?UAt=+!jwSQLWM?a%P7r4IQKvMuw{q@|Gf$TCaY9R@)#pB{LQ=5G^t_8Us_#$ z*;*rxzdY6E{I6w_cNcDzB=WlL&_DLVQ>U!wi5q3TwlS;~DmhmRPWlAR#zWbO52jH*;CFNUQWgR@CZlvbT|4Gc=ZR!e%Ev}2f6rq>a(sWBWc-YmT&xFnC>&rWH4NmZAWsH5= z)%7nTaz2flOd~c>-PVp8<95wL{npDx@83|h7LR|;8lRW%-K!f4))1hTHRjDP|BOm2 zm*x&3Omez;AVr%rezj=0Ak7-+u9`nzdiRX~T}3>Zc#;1g#iUs>Ifwikd2T7mxpXx_ zmZpjP!PMn6%`n>kFI)WPbl`JRDrRJi@ZcGGFNBC=!Tnpile{N7bkv!NLY3cl=`;YZ zF;47N-P_LiIV(J9H{xEWTDaz6Sl_y)^Oyg}GUPJgVVc7+ZK7Tl1U~h``bjNkv`-R4 zep!w+uFNKR7^rMY=r;MctC0*C)KtrH65Ro`LTdCB8#DPB+#R*kz$U`0JgFG93SK*C 
zx+UaFllayjJ=-fnWeMk2e-0bi<4t5XXMP6MrKCf!&-sh?tL51H6nx&S1ve@a?2nZf z<+3HI{x()VlVCOvMeBP_M%O?+K*E%G{-tUzS~n&#Lul}`xe`Ev1w_N4vq;+`GF^b0d*d! z%D!7fPjr^C*qLe$|68;VVS9A^X* z`~3m0&kngyh!qmkQ-stXG0J(-S%ZoEh!nJkhyXWyaz2RAg!}r^k?mkN`0?g&NGs+| z@7ym0fTTBTgyw2p^)ioXi%Mw9Q|*uojCl5)!Fp}WV@N-W@upvx9O+r|Aqw=EzwdLI z7!tZNUXiDAaPge3+|0b@^k4;B=44G_)M><*O zoMYX}is_R$``VGZ`Xsjd$K7cJblpVfIJ-+k`v zhtv}+bNLVZ7$dA}9kU5`QK~vxtmiZw@kTw;mB-HyT(uM57tBr3x&fTNG+M}*Ok`$_ zu$<(_Ih`-wAOo>NtJ3EZ(MZP6#%SQJ5z^Yskmj%Pg(h869lVPMY8Iy#HJcdd7Mm3o zt8)E8b^$`1+(qB0FYXmXez_=5Adyt`Q$PWNVQiTs^odri^vh8X8Zb791Q%eSK?SC0 z|0{e&yo-m>*jgG)yBqMPyUT$P;!i4W)P0mHh}-CtY3sGocU@~%aLUsrk8y)K7PAqi z{?f{q?>_>tTUR9#`!Jg#2Qj|PSbVYuRM=%KwccFu{#aKRAxw3=wpn=wIDahvmDdFq#5U ztBj#0kd$f_gUrq0F239-@nXpnF5+v5t;b7xA@Q}lyHui#=b&>x5)LF$FNA4R{J@ew zytzMs~-0RQ1Bg!ro4P+w$88>(>LaPROk$i=GngCJ!opf9L5nT zkvQGAy@RZRjC2E8JHS$KMt8t~K2l0-K_T$jBNbEl8`a0E*+P3za%<6l==usQ(8-hG6rA{c*&`_hrBH__e~7~M*usu_GtTYKLgh3Y{v;Uk zNrt%Ty3SSyT^gG+h}>%MhP0vwao&vJHTi5?i@Le4U(|`rd!}kHz_gjcMo%bG{c233 z2+4g(&lMFKC>LYr#Na^~q98u3Vd&v%sJ@=s%4~N)xuG}!nGS5>*qnm`0Ra96b#tv9 zBQa^*eNDKz$?EEw50omP4jXwa#o5V{4Dxf;8&k)y;^r-wucD*kia(%u&5(PncBkve z5clp&Hrfyv^L=*ql>?hQ?-{!qshWaQlAdsl&Lqy2R-_nunxkGA&jZy`{^T5gLr{~< zq_o^-c{$DDN^C9!w@X>RH6n-H?0Xk)q4$4(FcM(0zxRV&vG2Vu(ou1g{UQ{A^eL8; zXQ^dr*3V8;zz~#C-H=Rbl%WfUm^jW&qjj&{_14{0QBD?o0r;0C+PTpYmF$Ox>XIKeE;)mEPK0E4I^@<_5q|5N zUla7?vo^vbE1T7$ma-i(`tP2x@MXPa&3G?`)&rsm8KUsvob*n7d~1bvp%fVp7aDES zBDW!q?M@RWtxleOrxNZK;)o475a47wT)pbCNHqhrVEf;3Q4EK*F-g6Tt6ELh(ebDN zsK05(?n_ZlHDlh?gwx1&N(uF-)zxF$bBsjlm*=$!9v(7B_Q-G~)>cw5bU>nRwsJ&Q z$_~{ia!cv>2H(=mSPx@rDB~={?xKjZPg>$fC4$TT;U;$ky1C8BuJN_Y{pLQP_%$i> zbn5S+&UHDY9|}5@eNARE%znvQ2nTsSb+aAI^Yds0@t$0M6U`WkbcHKTNY)cg`nGZQ* zpT%_L@0AVxs`Q`sQ_8_>Zr%qY%ynS7mczr_L@qf>2+S1dwtfDdLpt@sG;O1EWnSR3 zYTj_aoc@G8!equNTGP60dK-pJa|yZ>l-IJY+x{s>*OPG5Uf$_a9b|uDxAT2SN-_v~ z%}POu>B1AW*dt~`oW|x$6zS~AE$A*CtuneBp-Uj%qm2^%Pj<~9tPHy@1^N%=nqeX4 zJEu{_qE-!w(yU*N@-l_BLT_5LZ(e3F6`Xji0lTG|3yewN&JUg6d6xTVl~(J?Vs~`L 
zQ6FtqS|isZZb>|M%gu^|rbh0Mq>_CK)SH8<-ph({j@epO%*Jm)IO`4`sz#7IO>Oai zx5_p8g&}$Y;G!viGIgW=o}%25dzH=37yGAwQhg$o@sntFfjE?BmB0V(Kie|31KDY{ zYKE4<%Ipf7aIa)^k_f{;1wCTcy(gRnB1Y3*@3vE-M!btsw^hl+6;om)sR{9(WN9j4 z-I=XnAy*{Rh|(yCrNb|9QI+srvzX)(M%!vX zBs&Bh0`RXJr17#j_S<|SvF^HclR0gjAye+KR9=58(t|4SiJU{SIB$s*qFjF`fM)hA z{;PFk4ne4C*6f>)tO|#|Q;$Lvy+?a`y3B+={17pTP(ZN_@c@HL<#4{rEM>{cunpYN ztL%60h5PADgmM=7)U%Nd2I|fb{f`-NWC&%80ZuWeA2-U#M{%cpFu>XDj+k(Qr~eYT z?MR;)GpVci@&O9~TQU{Wy`DjEh7scunuLUUa>oq=0GkruamF~CyDUJ_PoKEH{Js5@ z?@UrB?%ibQwA^3L&+(Fid5VRucq%qo-nhz=6T(_L1B^}Oj@X~=%2BMloclH$Kz2DQ zjEjj;(8LnK!{IzBg)mX^MTmv+B6$pm5pD=!+R_FgdcL8Z=~7^9ni?K_6X&X$;$Qj{ z4$+33kPJP5#kF1JSc(6!AOJKj-~`hwd@B zc~@Z7-O--JUVxz;x&omyWQ54vH{J$nd~6_b3fxaC^8;e_;PYvdN*gO;l#YJ|-qXbQ z;Pe~H=8yyMS?pe$5wy>|41a9iOxDxFAcyY9fqw#u0GsSZrb^o?cgwma_L|9=%G%%e znH9peE&S^8{GRhE!YGR`g-Jy!1Kmj?qqK*uor=OCh$QI@azD!RcY*ii(r3cKYFUIk z&N6o3avTxXgmYE4{ugEEuq6r?BQ>5x|Q8u@3Q8-FQ_$GK5aTDRjw-7_>oNl)qF$+bIsW|r#CvY z?>TOZsv;QLB)P*^z$KQUAl?iEci)35Y)B~r9~zFdh<#DtSULzdIThA!ny* z$$(;f2XrtYSIa3VSuqe(POJZND6XE|!~rMA9hd&t&&;&9*3_4GPEh)$<&F0~x&b0N~y5`L3<|n+u8y^{A z{0s(p2q59FX3Nz!+nWm$+rg@cH3G=G+GKJAwVWUa8OEw))qt>dTjyG-PUtftiiRNZ zt<>;5zw|!RFv&FwgV~4%x+Sv1=7t9GEHnA@gFM*aPw%-neBUbCV(aSfA`6nwa`RP& zx_n{WknI-~nNPWLBe51D6v`5LU&U`GtlWXr_$J0=F;<6 z?Q--H`1+*XJY$XQIlh1BLUXEGlM{I_w|T+DH&q0{no@LLm{ZB&JJO^F5z|zR!t^}* z0>|Kby180LSF^gp}V zyKgdBW}U;jpgVQt##f}Vn=Qijy({vD^drYPml@(7g+NH?id5$MKb z9aNZ(5e#{#L3U;9FLQabO7yaXCdBc^8j}z-X9j)K+@3%Wsk~?4_s)_dmJ_#gd43C` zbUq!u{Ayxk-Au;Oar2$KXk;(gCmRXAl}6B<6jRl0vFkjj)^?lAtK|utz~kI0H2lts zcho`#_~Lm{!DQ!PYd*q$?9G=!Z)CWmiS`?C<_)%{FFb5Ycul588M^~V%y!O?RL0zX zBd1e!MZ=O!HTMmeuJaU9Z&|LeKze1e{$0GJ72F*#go(#1)P$gVG6|rpMX+26zol5v zJD;?4+590NnP^AY-AxHA;1x#0YiTs z;#KCqkkGRPqWoA(jUJPU4=N1_1T4%=Y8Q0?RT^o-?Ucj!FBc>9aSP@r3c8=ew1X`! 
z8n7QsonTN|-N#^YVww?2s_Hai_g%le4hGd9Hw#{~$gOR~ZZ%pg>nGZD_mgK^<5dNR6W*Kk z3jqRFuZ){0x!5n(Sb>k7hx|lE*uM9E)&k2DqTE24RoEL_iz?%<8{n<2Uo4BMY81o4 zXh&adDR6}LuE4r3scSWtv#OE;yz1RBuyOc)JIIw#KB8m;` z=9G*rUMx$>g|!kj275C_g7G6)gtPPFmO#BRZ0AzHUK=#|3EXC`cg0iRdA1#BQNo$? zk+;5exE`U$F^!Z&cX4M3JP0CONES~W+ZZZi^qtJznvG#Yi7bFpf1uM_=_l1^C!7ct zvY`r>F;B~$Wi*K0Oji-qNDZPVeMi`bO_%6KP0l@#sH_wdU4p|c2yS4DMCQG|_pA9M zh3qV%!NOCns;y^DN6uz2H5Q5!gHniww`aaN;lsh)72?gihhM?5Z!J_!f>9?~06SyM zn|PKgX22A48p@V0Z-lRbErrQT*mozBlo-*58ZWr?r90l6N*g10oWC&kN4`$xk-y`#SbFT3X3Zz7}# zH@}3C!=4NN2WMl*^1N(E>db$ZKrc2&b7#JQHR2U6tGH^pWJgD1yIT1BsmbEZ9wR7W z#Dz-E7v$SOMC18b7Ulu0JZ#(r*7(UhFQo z^#eb6iO^#}5qz~}(H&i{+to9jkD-D)Aj6bfu2G}x&lQe7Q#?^M7CsnAStvkL1*}@n zeNl>{sEWJUX~7{)D46p`#Syz;pVDD;xe2Ty9G_OGz?xZ?@%fo)sX>!>3Im5UeINlZ zfbxUN`H&zF0O2{VK083>{keyi;U-*vF~7x9vdy68*_B$wJ%sg?S;-<^b>j9}8*&LF zf-&H9ctYn`P?m*p1o%xX)R`g=t7^zGcm}Dfi8%aRwayC&iK8W7ic;^Z z$uV0JZ)QC?OZg*rgTW`aQ94`+2=h9RYfM;5i$8bk2>c=8_p#B8OtogNE)sY* z^LZndo(k$oJ8*3tSa{VJ1(Sv56XjPX!J55XH9F|si5W=AXzexr`gmJw&L!QM16~=& zOk#_!7$j&N)29cz=3_MznH*oVF&qfU2s^5V8~YYAYb`49=XY-VFQ#mpb_RQ9uiYU= zOo0xv&Qn^{4N@ei)ifn%D4u5+qr5nQazkM?K2u^gt}P)^xjZLJVaR=#x%I2?q|$5mCtM}^O9LDaP@O{oKHt~yy|lJB39S~U>U zcglrg``{Y?dIs%*{#7G=lk`A>Ks|V0i80YuH_LUjtJtk#oQn-P3?xXVtK^$=wNUT% zyHm_e`0VTD5m1!qENK|RZMLF+(n?fko59g)+=m>XBq^4?VI^}KX|pS{QlX!$V7Qhb zVzRcCon2jpccE9iUa7QK0gbPFmZ^zIwAA}lDhx*WK8Ck~PPP8!0d=L!TsIReDj23% zB~pnDa?{5-6Oe*c&bd)IcgWWD_tFz|j}!uDy1^WRGPpi7v9K=I_;w-54KmiIGV)N( zs$X2Sy8qfdvxNLZNNsrTTN>7+!l0#B3XT3N|FY;dxqo0NBUIB?YRoZaKWKcTz@S(T z4JM>{de>MJiT&Iey!*oEzbPP^yE_k9vly#q$g%KVLl;p9T&`xt0Va{1^V*faf7>A) zHk68VykZ~Ydj`l=<5s);2UA6FZe3m7hsYpP;$*w6CG;s`W`Ax*b7!wPpy0nB7aLVU#OE>ws2tc@pwtmdtDtaghbkVl-tKSA zjuLzltq$IHuY_pNN9;LX{hPhc$-5GXcmTu+*<&s|5bDXhvqq3?Vz0A^I(YJ{;tA2N>C+;dK2P67h1qo4Z!6wY)mp*V*h=T1G;bKl8036{*4U$XQv z3W|j@Npd^kuBblLfGFC^Pv0)&^-ey->((_qI5*4Bt}N;^99VT6c@(0d`bY=i(6U~^ z^F+t8w*baWeaUjW>(S|y@id)Pb=PlWj5C5b4JDyV?UY3JOuiU-OCB?Vjf*%VvQo|Wd7I`#TbIL4E>#@M= zX|&hIQwd$~uPuHdp 
zN5ynWYDdX=Cc{?VsE`Xm`=`MXHF$cgo*{nBk!l+wt+u4w6)8HDRL1%k-7f`%RW8#g zEbRhH*ZTie3bDmsELmd?GW!T*w_|XtMS|h3u@c_6J%FegURZ|NdRPKhxF=qloP5WI zBhUYCXZpU1mRAiuj@3$}Nb)^d)&+;_a1|rbO6|jj$BpzD(mUZ}awOj*x;RaHqEy2WAh zB?U*GTNBkEYKwWe(IesP%7K~;e+2;Pwgar-wy z@)6tB$&Ps}hP;6_O#dk~qD8-8+S2QJ*KoG&Oa9X1BvTKvB2iG*u`vaVVDW`f0uW&h zP&;>2ZQ3HW`Mp4s173W>P}0LqIqk#xYkcn+s#)~_jFZ_@NsDsN8hNvZFv*OfX>AP2j-6k~o|BZo=$v4S-eq8JZ=GQ^74L7rhLhL_b| z)P$Swgg=6t2)1T!lf{DH)%=u>oR#1&gE~ zH&e~k=Sm5}c~Hlx6*yiebDYEGR%wcxPcWnNsGP`ne)(!B{%#lg+NUm`h~Ft>(gRyL z0E4lBk#9h%7+9B%KGWd*M0=F%Ry3znw^_(I>SH4!3*L_RM_nR!vqNUq<|jRO%hk`} zvJq}A()zM~O{BvF&M7YS;$nqHbm^xZ76~O}nSpKqH%L&Qg9C^0@g5oRE}jhReNx;g zGuhIz_5k%@U%uYw?~h}|j6j!YU`n?Q^^S9191}pY+t}*5@mLZ}(Cx~09NnG7G|?J^ zp$YAhcdg)fFWes|>`nB|0^XIodlxS9X7NQz9JKfawYT{H(t23dFwrVuLIZ0)i8F7M z;$NM+q@9ZSSu;I;Z08gl0{f+Nhxy#d-xR;D3+A{1PQEcT_+8xF1uhe-J7;&Fr%s4I zrQ#QxflsXjkt~)i7LQkhpPY07t&Ki#qgbk*V8*RBaPC~ca)PN0b8mIcDOw>G{~~=v znSdY>aWcz4uz^d)0fnsiXN%MhJHNq94c3-bEf`-V+bjP7{cMPDL4V7Rl(AvTp)zFF z$qWII3hKEssmQ;j14fIO_K|1sr_bQ=GepgF5VoHNyR{!%3sg0T@zaC29hr>twE)>5 z9+xqhRfBHq!54`buaFe}XsaN*f00Soa_#@X zZH7QR9fTLa|De8csjbE)^8syQ{WIC>A3-(`6s~uxFLlK@(K>VcqK4m-J}U6cZ4( zjy0aPb7wed4yvVN$(m?8=P}X5D;_$uTCQTA+Ji3tnHPL&uWV+d2>Onxbs4`fw2bEl z^cjx4$BXb*JusG4jdjG(gJ{=a(tR|<^e~@f++7p zBO6n0`+S~i-xgtuxeo>vg+K=nph%NJ?r7xcr3_mXz#WF{@!_D;r<`B}N?M@9!(cn=1?-7ag;PqA=mX0iXJ|g~FHbz|j7!Q!UP$HQ~17 z1G!PL{)HZx<%Ft;Y$YvbT~1FSKooj~o5*@=$|tVnf_|ZRETQ-i)S2*oXEnou^uYVM z4rop3vd3{O&P|t#g!4WrfF`YjsN6Ms;Tx7cq2|oVS5Vc6YKB*YwX&=kjUVhCWnPPL zsgscG*%0GAXM+%O9RaB~>Ak*LAVhIHv5QuSmA&&99xN>^rz{53#iLdlD)B{2iuIfp zjOEx4z9Rl#?Q7abOSHLk4`-$Q?kuBiQ0H@yG7K0sqkesqC+-7G#3FN~G&>Vxe6Amf zvm@qw5EZek7mCud5;uzYaItgNbW1i0ntW-pzFI@jCP>KJhV!uP73D@N+dEHhjT_xo zgfL-!kJ~E2eA;CLue=!|;3*~VX%Ld;!CVX#S?caxv5K@n&*oL5r6+|xxy)v0xCh%yMLYwNAi=HZZ1HLB45A>) zWu2ez?`enkOC#Z#?S&kBx1+_|THj|zN$tnC2HK&W&Z{DHFupk+3v$U6S;y%2ih(6hQzA${#a@X{z?mUXBt4;I3Iwv+6>>2PL|AED=^xi+0~U@hESP0j0iTZ5!|v!5t;iUXaR7(5 z(PV;^74-^mgWe&xEY^kJnZlRW4wQh8l1mrniVqz1A3FA>EnWAJZbutM*60%1j0cMR 
zfq&hUC5!;H`oXi&I$$D0(XX;7ZyXP=pQ(2?vl`Pild2Nb%Z+@~z^_~ByTl}tdeANxh8Wm| zGtw=A=uf;GGVbY5N4$$Fw?7^kz|@TPOQ2fHn!J-rVSH>Heva1vmO%r+P2CVX#N3x} zi@ytVKTwD{R63BH!f4huCq(1G5 zFYvk5JcJ^;tQ}!5@tgs{$%LeW8DCm5kBYHR6xn)GYXO|z0s4KPaU)8O5+=}>dOj%eR%$+SU;M{vf2YAK-92x8Y* z&Ts7@5G5|EUETdmS^-7LF_c!0%(cC)A{2Q$+*K#59H3JKeT z-g3Q%+hDnkTu%8CyQ~Y0BW0{2ioNF#H485#y6MS1S%{%KIe)Z$2z3-@53e%gpG@<3 zHN_!c>0^hHkFi+iOSb6SQiv!(SIyaGOND~X!;sV02|vsU>D+2f&x{!z=4!cDmi?S% z)smx*Va2k0+S197v2!AX!&^<>D)+~|bJL#Qano$NwEmDkfU-Vh^rkv);U3#-p6>f6 zsAs&#>%a7!Oxq!-z>)1Lw0Bc_2!S<2B`pqe-2VfW+vBR1y-4ZKqO%Ao;lxCdydcGn zC+-7y4|{mKmonHY`|S}Lqh|s*7PIOg8a>w%8>2pBGQWnmy}KiZIk@>YcSR%^|6(qg z3N6HOk{Xu+r(HIA%LN}j6*Muvr0-6nhlJQl(ryBk zk;MMbz-*Es(dSu|kcWQeF<^mV4-u$ub%X(fdd7I+n(B~;zzPXvGHU072$*0Qp-y(JSVX)POC8!=BATQnpaxQH@OR$Hxwm3V? zp1ICD?5Be1iEJ^78a;<6!kF?1otkJrD%U{SKpISd(x>3dx(*~AUv~QQ`WQ&pXw5v8 z-icHzQ(Ia{h?Cnu>$f?JS!Ug3+<`I!TG0f1XR#$SniPEUy$rK3gM-E z>#VLn^=|zQn>in~Mzfu%0GNTp(BR>N}oMzyvkSGOX{0^7kyT4I6ec#*6`cRpv0ziph}5aS!tebE-xQ!H1)s1{6qQ z$hs)e)EdpTn&d!7DZSj=(rDW~FoIacYp7#VtxQ1gV+Sr=cf{CY6+F8IJZN00UQ|wH zPjyVVKRGWT>Q6V2lyd>*I$K=*zjm#^kNAZ%f7v(=0&ipCOE39G_m^I;K^w@Sujwihv%Lf|ll@yA&tK?zjhN|g~fc#xwj|8^thBZsK&kjteQa^|X# zn1*TVz{TPWSQ^@`(8NU`>ZMAg8a<(Byi@$nm!-2)=|AD|;s(DnPqfsXA%AJ*f`$wT z$0RY7g58ry{fd;U;P96Jw)JN6Z5z=Jf(z(b$L7Po0RwqKNLquMG{i~I_k`62+c$Ru zctKH>fhn*^+7cutio<8ga$cw$;m|e zBZ{Uf+HqqPRyEQYYI6VWIS3E?q!~2-YYLTvGq)HRX+JpRS5%54s6OJJLtMBhj_{$w z40yI!S;<3bn;sO9jO-xZ_xc#B&fz8baPqZxcek0xSC5@ykf4nBPQ&d#1WA1W)NLGb)&vm(A4=RHtqNC;^p{-!%`QV$qJ8XlX$u9`4;PRj) z72>kIgwdQU*lx8gSerx=cWQK8;Ma402wJwJjpk$7k(zrH?ac^q&nvHuTnSu8My`CY zk+Qy?XS#@ z5Mh>$yC1Kp$1q%k?Mw*3iUNk0t7uGfib{!dkaUe=)vC@~52gZT27YW7u>SDKHKmux zWfT)Mb;DRl2taMFvaqlc`j=NDUcC85_@|a&wh2t_ zJkO*IG83rYb)>`j5o4ILR0}7Jb!u_;X$0qEIL;DVt^8?sHOD9OfEboq4(o+Qf=n+9 zL^e*@9;c_9BG7GXh0rCGqQ|cNp4~EN2H+e}OQi?VsF>EEu zi6Eni27@TaRe4hbYZoRhY z#>QDKt+B>-o$OO6pI!>ELXzRdcUB`s(}60eoFEf!)cT9ux1*sph>w%|7%9l4*BeZd zL8_}U%TMK8%}g_oHRq6XX+-aW%@J7a$f0{73t~kl02DD>8O0d`RB(4g=jQB;Li`6C 
z;MO=rHVZA`RcQLYyOUs|C8=jN@E_VM*sRy6)7B#Pfes9b4fC+u=R;Ap=%dIP&1G~_ za#)G+Bt~&Ip+kV};pj;~=%S;e-Wrs_G8(~U6r6bE75#EcuM1k^t{l1gm5YX`NFp1YqaI$?Q|nZC*#)@j2Ok35Rq&_qcHRV3#>G?d^Gbkt9L_ z03@z27Yw!{y9(=Mk^~!v$LPpv(5?U}|71A0MJ0^*9%3yWa@Up$=Q$%2DxZL49e|N1 z`j5~VLA#7|`YSvutV zQI-4hTV2w}kx!RYE>GF+wxGL|Qw3LSLyY8p>c16#znPdx?&@J?gZtP6AfvB<7Nw$J zkb2unAt$9T9vP%>yNP6q!qRkPweR;ekNXJZRPgWC(j-JlD`2|Q2|)=0u&;ufP&7Kw zr$3p?2$hv-h=|%wBwLQpMfd!H7HH@_^yoo*Vnh@!0gUviBqt4h`8?mML(0!YYO=A4 zqdmy?Q$N&;xmuz>;s_EC>dU5ezd- z93Fpu&2RP{pwm*>g*q-w&7fQ_dAmAK9hDvdW|2(�sz1sUqOoUsy6k0_TcmT~mkj z-Hm3hpzQrq@LY;Cz_yt}w(G|kHuOAL4ZQf}jJJ#m(vnFI15X`+E#FXqCi^@@{__Xv z_u4(<9uk4oZIGLy<>s$cI=I!3?jz^zydui~T-{a}=?xhoI1H^C#O&`-U4#wU&g5Mz zKMNt{pvuj9t4en}fis|{Xl1BWbVW|&DZsI+lR|YLG!zHeR=sak@F!%EZatX%fg<4n zY+{}(4;2LMj$>HbvT6pB4ZPCIG_o#2O!gbB?-v4gdg#hb40>0DxnOGKd8cLDkVY z0`guX+u|#W$VK+5G4<_rLUwJnD}gu$qKZDhl!wG?1J*s`6X#4&{Ys|7IRImr&-(S~ zvFmfS{`7POMZ54w2fO@q^iENyXE_6{#?C3ml+kK7ri*x#!noR1Gd3j~va+@il%Ntl zSN%C7qBiedu9wy%-mz|V^C8$um!d=$t=0uzR&^e+#dJ%|K4gax*7h1feQQ>Sq*hZj z9)Ix&o`xP3AT{2p_en+i8oT5>P3{v5n+U~sCJh6Z^r=@1D9fhKIU6yMl3gkJs4W~$ zrr5-W{5J!x8zi02gLu^LtwU$sakSJVuR>1+vD8`kxDV#v zyVtYHLGPf16682rd)^!iMCzqWfhyYcX@sMO$9yz7nGhIFymjsQI#w>aY_Z~MGY%tq%n5B);fk(q{ z^JrF1&mFyjf4##YY|?9wG@T+CK5lm&@uPAdFhC>^cpMBz-~#wvfHc-oBzmy>mR0#U zK-M})sV$aUcSttEMHiaJVh+Oe9sN1b!-%z#E)F=W_{1NSO3BT?DH4RRE{J-HXwm&- zbp^q*4n~t6zL$G7M+o!*;YGBqPU0;X9$Mj7xO&Y( zpc^h%;5&08eKDOis$KR_?&8W<0TV~T2{s^+JwsJdz?m0pDfp0YGfIPx;?k2}R*qHX zqtzD#SEkAv?Ijp&2fRifS@vHhtz0VauYy0?cTn=0ns163w0qU#$_ll|Mi1YtVngjh zLZvVgfs*JNybQ4hLa4)wT@A!(!9WwMuWvUq+0fQnoRw%Kv8~KIp zRw;gmQM+AYTW7Pv*Z_oaBF?-n_0n_i&qTT2NI!( zOJAbbt}%hfO;H0wGA)boWEwNNn_(a9DLRoBRRtd}dCDd>yoWb2G|?VMQcR9%*}iJQ zuU@d4m#{#1LcLbq^tgv`&Wwh4c65@sSbj8LS{};;hxx2r^45bJYH*Z9k+Z|V2z6iR z-UcA*9R_CyeCo;)id&5LTc0vc^TuS~rEu;1{34+pMIV@ssAle^9v@j>vtT^Um+~EE zE+qN1b;QXCblzr6TuQ>6uD|q;8*5k6ZCWp|`E&;_<_rv<^M@G_>&XEp&crBh-8%c7 z%s_*=u=#FEpCNWr2n!XLg(NQVBM}A)ybpI9Zi^>qK+TJfy_`K$Q{adV1QI 
zSw_j?N`Mvx?o-iH576GsY?nFY`fU{*`>rdTIWq!4wPb!EJtLmLnrj}${T7VH)9Ml@ zT1c)Yl_!tnZ{}$WVM%y5(jN&Aw@Z?VY663Io}z8Zyc5(kIR|oGsbdg{nDt$DR}8S} zC3NZ}P}Gh3ZO}y)SGAS@V#oV7z*8_Vd6lCK%M{IJGcq|WJ=fFazM&hJ3vtn_qhm7{ z|FMLHT@3!`_C>P`fa}HQ&f*Zrff4{V5Ta}z$BW;KYPC2G#&;u;#L-kEAs0Gii~=dK z0f@pw$mUuaF^5S+${Dzi<%nKtArX*vudqp;{H%8UBW0$BI@^~K=jHUt>r9yBgu{OU zjzdRMV<5KKU7Ax`h}Pb^^)k(>dX9UgUue8A(l=HT$c!;TvVL6jXb65b7x*2hOhW?(v z0ElejS7|0F7KgVkI7yTS#ONn?Lj!|_8R|?(*VH?#;~M2@*IU=1&jBXsYh6-~qjy&b zusQbtL=3eR>3nqq+Mpey& zV_c7V&05zMX>D5m#^7v#%t#s zcrB@Sa#EHE`Bjhnntbr}i*MbvQ#R9*9X$L*EKN5dOb9%U0aYVLn_|Db$hE}Rw8YYM z=g11S#Do4FSi4{uQhPbSq382L?d>-K|jSI4}TeboK9k^U=WV%nq&jy&m*G3O3}Y>3hSS1E(f_ zCPB^r&x@%aHFMc+`GARUO|Is#TOK+{AExs%Hil517^s{5OS#N{B>I9bai(sCDXE&r zejx{4p#I@jnD}24@W16u90y&X{_0kkI1ai%{n4#3aU67k`lnlA;yCC6^-s4#eJNX8 z7**x${MQIVxZvk!M=Y>|b;k~l%6{iuTM`P@0na0`)6cUtSIBP98LR?tZ#}H+9j0%i z;1R|i{F4Kq-#Z`uE}STjvoX@4T=E%~Dy~qPGXZl}1;Xc|bcjUme@+H^ieqb*Xz=*&*HC|IE5T0+kRaNE1gKU>dI(Sp8zEFUaPJLIZVk(ygFtFa32i zJ1x9T$!==+EvWwUgrJyuiCuNFN}=#Pg_PZLO5D zmFM%EipPeBHVz60EI)>m4ySnHqB^U-qpx4c+2O8b4~z2T&59iIN$3%X2<>mnV!#B8 z%cGvjJ?Y}4002aMPv|<JhYyaQa3Qgiiv$u z2?abT%pHho1*zvYLw615|CzZbEkFTi2N` z^KiSGztcNEmzOP63}_Shy0U`?HU)?3ON^b1AO+kDIs?kbvP5*j3|n#!$XK*E4lEi+ zStQDsbdZS+a>S|Ylmrg{|B-)zG_+3M2VVdi07O!egPXIIJc-E%5_}*sFX1;D>GD+@oVrS`0e$++);~(E5#b5X9FOdfdX!x{84(4 zqE#%WLDm;_SebjtZYo3)I#?*cm2SM>cqcp3;#Y5g=$gOb<(ldvR4k3iiR1~lygLn` z{NL08Dz*Ut&;%wFWeujd!plB<5>Pw=&R{*zXmvs8l0h}0>9(ekh_7t5XAvL-fR44{ zpN}v=myWU3idwD#IYyV8*;x<~43)jihsSs0@*W`YWvMoF-bEjxoQf&(HzQ}h#*%fa zsj$NzdN}I7O~ApRK1Q&jGigO=Zg2+9p6saj6(&JM#2WN+Ek?i*wcszh$P$SUHm*ca&Y1xys}qKIze0 z*5qBVZK9uC)+avzz+3buknH5tc=TU16HJke|2;RXr*GC>hVBYe-aaOVfclS_#&0O3 z)Lscfz#+j9@Kej!@f(pMsb_F!71qJ8Ao@XU^;D%L$tCImC^!U_H!#Loo- z=n!kE6WVJOm@{S*E%XXwi~JDcE~yPRU)~4t)(n=5Yuv@pA*gXWC)#N#H>%>Ckl~0%cS;PWfoa zgX6G-Sn{q<-qf?hXhTpZYkcxZIV(nWZ^BOUvr(`1$uo! 
zC+o|kR?RlrJ(TP0(MYLJYk^(@Fg4=BA%CQ}mLYPLPc?@j%*SV@TcViD{ULw1%}t>| z>$EK{4cA%xsnHb?@HPrke>;L_V>TvwrSwkD*?wvNLWZ)o!r9D!#y+9D+{Q*rv+AQwxNPbh#v-MQ=Nm2*G&*XsLC02wl@mlTIw&)?=mXpm@xJD z$8<-D_xMt}CC|jwt#b8!teo|a26F%8NA{$pp&1+V*i`Q?gFnkWEWo2@ZC7!j}sb>1#e)Zyi*sx=&K_T5J z4tUOZN2-aSEd(R>0|>>Iy{6(qWn{Jf)gEsu6=s?>e+gXSeI1oUDDXC#lTSWruPD=L zV2?eS1hV%-Lh5@fSpatcc8w|PWR48Ei)3K*4s%ae`>hxFGIywfEr;47b*Xeq0CAwP zg_2#wC0q|8xN_+wP+dH=*9-P|_K37qzQoUMpaees5nl9=!ht%m|c zDYf^>E`-#v$>8!Y`WdSmWIP_O>PcDyOoD48LDd4EjLZ^4LSO?nES6)vXu^^m`cL48V}T&q^>wi=EB4gzn~S9EHu znk+`4{e;*U(PD1r8369F`-<8y-|pCl0*HwebsrF4B_;+QsF>hcn>t?}u@CI9Gj?^} zCHj7#Z_YPJ-I?iwDN8lc9K)zDL*ba4p#WxyUIZ{k5PQbm`dm(svs21p{T@hlku7N@ zmA(jpdO8b08X75?8wl58vDum0FJ|6UyB&K2Lw*z}VVsuyzpv~}5deTakN^PkK5d4j zsJt~99qu}HKon{y|D!cHd>zMimX-Nzt2glND)k3M9K=5`ji(SQqPks*$)!LZ zG;Xo6<~xs#Ym8*YyyT!$C**A4c!Fx>flkHr&-5-cH>tmkV>A0VgJb3Z5`r4x zQ4p_(pM?Do6?C`i041tm&tnAEGxa`^7d$BJ6H}tQ5{rzW^ zX53VC`aU4qvxH+Uk1+qV{pG)}!#O!pOnPqIMu>t{O|rJaD>*)xkDwp-z1sDi=y`qsx$y{h5g~$D{@#%B9-OeJ5gn-LiWW$Z(t4*$k z=xI?(uRc2IqmK|zYAXyW=8#4YQOcE9^03%H|CS0~hx{DfD;ngn)!E*o;gYl^ElZ@ zYtB7r#F8Q`GYW-Vq9@d!4)5~{EUPBBJG z4);}WpQHwxT8}YIv?$0R+0XlwtM$gkiQrBRh|;VYcxTQyteh zT#DdZL>iU5=a932_k1qN^&K*$WN6qLco=p`$4&SDeu+e92bNuMPdjwl!3P}DY0si^ z^;-#vb3e@srGZfndkMVs-VS(^PXH_`h+ol<8%dLP4P&ws?v9#EEGj1b0h8X!Oh`o3 z==sOnl)CS&ycOYsFZY$lFBde<6S13rrv0?k(inN1u7HZsNhxs7BwNDqRm}4S6w3W|0`^pgkeYZ#5&veBG=JcW zr7d8apg(xTl`v40!4i5%DOW$@ZDB0sV^y;K+$*v%&3=DHUmVx`BY`1hZUu~H#L^4! 
z5lGZLv@<~Cft_Vk88LbszI_7@NYO)*VHp&#__|BwJ!$j4#Am&f&Oi0C4l7DK5&k!> z<+o;DW7c*`I*74djBJe|CHOLlCcuayZQ1Q~Rfg@Sc0kx7!7($)L1WVjSFmxqmbq>= zqD7`7C%p&rQb83Ix4HB2c_udb+Tl~O*yg$H_KdiAI1-J<^=4rRyw?v$Ysn=l&!^Se zJS=)g)7a_$xW`BLE8gFXtpoB}Y8I3W$l4hRH!pTvS{ z$vhFN%i)RPV7I2vBUYwzK+K!ozpqjv=0v50$_kpQl&Jp8-v2+`{bQ6YK@&EL_SoFx znLVD_W81cE&mP;hZQI5k+qP}n#+mnhzjf9*_vig}*Ui-{J2JYfx~i)(G9xPTc{*K@ znKZIb(CPFg6ovI!u?~q7$Q8?tb*&#v3v>tyuTVNc@NOsY!>PXxAQZZG&^bHu4NQ(h zJKk;XbuO20DZZ|QdF2o53I2!_TZ8=GUDh8$jPBtA`GXLu7LeY{$$N>xm;t$(FyM^k z3r#7Ei3+H=@%4`jmawi^k?75-!2)_!Vy|`o|QkL4;ES zp?P_2S35n_cKZMXzEJD;#4zgvjNIr{gQF9-+1y?b(u&%;b&;=FTFInSG5Ta*S^^1j zJ{*NDquS7CE`7#HlHt;n<(8zJjgfO;m`!NfA{)fkX|{UyM>i`&cQ_czZ)x}_=6!Vt~)sy9-ThAEz|dQuH~Eh;4Yhfi5XQqLqXT_ zFIiO@f!;Tfe9>KvsMA+%9-`WBdr)FLdJVVJ0T08|jC>$H+nbDa5TkH-iIo^kOH%x7 zp$jf%ZqK@N=}D8WY?V(Ox_^qkKFfPoKV4^XEZB4iAEpEYfG8CC<5i03uktx$UF)( zUpTfAynzM_zf)BCgihI;$X7u#Me$8kk`)C~V(xgu1rp-8+PyU!QO*tr1|qs&xQ?4D z<7qEQa}x>$h}K34!vN)**{)ro8Q8#9oA?(*+#jM!xUV0NEzULb{ni@1w40fr>rMul*3x#(UFA0{ zP(moKHJCzFeOtV9vII{a(8Kfz#3{Ka*Sz!OE85Vl^nD#K3y4P!cKjh`@23$IvaM5i zr#;*>%eQVibEYRnuXza!Q6+`se|^!tZk|!u&01A}1xF}dm(u3K*COomjj>z|Y&oqiv zC%J}#Dx8>@2sW)Z3;|@19xlfgehY9HRJWTPfuwWEhceaT_JPv9LtuCvCJW!UUjRXy zfT3AV%wW)T|CWNW5EaYjVN0{}bUGQ$hEr3FJqrO(!L}KDVvCWu_zJuzGXpxM1idl;9w;S{ZDKN}sFUP(9UK>2WjCI}J!cEHx1pm^!kaWQd8hilze zuKc(#3lfzn;ZYyFE}^%zZZ=iA0j&gqenZ^rWr&GI#U1~Ru`AeR3ATO*M?>wBxiozC z;epIawNn3I9qKy(Lx%0En&CNiXTf~>HM0XOi zz;oX@9MKNFSzV~XOLaC+w3~Xcpo@wd)d$ET7XhNYXJB@#XBBn0WT;;I%RQul&QF}< zmq)EbeiZj#U7|vPq~;L`4I8`4Jt$rE4tL|hVH-3N`~vHNw~;IB^@dFxsy?N(`Da2=823kEfH%jt}5AT?~71}k9i6FQEIfG&+e8^8V)89)? 
z6H}(}=w91TOK3psh14Iu&ArMyU1#NHdil!ZF{r*Kuj^39@`v2I_+O!ECsGAbz2qQ_ z!1o*+qSS1i5Ldu;WRq=7!`z*Ptr=4b-Z`cpi%Q>`tc0Jf|YuNy74jY`_fn8=()rLW3M;~@OWQv!Zr zH;DuOGZ2u!0(xW)ty!l81vZ*3#S6RjcVu&g3w{c3U}fZUjDon-8Dm>lc2AmUU%IHp zBeq1PF)LY*?Ncq`io){IwS4umM=7X5amgsMZiL(378iu?TW5)~YS@nn!Xyr>!-cku z2hZWyiCI;!6s z3*$AdNKf0`%T`SN+1F;(uX^!O&k@c-MQ7TsjTH_;LA^AMGCfXox@>#%lCB z0~66K$Riv41?8?zWjJ#rpVjwH{hPlN21y4S(f1kWl{h~zqU3fjcZT(f>8Xx5HS)#* zR3Pc+gox>ggH5ROU{zdyxPP{5<+TzSZF8TdO{*jJ0lq7`mvp=~st@#IoN&alfm3U$ zaIaGgp6wW5gXE*<+usboC;w9O^kdOgZMYBbCBdy;Ho&}jy}Dg-#3HBwZSl#dc+?pp zl&5x2@aQZjVj;PjPc+M({u}viwytSKW>ksPW6B^56!@2M1Wv#b3z?Pkvn_N13t?wp zHXh#EFGN^?T#P%4)OxzO<_~D0&C)ul#M3G3I2a@(cU1*H+zLG>gUbr!2b_SY*Ej}m zcRGloB%NBpgXZ?fyUHJKE+I1QqvFi&iuLB8=1v-2zY2>)?VSz^L#@-}>l|rvn;wvq z&b2IA_|H&eZG%pEnqLu040Ty|u(bB5$j!v}kSaq1SCxJ$QGXzoBu=zkqw>6_Z^Mwh z=5Bm8Ll4$|~czrP=TI59*AbinuT z@ga0gV*@;VBSQ=_W~_}X)1rPgK&JIkfo(Tvq3-vGD7hAP(m=c9yaIyOo-tU)9LtSmIs!tPzncp*2r;m=-{X5QE$_P4L`(!!lb zGOjGeDkd;Zxn_ZcFmh0*e1~{N>Au=LNzd**@$Q;h{%jGplz++Qvyk-lfwyv?b;zqp z!1*H~4}!7?-GJ=LAoQIw}c0}~;CVfwf6)-d&az2youM5_zEA4+(U>h9Id4NXb#>EftP zq_14YLV`;95O9nfcn9YID|p$5Q=!sPgLJ6B7p=lIbtoxi#uAj9%lV{hboj5p-%a)@ z64BFCH>29oGp!2-zIs>Ge4SLeD$FyB&$N#K_yf{?M_@YQKvsO>;yJy4?S|9>eRpn7 zEt#svecacq+{>rs z`wD_rh=K#Gjk<+v9Ln*d=beLZl z#V568mq=vtLIHy{)~2;MmwFVQR#|G#=ntW1sp!yz^k1JulSwXHOgZB1sY5wQP3ZRH zoZJB-@6$bD$N;eUZVzgvVM4AT@W2h*>*9&1Ai=!iDo3v%;^Y3E!`DR`6y(rp9HXGEt-(SmB=YqBbu+ zNbc8}j){^e`bt#Dw+wd=5F3zkGrc01M+aZ-Cqg3ZIcKa6n^#8A;ISJkTqp=Jb0V&KJro zRa^f%6KnNLUO;L9NJYvN$`8h3RV(A@RkQI1T`F9%D>WJT2be_aV%o!Cxyx>9;WIX) zj1Zwt+x}Y(*4J-cA?R`@{I1zb@0YSXYfPl7Jahb$t_RIhpWuhkJwWggcUvuU7Xp^ z5s#U^`_3@S_%a#U?49G#?a*g6E^?CCaZEx^6R^p?1!u6Pedf6l7<=g7?;P&a5!Zm? 
z89$hbw{TZ_EKe@xt9wsWuX6n=d#BVGbCIusXNFgMdEAv{(P0BLR6?>pDBNRX_KJjM zY^s9SU&K+m95`Y1wqR5y#;1uF0#IzQT-zCFQIp)$8Yq=d!kQUS0fCHmb4CG#(bRJ+ zQx72p4SZJ>NYwuG`uPr-0_DdF%+Bc&LZUqYAo&)d56mr3tMn(>dI;q3jAprWH$A)P zkJdoEXs!sLi?NqmVG50<)V<{qmE)}8MlteH7=s}#npF@GsbDj(i%O}p>)9pIa>FkXxpQFU{n8hTByLA8;;;qJ#Ssed;j>!uBF82A_%IRkYj zUL-e6rx@Eh&DjR!sHlmBR&g@v-9G`HKgPK;ye6g$kT7hRG6l&`F#1h1 zn#h5CAMYS>TRt0;kf}DmC5zXHd$PQ?^xO|tvwJBPdXisTzP-{ZY|u;$22z)FZADLHVkd` z4uC6FqsK)5ahlj{cwY?7@bCq|2v51$uAM*l92qYBjzRhHGJi@u+>WlL5&*~wyEsr2 zo(TYeCno+;BSKfM0<#qw(qd@$07c6u8e@w5R2Y3kDyB*&amt`C000F`&wq9R0H9*) z{r4RJ9aZ~30Ze2EQtcTAzOuNe3kmjrIvAd$CnMY!yetHwS_CedSxCx1ltM zZGCT_)mij#BwQPa3G;8~q44KU!03<{2FdxK!6KjJ6-&HFN z%F;Hczg^#B`!$zdZJf-MCzI`)@d`|9o8&KZD-q8J*=Gj%Q=#UlJ^B75J9+!%88i5e zkK)q)z~lO3Y1JE^2l~*eNMK?KzwHQvpv1Ef%OOHkCL}%&LRsTeZbU5Rn)}IegfT;i z@jar5X9zL>5oBvniUN)^ux33J1L#Q|sp-Gi;5@T%)%i>s1VYOYMi+44`t7LT@kjN) z1FIJnk*DPC<|pP~KHMa`1GKW~FBa{bedVmD=hhX5K&}8WN826m;V*iVgo8DszJ!(| zlsnyBK`nuS|)X>^cd09+g`_Xy|T*mvH=j|i-(ydFhva{9tB5Mf8HBo5VTS%Bz=REO8SbDreK1_q6WlEbxeHp zxk6(T;!DE5FEH|4oW*fk5Vg!s>%WoCN_q=k$vbmV>q)%8}kuAoS^Ydfj9zb=Z(lJ|| zQr_)rMYk*GgZ7*=OKqW7pZ8oOt=iq=kTjbwFyPB`Ti~0NRs00TW?1o{b4X>P$$eSy zmQkT$0$_LH$P(6tc9ZVH|;jrlNw*CFv1I1J;w4>6LVN!?#bVEEHzrHdSw~}ZI z$unPlvzeZ&xCX!DfGcHy4^c_)dN+ok*`_#SS9K5!fPl<4qk3!D89t*di0kI zCODu%D;DL$%XW%i6h^f!#Q1~f{ym79r$yV|JwC6W(tCHf!w))e4HFI&*Mf;dgMueT zIQKn5(o`aCHhKbVcEARdFI4!|j@Z@p{*?#f=yRIJRbx`_5gP3T`Jb(&kSWb4}8 zm9+^WvuFB*;ifxRkcPhC54qhaNw@PH4mYEt@7Ii~S*K2EUSBFzsBd`VMnBUS<q zpJ3DZL>w~pS<;lB^sFS-i?|qcRj`*1odq?n7+~ERLBz&(O1>zwCbPCJ1oe2~rq`XAR z>=6tykB9M%JUK*lnb70wiEXf3?t!D9qljPA;FIbCs|>V z1|c8jo!Z4|Hy;UEXxTBt#HtCkh<&2Tx0daDj@#OCRy5`f{39M>GMa#LGZapu}&wxC#*2n~u#hID-s6Hp{KE3P|0~OH2!m3O4g%TUc>G@bu;y`LE z|B(=sRg)jX0FNNJdpy$Qb}R91q7~CU6lO9+H_D7k*?+R`?HbKM+@DaogBPpz8-**{ zC}uBRj|Ayjt0r$~m$RaPEukp`(8D~@v}zS!ooXV@6V}8U$h1)f?eZ|MUO0Z$(wRUQEiJ?>3Vj@SN_oj92L4+Rc5;=i0p6*#5nl zNgrX!T`p7rgmp&oJgzj@PqEaOSg%%ajK8QFPZ-0pBAm5N|-%&*V-eN3cf^7ad`QndM7Hji=I*oyLZZh#7xk89E-ftj= 
zpxv~0cI~Pt%l-@!8G1u$4${B7bmHj}D4>Pn7}=BBc2VhYRu61k(A~?{%ean=Dehou zP}h;yNtwA%s3T6ip~5+4+WG^|()7d)ZoI%gLj4*wl|UwwdLwEe2VgZCcEek7w)(sp zE+_T~Ux$y1ffpVgh;zw3v7+=4Dzg36vqMK=vsj?u-hBk1dK;^UO-&jyC4h;gQ{BXT zRt&{MPRunIp?wK#&zdQnmERcDi)}D43;ww;pkubuNHr!&15X(6b7Qw_8voUUw7+00 zn>P^yY3T=5?u0Vm{bO0yB;wQ>az9oc$B5ULMy{wvOHSorKPX!FttOY{Wqqv)^NB1M zLp~PN$KYAqYu*w3ugT|KN)uWoo}I7A5{=(r^ooM`j{8NtXT39bE_dF>SxKyVK4(&t z-Bm~!-_C1^dCbZ0>4$Hq@fPw=gnHJ^bv>uAiV%`j26S3w>080XJPHt{3T*Qyp`eWn z_3rlNuzU_fwNcAm*@0e0iv`#5v`We z!UhUmnBN4^2IjQLnZNCzKX(gTq6+iytdFH6*mK?oTMoy=C|bUM zO}B$C^_KfgdS3h*dpl3R^xzOKSsOE@LRKYV`=of-Rfi5c>_f6w)0iWgI@rN>aGD`- z^~b-7j%jtBH-V0*xsHtFX2V+_%Kh=86A|$s?f)uZsabUnnRg0j!Sq3A%LP8(pD6Nv zjj*8Jz!3~EYjauE1pad9L_OPMidx&1VO6=pPkuV)g+V&28K{o6r71xs)D6&sKpSei zYWCiWbuI$)GH}Wie`#2{YOcg2h{(+CnopA;7c9lW+x)>zA%8TzrrMpH7n&6_WFn)? z9!6LWwh7~AxL65Mc%;H?1LM<}6NxqTMh&^9R(z%i6jAS)c1ZRkwG7nswD0)dw6p(v zr{tPMSsWwYxo2?VZko*Wll@wwR6YEzVr$*$K*B2_fYTy8+O=|`HsSYzskvFi0~!rT zDmkds81g19!jKo$If!1=S(%rl_=isq+{f&k_y8oEQO+*K{zGvppm;{JfT{*@o5eP+mxym7sfF$a#A%sc2fBBj&iYE1xUdIA`Qsl_6FqUl9)I+&YHx+ zQkRy$6EG9$d-yjPkXNDuY>R^|HRtD3nXjM>VqpSg!S)D(;C6pZnfLk`W@5P?{R_0% zrFt07SB(8WTAW{!6?qF#8h*kb=RO}X9=>~+kNYpJ01Cz~&v z2E7*{qA#8rQe`cvLxqorqgYBp>c!UvSogrr=@*63^{SVVNqCvg5PaNMhG6wx+K*RP+u&S)+aeGe>+{zV;5}VOy(cgv=pcC^#U9} zF`FjXL}UnmSq^jMvlZc5(mO_XDEtWyTM4XJzz86eZXz0@bx|Vcz7~<%A|U4sI0Z1ylA(`1Dt3b>RUDt1s0v_kKqPdmWbk8anu=E$<3-%cZ==%c zeKh~+rX2O?32`z$=~9x+%OUs!I_a;WmZySUpqUuY)4B;rNq7*rnIldM=hNomJa4MC zyp2H8TsQ*}_ofj?+qOPF!07v~mXa3Wn;DT1I4XZvs1uvtGD}$1ZmCa7)f(F!LuaV%+yzZ23a4gk`yM-DEJ#DuRjwaTgTW}PzdH* z`$E|Y#&979zOk#lv$GR(X%H+wMR)#&shq4V^iCLr0!qv>rttj zmEU3WMB2KM4UluY3=KMs19A9&pCVc|L;L5n$>`+|e0S&cE#DXGqEI1&0)3z}0o^RACKy9!|3Uh@ zE}e0JEMqy&Bd_*jpRy+^1eZEr(ZfA&53eHhtRUbzmsaOt>i7HS03P#k9LYK6uI zyb}0tt?==H_Fwbqo&S;b-|oz)&1d5Jk_q@YwXCPjBV8exd_rHbTI@vn%;Jb=y232| zJE8-Ve8!M!35P1PxaJv5<$`@a#!v(2Z%CR!!Z`Ll_{7#_U_# zI6dhJi(_w7QsDjYGI*Zp)8hP0=zEp*;hq#sl{1(*@52mQN9>!BFhy??_FG0u}KrfoVe4r4Vtq5QA^KBc#*ZB7)Ckd+z08 
zM`M?4>o&;25`X}eOm=cK0)xvhYnH$alnC#<*`DBxuS(be!H4pT`VBrUW|iQaRw-5H zt0D3Dt8jA$*ZR$%zADKG#t9cPv~e}*q&F*$F==0|YlY1pK)=hHt(4XDgm;F)tTV2v z^h*a;R;JV1$bTA^!ZGaVqD|lBp-(kb03vrF4ENUlTH^@X)7*oK+68ZGz$!<^!lB4L zfR^}B>^vi^k94r+tz8ZvWihWDmyuU#v4UReN?6t<$&>EMK~br8@V+nTibNuFlF5r? zkW*Qw3rYR!iR8_iT7}u8$Zj1xhrfYuR$>gY7iIUhNd0UYY2X(&Y^A_~MzYb1fPwgM z3V~?J*V)bGNl^V8U)U-li1`pRH|4x;4>KFc_$xreg{?~-AggM-2i_fIgBA|Yc%yq0v5;LSuE3d?Afk?y=Y-m{AWKo zrTb59$KUMG%lG&D6`&SXAvU__W8!|rCXwu(O{0V;)>x7)2u&?WMO9z2ii3wV9{w83 zH;I?q75)}v{!W-ovlN3C1tr#UNf)VPdz&X@c%9F`w!;eVOGh_Jay)`$if~teP7}eZ z1I<+74`j?7hY?m5PC@3xoC(~0Hc&W970g+m#%Pv2l(Xd9r1IQ|H#krf06<|T7%OI9 z&>_=ZccOVjxdcXkw=k_xSRfea7RLL5Urrzrv;|i{x4#aMK0)D4l>1>0l62N^`lNi! zW&q+sG|Y)K0&sLlat9l;Dd^4WCDgp7pwJ~jW;*)xG#$qSQ>w7BVXt~%lIV9XA)xui zx~S9@cz-@e)HWzfZ>ZyvR_$i1J?grl{zYU)`)14+wIuQVZKf074@)lOO1^sTLKI4O zm`uTph;y74T|#u_d8!=rx&ZfxeF)wgY%@`+fFRqdTgs#)%f8JLhXgekAOR)hy|36c zg}&0@4g;(&P!|p_g9sOcGBRfz(V}M<<)Cm;GyRHApq%nQ@^ISjA1fPVd0Lj&s&DtW z$&NGuiY-?-K^1}AJ`QNZ1v0_8Q*cAN$*=6^ccWBuwebp;$8pcOjcLYudBr!#dkERh z_eQoP(WI3uxEvqx-z_F^qr@QzOgn}-(Rd#=G)P=fyrZ;8>s)v{&tDcvx?+xO+S$Zk zto1!Q`Ko#W+8Q$qBnF`p91Ahf*LkFP))dQb*Ino&L&PJlNd$}Sq@TbZ@l5a1;rz ztP9x^`J%+U2x)n5$%X>6koSh7%lc-$zHn1iXG0Yxu|1kV7I2uR&<9xW=cN!R zBd&jX`Q0cooX;%`jSB?*WfU6@Rg=H+tgjte0bSCT*`t9Kzefwe`lE`Z?Xqf8<-DOe z!mdQ|{aGkkTCAbI>gwH>BF7oog*XS}(p^_Q{~XqOeV|tQ(Xn^|CA3QJa;`kh|Jwn%@m)!C3wQQ(-!q5q_XtEdn;p6mc~ww3y(N?F@dof6`<@VMOIYiFiN> zw+)CUdpk?~njYNUONU{X+4V3Pbgnxyj|7VHNh3QwNO4_))vg>Ga&Wt}%8 zZ1v#F1VcOe{{Ks*`~hW{-<%9RmUm@9mj*FnFK0EqA(uIutT6FS@IE=iyL(FOH{8z~ z?%As@!Kw!U{05Z@gC6nx&%ysBb_f6OnEos4LnbMgbngH-@R+X))>OfT#~5bR+2~5U z&xNd#Kt>@yj7lNhl(S4IKSivz&ls)0}JZhfPgfn-As8a{(cYdIkskkRM#ClH_UfdnBY*7}v*Pk&9s3IA3sta9ruC>p1zn z=xu*R6QrSkwmQm?CkP4KwaCY4Ff!&rR0iM9@A-@juVj`#00>+)oA!vAZD(g)>Gps# z3f5l1h-Y6DTX1bcR|!MOR=%_Mma%5ZBjFN>pMM+;@jrLJc1TvMN&0bI_=F&R52Qlb z2itxCR>i`qHr8m0ylp7mes&R1bvP;W&`{gSJS12ydB5&yI}H6blga2x*F4xWUN#Vs zpK}7wQ~1Ew9;kqa!{W2pG|&9B6$l`h>*M~VUatD{gEKODTbEg%&95rw%VVp}sZ5F;0TuxMD4vOnfO{{#_pR`_g 
z@stw!MYNDa3R9RxrxobIY3+Lk;3Csy3!88&EFE&Yc_u%aqqde^Qk(F)*OZh91+}U_ z`%KRyY#7^gA~Lia(;&A+QSgKhm~VIV@5i1h68pp3X9qjyivh;#WR)MZ`(WJwSp!zA z!3u&_oKf#fke_6q{9{G{5);D!AE^Pk*8AiK;0H2MiwVP*C2iVAhKWL1uIG zVYblce>goQkUEGm>RV&$jS_NiW9z$RjBPlfxAA$7<#nZ(i+E+fd zwxi`1&rv?Hj4$?{T-bFBU{LE&D(jt+z`f*O&bbvi+>ekTrmM=)el|+5j-bqA$%JL9 zzbImpAwK0L5x-e2T0B!+iwf#GnU6BSg?hJIgJxGLy@7QfQXI$i2H}MZ;;DrS#1|4q z7iz%qy6V_B5APjLv7SqF9H%S!NVutB3Mw?bc3+wuIO$jKphK>2Z#*kn+V4i={USzr zNmnW^kcc~4Lgp2taEM^@i70}RSA(OgcapcPQg8eG1_0=@+iNHCNzo?f&`&Ol(oc;j z?VI4k#}!?QHKx#q*^YwAT2Hg)K9Eb5wkvN<{SD8U+v1se)}r3vpulCcf%>fOwRx^K zUk1(N1lV*=mlAUr?@RF~WZy2q7DYp*`Wz$!D#)zl2}X{&OpNQITH>aqbZb?;p7xaG z=FUkO2FK5+3wrmfIWmnPPMa56&u)z|t@nj{z>ZEicuGMi`?m$VDLE@-o)xW=NQPH< z9nz+9RkSR9AJhw`zBsB#|;zfjM@9znezzHhFSBW zVg+Q{E!faH*(zK>L&2ix|D~WCj_wh$MK6Y1p_ffnl3MOEb31{x^b=D!)|{8PLjv3+ z$R@;9PneYE_kEDK0#+R?8V7kJ1jA`s6GRSkLz0&3! zb6Nc;zCn)-$+b$s>`})2b@xN2pxGUSkQ_T{xbamkk5FK!1Zu(JB=#EVynZuPh-dEmYyrUy>+O#uVxBlJhn=%#CO{vbg39vDPdk2T#Kpx>#v zG&Thxv9cyt_GZ53Lb1J#XS5vzx-EJKBJ&IBOaN-d2QiyN&)?^DDMh|u@o74XMh6xJ zN$8FMalP-{k|W1u(AP_k-`0I+>r9x58*a&mm8yPh5!z9iD+In zcGcnF!CfvzvKJE;X?k}7HU%UrB;oDqXnH{Ra4@}wkw8J@m`T2BZ-OEr&osvh5@AeF z3p+*r9LE5)7nEOUeQE9nrDs1Ml)T31Vu|&h$D5do$e`-q{vd72KeGwW_xnd2zdwb! zX`#02E{rYgo-Vvn)>)UBgrC3_(`93!gni~{k2%!V9TzZbAL)e1BsLGXS8gO{3UV`g zje&M|S`@`Q^I8&_hcmi{AUgwogW$!vAjxsy;97)Ep+9u@4}Hrup8lloL63FC_upy5 zs|OBlOOdEl9uS{u;Kre~@+VkFytP^2V`I#nUh!8FZERMfpcWS%eJ?^`(5>^6)bm+U zHia*?*gH8GN9mOpdG$t9d|!A@1h*l(ATyFa4@0c)t! zS+(bz!J3+`zp#S>OAP$WAYx$dm)(2VHoYl5BzTizBBWk+1#CvlKAQ@z6*PO5S$`Y; ziIQoD9BitHw6Uu%-_Ad(ypFcTh<_AbNoaVF`gZw>Qe88|7|(>`@4daVyV5YXqBW3! 
zwGzl*P@-Fk+T#wBYY4K>{dUJ?IJ)vVZivCu#Y;o_wWCC69)P|)*XJwArpo-!W4ijV z_pSOAF|;?<_H6O+--@&e`x3WqPluI#uFGdAa+sXno87DI62TLyX9L~BdyvD^T=k~^ z&k0Wjkk?EKZ>9dZ&m*&j?mxN)gK>!!XF&uT!)4T7Xk!Lk{kSnz29{O?%b@@P=Xawb^6?ytgb%eQ7BnYJL>%dc!J$!L6~VCTceKmL2t4Y zKX6|FKn-14$?ZRrs-N=TVcz5Ge+?Mmv;RAC4Ff4uUd8=ml>bw}{G60UTSv_7@;JX& zoOo5#y=3H~@rf4X%4YW$7CZWpa-MH5r8Ot$F~5Cq|G!qeRpUW;{tJ{SpWnXu-|zl^ z*1$dg3v~ZS58U^k*tJj3f4}qJ>FeRpYb9H#*Jh&%%%=;8d~6bqj@kB$K?$s1JneR; z?<@UfQwWoyTZvDClv!X#4h#zM&SBBwU+U0SuxJ~PIR#UNbi-jzMDkV&=*P!I+a^;% z?|^zts4n^4qeEZL{Aj(FPK|_#<2Va-bFoy*gd4aRf4tZd&)_V?4%FFdCk19;miwqR zi{2Sag?RgiS0xYz%!w`QH20Q54D9EPpo|OSiY)Yv1nms%d?_3MA){TmxGs=?fMC7< zo&vl-sZfxS1g(FM^CB${yKYx&j<7#gKxZQ(&9%K~_*LK_!W4}7gA!Srk&I%U&h51J zfn8X|3BT~p%DCB-3~xlz+H-SbXN);njT9ELG#ZqV%C*AyQ%i%)g#ABB9%sj{#Q_V+ zMP(2@=Roa9TtQZS7%mfP)DcFjRmqT1)_vP>$e{bW7#nM`WT;bkB9F>ZN zLI^?F-s+Z0>;F}@YJ$qSM|*_vVXa~E#-3CgoLrh6JVk?*+A+v~XJ9W%3P*qH-X8WQ zug8%+p-(%$OMHQB)wPi_6`$`~8V&wS^oQ7MEOPPaHJ{?nM!+>7Ca(rL;7NMhrGlhf zhH2*rU{{zF@M2;(eUb?~Z7D%FNw)Vy^YpfA?z`f&GaKfLX; zYjJyv+C$d;cp$&7lQgBoHt0CRsZBzlm)NH>>Z565qN48W*P0ED$DV4!05wTEWdZoS z2+S--!Tfh{uo1jgvPD|Q&S~1g9#bIs(#$4i(AB>&lGGSDo_{mJ4fg!E3_a^mK`bIj zs=O)rVfiyI*?AE?ahr`PXO%ci(wXWdv*SxqWLU07tNx{(tQd^8|7vMknN(cWCq+7G z9*YH`nH(-g7}?~&{BuZgl*iv5l52a<#!qic3!tRLf1k~|NOd1d_AZ(5!iY~*a&1l! 
zYBB?0B3VN&cjU{OIS`ApR86xt?g+=BClG;$t9_ntUi#RmSsi&aznl)9!f|&UVcQyX z8&&KjLYX9Nffmh)(bI#TA-qObx;&w*i!-0X#1!d{Vo%k|z^?hB{?2;upDItGBPF>J zXmXk&j?K%*nS}k3LD%BRBx}6xY&bMzeT$h%~ z0W9pIo-SKd4(%k6AF8FZgPdGy^osYO`!hC)plB?k)T}IS zSa*jj@&qG_d@@~&&Pq*(SkD6P&SPu8V3y=Z=gpzzQI#P3!9a<15hDm(5UW%n1>l?oX+dLvmv z3gwCXf7XZnVyuCy*R15_&Zk=077~MJ2qh^)uErC~>2rqCqb)d3pEl@*ASd%i^5|yn+&@m?sDA3WEoq_6ALs_4t9}wMxl-k_Wt(I{Zq_xMj7`jsH@cTXn=d) zvR2@r^@m{U#&=DVP%98HZV_&QhQQ!uDe#w6(Ep3Ka|#kATGn*iwr$&X@3w8*wr#t6 zw{6?DZQJgiea@YSiMa2x9x5uTDpy3|A#3ITf0;Jqgzrbl+=K@P4DJ-P7|YHuHxpWZ zAC1!hd#c4Qg+Y`+g@=gaN5dzSs0W6XG>~E^+E1=am?En6k-hf!)r$#KYWW%z{R!fs z4Di<6LLr7LQ3=DIoO#|-Nieo*>Kd175ass%^bdY2DWZm)+hVAT(A&%$3jIic)d<@P z*nT!_Ct}cOR6Z9(`B5J>QpiQ)8XN-cK|DlQE$xuK+${P?y-RB^)>z?+NHAl5&FOC~ z#$q0i@d$2#n>beuO8s9rdrzS`DT4=rgkTzTXygG!$kCgD938{fNgmJ@+F*&b4{?Z4 zu4R$=Q(~un`z_2xMZ@AM6|LLy9D;do^uH(6vlE7f#ED>td52M8S8yKV@&?lf(7RR}IvFgijsP|X}r;hDMDNZ{bmWo*w(ArqwoW0W5Lvb6ycF{UkfyG5^n))N38%jWnUn7}17b#yP?iDU#vU2~ z1zwd(^uK&OyMF|>t@@YKxwQ+J-rVpKLk0+j;_nHe(p*gR(akO@fY6D!j=TQ^69{lvpP%Z|u+bePr3|^*92e32@^0 zst$jw*m@G8?1kNojw9ma>Jg<+FMYygBC`xHQE%R&tJih3ev4$;%S)Eu2iztGxHz{I z{7*IoIOq$(CmNMy9(>dWJ?@%iZP?4g^jFFEJ96j`q78UPFLvJ9CIlTA?u&3bC7WuX z8oeq(q9V@=?2Hm^&NtME?0bBYE?e$gu9b9~Kp}Yx*-v+HZj1QS-9>55kv6r8BDYjm zh3dP2I$?;^hl4J%)OYw!42S|BR@^?@NP=r&C~Zr zp_WVNQAcNIjhD#`+&HZsaY@$TE*v&umgn5IVUsQsLgEvC6VK=dZq1K<)Ewd!F9TP6 z%3}`-P;7}&O*k};SsZB^<>&^e{K1S|K%Qaya=qCVk9Y8jyRu|XJ1DOZ8#OG z&XNQciN(Io2b{V`ON}R_M`Vz(Uu9}#k6Z=T8rDXBsl0AeIRe%&Jq&-T17g=5 zx;HC0h+%x_!>w?N!rdtbTEUm%(dvfJ%1#PDmH)q40DEW}t1$^$&aEuBQ>B*d(aR%_3lmeg zrtj1jUd0_+0y2m%a+Rq(QH6`6ICr71zUuE-H@ff-+jzf1p@EQVr9w3{Z`)qYRc^Of zXsNB`y;?v=L5Wjl_*9%zst*T{Hy481)Ca1}mlShZw}~$8z_Af)ROPAx)uV(xng9nJ zbsi6G4_`m^=EC|iTY^W|j^|MdpAxQ+HheO#AP76dg=vrw`n&Ms^QK{!@c}v_L1673 zG$-B@<2!|`1gEJ{2czgs2~A)ZR?BN1K01s8=N>+rmkr{XWkQnUts;nTUQ}PP)=T<` zKhFp*uU%zT>p7!|fBr#NM5v-IU}tWYHQVPp(`^X1*-NJdZ5JIR?_^aeYLy|s4PBE{ zj90i*tU4k_rS$j3CX@=?h(Wn>b38pel?f27WG+@IqR~a%v^qZ+(OA 
zJLwOJ8|-9t%{R#0s4zgC55!!FQ5cj$h19}zToMrBDRJsHyp*Q3A;r9<%5eQD)`wr# z|Cz}Qt?jVRbJIrsg7c&xLO7|`<;UKzGa2IpJv>?ln`qigX%#*Ms-omGpy3H{xhzGG|c8;X_vr_~jk zzAA<)Gc3_6rVHgp9sNbBqlZJHaD0*|xC2B$9WO6>;87ndmsex-)bbtftwXZZt&xZI zA&u70#aSqu-Z|Vn@;pvGSWm;nN%8xILS>q}!C-Ec>KH&w+Kr~mf#sZ<_hcf!Gcd>p z>%2*=9}=4R_kTSjrd2~|YM#&#xW-U7k2)=8xymlD!2g?0d@%~XtLRf?><~J^4JHcC z(}ChSE}yHv-nVsa3mQUOWm!rY0-qu3M-<$qBWR*ulDVm8!Nmjn4^~Z8xmueo1UJD_ zt0|-(^NsOt_KNF}QW3t5_j0C!r7_@8kH(gH zmgeGBy6hNcpbGn?;_s-c=_%i;HT3k}MEG3}fX<+$RtUDxS&)Y4YjgDTC}z zK~cT+#CS9GQ_K04XeI1arlg=KD}9l=+_kzGx4{}_Vj?pME~2>@>BLyOhbxqsQ=ovL zeUQP-6MYd(A!1Mb=&HDq79(9hzGpSI@vi5=LaCcjNQ@E(FGcQ9zOWG z#4$`}7qr@hW;KB|8KGBsbAc=8vB8==8E{+g4?-A>&0m& z`~DroIKb21ejnJ}poHV7pI zvrd8^4jO#R<6K@L{Ua$ij^8g<())il-VfI?%sIH)h@Fj_nDgXzaFt znAOuz8{u9D-WB&bN=rbx{hA1~K51ISu@MgO^)VvI`63o#eBKI}i7N)$YJ#p=4#%Us zZ0%v>Ql)>+K{OSgT0^J+#%CXf3x(|%ek(8MBhK?E5A!xrXhCmpab`b0--QC3rH!^+ zoXDX$|02MLdl_u(yv2bo{;S1j`KrI8^&?uH1|2-F0}8KcF<32;rwcy)=;a2WHqKQ^4}E1KI5x1*An%zWMWoTHsE0VzPn z|J_5~#k@axD#Du@Qyn%etRV01+eV?EUdKnIS5IES3iwW&8Y)Z(JBo*X+-clc=yqI{A zMu3ym1o{zo&(yqW?Hu+iTm!V_uWs{9Ra>ICuu}O*QqFu@&@#N4={jHW>pYDVU43EU zDnp8#L&ui!wE6n1gF%m%kvGmIs8nW3G#-!u-q!Y_mb&X%yn_DA zF0_U9TlRD{xtC5g2!xL-#?Yg*y{Z>kh9_m)$PAM&J!_Y9Nl{+z($b1DLWH@vEf z4u9hgQ7i@NV*Toe4aI(c8wCOt1>Fg$ACQ`agA*?fi9VTBP6dg9y?Sq#LIgX@v03E( z0@3fYq(BW3uF(a!y8DfkNQK4etJVotXyyaqZ>6s-i?#q#pYmYXT?w)TUhN%=YEQ=y z2>ar_e?m}Jf>$vdq$qjvHf0UE&yNLosMDnF=`2cBoP(K$=2Ku!4MWz03=vh}nI~ND z$Gd$*hRFfIklaQ;gA(0I5zJVKpYggIUX%jgGN-3!+Tm%)AEKk=($Xhm+X1koxzlI{9n%F??IS@l-DaI_ddIK+gABDv2d8nE4{Rpv3k*0q{@H{%6?qEfjCRoB#pG#zwKXHZ~bOOy8_ zxWcHJu~l%8#Gjimp+r6f9>)eUyHanQkV)QNwgai})56Sw2(s5T@~-w++RalOoovP4 zF%EEJ&*{OENJo%FdJ8bQ5o~X=I)X9Cn3LCilGV-K-@$_AVj*)0Za#2&3=p6O)n833 zMMNm;t@M2zt#f`fH^$N!Je7Kp^BTZ~EJCXJd*}N0TmPl=5XJyqHa8Lf7+J?&jE)4~ z>}-K!PO8rw*MG;Vj9Rr@JZ=xmxugRCC#WXe^>Md`fmpD>=!*2=SsGDA&pU4Nar?hT z(}LV!(uL=+!MV9d`i_6cCY2|+pFmZVAH(M)2(2h|?9-{KxtH*nf44xz4XYD=Y9E~< z*6n7dP*6y4LjWM}B!9^VR=MH(Og9nG>)56?B4Ch(JKUT2Rb$?8+DtKn7m=@<#INbO 
z>sps;>UOVuvklB>douo>Q{IF$7lIVpQ$lJV1V2al1B7X)yab0Q7?&h8D@o*wqX3b; zc@1L}3jlafA6^>qXL_0cL9W3MpU`QeL7bPjF) zW{9Z+FY|La524;CdG@pVkC+TOKNGjYz4=M0P-h5mn0%9S2qjUnm+|~&dteBU;lg6n z#w_T#@T?P6P56sk%|T-L@LZ~j6JbDtP`oVb1pY460*C3wa03$qT**Q^1r#Xa2uaAP zpEd+|9HLXGwjKk?(=`6&qyNF35hYA=P)|GFmAL$;C?S*t_u3ipwmT1LAshf^0Ou@P z?M}aOEAh{g)PGzPyr#@)88Y0iTEY#jTIF+mCz-bn`QUDlpidGoAZ~-T!iOKe0FYep zE=PO-00-^s_1So?@P|@Ppj?qBg%9g#>H_|AK^7x&2{=`p9N*7T$H(`)M)mm%2`5Yr z8fvg;gG}`kg83`PUiS-ncD_cU_4pw99XOB^114j!s>pOAj&&K1#3{j(|KiEC!;cM^ zj>M@U(}+0LrP~qzKV1YuAXjnz#Wu(lsyGI0cg9G!d0v+5p{Q8zK0Ol*!TquL)F}%y zGId}8+`pUZOeUkF2mWZPQtAPy@z@&f?e%EK#W^?u0YK2ez- z|Np7VsYtH<3j+X8`d0jtn|kv(6=e=^oY3BZ=dm)MPKok3AP|vAZt&0Q^5$+n+I@NZ zbmcJ}J)$Fx20$3~RzhmE8_|K1S8`Yv?S<2ucoNK$WWJPabY=KSrFpD;&2$LS;H)!~ z0S`7#yPbQmtLzTvL8s}2l-8;;>}#`f$h+3dq7W2f!+Xp#rb5Asg`c>Cq8~8dEl;xD zEup4b7xfplsE|PJbD=WFL|+EbAY8%wkZAY!R{uf6N-XzdRE=Mr(t04q61sJWSlCQx zFA`QvDICqXPcTqs50r&zjTG4xsbCYGxPY{c#~OA8NJ9aNq@8T>x~;qHyx#ZS(y3ICGbsg(ZlZ1lWC~_0VQ4{S%+Q zMS=eaA#YB91My@VZVpjmxhjD~$>s{4H&T;69mM@=VKkrod;(^*=FA|zJ3-T0E^NId zIlu;}LMgw&;Y47K<60uVR2p6J0Z}MPw%P&hS1#Pa+h8^nQV`?kmqJYINs^KxiNUN{#NNT_K{J`(G+L49`Uq05&-lg)A3CF`Kk1VX-Q3Zb(uk&cp zBknHMNaQU=d8%oBusO;wW~VTZUjc0;&+2*FeHfY(sm#=T_VuVU&_s>JAp`u;@<2Ce zn7+Aj_)yshhZbsXGdILYDrB!^^n2;I8| zT$IjSV(rX#WUw67A;7pW*Kho;MBuL{mcCeDosf&y2!PS>BesaQ>QjX!wb-9}KkeT} zC|P!-kJzi*NqHO#cuWya)N>rKa0*)LgiPl@k2*A7kf%WHv~Y&y*R7gVNS;9Vxg{Ow%u3=s=v*k__&?ib8AVv z{qG;3^Kla{%#npvepk|C2TmuoWD9Yi_oyGxD-Lan$5H;KRBE++v*7Tpo_Ju`fZ-cm z&W*i99yps%NI%;X96k_BWJj)YN)dvbaC|><8tlgF8*Q+F(3n*YXLZwbyQa}M;*JSuk1}r5=(XIEEJ9WvNI)03PARZKbC_S&m8)SW1yFs-I#LJ!!3o#k^udY$XVC zro~n27XGb76UECxNjCFrqev@0Q){&7gokE&s0)|V_ndTHy0nAz_@!sv2M!gQ%V-^D zg$=R8x`9TdVN!`oOjwQDiSQgGQ85pg$@O2884k&_*9;db#B~_{R<;Ulok*Y z^LQ&E&PFot!YAB6mTl)YS1x2D|JAB*YQ0<9da1(2Wd!C*R^Hh7G8RCh3eI} z#+M8st>^MEzj5OZ@asKXT2J3$q!~87gi@jo{1Dykqbjeudz|Le1jmV2x97|Mw!h&z z=*xCu9N3!#$*9iNSCrpG1=>j{&%GSv((x}31-rHeIcm5!d$X2&JRZvkudQ6uFH7lr z&BD$0WNF{ZY0+CtgBDX5zi|?1>gIS-v{uu>2g3?6@^oQe9K*3%@>&G3eWN`Z2GOwK 
z2NT?9F%*d6G%AGbfrqXEuB0QT5ae zkD)0;BN^;{b>4VD7h-FQ2!cJF3{an~K@B{k{MY%ge0eeid}&>rm&rnN`*xvqXcWL; zE`d#l(-yt8*_8GS5xV^h%ZtqrsH6FhinbT_zt17?HRIdUA+2g6N@_EaW*Rd#_prQz zU$h6Sx^US^5JcplNeB#+)-Inju-2PL%HcWzG{lPEU8vo^(y9uuQgNc}m4;|)sx9%O zOL?^Y5UtOt$2$k<>~Bu!H+8oUc|S1!V)hcdA9xI^y5`yA{%}WXm28Og`Dy6-JwFhx z|0hzG!u~f5#uo{LA+?6ZD|6^zo_7JdBfPuux%~iU=Bj!_ zBQQZHU$d3tgZ=#xI-A#Kku8;y2}zIKLx28F)MR1`%`P4FU5IQL|LL}E4j{^^nva*f z2{RqDmTRth&2VBIut%;3T_)A0>os4m%7M>FhT z&G@E%ZwAg;$gR~;uwu(;4*8o2{2hlY&@so6kPO_t?=5yTsBSE%MAWmn%JCYvhN7~A zOTf|G@wKjRi$7;gr$9c2DBhD-qkJsw!>7zE5(AM#38E>87CzS*P?@<@H^H}CPEk&W zlFSvW6Zz{F{ac=zg*wVgp5Yh$qr!dfgVnJ^y-9N<7zHUTm%1Gv`rbIaWuOF;SpqTX zVYy1@4^H9$$i9hP8+VNhoy6kwK z&>;gL9$pc0z!T+DD{lL8(VsagUqC+1%?(yBG#;n4WN|s48pWI#M&UKAV*-9&3OD8A z#wL0_POpPjAAU{2pcdd1X$v3ZSnD_a??T3&bQ{*7+0qjgk^uXRi$19 z=9*De;KV{P3S;o-loigmC79)tueIC=ahwvEL*kIr0@QYo2gHGJ)sYtTfM98GSlT6t zR?-uSOJ0Zlc)=9E;n*bNG?O3V_V4%M!;)0WK=bWC38TA&fTzDwl`->xN(Jh0{5wH; zC`JoDc^HEc4*L1_vuuUt>W*J5Zob@Lt9Fo3X{(Wo?)%gA!I0RXB-in=_lrSAORdq=6A^z z`n}$SpW$z>S9F>UB|Uui|MR*nyaw|G|v!U_HH-pDtbpCDZ7OuB%bcz>5Pcxen?y%71KT_qqG zeUILb;8tG>KR@zt1yrK+n@t`Dl~btbb+iJZfwG^>(h<T#zq+gJq5SRFU53>2@=ToA9R2F+t-;A-@6^>)i z6b08UE*KUPB+dw-Z=&c`Dy+NWbHPn4{V?^D>>JHTGVkXlO1f!+WLbxr4&^Rhu35bW z)^@f>bc%_UqA14ZKneK4c9x>P9OYT92O8T?Qs5=ZV>$D%*ZgL`B4L!!Fz-<8}_GDfwA5uj)_EdjLL8edKm|y@kx}8u69pRJ)ifR zcn*U;T)LCurBck-M%ln~y{7Wb0$YH-GzeN#4T*D$eQH~z$*EMpf0!VQg2UnM{IQ@| z=h9R-6`C0F4`)Z(u=W%{EY~#o`btCsN=!HkgGJ=qLXd8hV^L)CC$jQ%S#4t`2R=JD zYjeH}$#v+ZTgr3<)hWx*&4@qgIJM~I+0TZ0yPHD<`M&_Rc%TuEPOSa%&(YZ0`=|Fq zsA2|qGnav3P_->fe8(c{)0CfzMR4eAyZd0B4KX#eYD6H;MYhI1?j!G6L737VjU56J z5r6T4SY%%+*xZrWk z95hFMpx>?LC261;1Eyj0HB-0RjWnhvfZb77q^4+f{O+huWlcRWcetUXh=BVlS91Gy)tvOk7-Wuwdfw${RE=tKtk7U>Tn4 zVhnTaH6s>lAFjEPEJx6onczEuK{+ zmk#g--a`VW`Oi;n2&lr#U-MyRj!(GQigcpYjG4{w)h+S@F?p_KIR_-SO#y2ja*sb& zZCzUeed8v|OyiJZ;2tYJCiLz=Y+O%NYF%lz)QV_SErBiK5ZD(EFnAd%o6pl`Ie90t zlNIM!#}8$u zoU@nRX2C&hfOm8{Sk1XvlA*eoDooWTB_{!<(A)ao7er`$q-ukh5F`7fqhpp?{SYE 
zmR3jGhf$n9AmsPpGvc-DCkh{@j?b;U3j{-uw`1DyaCd56l=Izme)rd#$BQEQcQ&nqBVPndKJ1` z=q2fnQVzCyJ@Uo0PZ2_?nhY}kk{_1&^~N2U4!F4@P&VUbe2y;MARb7Q(H=ldy zAaP2zA!mNoC#oSjRQ_fy*Va?gSx+(dDlJ;0T<^wrjm|PFuq{5wWSpIM@6gjR;{x%u z&1jum!8bVO*Jf9|83euj@)tWlR^!1sF$X3SyGka!BWP=g(jWAvy-Cb^%fUPeQJnj8 z&bIf@y>vwhQ2dL)28B1b0-zGdvE#lG!<9TgBh+XeL}ne4{f+g@vLuUL@yb4Dveb!I zijkuk_NhC4F+%^+X-cJE(lca$h8-IAu8sv-T6COtdM5v8+sFA!tn+n{6>t}wjHlzx z$I8*<`whr$Eq3fex~1t2KJY`%ifhHHh@6Oe*%G4ji>5M34Y~3M?UL-vJxhv&02HmU zv2hVqZg72|S%WTcWwCO1O+!7W(@BLEGhi|3T)Sg(oWvxgp2#Te#F;E(zQ`*b`?vuA zg8Fa#hqA%Zb_cPq^oE{lIWAQEvjT>NJ|fm~^bUwei;3$MPi(}ZPklrq(#BKW;2l6A zli>j_B=uwtmpv$OcsUlUmRDOcZ)W#`j{~z> zLBducPs3D#OOspUo z?C=_j%OXn>)Xa>dcZqQo2S6f)2hI`O?Ybn;%)kj0q0oFj?kmZP*5SeB;kUol-%646 zKm-IA(x~)ke%5e=+1&L`jTzlO-;*BE?Y;{i6qC z{h!;w@-}K&=p_{0SozK{y;)i3(-f}=u@gqxM;??zQRdDhwBwqqy*A zt_QsU28A`|1aHWo&8^;KvUasN=MVC7K0DbI|b-2mhDT+H@e#Hhd-E z2JB}5GPU(jHuTh_?qh-Tb*3q6deVN?ZR6Cz3?=Og7J#E6^dwJ7$zQpA58LM+e%%~8 zhayyf7!hBxkZl3*cL^@__*jvK#1w?iZ7<-@-_SO@x)Icv_oz;+g(I&}b^#ygenbCl zH4Av*=`zsjYpPM4LK=pQ+(Y!e+o)aDl}+G;4xBefp`-Zd6l85lBxQSA!+N_#xF6Zc0)^H6IpCFE1Tc{spcE(pf~ZKX^v&p9@y$maui<341-7 zn7OKVrr+04bfSIzl9iZVXUx)~bf5zXvgRC)V+B|fqanIX*O#w~zaJE!8-l|XUdOk@ zBEM!ydX703-Y^5trr@#`oU~^(R0$K&xNtHjUAMNsSw7#3Ik~5jyKr7lXL=S+nqzw6 zzpX0AYJ`tFeH@M_ zqX9fKU#cd)87OYx_v0oJVdQN))2`y0J|A;C7oFABXzY|Dw>asa_m)$Id!d>ln0g-6 z9T3wPV|4M4;^YS>A8v^nupfs)-47atUf(TY!oAq9@H_7T^1C(G-_^xTDlJj|%DpL^ zU|t;}C2^@js;ZyAmL86=vdhzMal?1(KrGS%{C&f?zi@^E$;ux~oz@=>dj#aP;534eM%g9}as(o2>J;BODH+d{&BZrsPYEVb-)zxGFY(*|hUbUzN zm{C<>Z%{}X12MZGk=FFus}*-Hsl9k(ms$uHVy`6|5X&j+oAPt>GSpX23#q$emal17 z!gZHq@)D5vo>40*yT787PYoQpJ5EGq?8geqK`~USkXm5{V_a?^bGcnLaVP-Ed$NpK zaZ8mW2cC+{F7KDx?5jRR z30elVB9PGSVqIhK>t1;>%j??ut3~@){+livljtV1=2h#4u)@IkgpwodF>tfOZpGD# zIa?M-NZiq?(olO9;Sfn}gUM^5&|DXAlF-e17Mmn5MK}ef&DH9Wn?Od}i2+I7^=_0_ z-$&J124MIGfGS*D@ZOGap7dF?BD82bza`kGnZ{ASFG?Gn9e*{A)4kA}vi=5VkQeTyT0dU-LGNAOG9`_xZ! 
z*WgS!PlxaWoiiMRy>W5;n;T`@4&_Ity zNI;+PFE~L8&ES9iIcMZBU;8p`F7%;NGSm77S22>=qN&rrfQ!=HN%@`Q^d_x_fv2ZS zI~}lMo*%n8n2slTiJ46 zje19aOU_+J)ei?mH%kKMmng?i$pQ(=2wgp`A|qLMcaRoXvp~Y5y4yA~r%O#5YL=Z+ z3gM}lG+d1uWoSr8(WkDwR%jYgX5@BZ!aCn8!)sl!@r6$({-``YD3zKV>A4r={jek& zZUs2Z$%9=T6xXVlmcXZTj|?^f$nNai=@;42KneF$i?Tv)tUbwD|6QK;?+l{QDz8}RJ9 zCTT>iN+4#K8zq_&2TAdgp-kt8STNIejddy;3s4ei1}DpPHe#S=J}hj3-SQI`Cg9r} zOcp%O6*p1{(rY}3KaU_Agk>p&sr`n?-meM^?yH8smjj8ZZg&r2mGJvihYy!*pzV3h zjcHR*PmO0LjQwp$&GlElI_YkgaLMicv&H#Y0hq@5Qe}x;ps+X+REh5Az9rMT>Mn3u zC~eN#(Rds6o7KUSmvai-Z2{u}({4Bq0n=;$M({)P0OQ5et;&K}3oo^yKbJW3mYWTy zH{?kJ*>~(YknkJ-B;U{X0FUY%Ay^zDFdJ4Pq1U?Wc^xe&y{Lv*2dIT{)cX^%O@4#^^;`ZSRKs+PO{9t#ja%yo-XwK-rT<~tu1*R2vr zJp!d5isSy~$#0CVQ$ApjMAD~}qg*xob&-lik*tH?Ovwh860ZKf`*C`RGS4J(FVSZL z9^4Z0@mDWT%cVn9@hd_fU#4|7`N7}SNu{=eJ(mCDASCIq>gKCa_rAhu-SpbzN- z-~JGkTpn{m7pa8`HyHzXMilAuiQt^L81Ezjh?Yf>4?YSdm`DzA%TM?moLl)O>mSPB z-s9YHnLk1TVYsWC1uex{E;-Z4Rb=9|94HOE${GS$zrJ4lHyOkNE^2N*EnJp9`ff5F zb`1f-GApe%H?i~!=GOX?K%|T% zSzR5`SYI@vjwxMaORyVLNKDI7W-kG_LeQFu4yHct6&Y|{2zw6q)h_H|tYKg4n>mbK zKxiEimGc>SZ~Tie($mlHl-m*h(*_ya!7MmFAYU2&b0l850fOK!=Vro8)3C8U_8Y zRD`AD_hx&%E@c#H=s>suSKlM|U$mS=^+Je*m9d7!O`fss3Jg~IDF^O=6D@pkknZFC z@086$cS`!fK}p5b-@3~~*!X4eJz-RwMNM4qDEFc4uP^`^xBp;R(MG8pXL@+L`v-nF=9fJV+vEUkEFa(dJjj8-+; zzCGc}W%{^Dc(fU55uYaj%Yw{8iyJ+Q&&ZR%72M7}hL?X-isK$dp;DrzxVprILqb<& zxv(O@M1d*8)b_=@Uso4AggKG|_ho{(qn^IIA>?Z>i5WkunQCev6Fvy18pyPPbrh$~ zUm%*1C!&yLS4SvOXHP6o<01T@Q_15MblCBJq%8Qa!H%}{<_~U=CHXD7Z_ag$EaE+ zPymHc^QNm)EM4ZVCFI*fu0Vm`L6_OvgJKO0=8$GMg%bb~V#AfA?GrpDT2tji^aTug z)FuauzyV@A#ml**g*n8hRIAE>GH10td>&l-CsSQ1czEuApGoPHW@6a=2wu*~TF}ZY zACj)6ug<+1O4}7Rl7_W|?^N*VKZ$K3d@vVA_e(WON zP8nAI_t5{|fPzMri4BH`r{{T{OW^ z@>o#&rcE}zK{HZzbl|*_u}SrL8~^8y6Xe)7oH*<&IgAwEz__!Jdf&RpCwp}B(7-ON_K2x& z&@VrJ+G=7jR~vTzwfOnCu>DR00PG(4dj^=2$vU&QOMb?JryrsQntChn#56xE*hzI^ zn?%w8NYx@7Q4<2}844;Fh9bx7W2sbt-TcRLY=`FZWvifS@I1NOn8hdu`k1tXr62m) zz;s)GmVW+aPc#(bhz4uTEXFMDXk_kcBo5(lz`>fSBk%tVM0(BuqnGj} 
zjY=~vnz#o?-YyNJXx1DvA@WLAdrQP2(YGWm!n8LA^pL8K{J$BfGSyW^PP;%1IUdGN zSKKrm{K@scN=VICm?bYDL69b40JZX(@^4AL?H#DhMi)yg_wbp==v7|#g>ASTlB3PL z@$mJc+6?8rUK=!{Kf+MP|3ryJbl%{9e#0EVyi) z_Y4U;@bN;#5{~`D^d#;-NRuy&3X9jk@iyrLQiR9Er2fo+GDuc*p`{3Y#bm*8r!j=5+DTPUC^7hRDX-s&D5HOj|2`qCH?Ey2X ztxmS0!&YsWN=c42 zcL$u*CUU#?Aw~Gh{4cB*GLnDL)<;Cjdh1(e_uQFJl6j+Z{lepG#xhle#u*wS1qnaM zb7r}!ym4vKeNoLG_k^6&#jL=NsHvg$BLILfeCi1(_NH+)>1&UQWvvA)dEr+?i%T0d zLtl8?K}tErHzQWK^D!n}g=Onb1%-&YZW?(lmdyBQ%^E_cXD-A`SnDWkn80iv|7B20 zr>*WKJ(`9siGqbrnM#8aEXcWC_c5zwWF^+tHtS}pZP!%31`2cHdLJnaM8_{)ayIz? zY44qSL~Fus(Y9@yt8Lr1ZQHhO+vaL}wQbwBx%<4|PEN8f&i(_ZE}mJbRLx2%Glfxe zjA3$xTinm}%UV_%MoZUw7i$fN_U$4D7Yz+yEt`y9OL@$v&0P6%L2zk<0t+^oh4!$A zfVI1;u(Pi43J46Ru+q;?_WpQ44BQC-J!m(~B*OKx!YLvz6jVuo26{uTmd=jVKk&2F zZh!#5!>nbdE!KSl49CoI8XFnp=)FQA=>=$#%jpESDrjIPUq{BN-%kqc5jD=rlGptMV3gd$LK$BRPjp%v#+9aJi#+AiWsk zK7N@@nte`Rmbmi5%TJ^_Ss;r!-En&=_&rHakUk0Ba1^ZmFP$bos*8e zhOr|*ZJgH&#VmE(y2pjSk)$x-&$u_vPHp1Ta4V_3uwKVOfz5PyJR#^`M81WOdG>60 zEkY5Qw%>wXLw0lYn@|<+f$rTVh*#UdjzJf9+CZAG>6bn znHjj#*vj6(_O1`A<3iP)>o7DZXzi_ri~v9Zps7Pqx@ds~u}OFy)NqyimraK74xCH{ zsyp8BiBtUv;6MnSpZf4@C>0T5O4@fmyDuR39pLQw7wvc#ZNrOd(Hd`wEa(ax3`Hp( zDX_)zXGB8^*9%1DGpR(yx!+q3VM#AZt|k;t0L;cXmJL-qwvv`nd0a35khL_xGzw=o&`(~A+R*OC(V|oT=5k*cX3R5*16k3w{IBgS;uPCy>5|5E>Z~ zlGzsf-?))l2upOjkLo;pN~@{&3n&2G^HBXEcZU_7BQl9=8XDLkzAg5LGyT3*R4kOLW zycs4y@~W4J3{p&%*zRsT;(%C%y=_Aiyyp)Am^o?`CeD$Lzi(S96Jh=}o?fg1E$?7mB9<=dyWC41v*`Y1$gpRWGFJPTX? 
zx9O~vG)GKVOSP~H##~F5;JQ6KD2ehRIid_p|7Y1@#wX%W;qHu1h>4&T768Fsh^R|8nrV2%Z*ORbhZu9NZa`gV}uZ?%h()+=;G>j_#;oc4b`dNrU;Sj2`3H>7Ivy4w3&hX4r77I=W zFNrF$u9CGRK>j2J4QvH?N-dyI!oWSvA%|K}U|&4by}?f-@&4MooihK;5-Sf6csU)M zGAW34VTH)B*OsK2i7cx6xnX<}5R!5u@ux2t@-)-a_l1U+p*JUCOx^2QPJH#*N zBcUA~NnYfRjJ^tUb|$mbxi;oq1}|gqrN$7l_ArnFR@A-G{N0Ot%$6wvxHt4o3gCGW zJ)<_eHoH{*`Lm6!-!TyvzL(L`e@zG0C;~J8yn9Gw6lc2TO7`$d5B0~LY|9q?N4MEq z=z<<#@?I3I5MS2GXyYXl48bB+Y9{?C67T^&Cp(R}MT~kQxn8n|mh+=x|8=lnKY_;) z&ql$gYAC8HI$;vahQk?lX2m0g$fQXRctK1yV zHi@Ol=d5mhn?Il@#8)*Th${U4<$BF~a^FU4L2Dw9M6kd#x1a!DchZA?-Zp`N^V5>1 znm~mkhMI){YNFW4Za@>G%K(UU(!&NI6!^K*Uqcy!3%oTYMl*~AoNkH=@t{g&6U=+> zkA$JpcYoMUcqNO)YqjN(kifbONsT6hj@M2;=#53GcBq15TX~6tI z?CY9t=2jo!4pk{uvI@QDA*6Jg!8iigiBL;bo_9X?tk8utp~UEW)HAjfk$s4vwvaZn zK2FlM8y(*%i%rYU;;b3#v1(0$<%U)kMptF2V0asb7?aefa&;nCMdGq4om+vFt9*Ys zVRJ4@p8C#5l7L(8ENsM7hH9c5e*|sFR0~0efxttXHurz&fFYsL&s)AoAP08PV$M~Z zQ}@Vx@W=Zd9t$!ukI*A3Ay9g`V*nAq5(dKW4AqY* zuQvttfi%+U^vE|Njf{o9KNw{V^%H8) z1L$OQO72&6L!|*OqI7yBIO)D8v|}RGI92OJM(~1g&iC1t7p2pbx)R{ojK(j~fAAv+tW{X9*}CGP)hlWg@`NLuUb8@q6Agyu zP344`)c^KJqB-1ko@c@~{nhb=ka#K$4SI|Vo=wvT{tp!Z05nBjS9*7TsPMH+=MBE} z#9d?fuo#uGH6P_H~+QDr>!i%|JA;%&-QLw7$z}TcDed3 z2ekQ!#UpLv&Sz;cIQmzk!oa+rEF}0pmQ8T}d5+;IUZK&QQdk#o0U-1Q_SVRBN=qtr zznDPp|7R!{6Zlu@W$o-rzkpcRp~RU}ERY{`@hJx$j2zo1#P@9jqHZe2V{Ea2E(|mj zOT$jcg^%4in5U%=7{^n37i{u4c<)w|p&C}w2NK~PLT_Jy>sz*Ogt>{*i)>kQm|&jA z>1L6zm_7B+=848oLFC`K(!X|=`Dx9 zQt0ewHbPran3A=1tuyZe%EVQ*v{6TPMW3`9F4nrm23q=!L)r>_*qoe4fENl*(lh|hpars!Dy_C{s3q&YQlxOj%9dfu$ah@L}00y@oJo%3{%nfr(qNw$L{|aO99fL^mTzj*g zz_WuZXj-@1qYRPCOTzKM>0%*VoAyJ}W!R3yd=PQi=fTE5JDm;!^)3q%*7U5n-5A${ zr>_%>yPwfze!PkynN8aZ_|29GQ2NCB=L`V@jw-Ik1G|sQZRt zenU@rTZFaWswF^bjzPuN?y%p_W9x160FbUuekv(Di^PC9>54~IFVaihR?`)(q_3@KDu$LPJo>C+|TfGw)fQPG$>TnkYZFCpE; zHKxd~(9c=wSsrkrgC{d0`iwfYx!Psb#31xv!TO_cEQOqPr-wA)Wy-u}1-8KdkKxwJ zFjIa;>XoD>sVa-s4=ggQoQ~{Avgyr?-^TVms(no?3 zqle*NAhB@88=hj+N|y_*01b;geBpDuNN=2%7W7-v9W{!Cbe`#&`t=#^9!T0pIm*D_Fo?;fj+m9}1T0`nITkA^+%koc+AZFmbn=!zI`lqWDBDNs|HY}LS0Govzg 
z$cSr5daVrgh%Ysi&C;{I zv;F-CK*+v@6lkqv0UOOp-apdXX{=Y{0*4fqqbxtDPIIC#y9*{VA^Er7%eEu+P>&Vk z@-jt&|BuxsJxK(hZ%9gLDlvC#(N){KbpTL{zzBGAe|1e-mK`1A@)O`|(WN*G(!E7N zg0h^caVmD|_5c86qaRu14Anu+D&J;!IO=^pw;t~n1!FpZ-Sq8siudiTaOH0wJPB72pr~A1TOk-cV zxBvn^GTN=3|(gpMuTcys0QufHaQ5}tiVYE&B~#0|c@1D`Qw>?4364XcD+;x)_> zfl%EcI1ubWgQfh1o)?+QkeaynzkPr<`kqfbezu7KWpzHD-7xWx&KLGsauQH=&zVOw zk00(p-b6AVt*P4I>BWDKR^1GdF>u4`9DSOgh8}G*s2NjlC)t}0n@57EBhVA=M-`{B zVd*2j0w@VJ`GUv}YJ84I*0h#>QG3(WM+zEYVh6ucXD>f10G{+@)hCk$hox}i#B3dWuVQ}z?#3J ztP;;Y4)P*S67igY7LHZev!w*Pmm<8zHP|DI?(4W_qek*Em&RlFhFbt<%B96 zxf358&lR7+2rCV_v0xRFyHRICASm?XE zUBj^5sL>`Zf}v({#0NL$+c(YRp{1CNMSGOoa|Kn29wd>$;_W_kWVDT*)L2LW z0->kalzMAu2crKSy`l0vuz(&iy_%H>^z&bx1ewuEjDI^CQKS|&T0rNITS7b|9Pl%D zO@3j7UCyFl;`|(@{mm7RQ&yGeM})`-P^oYrvuxoI3bPi4U-*oS`$(Lhd-nen@}BS8 zx&Ntl&wpDv$F0RZM zGho8L;=_;BRT7$~t_pA5=Fg!{|D-OUhvVzpaJiko<*Om7niQ z#pC{kG*;VSD)1s_#($IZA+m0@m9q&D6B5>jm}4z0orjRMa>he}yHSR2(VVrD53+i{ zicmi^I;|TXjP#@4WyW^Ka+}*k8WU&Tjk5;;##~!S>l%L$`%|p@iw86ePG`F|8xC*tO_ThkPTkvu)1_KjF(8{^m!@Il}mtcx*XN}W)b2(pV83v5d z(5=sDF2~QQvuS8fHVDbuddV$;o|nBREEyi_pCK8v@v2l^=&Z;zzD8EK;E!ia<@+Z1 zz5c1J8A#95&li_#R9X`q3C4qWgx?A%o<+~SusDbjeTbTf_ z_{xg^E1|{G5C7Q1Me)nadd@q1c2-m;p!~ZkQ9?B4*9GqZ(?M;6l%QaA^sOZtDSk%I zlyzr5ZwZn4E{s4;3~Spe?#m*>qoc2^vCc5yGL=U?CwuK$PGAXBIJ#Z#JXwI0DE674&+{7oYV|*9R?xsjt3US*CV^MXUKl7jrZ*PsPfnEYtJa7Ir{Q-t` z5E4#7au_G(${~49%#EWS)bh+Cgf_tMZLLMhx(MPOpcCh#w{fAg;p5{?5d#0)z%7la z>?_+c*$AC_zJ7ZtUgBWG<>K8wOL=symOScOTe`b&9;K&!yenwNjyT&uXL#JLt%a4| zt@*9@OdL+Mzhl6WjT;9xAx=8OYEneY3H3?$7K*3^1J{DRg~{a&A2DIm?k)>GS4k-e z69)EJ6yu+v;l-W)3kXYfoW{mCe7LN|tz#eB{->cE!<3tv3x3 zy>nDr&4KSlZ#v)H$+cGHCiXR?Fo#FjOQ0~x#odYb(oo$*O7oRc^^*l3ao))i9_Nbn*ci# zHa32O0NN?s4x#W?#aos)P&aEqq5`9{f=|mnk($I-voHUlCB{v_l6_J(aOG7{XDhJc za~r&utg5)3H?dSrUlrCQWFFhQhU9cQZ?4^U#MCzU<40-v_%r*)y*9hrrzF8`<=&U6 zIww$11iI8qPxFmtE?Num?!u>um^#ygE9rgSE5KB(4PCBAoW@Qg_jJsevIjx?4W{HA z!boV;@qk*~oW<&3*pMYrySpAf$oYg;{jHR3x%4vF{rM5Qp}{#Y9}tsZ>VKyKUFfMD zf4KR36d{uPfF_1?S1J1|AkQcdV$A`q 
zh6_CC&cH7J=&}-1?ET)zdB+-=>pbjVm=eIoc_+cE>5W#QP4xooCO5?%e+0lYWod}Zph>R)AJ{kKec z;FWyUCI1d=7&lv}Fg|gF^hqM@05voahlkX?RVC}=k}lGKi#%W`cRt*~Q#+j_XXa;w zgzz0DHE|KMqT+Y4EQ8{+-@chUHo(+AYoG9kYYJNl@gQr=Gsz<95CBht$i^F|K;(Sw zT*{Js6pukzYF~G+9%6GV(qwrpz1Z{t;+k7fGb*s>eo~cK-!mRvLf^GRURM=-&_Bk3 zQ8@RhKUeI4bkI_ZvKpkwj((J9u6UT{;&GHKa4pu@oq4P9@=VHf+Tj@cHHT6bA8!Lo zJ}2ud#E7Nh&vmD;e#sdY+vg#880491&{%K3kFs>|1)+NbGCR=-xpw#D^PWO>7y zqKL3lW+92?O3w@PuMJHDEDK3YLJ_u(dzXY;ysU&0-US)Cu9AaMHF_$In_fc>nHe!dPpN5IlhPqxe_WFF>wG%{}T}#`sy3`4f-_1wb0)Wd2-o zV-iy~v9Y2MRU;)8)elvl+&%}yIvv~8EfFX<97~e+)Fi)6HCJoH=iEWfR-D9V2X^^v z>??|#J{=rbMbz5hFpi+NGLq#YB47<(^NCHOpB|fi5pXDr>V|fdo)nLgblfn`P>~v^ zW0R=eqDs*KwDw;sX1uTjZ<1u?3ZWdJm3eATsU?xV!`b=OcwrO z0)Hzc$^SrcboGCPM&4hp;tCMHKjk{n1G3vr<-FRe#bUFTm_yg?W9g%j0k{nt_>>zX zMsL(~ZC9t1cVVC2aHwN)Rzey}7f>C{=agc-ZES1VP^{P28P2=i2!+kM-%Es+(k$fG z{*JB2@f-!P1IrqFS3OQQb8PbrzKFBA>1nN4-gP4D#v!`>tGxo>rO;y;%v&cL!PwuO zNn-m~9_KqdaKy{iY$EQik7{qhRupUQ>aWs#?N0{HJw@ z#+#w1Nd9_jGBLv|Xk`A2HKhM9EGWZMKKLJM2$1OfKTpY{$N(|XAe{~@)vforeBy%b zsC@&I#gU=stY52~x$AI!=39L$;GG$NsQdGZUvnMc5=^AUPeJDkb&BEyZbSKZF0&{= zHYRUkKTU!Gb)0_=9;p6_4__W{2h!UWwRnMk zdaN}(;h##e^Ifr+QIS)S6@=AYb_Kh8Tj89uU2Qm657+M_fz&Q*6WrpIo-gzHkd4%0 zx32jfK`xoj(Nq|Rt5p!Tz!Shq=g60n@>YnM<2}{(#mp6GDDHNf;zh%kYMu_>J6IZgO7vF(Mpx>gUzIA4fs2x&Z z99|XI-rWegT@Vb3423h?AXSZ$jgZbNSaY7mh(@b_SUwN2_G|Rc;%G-WZ0ZrhqGDdw z5yKp5tLYjqr=+RNCMaQ(M2{y?L=|0ED4D0;bI|QYnOU#kI(K~~aBIh}sLA-(bFE{T zdUgQriE6`j+uT7_W{1ul+H)}ECEB0AoPH^4CpqI|j^wbY@{>>|KH`+otq8y$MA&W+ z4Wd_GxOOyt@4q#vYr4EcfKFGQxQ!vuDN5e%SV7uBfRO6-mVSTu1?(EvJ-kzfg>-Ru zo@Bi>ApVgGu*7;+oe6GQN)TSpTW+f)lyR9)`(rrvqE0$+!0$a6GLdXAw2b;peOD+8V(s!tBB*1+0%A$)1fQZw~2Zr9g;$liB?+{F21%Z3poheX|%W?1^H< zik&f*`!Vj7cK#Cp{mDEQ@hN@@6~0<~Otoubx?a{jA?@4WsGu{`3;nV>o8~*2-0zq4 z2MGB*DeAuH<%`==j=gaD$Pv(*kKEC>;>2<5$;x;>jCT#ti!2fb?J`Ei?_fRDtp8ie z-$d~|1n$X<%-zLGkWtDkXl7AgCZgw^m15{LR!;}_c!ms)ZZMLOFHfLlkl`3ux-Z-n zKYg$y@0>rpZozgdg5i$OI~T*psu+t=Oky{H_&*~n005ACQn@!wTjV=hm;s_x_y&vj 
zm;sUeI~=e}2ad+5PbB`|d(_gh8O4VTudINICQcg{NfSf~9m9&CHA9nUP}PJ5b=nk$ zD|Zq_v7AH_ZXlf-dA3R!qyPd&oUi25Z-bF^*D!D0i|?KX^^>E&H?XLv5ABobMit$B8HV zzI&v;#4YnY=YjBZ)1(xhO`U$P0h(6VD4^bZX1l}ol7F2qEHXKABj5j&!jw(blOFpe z^Vl*?Na?Q8C=kLyW|VHpsrtkNwc~gD_dp8iUJ1GcoSZ9+CHTPXH}%|>r`R#=`%cNp ztGJ(!6a`Io#5xrH35!W6-1eGV)q)m8M9XCD&vTW1Xau27@)GgdFsP?4>ptE)b-(#_~YXol^ zld>Hq2u^tn(&v>UUWiN7yP4?~ncNUyDAhR~-7OM`){x6&YCUZeIay1I5f1a$1g3=Q9442OnL2rwbi|AWzIUZlxRn7KScE< zp~eJ`l##xya^y|z2Y|+^Z~%IolNniK9vHqwCo(mQw`aafYKSJ|p>mAb$W2i<-&__wSj=KsWjqL&LpZ*gRlJnf^U+*G z+Dn%ryk(`IDB1RShZiI_r_$5etu0)=(ObD>3}rh*Bs2nd!P21Fcs@#kp@*BAZMI zh4s*1e>z%@z|}?>CeerJaoDbLn`y*ee)R9`24c(0D9)ER%iPB<2P9Dyq6TqP8Uf>xJ%0~Dn^09cwR4)` z{$7njNz2u2k8Nq3G?%hEK|l{8#S9WWEzv8f)?xYmDY=GtY?tSV8IsEag}eirN(jU=1$)^W6}+*@B%$ymx(V zd(U#%X=CN~aN-?=m3e$>s%KKGO4>=bUi%L7)t>(IME3lq&McgKuVrW_SYvah5Fu*q5bV7`Jc@k(TL<)tJUN|vDj($o(ndokz zZFu#TIkAB9`r~wqA1{`FYTC^KSa7<(5=FANYYXzr7PG|zPsLv}!P6VM&LXtE5g zE;g7v-8`pscwu>6(}@Ui;<+82^Z=w*ME7=R3zl!qTycuq+v<+jzv4Ni$d=t^)*^bZ zaOCAr!*C=;4r6MFigQO4^y`Q!r~6kx#_zF;1mhcm#M4kuz}M5qnD$>)xij}7o`vKD z97J`mh|!P7|8_rsvDV`0;gPYFcgFY^OPew>~{kKfpg$N_h&+qQ-6J`q8j@Vy&SaA)kf-Hx?k zc?0GKst`a9?sNk^my5i-;JaH1p^1xq;v1VVLQqyYj_gqM zv{8Bx!J(t#*)xts%}ttKMpqsVGh6yD%xN8UmDRpw=afX1T-WDxt|Uky;X^eR%d_BX z7y-4(0KCVDS16R%oFCf4(n(l3Nco8C)zl!10#&S3$irTHJb- z1VW74#9t5FkhKrs7D>l=uN?}qU<8GugY%|@w&@Qjea?MdE^$0ywBsSqM`!%3r74i(dw!lezTX!^cQhE$P$e&1sF1;6* zhZ;i-Kv=*TxQRwnO2?KAd7?ghb8c@AGU{;Yop69CHZoHL0CET(?i!0bB(vyGy#l`! 
z-`g$Kvc?UQe;@zAG&)Uj~NiMRA%65sa6)M zHK%9>dGV00J^41kdj|Mc39U?BDW;JPzo}?P6{}TfQ2|r0)APuI=oq)nU0$?Z8eT}m z_=#-Z&cp9&5vJ4cUL1PG7yq<-No?H$MQS8Yq8NAjn7g(iJW*D)bp4Ue%fVC7o>@+W z&<)Hl_4J}g675Krc{m{~5p&Z~$QADQ@?jCv(LlAJTqjdhB1l}3lpzesV;9&!q9$a}T-Xzm zc~*n4AL%$k`IFeyAtR7@+;(D2ep>w`Sl2Pc{?xS^JA&GilT4*Q#vMEa(_G#@`hXtS zD$)sSafiPxNnCc=gDVkV5tt}kq~SHfmRx3fXvc0UPBuCAyfvs&;HfHHSo1Hz80z-# z_DM&Nnt5js;bK|i_o`Nqe@6l(O0zVyHztRa`6WG7EPt>^q)so$*07&Z18?D+Jm+WWBTd!eW zsACWL4oFC7ev*=#PV#w0_5(@&sQbkx1-RW!O_B;U*w}@lsCjGYuTlo1z5|XMn(DB~ zlQrd&4EQajPK$@BhuSGJEgRPUBwUkfqHj*|kAg?suVrZfqK;ogcc?ttTB~tzpIzWj zKb<(#RSqRjxfWkWi437)7skO~?*hFp-EZjzsT}dTnx5vWbD9&@Ckb;xMAPu1k-9CJ zI<_etkfF)!`{Om@|2O~szrhw_+VIuDODx>P)8YJqLP~g}1kyaqxqt@QHkq{0WNfXHONTl#$-VA$o(3 zx*|$Ro_$FoaWOXBhfPr8WAn3yo^8|izUeIS7M?H+JG_=T;&mJm7!G(%GsKHn0x%r# z@;ZoD(P%&z;Drqk&)gyZKmVte0KC(C0)sx!4gNT14+Q#M9-Dlz4(@Oad%Twa%Zr99 zP1j=<&hq)}$_;OJ+cQnJ_cJ2tm)3Z0@gzeco3L*Ca>ST^uipNj1ZcT3c|75*&^p-W zQ~BoL|6k$%EntItECs;*R|_vOAKTN?-a7Mt+5qZ|KugjO>{2zU35n-Y{*eA%Eu)}j zwp-@*RQHQo#Smvv`@jz*%q)T0AFS^-iCTGP;iqarj9zLp%V5IVXeFIbrIawWaUTg5 zx#l44>v{P|CLrMB{yZ?o63}4V#Z1jx>mH4o%RQ(ta%UfZ)?bVX> zI+&vpWPH?sxvVNF#94_=C#i)5YM0?dK*63L7QEo^n%0;aOvYLwn7gmq{S3^GZZ!hL zfp=SxBHDBq<(0Cg@&$xZ(r}!-&)vAwx*NS!fL-)8ZILI$aHwM~wwkF~|lky}TKH*K??DwObTa|n2vGj_8_W}$?f*-dhQTVaa z4}EDHrE-?}NX6{zpuwx4>x!Z34u1d6`HT`oU7`Bu^#|;x_W&MbtPMYb9s2t- zeXd~f!D@W^==CKpLOeJTkDhsE@SO?NFv$xMIj4NNgams!xfLV`M?D~1=wacCI@+dB zD*?*HPI%-v_geIll32w=$HJI+pVHLmrmS?Y#7oJM#a>u}V=&_QTR_0@;_~0mwvWI! z-aoI&{&R$Or49bwwKYV?e-X3Pg}MQn;(6@{Odl9kv9@U?*|0Iqn~-$qd!m9FF=NIAwQi2i=vi4)Z$q+~db zZhhy(Yi`*@D=4Z}>$1WoL4j)cnp&%lwh9!-v0N+!GM7C+C&wjtu4}# zrV8!t^6YFO90?F+%X^Z?+{%)Qxeg#~$@$-zy$BlA{7Bt%5XcbB+WkQr?5mv|h6m~# zfHy`1fBwb|x9|~NL-}kse70E&U~I8jbQX>2J>;#bCZF7r_ivNY&0f>|xpMy*U?p1! 
zx9cYwWgxB6Mf83~Z3m9LVQ^;*1Bmp>RA5}hgB?zH6v#E&aLgKE^luqtDU*hX@+!wr zm#Zv#B@?v~SzTIOGPs+T*H~)?*i0%o;Xvyx9uI5CZXd%Mc7KvP`n(?;2vPSj-q%#d zsCX)I7?4!_^kHi5dmc|=9n|IWOe`&AYFNqt^p1iiX-i2Jf^foH7?ryw$%6@9czb;l zlS<87C+r#3)%1Z#hB1Vw&*o1A+S29b|Mtz{I-C!wi*rgWk9UUFBuVc>Y`r&-i}&7Q zqYX!@{3}#du_&0Tr1YuH&Yx>JOJ)m83-RuI1@Rs10boepu2 zePf{P7&nu$s~{YDkpVZ#zY6^?o5~Xwfy?%6MsPeV37>rb6SotG@P`{~eqY5_>j5;A zMLPGi%HES8udcP$zSD)ox1PP_=)Bb%2;0@oO)?B&zKBZMm0ta~}iY_l*L=@ae$xX!%jP*zNCu#XS2$#FsY_zbk@z>C3}Gm4j9#6O1Wz8V*^h_ zpFY?MJFJmaxklWTqCq8Zz6&p8l=B zSqabx^$>_@{&X4_*@6~z+PXdCi{a13-VZvk){RVi$fP&5QnXsSH~<^2o{+b-s_tG&^|L8HgfMfIdAVOX{=j% zEF&arK%!Ssbq2R6Cw}Z#Hk)go&PMgEJ|qY(0TQ@_UOJ6$Q9Ce;EMA=C3```_$s}T% zSgRl-<+4Zx%} z>EB{NdT%_(;YlO>T1=K2BX3baZdA4n{mp6lof5#;3M-OV5MoMTR_mcYLO~(&Ko+AL z28tC}ImBFn5;hHd={4IW0N=`Dd5_THv;B|luF&8eG)5cNYqN&#B`nvYPE7S=d&dhcVp9Wt7G&(KVS3`7Azm7# zSuzhvWb##*KXAA(kQ=YsuQ3igFZEcWUQfln5JCw+KJ2J3sxSS7oUo`cn7CbO24MlL zFm=kOG}J6swm3cS`u>|R0r$`Wfpk!j!eyxERSAd*^s8aJ+oYcR<@nHDc^W?0kBYt44$ACIIVGCx8M7 z$y1P&4EFvw)Ie@hP9y<*lTHfBU}v*V}LSUp|H_X#fBK 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddRecordEntityForm_V603.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowAddRecordEntityForm_V603.webp deleted file mode 100644 index 3f64baa4c3ee191dee0dafc10a2c5a4ef45e0b66..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90702 zcmdqJWmKKX)-8;?JHcIoy9IZ5cL)K31PB(~-QC^Y-2%bg-JJxtVEapVpL5>sNS~bU z^WJ;MmmiFbXY8?eRXtT}%{kXxr6?gPDryJ}q$VOLuPV<$$o1v_ksqMbfT@FFlAw4M zD5FGkva^YZn37E2z(BvUx*vY$7^969M@J870syXRzY;uYeoJT3Q56ToP89Vl!-MwW z)5d7YQ^99|7@gyp+NTWv%aezO$F;MJBwpb=$j@?jfIYyJ`>hAlaJTkZ?;ddI zG4BBYL|sEaK7XKiJQ)K#c&K??10DcFw^RUDfDz#49^eT${PMXcj{-oz=@CHc2Iq+$ z0C*&L&9~UG;l2jw1^_M<9`_zA04KK@r%yn9PcHTVAOK(%u%ovK==QLA%)Hq+ubAiS z@^AnUJssUQreBp>W_$z z6iVU^cIgBFMW8o((6_N{spchFf=j+H|1&$6GwRP!0p7u!FPl5AQ@Kl=XlFOSyz zWvn5mgr#n$mJ*J4R0b+nmboAdlFvzNfQ>;|BBir$E{gE1=o3X6WkxG35X%aAB@?(A zcU%QSG5HV03wL@5HwvX_ZGm*p`q!iFHH>YhE@iPr83b|3-((<#0WG`=tK%+!it@MH z`cQIUL~DCQPW9qY-Q`7oCI8|yz3y|J7mv0Qf-lkGiYjzC;bB4IpSp$~sdUGjWeu3)1LNcO6Zk>@>=RrWv8bYx(d$ z9`x^aZM4T=RZ{L@HEwI6(;=9IWG?&tTbC0*snPS8k{wL62h|IRNXs14kQNoOz}WNz z)ur>8VPy%_ISsy<7iatpk`7B+`sXrWf)lW3hsNl97@0WFo1Md1$el`tgxp!D1f+

?;hA>c#siq z8wIm_I(b1XHPCbsseON(Ud+3G5s}q86+;Wh?;h}fH^@K4i|I%jb+FGVWGIrPDbkw5 zs)3dFy72KIeFm1x0NVZqzJ8oQkdFexv?1f2S{+A6=Jq(AcZXSOXbV`HzR#KGosW5j z={`9^k;#1mOX0g}qlit$1i5M0CbD0VeSW@1opVoi_#$iPEHCq%s*e^b;#`Gaf=7&t z262b$00XhrGl&OvW?7tga6~){P8ph$EoMCprUl3ohtnSf_vPOWLn3JbK?f-XX@xHk zyPik*nFG;_!oqn&ALyv)AOqgZzd+DUh=ZB# zf9tkC(I=`mtmj`}m_Mo4kx@Ikv!c44CIgIte){%oKa#>mc3h1y3?kh}VXkXId`RC$ zJ{Gg5!C-e7i_#izOlE)KM2=9`!-4IN*#167oJTb)JjOWO%D+5FgGACyo}%KI-X73Tvw;+R|!F2 z%+L##f355IpX7_59l%efpZ^nIr&j<8F(M-uxpR)&E|k!3`x!xxXlR?$HGuxV`N+NJ z9#FVm^=}jIe==j>8%{)Zhb15Ns3w%n(3nJ!+OYlvG~?7x^js_9#vIaJpfVC$vJco4 z4B%!sQFN38oSx6cmxF9XC5C}DMYpAbnPl~0CfSL#6{78cRR52CN#qL6e!jWbz9ech zPJu#v(*M=L{AbIehM+Wm-0o>9-re+ra9zBT?smSBbnk|-%WM3`>Va9W2>boimf+J` z_Hy5FIQ*Lb>njotO;=OBrAw{E&rw}1rz7sUuVCfEVDH^S>3kWWXzP@^&oc2-Zti#OrNct`@_F>%_VxG*d{Lprtoj@;8_zCf zxD`xMNB87GEXxD8>cx$(LF=ELA!7!Sk3@tx@)^b3FXI=uW}(bZ=BuDeVB7>*+f)!A z21r6q11~X6A;)U)llMFpU-nL5myMqF56@>{Ai*qTJY)0=vR3(cTMg|wYWt#->g7v= zWj!J(;!|6?Wy|RBj+d2&_c&i+?g6`mX#_^4U_(cF2<}-TmP=+dQ}RC-^$Ra>0Tq%y|p{haCKIo!cf!p!aD1{{D9DUthU3=}=_$E9mum z>=0>+NW#VGfScP?WQI*mg&a|P2>wsj=uhcQv?d7vJ>K5F_aAiUk2Cs(JtcSDmACKZ zs(kz@>clMi(Ud?)@yOdHgw|6+Q2V-5f^5pEqxbFgD*cRxFYokv=;)5;QnOzXV)`2+ zYbun|7i}eP=paFL@Yxf#gqNRqY9NXXxuWS@plU+n(;fqvL|g_z`V1t$;d1ON4RlEx zraJ8W1wX^=q%)~j1Ro~BlRkf_m!(e7=yeTn9f&$kZ%a*tcs}AqRf10?VOLh$&k;We zDV^+TXxx-qv34ISM&XJfwp67!?%EyUWEAo2Z19AllQF?`PRG&3KqNo>fWe?eL{Hww zfBCLecJPMuo&asA%Gm>Gg=?QwMQj1+n`2~q>2*OE7IdD@E$y+aQ|48*qy%YZ|QX zrDBe6%cZ|IT)dsiW%#-<)_=RkSsUr;Bb*LZJLdx9e3=5<+t;jiPj+$x+FHPVw%NO-9SoV*^_r=tTo2^pU&+>^M+AKu)I zn2Sg&9u&kl>V;?jmOva|GYS>OC=G<`aGy7lr;eDMw2uqSerDW_(AivAS|a={)KN+1 z9sl`sU}DUd>@}w*aOt&Egv?0JIZjeu?sEV-gwP`<^Qc2S3?_ti%Rq_V{Vrq|9EWVG z<2?LeASHWAK#nTEsm*$mL=fm2l%@iCeUEr+D~w^S$)|Im;=LkR1i}p3Nxiv1%b6iLW?tDW*_(ulogNm@GZ_U6Ok^Z^TTFo0v1XxqVPvoGPIOyb z!JgWJFs`?YmTGy|%t-@m8zVJF-43e-l!BMEvRcbA9K!^a2T@^0L2RCc#@J<0pvyF= zi4QSS{M)>SDDK=s_q8rit8! 
zB=%v#uhP?1&@wM}Xs7qm_(Z_3p5HhQi4&_A`zC6Pcl*>Lk3t)ZPc4(*xuTkE_?b@y zZIP7TE&=rmf-za)if%gdZ8xyP%i~eJYR&`dB&r#m*hB-if^wiEdr(aMb#C|r8hiH2=7$vQS%H2bB*fx~A3nAUUSFF4 z#Ph&H(Wd7{tyT7;UNC7(YU5*(4-F+oC2NJXp`q(Ssk4yJa@-55Pxe+8C(x%4k@ARF zUBvU0SqbZQ@bv&Ut(`66LD95FTL!W`lx6_$ZSkwj*`uhthH$OW4?C zwA>pTZbN)v8IMmNkR0FGH7E=*l38d&ao2lsxF+ff<|DHaI5Ze0m{8-C!9q<8F@zoa zrmEUEqFQK!Ti5F!y7&Zl<(xH+f&N&>CIl>g#uGtJ0WIbA*~iN-V4pLjG*5S&uZg?( zM3a9^U27(B@POnD&#B9(1D_=xdjaUP-%n9qx7j_eHa*`u6(IBU+@YQ9HireY(BIa_ zPM=A5w08Mi8AulPJMH=bWPVe{f7@aL!;~#*pqcN*JzQcj)fzi$u93eM)zg<^RDUdy z6Zpa`qiL-lRO}JDy$eJ=jtV`_CHCldOC!vZh0%yHb*VPo^P`v>&wI7nNNgNpT2_WB zv)so>3U)H&H3Flis7@P@4_rSE&p2DE;0gmd4OIWhgGVTa*ZaNmHJuI*XNqPM)K#UZ zC^YQjtk#IrOKThCy>e$CtyDIalVB9r4VFoCx=9kn8te{y;_rxjaBfS{E1k2$3ujc zupjV5uIKbR^o@BT*7A#Hp zqMsy9^r{uAw-wgH1eRJy_N%hEKLkw{|ALMeJ<^J;Mt-LY|FfF$l-RKKUH0@VGnmLy z*_~%@ymF2b=a28>kuM-x-w*4%L{_mIZqftulNaGu0)sq`fv4iNI>WS|E4!vZ0SZxM znQ^_Q@w!5dczu3V9Tlm?dIYx5dNmqRDjnl0a~$t))yNGC#$8|6QxeIz(A{PGVTnlg=F8Wh zMS60M`h!N3eHQQx? z(`2;vrhZO*PPXJRL^UTOwIkuLg{l5&!*Sve5X88Lig(IU_`zx2pJsolQT;LC_W+V_ z7=KjGiq^Ma>w9L z;FOsL0$0ET!rqVf`VUv-8@lmpdayXr{_u4``+k-1k8j|IMMsv=&A+Kz|AFGY-s)%k zXPxpVNATxmPjH5v^Ksq8)h#@64#7!`3mvl)nye#N(49spip*$@zTY$$943u=NK zvCv}O-s_gBs4firG=KG~cAUO5*1k7y>C9;5yo~ZHU=P|YgEAS;XNKMQhJMxt8d36u zLmU=Ho7K>#v4Ytktd!kcib2v0^OX(Z zKRn*j*J<%C7AOQ16mWGq&xQ_53XN}0-9cYNAQ_a`@OeGd)IK9$n~Q&)4c~_1W(fxg z|6=j}O5(xS;X~u@`~qiNR_MqlW<$;_0$l|%@q)bFysfs(h}&?Aal%t7gWMI514=(z ze39Kei+q~m{+&{lMksqBOowA#eQXoBBl1AISz=LC?wA-pgTG_O2n2kv5SKJ5z#qqw zkisyw1u6sMue!E+gRI_=Te@m@cn|q}OM&BHP>V*CnGr2JyXAg`{hgjzq!H3XTI#9* zuJ5{zY>~{XhY!JiAv)#S<o;qfZGnT#Q?f4|_LL=-N z-vOf*!UpL#0^4x=Kqfx?W!K1WuS<>s_(BCh+?_Vq9j9I_lm4;s1R2ud+l>9geDS?# z?cIXekGj44b7J4u*x zEhCMuHHdFun#JBj-1vIK4<+p!laVGajErZP*N@*VKe>&9m&y4%jgnCQsVcF6jAV~`w4w;rh!@LK2eS3Ei&J0{&3(-FO&>i*bi#=%1Y9pO~ z#aG-%Cy6eDf{C$9E>W_GC(zT#@{Yii-5NIjkoH~ep37ot8g4-$7=Fro9D)#ZW-u5D z0?p(0JU00jsu#<_@hSL$g)dq3*1xf7T+W_!R+On1S-$FmApWd4-`~Y=psCgbHmS%j 
zShjdxRe`%@rZ0?)dc$ryEo~$98z9DhW}qDhhYOqAFt)5#NQm^tHuz`=Nv;o8ZGM$c z4CBX0|5r2EF2up6+?X(T9}aYIKj*j0>?}PWin1PDvhJJEj)dNQ{rfV_q3E01+m5lm z1Iy%o`zc&3?|)-EBU;b5%9?~&{?5#QJv;%<+mc~FERKraX2Den5)I~rR`308NB*9s z|3mg*8bTEM1is*!u}}5shf2sFHNbDq-&giH@}XY?T;3lXbKe~H|HOdzkC@-|Jn@A!9*_HUJCj6s(>kq->O;Gwp1KMFp-jpt=Ne!wDZ^=H0urSEzKn_PeIAQWj{ zpEba5-8${xvkwIG3LE}Pqx?D|4Z~0MWTboHWx4RTrE^6H+*%+H;`=P+3j5j)7P-}P zqzLt_(tk%^P;v&EoAGxa#ifI8puSr8C`!e0|E&Kqi;i|R&R&5>WCXV0!#^X6Xe%a| zEtG%wEw!wfnL-acNy}wM7(Z2tvS^uLvmY;{-4At&FTO|N1$|!gj?G%EWpxbrr~L|j zV_c*;t%v+kJr^dy{bxeG{-KIJ1LwGV1$_t6pWjD%FOE*yi2Du6joBW3CpV;;)YWjo zhXM1v;n#u*loq*Hso{(PeZ%by`ard742L(lX*7@sC4s{x6+^mc8JUCVA-`7tk8EVj z;z;ByKw;?O;jA}6l1bx$idd(0?k1wiC<1^VBK-dA`KN^wCqjT&Vln)THTydK>;m|{ znbJ!wdjGbG!3tZrs2+GSFlM2a^q)$|?_7c~M<{D*Sxn`3Hl+Aw@dn z+o|zT!u`PFDRE~U!-lGMJb?)$#j}|?w*vXM`Q0y-T{?ZMbkc`Qju?VhbXFM2>~vr~ zz{e{Q`yQTFDVK%}NUqRPmGct?P_e7iu4T;6bB$6pJ$uI@%RdICn-_mv8zqfSx(}qc zL*(JV4(jd-Iv`+E*lUYCUgLlVI!2Dg`TMTZ1v}8UXB2x`J$2snI%U*gR-RrIvpz5; zC05zMGIr$H3Gqr!Bv?M_d-2op#PyHcqQah5SuT5%woqnMOXHlB+#PB4nWUh2aD8o- z{{_7$8*QjY@>Ja7R#ZU#V>x8*B0cuYVuSG$tgF;FE_dSY?vxum`w8|j`u@F?Kqe$f ze8*`{eM$d=mcN5de$uDEj`&Nkk0?fw#)m|905SQme&^RI{4YeBe^feC4sj-BM7;#Q zvLSs(n*Uuw`sd;NJ?i*Z--5iF;b#!n)R7;xG{D=N3wn0^N!s~KCcLK6%Fmpf;{LOV zYio{cT=m)!w`D=l(sMt8Os(ege=)*3y_*XABF>VzyjTB18R&Z6P@af;Dts)7UWuo* z;I=0f_4RSMR@resM37+(@Q_S=&ay(qNTMGHkT z$h#Y9O4bs4ksSPC-TN{Jr?aSubp$~PJU1<|je&vNZtmQ849-|{qMe3C?EInhFhzKk zngj7(o{JXcFKIjHtZ(;_~hdfnYh=!cT4>j`V4;wsrOt#fUHR#LB zpXk(am2V}4&h<~Na??+vzgeq(--QLNcM7cv|zql)tlf9&of7670)_ zZr9BQk9?Y~1$-wn(fD}tlqweOVCqs6L!5FHq=F$m>>%u1E(%ZF`W-?m_%XlzE$n9S zn>gb=t(R|tP$>~IDtz};7p-ycM{Jf4hA6kWMN8V(0dJz3zA7bb6u4{R-GXoeZ*hpm zLpAC0hcI3wVsk}n>{NROEO@N3m0O3fZm0~VLi-U#KTonP8$}60gh=&`!l*ulECaeY zQ?>{`r#Vo|$D%P-C==FFKakFu>&m$rQ2$XpFn%HW5&pvpIHDqBuxrF9U`|*VVsDH< zXgVM#|J%5ZRBrzd;OZNEo>+C?t9ukwa0L~Busba(RLja?<~sg%v=y7*j(j&hPZDJ} zdYc|7{ASlRDG4}e1-r9=oBNgRj(-U~tp;!L6u_Hy)P8-E^0UF{eNVST6FAle@}fO3 
zZz395C_^=L=&$6-|A&nDPebK*$Vr-_M0i6M=_j!n=s(m?e%$r-6TcvH1%E)E!=L#h z_hCeEe9?v3PuQ7%WcU2n%6`iwmio^;@bh_@;asYt~d@lY=EUslYaC`==n@_l5Q6ab-BN8gcgKx29k?4ewqhe1eIfbt; z8Be)v9%l;ZO^oF!md+(Hn2WglyuKO7ys$d5*Em@27xoyr0(dI#)tW292`1%_*>8L*1?8N#xKv}mYb637Zhj5X^18M0iejCOg7BanH)n8(Yftx3d zzz%6PpdDYV(9i2rk%s zgr?K5Z@^v;dagLIk2(^x8ZJR}VAi_L2W{!UZp8n3=WfBCic$N6Tl;*xaI*b#2t;r? zrnhoy%!Kl_$@x!q{m=Ciw5c~UJK+ku>|A%g(Xr#rHTb7o^7l2b(CY5-djW?py`Vn; zo_J~A>^MIZpZ`wp10uD`TS9zsO&5cUrFW~oF?9sW-%~YyiCcQOYyVU=eyWHxI~W+3 zOoQe0t7K1$CiqM!wj@<->2;bsHP2^Gma^l$NrpmV)@v|ewr}h`DO}!E=@okl;E#0U zcC~}h$7WGeqL?y?B>uav?X;T;54!q<$BZweB3>p5J@@zNr&|GztnhP02o|viIGeQr z?Ktk7LW=A8*P1}W5|_^}u%njbau!@-%eyaruNn9EVcGId=BBFEu%FGa-v(X5ZY$r5 z%F?e^#Zu2i_7`^hTtE*Z9jTycx?k>Eu>r(eGvjrl&Z3wktuQfC?E4_1)nV{1#yqks zJyL!Si!~1H%_DoNal;al__Rrj0KM<{xL$AOk|&yZ_*K4d-+tl>KJ;XQIzNl9NWaeW zCR*{Bf^?k51ZS;NEx*`c(T>N{Z7T3=5Wb)5t(wH$6um^0XHP}0xvR!ICxoMhAm3Kz z%+=q+a~(Q6Z?ToQAgY?N`eN>5KfSO$D5k?0B zY!>P3uRT9o0y4ic;=SAXT}b@<^tt0%pk>X36~M9g6I$4aR*1V zW7f|4{SKPf#@s(+?EkfEKb7Gb#Jdi8%V%`&iyurIDnpN^M1U;sC#n2f9#ngL^R@K+ zr}5}Sxlp zw5y|y9~?QfyCE)a3-bMTBV)M6Lt5}kis@&ii5HrI&q<{x`e=i=vmPN~pL^S@(mrH6 zT}Wo3YM_#Pkha%*xGc$sBjGyJXL>|=pJ{FX+uDm1*fpj4W~oT&0jag}u3<{bjgs`^ z88)O7g&x$Qm{Qd%26Hv7@h=i%!)FUVsz^P+Sk{=Va~Ml5Plh-UXF19D?=-LiH%2q0 zmauTs@K;*6Dp{}*1R6+IOMe}E#WR=3MB-W|^Ta6~nzFj=>1e(`ek>z@^hvD^m$ZLe zuZ=Kqi11Ze0HUclP5m=E7D}tVTf2ciuO>Mk^O~OP7ZM+(^VHxVp1!>};rFrn7nO}) zdsEt9h?7_`A4jeEh;Raar1ZB+wjBlhf~iHT>-RVOZ}>o!(e;~LqP+ZGp*Den{n;K zXbB)aXHon9*xgUUKh+ub-4OI^4{1C95-&&-%9{YD;+Abz@-u?8uAxM5ES6Xb{8Yb2 zy+vj)9LKz)6E1c_y<1l6%^*i~nh4yuVik72uysf%(6|Zdur;HxNS9Fia!LA+CG5hV z9eKA)3tqm9kqaEQoshq>Ei$*aKv4!iLv&Iq+n3;0xDx!Avi4oN_=5%fA7adXC0-8< z(U&`QK7{(g$Xzg(>F>3T@yqzq_VV7~wDh(GF9abtNJReQ{I#`Eb7I;PnJB5bxKv{r74jJf11 zSNBynd}3~4tFgMoLDmgwlXp-6vbP+RA;>n-e`ZPl3no1;2MO*5aWX;?9bT;LyIxh~ z!P>-h)SH@f`=CeJQV9hgLV6c&$=D#Q>V{16tXn(*4L*I6mw6jC3nhG3hvl1KDYkK# z?qLz=18tDE_Mg)Licf~-XfIJ%9O}btC8Hd>+1U&uR-*;l!JU~-rL71)>8{yguO9!F 
z=f7!c`^$!uD#C7W7QCj^Pdu~#cRIYkwa5KjuX(`LYK?yL4ipDmNJ!ZK>9+L0I_TfJ z?AzgFmE$u1jaB65>p#C#Hig~ZoO6}_H0=4(XZI7}=<83p+zF5hTpRg?c3jNxydlnF zCY?zl`(M2YA#$g)AndI3K+@Unzk0*M@4T=7y1-%LD|7gF)aW1Hhs5!iq4%$3k?$^A z@@MxXeVy)qbapXb%}Xa-F7kbS5rb&l`-Xv@znMvXotTXXJPMQG@y!y$*GI3Pc@iWRlo z0w>9f{$fWU@_Gv9 z^^?!>HvS8 z!$Vb?*xoNahMWX%S{eVXf$%E>)9?L}FuUOI#c^V?z&+NJbuoUUV?IAB;M1ksy{ z{tBDKV<@@L~nK?GXsNmIE7`$gFt7CXlaAqJ5g&`PikoiI3gp9J%cO*m$Mja0(GgQ!t-By zP9iW_1i;)7XTW5|0Gn`|^tPahL7o;T-*1BL0Qlys)TmjS|26>zjB9F>yCVb3en8&# zu#)E})lM$DAHp>YG=+#Gdl<+gB;@gCu13+bwfpD0Kr8kZZ@XiZ0LzT>Rn9gXPjs@c zz~v$oY?x65ZX@d$6*&v>jo0Oh70+=bM$1pmFf+s6UKyoYm7F^H@4=*Ka`wL07)3>T zLIH5~Y8*;^B5S@026#oJsl1|o5|tbKtk^;x0jgwW{%r4FlaD+A#-_8OKDo$;*f-oM zVJi(JM8IhHSQR61r~Tz{Gq;w={7FdM&`D8}?@mN( zOk;#x9Mo=UB>sA>Gm_wvm+3tJ5!BG@`xIo$qnK4$2Tj+V328~Jr)$3TL`n>zHxxL_ z5R<0MOz*RDCJdGl&!C=bGUJI)V^1O97g;xLwbt4mtGT1BvPYqUD=k?Vx^!RL*wMW} z^~?{9YcJEHKI@yms)NM3l1$``yX-?04K7JjNuOrYfjeATzP!cpB?k3|dmD+Wj6rp^ zT`z-j*hifKy59YK55t1-!vxTQlp74sF0UFaD}9C?zo8r_0cp4+%2h6_M$5bRDZ0o! 
z9(ox?&{l2`#^ReX`J=m2f%uTt^kS7%NUbgmQw|RF;d`bHt9fP=_e`+T#+)ua zPSw|{WGsN~T}3ro2b%TF?B+lgP*^)}6qoO|U&(sOiFI|LSnNF8xg*_2>S3<&xRedN zwCa#10J5uoix$&ib1+ffy0SRrp>`OluAW=jl<2ZeAKu#b==0t5y*}p^brN(+a#Zx} z*3XBO{5slMKENX*YGz$ip}1XRoC(FJWiO<3D<~PY^9K`0;jRqLa+7*L!mEIX6E@6W zw?^!G0$}icemk-d()}eV&lMD0*Pw&?+Yqs8ifcdbRk5OFbi+?L64SgaS;W~HT`uhv z#!rkz<#+98NfX$8*V81cp`MT#NEC`dDuQuA&46m4NT6$%^Ts@9HhOr1(EPj$NKV z0=NoR3`O>xxkujDMX4&UFr4Ry*wBn%+>rNp1uAez*T!mE&uE#MV4nNlRavdf`O-2Q zb$V5GMp%POZ+G@6Jgaf(48bd-02p6Lon^o}mzeGes%MwR$jxyEl>4EXP%&vn2{E7mn_<^GMw~ese zkb~Btn8B?WDxkN@MkxdehU0QxE=1h}fEoh=P`cDUeBhu=1vEG|+19*PjD<~T_pK)9 z^kRPHBW{?|M<18_M|AOdJ@#oXe&JeJL&xn%A>U|U6tpoZT->FG=6KRu4nzuM`X4%@A z*Jpv3%TsMk)lufl@Q{5J3f(5nurJ@Kk1p*qf+lh(w!p6>v-)&K($g;$H~jJ}MPUje zK2SvI!X-13No@)RQhcctqHbhx$rFm-*aqcR-{&*>$YMDr@7TBZX?;)^WY8?Smu#oHy zoJ0c|fp%CzfBiFmKUJG+Y{Dk-$ZHIahc3(#0_6Xv-m` zO=MC+j2lFV8mP&)FdTN@gcaM3`rt!h3Ms0F@-uWg5!`hQ$?7GO=|v(i=gCJCyYN|- z`l0uZT)nQP+EQg34Hym7#Zw*43#@F*IdVR{ofYhuk@@;!>Gu2Y!lu>xMvKQ7A7;qr zUl{Ra?(WN8a6$I340Mc?;EP(y6EeJNTRj&YpVoTWtbcC_S-V7E9ahwes}Gif#fV|{ z_G4V>-cs^vVo-Fc3*FK!n|oGU;^5ocRT+i|WI13lAYgjT)pYsI>6Z)@Q%#k$(jE2l zYD13A0&bDd{BiI1spOJJvvRNGo>$%k_j)IIUFPU}wH~6;bOuk!Dvvmdbimf`W-2l$ zr#a`nfO*mEkc&GJrc3sg2mhlO&8zdYqTVYGRJM{x)~A%pz!>bP!8h21TcOnLIPsrP z?TIH4xrgmp>?Zb{l}S853-45j-GNiKcm^I^;g&4Z$vh4uVaug-Zd~}Su74bGT1lmY z!-n%(&gJ_s%KG9ElkWwC;Eh;lnT2U8Z$JQ>J|Ci`)(4pIo{>T^hGUoWIizmXxtMNd z66KLDCECY6;JMn(MvRff%HBW?qg%KMtyi=wj)fD6%v8zGy*sN+ONcS%Wd$HUzs$wm z-d5#VSYQr)fvS(qdZYjj(hRZA+_K3zm~gU|tN}&;vgDuyq9`z2y|xad45M7o|p4D5QI`RQ8OUYDhsr zr4@$?rJ94M+B)F#HFpK}$n92f%N(aW2(!OWIACFO=|$H#2&K~*V#GkdnYL1#*L&EL zoj7JbZup{uP+TO>+^YoUmBkd_275ZRlvi!)3aA$Q;FEth@0 zS7S{YFtb;#ncUy7aO zf<2M1ynL?y@dQJssU$%&smAUFc8X6`6+&Gn*{79Yp7W0mpt=$HvWy{0qG;vSwfLss zjAEVByRtgGfo80?Qr)H~R>eUvm*w_c3?J;ucj!(DXtNvm_K2)otjmFQmbQpBsoC!L zAPaG%S1X)k{K+6E*6nVE8cg0*yz3@9=-9!K#ie(Ab;y)bCUG2%_5IHjgf&}%q#M)tkR*A&c_)rx0XjA&RjT~&EX!eX~ zIQHdHFR&01#y!L@qbdab-fJ!hHooC9<`b2dlM@;OfWD1gscG_);QR#gESzp$Uw?s$ 
zXQbRgd#1I}q1gr^rP$ji-N<fB!*L|yt@Km5WR#ABZqj(#FO;C{U_>TbCAP9on(qs zOK(ecsU`Q|-CLq%pxX^Kj$nKwJ-4~W{ph9K;7Q-$!_H|Bt`j^C^!B3otB^rp_w2^OQQX2`s>o0q`ye^^16FUYnIVc55D#DRX6$pc@^R^cJH8c1@LL z@*We*thr?w8z5OX3j1FB7diI>ou6JFq;m7UC;Es)K~VM)7|cPAM-dwQou;n&2tD;) z_MGMbvT-MtZe?TaE1$gheQOw>p*^X4BqbD2+q@3uN>|BuXf#N+M;tI4B1Az{4Tz(} zSY(G)$-yn0CSnnHGR+ePM1>uBk4UJrfg)k}r`x2GPM(i)4k^OG+DIDi)PaaiG5jpZ z;U4$=c?B~5_Yv|84+f|GfR^e0jnjn2n+cLUmV@(QlD-^)Nn}9wqOV&xbR56X5 zunp<0Z#;E80-2dSO1~^=X%E`vId978%3>gEBN~~08-YoOmbqoLbqR14-o^>MtZX;R zA){H)TF!yJ)sSK1k(*UFfYb5rb*+zEt$2Y!6HfXRbH)bWpTK$6%univ60^f(-b%+b z9)`(+AT{39$tk(q=czu*%h<^YJFUU?T#KzP(FP{COFU?v^#VO&@&RHm;KijxxBH7| zz7mmyw*DIzv*v=*@^uyTC<<(g4f#<|edm{UVGGMrE#qsjWvMByt3tBVHfv_N0a6jr zog9ZIgclJH0XDp2=z!lYd;!V4BbPOHo zwHwy9b!QXgzg!k~fC;T^+}vJXV; zCy%rzA$@7#16Cvbf<5i3;?e#NEFp`RwFzqRGU*ME$bwKtE5fa1(6cv*$tfpV&&0aT zt&%1S4CM=?(_FcC1j3%!*0rl#*u9sLg0=}Nrr;(D!(Zv{%rFY_x3P`t@ z`4SPf)t}`|9E=xHQ<9&(Y>KQ&ZP6lI^}>pPU{koa$`aslkymE>5benwkHF4%4YG%T zZ9v5Gj&}*-x;WD)Qk^?qRzP-yE#x(iA9S0HOs2M(QXxYgcFeqgC&5fGfyV4W< zwo~EHdoS3|FnXI>JiA-4WJF2!WJ=l2ps|{X0gVIWJ0kpGLf8l}UT!6pySo7PE?|Wy zI~)0An7#hDSy)G-{wKUE{%OSy~QM84~8eP^9?h!zh7}}HpQ!5_ZY|(jB{;HqCB*<(`YRL!hQP#9wP9p>)mh z+kyK1-wMmkM_%$vHi)IoAw*Qclh66c4?T--fPrxeO4q?Q9%zDJjaKesqw(QvKr-gw z(L*-Yjz1eFAC)5X#JHD;rM+VXBdrPtYSOAHyFI$#eR_Y|Nl0;@n(aI84Y|}pc@7c^ z`UW}N>Yiqs*Dl+~cW@d!?rk7GMmu4*P0Uiq%F3PuBim47CRpj2=dZ(}YHVNOp-=kU zXJWmbN&)!^w-K-*USOATOTKRLh6|bGBZY(#>O%K{{)(?FM|7(3`_yFPOCHIE>)Y$F z(x(y0m;nf(wxk%xzV5{8`Uv{TnsJ=VZUh!eEjFQwwpnTvxt~|0Ai*%Z zV^tOUJA2cWcy}p<0Rl`0r69tl#w$nFbsXDDM6w;0QWu1NVz{iJHP=f)y`h5zPibJc zqv)%ozzTTcoF}tI5r&UT;Q=YRIJ-F@nfjTlqg>)2=e3f^j;ZkqhHxn72Becp)=dr@ z$|{?Ru-BEQr7~}}g^k0Ed`QjXPU-CeJWTp$v^=Yr#m(+c>z6&TGCVY;H&j$0v_qYFGqx3J$7x6JkAWEh`m92wVy%B{!-lns$Y$a7%`)8k7!ly zM*h*u2qGYghg2g=K}Q?=?Jax_CSR|ZWQGdBt&jRspgqy}DeUMQbJehni?s4wBrJ`6 zz5dqFWjjJ!T+TBU^kmu+Kd)Yx6WfvLEb&C?(6r_XNgqoSYBeI4i|%GCkMUb{hslG& z8M(;a`J|Y}W&L1IT(Y3#`k~4#?jh_KQTcp(X?ctRKr}od3eii$$r!`d8PcV2&jhn1F 
z&$xcrIli%(R}LCjZTv(XqT~Zed-psYh<>r8$#bYr1vYt-T6SpqDL}+65Xf5dlNqp2 z(%JLoYlY5eN<>xu^n3X~q^> z7_O@&!EI|(_33JtP;yQIh&0UWI^PSR77)_5Vw$enZPl0aF<82bcC$$kIcB0+d$-Bp zCWiA%duktf?nC38x`$mje-hNsO-f14ony}l>j6;3r5x~)R*OT}pH^0!HsP90`)>WbM` ztsHZNeeMli<7 zrBI@=;3mLIhIzy%nvz0=%;q1jHH8$kRSZ{9JABO76L3BXn-dJ2MH+n2%{^zbTu6y5 zwl#1A$klWlr=gjX&cr}C2Rf{|Q&GAu(J8jbN9ey6!n2$bf)3LZE5My$Q?zvfZPl4H zf}Pn*P_ImsUqh-`luqcxsi9V_hN*)*6WDvXo_(iZZNB<+NH+ngtLrd7Q}x)$a3qWw z203cV(Gm#0X-6XcAt9fkQw0LD)j6uhYhjMrN8{weVrk^ztslw`)I&FwR~Ea~V=QE4 z;e=Y`7$r{@AfGl-=~=#fgFOES`2z(7k|&1*o%)R7UbXN&@z)Qp^?a(;wH9X9>Kht* zhniZ5WvDUl*vz~?IeM9T^r@e1 zConH)S(l}LB38s^c#H8xWw==!I20I`q)!aT-dx+>+ZyaAd`RR7*?aeXHnLwni3doYuDMru&O9ts$k-Kr2X63o;q6j1o3oaswIB+HXUPn8R z;0cHpL$^lnF?rEL{#j3h#sirR02eNg=_F;;QEdc*7bSL=qE@V-*NUyK6uywATY77} z2?GfJKE!W}9!MvHBqX*6*m6~Zgv{#jkN&HFFx&9lf$12q2?SJ!hPNfHCLe(B85hyf zYX3Bgj5M&ygy$aG#vJrG>=n9L(X`8S3rDd1@8PtzjrFen$CJ$P77S zh`p6yD%rSqjQ+%#Bo(w#%Bz|bhb{R_~Th$?)CoA1ZS(1hWSN7d9wsD z&!^$az#;QhLPuF`gPhXmrSdL|`8&+pxh!ID*`L$OyJ~$8rQmCZ=${HTlRe=RZ*%;2 zko0tPYs9u`y5YToRB-sECF1`4qm;CXS1)JXAWvGzJsPQP1OC%n$RkKNcV zVOb8>LaC22l4*SF`KGaiuLwY3kGO*5S1JcLY2^R_ZTGJ2wk2m zVw%C(RK*TZn9o?|6>2o(_hDd^ZrUT8t)nLkZTNVuS;^v5~H8~ggnU?`-i^nRP)3XsALlbk43b4iwIr*EOUPF5iK!q z^IG0q1pmb>M2ey2L8kL%f)7hlAPCC!KMo0;0T2?zl@2g( z8U&|rqMmy%hyy+QiiMu~{m(V^_=wLyFp%0GyIJ|wp=_z-C8tkuk(~T{8>cUi1G#{- ztc^!EkOAm5>u>+Mb!m(aCVasU6#xGm=hE%)lR4~YM5#tjYFU;j&w z|6c*`s-gP5fN}*9zaII@&imXL58E_T_i6q(`SN$u9F4i~bqBnj)h&yrO`A4t+O%oY z#{WH;mFc03b%J-CWY=d-9&@Zq%T>%B>X4FjFb<(!w`ayls4I8P*j8#2>Ny2^z``|+ zV2F4OucoKe;pKo0vDr}KIV@Qk1_l8F1DtVhcy?C$p|}@3J1hNA+-sig<$fscbn_aq;u6One+L|}2hPexXwqW? 
z2lgE}aNxj!|F<(d5iAnGP0mcxTummi?bqX+33g7%PiZJk3Mn+%AZED6?A$W4`Er0b zp#UsZ*cY-B^nYQh1D@YN_v0`;PtMA*!T_D-+0NAj6<-Uo1xoLc^F{*@#Y^L4pVb8| zZ5~MTVGLW*AkC2-H->C*4lRWNHMyn`iJ5Kg_?FXu|!8=WR zfDX$SkZ~GDsHzwDC>6}Q=f8$35`$(y1_z!Tp4K-n?DtRLZ4y<_c*oF)1p!Um#fvr8P z{{Vm#={#{y#s5^jxQsN$NGD;q37oA6x4rzC08g>9lCxgg&shkjZF zK&S6}U{aM=Y=XJp_Yud*Zbe#5e~ASeKy&&N4$<%hd)m;kAv>UT6oFE>MAipU)1;It zacg9rlx(J`H7}Q-3XRYAM&@8!oD1=l#R1F>6IPPzf`^;{5i21&Qi>sipde_X>v3B+ z)#GDopWJw}#|F`wybFb@K)5}YU^BmnxQn#3JlcJ?IJECM!Z9z_V1rz`uG7rpFU^-W zdt-c5qsU8_yzBDCG|$x)^&#Pru!E0~u)2okcruh9M=NCT`{d^(6*TTM)VjnO&$zNg zWt40u0-E6mQ?Oi?T+1bobGo{4we4RBLU^c*@8w!%a7D+aRiR zvSBT%kO*Z=L?3c#d$pF>UJQrpqUOgdDOwuvFg@vPojr$9 z6tGTbjO%aC2VdOnfq3~Ho+;wuL)7krtjB=naogU8aO}qI^g^CgsFHkI=tY$@nMnEj zw*t;q1vNFX2xPbm{;3x+?gmbfke^-p$B}#IcSq;CysTKH&A6#~0EtS2pAcvRw4Od)aFXsp(a3@G`rsur(k0Cz(XhUw&68SL1+@+F2*DKS)3Mj<`@?F z0G3MBt0q7G=X;MZeMr$z7;(Q5Wb?(9e;2W#*W;$!i1X4RcWz_mmrB+~BX{)R2WtEI zE~}tpH1cHRFP<7KFoh(kv457GHnU?=k8$MrT*Z?#dX|8JgV&r(7ME@qCl0!IyO|~a zWw!#UT7=z@fx85b7pG>#ZWEQlECGBgjrGC5DqkqJ?xayCRG+lSCu>!pa_Kke2e-$a z@@iq)0^m8pl4W^l+VS(Krb`;*ji7O}g42 zy}2o(D-Hqovb3fD^?#h#jDO=2x}0M|%dP<_cKDWf1juy$S6KxRz^c}iuDAZu!(POA|tsY1{Y?iZ;_V|K1aHf%W z1lRh+=VnfAfeOD@}ruBWisC9+9JX+Zs+0FjE`gJ8SY*wXr32`uWM(@a96 zJ_`d-yQY8*@wI@3YT(Ix;IFAyV$1vz;A9`Hh}{X8uhlN{XIEE?-@SiK;AI4x6?_pa zeSm#HWnNetq6$vaH5yI3PxT*PC@tXY5LJc02=|LXFu0cQ`{g@+5iSLRrGm`-L*fb> z7s-k*xMjP7?~H-l_jdn82R%$&4F%CpgKS>(w$G#k_96fC z?Pf+$Kb~J6)>T90L7TQXOl_yv8i82SO_AsKNbBEo)EEbHI2 z8S_QIopWagsx&V=1wr|^^cWPUMc5L5r1r7-&)zQg?w zB1tb5vQSJ*wVxhMTm)gKlR~PHU74>Upi^Ql0;pqynVu~1g9qo+1TuzVDsV=p5x212 zz=hzadyYK|o`L`(N@31yMKM42d6K#+yxExL!=>=mTKNUSf{&QLL_xKuLPcO0uw`8$ zfYm~wC3FI`)I4{F%IRH&O5d>yjhI8~WeRwhnL>%0*?sTC`zAoN{VlinZzZV|EqjG? 
zegh>37~*YTHpK!0#1*3rgUGoF54>llZ>9Q9($Cni-HlD&CQYwQNVkLk9skCevIi=s zgL*mgUt}y3d4Y9_m5{$gP>P!R!p;_x*s(qWRo8-P?tF`ZN4~iXiTNTyLgcfg=DrIt zQX9)Xwak;;`>b3XEc*8q?-2fvTJra#it6rseB!EBUAf+kOXUq_36iw4p939Uvb5rB zqLEhTr=$fJn=h_r%t=8D_>L0S3MLWUsRf_@ocQ73v$TbEi4J#jh{;^+?tY5Kgjpj6 z9^cC-DX4O4SXh;^=NUwOnC~fr7z5hEFIUrIrK6XF6UcYGk*(;(bb*R!s+0O8gQps> zO5Ry4VU;9`RM6+IL>+wVzTs1n)L+)eCGD(%8W&bfLFa+)@=94g7_;ZUAg7tKxNn6P z0Jmj@$0ZWvY#~LPuc8E&I6QK`@}w5mM>uz(4eIQ2W`EFwUUJ(H@$5h~rNWGGqsBdm znK$pgpO;`fDjIiNeM;rw5vRMaa3MZEj*p>i+n_^?0RFQ+W)*&V2GJT8@ z5lIdqb7WaG z=zEAdN^Ta5EJ$6}i{e@DDR6`El)-Ur<{TZI2am2W#DqFJO+I9M<<-bsTW!)q4#)*a zq$`CdsLCz9{)Q_VG3e*#-(!yZN}WKI`Mf%)4hhc5C>Ag(2$*+(iF8IpjdQ;59+&2* z)5*0vH@eObO#QC^Q@4TW zfI9e)0|W*QpA^wsUMKpl6#kah`*d|E2&_R4!(Xu9&LKchytg1M#_I0FMI9&IM%B!d-KS5-BK)GEdXsINRgY-lQp1 zpP-jUN^B&tr~PEm+LHQ8G%a&}2BeYQe4R6GYiF*xmX(}?RxH0<8fzmtyeAjy{gl*V zLUi@mEM2NX;|J=MrT0Lp;{Nr^5>TTeJ_)EZs-DCJc2~SE7^xjHa7r*yRbzFSe!%Zt zROt)i*alNQ-jq-_s3fm^P)>)1$K5KV8J1yqVD%&**{jp*n z354c|G>_d92OnrIF>5OP54O`alSdG3I|5qof%n5-=8E_4G*spq6)Dv6 zBMR*!V)=!?kLEm?cIMB}?ngyg zU9MUl-3Y7)nRHz}00y!@sAFT;oV~Az0iM+&@ z2UqyUbD(EdB#Y;}S_BvUU8mmN(KKKY0Yj{jz8Mu@vfa!{UOxcl(25JYw)Mmbyo=zD zfo9Ysue*Eu*)gsuRdguP#f5OV>p(WGTT!o@1@|SSp5r(xp2`>tfl{_In-*aT54Qb! 
z`|zrcT*QixF3xh^S17dljK-JxYcGG;tLU%BUD$*V$^6BJ*u%HDUbp+SxTGzeqlSYI z4LWj7;8zmy9T{IR6JWcKJeR>K-)059lDGxGQBUl(y+H5Ge{t+T@cfMQUwL|`tb#a@ z(Dvz9XS_4qJy28yMdiVNgsJ}Gf$pt8yp6__6jUZ7z>YL;wvGw7O>wW&xGYC+no+{Q zK22;`kvXq5#uNB#w#~qoR_NKdxfLV5T^3B_<2L>p(YmzRg!}auP)4lO_8}wvs{WDT zqMLxGb)MyoZIJB!-1&S>MJez285j^Vo=g z1@(9B!46&aTW~48!V>TPg}7JG3m`d<-9GsC3*l?0kg6v?Zkn?Nm;znoi>3ah{6xi% zK5-7v@sfzgpX|Gnd!wlV2d#eg>Lhd*Y0IkBYaPHA0H#?2>_Fg5>%n7cwTmpM=?ypx zfCdo@X=(VTK{Hp!kcgJ(tl2Y@ku3>_BMOd}MON6?#6C9+)}N%;-Nzzx1q+f8h4Lq= zl)2EP#ZwAIY`?vw8#Z;?$s~Zy>tpTg3H0O)>^I#f@t*stoA=CkyyF!`*TGaH5JYro zUo_Sqpjn3!nMN65Srn=P?p+vi{aw}xW(tS|Y)txLwrR&-vDEkjZy@WXJ84ce2Go#z z3rzMVG%Y@@1QDR|emQJ(LC+v`jd3mLXO;s`Y&ko&3T1y}+hU9`<4XJ^D!dlE27G|` zv5t2C-K6?cC9+^9y#1E%Pt11F3)~nP)hx>_ivHsT8E+WueSh@K9i!~ke zQu8%=0&evk)V*Ddb9lB~4RH~|qWxBHYay!)W@CLJAm;934$P;lfNc48q^?2-VkN6rKFE00xM$>y&_Ug230QXtDaL5u_+d>UMi=H9E5S>4+@E zpyzf_W!Fnn4=~V{%?ZSY4u+gj&49?Fw%WA(d#g`Z{@pPvC}X@n(TwvLhZ}dLn9BcDtgXRo>4Ue*%{EVBugZr0)QxY0Wel^@4NbMg!m8ie}ZlQ83Jx>os9}G$` z+{C^z`j38m;Ft8gNAb z)@*@Lrx^!d$Nz-?KvSsBQ25}NLYXh3V2F0{x zPE@C*edT#ofl|6O2&^tfWeACZI;=9GG0V0}u@!Ej&})q9BLc@gCx;DZp>UbnrqxB?W>WG!d}qSek(kGKLQo%y@}Xd76h--WR5)uD z-}@i|t1>2JI-@Ms!-6H5bqJ=E_tOyP_l;f8F>|HYKRNhDbEaFu6g6Q!z0I?7v%0 z{1!K9t5eaSbSE!wG!xXpQg+SabLYrGa|0X3*INYM&=zl#eUnMpVI@v4@HWq<0dHm8 z8sT52QlCzF^rQ-*)#~UM9tM<<1?z{%;VHP-AKt^k?oy1JLC}w@u@;d;`w)vU~?)hD%}#fyWoc z6tYHkJX%VGMcK;RgkR`ui^OkzuPI+})Ym0S46?McW{U>BbnLL^e}*wHM3e|WG(lAs zh3WbT|6Ixbt#v|y;77q4cCQRLxyJPM12tPkU?ke-PQ1~yumyEv+d|Bp8NM>i?W8)o zl|pvnX>g*B_{wcPg)e>|gJ*C-N%$9YnD80X$#|DZ)+&MKE>*7Z@uhohoWQG_g4$;9 zkp5XHDgmPUUYJ9b~RKgRT(;dWdyRFUtiZWw|I$5*lq|BTLeA z+A|6ml%XfwLknE8h#RT9eqV8Htek@n%gKTdT{Q_fGDuBen|=M6Ha(LRd`0lE86nOa z$>fKGm{RKp(_aj+Zv!*GNrGRY9wqwXop(ZGDf zy^iT{b~`jtCuWXCgeISQqxPfl5xY6Hr^#&JA@9b^#iCA1>Hy!D)7zCndkm4aA?oy0 zR}-85_}kU`t|P{i4s0qwxfJjSPe&RFHC^6RSkaJg7PUB(J}>NZJ{WQU_}3gCwxbE^ zay+falNNeeK8>{|HCf>_!U^;Iv9=$0nOm113RRJoQi2x_25z;3ecdkZnp34P@F$P) zQ+WAfS5)anYoKdd(}cyzxsl9zk!6?4c>$&LK$K-(Uf`@qXtdAn=dM>#DU8fK@{2-@ 
z1DDj>2Bs^JZ9&n?;>WoaoHC99#H#jc_;*h8rU!6wkBGzrTa{xvMO&IsxqpH$JGXC{ z5!xex8Z}pGewyN;L`URboBJ;c{@rEVuk}kR=u)nWo_c(u zY=qZ!=T22F?zX%Iq<=UlXNZ2LIaaz=B%O55g7DS;3O~|Z#s8Re=$lnVM-}F@=*uCm z-?Hp=x7=LzhlqC#JPpW+4c^*F3#CM%egI)VVRIn2Z%svn7|SF^Q5-4bHr&}^U>LC2 zfwqS7&Xv4dpHfw;Qmn}kLZ~*>ViaoTY0e~S7**rLB1fa)-0n^Sjbj#ug3p zO##DYoJV7m@rhh9(#C-L3fBqj)?FpM;!YkdP=J^IZ=N+EAxt!xGePGUXqnHUy(m~K z5N(U>t4XzW6oSBFqyE*GOa{=jE+C4BjFXAFqg=XD+i@FThp-8^&Bf<&y&OT#pqIO z*n+>-@u%mJ2(CBeLhb{og>jPq{RX_>FJcJ{uCrr+45gzdXBME%#)A0qJsls}0`Rwd z+hvd@$&w_BuR&vfi}oK~eIqJohAcy44g#7ML}o6p|FsX!nA*lpn~a1&HZ` z#gW~`oJ`B1YdLk1Dv@^ygsxA+J8%owR61lrJ~LjN#`6x3tw;$IZ!l$7<9 z`#w&hTYtu;SE_Zt0Qwhuc!H>gnO*?kZ6n2~zmE`dC};5si6egVLQx!Zt$?N&BVIeq z7M0r_X=Q`oqv@l37JlyW`HV4mxQV6uKMxCRuUr_QW}?yTeD5e79Fu|yaOAzOjIyK_ z-C9HYxMMm9+&RnLy~T5#UGscirwRye)jdK( z)+fB@<(-JOzWQ5BMx17Z5_5!#Jc|)`?aqQM#zJ6Iqy)NQTg_1oXQG?1&=U8+w#I^VP%hY{ zVk$O$d1`SG92QP(-C>(_5_X>a-4PcN1zr?lxSm=FKm*YIz6pLCRH?D(On<$**+f|< zwcKa2XpSP({T&PG^f2Ks>D!t7$NU}zfMcUXgmM)_2Z{Sqm2~1OejQlu-@9VHlh4bH ze&_m&TY!~cZVyr!h6LI>WhFw>v5nS>GnPr10b%|-;~-F!Pt!0#MDCL|L;f#Jp zAc>`MWTVDsVw5V7VCO-$aTdJPckNlvHgS#uWX<(ZgE zg~#D#MZc1Vhdk-v3+n-jIq8JA#aI}=)ZdpQ55H8<rT$dy6vTfST^UWt%Bgx-2RnXL!3keR@KNz2;r6z&;Z=OG-v09_q=$L( zkuiTEvmHGN80!{{gIZTR1RNH4kFhbH6s2lQe4V7?Da;7R*KZG$V1;j}Je(kciuqj6 zSa82CuYEqtQ_iv=l63aB_#{4N>70Z89ZKg>bqNfi$DxuqCKLZ`OwaNLmmWR8+7kb9 z<5E6~S-pj4+#(#imrMe+d&tRmk0Z{*&+A%viRb}(SRRL<__*JGT_7V@S|6=XK7^I* ze>aX2ab+-Q6z@wJVMa7HO;S*qOlA84VCV`ZL)DCsfukL#4VIO^d21cF;nLTg{WY9o zKSkiI9$WR$ZHVN0rM!I8o*ANhJJuU3l>CL_kg+DTy*p5akzVjZ8iaq@5#H_>R;5My zBFDO@gd-Un=v_5k@ayaPj++oTR5tj~sv(Lv;$_kAGh?hC)$}4cf3f0vdDk1H-10X%cPfI z%keG_fv@|=Hl^Wi_If*Zh4C9Rjo+lDhG5ZYFwJ!7*hw}ynejw@y`5l3B9fr zW^HrllP~CT1`~T>3Pxeoq=A$Xo*UHQgO(9>{U+?_$PP0|4j#K+7Ut_1J~NZ;=7d%G zE(`zA8p4a?cbukJbL~kGxt)k1BwTAtt%bOHcJZ54-iH*r5`a1*yP-V5|En4mI%M}% zdo6pNS3FMmnT;A8joMFfd9_yGAzL^}n^QrIT8q+b z`qfInE+U~a-!=fi2#BKyv?tgo-m=n=GECF|YMg^$fGxMeP)9Npz-#dmKFcJV!H;$Z zE?sNZZb`B?|x6Fudabh}SNS2drU-KjDd4c@uu&@ 
z`^CJnt`@H}8#fHaON28pktCy;1%de8Gbn@Ziu~DZ8!zl0a}qGgnE zckg34(?yz#`GvX@zV@I#+O`7B%5b)OGU+cdU4kZAhWi{xx{uH0g|9&y|2+=>{CE;f zmqD^HgP5Hl@wd3^%&}{k4@vV5bmVBZ>EZo}sqr+fzfXZ<4v)mzASj5O{;pCWDK+s5 z;G@h3_?2Y`7MgYjpRACR^5qACSW-Ka!8g{bVgH&>{0@i98OMpw=?D@kh+UCc^s~Hh z0s{0~l769Ru<$_X^@M?s>=~Tfw{)Av6CT1ANMBWHi)h~FKo$e{N%*P-3QNA8>s zAr>3`BtiJ`=nep9js5L*9mh|V)2>s9rB-cZmb>=>1|So_BQ)w$kqodxUF%D_eTBgA zm|31qF^f2sSM6s(=(bU#7+=jo8VTVN{})+Ni8_(ogZS?D)*X5r_prnJuO?}1_16_G zR^gy&g!?+&q{P4}oEk^Vm&l~+qkK!Yyd;a%vqnV9fDK~m^1qn{P#N$a3!rb3g36*O z#i>v>J-pkvwMMo_ov_mFy_3;A#=bSGK>6wDv7qX z&F}Mj|2(_A4fq)1K?#Wgpmu^e%?|hpaspP05HuW z`0ro;pUo*QJ^kv~`tIVKO>u8D7@ZrJ)touszpGLFE4lv6YbBIb?pD5CF=Bo%id*^h zHe|#;Y11Eb?dI1jyr)H9C#b_gL0-xWv5!dsB%b;7Gp5y0X`^hbeT1>Emq@{V6b@D_ zl43c0@H}q)>Ce!yba2qGjPx(=Sr_zJ7`z^R<=2m@?})k+ZyG5)r(G@SVjISzj-0N0 z10FKIj!&mrLg94J^%OE%{20IqHo|nM%=3@*W$_)~i-Z6mH>s0IPIp6oZbHj{v5(Ja zXqnFVF?3a{LN)W}_#dMC`0kf#dc%r$*Iq+<*lYLr!}wXfrVe6xa40aql#Muy-4Tut z5CL!lBnA+x2*r9SHbTxf)4dej`Oa_Dx#D7(frX8(ra!@QvA&T=-76BZ-*%hEgB6_@KwbtE>7|U>QhO6!=M;_FAuA0fHvplxNFRbw4+I ze+^^r-8^++S4ydyU>CO9|fsFJV3dE2Y$4%YHykk2I$YL<&4n@gW{N zzxJrsTuJ{jV)dGjSG8q?9pTs?TD`Sly>d?mw(vFUZZND7rM?mtQ~zm1O;NTQQ_h{r zO|bfl1Sz-v*peCr;skyeU2yHJLXv>@2?7BHX$X|yuRs=&8n&3Rt!zOf|-jMpz`X!{qL6-dz|Jjv)_>OCqP15yLhj$dDh`r zG&`9W9NLnVi3nq6wW@?zQh~&X_ZMz{Iic#0)m%}YPnbs1FYNgYFfX1c;mM9Ncig2- z0227|Dq}N8c`^kAS3#N+m$oQdF$|%B)>{Y&+1?aU13-x{RAdde=N5?mea()H-qnFR zmd>y)%ZmS4kI5?1)Nkz~dikISdaq6JVl?b#ND1p?o-FoYVuj%54O&FqGzk=x+t6mF z$YFfF3|PT=DdGdEFkqtz6ZxXA=>3^#eVl0i7RPONp%ju`+I`M7&jXYRPEA|x-a}o8 zv-BsT&;(uPMB^rMR}bk~hX>NI`GvNtzqT?{Q_l>2N(0#HC?&gZe&&|>(ZAG^Jb-Gq z`zMRGm-pc1jWS5HBFNQ&8|D$ke~Z#<9_=RRtygUBgrTb1m>r=f0nxFNN; zLv&VJrwL{@3C2^|=xrsLTWP-c0IcA2BqSa7{Uz)Afx>^~ISIY4Cdk%CqGqa68~T7Q zIia{ZWmB6!11N~omb_LQghEmBQL8~gx5URAL5im&jU^!enMmU*ZwSVv}KlJB$O z2Jy2z0OZXZmVkDGj5{g#(C@u62f7QFF+D7QIBqa{U%5XUUWgG%%641R_G?*UV=)4QDfU{%|H_#L zwX@RJ%3~Qr1J}X>Fm(-Ua9^|OSG?$M23tA$q!&yqFyaa4wtSQW4$pH&VA+JR@h z`xIhgL2YvM~!aw62N$^ESanM;&)*Se&Yg6$%R5ZH4oYKf!^$8Tx(%etI 
zT~O-(LMBOs>L>GD!sE)8__vdkW)XLcyjWJBDf_w}${tF+UfVnfe$x|* zBK!|9K&f(=JD~}VqNs*|cD0r&;B*-B0D{ZT1~u3GK7$SI5Ra}GzKxEA*&BCg98BaH3eyj( zq<@SB`1W8CO#^%!M%|#K)2=+#xq9VBcr$kokDhIE@0fG@H$Ot4I}$q+((@+9i)Qpg(%Xsp;*yCB=(h%_k82 zQkt`=@K>a_u?lf_;rTcAgIGJ*alFf{{V%>}f>N?$4>nG{} z0Ok@h8^`Kh20CmE#4oIj5xZ$Tp5^eSL)Jr*X40na5ddKJ%uxlJ+b4!dDED)h4cRl4 znpDP~_X5z4y?$VT7ggB57H(`YUr;Y9o1irS2RTvIX#iI)+z>+kB1h`DJuy@+>JeYH zF7T5VyDcn}9Z-a0LZ?0nn>GGKSE*10?&Qy+R^JU=fI$F$o-|VzE1NBT_ZTF8hqPQJ z+V=4{Te)E5rD^wGV$**Y+G@}w9Q(ookmj1S;&XM2Qac9I`vi*BL@k19iH*LtNZW0^ z>~eg}4xQaTBK>k}(Ta?kn@LSIrMG@iO_10)ZJdFP(XG(I1+aE5=}m(Q(gf0O6&BaI zbEljP!Nmlh6D$PYay=lw6zGZeG}`Mh%J;69@(FAr9XMbZf_h{g7_NjbhaeqqWK=I@eThj)hWb!uCnlW+!-qR@q*6` z+t(I+Oy%7rtr(8vZ5aC|_Dget=Z>aNH$vmmADjp{`P{PueM zjbi<$s?1&O9ruq5R9D2csv#N8!|A!&*-*<~GAA-#!QwLYxEyTuho_k->4YC~`YcIe zL!t2XjxYr#;vyJbOC=s^v+itQWCuYUiyMd56o+tM`DWKtRbIIHi)yQ5 zZ~}^>pe>IBAFOZZxNE{Xef(DwxFr-F;~U6m2$05Xaz~FN?-t?>nVG6HEK11vAe}); z04dHuIT}e(Fw_^XAmb6)tNxjn_Mr2P?+sw+1iDRkoBp4%((|FXq9(}IdC%$2MuMMJ z{x6BYcO$j7(xzDVuLx)+mo4nY;HGi53F|8=FBGTf`N%g8>NZ&&-^U(ujsx0b1zd=| zV7Uyd%A(2Jx4Z=vU{mUBkGrLRD0KOZc9dX%y7ozNj>S98*U8Qdf;m@qC3t6zOM2gvkrfnkjM&GaUU8f6CvUHsHrnbV>9Q8yLeBuv7EdCBUD zzglu}k~TZ|ekqVE3C(7u^dK(_&}J>#KI&lfQcs2nhs(M$U?2L@rwsO|!{aixY^O@@NU+0t=& zN6pmHgP3+ikca{j*ASax^ zJRWr%ZaAMz4vN&7*biA74CWY+VvbIbWYKU*UuMcA29j)^lq|fgAYO}Dj{Get z4yHhMRaodNO3S=#zD|Z$jUw3bmnOt7>~_ddP7|LQ+)ab@R}~T z?VStLTd_p>sgtW_S?wN77cAts0&nU6@p!8PuAWcH)aCv$FeaylhV)Nf$PV}x+YKh9 zUQ2*2JTxt!_vND_s}K$QYhJiw0l6_rjFKH6+mqn7tJ{G70#&0A>4R*IJq^tXe0RV; zYK;+ja20m_v)?7MXc6gSQq>(-$&zfgQy)_F8gEXiZvmZ{t(amrNM;lP&0FL5A`JRDMBxeX)clj&B z+*!J9^d7h6I_PfNIR!kRqm=|<|pHBZQhHTU|x zZ`K$c?R*3WYYpqZb!*ImTe>jJR0pV{q-#5&I5b%>_410+qg2VvPHw?pY%;^+@rmmG zqVk&N`R`rZ=0mh{JPJVC9ZyhF@9sGvP$CaFES*>U1B%Lvz!UMH#I2l+u!z3w6nKm~ z9SPHn5KT!Vq^WBj=_n|U%YyhDHjV2<8PQ%_?=v?xjc!#-(yzDKXC-<#RWahHn1X%TieGWt4^^3qvaoMxQTlZ)4VHd&RuiK(g&wPWh>@ z&OJT3Fevc2!C*(qJ?f&ZDatjiA?i$_?^ECQGA_7XDu11{mfKOJ@f2br)nogu=W>h$ 
zyAI_i*ImN|$ziEH2>SwUF*3VDBBa3*hzC0FduR|PoIBpyVE)#GU6CK~C=LSn9QJG9 z%B`83#p-dU$0_ynU89Enl7}#)Md#gDA%`mPUx%+5>1XqZiTYxa0<&)g0$Ko$Ygd&m z-C!sVY#Q`A0qAJKyb3i>(K{_0bPo(5i5}mJ4-2D=>n*gc?OGRAxkHBIpS8-Tg4k+O=jPi63W8rtj3K6-R zT|Hh9p{DU?qO-w${{b}J*73ZuSJJo}dl$?-;HPhfh9kEB$lErU46u2&K zUu^#h9={iFSlOJm$Z=R$w-CAdGiKmjFT`+3n#^7w)LHUmwnfq zc)9WhnpB>EDn!NwAF|`by51k}mF;ZHJ4*!tV+JIFc3W=z+Fe??F*cLQ_PY`|#(Z>W zS2hu;!H1A5MjvSNYl=%SzGy)dXH*S3R!CH$}E}ZOD1EC?_mTxN08mv(_ zJja$YCnzvW4s9liWut{7hf>|wdcnV;G{Cud$U+%<^ml-z1sE!E#pOBojay;QuO0kBR!a6A|yRs|ME6wcmb^-h@jSBc%ud}$l_%l2)&*qhrM_=dyi0Ac|69vDbEjD|n7hC6f}GJ8qp*i# z4!Qv<_CoG=GE`V(Iy*W|qC5Z+K6L}+;7rV|NatEPc5vYo=ZO*AuWQ*gvHQ(*&M-tS zLaBG069-AzltUvFbgY7za7(J2z*Qk*NK}*vTZ8h49Kerjc1f8aFO#H=SIUNCNGK^2 zN?sqebPMXKRv4>dU9Z}m?n;vT!Ia?oq7;Z%qID*^4*_6&ZjXCqVx1F~2o#-f*C#{e zPAMQbCwGP^hD(#;_7lrfv$SPbJ%nKGdCV#A(<{;=)OR|d^9122_@vA`Va&ue3SBhAqTM)3k z(}8bfhyW_fvPfTOt~A6%=DT%wgCV?6x^`J!#^|+xNP*lR8@hXRniJ_3R;W>q2q-x| zhRBbN$6LO5yH6kMOKU9poXRI~sO)wX{vXEPDN2)I3l{#`wrx+_nzn7*wr$(CIc?k4 zv~An`=RfD%weI8H5BZR}a#z(u?TWQ4BSMtnauY8V);ajBzl!!;+}aki5gz0ai5K!k3KqAVG^c0-<7I_-ZJ+N>-Q7T>w2ysMNKk;(hP{~y!#?*(2PPy z|BB)-0JUvEXX*Nuv93G;7i+>v;|Q+4n_tM zV}|)LWHg*H-u*l2ldN?M{Y#wvMPFVp5=ZQ-N$@J?TTzR=_f5090g7);E z&%`xK;9XzHjJ@H#q+C(99b#-@H-c`MJmaOd2cs){E|LKl#=w$myDo?X9Oz-pb206e z;4b_8QADRE%>kgnUS%E?rxU|L!d7I)VOcWKe=rIenEqG=y%AbvpNuY5>Ap9fco6KW zPrAA#8Ka?~-gamQ3QCZC2scKEvcd}b}Q<*qY^G+`P{airl!_JDgIPJ^OB zTV}&f+ifiqaA5x`e2n)xA>7649T4Gc>hBw514o?Z$3?5*P0Ix#C5l}mHej+>xx4t90j7{Z2R+aDnCWjX&rLZ z9Z|5ARjn3#te6oTF!QBjzA}$&l}BE!D}zq$Gm+Z&@ZRPg&e$QTsC06o9|Ze!xN(Ie zLf}?wLnK0|??0gLGqhzf77xvxdXvb~t6upX?Jz#BGnB-x4u5{T`^M|=SvIHrK-dy> z&JSzthQFVVQ9@JZ7L#i4a1OadeklYh_DO*1vU+a}6lng7hUTO9zr2 zA7N!QqJY)|V`c__?Ba?K&v3uX2r1nj;QWAxR@Bvtb_?tcz)Mkc$rN_5TJm7OFJDe+ zHF=#zEjFCBM&QBsYGD2O^IHA8amaK@+NG1LTPHvB8lpefTk4A1Zr@bW=ky)sal8Q; z_KNEn=Ud~YOyQE~}n&ryqmBy3KBRMa@wUCaXF(WRO*G!OI>e?3Pg|y32F24M!N=f$ci2L$W#dD)# z3*RIT^J<`f|B;<3bwN|8WZ))S!}#(mGgIP5w=wS zp@Rhg5XNqSze@kxc?2K?Kc+t}t(R)A{<(Dd42XI#JuisXqaao3k51R^uHfr2*8vqY 
z5mfNTCnA$7UvVB=Kx|AgunN-+p1o6>bKhoy#a(5(Pam>TsIjtF&Vg@lTg5_76zG=L;ZV!vBAF z1mKwa|3zae0fpVbgqYK@AB<@#aW4XdCyybqy7`cy7ueaK8@v~~q6=6B<6Aw}g`Pwm zMaD-v+T_xr1i}HFW7w28OUN$s>kK;!OSMVvH;i|^>uKDB%pxvO@qs9MD!D1To?JUq znr5>Uxo~`9hq6m=T!t318`&ua;|?^0!ZIj6T?n7VG{EF?Q%(kqs>2faZDv_KqXNLi zikIImFq~|*3P4Ss8eeQ~kN*tHiZ$r5Btsyy`cNJ{28jFU z`9jT!TVe`6RItVX_4Gr3QKZ~;f9XpFSX{e_4=DqIQnKIy* zVE9G#*=4BaXWU0kHp>=f9n%;JH+jei?Y!hjbxFOlc8|`p*NB;z~|iq5Pe$>#YqZ%-m&`qD$HQY|Nc$GXnM5ewouJ!FF-n; z1NLznnfF|BqaAb%Mhk+jW-F2FvG6vFLJ;RK6m z62gH=*1bg*0E>cfGsP#m)$ao8wxS*5EkEnnEdnbC*mp01!f8UOe1S$422M4wE$P2| z+Q*u^)=;;6zEqg>!hqRoVf9f#YI{_Tznum?NaGYs-ZF?3o+Q(UWPkr!xv0KOg4jB~ z{4`a(x*gi)G(6GJ-i@|Q)??}{BI0`XRzdHJYJko-Cm2Vyj)+SSo@F=?)dH_*?vUB(~l3) z6y_PxvCSL*t3sd}?@M03x~|kXba^kts7TJjwhsh{^yl#(A9F&X{%&z&ZX{KP+#wYw z!{p1#x!Ql{VAI@N3Pw+L@h^WVNGkc#=noN63WUJ$<G#8H+I8?}t1zu;mwr7wF=-y(v%)VMu1z!hYR1Au2U zirG-Bj0;w_!nzBe#wLkJPBgusve0Z3>a}_$cxuCvQ3-UGgwWmuDUXHo+^N=c_0do?hQ!x{vkZoa3) zT32Ro(rSW!ZK09873u6QY!lQ~1@xUx>2)?E8e7j&dhy6mr3H8T8d><&@4fm;`Wvp; z+AlJd^g=YRq@<-=wlAwB;)4qQu5|KKPa50t;Ub;QeLV8gOv&g9e1zFyN1J@lvfn?* zcDiyf*w4LNh1`WiFdlcJP%I&6J}aQVlTV*?!gw~P+km9lLTaF@1T6*n&Wy^=2vo*T zH3wSpv9kGqJk2Lkoo$h*a!ke2%&kmPSK5rVqRc?QvwO=*<8dfFnshfjrfrK={J z4p#EAWn`jGx&zt}td4kdgbgRKDMjH z^uH1csky5`s6t`2HNSPV!S0kXLXNGx2NaLw&xZid`7m&QlMdWudSc{=R*5SV1yvDD>gV7X;EPBRoDa;Z?zweUZ8{v^mt) z_^@cTtk5XKWJ^@JBW>a898IcE`=wa5{eVm!4SF=X_?tr1)JK(XVRgQ7hv(O8A1(xv z7xN@pfF(iDxoyK0=08u63c1)AiPrh@TQgOfZ-`pVJr3V;4YmP?!kQR}UYKel6M~O2 zK|c`J#6+xDWPP|UO-JFXZMl>OjG|{^AK08qJagc69WP^7L$j6rgwqv}_I*UF``@k* zANwgf5AyDS>CLBGZn!&;Nu5_9F-L*Ibz8(1=dy49fDO(nx|YD9Y^h~m<4~{ifJmm# zoU8K%Y~r}TneRc)3Vz#w5n>^fkvKy(3k^zOk5JY{NHf~dt7`IR=wOWP!I(hj zyNrax)Hp9Cz2v{8A||X|2Ij%*=<|v_vUKXVC2acS(&h=2l`i`TRP^AGid*&JHLeQ) zk0?$$l*CY-#RqyDZ2=8Lf4( zhdjjD!@f7QD39om5%DQ7+85&7!iW6=xb?#kAfmMz>aW*TKFLiq*{@c_MmbU!*{$p% z<<`0q0+965D>xlye*ltNF#zD;#DdidJ}}{OnF;d9qB)cGXeV~`J!b~1Jjzry>lhDF zq_1ao=x`&yFW~}5NS*6uG=V_|S_iDbPiuA(8P~&V^;_>X@q>O=tO^zzD1UeP2V#)& 
zo95;lCX^886h%&8d>~msTDp^L%vf)|6nmf0@#uo0O$2|l2}$bW;fLY<*UN26wPHb2 zX`?+Iv@FYdU>sv4tzTOgC}asilZB#Mc zcDEbN^|rEn@dY_PcPUHaMo@;aqR#=IY8Ny@R~s_Qpzt6XohxF0s8bnb&q!7fve{4D z-U_{rvJ-$;?eR4nbc9NWlP=-i{1OLRf6ES4S16JHWshC=?VivIk`l#C4qu7JK}W3E z&j#^9CI{fLZ!&~z-({gT=C$X+Q+R96P$eDyIIP9ij2&LNS4&d9GD4GIf`Tohhc7=3 zjC|Qvdt>)s@q^?4S(EVP)Y)q&C)!CVUh)7rLSKBK=>C;!>^PC7{=M?pGxI#YrPk$zv?);Di1(K;=bcm^myTJ+1`0euZCM1O`85XVA_U>&!(1)k?C09b zG$3^~9z=SNs>RxPrTiwH9Fr+XRmN4nu4!`4bc(gs=9$yEuN%_0cr1_5rldY*sp*p> z?w_t+Xtp+hL(+c6AMgdKjoO#En)E$2^gBG~jm(7ONPS6%JjMLX~(J8i4VqM|utZcqMARv~iup>ZCl{guSgRhTBMPPIiEir;pY_?Gb*VOje{rRR9ye|z(pah>_mKPEeis5|^QYa{rRu@#5YnS=cM zap3RUzE?_EL&f!!XKhVRcAOCJd-qiY^zGUulEw3aM1}-k%lX7JJjfUb`i!aKlV*5W z?gvK}h@(C_N09?QLWz$VjO4RU1Y!7X8+z4UdT!Y5DI=tkg#t@dZPt65`Wp_4i1gV; z^PH0M^&%zsJRhXfjeVR~q4@Ah%c`cj*3H<$ar)3m$43pGhX-p#otIMI*_QoXOF zMw&o{=KR(kFL3e@WQk>V=wA=5aBm|c%|26x+yjI6KsA7uV_b9n5qYJWN7%;8$xNbN z4cj!zz%*>THzvYiA1CZj24I(p29=izX)L4WN2%`C*4V^h6(Gx`U0!WUT+e)h1eQRB z{gGxvbZm_^zr8n*b^7#8SV}{OJ$?lgf!Xa52ghu-W!Sl_U{3L-#lFW#dd+j>HL%=Q ztdt4hip2-3vf&4~N>Ad>7133TMv}QO<+=75IkyIASp>$4p|!j3#2+P9%u5{+voz>s z!po+I;&4xiyW$8|D$?*P`b3coEytHVHnCRl9cww>)M-!T$nYoyYQOn(VXKnrMh-7o z`OnUdiVaK0&?fnKBxnt6Xc4uF{D}D!FS@78RsW%yZ*>*+qwLi$Mw)=|`IDOV)^16W zB8EN%tsWwTce&dm3JJBbmQ`JRh;Jn-m(O-LQHG8sR_oGh0ksp&zOsMs-tXz|xbD@y z++367wnn%)vhQ<+=ATkgc%k3?nt2IdZhGphlF#hT;R2{Q+0CgOz@IzygzaM8kRFn#PE3IBFC+m#}_sQ2QfXCP3inr$_8x~1@J?+}m&cds02Fx>DfF8!jz^MF8%itqpGu%! z7@ME+FmFDp95IT&3$V>K7H49!CEOWfw~QfyNS4-x5+lzVr>H+0G(h-kR*G#$l)a)$ zr=m(uH7}{Qjs+rl4LMc&7rlHXw<8}3YJc8f#SmKznt3y&(m2a6j{pdO-vv($o(s%;a zV}d#?EJvD}$EXGZBHJrtHO#a~m5c&ZGOG|oDO_=? 
zz8M2ZQR~Utv|eAnSI=sA({7UN%XB2btR%~LgIMvxi`pi%j9T93Za z+V1fODjDO{iJWHgclhR^*9+dwAq}O_G^_)DC2xTgn4e9Zt~a}2&P>h|dm@EY5- zO0Oni)Qp%IU)d;wpVSt-WIsT^6k)NQ*I(>=7beIC;hd0s4X?7QZlB z6u{h#fWf$tKMO4crT_`ty>Pb)GJfC61(~f&S@uSC^jI_KsIkez4O;w1LhawjbvhVw;gDgo2f4fiw^UHmQQA!lzl{AD%9a(Zf>^o64N9kS;ycUW z+z}=}89h8ICCbELSx-VApM%n+=GW(8Z~oC$6c!|7V#$3ftG2if`FU2>{CeNVd8~rM zt<#Wo(B$iS{mT2JKhi#Oz<+Vt>G^HZi4cjnuziNe)j{2|`N%9kQc@f9oXJLXd)J=- zVsjgznex_@Pun}M2Fg8hu8Qaz!$xgUGpL>aeSTEj_NT^gvURR)*MuZW0oomdZ=O#a zOLWN*ptdf^oenVgSUajEGH!(nYiVLHoIb6*`l}~*te_#BYs-&oWvoA@PRuhjkrcq= zVeDWyKW?-nYNaeF4NC%Qj~qvMdJ%gNdBR;AHt{zgP2X#=W57y!P`2n&2w&Z*F^s0b zk~jP-fEgfo7eD9B}7E=zk(&=WtpwVr9WTVDw_X%Nz~-%U4U z;X%QR?i{XgITFNrcAxaa9wdtPT3lzM0Ow$$Gy%L?!M>E|uvhPDi9LE4Da=)-)bbT7 z`$%O{zjPu7oMyfdTC`j$}W3+zl_-suPqcCrc?qF}75NL(} zZP81c^nGB11P9L7jJkx z=K^z-P^>7MkgzWFV=A{7J?ILrdLaA&n28__L|_>I9FL2`A8!%KseD6JJ|`^s!i;Ds z^991BV&&q8_g5ZbWeFJZtF1@B`M@NhGZoaf53UF(+a4P}qJo;DP@MxSZkY}SHi5e> zG)b+hiAVOB1lBXNNHY?p!F@IMdN2v1!zoqTkc(efVNrz*BI;M>oF5_B%%%fq!PU&$ zbaOXlm5CI)H)RbyL<>KJO6q*Dsq0>+(m}}E>8p2Ok1+im+=03zK!)J93Jh<5>8LB8}20?jzYbXiWu{~ye!IBUNE=;=L z=sUhX#uA#@j?PP)=iQBQy<9+_))2uz^GWMK&Z0p(oRJ~q^W6{c;; zAzRJNyUGz3v(~so5?0A{I|ksxHSNN2vbPbdpq)tx)!MGInlnXYi*4#SQk|OGxMGsj zOO1NOaBWxJYBc`y_AS!G@WGvO>zRDa$-t^QdKiXJ(lJW}3ZY><)#&&U8^~w2bGl)I zPwi@ezmQxJ$*eVr?}%vb55LV?ciYS=v$}Mx5?0*Lxvk8baHmTl1kaY*R22y(!{(n` zl!OcqJ}_`GdoW=zx?XO2-`1+^f?i{Im4)?}hz+6ap3v8=#-A5B%Xy{LO0Zy~VC)!i ztq5{C(ypcN;-F2ihqA3nCC$pv8B7U_aJ|W6-p~bjA0^LR+|)u~zX~uvvO^*NhS(O*faI z$-k3-yU0xo{!&BiFEy3E;IopqQs>&R;uW4l{^I{~{x5=mtg8S0rTc#l9RA@Nqo9tl z+CQ5H!2jI^93~?PcLW0i|=J$<04uATM&piqMyUNmENP6b}9+6!*SMEfei<^kwQ%0qAPu&~&u9yD* z-Kt+OLN|K+!4;L9`Zwn|j5R|JFW|g8e;phP98egcc!CJhG)=xt_Q1`=M~wITiUeTgzUv zDMi=Q+^@J~85`!{^z_hW)Kv$Sbgr!i*0L=?l<^r)UP%0~b4-{Ik4=EdWJM&2h>_eOownXZp0kR( z&7t_F3yM?mCT2l(unT->6DbPtV?MfKOg84F5*4o0W3ur^UK&zl$zE>ixbJPx7d;}I z44yH2_neuID=t~IAi)kC|Mnk@d-h0Xu`+PeNEtEPR!3Z{xYVbz$5t*ydIRgeH`C#Z zkvt7NIO}~$f`}zOQ#77rq$L*|?#3;$TZpObw!j6{2%JsR`*a$dk85QX3sFQr6;KC< 
zK;OCLd!9LnzA*Nc^*RLj_elm=o>sZ)jR1s^WIF zvm21i6|EqPdu8}boH|6qWW92Gu^Ta)Pf;o+qCYG-qfqKt*T^|izVDJ|h{Mv8x)9Fr zh|Y!Q!EGY-RH~&TOxdmF9TD0Yo&(8T^)BgCY8XdoqDIB&`1y3lFZ5tfDCg~L86a_uSij3X@sKy!LfzVT_3ssC+bILT_clRs?zEa#Uzf91`(-6hV9DZYtRDn0tWN zJAu+&E=`3hw%(Ew5IAYRTrZ|HeNG%8=dAOOsV@X((W>T;z5|YKE~A4gq|yTLaJiM{ z=KgHbJm$r)om2CPwxQh(Hq8W%Wwk*%56@x*R64jeL#fQ0m+3tfB2WtK!NqQ@vRzPb zV*zCvY!kN>H466?tQ74YR+pY#ewL1pEZm5)CkIG1NUp&J&#s1yQa?QMn)|Jtj9?Y%r@aMs27wvoWZCLt?C#M9oNEAzm#H%a zegW;nv4cZRyKr6arZ)8bQ$Dj7hi=zA9jmWO6-ezy`QK6qdYKu2q5>`v`?MAZkr{HXejV1;4TbkCaPaBv=Rfn)=Ql;^NOB^UX|s!`ych`TX@# z3clxb7GwoFHVkA3XfnK6XG@RRLt5N23nz22xtKC5Fc)c9H9} zhcCFybTA*8XjuLItU-o9m;fX(rzf3fKXr8}tR3^?$7;YBc*(vLx{R$`dCoCPBiok$ zZ}MR5%I{lA%?A%=<>$L2`RO|Iq~oeD07{a>-dHvECbFQ)?}jC-#_|ukLC-VR7l!rY zqs@T?!!Oyrn+W5Y$ZIG6#Q}2{+U7SDfBjJPU?ia6U}!>4x-MVNCefOreX+Mc3r!y) z@5=Vod*GrpM{ovb{6lBds!T8bz#cXwTVfk8GK<@}Zv}2Ic}c@|4BBFyf_KRS51otx zrUc8PRPwfkVBxV?KgEZ+EJ^$kzY3_U+J_90Be!3jD*7BV0WF9SUdLuR5PuA*paQRs z>Q75+!k)bp2nasC31<+CX|I>{l1Tqx4%{c$y-X3s%~lM78v6nB#64}ZLJq20h&k24 zPF&$UX$gta@d)bD8c|PmpiMESiu{r!K;{x$1BA#9hl1y#o~rH&?K|WOu9Qt_If^&u z4XJ+gF|E~3;PV`5OU9wv^6h!kui8M(mXx}Da8NLL*N&v7SA-%OL$vE1Mf!WIYO{f{ z-CX6L(7I*U6-6Cgi#{gx$fYL3Un!zK2a=rskyYG>W>zHIa}ZG~`75m!-*h1SQx2N& zMnNfP_{adQ^&=umenK5K`IZl zS13z*yB%p})xJ*vPN?`;jSe62ejNw@AbNPO9s)n6TmVVJB^qdy{#2_QWpAMPN&>WM z6k9|qdsonvdIAEaGJFl}3A+!ZxW|L9E2KzsspbzhIeUNSN$xL&`Aw(O=1m?Sjip?6 zQ9Gk!J1;@A;clZGMMbf?C^Gphe$9}-(xTx;rv>^fA2jU)yZkr!3^9EAs0(X|7k{!X zGNDI<8zN!}A{osS`%NM*Y?k~joMv-#2`X@#p5^f57-o>e5$>3Tb=N=1FgI7}lNLku8Ky}%S z1mn4I(a|EsNB&ZNd4IU|OYOHnp%bHV7s`pUQ`kSH4Frj`2h~-rP@m0VGTjBdBv?Ji z``=C0q5y6+sbKe!Ogqi!9#RhcLiGgFdVaX_zwt})pKts~e7N6@{618GN^ISez8Xow zQ1Bmvn22z9VSuwlSLj)+#&Ll53PmXMfV#KCx!DQ>Er# z20WO5_R%$`{UU1od2P~48VJMgecztBHUe}AlcR0bH@A$$6P-jMN|kbx`_Cb_-!zw0(3O zIxX)=hE0%{4Z88fu}7??v+HSG#c&+5!V`y*oNRe)>AxW>KQ1(`l^Y~)eH>AU;++v& zn;-(kGJ$3nzm7OXL?LzwdlX7n+~6k^x5fTR>a62nZw5NnmqW7S|2Et8EE!q7+1Sw+ 
zyU#Q*iuHE1g&|b_$V73isxH7H4g6_f(kRkcN&Q&NG3*@FF?Z|UZN_w~Fw@0FI9DSFTh6~UH?C+@pph5|n!A>;Py#hF5Q>(2& zO%6ZxfbG)Va$ge>!#!P}d`7O_8`8^UunPW4Io;{QN&Hcr;qo0@j5UoTAHXB@tt<*L zoh*ndXvY~q*uhsn)xQw1(-7Bnc3)GzMuWrRuEYq_6Uo4}>*t_;rTYJH((2zZIEn zHd;t8mrk!-_OR@RKa#-as_c@y!^WCL+K(+ZhM(N(P+-{^$+)YJ9{ZTVt7aULS^SKy zEV7{5s3LOJS7zF?0rVhj^kXq^)|DH?%E_fZ8Y@j2#-3iZ3en->n3rzFfwqgb)onPVz; z=Dzncr5u+mA=YQX#JyorbkX%GDOLt|e^*!h2V=IU>=u2u)@Kix9PmiOORjPsMlq#w zi^N4d79oJSOE%XB)N9EEL$tHRp(x*o+1e%+l+f*ZL_>0!y~_ZW<1prZEtHYkC*YlwAabk};(vQp-2XIg?Hi|iauV{fL zb~Y3ADycz}-1OVJi3=O0dRPztRygQFFhpBJ70!ISMH06AW9GGW`#vR6O<3)J8=WaA zvf>c_o#+)Q1^o91skvYb&RPr=2tt90BFoX}gp_0n=;N*58dFbeWZ&|%z8C-9V+#S& z(g?MquGn2T*Z6ns=`wBCBB$aYi4@V<>QSh~wr*xp_Re%Nut1J_ia(nM#JaAbbbxpz zgzV7Fe<}qSOJ->Pe{05nM))ZKsu2GFPE7O1|DUy>d?;LM01&Le?!P5qL4Q)BasW&W zLQPn2ATbVWdfdwi1H(=hF&$qdqGKaO2>EzCI?}B-0Yv}*HTXWW^01XeGwXUI<5}-p zDtU0ntMzz*{p`w=RALPMOPlFWYX2{7p93O5^k!7h@q@WQiFwm2ez4rq?^x}Sb*Vkt zisA>zaD4A_wvP2fjk#q?!|L-x+BH7|BjBHu5-riNtYi=9FCE8Ck@#|v0O7C@59_1r z#ia?+6Ug0T_wf`m*|R1+(#=}V{AdFrNB5RAkAm=g_D%JWibZWa&eEa3Mdo7%!{*wS zMG^Y$(lPW@pUN!NS#z{8A#;hDh4j3st2T*UTt^AqMr;iKz8_uHwdMGZo=#w+T$@eS!sN-&5OP*T`tNEeE3mlH=}>!C_!1{cj~`vcYy# zI6$U~tyNSpl6J~ETK9&;1eC4szIjcvlnU3yaA&HRKoBvF{PNnJz?bqh5%l7RL530I zVyump@O5I(2%16Nx{0`qv`W-hj&^$#h+W@LZ_7m&-Z+&4CX*4KIqr3YJ_uiu7#>6e z`7Q{M^}DAx=O|p(JPID?E58t>Ga%lG$?+}%uhIPT*;LsZr9n+<1bICiS)CbCqg{6X zfb5l%p>s!LZ$gbNbY}eXgJ0OIY8M9H_F;7^IxULc_&QA?AD6T(=(Vbs-XT)QIQ;zM z31~S#oigJz9z}1EpMwsN6gy^bg5SN5i~XCi4)h4!TURU{GS%w^hA{SKcyH`g(h2eS zC>>dw|Fg|QKW`(k4@B8SFa^AR%pnyy)>xS)@{ik=CgSHLn@c2&AoX)f+017cyuE1~ zsM{r$qRMk<1|zV}=NiI4xiS@p5rPXf0P zs1!(%rsX>b`jc-eygQub9vpN_cx;z@3yq9u0l#Zy?spvB>5VVM0k@I4U|Xy?I{~^E zFIS8zGzKw6y(XXAigpcWKRLA!;G^?5{7^<3fe{xm>jnnw8~yz}$}Op2q$JO5kYMj! 
zgaui1D2MZT>;<8853V;f>eFkNClFR{!`$1+M%f2@iE>38G_D#@p7VGMz=D(Am26$o zvEjyS?mzzI7aL=|&HQNj#PCyl`W4NE94;?)tEpLc$Vl+H(6UC0Q}<6c_}+=hli(gT z3eCczVD4gyc%!|3%?x(biSk4!@A%^S0F<{ZUwkn{rF30+YkIXb&TfXD`iPV6&*xIE zS3_nI26qo34@r#(y4)K?SUQPtC{XSzJAA}}_bl&HD;UHMXCoZlX!)NQWD%B&?jR<7 zXJ^P`Qe`LR&6^BkbS1=b>A+%=PYbd%fSFl-u44r66zN!g3+6Sm->;jndKd5%=@>H% zZzBMCFFfDjxz$KvjCRL8s5cr-V$};tz=Gs&$n0ME{Z zVSEC_E@L|nVOFCfe0E_?@b@lZrIJqT92S7bMl&tvfjPo?jz!2f1a(NM_122J{uC)| zM{f&GJEb~H%=i~iAJhkocQ$JjjsF~^(=*nH> z5`}zl{Wx=Bg=ahf7ieuxw|}LVqSa*O{a&RlfthMDF5YUX3d;PcPP)iED#_;razNxT zbxe2S4bkZh*F-yZcAx5&O%x$GT84|NQajxRhGZ?n@iy32L6k7FlT^6o8qx_9@5Q$- z%v-Q-DzP;_WWrwH7W0X@zC;jzp2%i zeNA-M)rfPWdK5W!!Qq$R2LOQJ@Q~UsnO3~+hz0pEi#eT7>>WtioSf;uvgy)=OPsq0 zS-KXwkgGN1d@sBX$*EHf{=)dH#S${a^(>_b$F&7JG82!a(UF?#^fS`9d(+@l8V3t; zz2l5K8$FvT>R-HgP#a6Km!)Y~Uwq^@^J{Wgh;Qi1T{#NlLB(EV&xTQN2`cZ~P#@=c zXR&9Bx>GaX{G^vXk1$4!d8%Q^i~3oQs7KS*x=h|UVMp#L5AjQfli6egTO_J1WL%4= zmyumJY>WrRJfwprUSI-9a5b>UdaFLtR252F?eJ4pd`2snpzEHh2kIz35pfU8wCN@l zghN;^Dw&|xI4)QmHCc?%L<;Jx`XMtl4W4>F=?$hWTk_rIQLb>avC$|&0=bDFMSem- z)_SJ5mMw!OMm+o87?mShr7fd5C`cLv$UKcGX4Y$0^TI%R#JYI}OW7HfT10Z}{1lg1 zL5Ta#`#^pjF~JF7fiuere>t4@;ki+1N-}4fmhtNc6TTPGdQ9qjX`-K3~ZLL%m`fTum@e&Au}!~t0nGT zO6}L`G}x-x>8yF<7b8;Na35}>g7uH9T3=5bq;l%)9BMYdM>)EPKR}N{b$CmmAMt5e zc<$GO6xmt&E*IAUq0E=T(OS`9UxDeqEtxB1jms&<{`PPtU#*YEiB2}wQ>#)|ZJ-8v z72-Y9h%$PqgmQ`pT?P#_cxm)&QD@?72kSLx$A}hyq^WPiIHhRoeIUQE1qoyehX6RX zs27Pw*7E|h(*4cYTcysY{$X$A6~?;eAXwPV=Pr9xB{#eZ-#+R|K`;9Pt+ecm%~#Kc z7%`3Fj8Ru`qcg0up)GQ8GRn%Z#nB2VUm_pPHty4*+Adzzdzh<>t!OnDGt*qpYk=Mx z{puo{8tO5YdgGS_w{LE|CKnh>0CNDbyjXlAOgsQCRi|d;4McA&n+R2XKZcP}$^Z{m z5)JlK=r?wJ#bv*k{f-NzO4(3I&K68~TWAzPg-i^3fALJZX0Lg|^_w2P=1sE6nxQK$ zR7lpcy;w$uk5?hRoj4d?WA1s}Xgz&52a963bvxYTGBb0$j?4;j>wTWRqU}3X-3EQO zt8Xm+DYOm}=&}A9eAAYZS)8D9W9k|1=fO>JINNcH)OeRM>HRyaK`SPkBYLmCJ1d#k z6bM1F0sQXT30o&)UBZUupj;Vd$g)v8%h)~j(L(Z5A}vo(aM@~3V6VW6OXkuFe`FbH)=hxa*I(O_gERoQ5|Lk@SS%(<)8lLM8a}BTT~3 z3QbS@=`o!aoZ{AC+#qX{(BU4~qZCbYVL25fl5`^TSmU$K%rU@a`Bd$Awk~e5lx(Zw 
zJM@b2*=nT)DFx{<&JL5A7dz+Dz9WA5Aj@+@Tw>c+yoC@d-$Jv32TNUrY#GGud(?3J zIvkR0vHZ@dMC-%ZegxjTTXKA8joboO_NO4#XAS_+lm`uF{Rf!;#Uc4A10;uRsf)}r zr2oH?raqM4Ml7?a_nAYo3jjcjxQp+}10cq?S32?me1~miRBV_3ATdx~E;8bObXouT zUPS^D2J-)<`WFHDP>_}YU}`LgkbODJ@jvj?z3DJgzE?NLMVuBf3T8 zq7Ncq1qI65^hV(f0KmfD#)s7%=`TPwG(^s`)NGm1^XneZ>!5^((F8m^km>Dv4uchPF5B^GTufR*- z>iO4>Pkk3fPe%hS-y1LNJ@;}9m0zYUJ*C<&MMWLp50ZWo?~zD2qHOe@g6I(>UsQ&} zt9iVWyfDP6(CK^^eXCJUq=FUy2i*wW?iYzsrXC8?1Lz6#($eFf0ekUL#lTqe9>?Op z0oOF5(-3d9N=F05f7k?&5@M03$uOGdJ(9#~A6?nY6Z{7--NHB#(+FBZo?1|%u=ucC z6wCTvKxbk`2H*66KwASO&02<LL5!8t z$=2wF=>{t^@&fnNHW<2;Lg>1;_r$_w(ELEr`O!0#ggKI8Ukz*~>I*8k4-7AkpqDdv zmLHqO207~%9M#%ljvskmlwtV73rJ#`=|~dtl|Ww0TEh1C`GIu<*+79^wIn)f#uc17 zKjQah|7cesl@(Bbdl`2eG8=L%htm6(qzt0St!VYjVDkdBRy;oUf(Kij$c8Nk&PS65D^#c8l)l$-(dclJWaJg_G0x0q6z&|fms6AU%(3cc zqAE0zdgPXo9!cd=eJt6qIyrBOJ`8oPfjgvHutU!-RND^~7iTm!xAp~`V9A?BVu^6l zjg#k#J`;GTj%CbDmh(k7{&f(M1{4}z#So@4a1%6XTGnO6YXRw4Zq_mb<5}(>?l~@x z-A2=un^*dC*ojLrU&!u~-I(``%u!`mA%NfHyz}KYANu3l{ehV4+~a~n6q^}~1QqMb zp{@tQiz~K+bsXWotm&P3#nrU0e+Hn9cjz=qo?noq#QXgvy+WQNa(eS0VstwR$!eEK zI{$8gvanuL(A_+fPR5bHuBQ@F=#M}_46W{CZXRd2sPX?_72yHa-p`qr(@Lop=_^;Z zQIVR|nlnkwH>ndns-^&10weQOcj2~j&681Vhb>>bjK|!+P2-Jo3IT9L!+vL?uW=Te(jKc&mI4mpsd4m%jN(|rzbZOCdaue-UfuF-|p6K)mH8N)pfdOrhBTU=bSUod7f-vRX#--y}2q(L_veb8#lQ*hu&~7cKXgk zy9qY)a_xUDEG%Mh?osIfeiT?nic`j;htw85$aGfisi0>*R`jiv-<2Fc; z2nsbyk*t5S-;_Pv5`pk!9P=;jll8@)m%!X!9w;1H-Qc0ZvAf>V; zI}PZbzl5l(L&e)o+z5b~$-F{=CK zh+rFvlVj3C;eQA$s0fw0{(C27TbET`qcvM)=}A~}ZqA5DuME@Y*~@1z2qFWE7c~(S zM#o4Kz=mDYEa^5ZYvbhmk~y=6f8W$OL9pmD)VP+he&$#^;5O=%(Uno>@xWZK;pg%z z6G`^FW*|I#4EJODOK{AYP|Ls&kpcz2h(I-3CDcYgAg=jodZgqQJZCee)(a$aA;4S! 
z6p|x|$|B9+C@2s@^jTU1vm4xqC)}^b5 z7(~c|Df0PFjj2TPwjL%;SoF?eoi}PJPG!nz$vT8qM+r;3h&=j=_etwssb9~@4qE}3I5Q(j=H~8kSmdCF{Nagx%|teV4pg~7mepkZ`e*G z7g5_AJoW~Npn$E*%BLN5 zwl=&SKz4JZZBw9BM_~u=3q5WN*Bd9Am3n@*!I&REEy(`8^^E>eixD#@mkmtEhoe;n z2Ra3KCWmhNS38%(X;O(soN1VN)tQ9^3RtNm!i;_g!#fm{KO*vB5U~&LKl;a*!07=6 zfB|PtQ^%hq!T3gHHBdIWtaGl}Sp0s~w;p302dx>y$j}&{WmD{ow$KcN6w>?nr4{vu zJ#4j&E`N93?A80-=iY!M#|I;(NA1i+NVMSNbF323ix3MkRtg!|u7ky6GP~9j2Ht-g zNWjL%%;84{F7a#FWk1kEs9uI3Ts=kyT_Y_X^nt=77~nhPF@4egT0X%2 z&r1L25S0auLi=g*`ZA3tz*RucDsCH`OFBince0k?0*?I#@|rFD7A?{^UheNW9HkHF ze~L|@$^idYnwf+WSOnVVzt;i=|8J7{ziq;k|A(0vt1!f3*h`&XL~n7UR-mDK4fMam z0N|s9!*06&bzuK%0Hp(n3j8nHiht&RruNeT3itmslgiP7jA5lCXkvB^GQR%Hb-{R3 zkxRCVmKp@8>h(IXOua!gKRzdc76t`>;vR@kbsw19Yu56S>`-2Lk}s#{wDmfD1_2zJ z;|E=Y)m&P$wYBREnV5@;<4L#04}AMO&8&GcAtx!eR4q|)dq?E)$P}JF1d><*890=7 zR;_D{P^1nb^etI0vyS0Qh?Mv)UUG7a4bF3p3@R(uitOb`sh*NLm`6Jxa)(#c%02`c zrwG;MeVID8Oc(Q=t>j1y=pb1;N0Z7nVBF0Q7Vb>!g2aUc2m&e$FO)7g)*O*!7CB3` z9QGBbOMRKwz-Je5D2Hy1~$Zy8B$wOsH?gpjzaYLUw9>xyG)Q%UVZ{r-)|ad%0rgSLqx=dr)Iccgact`&!3sv4^v%ggo=WlNE~ z5kZL_ofZA+@>AH~S~g^E`WfP7sH*~QydCPs)F^-#B7W#o6cGhzh;XvO@`3F#NSDsK zf+1x0e`%LjM*b6N~r>{|6{Z)8821S%UW^-G2uo@shOQ>9dY*EF=td zj8B(kH1W-8RI^RFEAOJ0f)ss10)r%HSegq&>NkG%zpS9cjR?DW^g)?(wg0w~oTTnA zKokk!g&;aX&bv;!Yb@L2Xi#v-Cpa7 z%PYG37F$N+WlvE5vE_YBep$*|W-Nr+|NPl}T&MNtbQLk*&)$Fl+m4R1nhq9{2or6> zo8WhuEBqieB(P}(p!hQLcT119UrHe@&RY860?gm0KDjAcp7K>&h(X>V-_1xo>&1=D zsP$D$b&@TOoOJ^Chh_JWOO@LR&r)XRZ3t*AW&s}ihe+gb)W-Dz=x0}UY>Xsaj zh39Mink2iTR4#|I+bRQ>7j z*(b~?0=YSdjEb#GefLT?N8mjR=^28#sTx1YbIVlFh|SuQPWm zfp*?N^)QNWxH!J?F|Io>EPzOD@=Z%vDv@{=0u zk^_luuSnKtkFp+!&~TO>HsCi}u0lx08r)yy!gEu*%*@M^SJ=Lmu6M7kIEp#0t7M4h zZhlGXPO$fU`@*SvWoAS;fBdPZt*-EaT5nc@mXrcp$?qHy=9;R)ft4d?I1%mlQz zeCuBVIzM_ZRSvV#5|w{c$vSm{`tE$Sb$t}FUoGD4NydL;?5RFZycV)LNEfNlh+c;7 z;ngY*#(0N;+k}9I#P^vhKl#}e-_p9HJ_ZozQMaSCH@LGrVed&pHM;^B__(%DwYcDVZfc6+^*mz0#Ers z2?FHK^v%$oTvR|GgM9t(_X^PghzPMX(VJ*B$aKtR%;q6*GTgq6ww0#mw2U38W;_fW zB5hnYgT@vXp0X*@&Am5h2EK2Z*6A!~uP=+b_Q9C2gV^hdI?FG)vu<4seSxeShIc8? 
z=AQ~hQ5|4PQ0-vnTMwQQfu?q?wID^vb4N&abIArQ?YgXb#lVRchuSif9{w@VH+3)y z>Xy4tF832()eZkxXWMRN&o0UCb?>WJx;c#v-8Aqax_QP9Uu$RN@Aj{n_`f7eb+#5> zug7UMEJ;*%7Xsl<>+}{TF7@!meVdbRf0d{}=M;5e$AZ%U7jRuOD!FCb~c&@H%r3j~it6Z{V=3I{Nyp^iZO7QfHLzvMc9|Nv`1>o}s(2={lO_ z$%>u-`8tvQ-`)WLQ1IUr*nc}9IsV_7F`zgyt6$}x$~Z%Vid<-6pBrJr;8YA`OVhG} zB73#}DwJu^!UpyJ|2GU541VZ}Q?pD4#X8RI>Sh5Kml$4xH|`ChX;-Bd&vo zI>I!S0RPG3VWfIz5Y2U&EGZ%y+?i)r?+~r7>c8$L{^Iq44 zqCLM87Ar9coga z7cHY3#Y+mN)g}Z1#u`hDq?Q3!#E%3OWQ@N!7u8#y2}wyVQeWL)rhWxVzQ`N%xeif@ zPxHzp1a2rp^my9@@F&1O=+qe(|HvLID&MJxeAvH?HA!Vss@95 z7Meq0@bvPEjXYDVl72cylXFwY6xF>?;ooH?Z{D8@V7bkjcfnnQWpLz3AAcRl>xvmp zlAQb?J4N0+xfwBUGRo#JNZyU=e5{D$n;)k2^7_u6C)uIu_V(y6v&$}$_)!zol?IAL z@5+_;9g*Gmco%O3IlEtYn)`cPR(=n>u&0y9Rtric$s9YYIS1ruBdW5`klDZQxZw!pIo+qU^&U4cyJpe~mWm z#{;qa{rrPG2m^g+;-Vn7wE7Z}ggsHr02ElwBykma0Q2kd?j(!4`C~RO#B{HW!5U!Z z(vDBy61>0EC^6|@G!#y5xt;C4FYd3C8&nNklD{9LqiuTf&LAf{BJ+m~ zS6n;+IUCXTzG(U_OymkT$)rYDO{B#2LdN$gdPIIor@&E!){vA7a|Ri?Y*8w!bS}Ij z1?nllc=CSaUA*Ty5soU!s{K~Qcsz#r%cg5U*HiU?koBVgHAqJJYqYeBu^0kHjB6K% zrE!py;8_`jwNC#ay&+#9jrQVKOmVh@oC`6{nI(o#z=lMEv@iXe(dJb{BYgX%m?nmm zDS2POx&?YkFOE}5-AY6M^R0bby&KFH5Xwg$-3bR&28;c@({CSkQ+C`HHlfM+$^)DR zpPm{YO;-M+q)~V>GhB4e>8#z&4)m7K(dK-hQtASc>8rL%#8?2DlL|rgmkfvTd0A$x zJzd7t1|y9NYets$%#DH|(QPgV7h6D`pRsP;0#NukXTi^pHgHQrnNUMsG$J?OEtxv4 z*o3iZVkaNcKJv3fMeKi%vdWVEbR`Q)u1wk<2o5ySXsVeR7mMS~SJ2g|m=Yx_c5lg0 ziALtB!Z=&wl@rW=P@sUHr;i}k;y+mk`NJL&Ll!UGhUj*EL66S}z3@yQwX*y#P~bZE zUqZH013X)bPI(u7XhE=1*5h2u53y^-xsp!7Jpwb7Q;*eY)gTYl4vNteLs5wQ?qa|x zlNGC?#ceBKAr8e`7UYaF|Gd`B!y%^3ESC{tQShbevT>(gyP*bT=kkWUoet|yjrC2B z)@}m~X_{1sVj5ds1zi_QaalwMaq_ZaCr~bmb?G3fN}U5#=gGWNfy=HABSIVD!KsV5 z&*$KF>K>9zk%6G6JInb4wb*(-ds_tt*n4Cp*{&EVa+uCaO|QNwP}T9=4}4aJQzKJA zJ(au~ExheFeEZn`8P3Tiekebdq@VE<;kiA0F5^!mi=V?f6kXi3b!9xP+>RU;ev=d^ z`MgZBUvpMBBIr7PSp1=4Gk$|T!|OhsB(JpStdumfejHTpX=0VXKtQ?ZG>0Pk5rJ{q zIvV@?erd6}?DPimmEU16PJ0YHoEibdri$pY6cFg@gJp z)vh|MfHn58`uiVYC!MZ(o`$JeEzi)(v`QOlGV04`owq#{Zo;xask(2WE=v~ 
znCI)SP-R!;N;wrje9@I6{{&uP^InKymmTH%QY~{mDIkxUYh7fLJd=_9zZRMqh=ZBZcP{49v5fFW`HmE#kShxI?p%S=cC;2w8yRJd zt0kFnU};=UH4Y~wl}WxN)bL*kN{KydA66hAgZ4y7K1}iO9&`)^psAY|8uko#csl48P+ zMxt!n1$ajS!+4GQnI5#=6&71x-wQ4$E2UBgIj#hd9{`H41+&|0bB~+B3!_|6;<(@!NBzrkKYTJ5NJsE507|q%oqzAWe!J`F!rUYC&_Hb)XZW`8 zd`%C2odB{lpRvm6PAehk40v89#DbU#JbS(WIIyh4+%M%#_du!Z%}lx}zWR4c;&41@ zN|xq93`uHyQeDFdl88nVCaZWK2Mnn^wPx;^JLiC2;z}hv@?Gj1MrE!7ktUutx zz7Sd)GMv!XG5AK^?q#NE-JCIQzub$_h#+a6Xe#4Ht5$6%e=>q{gSK=;pp9kiT=EsM zsm^?QK2&bmf(jAUik+r*x>(N7E0eaooGqx^gN)&U6~%y_gIf|SXm%bpdkoGvr~R@H z?#xr8%z2jyMliM)?^k^aLI;^gtp$cZ`pu%)qfMkS38K>b=%&W|X6^75?+W8!d!tu+ zQGai5;L4rFRs_X}IaQd<=Q8)6&wfZj+{R$6`LZ`#4h`~4>Cc!>JXL!l$<1miv{dN8 zmov8&fTUg|<%}E4N~|zSPI}%v^^k}$nsH^;y(AI9zpaYxN4$bC z)e~>FfQLKFR<#_6Eo1=;7o7!z8mq@Ea^*o8>DBX?xg8EgLl|0 zt7b|f{6;y|lYTHitENwh_j+{7h)p*EaiO(rEh`8Vt%(gn=8e407CH#)DB_y$4{3u! z_vU~4O5-ZiOJkBC$z>o1{Un)#dTsdW@qzpz4vC=CdkM(^|5Y`})dUuUm$gUJx>{3Y zc7lqT0M0u;F|lc1td38G4sXS;ggLe!cLt-_65}@C7Go%#W)*qNzM_T=DtOsr z&4h%}tIv5Irv3^z8Ku$)rwp#}<^YQkp0{ZNWPbYgKq{o`P3bpt7IRW4-fOcg>49V0 zj>--=%{<+sa|R(C=Z#AM1cmIfa5dv$PrqB`uU)ZMC))t(d0?mU+-+%)DVrhC<84X^+ z>L)rksWUJsX1N)At!}*}1Lq zHyQf7D++9{TWp&e*e{w>H27*G#OJk0aa+d*NMw1jNCWbGlV1J_>h$_b-T1@a7cpg( zff64ha_=&N7q6T@4sSl7yTavdOY$_b@k7~1N)lp~4I0*gatpGvj3%X&+*F=(@X z4nZ5FF*16#37pBb^uC{IfF3F``0RGfZgie$a%WrPa|BPDmoYpX1!(P26}1@pG|`n| zC6|aOP58Gr(m~}i7t(=|Wef_jJ}`yY=2Uv6OymPk?dyf4%-G}zU&DoK#H*!bNu38` z##6My;W}@>2@8LT*K6MEkbD}ZJwxI9|1I4RgLTn{JP@}aFY7Garc(f!!PYZy6{1Zn%}YT zje3WEZ`A2-wK6LK2~UA^z~GqMt`)cUID#npc}~f~Pa&&;h6y35&0_YA>#J{i%-!Dmbx(?^;9ZIP0N?-FufY`mxKk!%IM+M@DVm02c;w{ztby1 z39{WTJ0q;pI1p@!Bhi$EvB;j=s#RY#xH|8os5`W{qNza1?u|W3xD3)}b9(dt$^+yw zvu)Aqqw-p&^BiVT3~FPE7^(mJ%C&ps&RXy~kqz(F?(H~J z!B#^g`uvi2@JJ9ewsm1M;LY#U$m4JU)!zH{Jk0eag;7MBz5GObzkJhiXsTdp(dhH% zpGksGzx`KGSR^0+G(l;=YOtUOj+JmuA_f0_RG4@Pvq{)By&-xy`YGbtD3$W&?JxHOKGA- z56(sL*udT&QTN_F$NyY4kW_5IuQYwwWF>-cA=R+Z3CWo4{!;0ufDSv{(ij5gdhMQQn4L4sDJZW&Y#7UCD zoyJYPU(%jM1S}oUJW5)Vy|eD$1(4PAX8A6E3tbY}D#a3yxNo8mP|l;q@o^K}XW)%-$j 
zam=l9zRXaGbzum;)r#huH1E{w#=pO`@n|9+j@5M<+og!LXTnCV52a?=lG?uc=sKoCY)*S+Tld%cgHb}^`;5Z zjX6I=QHnL!zG}BBRlz_u#E|X@bHf`tXcMn%p%PA%+r%h|YIE`)*amuXoa-i=Er?j< zsPH{MAFFKnM3F?f6Wo_@IxOjSLc>OYb#eeW3X7$xSW~R}Cw;ej+S1{9UmO4p${$Ah zE{>9b`}}c-4G|FBD___@eulQ_W))6d=sStpleR?biI69!e!u8QLkPDoXShTmCwA_q z&OIx?=9V^FbIDS#p0qn(^4`J747S4gTAzu2p@SAGe1rWmO?U4c3auY#Wk(NtwhS%S za$#PsJ37(%K3Rm(LlEK1TjwzozfX0M?jXz&Q;1Y6 zKJ^~HQ{|6850-E!;*>{(>>rZ5Z^Ud~oPBvG*1Nq{orAoFWj5J{-8vb1yh`sGN1!Df zsMI$7ss-}pd*)m@Szc+DD{LzJPAlZi`(|V=}0@G5~b1mf{BxH**FoG{6R_d>ODLKyXJ&lU zFA$4uj-?`@D0T99G%!=44U0e-Pc`1qB0^AcC!h#M3nJet=`JlXF%;nePjJByJ^GGJ z7qWNwLEbCrnC#H%XsZ!ij-k)$T2tUk zk&HS)uCwhAgMGhW47oYzM2b9d$HPgfpQYM;2k%a1 zo$@-{uqruxic&I7-)oK{qfE1EdD)5YK~h+7O1V~iP_rR6aA{a_9O9f)ScZOEN&fY3A)+Wz;0qH3X6)2>&ZXSkmD zNm@|JRnX{b1<3(n>+VeNWURa zljIb9z|#lmmK6L!P~NKL_Z)B}3sas(CY?jAbH<9YI!B&Ae2Z4DX)S!9+m#DWjt?H? zkRW6&J!Zy@$+!=~hTRc(1OV6!#HrAzDtq=%FN(N>8P=Wm+&3{2;{juhki_6K8o#uW z0JM#g2xTG_29pE&n;-cSRoFfsA)t@m?_LS>I4N{aKg>MEn#BqpXVFsj{dYfKFq>Ef zEnG7ioecxvLM;`W7nJF&BT{({0U?WERl`ukc=l?hq#x=qb86eoNz$iC$MTDqRSUCX*LOz9x&b-k9V9HBKa_oVVKt|Mq;)3}#3T@&qB zraF0S$l3JT2Rp+Uo1cs*hG`rKntk5t7R(9w=5b-GNCU213oA_kvEU5Jq?h}Kn>^r} za{5tt!1)pv;+N&iAX7bFAVO?u1GmZWsojj2C!T2q$+>=!*t8mUORkEDMmhO=u zaSPIodyV1zPRNcx9=6>Mr%|j8U*c|1Z_c~Jl>L_zvGueNFf?`yTm{Z&ff=KkS4f^7 zUqqjn9p2?Y0M^T*c1t$gDZ|Xd2sb)ZrBcP)f)B0*;Bvk}T&+z;HlDanXCOdy)acTT z1Y+cW$q&t{zj)LW@~dYgCKjJw!iB$X3O+)`iRui7c!MlA#i>)LPT@rjSnW4mEnsh& zD6Pm;g1n-sfuor26I5qEG3?5e(p5#^WIZpMEq4ir`s1JSR&um$ij7a%$P&sJC)pmd zN}!aDI7phPHR&ti^9G(E)Tr7xopgO0|KW3-1FHk|GzARNCwvV#XRA?s*_avujdnMg z9W-OgGJDOUK7BDq6< ze-hHjUpFEs9Q9TL2Kr)?(jlacIQvXpW5+^Dx{tCyKR+TIKV|t!6iE3b#7wV?*)s+ z_x(%I5-(!_dtj+XTsk3wt}FNirRm5#Y;S0L$I;`i4Yl@&00lm0WW`3Bz3(pRA?0EP znH86+^zF0!pv(#UboEB?NmrI=I*qi%i%Zz4lsaqeCmr;TfS#N~%cqPYiO66WfRRgs zM0T+vafHl3pL&Ur-0f#7P+@6o9@u$ve4dxZSb0&C?`SW<^@mdljg=w*IPWo5$wbvK zcif2m6mfDPnEEzA?%ls-SA=iWe~sr^zo^H@$8(J27)hVtp2h(&9+FT- z;p1-(7Z=N;M9Ufi686a&`tMuW_L4?DG`J}ktYKIXIQx^xll9_}kFGLr`@{(ysSQpo 
zx=;UG<(szO=5K8e|3WaU$h$LL-7~mp3A3LXcT(1Wi1Q%zC*HZ;!ZYSKC>=+W%nrg+ zm-5Ir*_SJq7Z{$PVw%=oa#Ri2-#yvuv3M-Jj*3n&v*bZ>`z}Dr`Hg!bA9CEKk8?OD zQm}djJ=mMa@P^?uVptZqcBJ6`9vk=omkP7GHRYf{`UYE@{pbcyzgd{QI-q4)+Lxtw zLc>Cz&US7@O)sw|-2GZ$JBieE4*`>r0W|g64t!F|;fnB>fsGY6s9h=0kdLf$tNEaV zkHJoAgh~v`QIO!8UDvHGPob)_C{n=0eDE&it~U-i{DKHqzi?BFZ{C{}CVH0q;b6!r znG6mJ%3(I;xCWb_{`NIq{v9^xxFFilXUHdux$R-^SZ4&nLY9bP`P!*JA!TpTGLPw^ z(=k7xcF1K)2)wD84iq1Bnq@>Hv7#!g3?F?cndJ@*rFDmjIx1Rw5$0D}NAto*R6fDr z5x$ikfzi?0-jXPzo<}Ff>c?r$06w9*+!1ef^=i5-Kh*-62M6l@GsvP$BG)b@SuJe-C1}20@<}wTeG3 z(PS`m`<-g&#D$!bJp|sJ>yp*Iei`aLT{o7posaB{c&!;3_A{Y57FFQ%9DtuPzJ$B~ zjA*k(!l|_jeN#~GVuE5zg@loCdLO}I}+|pQ%*Vpnl`msd^K1%`1$@rmvTK8wUoQSC@MAL zmv%}a=UMk}>FJ&N%GU&9?yFR5AJv#nv;EAqfwU8=lsaUNF@At-G`f%W(VZm1l5iD| zhB1egZn99G$e-!e6ZwORP+w3k(ibQXvw&H&V*gY z^|t6B^0$6cBk=MK_*k85#wz5iKda^xSoX9J2F7JWsn@J%(LSZP{pcX@WmC^Chp`xz zF$0F)eX$@BmEzQCusogbdAS`!cu|FvSP;S;pOm0fEE-DxvTz3y=%MmYumS~p%>V%V zXaP-m2Jqu)4|C10Af5&$)M0dn=J*2kq>U*me(*U<`}$Fj29|znu;*ujZCQU}7$X(L z{3Iq^7UT95K!P|_B&l{ZSX@Z9(e9z$TP;L}P7d$g$W)XE|DEL`{M!l+mHp?a`bvQNGRv^=7a9P_HO}?Vf9?sLbyzfu2PFc&!EMuaZn^HVV_rb}p;`d(B@Fy`FM1jb z{XU{%OBOxRofvf5trjz9su=EbXwzt+9w{XLrsr_&+DaL`GZ z&K7C|IB>|N=(r|wFC{J+}Nk^gyHBFxF0jB3(5vu}X zlmwWv4CLO{?AURm^*()tuC(mSW@rE={Qh=MBSDI`+ynk`r9>)T;W#_bXw_sH%kCjB z0e*+bnG*hlSKax6b-y&NMMgjZIRA1w%5B#I1~QXJI*`eB(n6-l)Qiq$2~- zNDt6SB-~7XP(ft7*3eB1g$Ad42D*HZeOs-ZMTCylYXhOOu$v31u@z*dDFTEpZ|Fg; zTigR49h7C?Io4Xgdt$O&;oYy1bE^1uJQXm12AORyQ^7n(7>7hrnIdb{?cVS$?>Tg7 zpVRO_>9i1-|0i!?^jZ|jcEmQkoFj(ag-imO+Y_E6Y$a8L#68<%-EN{tlTYG8cM>i1 zeWta#renVK`t1TW*6s5SVQ(|jH#oYaNa{VR%`>fK6<7-}^;BzSH5_HN@*1$Tgxkpm z$mS$gGbp<7Im~);Hq@nYRA}}E>ZAlM`Z(`_1Fgr=SPLE$J#5%O=D&?^ppl&oM9A}S zlo-6wN9A$MNR9~qtsgKC^_z23(@qa*+$u%(F1NiDt~qYg-hNxwBuu%+YJ1m`apQS-|ZUnrRxh{d3VS9VQymGKs`6h^6sV z(}GXf*7n-IbiSB`7_b$;8Jnqp8FFF3Xt2a3C?*PGY5t;zeZLloa`;C*t}%!~7Bc~t&VBn>(9HiC&Q*XKE_HB z<`ubBpAY*I#xdQ)K=$e2Y1enQ6*%Kw^Q806zTxOaXBi&B)%Yi9txGo)Lyh~D+}tQ< zb%!Jr^N7R=gXKwCtC$kV(1iAwKnqrKhH!|}a6c;I0dKMV3&EF4c2X0tSoK2);lIa= 
zI{?79Mp74&de31WlQG^6e;%QeswlQsWPfyn*IGTQJIv#B?PUbSVBXrdoYDS0X%~%-ry#AF*zNe0Q$y;XZZ z1m>=?ZI=$Yyk0-z9NwF;kT}B=MXX-?+YRjsXWrh%*^<32H-i(7^4+~|{O0LqJ`QT_ z!G>+)SVKU;p}}EGb2w_P&JEGEmZbFlm`MqQLGre>swsH#F!7L+v38 zq2-L8ozYJA&IY~knOAe6DJ1yXzU32Eov$xg#jBO5(PMY-N9vprt$;~E`CJi+()6=g zU8fgEv#&}z-HrY`U7&Tn{*XhpCgSkgL{==YN>H*%TT4Ux7SNuRsrD=FG|>N`AVopX za}k^aa=e0On|6-K1v})Oh*dpDXsIuq#2l-+yT9Dr90-{%fFWo!s7K=m?rse!+8PBH zmSCoXHFMzCHY?BH&tI*`CJbQ%a9`egIis8RX&lKfm82z}aqd4QE0+BSMGxk0UseOt z#2`E3uqm{sP#vuQIiV#lwceO#opY=RKc!IYM5InM+vf0rFpn~JW0Yg?_^E0WSeb*x z`+fw{`?XjL&MAp7tUJm%$%L7>2NQK-Aw*&Iqg<s640cz!0QrvwZL|88qa?FB+(cA{qbQuU z!m2z)wY-JD(v%$Z$8|K8nLR2ZgfpSrkP+9H)jp1kc`gx65Xde9^4fvTE*J4?oE&DK zc)OSK-QD!&&>?7!bgK9!YFU&g2gmP_l_ruB`B8ASE`oP-a(>}Q(ZMa-yI^SKw>lle ziebkjZi{9a^JyVnJQ-`)7=^f{AZik6TmWQfn zD?nta?EcKGUoKCL4pDfYy;L-=H`>iz`yHu(vCRGk6yWoeE*U3Uv%PnGfDc5H#HYQ? zqtzp1m_&8^Id+23bSSY8*`7fw@GjMME7p_TOKZF+% zdM%-peWN6NRgfpUjzXNmLE<4EPR(rdKv}Ovh4Jg2K~ls86LuujN?z%a2^9aO zFPy(Y&Nd%(XPCswKd2d&9K8Is6t2#SCTz;fg)}W0&-``c*SVAl{@!5=JG$R7e+<701j$jIx7;49l zR$;LFIpPVB3{crusppl6p)c&`T-%ZZa`B0X0P+Qfdkc6I8ide5#)boE5*h6K?6Mk; zHG)c|C1ni(7Zj7D=}*XHCZ)vuxrGs6J>=J%xNkihj@dsQ>9E(RnTAhfX4tr zmPPzsDS`!thw&Ap<4>@B>RLg=+KPt_MLCI3OeJaMPeybL;w@p)J}?_`BASiG3aKBh z?s}K_OLyA1u1#|0R0a<_OcLjeKGTDz-mI$JupeF&`yghfuu@ADgpo&E^E#(@Q*Pbc zj^9Con%Ad$QiehmA)iaoj!5eMo-2>vnGgLgmRO=5_Fvk>+Rj!O@jl=ehzJz95rIaL zA7NrWE&w!jV6eEisKJ3r*=Z1y{Wa5Y3bf^H=$3#uM~1C591wV4?S@@(*?Tb2ypQ-& zxaONaC$Zw1EJEUkBx?a@T#s3?c!YI^L^7vPSp&4+-J?+pUB!A9YJak58J)ul4q0= zt<-Ohcv%yfJ~uL+D7K(Ej5IsL%amuyE{k{o)uUC@d{BsdhP(cs*;WXMa2+U+H8qpU zy)$@L3~Zi4uiM)4QWrGREgmrImaxd%k$r^UPuzz^#_l3uYp|ZstdwZt-v^%G2=aA= z?OxAs{tObU&{!z3rB*}n&H%!g48dJw&Yy$|AS~ka{n9y5x9KD}ckSzvm~5PKdwN;S zl&D@r%t`BhSD}(}$W`$3d`kRTG~oJEEK=uOXp8FBkAD*a?sqtQgr5uJLC1NKzj3c{ zYzRuNS*UOgm{;F9H&L9!%&zO%;W@n+m~6xc)RSY1J;mz8n6tk2fSt_~tX=c)IV*N@ zL>rtX$BXU(>t<7Ot_N>TEM)*tY;8FWJN8Wuk8;t>&kO;+1TT18v(1OaS=YqkvOo-A zJ0t%w1AvbR@B9_pu*sc;arr$(-^O)7$;q=-R}=w&$=hrCc&95R6uzCGfj}Jv-sqXl 
zKD3`eYO$h+p?L86hQQIR_HU;@`1(SuQ*$HhG+$>i06!L;9oA2j* zI4ETkEA5ep-4*?u2b?6(0da(7v<3wbMUi#DP&-oGo4?IOI*R_vDbDV*aY?T3PZV;I z;2$MsYg1$g+`LZz-&J@mB*6r=9QM~8p4OtCZl2NgV#dQ)JfgA^#5j>Bpy%0pcHoHf z+$IAfHvzxMJviIN^@DXxHL3wF-+|p?Fpk*aBIa>u#AtejG!_cqmTaZd{GjalwX59Z zGM9fyAbmvXZU3+dSMiR6I>(XHke$a@Z7S5j7*LXHZMRS!#(;cT8p2{k z4a;!lD#OG!nUCF+IU2%1LzC}Chq=$3z7@IP8fYoH<1H+uPPMS3zN@#TCh}m^!J#1r z5qH)vTai-9w+8^YbRt@%v+8tRmhPsTVMOX9fIJUBZ+zEfnNZ*uKeEK`O6xL96B(3@ z<$y~^YDxinkphdyol7Q+>b+n==g_T%vCdDIwZE)d04pSZhG10|n8K-~@9N7#rupD* ztYfJQNI@p7nYj+M!GBA(p(Sb)q5+F21AOpVSQj}7f$57v2TQH-`zIRjqzzo>_PjK5Xh>{klLvZoV5m1EYIDYYXwq3n5bF9L4bLkb#6o9m>KeWGj> zezYl6WA&krC+m=5hL|_^AU834f|B^N!6rluoP+7l{!yg5pqJl-d?aAe?L)tE>dhNkZ{d9t+9RaBEhy)>iLk%$ z^^Ln%ofr$j3K^Cr=dCq)dBXjmvcKuMjkh+gv8TzFkDI1J6lKjsK3(b(F%$E{(yj|| z#Voi(JU@)6@Anwf$in*9BSD3VZ$=79aie`N()P65Y1}z*bv7IdSOA+K`!1&Jj%R^Z zj^d@I3Zb=14R*njLRQ6$s}*LxaTlUjTt!6)FRo?O`V-un6K}@BJK#7`Y!c+;rk#A^ zM@2!)vCEu|aA5YmM=icl-;oj{hTe(J3+YWEmnv@A{4N(n&fll7tI$FRnovUbYI@Q3 z>Zs+lf)*;kva>09Gn>m)H_f6?L@U^@yTbwefZtiv z#x^hFxKBB>_P*A}294cfbXHDBpez~s@9pCBhWb*ja`f`i2fufThrkuJir-!jgcUcqHsx4Ow-#IdSKe2OFVCmX1h0JS1ZOxD>x47*3J{HY| zq$14RcM>p9m$Z!?7Vozz> zYx!oWY#1mi_{QEi8Ub)z=N}0uw+;HX7(0ORoCf~;k(zeML7S!(5lAxqI_UKp@ATPS zjNuNd;4nzvQ)FiuV!K523k~6_LSpbF_qFB9tUMhTjC^z&L~Hy(1TRy|{f}O-?<)U5 zg7h%huNb0OYCfrFkh~X-5vSkeCaiso|4xK5lM3!Gd7zN3yP$0pS$${0Q_~TDzar4>O!}8TM`jw zvsBnd&iDjF+;qK!JhG^KK)Es6hwd5O2!BT{9oDx3NYY85i;(=hUa5_F#fb%py?pcd z^e!bf7KyW0!cLme{~Ciub{r}Ws(XU#|MZ)47&hpzd5?9s!Se;Wz>(Jup4co4S zedOkM1*wug`$-SKHpSTKOxfCwz`%l>`tQ_pqa>K*9J#*(9y#uYPDE-x6E`lpEM6|9 zmBdxLD^_JJ|3`QK7$iy)v<<>z+qP}n_MEY8^NelVHqO|#ZQHhY?)P~kzHehUVt?=E zkLrxduE^@>=g%#8Tcht~&g%q~+$4`SwjKo=2t~n%{X0P^NqxM=^qCd2GNdm!` z+>gCluL2&O(luhLx@VdC*RHuR?C3blSv(}qNi4$E#AEpGfbM|N%QdHE4ItaOultj~ zs)r#p!7uTXPd_ht`l`tPu~+Y+36@RP>y_VxKQNeWCXy$)n{81O;oGN{rq^OJ zbkQpwX1VHfxnhORghb?FsCJ&jrw8B=35p>$!FZ? 
zaVy)mv}~&Q<(<$+z*F?SkgVZCl*mBXjD{pUAWTP0Poywk(Ul}fYSt|-SpN-D0h(8o z@vg$mAgKdp={yxW{%}-cscTmAdrX1y=y)`Z0(e6C(x^6Q9-dAVo!Q?F0Q;MR@a$Ej z1Mkms-P)qPo%PD8%3m=2<@tYcm zn@o5`!V+VKeugA1txNK<_>pHgFY0!cC)~g#)Mknvex;*3voya6Gm}!ZTkofx z4)2UZMfSDQ_>iv784k2A5&abwe7;DVVA?T?F4~iI9gbTuHcx^0N`Yj4(;}_(g=}Ji z;A)A){XLV~g+{02kgFNBI{@JA{Iq#LEAjOHmC*TZrZ6J7(b@!gykww4*7Jfd{b1nw zi;U?BF{((S{w7xZ(WGYB;oQ1G40kLd924r&?RD4g3v}SKK3QxZUkMgE+u0-&P(-#} zi^WX|qvvA5FeTIjT?E!qpDWwII1TkjPr}Y+O14O&Qk>sj3?_frur^h>MVuPW(f&42 zZ!CG4^tZKn33Sveg5*=vkNv_pyMlklo-oM{dRZX+1=BilKuQ}I?U$H24t2>SK^Lm- zP0J^1oEd@1l{i!xS-6v#)DVdbG+DFhQbXY!QuNzjj}LN2^eaD|VK{n67WuTUnSsmX zm_Y?kg6o;I7ia{B7)6j)^=f$7zjNOM(6TFjRmn-L0Nn{O%O_seH6R^Rrk97kGS`nVOZz;sm*R;ubC14{DYeR)BBBAJfVF#JwZfqbJS=Kml?zAS5 zD;;H>OD6C}^#f5#kZP!ZO7)kEm+3+y$GKjdlYh)J22X27aU#b2^2sK z1USIpGBxz|w{y}#F`a40A%B7a#nFY#FZvq0l{wHrN=&B0Vi@mqIzP%OvuuSarQxyz z8Q}`CR}6uMBOiG<&EgZEpmx{9bMH?cb7C0dhC$Z9 zOOOkD%eu#=lp&Frl8Oj)#DUC~(~D?xb<@z?;HHpSknU5^ifZnC42&y>KG_{R>a#4X zCZc*;JwJScX4oBTT1A##<(!g&O|)$Cg2SIN+l!|RWALZ7Va0A zc){XUn^!Y(Xzap?^|wq(CFKtNtONs9%gx@`GF1r6DFHp$%e4UBo{C4u zlNDRw`KMaGV|1Dxy*5V1U4|QRHr^dJIs)hjM&qrEoRFd1BePbTT&bHjaR8fEFIJ9Py|Rw+!PG=t6~&%5&>pVRQlR z<*xZY6Bg3j@3y3B-!0EkHWCyjkBQRv1C+6t%NnmUT;5_e{{=y0%j2odv`FUu_#vWS z0#T%ntJ%USyni}<{g;Jm1ZhoO&*Mc=Hd=D}#DS(uwiqk*n$EaNP{0^gI(y$#pcT~b z2ma*88e5dFE6lgev#j%WkDvVt)<=E@Y1Xfby_rc8L8H*)FE! 
zKpyHHWr5o_O3{k%VAEm_f~!r(P6p3n-%!fqm2=sp2G#ineeltEG?q6bHO(`IvuI2* zU7-Co#l}Ty%YpL;2cU+KvR}x9dB-Zhq={oXagOcb!MNX_t{yLo&^JDPzuHfU(x>tT zuJEry0UPxA@?%r*Qm!Aq#1U`Z@l$h$E!KZw^$Tw`MZFS|=-{nE`qm5?~+RXhnAU5E<~)hGdl0l(`f1`ny58>5GyyT`-^ z8U%{@5{)x+OseFf5(^NHE0B!4+P2Eb7C*;jDNfi3_8MtSWFb~6#)6X>!om6i)W%C0 zS&voPx59NSO9z;guj8dEC|I&W=oO#&YGS!FF0=))?96w(y&mxus)eqcGYi=6)&@61 zoKl*+39m@S2D@2VYE*d_a&_tI5AJp5sNhzCn4FN41jElMI z#q%%Zur@k$%8M8FfVJJaYZ9b*-P1 z@D{o6qVfLV?G$Xfo1WzB21scxXRj*EfEoKZfV+7LTZ9Rdnu);c{KSA8$>1s zBfzHyp!~_c(Y)A$S&@X)Z;}?#FgUxY&b!g`?h8MqlwGxQks=`!W9paXL{R2cC~zQvj9;Qljsn#S*2SFd zhM^e-2d4DUltcDl0tDQbP_Kx<|0Kazh_lP#4R1&~@%koQ>7w$7tWY$~>!v1$JzgMK z)SMhCwwnUNlHYJHZO>y{db`iVp`TwGl_e4PAp%Ypau7wdy0$;`lzWA5Qo%;*q>Szd_G;lmeKCVqc<89u~v^{sr!5C*pA3`m&A};bz4+RF@Jm1U0{=BX!^&NK0gJhv! zd>Hc`5^}wJ4A=#;Fq`9ZN0vrcwW}v!F~YbU>5Q;fYty!&LRqkJ@dBg^Wdw}P!LbEU z&Z5+J@dP2nY_!xMR*Pk!_8ng_t`fHo>( zCGJPBZ*oi)D4CV^Ws+QVflGZlGo^D2s3Fy@dJB{t0~cHgW?-60LOvnk)p&P`%7Q|; zUECYOz-ZU4nXLuLu4(2sQePdJZ@_mDKo{W=FmY9TegLL}k1Y#^+*Nel8xh zsMWT}G%+5$gw^xson}#>MzBw%t8yL@Lwz@mKwpg{t$GRJ&f5N9F97(_7R(SO_%=}V z2m@yf*Zs8dPbCy=JpsG5a=1`z0@g5mdFlYyCbY*tNeWTpOi>DM@N)CUg+fz3kx-`R zcJx8fBB?M00y5v^c$seC9bj`lur?wpN%ieR-*oH)sOz0bvX})o0Nou5W*p-9aqQ!Q zX}cf%2%%Te-o5uh1x7%l)4bu_%5*9M1v_pn7)cY1<~Llpde1Ex*G$8)0U|Z+t8v}# z&}4F!{(B8XakM$nu1xZBqgtUQa;icG^`*7LK*Rtdir*3$ekErtzvxLIPYRZ&oZ#yl zi~s_^alPLd8~{KMA)Y%+h%T;M{>$H(_A>%_p|-Q-;9tRi1UX2Gt{)rV(5e;{!;uS- z{};W}X!t{kg+JRAW1onmHUps|ZF?MEKdhzT!{V9O5)_5)KSZZr0z&f_g@zRXAlW(^ zUuH~70_>yV1*gIIl^{(FQs)5XDGD1X0HD4`H+TY#-Br>-qS&KGG<%~Ga2S*j{NBZx z58HR38hvlNg}spuOS?9|+}ny|puIVK1Wub9L3(8|)`U{OtgG07`mp1Tf*nwO7RSqJXWh%t-fGvM zy;NjvcDFPqX)pjN?fS z&kGaIdFE>6j26W>xBRl$BF3-~imFwx99v(EsvE_jD0PNR9uw3jutC#UTz=0a)XseG z^9OBLVQ2r0Mz{$96oO_$J}}L_T@|b7pS#BQ*I#gbWd}D9+T5%bT?^mbAY&7IIBywX z7In@i)6`)Ui(I~f_v@mdT3C3*n?Ie<#Ecxl-ZynVjt~vDUEwe`$t10?-wj}=D<$5n zm1nG2T$D02L(}pD{onBQ(Qv-0mW%i&6X5=gpuS8JBFi@N z<|h$V05#+tXj*`g;!$D~mUr7_Oj8pRhdJt#HD2Y;j7Hi6(%&!TAvjK-PlUmZ7A#X| 
zmk*&pUm2FG#-!%B70%36GbrDYB6bL#`_m^J2%|i26{k|Q432+CtXKC>1E9nuvXbYJ zgJr(p1A!iL*%tbkB0kJx#XxaHw2nGrf!u9>Q9>O^dGu>2_;)rwDp?2v7cOxm z?8pmh)8w5xFE8tE2F7{;#Ri+!ds^6Ff#uR^{x15=#}`;J_SQ#lA{@_MrHb=Odv58D zslrfaDh-my4d*xY-K3*;6l3fAfw=5=5>!}O8SJiHgDg0e%4W*Jef>OQ$J4%UUMWJ0 zou=gAZ@NK1Hn6S{!d-E58;#y$erGEA;>*KIrB|K`yOSreTck65FTjVo@JUp=*p@~> zw_6WH`Fmahx_rI#lqs@1hZOH7m?1ZRs+WW^AqfQ+Xl-D3UQWIov9VF0*1J};{W=+QI#t9W&4}Z#1*VV{@P~{^Xh0Yzvkc4cmZFmW;)OhxoPbYnAH=~jgWpiT>*Nn=(=zP$^j%K3f!)Lur14OHKbn2Y+wZK1+PR zYS||=%(&CK8%EBgdu0oak8Z|{C%E$lQHb-PS|8L5V*zQYNtz;AGzG8!&c*_$)*gFm zLv-c~Jbp#S_Drm*Ma*1gu143z1U0r(x#L80P+x}?{6k`7y)c1zpqDw8r5hfd6|eRJ z>hD`z?isC`K*()(*nH<_xP^Hjai;5`jE)wxLq(y_>{W#s8GrcJI}ZX19iRO;z+%ro zG$&%T>lPXgu!ki@muvJCphEY*F+QPcE&8dolP%I*EuVv`grW4fgItRKO+5-D0N3xL z;kboMLfkf^_8?e)l!t0Q_$q*dRB3UrTk~;I7%B&7~#6MpoGfD< z9SDd#Db)0D89zmQjDVZD&+Fmd=8RZ&yCj~^aM;+@@0|xVD>0Om4p8!IE3V90o!JMf z{zf88`!_;Ptw|+A;agECZ~#5Jhgu^gXsY}0Gt=!2oM(J>rDKk8fsx5$9V6&UjSAW* zb@*UNue{8v&1*Z*FC`NQo`}3=8o%l{Fvu*SsGwj;B$oo~=s;aOkKQRE&>f zo?jaNjV68q?+++>C6ZO_yKHBQHtrabZzsMd783^F-UEaReYUg&3zFDjYHLT}i{lP4 zE@SgnU2xrK#iOQ39RxW|xo&`V^ic_Y8X$^sTz2`oP=W@qE39z-FNIaDdF;x)rkB#Qm zlA*>^?@U`D05gMg(Gwc$98jK~hL7I$J$Tt?YMVV9Q0B1d4?c179#McIJreWWpz}ek z(jco-Cq<D)arXlvezVCFY6 z5IY~uwY!X5cOk`9wm7!C&%Ua{sASBfUUoBR)=+HsEp6x%-!*J@w^GBQKh(q@Bl`~|2h}qmA%Un4j zDuhAGT>#8rC+Dgz_3BkhuMBH3Z)#~sHGpo;J?^b|6u`aoy06*&-ykw!w#p+Ym{m~3Zb5IxMU zVP9N@=%b$u`yDfY7_JU5P)Bfzif>Eq?G|N)TW#|_Ao?>gh#v~nG~S#+RLl6-u<598 zn#~74#E=Fz2#A``_GpI0;%{8cf&3O5etZ9HI8d&2YOIxE^p;}lWwdCC^EkyL|7G!q z#su53M~KK~V@tGH{HWmV97)Uxfkb1V4}sQyP^E>o4Y>A$6dO;w)jGKIpKh3zX&GBH zV1O6m-(NqCi7M2wPKO^Xp$UhpAZ_$gA6RaFp@+!$qd8|}*Np8GFHVIz($vw~r4cRN zp|Ljem4ROo&5fkCp(|$R!H-72C;e}BZb!0adz>6+TM~_Zk7S*IEjn_E6uOlIA`bIS zu3s(iJ6Gd~@G#vF&15kvTQiFK#%Ww;$M|#T`9e}+vk0=d8^3Air+1*)LT|jrci&~G#DsAqrsH&@aV`8be|S6>jeThk z!vM3wlz1q?hWoaTt~trv^Z*x$@`JI9c7Ol)ry~EU&iVK2IRbjFd!Rfnn}8LH~j9*10dk< z^X^TzH&wZSZU0Hf!1Wi`hr4$i`~(*Q5Z<-tz<~n?_V4|FU|?F92n_89<0_Z9X+6V! 
z!I2A~;MDo+hB(}oh_(R$WK$Hu{@4Eef8O!`g)lov2&&VfBmS31|DTkmt(w1V<>g$! zH#pSU7#QT-Nkh_njbv4j!{q^mSq%9BT}p(<;(C>6_L4Hx8M6T;_ta>!^>LxQkl+tV z%Uf6Oz4#k0`h&y0*U)#b4Q;?hfg zsk-8>w0gLBZ5;~_Q!o&VlH1Z`A>qTx<%zu5xAZTE3;9+~VH&|H(!8Z`wQ#Yy+xb-5r_6&*$%gt2{yy-M&wrjx4Ooq<21>;HTRlzIiYFU^tov-`Ad{FH}i!3Ryz^#3EA=i@}j1G zT_8K#z}qDyzIW}-9N$`U?aa{C9gDGkfD`mzJ~%te7CRPkJ0ySe`}rs!;%;O1&1yKU z_O=&&gaA|Up^ExKvxwgyE{ zqu&vi_oVkV8ixR@SLT(>Qw%oDray%{&&5DmJBisC7sx*n0`9W%VVsyg@fk9_jJRS> zV|z}06f-QUXm8TbF&|~vklVBg{w=4YW){;!FMh7SuR-nb<074(8>OGxjC#!av(P7H zIbI1>J}D2eU_Y^Cg;O~wns(0OrA^vQNX)6QYuYcAgZX#g{Hye`;GU2myORJ(#vD~g zvBt=q-U^)4#B}opR$s-%hBDR7K7tzhcMWV5%-jJ>45D|w0mh%~6l8WqB_234DgAwt z+9seWt3cO43{0K_##n$DgBK<+Go> zw!fQJ;C^epsm$z}TQ?KtAM-Mtq2R?*f|dhAnvAL{S)X6@SCJWFRSk1cyus>$IIwR5 zfW5kb39<{M->8h8n~0Go(+|m%+UOVt^aF}Y9$=3Zb2YEpJ1B0(u~*$K6l0FD1^kOQ z9v`&yY>$;4vyJl6NMlFa!|w zXD_pTMkltVFZe%4eyh(L_i45@@fLj7Zx&yh(a?jHDW}$rUl{DKg`AFEjTF1?Tf`uBIuAt9Mo_=L*xev8#SFcxo2os64Re-X z3?Hv#(Y2rfXrUE8%+RTG8S?Nkw;TMtLu>cOGfLK{9%}Yv`U-|=u-taE_UxU9q3(im z8y&&#(%tU(znNLzy+-I)45S2=_=l}5# zSQhjM#HwNePvvb9>a^)`Te7P;r-(7EPQ;0z6Ca8PfLUa5GZaK|(8gBslFT>6?F%ih zR#ymXI`tilRody6Q|{CHEq8nWKcSlcEF@3@A)F&XoMD7)8u5MZN(92D1nrv729Z(O z5JB-c#A_LB1hxBg{V0~}n?220V$k$mTF_*vfE=>?r06HQ{XX#YANkV66Q8s?Z6RdR zy{w0Can}5nt;q6Jt^i7*Sk%q!HT5o;RI(UZ_8xeUp$<6>)HH5+o4^*2zz)(k(6Thf zJf^{_5=94FbT>{Vi!WI~VBL7j!H^W=Ql^#OUu;Ohyo6Nca5Mey$qm7DS^)hoH#TH*9 zC1b3eX?AmoReC^s9Kg;-ADgLWx7Xul#KWwmSTuW?hQ@@C#^*Whl{-=4S7CV?j^XX2 z`S(G6xhqoxdS>eB@n zv>FAQLRf!`hXWg0XK*;xLyDf|R_ubok+5XO%7iVddTT2crA7Wx=$8&jnlBc8C6*@; zRp5v!jcv|yfCM3hJ&bwOx&UHH(Ld!jhOrul?9q)JNJT{ABDrI4L`fUtV<(fF73=&^ zQf4_JVH%PrJbw)ZwOjBFS49ebjAk(o66dE=A?>6iAPT`W*DrICT?%6@{ey*6=CffJCp=U;{GK9Dj0ru%7fclp}tA)R$DM!YH- z^Ri0|v<`YJ0ACmxAoBO@d!!Yua-;_1UuR9QCeiCW&C%4s)Mhe0i+gr)1ZRi55pef7 zdL{6n@%K9pg`>V31B6?tfiZNj!kHJ0+;s=-az(szml!kD@mb5)X~2M4owPwjM!F6{ zFJw=t2m|;v`vgE!q!*e~X)55;Hw@D6q_<^S&5AMHdlZIIbq!F--!T@_3Jph|l~2nf zrG?)>KIEFbJ6aOVDT6G##{9LRrY+Zxk?ti!vM(TKFLjEy_wtBbG;Q14D-v7J1bMo# 
zT(U+<-*cPAE=|v45gNAnDo=G1CZ_#bO1DU1I+up&H|3A@xevG6SlH2oK^gWamd$Rz zCf7)}=D1NSMQCPWC6uZN8`aeYkbKvq2j|gYkytkDGer?4TD4*nz?HQhp)7GotvVmy z6pq4+!l*t-<2mVw^=D1<>6bnQ{1ikKEOe|?WFJNBt2oITlzS#=Ssf_huQN5s&ffJK zCH7R;{|D_^(RJV2yr}fy59!Rr=d%BA6%X(pzoL#mUm<01@+aVWz2kT{^$euKv_&mx z<&uV^N|FKT=F8#Y?=8aE&xWc#R;v6M#LuA0A&&+zEkcSnIY}Ce*Qoe=!#$)_L{v?~ zd`#=$Zk@KF1Cs%9h)L=@67CHcpQCAsqhHr+l8jOil`)MF>PT54Ocg=Xd60~JwssCY zRsI!sJ|>&$cMvhLtyB}zeCzYLs{>o;A%530TWrHg36BPorLGzQ<;Sg+{~$ZKj*r;L5uxQrZf*#|%&!KJS# zPXMCEW)4@gP>2_DYiN0!X;s&CQHH_qJr4V-~#4XCWCP&(_*4-IbhhwjTkOn)~L#i_Pwio+8AQ5Y6EKsu5|Z zI}bH{fyB~X6n;yefWTBl&@s8F^ykXs$zrgd>%9zI*@k$vZxTqaBl0UHU5$c;(rbfU-2oLqZj8dWq(Dcf+>E5i8 zzNAo3aBfuP@xbE*R0gzmc`2S?$;x%AxXzo+oN6>cMg4DLDq;D^#$4(5A{G+rFp4;H zi7V%CL?( z1RRPQIprNfNqe5XpS_cJ{O?8g^}Qn9I&eJ%r`<|G?zrX}075*CGDw~U394t#JVZmUAtL}Hf6%3e$D#-MU30rOx4$b0!O#8?gqR&Fku8Gtp~LZ zD(sK%2_24RriY(0#ieiqbNRVvPU-(A8V~m+o&>#B!kPbhs{r^I_4z(#)X?#uwg7U| z4L0omyC0CERi_dNt5oSc>OAKp#r=!XrP^Te?%nW0bD;d-acH?IRC(kqvf2u+G6W=R`Y*zfyx&W z^!Z=?P~GgN!GoMG`{sFg$xGrmg^iq6Y1V+I6njsJ7Un9C0^ zKn(o>=9DwY{^8`4xsww6bG?KZMgAjF;f|i0E>ullf8s^zEKLQY;i{8rvi5&!{4}ay zvGnDH@zrya9cpxCr+hyhG42Ga#&WBoqC!%A&!~}H=;mHc+E)K(9togMluH7pPK3}a zbjp|k+}5&xBAv2czGuoQ*ry}A&847YeW}f@#q*XgwV>J_5}lX`VlgFN4^%|24poa_N_|j2}sdgIj^Mg zub!Y*k=@wxLo6M>!Wy@~Jqy{(=!Zt`Bs)2n{D;mUj)WaJ=MuSxd2EJz zgO`phas-pL1u@kA4%{p|_ix(~C;|GaY*}L>aj#s+KH68wDCY`i~IoG4v)4fzQHJUIl204$~<71b1OY_ZYBjj}~* z_%9F$0C1~c4%EM(TAN1X$_I@5oSMOCHvv^U)bV%`9Q6Xdv$U7R2h(u2Qo`2gCs1I- z?HKH~ddUydV1d27OCdsjZw&YoU!l&W>2#>+Q8+}-KR*70rm&^0-XYz!OC5q@mF9j! 
zRViJ7urJhC#QTWcwKfM(I2SKFehEgcgxAMmtn8?4HV1%X;)GwW%YQ7dhsx2Sr$tZZ zVpjcPts08Yo^K7)I2!xFfS|Wl2n}rOXka&VfX+;!KYZ)!K12L~gj@xDajT~nZ*mqE z%08gUB%e1AzZ_42l{J^IMJyIyx~g?v%_ zoy{TbimLn*izbXU$Owr&YRXs}l~v-N(q$Sx)m=P?SFKcX+2<456|!x=3zMP`@jT7a zi4-ZWTp&zBN&2Y9?~6%#Lx+>d46N(0ShnX8XXE|ImMzW0e;y$==L~)UV6`d+e4sg%7TsaX>v47Z0M0ZzgZ-0} zgu3HLjyD|26QMywmJ7Q{dVI-X>J$<*(BU5f7=DZd6u@9QiFYaQ9qPq~&>f)qBTj$7 z5$XB2r;6h86UMTQNpz z5lAU2(dU(j&?55P{Yf^5vd7mpuu_7r1``LEmCsNuY0prCc9u0F)g~gv0Y7R}**NJY zYB!jNdpT_Ahq!4GPR&^oIfHWTD;^^Csu3X8cGz|#oVfrHKwjJ~wlug-uzVt|WSW9iZ zhf$X-Grd9!Y@^Rcsc&C6@o92{JJJ<47`ukJ%t|xuDcZG0{#@ZFYwhy2X>CUz60ff> zW{1WAd^GLPqr1agto5hDI8&LmgE~rhQGwJU&{>90)r%La5ZlVL#X%3I5r>J03q@b` ze0f9obi2c~zFpIJ&si+QqnjI_3EU1lkK~DdG3y7?1ozEfZfTv;ztl1$W}3H5m>`hG zRKSE--{%~EzUFbBdgFbUGIj@G+RGR{WYK|*$U=&amWe5)6b)1M+3ORzYCEP#_eyXy zbHzSb;7+%zWj1Mf!Rpdbf9UyoJ(7seEcrHdi--}gRHv{c5B>CtK79BGQY7`Xb!D=n z)DP*Lgqs(lMtUI8BBj)P$lf}2iUgv?#)sr2EVLw0-1ElMR1*`^5qr9J`{s~W@SD9< z_n7puw@&Nh>izNw6gS@zq@1ungni+|1PE+S_U3#O&t?ARIPHd2ip45I@-&OsAesWz z6Kx5IQv~~>xq*KKB@n) z2KO_<0KF)D6CNUc)yyxfw#n~5TMTF*!7O3l?xU`r{+DW3)|3?!jHw&G9QLtrYkr*- zltvmoR?B~XtpQ<0yyvoe1K^QTt$B%B)7AHtrZTp@9-i^$zUUxDbIq9fjN-2Y0IS15 zcdV+tKmkTu=+NC+3carWj!$*ZMr4KXM#G;q^gPbP&bySV4;YYYCvOF>-uTA0flxf^ zUwpcBp+i6t+ZE`;!3T5qDLD~))6QkGQ_pp}DIOOu-$8Llpe{E*>`E;7^LLjA)10e3 z6Oc*2{IS%M&6|A4sYNiT66lgm>S0?1EayMyE38-+NpZesr9=*?FIQJ(IV9rP$!|L% zv}Gs%;9C!k6ydg<+Nf9ZX}bA^$m1@PpW9 zze-Ik5RG-$gc;A`sI3T<%d{SkyirvSOT#RY3i1co`IN`CxK5s{!9-ChXH1Cvve3~Uplz(|H3J`Qddc;hSE7~>1qnuC6lPf8 zgR>yiKbW1Lcr?-WgNM253=n*AGhoCzOk*?!zwCRDBR=rbVP(3?Eg=~j=P!FvYS_eZ zv8cI4cLhX5k?xT@w{!W^k^*L9*6an6SA-vS?VUWTD?d_15I1~pCS5pVL~3WS5T>+S zDaZLK)bR*!tS#O~CyjpL;FPzjtomf8gJ@B1tXI6jIqvmv=d6S;b#lah zwfI3Puv;5aU zzwIBKdx|NN{jm9+oYu&m8gf!wGQGRhm(uo*xTR^prSepuF{tPcD!$MPVOlgjekRdk z9pv}>GRtBa`IW3;e}_cK8QaDthIxW%^JQhd!XOL*m=JYtf2h`(cJCGPH7|1op(oL! zsJ1IzQAz(&{k@^Vf$u^heMr7pkVrBuAs2W)A18gGIBYzctxze%W0`WJ#wIR^bERS3MQ_vc1? 
zr?sR!MS>JJmN20^8xbH&F$a!>k6ylFF2q1|VXh&&%~k@%|M3fdlPUwBD3#+I2^t_R iq+Uikb-U*ZV3zzKM|4Z_83TYU=bgB|TXFu=^nU>D0Hq25 
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowEditEntityForm_V603.webp b/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/FormExample_WorkflowEditEntityForm_V603.webp deleted file mode 100644 index 0f22a6a7da4a4d45dbf7f5aafe216e3678b835b9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7642 zcmZ{nWl$VIzU>Ehhu{P!xVsDl5AJTk-6g=l0KwheHMqM>AUMHYf;++8=I-v@dhhLh zb^B9)IDM+l|985oTU}m8W|kZP(2@SEs;w$OIrNWxeFY#FhDiy22Oy^QDM5y&sIZXw zO0U2L6~)?V+pAivFUBlC=Oq2w5*E7ZDZfBr;6HlIKMi~hRK>c3E`WTV0dG-vFfTAC z8}C*3#p}-Z`KnkaeOscIz^xagKu@Uq8OE#1YdAFCw(k|%(uZua2R(VedQl66-UFb} z6PN{+Y3OlZeC}1?*Vn|isk`|8woK8|y)Il}94O=!>E3w_YeFTc4+6@3X1_ptu2W?n zfyP6F-{)Qm-!8)Xw4uW9-1CHsCI!&g_otV(_xP!$Cl!f4?)SF$i*>lihnxI6;5yK= z7YiD+9exkJ&4ZYX0&4<)zF)mN-&Y-LJl4Gecc5&b(g6E+hIi2JF9Hz%`Bp`L3+0b7hV%!1IqFVZPD1$|2R?7MR~GI=h*&T@1a{`i@IJP@Mf3y8ZYW@);k19uw(`%oBqqO#F~Q|%z9mExg@?YR6lBxQU55imXX)ym zT6g1~F@F1+d%5eHX`?C^o{Nn5df|N;@dAs7C+_9wS4_hHY4(3+Cz|3CJ_{f*%7ZT_ z!-+u8gDBM#BZBAJ#pKAoUpv1I(qQgS@VninJ9ILSyJP&1+!+++6`oi!G)m0Zd6a6DoLCG8IAGmTD}x zfG1&JLX||$t$@CHO))&VhmXEAiQ5TI{(nmQ^S@f6YSr$ZxQOR_ir_&>7KIWd&hcI1LI4wh_pigZg1m%@|h-R4$=!F z^}cAK@<(H#j5GM+n(};Il*-F@kz*t5)JT|`gx9AfsaWTT8|r*l;;RnkoH*HJ{{K4i z-|ljc`hwV`N=YsVoeWaCIh<*buN4Fnus7r={2hXQqlJi^^MjSpg zH0Nz_ANRbSIf?(#PTog?p#T&D;eH<-uO?^tb1K*;MJ(wx2%K*1QYKj6>|qg!8HJ}# zw0At)dD6_~qno6=_G@3}mvymh9SZCnt7Im+j8$P`SF^4I7P$%<2uvZEcG4xn?=y@L ze>g-3i8STSW|>%of9=EFTApal*!R9F3rm84*6IkTFYfOkTX$4kEBSW;YAVW6fwXwO zm3#NEF5EJ$NGE86n_Y{!Trj;GqtOF}N|N_eCH5cy46H9BW%Mx(%<-g4Q%9OxO6ent zACP3iuVWF@JtUgdtN%y_Ce5eNRHUF|Qa@=Qj_xHf4Z?}SU)`n^kLSoDrOq_(32Xjv zRNtPztfPmzG1qploWJZ&cOIhBF@>o8c@wjXuD)zTqg;#Km+EWWGdwE7h;GDvyzLC! 
zXJ;2f2J%AepyF&J(2bXM3K$kmPo(=49+oF1Gn)v_SC<7ltFqj))vemgbe%(_$eRfJ z-6~k0mmx}D=IZBuc2km(XiguxyaO?cpMbd?<YJ<14Z3J-qXm-zRf7Ptnk z^mB7;Z^XAK>ME8mT#T;rySYVc=V$c%zK)NY9;&I37S|ks)(8iqn4noV&b*`woS)+& z>3;(GHjPHJ3@2rrG7m(GcEqkgl*4qSe_FDon?7MWpg_LQ3NsVc#3eZTVcz!>&s7J0 ziT2I5z~0u)mHTh`K97zAo&oPrj7)zoUcZ zs$irP{GB~%(|(F0r8=YtDJ;Y{w7xj%w);rE#fhafg^^;^zoT>ac^kH)T@+1;1QM>) z?;5`pot=#9y4x+-*&^BQd3URq?bh)baeblvEBWw}*AVyATcw8HZI-m0jtkx1J<(1I zqx`O5LJ&}Ik?J{0gmD8Kk6Ziv>-dLk!bH=oH{b14e@X0hfv_>$p!{;(oCHZqk8MBx zDS?our)yIsxv&r@SdVaEPh?-5XK;y-tO{%6`DvJyXng$G2Z-?5csgq`zz%|3b)Ha( z%A!cLW9m@r(bEV8Tl{*&QW%vQk(WY7R~A+5wsV2Ue*a^=eX3tHEBa%1&-Cv`>#YcR zJSVAo+H{`PsbFP{ZNXZk4S}lP+}z#*dxm;uV~gffw_T&Cb=2k;TD3hydKcNsh~-U( zX4Zk7vndXI01V|B?i0`qeiszx*B>w-H<-*pN5T%`LRHL*liNO#3Q>+8l~rn;t(H5y z`gx*h#tih|FV&|LXvatdjN8zXx*%8N5$s8>kg-r0B$bx~jWhm!cADM(*wjH(3_BwH zA+27Ud^D@s?&1%Tc4bghpy{8DqT&(0VgndrXPp)*BvoZubrVb*c!lQO57+xD@&VdL z?^6-Wz_?go)6mx^CgM>Ss$eL(Jz9Zw5G0JXrQ0Z?-w4Je>Kp zdI$zTO?bHDDPJ~3LovxN9_Z?y|$Ldjp=o;1<;kmYMfT%fM3`>P;O&>;)KL?s`adzh6#CH2O zuaeo*Z#h5t!J!vSpF${E=cz_(2U-&|Yqv+P3EWv5Fe`gwvp)DElQ9$vSp}&d+O#u zS%VZ7Lfe9O3ALEq{w!S6_>TLy8IlO` zoccSMg^$w$&3M>iI3ksgP?|_B3j`_&izLkU-5&dgy2!i!Zdm(FHAj2!gDL{MMFe%H zbS)VGHEI(acFN2k(Y2oqb<8D5Z8Aa+n*StLkG4M!4d+2E>ySa5P|+qldro4rqb8De z;dNz+3e(a9`!PPy03Rgeh4s#fMk!q&nfiW5g164s(YQs@F^w%D=*Ic#%COZJG&jcr zPN`e0A!4jT&QM130xL#b|70@UDst)REgq|lDU7g~UCyLSWk>3-nMHB#!*7UgLu@#L>$LxeL~_JtgkRvY*}`A`9&_>?=eG`D}Y*P^9ZPq~qD? 
z84f)KR+t(NpBp!0^s-xCLrK=R-#pJQ-;*j|`Azi-deu0nM>7Bz9wI7gNttKHqHm{h zU(>(Gx-*LId4DoGXizFg(rFBop7a!{DzejeMxGbbXK&bPV6$qUEV7U{LmX|v$@)vV|ksvjK3?}dKH!M-#0%C99}H0-7u*xdjJrG(RPxRoO=sB zxmO9kr>2bceV4(IMI^e;b19Uln4hT;^YN=AAC6I;#}i)4-1FZFc7}iJ3$bnWVXi$s`yM@KT^?DH}kw0AcWz+!Dd={ z@cJ>8BnKkE03K%#fVrUOAl&c0`iE)*%un^^!@L|@+Cy|trUp8_&8Ne9d_laA{u22z z6pUwMyL@yE4^?iMGM2J8%zSuv8gqxrY}<0MwK^1lKyHU$PO!-#tIb!%7V6?ls(x^I zpFe2Q6ewgDqZK`V@I^0#(suaa-8iAd5Otk_;m5;~=Ji#;_s5uT-DtyJ)`s@vVhi<` zXDAugZeim@=%=hX(kc8*Z2O<|tHM}1@q{jsj}~kxK9XaZ_oa?~edS%*`FYt+#LMD{ zXkI;duEvgO-W$vs(Jab|*&<2Eb!=7;xyaRC|73teP38B4GB^NRCudX1JH2@)Ncb0H zzr?O}p?{{{>!4T*coqXUZzMb8hC z6oAMC?ybaL1ul@Dv&yk~6ZJ*(MtytsH_R$6&AwS+v_{UBku45+(!r)v1TP5PGulk8 zqqJbvCGsmpHDm9FLIdR~f~1|6$ykBA3w0>&rzeh_?JGMNr!yt3$TQR##p$C*>1L%W z^KY|0xzw{>sXDM4DAcH5Whw(f*rycgtDjCk0RZAbHN=wWFa!7h3C;M;u@F`l%ka-c_0q{fP>Q4u3RPX< zJFM_!(&jHbyPsQlsW7M}004lhr(=I7LLu*WSUJkmY0&R5G9u?!0D!#A(b6V>e(Eu= z2m*lZE&hG4`+$*8?E*;}BNN5w(pWHqNO8L;N8I&&+>2IgEX?Te0OGwkf$eTQp6_x_ zO?MR+I!p4;IhxIPc*$G|{|Z?*%$0pFJn3cj^1*Hs%S6N{&!K|^LL_JUD%ZOo(M23~ z2%?(b^XK0jHkTN6ya4P>ZFd$$(gm_AGdaeGGkd94tNxM(e7|QQUuOD0SN~Y-J?}0` z=wVh_-rhwzM1?1{wCbPT1V z#h{d8+q0`Q$|!`E5;YUhJM#7V@kY@&3?TnoDUSTcAhYSAA=(~wp#)~5H75-yG|N;m zQW1@tk38}|9f62 z(uQyBk>vgg=r!s=SX+5olla?am|p5&~d%3CAI? zN8Vya_6a;a^onoZ7pO-_a)|wlL4!NHwdR{QL6Qz9_v>Lz?tzLZn|6(q?pjuuE(L>O z;&XJ^F9s2Aj^=PgZ7~fiCp>Kkn-w|Sp&S$$`uZaA51dDrRQJM>8fwz^N+THa@{( z82NkrvJaiqvUNj+A^{Al2McfM%%S+#7OPedvZ@`ev=O=U z9&}@{$;v0K)8HyYx06&GmU7^SfKEOj@rTl*rWd$?*sBxo9>S2J%_K>sRtLZ7idltQ zL9IMIFV4LmjGIi3dkbtGM-$5bD{Se9wt<9~vD zNp(Xp9f(gsp?y$m2UY83wDke6z? 
zzNn37SW>TfI=*LpirTK%TMU!kA1o_`JqLNGnLN=zTWMO1;sw-Ug`tuCB6;wuqq!=Y z4y#a!vvIi6ZGR${N>}@?x7o>r{WQEYO@f<9U35`@gw0w*?04}5+fZjA$%=fSvb6BCUHEbxdu zq~@gIJ(Gl)T)l7jJcofsBX2W=4EMbqn4A+W66HBoV|jvOpZZmJjKYRrMknA0ve}$lh&5*eDH$@9n27q9sSl@0c^_@fU1g6g= z#qlP?6NZT3PvhQWiq{F|7@RSy)#@7UI&F z$v2|8Xc>SOdd#TWpSEG}?|+j%S@f2bx4xOaN=r?6X#7<{SEFs}oYk`Vf*G=p7`Ep8 z*5qGQJNYOrIF94sW9aAt@g1XCc8=mcXl8W#IkxUDxM|1h(>9dl!#y;+?f5B@ThVuf zaDcV*PqltUh7;9b^j&wkekJ{MZEM5!n;Wye+@qvsGrYeq>r=+|mT6*s5vW5$`cZ!8 zgS^rKlaTG&_}s*k`WdSgscv7d*o&x(D=~brGo!U%A>m&K){Ee)sB;}=(YIaf8(H=Q zNjhve9Jag!%cfhZ&M83JgBU*i4rt(S3@av(D zX#0X<{N0Um;L=4MIWXAfTh1h2%=J>xDy4g3XrbHST)r1REAfYEbDC~dy4yPF71~W` z#&RMNBk*Hol+&+{9X*mS>3jMK{`JJ1%bRK`Qm4JS->_>zBK&V&<`m3rP^yrL488zAlN zbATf-m^i^@dYrO1N?U+**(o;1-VR1p;(n?uNrsJ`I!lE6%-b<1N#%<_u&74xDAKtG z>$BoAXplFlEGyIhV{ATI1lxmDW}EFvjKtMe(Z3kqR7ifexSaxZu5{2bBAsyli2}#D zVI;qj4=Kck^k;-Phc=aj=Cz;>yZ;{B?LYpb^Th)0a`de+#GJS@F3j4LIVfn`1#Eh7 zWlwzN-*d>g$y`J5_;ttn*qc_r6Am}u+VzphlB);A&|8Zh{P6M4%4LzycL2b#b4UbQ z))c@$9(B1!bl2eCc7Bmjw42W`HDAO2dqq0RU#K&XmMlq-Mg-@WX+pWFYS5zabHqq~ z6w&tM7_!U zO?!FC;qqBbCL>G?lW>G2h(oJQ&kMl0#Y5|m*oN3tl8>*V%h;!T@3ki`)r`P$HK0Lz zE4l3~a_HbT6AO2hTM(8r-u-|~6;FABSh&C3WNyif9F39Kpq(q1LO z+^gln$FN@wVn5j#?*378PQ2e5oij}ZDaR>6B@eyH6&Ylfj~~#NKfUhqry7nTSo`dC zrDdpv`vp*PKg4EwSSp;N@fnn7tvJM9b`@*-kdONO!k%m!u$_(hY*Ngmg%Qbh9t|eJUXS|M#DB z?zz`zKaYs8_j=cwYtAvp7;DLk2@4D3g8-=rJ&{$GWhdac{`zY)OfoPfJtPV&j~scp zaApQ!I-zY|xHUACvE_xN?j_A-)g_(9PG;n;$(YL?n1Sh(F1DwCh=NYNAy#fOTdcTv}2cp+eYdsZz~|{a`6lqpaQTz53|vkzvOdk z1$;ORS;g-~II=pLEl*hi%r~wB!T>@5z}4)a+uG~`U=I)lFaQ7m=;P=IMLU2q0PmFv zVAgH(0&s?Ybqs(2$ee}E0@B=8@Mi%hZgBv;>z^eXUb(cIwmR1#bDM1Za4>U?Lv;f)*NIopZbR^uY?3c&4h_dNN$|19h) z?~2=;OTEfJy+wl@oyXbVqXb0MG#_I+8e~`)(uF#d~*(bWqTQW<#*EffiBH$ z@5JOP5rALJcDQo{xZ+vniEXR_3|_sxblVzhq#NQLcDw$7tNvsBO_eiV7{ zf$N6`91m{U9$!yu4cR6gzyroiETd=?wDlK zBFfdr}--Rog&bD((;Obr2wz=A@*?FaRY-a~)ii_=9cct>i2R^N~qs zN6^of9Xr_M*EP+gKuJYO(uU7hG*H(@r!ho1MYfYYly35sF*l`4h|za6?fj^dW){+K zljG=v;x{B|X@lq~*#%y?j-LyEu3#Zcg?%D;`Q@Th?G3sZC9%*>3PpW)^dZIs4K)h> 
zF;pdHC%$>_!H^H^Od3S~hfD@Vf4889PYn^4z&fLNoKx&g%1`sNz=ZnBihgU432vZ{b!#T z!=j}$X2Xs1BP>7XJdD-qUILvWflN!W(EBR1Gi3$keKjgQR^l0KnI)J|x{ZR7;}AnQ z^?19IJ@;GyO(~ZKwTB$a`OW;Zq`afa+Rov}z`;F0SK6l3XQm(1Kb3z7w;V-FU`z*n z>-g!_&W!E2X)%mVF+O`TQirRq-5JmHQs={$&p`u7X|V-+&}=HE`Oy zkl75dfdJFqfdi2cQSTK~F)fX()vgYy=H*zbZTUbOKMpJYRsrHcuREeI90|{!sxHx7 z+g=)V(lmT^3f_!@+Vc(#(`d?3LUwyY4fvdXkFVZ4sq$sdqjlXQN)Xyvl6{jNtl)+d z5AOLiGvE@$ToEhaIDKyaK-*3lT1BT6<$t7wTzp&$) zXdTwJ5;p3GpKk>T*#(v~!OYE--3);&-6@2=Al)wGF<@T*fDZK@jbN~q##BK0-9{gW4d;8vBk!5Gj1KAIN-^t^DeDe&2T9oTXCY-t{b%uL zg(a-Y;6omwy6wgF-Dyn10GMnC!5^vO*4X~ApMC@!aDS_*(I~NA@?K!y_CL!+|H<3` zmd0-VG8Ay{%oEkpuf4Rht?Qw*OXiRMn=e}^p4@RBt8%jR{oK-BvZ7*PCeBN7x!Kd^|A#}GeXHG%MDn%E&K9Q zBIk3!^ba zR*KDVjYjN}viWfHzwR%CQJ*AK{FmoxI9O-8LTp*WM6+G%^GCK9U%jbo(K>rm@QmrO zX3u&d-SIs3EGVSisLdrWr2J&bPk3ztiMm-CRC4G^?v>7A{F_!um3ZFnfE@$sIjXA$EXQZO=@F@m7Mn75GOJn>Tz2V zQblxZ_GHRCSfq=lPT7R0aSGJ*G)z#_l-2FbEya}jZ|ptJa-=6i3bc~K9%Z_KCsB`Y&;x2+1wiYJzK;4{*n*G%%sj+K^ zV7Cc)x1Z&@_FE8F?&cIVCR@cm@|mLS1oW6U#f*jTmt+shfZN;Y#mMpTB_i6YhP`NF z7UdKWZ-LqDArhU{cZj46VcLJjw|>jJCP>&iPq{Gm>`;r9cinY@-gT^jzZ3Hr`zW;k zB%rtQi6Afhka?&O0IeV(#bKXw*y3c?q*C4m#znhd{419W8mcJ!-RSg`P(2P#G>o-NsFw{I; z37$MY-c0fPe^Y^O6~3qGP#eK|^ZDzdct?ox&Q3B!V_$&O_p@mu%=R-Eg-**0g1=(G z6gJB0w5&>uKaj=d5(ffRua2=LFk`TMx*Z8bPs9^kQ+Kl`F_P>dL$DrcmT});kfsf3 zX0L~Mbv0ogy$#7AvPhoyK!vcC#ZDAq(hJ>cxOkeFKl9nL3s$WoKa$e!qVidYcBxQ< z)N*xdmySHkWDRfkxZN}G>%`*IbN*Dfjhzo6O1aouFe$qt7J6M3`2$D#nKj7^A@Qd} zrNBWT^l)~GMsEiUhG5w@rxId;D!t}d#JOHL38E_pJgSv(e7fb92NiUbL@UXfSA0bM zLdOcddC|oNe~Us#lt9@pqzO4^nfg*`L_O4((IQg@9^dLCn)-NdlvY+;_-L zqmR*ym(FEew}hnK95-mN^a5$OT~9Yv4R{RuAcKd}zh#orK3cIL&)`=xGt{=$Co`>h za)PtUf-3BhM9PbhR1b^uK(-!kxiftA**l641E&UX&ZYP#M$LM_l|1nsIgP4s&=8l$ zj5YYoZR+cvKMs|vhiqDPm_R(L!jf1$L%$F_E)uN;wscWV5Hsq`H8Mxn6gDMud)XV4 z>jAEd4ex-V{U!xT0^@bySCxq5WZa~0&t)Ih^qG4?ZfBZ)CtL6D* zG;^=9w5&c`&y-bfk5I0#7;bL}Wz98X9V*dEI$oYl5(W-4!9F1f3+JbgeIAX1TOhyc z`?PAxxsQWQwU|Snce%NvTJsd7?0tKpJQK2H#A1i5nEZZJy&_@-L2rX+Eo*n=e!cdm 
zFJ%h##?=_cfm0L@S@94|AAVYCtU=4jK`EGCX>4LDW+BV5dy7g*bnCglw==;6(ddVK zl4DH_6h(s;5C&xmXdq;G?ymaF;6m);E8q%3+WC1W)SGKDb)j=Knu?AeTY??zM-jqD z5*>;bh3#gFBn>B8&DTrk$>n3jr4v2a;;__Sg~xBs!jjs;xGfKu?t4v-$}JZESde0# z2^#$X@Z_jtu)n4<)^mJ!40lKM)*^V7+Qf-4BS{QNWZI+eMBsW!;yJAyiOfyo?C9o~p8)Bq!pnO2qbSqYlRwb+Sh-KvH zZN}q!F*o2O83~XKcthe4MHu9!1r7(@EQi3XX`0#ZhyjC$JkUO^Fpc>yKyVsI!%nZ)& z4_&O$zSmjwM#Y^GeUN~hruq48?|gyIFpF%XsyRdH%PXpJ3P3_J!?-sOxP%93AWhy|;YO0N*~IQk4^Gea-7gY+x(fumGcj^T2< zemldFfL2hQ$?Tj5Ha^#!V+Qrlw9{__sV3j?8>3V(^{ON^d!WaPWE%sI+mjJKlkBn; zwLIqn!!V!=*9*E|l<9H%P6juy61?j}lJy^C%tyaZm>+@GS?7CrVP18E74BAdTt04P z#831xG+`I&gbj1)Zf9H@WKKPB|~{^Q-| zoyreo!k%j|jCw~dem<;i(@?vYKg!Gt&1cls?9C4Itb92gK`FCHVA?YTi;AcBP^IMr z3wYuY!qJnJ#hEvxtT`#-hjpjGc<@#DYhv*)%p46fnc_Jl zm#|w@p7%-)PB{_yEV!(Zkgv4Y=rnDvZ|qAqp3G|E&hy@+%l9o&o>x|58z+Inl43iA z?}yVr`!?s&NNn2uA~2tapfgdm(|x2Zv-Sb!yTxcizY`+8hwuY6m`aU7qe)g6b~1~% zm=U*aTgYA+D8_qO+CW_(uWBK5;np+}*xOGOo0z&5lsmNgMw#mcSKR&Q(#5 z%yKIQnh)#*OB6Y!Y2$BS4rA%<@9A@vqo5$)tZvZxKgrndbM~vqPpq$2id{6l>?-*6 zJwI)Lai(wGmsAE&GuhP%4EQ(GXl}kc&d@sP6X`dLokE|N0kb z(@Hpbn{;a#87H|7lyreX3*Wz>sm*_^Fs?H!^dApNUQqgA@NdA|hx2C+CWD$3qowzO z0gSw74!=TL-hkpNe_N2i(-#qQDBWKUb0TMmTY6Uoke;$G9_oo-jTq<@No}vCuKXOT~he?`!)at7Vem zh6JZl8)Zt;b~S-v1XoQ$BvA(==5YRE=G|f74*il@Cl78!G*qLK?JMr z?N5Q!9wbm6iX-{NUkhtoLE6xfHg=w?Cq3MfTL<_wL5GvKb_`X6efx!#O&Nk&=p0KqQ0@wI+3TshEP@Dw?}%TV6=@5 zeDLw*=ek>pn!y5%a0)wa21fHo?)AXvoF)nv##KOP4e6co^g2n+>@~29j?JmcyEllM z)I671u_i2VP3=dj?RiLF(mV+t*OnW?mJ#vl-Dm)>S-6V0lY(%xnJP{9 z^x+7BI`tk^;x|0oqJ~H?UIJJ4wx;ee({!u1`>bwAHORhoOZ7UU4&7ciEe@)5F5z;R zuQE8g{#ihzxxytM5XVq%X(+rhWhot&BKvEWg+o8f-}mQTEB*?W79>k>C|J<@FBo0y z2oVBpaK$-rTMxXiZeVc#iui3eey+k0l!YCC56t{G+3x3d)3!YAH(>n*8U9Tk`W@IA z=Afysw&ey<-eNYd-!K+)uzf1T`{%2dX4srz`uAA<{+8DqDSmzLPwf2bVSKP%|(|6FE`tF{MB8Z*I|Kj zMSqN#%(z^~OPF%dFyn%V{cRjyzl1VWfrW-=>NZsGBb{gOqxy%7yd^Te!I~(GcDF}a zlc`e^70oh!Lh3jwBKga90V_~lNoYb?zktu}NMG7~QSJTYm=7T5q4gQ)MXENO?kH&N zlYPkr|HerM5wq#K`13{*+`3NNx5)67haud~%&ff52eS|Hs5O*sOSG$rOlN)}D<+a} 
zAr`u&N2+O|z0py3yoly;3%FC3n~U?&U&C?)D>^>=-XJ41DP7fk>4|8(Y$(AzT>!gK z3dX2hke9w4p+AKyme(UjMLvm;XzF*m>$P$h5p%8aSn>H8;3JF~q?Q~t6E@zxmUVOX z00utW@x$}XmfAVHQmB-pU*!4CT>olLy#L-5dP{EB47$I8xGt7hv>$n^+Wza|3hctt zLQed9-J-w9Bf}H0{DYkGJKO$KnL#FLR4}psL4#Y98h6L1(z6K>{zf002!W?io8=+B z7$c0hkGAj!*+T;j{p-m}_Fi&K39-O-#B}1NYl*$X$)gG-4`KcSonp~vDd_obKjmj% z_@gssZIng~_hMQLi%==zOC`;p7l}5?$cTG^l?f|VWh3^$&=oOkO5vQ!5(m$T6&FZ2 zmPOQEMnKe9s2UetHilO4sC-RQjc=lt5Sa#KMXyIgHrkqnUC@0(BaDmEow9HCL?A)o z6x_PcWlDP%zBS@3{Ma5M8qaWj;qZV-5|7l%?W&I~4q48`PlM|t4UeHtzA*vL&uRIw z4K(19{^qd!){bn)JGDo6a?M`>6zO5fDj^Q>G3oCnfF2BI*{;W-O1V8<$#R2f2F_WZ)JE=6+U|q~GdV2b z6Q3U#0Y!k2K+NZdiu7wEa2Sc|KcAfkAWe~MF5U(i2yGtGD%<2w!WLwE3EO%Jjw}~$ zr4w5xaxXHzd$t#-7e1v%MA4gvjVQA;?4V8lki%^}b|zlogv}~1$1QcOqxK=y8F|wL zFJNWy9r&h+(^J!@_q@9%v2}zX{J3nGx6Cf~NCj_F7SJCUx9am;q3yI)r&X|*aGM7- zdy=|`frh?P*iR>p3Fa-c2DTo)h~gzPDKoBnp_c>M21b4C^mZHSVvs+cMCB+9BJ!hj zg!R%bNlGtcbMf5yp57B}Nr|#L)3gc2L>*!bCr$)9+2}q6)F#lZwMHiUVydi|jXk8Q zFe6HI(MP)UenB(>Y1YIeJRBbuBfic+-=}UbYALPqE-)zNDQfNW+nxuc$6BGR^D0bp zIUsOxzE?-bYBeeT7#jl%-1&os>6fX;Arp#~HM_`zpvqT$urLSLr=L(rFs0a5u0;+J zJ!`GsjDsNbP;4-67G2xrDv z)p94Aeq_!}lX8=_MbX{UzobMI&8p%_)ulY?i)Ez=fCBk|AP?u>Qaj(7dfY6j%JSqH z`rw`%ug(}MVc;H~fWp>WyoghVi@r*DLk{uiQwSs$6zM*<|kz41^*vtD2%J0J|+ zSs;V9SZHm~!t9v{oqs3U(r!&_Ln2=PJi_i*!|tT@kn=Sgd&*z zhR*JBAKa@OgCC4RriI*OO8#=nweG!1a)5CAO@{ti82@@2M{TAqQ=7Mu-ER~*du>+pP<2EW12*`$Br_8}g?~jfK5*jO0}A zoGs$B-UH^;_S!ICO-qz@F5^g|S4UkjWa(Da4QO|y>~wED3r?rJ9%lg{jIgfN9nc6P z;xzcWNu;3qVlN31Zp0zF9zl8M2?a7+M~oz9U6+&gIqh5UA-CX`c>GsKJGc3?$&-yz zMY6h4;U$bz6)zDsjBjeFtK5xP{f<>TK4*Wfb}{sHB8}I3rCAxyXNUXME*GVk;-(7^ zoyC3e<_7uB7INVRk0XI9eYxf9__pY+wEKD0Uq`O3BVKWfH#{M?D^-fGFZdzaZ=zCA z;)Eb32gE;j1m1B5e6Q<$zYUg`S}$IC9V+b$eJCo&hdYCcIoXy?D8l^iCvpAI_h^%CR9?28$_JpcO5vCQ z=SUTvBc;iFv%KB#cy0vppHJE^c?O!#Kj}~tSa>sIS3tWLl=Uggu(LREuK88*uop(B z4R?qDbU;=lR5Yat-+V`Lrv7VPc*i?)s6IgO$=2X~0|BvToH{Z#zHcy%pJdcmGqDJC zo)!r52_ZF4;~L^$=oC3j-n6eXS4#8VNBN%9Vpdi;}?o4kfMtu_gS{8uScv7bN?a 
zZ)i)pdatX7lYCo62?mTxlt?0}7Uk~j{_w++UT-cD@&$U!2>LsK1qJtz05?ik=_}k1mRV}~>8yV+4}P2P z1p;g=`C5d-9EW77Qg2mlyCGkV-4oB)TyeTX93uaMM-WW3GZ`N@1EFsNq<-lQr1B_| z>Pu=-nE+EpFe7s97iC>sDdc4YS#ywcf9=_=Co+NA$KkCIpWeR2s#wgOes0+eY&;|f zcYmeQ|8gYvK-y!=*y(O*c&Qx*d}J^0YE`xv33;O|uJn}jXIa!Av}^&Cv{igjxqdVi zH=^Pi)|(ka#pNvj0N}sJ#~nlSo%H1owoYe+Xn2PP`q>!Y&E7wnuNwscKWE~<&!>DD zaxa}!{w$UF@PEvfDJU{5QPO#Iau2EdyUYE4OhK1jEd*xuyD9v)IsC(Xjc9kep{VXY z`=`{@Jwt_)rmh$ako&!E{pzi5(~ozS`x|{w$v)}JX(u2Nv*EXUF}!W&1JzAc_@&8F z#^#B9Vy$kgclR`vWN|4pe)SF5_fG@qnjp8iEIkYwJQ2c1uY909U)9L5i&79F*6raz zykYl3ilq|zymtTGjh(#f&}KV4xX;5KDfsEmC^@+mgq3@H4$38!lkx^`%V&A-Kh&!G zgTI}@zXv~j!aVYRmlpOsK;GsmD*`9TU<0br za6jz1@58ulJYJwP+!M>tMyIdJqzAT@wTy6SBJz|kcg_T1ZaHyZ6r8jAk1X@KcKr6QN+_Lxm$t%gm2i)uXcZObnPvXZXGbrrDWcKnDS%bgTr?l=V!4IE2 z)Wf0TUH=z$XO3y$0ib&{t7~Bf|MPtv!LR4PTV-y6sy~AXne>7azdw=-f4i+8DXSry zIQ_m`za^`I1?y&i5c6JaB85X=rYL(Tp|Jc9`m2zLd_YPNteDeDf zTsyJlVzOqz$-WLpOs`uTf*V~{p-kWyIh|B#%f%1*l1?;;wy)}xkVN;L90r%l!N07w zqO?NGuu^gzNz2=?O9yw5h=R=Il2K4~!cP)Bx>y&V@PvO@S4U1saf6)4B-cf)D4wI& z5JDz6I`CC7t5qW6Fp1U+z#yD`uu$7*4Z;Sk^{Kfmm+LlX_pvJd&K9{&%?96?Z%+oY z54vZ0XVYIn!q+S!;0leS#vK*|p$0KyBZwDIINT1v^U^Mlc0AtPK zUYqD&X8jIb|6W!$)Qpop+?&+T-}~yDtPpuS+;0GY-}B_n75@g7{sd7Fx(`m${)G&8 z+wc8Xqx~qE5eqNNFMEA&PyhAbiAZQO1J<7-tHCg-0N8%`==5$y?0o+Qqx?a7wjtuv z;ROQjk=?@4HXcB=TFN$t5dgbxktKtDH$B95{3@-_9HvEr8_DQSkNMJli$+FNdZeaq z?if4POZ%MWhXA!B73zdB%ciHS@da`3!>)*97r!XbqfX)Bwa=QbEz{sWmv?+8e6r~p!(M{$zEVjKCOz;zeNy>Yg@Q~RzdQT0> zLGj|D!rc^+Ex}`wPTV;04j4nPd_fU% zs>G`sML)#%;zyJEJ?)HLbCp|Zm!@sL6A7Q-^s7@p+)Ck&_E2U8qGT<_4D{i>Eh?zL z;K>k$hUqUg~$*b$0z{Iz@eP@?_vKy-gg)Et|<1W z)=TfqCFzLC>PBJs(HuQhsxB3r{96;cbv%Jh)G5_rla~ZhYZ&uxH2&SNe3KEE80c8M zSFg!Mq(c+FcjtuOA=z&y`#Fej4plP1i`ru1fxdakTQO|syvPN)Q_SM0aGAQ1RC9I% zgdTfRU&gZn)Hztcb)GJ*X8u?vIB2hh-lXBskF?o}JzH(l9CefUcm+j$n^*tUrpR40 z>_nldK1S}+3Gu{1J7AbHu{$1plVtu624?&+bs>Xr;u2WT%{mPCm`K@MP*5LVtt8jx zn}e(yDr!BjZ`(gTa87N96h6oSBBf?M(XNAfwV~|tIRS4Vc@3XDOx!Pd=kXyKe9=<@ 
zJ?<5l0$bGDq5!|`w6B*vqocJRm-^4b%ix?vfMF-&S)h)i@jIv#HjdGm-{_JVN*`~N(RS;)l61QH}}k*PHjg6|M!))jBW5U3sp=P3ck9}xM7b`L@Kz<&wEeoxNdReOsY)$hlcVM7e82hiBO zt?#B~jOE9bHRD2kkGy`%j(=~YcN7piw)fGlBz!-gg4W(%^HIkjmu2TshoO}SS|PG6 zB7IM&`-(RYGXx%m>-SH>=gMV7owS)}5+OTQfx|!l{%=o{z$Ndqz-|77S2+O{u`+Eh| zA35NUQ~G_W=`VRcI$?|<*Gq`Fi_uZ|D92t<=SkpBWL#3@0NRAR|LOYPTFdX9F~$oo zod{#$$rvr*M;+Ubqvpwo&J#EeauTK&DvzGTdXm=r+=K1P!^oHzhzV=@~&W~vD4Jr%U3X-{Wl2m++^=!3;v=6+QVQ(d> zM6UU5tf6qW$Ws?kOt9+pt-S}(FnTGi`8+0uO($;X1}y5_P`6z;{|s3CrK`1q&XDnA z-$SeYaru5xRbwb#$2I?T;%_s%R6V%j>km5k#!e+XPMy}ayeHP({qJER$?g6inC(v* zT465V<7B#hs#mY-CG79!neU>xA^yRmCi(PovN;I#2IKQDMRojW@W45Xi0-@8IcJIb zRyZRtDfM`KN?oO5_K%n6$*rs;1QK(SZymB_6tQ4eDu_kZG&j!s@@V+=LB8t|)`exF zblkHoTK!XBK7^)){Az6%Psby-l2fY;}3?=>6)b;kAQ$I zn9+c!?Z66sr_!l}UPQ`{DMp!()Y6OR?b>3|ck+NGzO3>G+K-s?FkaFUq-9kV>eTd+ z1&mB~YJGskzS+j5JeZ>-z9fPa@^v4x51N$YZX=}A?2=27Io(i?gXJ=^DYpD_OMi7( zO>?+e+x{YkrOfAtwhiLtSx>r zmKNqe*{N0&28<>i0o`@YerKx-hFLOuc*SnTTFIY~+aws2n3y+ge9F0_6FX%39C_b= zlX&$FXa|99RoS_?@Dl|6%%aFw(`y2{u@{dwa^AsqWUibW@*ZkSBBZ7m&35n+v<^b@ zd-d(`>0}9G;}vJkoD~SGoTWUMR1Udi{=AV z2TnzZXWu%q=Q7hj!NQMX!eIdf0c<3C&Z*XKXR4s2Smv+swffsr01AMOb5B3=; zL}DFm2kF}bc)c-U96_PXC59Ve495mII7%~RH4rG)N+@e*Y?=&G1BsfdOAe5hJ=Vju z%9i1<m0}xG7sPKVtNUd^{#NxX!^IfE6ejCo&QianCB9~smBIZorvwp$&o%?^X;wn zWPg7_<04LY4fkIA)<3(zf_IgIk-#A0Tvs4tw?^*J4w2+PKhg1XnPxM zUuNGfE!f1`jvzAC-Ft+WvoRKx}qLRPkl1+_uk zL*O;S#+!t|v zG`lFi0Nt>O4icE3IN02@IXznT!y)v`fjvHmO!S>2qD~P>_DK68S}=XmciTqt8~r?u z%0|W%cywPBDU5mJf=3Y_nFj0z#^tuCi&h*aky4maM|N=6r|LYBnm@x9lStxTvwe}H zc33WDPpM}RV1qc9t-@fF^jffEa16+2O#1Z+5Et<)2j3Y#ctPNak0&(G&zy|5%sdUc zl8^CEL9=!|tNZn{wTLlgSZjr2*dsdS07bBAJr@pejF06?&10PUl1x>>xY+dDSlF54 z9dz=Rg*Ysrc{G|~K5qZ=ZMlpda@9SMZr3o?@bsu*;fms9<%4_dOyJ3#)A1U6Tk{Ry zV916E!hy0y493w6LVxf~tZIi{(5ssQ&NWR=xESM3!5Mifj8wMuTz8>|f1cxri9LYX zGsNw~d7;z>qY$`%e}0wN$a2YzMwS#pvSA%0OmIBz`qGWl`8*qYqUGBK!0zBvtQTDW z8T9y_i)j88M)^H~ON_W`z{za8o_C-N!`id`S473X=*2%C)dBY*+>WRFozKAp%UPW; 
z))Z?kSxC4+E!?~b?)w!uOPQ3pHu0P;pYaw>a`ueF6j~j1#m5{RP0sIE4s6y1uAWaJCugL122#64UI?+laJ>p_G{Q@^o97~MYVe5v#D`Y& z$~_tPU5#GMGZ6KPiYD;n0H2v+8a#gnZ|mnazZhL3DflIUQ@!Hz=JWpJ!i?xAqWB}< zuSw!v=}E(@Nj_CewQ==w_42Ve7q-avyAoptQH0 z!P1}m!&|bH`LGY!{fX=QgM;E{MZ2c9*Gfjq?&TN3>pSmjGDD7~Iy`M)bZhT9cl?d& zxIUUObFVEM9fIb4(2sjMT9J}C6gbw?ciI~J22nERXQX~$&2NGL&>KPSewDnec956y z0GNk!!N|zEQEfB(9ijZ;)YDe+araDOUZ zIE7YyT4*JVrxV{GarUUm`haefs(Y9ea$7BVC#HdsULT*Ldqw=_`CnukF(3%gPI5jLr#BJEHFk3>FTCYrA>Kt11q^{w#1Ioww8 zj#SV>V*pA#p>^B7YC~{JI#fpXDb`1}$#3K~Z}?Jnt8P=7_Pu>BJ{s5jii>i*aZ9hz z1SfiMN7_g4>eb~ig}4mT!_<0DKE2b}14KDwo*QqNj%-3u_JWOO97fXF@Eodfr7es(0}glB#CNfaS43^01Vn-wIqpt9)XXKkoDdJmdFQJJD9iozk+e7>gJU?fd7dtJ2BA#Yfamdw0cnpHy zJmA1^WH(~RUG$JR?!?mYBuLi-~ZPG*Kg zltzXktU^m8_(G$RF8{vqFa)ig7SL$*dM`%!9r~CY>`2=4Nq}WJL(oxcK{M$Hpir||!$IQ)zeu6KjLVY5N6fvNcRBoTcco>S z^PxT+Me3mk&A0*mqgg;K=VeZ+gx{Ud@xI#i4`ViL7C00bT2Pq{qJc78$g85E4o>Us zC`kQcKTgE4P!KcD`5u)vp#i!YOJ-ePK@>9*#l69_hCw7|@qg`lIiK5CEM4D*^!-Mq zC^?YhN7EZyC=;YUdH)*+y#MW~ac<{>1|}${s|R)$y|^lRCK6|Fa*0h|k{mS!OM(aw zY>I7pV8nriq>o2_24SFw!WJkYs|3^6eaPykFJlhb)iz3W;QU)2av*C;Sjb_(Z8pHL0SGjPvpG#h%Wym_PV)KKNw4Ot{6+IH+>1^yaI`*lRX z_WuWOr$;zr!k@PcK^`5)&4iH8{yw5O@qgkKuiD@ZrT?Lo{=M7(#Jd*l|8^AcPfPX9 zv~s=<&!`x_d+SO{=~Wf9KdIIC#oLc!-3C@zhl1B(gt<^W0HbjF%=P($kWl3815W`6 z2d>f>ZlzM?vQQY7{6s`3PqVD>Q77Cr5M*V=>D??A)BQe63%@qHdu0AUkDeRZK`y%Y z6D|PoP)Z&@8rm!Y7eGTffPaEIlSm&VTObaesm3@CMeS-T?S6#DZ?qH=$aduH@p_#p zT`W|S?qM@U94W|)Ah5`5Gf$5GMr;|emBSZS=I8^slIapdQwGo~4d8X6L^p;`2Cq3} z=eMT_(@#Zv|3H%6LeRfJ%1rKKGO7h`oail8hw{mz7aemh@02K2Kb<*(hCjbl3{PIT z$9DQd6}bT^f9%{>At$ULU-NEVC2G283}za6oRS(#lvH941a!68jp^E)EAMjj^ddrK z#cp|Jxmo>0uaS+2Vt0RjWaRqTu*XFMS;g!!HiJke`3v}+TGOXuEd|e$G8T|yA3Y9X z4bpYs7!q170t8^89g?rvbxj#l<&I1|9{E7IQ~1O+$jI3qeV$A5Xx&a}7WH`$W{8#X z?)q?w<8+)5mU8&!QbbqV(yZ{s+cc=UDkqLAum06TYyw!J(W#ihJ>#pr!K{ilJXaR4 z91HmLpl7jHtoeP^79MedY9-)IyaM))$C=w#-D7POggmX{DiNPA>ioPP@Do-a99M{+ zYgu3E9^ivYnmY4Grlx;(MVR7>hbiyss~$*WaFP-hOGE4N9Nd4_3I~nwu>mQTic=F2 
zyPA}W+hVeX9K4fs9Ib9LhYdDxq}sk$lp%#{_GBB8F=M=bIbTpdGw&sd2fX=H9y>%G&ZHe$R4i)x$>mpcY-)?72algVi|-I5ZKrj46R49%zV8Gg z_LXd)?=uH&md<+1#2ip^~M!x2UK@KK@t(!r9 zhr4@tGIXzKP;!yf#5qHp(8WX}H#EK4k!*xKRrf4|EF0|bw`KfTdK#9heHqulP@XLV zSadJdvo{^IXRPe6M#SMdzIxdPw^+t6bZ|Aovdo}{S);Vs?DMH-oKH5`;B?OV>gtvQ zM=we0^t#X$C8vv%$Bf8c4)ufEhMZY`Ngixkk~YR38Ay?Jv9^_aVK!|8F6UbD+%0^p z=Uk&tsh&|D&cqtCVo0|6tB3*60!h4S5VY%qF?yBmx0`04WVE(LTcvhT?KF3kAMDB+ z5YN;~z&da_O82bwGuWu+v{(8pM)cVqQC`Vi@EPpS5uIB@(qaKBb_&9)9~&q?>qix+ zw9qTq(iw22VgtJVBQaS#&PF3wvpo;gDdniAnCQCb19hhKWyG;Vk{sTU$`5MyDEqNw zH2p^-CPf<-!Vw@f`6Cfi;PmC|bAZ6DDl(_Y=u?bOkHTW-E$Gw0bjAK?q7Vd?`x&`Xf`7)U0g;CKb3YPd9i5TJ}IoN z!HB4R6|SJ5j&z6DR7eS%mEr@>^K|)~4fQIx=hQ`tMR6#LX=Lbn{$<&RIH#e z9S*ZGJSfg@pJuNsr0!c_huc zt*SlyI^M~WLpH)iYT^K6v1)glYzQM|xf948cc~|{N9H^wN7QbG1r;w zML&P+Wv7y6TrgU$^hACFlQzgilv4VIE3UWBS`u#@-kJ5gFR#B7kAILlpWl}irYhs0 zN)TwMS&8SFr^T|U4x42IZ z%(CE}PXWt5NG~a&;m|J$^@WI|n>HoqcqrvUYI6_#9?C|9eqoDDJ^qB)uY>3`-FgQ;QOh_?VP@OR#3S{F(Z2a~?Wk=;ADe$XeWO`8jT*;wN z4_9W_VQe?DRdK9)y^WE#SS{X)L}5UG&@`R13ZW`D-sx33OBTl;<*l%VJ(@G7EMZNN zbW!Mi)tUbyY5Y9THWl?^ra6HO`*S!{p-g*?m8Jbt=X70#+43gj2h)C&k4IkBoI^tN z9BIQtg4om-_#7YgKYKFA2G1dxmE4y(M4W|g9Wz}{KI!dhgK~ZCp`AEu8Ct0-sh*_G zNp{G1XirOP6q+IjO1)QCh}gwP7<|O%0=36N3?|EH%`hZOnvmKfV0gmY3Jh?;MF?aP zj&Q`mEwI*afLAoge8tbCcp@6}ok`UL;Q}Jrl-d}$46r&vQ`Q%194?|~%@}Y5fumKb z7%*d!_L;q(y@B24Y{X@1P7g5M-b(jKjzFA*8tGzrPPpa34ZHOwyF2qOR_u{+p5Pb^ z!RNO=`xZo2R+j-UwM;hB{M17Itfhbro{dIB_e_)n9_HCn;kz?>PSJR7fiU)OYFj1~ zar1`Kz_BIIpU?^eX;dZzk683DcQwHILvBgI#Oo3UoNB!Wt+D<(5yaD!<(pwwGa9TY zwOO!4qm~!Gx}ri?$oeJuVVyk(YSFWCFvn3*o*)<(Ci@XAU&wO@f!R=FwPEDS4rEwS z8gWjL%y*>3kketsl@awM*R`!6b&UIXo%7K?<94G%c|!7$*gSfFjZ<45eKvk}8b_86 zeGO$0&hSSYm`W&ii3#2eih!2m=i_<0<``Uu;xP-P(G!ekZ}WI&#AzsT|LHX2dLuB?U;XR#8nE3dR>WbD8S+E!YI_=FH z5nCz73Kz8Fk(9&tW#e*;%%~hakY?**WADBqWPv9nK(fYB02K;K#MEYg(cx5zhs*n{ zx$eJ-!%z|%l%|sX@u6#!TyrWnxa%YXZ15(c|2!*TtM4LW0Oi2BNHJ62xSnJuUYmXU zxVopj!0?FlsL|bSofl7O$WU#gg!kB1&vPBiqr8rQ_ao{;&)RNW?v63@1qxRbYK9`H 
zGK_*Mfey+z);uT=S$6RV(nB<{(WeTJ+!iC&XF~8wXrvfNSg7@7A((f2r(IM=yO6yLSyp^Yj!NluCtwcIaufo*4RUs#w26KoBPh@QzjF_j-iAxvZ; z%?Qa9&>pXFfGp^dA5o~0kPgyUQkL-qic;7qHLKWI7Mw0Wl$cn~3aD#s$d`W*6(+(6 zTuO-25C5s6cnNodp@Kj?%Ole zW7TV7!3^%$uDJqh>8IKastO@_F$8EV)94#)pDrtyKXpm-hjTB=-Emws2^FE+djN)w z8&fVGWzd_|{QB@MXkjBAzsojF7AGGFGX7Wd&)NpoDLeH{!rmKk2&?Nbu#G!=ayB_t z&Cd)RjUk2FP!ZcrSdb7qvx0>{zf+;2r(gn*Dr17=kxE23nIvf{VSz3Yt++u|6H z1%eLLXlL@`hACQQG2dN^n!(4|Q_qMi8oU6Z=qWPqs8zZWvkqj?`x&2k`x7<^#eh)Z zhj>LeVYQi_+8V(ff)!ww+irVdU=KtvC}(Tb5@t7Z@%ziYm6~Q%Uj}{}o`|k$vuG3n zWeWm{K4$^JM3w?oQyxLZv#vTU*d~>SR7lBW%25Jp~HY-f^N|&=5uQr90RP0 zBX?7QfRa577Qh3we2sE(1ah;n38jFo@S}Tc*thPEcz!~qa6Xl|H|%FbTMc(~{NScS zw2OMt$#zTZWCJq5HPP#xD4RI70vNaNv1rm%R8!PuWT)`45#^>3vM0t>1MNvMO7?sj z9_X4iaUXHTR1T{`K&7dco{G<}*ndFXtmGhb?JZ`Kuq3fa`508@qdb`ToCpWXW(Sx+ z^kxeua@}Z>_?c_}R3TET6SNO~&m|JsH9MorAQu~0Mw5p27v;cRt^<|Lb<)e=V2hbp zh)D-dsxR4#BdZWZx1ZkP&mjpB)$4N);1H3<&H=sqoOk&&2VW5Sn>J>*VHC|{uv*QV zL=^)|y&)*ePdOhXuk=#(J)(oOv>cS4xc8n@v*@I?p@1u3?=aj{CVREuNAF{&6dDrK zVfZ}s^Shs@siN`sGs2FY<2b^z@E~q!>uTvNG66HD(AvGzLVa&b`m(OCX?GP#tM#V; zoKK-LYHH+g_4%O@j$V ze}iN~M}g&IOMvG4l9d1Yt6C32HBI{0R_9T%ag!I-)Yty9+jwz$@5+sh9eod?U<0;k z&=kMj`B;ZGXDyUoaA%mEzGLRVXU#ndnkKipl+;sM|G@SBiK-q0raMbqA9`)0gDp%l zY6wGl;sY470sipWp+KWjGG_os;9tfD zgb1>-Mi9Q$F|hKK(5-|r0a5$(}>uM*sg##|G|t!3OV@O1lfVYk?AT5 zhKAJ%q0K2vBZlP^cmzgfy^nOj_KBd1Y`s{UaSTxltnlV04ASO94z#Q#yyEy{5xE|W zXf+%Z`evbRB*aYzil(LhTa?Aq0CZ_EEJ7vBHphXA>Wo=G(OyD>rtO{L0qf_fB)nxI z{CI9=xHOO;#WXughml+v!h4%n{NzPr^4%gj>&m_5a;|<#@tsD#h05dn(f26fieSdJ zqMso0R6|MeHCbsu)uZVKd%vk|H-Qi3P|(MDE#?m5&xHXA>pa%uBmHl1MHFaF>G48e zP^!T9Y~i$wi-iHuGuh+^}9c|_WI}X9j2n_*HDfk}LRbP`}bjstMew(Prpeq2$2y9%1 z`x)>rALM1>%^%0zT2)DMApwwT(zdw44SeSbKW6E=tHYC=)Z1;W;ANORBRp}B^+or> zb2@%iMc?C?(uG)|ElyRAPK=gLB~3NgK1k9iorf4bNykO_#>WyC<~){+SyG#PD4@5w0 z?MYlf^AYYYW@Y9MCtN#sd()5auPEOabRcC@O9pe?3M;LPN)*}zJBl=$$5r(a?@o@V zG*<#hDB@(q>wFYg{R_rU37xlw&GWIyNGVjqu{6fscQoJS2Hh`w1hgS4qeFGQy3DmU zgwxS}&zpqJycPzjyQTc^ciV>p9j0tr?WI%$a4^Ucv1}_u<^e)<&bqE9Od{OQ$iFp= 
z;CBolL%(%-p=kBFr?C%SDK*p!2{cvGG3ctIh|C{UdR>??JF5vJpvC=Rf}$nV$RZj< zBC*~j#-1u}adUM>^vhppY#qTKjV;S6pTU`%8l1UiV-z4hPrb-(egbUq0u1#U{yW~i zPO72hQl7a_k1y3rl46uep}Rp zX#JTGA7niCx0lmTSwZ;!?r@lOY)MEKfY12yFK~{Wu9CB(X%;G!THXN-RtZdH;>}Jn z?tR~`D%YdF$2VOUt~R1Oxj%ACrQ5v2v@{!~BKpGPz_}A=d>;FU=()y)&Vicz^SpY# zWyh!SPV6d&jEWN$s%m$tJGvT6aQR_nwy@MAmZ6Th!63=f>@J$zDbk_?7=~exSnD!G za{7kn!fL>S1-qqb&EG(~B=mrP1vhsu4v&$5*W*%%fTr!Ma9~Vm+0dgQ@WZc|c`vRq zie~j-_$}6BcD)b!$d0?As2=^FR1<^14h(b^B&u|!r!W9g*L{&n@v-f#G;}MX0#kI` z8*DL!%=!^fCyv|N!7v2DV1FTLG19+vzBW=jRDY)KjKZhxi$-MoKKyg&&nxDPTTEl2 z%iNLR`uu0Hiq;8`SGn83sr}&|$yrMaqS$=LA;6<)dfF~8a1 z0tdn;>iHct<s-myDQFk(HxGN@crwmgBi&v zX4d5WQ9(i{RQu~p5SZ5*PnPM&W7p0z08w;Uq9&TgyZ>p%9qU%>G5VbK+9{un$t;gT zrP2DudZKIncTAweu&Y^x)rY3wzF>~?E%RkM?j`JTA;{Qec3KXLjnG=k?ve)d zs2wh}Z!z(5ZRmhnR zd?{%Lh}-*_%66Qu=9`{s_i*pKwe4RdU>lmN0^_SPo*gWp#onVvp3062o(=9=x8T%? z0+4&f!gX6ErL_=qQkluAAUPml1dc!mIq&_@6D;@;R7tLdhh$iZ-kO+}OVNRc1_kA@ z>ZPecJupBj*J@aki)UWfdF8T)K!lVHhDMC4Oly+t-F(FKgrYlyx&_ICz!%RH-1a zs2jah&)>J9wkgMCgqu@imDU19>JL1CIys4NEe>gM>bc8(`b-?(>3Hw@4=p!3Tf`Yb zqid(qiaf1cMA5Ojdgw}<2rkPwoSe6$Ectu*1~E10R$|C#lKAjW}G8$S?EH5Ym;H)cwyN59JR zE+p>9qh7K$9@*Wg9lu33xEp58L@y5pK5wkY z_f)hj6C*AkgT1@9v-3yY*#cW8(kEz;IQ+mA7NCI|z`WLhvrsOZN8#*K6R()(JTjWO z7tbiNwJuWyJ%IV&ed(Jc#cbT2iAEFEYq0RMR>52YwZEn;*LA(BWw3?y%;%);KF3t0 zFkU^vunHS$O_s0>>kSj;hMyBbxTI7KxR-DKG?~3_%4`Z&;x-Yyclp;@`nr-qtzh5j z;v9&$Wz0%5?Ap;ZP}}cYw}2=j*MIIR@E3-rkhWkbjcARo9}(x?U4_25Ss;BtC#};n zKnnfE3}F8K;n$JI{mNuW&DyJN^tClrB0;Pr8qAM08*Lcc&rHTv8bze$-e1-Yd<|T>sjU*;KH%Ot9z}GDDhA=-;2ch z;0U1qH8h?>kh*M&cUvlx%IazQEfho^L(Rj z-#Uc+nOGJ^ypjko>Xq}r=J@Wq(T%P@MXTM*FG40|pb4jxY@cYKCrBfrb7Tm#K->-u z8#FOErU}FK{d-?+-B^LYRF^n9JwQhzmOfe8&fBIUNDoZ@eb|dsvtproVQQy-`7fJ+ zKDJyLuw_^@!e5^fVX2$RX=RFR0wuOh&{@Z7&N?ggiPXs>?p+7`zqSm$6mjK(l(O1Y)7#t{K|E^2tG2 zivoOr;7lmrk6^k{f6!myo&MUyofd0j%O#DDT!;HsNdv%Ma$OO2A61Pd>&~IUg(cUL z-qZT19i8du-*om{=F;uwWxs|c%6H}o*iPDLWh`H5?P|AyG!S7k9vFck!4ELxX4be8 zG5r?#Q|#NTDMzJn?i3&@&RrO<7;gTQ0+#2X3-T^-lS7f}d&7mg+ 
zAf!8RqoF`iZli*iVG^`qdG~%SP)pHT<-j35Ym_b2lwe95p=haqx_BbK$YH1bR8^yZ z=hBA3?Lu8zjaF^Hld?Q*D1TCFV4(#)O$K1(XRaR3Nf=d9d&Pt4`_J=BXjyJndHl*! zF3p-(P{AgYC2MK9FUpOYMw=XFH%r%T$jZMQvvW&W{0On2K0}J}j@&R)`FhK(Qy!7g zE}MWi_<%8j2*~kx6>Bszu?YqU?=eNXGFzuQSv24ZTdp#kq(Q@r4~o{Dq)8D7N3+YR z`ZiKk5q*+3T7Rf#o$dofPbnhlvwW2(z=28<`qxtEXbe6oCE-_5%h`GtV6CuN+twcR zYi~fodqR?zuq5?p2s)~z$+aBb&R#OxFxSypx9<<@3Xp01O>ZlWJqHIV5dLLH^z}Jy zH}T28%pJNT-c~Wdbyx?xlFo*w9@rTYdB3v&acqCF;Jr|d$y4@H|4`{ZBrpvng$ES! ze-g&sy2ZjfS6?a`P6H#LYTwv###m-#+g|k0Txr<)LElx&bEZ$W1fx@nP@gXerl4VxQ1lypO$j+f`3__z=wkG^(6lNL8?%tw7Z15&ZdLgUand=yPh=P7SKGo| zEMNCfaz_JXnJMB%GdjAsGm0=ePAzQjNTAYI3|L05IFc+#6ox1XNLEo~WX-J*kgUTH zIp^v(gIPP7v9>OntN4n4sH16(C}na#Tf&+8e};-l)@u6R=i|4F|l1x9&u1{Q4> z7SRvj4ob$csFOZm=T5OFyu#mqg{MZ0blg) zGu|>?kyN94gTuWR{xKC^T^jwP#5oP#Hi95s0R&Ep^p?a3lqU%2j#??HBh8_iskD|Q zIkL)t(th>;`dJ8 zWrZ|C_i=EM4(|1PN}43?d4&4J4DY}AKqo-3VHBV4yPCOhtZHU_#{oBGYU>dz?=0u* zyDFo0==P4A`E?>H`FB%EU9mAE`>Mg%YKdt0)H)Ks{?rTB9D>D25L~96xe+f)`WBq?aVvv5^sRsm^Uga-W!?kZvt`GgGXy>p) zQUveES@Ykkh)T2a#8LN%!@M}2&t%$VgfQZ2Dr424dS>eP-!%WD;0V1ZJJdF-Vmpe?ybE>G1n3VSiIn>OMpL%=0{-Dhfm`AIU0XfoO}$fOw@;@RaCcq z_7)8RhWp+jhJ8jk!vA=mTLqE|kYrEbM(qeXE{LE#_iY<<1`*2ewe#8@Q9w}DibiXC zck+k}X6$7x`9a<;DEAZUc;i|f(;IF>V~*Dtu5{ZYzmRiahf21YZ@}trp)hG|4Jrd` zZBd)U%)>eA&5h`yr4FL~!b52XLoFw&Z!{9%7T`$w!Jjf`9_jCIR{xUhMv~KbqqkS& z{xSY)^^G!A4>>6dP2{uxA{!*#4#NlYKsg@39?V_Z;n11e5Ii-owvH8r=wJ3yPtVP0 zq#L^d4sXF1u-3-piUV**#`#1(m<*ga;J5jPc#sDyhj)<$dz{lfXBU{@;PgDiYWjt! 
zkf)@kjxm^XXR8~2Ue{;T3|}C`Ji99@0cI4bL-lOG(Q}v2b&kv7Q3O)6qh>9$e*^)U>w>f!qk)!+-%R-HWQjzq+~9~a@wzw z%__vrU5_9scP$d(^g?VpZeYV`?K7`vm={uHMi+*} z6?@YcVZYM3o&m;Q{rkC3YCo1USWrCIW^jJLXF4fe08}YV9!C3?MyErD8U8(Ks_9LG zuaBF{ke#SZ2~h}|P~4DEdJvYOT&v*AWtG0VBCR7<=NZ z-c`pE_SrwHp(U~0+5#T(vj=m+9->0~N)2?h&UhrH?QDP?u0DZX2o*(h>0DWwLj$Dh zb}qAE5`7FeV~i3wd`lQE{ALeO93*o9Kwmy@L!59?m7Fd*Y4Ktln?@?__o!IN8z>jd z&&RD(UlPkbL;uXpg1gD}a56>Ep-cLkT6!euPr5|;r@}y0-4|PGA7e0mbj&@}*2BT- z#*YfU$f3_bOX~*%_n-rB$$mjygE|0gndB3&--}g7pwZzvuneF^3$wZf+D;T-ZTZ;Gf(!9Fic(f_`_|j^YCYu7yZ0Mn zVkAl6g0T-N`nn_c2W%vq^>b=Y5V3^(><#yZoj7qd2ff^#3o~@|!no+*vH1BIW+K1- zNU0=+_-fCxXV+^ruACkoQI{IeMm-0~xx=e&ZBJ<5C?^3?^ITM)g-`h@o*tf2fD~G< zbSb63-yk<5XJg+6Vw42Q_RuLsn2_^#YaoTabjrK{d%_&+D*tJug(FBXkdOqhh(wa- zGwuDtmk@{^?f4Ez>vM{*R}VxTl2OyOyF~%){I!~Jd*{6p)xt)Uc2M?;BvOCgHjqhw zP#;=h)?D^Jj1ZoRK{@!)q<0gk>dB_-A@Y#oyoQ7-!r=pFt?;PLpzKdxVnLus)XR8@6h1TPH!HCS zNLrIxii8B@*!HT9w_xfXrM%}iyW-YqNXfRkkpKjDQZ&9ug!NOn7Yy-jQ`RCKrkq&0Icz!-;; z8AV{~@|EOquvj{&1?wQgqZC0^W=NKTV6M7?#_c_M!?F*IOrzhut0fSQdO}+F>;{F7 zIwPzIXU~nivOTg4XA{?;XT-MY|LubDcR>#?cvBVF6 z()dDp$(${=*d`b=VavsZn8xBHz!nP#I%LuA#usoHB>XC#-HL1wHOHhwx79xd5lnu}%!!`w-@XQp$zdt8z#jOo4gkbhl(?C`*Bkq$c2}BlwnrN7wrxjmSwaHdsQmzFpZj+NUDu=| zM6KmM_B_@m;PjpxYa9F5PMGoS*0(}<%&c7FO10f-sPDzHhY#s%7WQs1PVPwO`a{IP zjPg5pPV&lkc5Yjv5DaIMG@7U2Pp(fX!Y>{_&hd=*VG4{BwR{;i8d9qj_eRxDK<3@7 z46GriT4C9#Ud&O;g~QW93z=-IZb$QB&WY+>Hjr;7w}^X<>*nQlbm=R2{`(16uh47O z?Tq2}ju-rw!JO%Bz*|bKZKV-HPn#}US66JH!r5bEr?ww;5=_4^WvddB1g8AFQl@f2EWXrb|803F zQ?MQ^i?j4z9Lyp91uZ%{U<^3`IHfX;6eGz9Z}#1!k25ezswyqMAX9!@sG=a zD)hpEe`B)%rb}4qtp4&-NMR{E(u;|$#!{GM|oU~!gduC*8yXlD`&8T*C1?H)>GKX(ZFwyg1US9xk(A;jq+L})%`e|yLKHMrJ9 zeXRt-7qM-~dtf*6$&#B`BmN6=NrK;rJ-VhR z5qO{d0fvt#T*YI-G9w{Sw-2%GGyucvVB{05y_GaCws)!_-cW@rBxOyY3m0wp)iMEk z$g*dCL!VNaWc|jScPv<)C4)a2XlDhFNGGCfVZ;aYDFMV^7|B8I$Zl%@Kh@ZsS9$rV zoJm(Gg6jNL6C%03ji*bmjsQoD(Y-llOX}vvz^ynC@&u|l2^q6ldsqAmdb~SGo?Njw zx?^3ZD-!E)T(@=dOV~{oBa*(B_Dpmbo|_Tj%YB^;rZi!ZXfZ;=SP+opP%&$?+GG$(_4owS{O?BxwOR7tq>eVgT;k 
z1z0vixCH4I(tiOvbL*?^>G5&n2R?q(CeOY~)G#aJN@@iUwWYt%N1)|Lv=G!`qioVsVH@X^6AYI888e`HKmW#qs5 zy3&I*B}cB+Ti|;_WU!+~jkRid^BagRugPvL(uxN7P;>$Bc6*ENKcrgX;6OGmnjKV7 zW(rankN(8mvFPd;hSq{qgqErZIL1*>bVA!>6@Yus*P<^D_$-{vq2DgVZX+K24=UMf=PjP|fkez$Cc&WO3h`bMYubXEstWcX zFYHg&%s~RXF##gFfQ|hUj3aNKDAMKB{3UiHA1KB$eKWv8naOtgpXxuNcQj5uQg|V~ z=GV`W6e+VQD9mqjrlS_`%aFN6d~L&4oAC(4)4_S~HXNP&ItLC$JlFaCOWC@X*U`h_ zBT2(lLVBclqtOBM(_%Z{#_BiOvKdK)L|E|hy{>p}uf_?T&|lY1+j4z8f~pJEm74E! zUQ@bL`S^~$zXYEx-2`WEbd$X_jP#>ufGqAR$*86^oVro0@>37%TEWwOOf6t#WEDrG z4KXYj;P7l%?c;W&f?EWa3Y%0NuzD0Z^B|oGX~QP)M94u^%NbvPNSA)ULf&6q=RBf0 zzYsR~1J0H39Cmi-(pg+>Z=C@`NAGR^nSs$%w$Gr56hA}YwDw`G*DVhIMuzfeRXuH& ziHL){>X`DhWqjHST>YNabW{Q9*|WV!jvrKiT&J>~OM{WxPL5VCMPPwhmty*O$&88j4c!sdmwC|)V8!=NATn{@*+HAIYJ}$V1^;`Vqcqk%BuVyr) zC0awED|7qIfgc;?D9K)LU@A2Yy`Y|UO4_w9rwL~V-!hq?RWL=@0 z=`%83enAC6qd4;X^V@;Kxv%!|6dp6$T z<$|qn9Z(C}Y5+8)vbPBN2S;!IWV&;A2I-ttS%ISQR_&sswwTXP_`K|m20a4|45eJ- zBc3!uelWTQtO-sTqn%<1s@ZI*2(}TaU^(SbwUpj(xFviJc-8fou5t_)8His0K*;Bt z$U$tWjI8;6))_nB9sngRhy3EV4<%0(D(T}K8O*&EQMU@`dJ&|F5?gvPGh1))Pbzfl zTFg|IS@0sKn0Zu<7++&%rwwrzp_udL;9)cfRl+L#Fr9QZ01)vGfgb>v{aSwEtrfO8 zhksY@d1djDO@?CAW)5jqs&snUxuZGGDUF9P;p)P6f`~3_-XDHose4XE@Il(5=g0gX zns);{f!FRN6`^)((T^MUHt0@)sfgvbaTK8%Ah?N%hHt$rp(=n~2A2zq~u9OyJi^S*7be*6xcbtAk%S#YjW{QQ3 zK!TA*$JpP=>-djFwyndv=D~;N%!t^lLk2C?XO*4<&qq<_7SXt@l#eW-W7Bi*>np2@m*ov&D96NR1X}|Y=0gTN z6Oy)ShJh%pdSD04yS?|ipTx@i!E$+uI}o|;G>qZ|eFMJbbp;_+P6+$~^>n#=g?9-v zfSEzW(|rgxbNe|B!ghAp=;H_Afvcw(o|ZIOhP~06fj!gywPuDDWSFi54>{}7ViT_D z-PrCiU40wo&M6%Vv&6n)7TLuIkr zLy;NkkY%NYpCCMN*i+PR#+y*K{qG8^s)nfi@B*Dh!n8H<# zZY`o5LP@1mqcO>zK3J;cYnZ%CKK*-ymalV!hFR#>3f`p1z@GWpX`XO1Q{16^ZE03& za91F!O7JMe(Nx%!EySes9ZXDxUbUR!49sWC#u}|#2cnijzx^mV7F8UCg*8fRZWo;5k2$V2Xho*4-uiXFOh zn5w(XqP0`SDBs&Q<>iFde+k(&J|7tr-P%XSl-9eBFe|EWmA0BoEwFKQk089#RNCws zO(tNoF5!93r_73n@RhQBxNE`M{63~;4}~GU*#Pw?D9}eX@4`jsg8Vb7YmgqK<`7MD z0EOniX=NYQow%DME|WtxWS-PayMk=v921jnGuY5to&>!&DA0Uk1grdpEGoVAf=(`{ z=RYhdruq(|_wod)yRrfR{z*ooYo7eOON>P)XWXq>`@JdUTPY%l%+;PtmpB0qYi 
zM!tjL)A!XeP7Wi6>4)P{-08Hm?Z%a|_`Q{vT)i`fCapZoqF8Z_7{+3A_i8ebKB!nu zmgGGC(DXXN)UYPGz1_bch-8l+(frbj)$im%h_Nt4*R*HP`?S1L`F}gIjW2QpslQq` z)k=H)O5?SUQ?O6{TNaS-z23cwW!~T-EnAn3>3-Y&#qouJ6gKl>_ATEa3Aa2WlY1=U zVWvQ|Zob37ET9w)1F@Js~y^G%JTFdW^xz!alLJBLV(LXo0c8Mh;Re{Er;Jt|kOdmVL^2q@Exr4p> z8K9v)t7UdHj7L?mFtSGmqFvNXTgiEc0Gr#JK>m6b1(MHS%0JBj1yiOnVcy76JeF`w z?2+_5y7tHr4VhdcGcOGDe>QQ~Ww{!bl8oNhJ0p&DP+?Wd20oxsM%UT&c272W?nS@SP# zF(y`7)+!?EqEv#n=R+sAhYrdBPbBRr9$5XUGS%V)%cB3LPZH9$mr{^s=)Q~=Fn=ES zJbn>IE61GP2=vel5*zAE`V;hMH5~z51LVG5Q?)U>Omi0SoX@sp^;OcCNV-<-4RN0F+>ZFDK;Lu^u%sV_iDBx7_GKlmVm)&tmpN@obr`D{T< zLD=N;cb@l`d|~az1)wnja&l+v4OC6D9E@-}Rle{LFZILq$2yqH651=v=U?zD^-xAz9(ZDspYT)ORU)haAC+d3jFSaeCusvNt(nc&?dErf8Kh}bJ`n{=cp(|uQY7| z=qH3m9?ec`RuC&kZ&6Jz_rj>Q$`|(on^)zQGMBr!q3u2aC}UwYzott9XdE8__bWPJ zMKfDhW|nPM*$PZDBiKoN>TlBaPnvcW(reChsq8syI;ZjYNIvHiWnDnkD#Da(7{(u~ z7aCtLXJ)>mw}Wu!Q-DT5CHOquYe{~V)uUQMEwe^F7ovzB9?c|Rn?@%3lWhi258>J@ z`pnUv+*9N74Hw|6?=eC$n80d7t1Vhers?sa;-mUNo4#sM9{}2iy?y#I@6pg-)iz3R zB0*jIr~_!cm5Fp(uJR{845@E(X6qml(^4eXI`I&-*W*U9*^~h%)V%Bi75orwvv_*K z$>?qy*f(N<{F~`#L|Ns*1`GrTi#_NFA`uJAqv*2?*jmf<*@YhqP3L)PvzZG}bHsa1 z0yU*_rjH@0v6d&RP-qfy%hW#c(l-bwPW^>4o1~`h9 zFV|F3rQ0=e@s~%3h!f>%YIVg}T{_`yt%7(ybYlrPDl#8K#Hh&G?%^}pK`JPS5%lo? 
zJj+JtB4PIB*S2jblyL;?g0uDeOK%5Q=v-$@l6{~ykh2@(c7+JOMVdfx8(Z$xQUhfKKksVm+BT-wd;Gvz^XfY(-eQ+s))GwIL|q?`3h7*%DM7^s&0h zZVM?5`C8xRw1<_2eQ)e=Il#>RpM@N(M^mTkA!e@sw{iaO**EkI#^GwGR-XEX6L56X zt52P->&pE}5^xAjtMB-2aQLMEYch+#f5ex)?+gRftJKIwfSr* z0m&`wf2_MrkPC%3_!qh&7V@pC zejWL1BiFNJ+93jU^GjJKN75ndVcxQ$=U-I+#Xi9gHd-mfv!#^_lwNy8XqvV-IOKFS z|EB)(q5`B@hf@C+255-TJqcq^9!}1XCQxL5?N&Nn7}T9XhFLc@p~`k{c{SregM|-N zxWg1=2<6+XakVi9!fp-S^N}tmZno4x_x35VMW!B}1w#zE;7T2-3r`zK`aL;axy)Y9 z&`{xXHLj7;Ffq_9cs>R%KPMMT$Ch&Yza!Y964)&A;8KBb5>UPN+~hmm;E74l7V(EW zK$-i3q=kq8Ie`+eby;Gzb#LU1y|wgZVq$k2DdqV-Dgf4X=ef+SQK zYyf?5%<`6Lj|A!xH7$TGp}a;}XFfzZ)D}ajiIGpw z&5vXJEv9Ord$1Ht&g<0_$*@8MULxRMUMnM`?{bL;Vq(A}B|s`yc{SQ^&E_10Fu$cv z{32(Np0wBo4rWcPJunoV1oJqq6aorhNszw?BSL^7%dw$CU6zw9^Yk7@Aap)@z0XGT zZaBe5$QfMZeugH_P-?ew7QRZQXzEFhQFSj>^*ekuG}H#fAt&BMc1c`AzI(`=^SR8e zCAfxI?Tl&x_#~_o0iR;Pt8+SwN;{q+dW_EEJ-3U3@15 z+LZ}Tp5gF^rhT}4_C@x{pJ*-7(5ZR--Nq*w>jKJcW^M^iOj@P#Cd9E1*^^fv6D`(> zN!xTkVSA`0@UPyz7&PD{C1l*_ClG2xjOwuDk8_N#gAE6_5(8DpH^b0#E~W2P*YEQZ z>icMCt?*z~e?w%QnzTssw@f`x2IW{mF5gg`b493rNSn*Z=W}8Y$KV~OxluC&ZAq^L zyyGLZ=;P~r#_fNFX&^%186%5yY0NjWS^BeoDJow3S|A9&-fW^`LPSV1jyWvIiCWRYo2aaJGQ20;LwW7!=`7L^oX@`&qq}P zl|N%c%H=O6yDh!~wr65x96l)gVnV#0_w4N$32-0o>R;E8{60D5bt?{@pZEt0XGhk6 z!^t4uMP$c`8B*f?piWv-1?luDR4G0~-H>vhjS`E!$GK1a(uIT|>YJyKh6H=f=IJ)pylcvU|aFeE9V z=oDm^GQ7-Duop-dV*2(lvYjPnH3mao@F+)UCZ7A9soI^FiDl*27~!WMp@i@UKJVoX zV1yhcnB*XjG2O0T2~efh(`;aL-5h}_dwkC{jI+LQi^5KdNN^^fw=``@p)3}z9`9j6 z0XfFRGU3n$zG|n*has#uL8A%L@vFmQVAOW*EGn(A@a22PuQrcO!8r*^Z$tIC{|5k7 zK&rn3PvKdEYZ=~z*G zCx%-#iGfuhQXL0)@n90No55WvavVqsr_+U!Z4nF$ucHc42ZjF2Tf7?FKbQCYDGkLY zp`hIp6@k4jfZada?pQ-&5Y~w$+GGEo3fNp1*l54XgUkeHd&bV+U^OhvUuH5Xb!b4R z?St3ef=jZb*OkxT>y_h^Xbm>P;<2GZXA$3lQDK@;x1{bazEO{pSRRX3(X;LL1e6-4 zU-E8zu9+z(0000000000002}D?08M+Fv4wRzxMVL${i>7x3#hmAs@`Kq?rk--3Xf} z6bCSJfa*=Uk*K>`r8xgNbU}ZjSr-MHy2+64Z>;yh1+{BR{?jdoJr_y5?Yr5Pp}KH= z3`$beo~It+q(!`I?rohCQ>~0Nn*!)n(~z5EW=r3&3(X06qrS5=#ppuL$rSnMP+Fz* zn}g7OC>En_V@MU+PjXQBINu}kugf~lN+ 
znPcn!$FK~dhR|5Y;s>}2N3=eUFpb_T)4l&1qNU7e~ZQtvU(SHyvhD@+bQ(IcsjOrgSh} z6-LlRv`v`LP$Edk8Yl~%0^(fDFh;F*F_mKvh7%c%A9L&7g2QUVRdscT!`sf_0aSGD zp8VNdt4Bn=w+gz`*MlfQu?*K?J&6|#jAWc8f?Gf276N0`cPqv~PqC5UObxPOTNQ)PKgoVoSyuF1WS5BdEr|;JwRHKTycy1#F00yJ;|AI!Go*@!25ga zId3HyY$kt<9X8zAp$AvdHgIz?E!!{nV#loVU`mv_d~=@MrCEqj@E*fNl*-)?g!P~@ zES+H?Q2MHDulJ&u&!moU9%?DWagnU?8f!B2cqGld+RznRte7q-YRi^AOnZCl!VMbRkYJZRxnnab-O`6bUwK{n>hI>I&XaS`6+f&}s5`3JX z-ceeLhu1v%8z=gzLanaQ1sJUfwYc0)89FpT!)-_@gqXl~3^8G(n7l#cg3SR3%fLZ` zH4a(FCoNi93JyJImnAj>gC*+~*T(*D<7nBz!1@kVsUJ-)XEBi9lanR2QW++v9&{|! zmaf9q=)B%QW3!o8F7W}X6_lAEB2O}8CAnJ7(_+c*u9V42uVL$yyK&)xaZzxdujQGs z=ocq3Dq^^y**qEPpMjZWD&sVi+@Ym4L`^umN!s3>G}tvU)=BdP-jlQDYTC3Ml%jiy zus~SXcT+kuPqxcUR}yKR92)Ftb;L>h%km}2oQHU z(j!!R{ELi*Rl#T+Yb$yQ)>}b-0&Zy?HUNN&kp6QPE$=id^;sI}NO0xU+eInEQfh)8 z8-Y23rkFO}a2d>%05_7Pd8uYrl1XLR<~YF<$l{GQ~*uzo=ze$$Q= zg+B_{u>9<=gl@>o?b*Na-M~I^Z|+`5lN#hevQusd{Nw;?_f6(6Vj7bZYmA>Sa_cAj zhB41 zoX51KvL-}xGW^D>1e_&Dhy1ymw$&b)bNIlNl*X=h}8>e97 z5gE(5(bgO}x|ZTX6>`0|>sq`khqmM_0 z)%(*sC*j?iVuji{NCS`5Y@Z6o2djsQh3zNih!#BR5+jv;(72+ITqC?g7Y%-~yEXaS zohdXB4uj9oMY-+#42{34Xq-=|`Z5DQ9@{1;ByCAuFDI>6>|MB-qKNNNx<|SPIpie) z=HEphMb@l^iy`TzHd9oJV{H8ChPMLWT2~kRCJIckk`|2Key4g4E;x?5Zq1tm2-W6^ z?x6*{Wdv^D^!n+w4Yo!O1$dq@O-f2hk-s1E$ot*Yck{5$1V}8xseQPv-YIIA$&Z ztID1hIne6f+XT_wiX}?Vry?!efiCfzV3EJHFI62ly_~ULZww|8V`zQ6Mf|zfs8!CZ zVe;MTKaP!?aa-zw%0rJ60^cy!HH&u%**!f%C)bB+Zh6c5;Q-9-v0(mMTnblhX5g{! 
zya~JuW^XX1EFEZB2PAI{oN@z@S7q<0mlJQNSr<-n`Ud_uc30y@;~`iny@(Ge7$O4Z zD}+HHLTV+1te1Z!kRw2>n^D>9>oGS}%V-7pWI?ZOSh)rM2AXKPc$pj$Q4UmoM_7)T zI{;XgD27{y6c?u*DDB`|u+!{2^?Z7u`ZSL96J&spMvDm)wUjXr5&7{^+|9fZIgk>R zPjM%`4R@8oOSrgu7Sz&>IvjP4t{;?OXz(2-;w@){Mft&VVLh?u+b!i94ycR99lk_O zL3EkOWh@CI9}wu{@QeZw(^Fcn-}UkCsJVrOBtwt%F7qAiV4Edc^m34FOG`zLxnmxIb%-(GK?p+3mP=9m3H|OV(Yfb0L z9e^}#cN5w!9B3Taboy5#Z9DO=oE^+XM4 z{9UbsEFOOa)c6DplZe^v+@<$CaQpa}RGU&(=565YlkRr@FMheUX%>cFh9@R7PnpDw zZ_jW#iKJMJr#=>{H45LDz9L?V9qhd1O)P<5496?zU`)5Z)5=dKcwpKDfu`3pvc0et zV04Ha2-_l;(*;+0-nd_?__-%0O2qhkJvH#0-J!WdHiW_Q{+p^sX!JSj^~I* zpPpDA0UN8X8Uh2V>Yj141jWF1ymoMjg9-Q1=DhKWzJr~oqsq4qQc6hCA&?u}eA9GO zw!-(^#pgNwksbk`-)-^s16&=e0;%bit7y_J0%z8cYv1X*(?4uxOtnVLBx0IS6-J$f z37)F`gO3}PZ^kvF@Yut2)rHA8eah}~kO+mTk7mV@1j>5~1^d0kG{;)Z6bpPI2sw3W zf!}gv$*S2ShcM+oXM6k39gF}Qa|gGkQf97bHv+xeT@5lQ-`YLU$AGOC74F9kJ=j ziP|zuQl|$zNUaL1pK9{C|5fR{XMH32x=|5Mice~pqSp*=m*|ckSGep!mfp&H*xM2X z<_c+{X@CF#0000e*ud;yygZ)gZRTl{n zdOuqGOs1-5?;|K;iW0G5Fa1BCu5`;58dlQfkaCs@lrZxTPQYKR<`@nXfkfXUdeo#* z7&L%Q@Q{*)l1Il_EwOqzM7=?f)pm~LLJ>$ht0i*_xp#JfYrm%Wo?u=mh0%`%12Lgm zSpN#`d-U4m*^17^6O58ktKs28A%wFI90Haxp1N-UpMqTEJS^)jcz#`^$=5!4g%MT$ z)Upg=cU9&gJ|5KF@BQJ_7B!>^>v&k@T$J_N-~*sf#eYla^<9Gq@HV)olq*r+{X;pa z^-hvqn!WWcdIm89PQjX2IRX1PihLFvU9kzRH-7sgf%tkLKg3lLxI9Q~Rx(wIWbyHn z)hIKSmi$r|kCtbBzs?TEWq3fjbZ^Dqn79aWJ`k$8Y}$lm>fe;74p2Zwgcr}lrcQ(L zu=Fj7CnQP}zKuhcEbpuqAge*`!^(241pIKvoq_o_$;atShYjr%$lhgy!cd{gB#YyqlaMebzJH=b9oHXw@Mo3DEH(Ag6V8mt>~hW?{{%2p zQ$C|w`)#C{Dw~{1kHHkR?h>@6mZ1P^!PTEj;G zZ${AWm|It_m9mO{-%PPO-#Hbe{RU{2e|r>MiA5td#(>e6t|38Qqm+1F{hfYfz4fXg z5NFi@U$~$2V|b-Wyea~vKSn`XwS5Zz5*x_^0Bt&d#)JW%RKFIsV=%52ox(FsMiYv8+BnqJfu%nGQ= zT0=f3vb@muNIbN7UEJknv1b@lWSs@Is-;sZGmPU)@RaTorR6`72(0KAxOH9z7G7pW zv1cn@i@z0#soM5-@mgSCjATg1AGe6S$^rf5fv2=yh&22 z612%h;sP^`Qoyihiv`SE`1}!ER+-23QY6EuR z<4$X2NyVJs-ICK!z7@FCf}I0|HzbUdsyP8(tLX+#0)`k-qp|5x zT)lJ+Im?LSUfvcv7wd=Cdm3g*@P4Wv2vDm56_vlo@YIv{F2=ZZ)A%TLSaAT}4Ft?a 
zqrbE%My!l)XRw>vDNdYRjP0X0m~%3+ScIsM00J|((y(dLieY}x_mh5NkEP62~^t6mw8EhNml%~KWwi{&)V*0(K0Z0xxXFYr+RH94JjtI^Wf&JHW z#MI};k#H7(<~_G)=ZwiKe;Q5jqeG2YatSvbcGD5~8kc)9SH5Grynn|o;nVXxqF0K! zwNpk(B85A10Tvt0bSg$Z=D9TN_UMI_!ZQ>0aW|<9{Iqp=DbB`ZWI^K!%oto?5nmMN z))NKgw=_YXf4cUBr3=ND5F#kAmc8f^JCjXWyQxSeyR%W7Hf#7n-94kXFt6*Iccy#h z`#dhO`*Kfkfj66bgPl!`@w@W&WEt17lR6gdwO~L+Ce93~a}BhLhiS*Y&i3d_TS9$@ zkpi-fY`xO2w`W0@M|~=c$L6XVm^wyoHYNZKesL5*i47CG9#Pmfs+6Fw7esM-$YXXs z94M)3kLCS;DT`S6vo~s=@?pv}w_(w%6lfliQ{WXQ?IFj zHvM&h2|EEJHINYb9)_=Xl%11=Bz+i7nAjDeVqp>u&Nm0uEl2D&6I31H>?eEhDPnY> zAwaBIv@nT`nc6>;`doYrK_K+tAs94`Y!If0u4bexDgFQv>yH5$#~RIeER;_y2VmqX zJYQ4C56{4MeM`oxZ~>qX5Gi6Des%*#;bZ@2_+|`^^L=QP%xC6c0-&(QoATOm?O5nn zL7T`HMa;L*?0hXKV#jBwbqp{4c~O#55d<5nD%c=)c7QpD4uuYaV??nvW5`2(Tx7)p zH66z(js6JD*)jI6I=h`tUP4_*EoHo+ zORWtKNJ9X>;X>w3<-}yBe}_#fQ3{CiO6L$?qi@)D zS5$%Vq(2+$)eaEb@}k{1Svb}0R`86-TQnz84J@*3#>z$O_l#!Ud(1zcKwhZ$IF||= za#T>9i;`qHEUIJwdnhxY_=#ZW&?^AG|1S*XP>vV!R4f z9M3=O=UDJMi{kHueN!YwJA6x;;&JGS{ zl$9c*PWYu>d!A#;l$DGo6c5hHqw)s3;O%&Sn!g<5J;Dz-&Y`g`VPmdd-57FFXDe?K zVA=x7839XcLVmJ1l;ZhAjpfHh1*=LKBjJdOB;AYIqK*zminH#{#g!E-+Dvck?vD{~ zi*)PLnR#3K{&Vy&={*Jb5k5*Vc+L5~ul*_<4%l5Y0Qa?c-390=EFj4=k4j)D8DEmW6p#>8wjBEkB#*fqn5MEH5zb7BZ8 zn-IKk;<0=FEKw7CzSc#DHAN<)^nAQyBf%-AQW|kvt)66K*5)jQ2lvhU&=w*H_6Jc# zz~^#0Cs$Q#MatvsTch>n{vB>r1f)mq2rT}Dn5$ekxT7JXpj8SNx0ZF_b~iejTRPJfiUwUX!js&bCZ&j-mo1Ns_-rrP6Nt zo=bhQDeyz5u}!oR<^nB(_!yx+-bfz^v?Yf4R$&P&wr@gi{#9-ml7<>+H=1{$zEp<% zwnQ8L6AqA`;A_!aqRkYs2$0XRv-6U^rZ!Gwd(wnbxN1OFb_P|F^!2^+@B9vAl?Opj zn!%55lX~(;PpPv7Jezq|R6nvA5h3+8OBzReS-L9(ThLm+9iSQbn4<@SP0?IW^kP{} zR;HRO`P4~2=lc%M5i+S;K5d^fF_DZiLDf7cT~PnQA>jKdFgyR2>syb&(FL@*!As80 zEH8x#4%9F6nV1BqrbApAM8_h^g3~68)ZIGSCKSm)BZ|BZ)k%6WS7RKSAuNvQ<{kFX z1#1w0m(`+Vhg&PU^B*?N6osRzAu^st;pTs4?E5Mv5fX4B!89SmjUr~7?~C`XId2DgJ^XqhlNJIg{oFX4sAgZKINbtEqa zZh~hecY#J_^+XI4R*af5rWkEdOxBh*jxl&n$;8>3g*~&wckMo63&>{#>xb`z8t`%b zw2xOgnwIckYo>TK&#^Y`S>ON-6?7Jh$TffbAVyi7RhM9C`9G&G%Cy%CTao4V%MQ2Gl>T4D^{l;HfXwl+|%`rw^Xqtg}%X 
z0Au-mOBaKBe8^dwmIZC!fut|47Qhta%X?}tHz9ve5IhOgk5jEkztp2&jDCd+C-POM zo)Y%+Qbkq=n#Dx`FQ5n@aXsw_?Xejv#dxfeHD@6>z)e$3K0?bT#CA;rPxk*S@e~KD z->@-X4Y1@HOr``kMO|~u9?gmo$(=H2ZxIooW{)F%t3sJMM~IR02IJ-UvMj$Qhaim( z5`U)3Q|zZIku;L45HS7EH07Lp1787laN?XeD6+OiqA^Hu^S1TN!|{Z1SAoDyjwM| zJpLG7M1b6-C4pzSQ32k@bYbV;_f$=j=$%P?wBy=IQS2S2$^zS}H1J5WKOVa7m7p1F zAfbUF+Ypq)Bhph*oTGEV?8n@FdWg1rXg$Ym!Yl{FOJTR?>5!Uk=7(Vnj9StzkSNW4 zNeqRY;C1&Z{;!V3{b96VtN&bjRz$zYY$e@302Dj%c)4mS!NO}N! z-!-Hs@a@|wZ>G!cGA82}ff2tVkOE$AmCwu@n(k+lDB*X|Mw1LzrE5EUV-8DDU_Mj( zu8kH4QMr{Kyj9ws99#pMH;6o&76E~Trak|w27r~ ziC)NS39DDmOKXx1U~b)eKwAIzEXX)3d0&0xmNGJI?*l0R+}v5eKJJ z+;_J}{C-9vGlyL%q$OJ$-nA1Ss)@iAkn4FI6{m;nGTdFfSz|B~wem19)F(%uNjiy} zyi#tHLrX6?Z+-8P?V?H{fa~#ix$KG6uu7IChR>JBuQ~n;fZ89(lut|wvmGkq?9Dhr zg}c7KCKxQ9p`CdElal3koq!*Nh#~(?imLbSmOZ8Qf-n; zFUQNGF!us`>WU8ZjaD-jiSQ9iF@)ep#q()3b`p4Gtz4%Pgux15y?OXod%*rlPfcMR z!-e1pK##mGEXbK5YAkp$i@B#8pWkkTNr;abuZLYE(zP%T;<}19W|rZPjVLHqf>)Ik zZ}+n|Y}byTuNaGH6N;zOziuWl+o*rVVNX@EDa>!wa$obZLO;*Z z4MWl8B=2}!x3s}_(NH-}rboxZW*i;*4i(o;Ki7#BI9(*E1FDY1^udj0O>Szri(H># z?%#ihC_>9+nO_%EEdwJ+OQ_+4OViz zN66|l3Ml@$)$J|uu=K^<4ZEYUeewlAsuaZZ@8jVdfPafs=Av7Q_RjH4k7gBM_JxXO zA$3}v8t$juVLJa;O*lSbssL(M+O{es)G@-`?Au7~7)Q$f$$=G*jIN+#me6gk^+`R1 z9hy+|F^DV$Ot$g_d>guECIl$~M3>v8&Q0z5g%4uE5_JsN`Z*u}V4tsVl3ux)&dslX z-ev#xxR%Gf3et__ng~OKCL&1V=x%CjC z3LuL|sILRsXURfdt!Z90(ye(&$ck3Fh-Lz*rSp7$2Nj1MyAQa__9@UDgI;__(EUCk zK~d$Gw;gdJ8o@^bUu_kv_*xqnK_J zRrH!iS^Cy%=y!8otD9v?9oorT#-1dXI5+2cHLH89y(pn{z*ep@n}2V)z`9wkzzWx2 z?szAdOD^ox$S!VN^v**=*cDkt0p)2s3?jQ2&uA~nUZdzW5~h&3H~3>phpkIB^y z_<6^ern?{jyj$1YpW6E-hqwF34kyJHtCoj$Ll~QYkTizX(DS3iq+6le+g7^DHWw0utj&Z2Ba zrq~G^{W`PX;Ngz?W7dh;P)%+iyMIQI<-Gj{A>rQ^&X83x)0y;n`4FsWxy&$?C|RUw zgYMu=v!Oiy?O15uIe#PRwTcI!lQ0H@bGB;z){jP|<-MWWlvDOlflNFO+NS@}qWz*e zh{%C>Vf(xd?r~dV(4a)sf2qWO-SXe#bZpR0g!^z5Mwp8_q-$68IDdE>{W69yz)v@- z*7Y>ftFkq$PL@=(X}O*z67>iSAF8SF-?9YCH!eeJ99q}!`1O~LGMuc7Y)UV`g&S$yj-Bg`{J#pn8 zSU#ZO&cfxWF3{AOm5#p0PWuI-4bwsxH>f=HfjB*_nDOF;5^>6qHX4*`6G>bR)P&G+ 
zWfiRCNgeeJxf)Euuv^@Oz2{;8FxG{aR@v^HmB(MSi5U&#iDF0(68&vXM)3&72G9Tq z)Ofz8jq^!*cxM_1kStS)YV+Q%MxdAlq$}7qoZfri?J9i`0g3;#@Cxj|O#e+R4kmJc zS@1ygm<~!Ie4c8A%8WL3=T~#>Kq}(~?4A)7PbxGu@f4xi6Pmw98_EQ$eE0r9aLt@ zYE!lcXc<@P3eBlCqjSPMkRaxVfih>AI+4M_r+cj0Irt7s*%Q78<4)^}!7FZ54S`;p z#h!wk4pwApNVnAqi6~OA`yO4b?Hv-SP`0fhsi7TAz&tfVE(LB0zwGY!exZ0%!>+qn zzJ=?1<`!_jDGDbED_2LJ;eguwwtMvI9^@{DOf!Vr-)#4*l>-Zyn{;?_!E|_KGYjS4 zn$~d)S%Jqj=8?Jp9`oilVa|k#{SI_HVNFvgVjmq&$+oB)8GfWUP0&D$#6FnG8Xu!` zRXeeCq<+k)j*IuCgO9C+kEe+ZuT6=fpyq)firPxgRD5?O;{|?o)vIzmOq1yAxZF;o zUWn~b1Ye_weJ>_5!}x(_UW1mONPVoS@tPuPzyO5DkN^Mxi~4D8Ze-rOO)*ZYtLUuV*mKmY&$001*E0E(IGn?d?bzGpl{ zCZ$`=lgxKtsMkvM=ztB}8DLqRRJzSWt-UoBBjV=g2| z_kRPP^!)N7fUehH=GbVa^cA8CK$3)7I5O`L1x=h^Rd`-W@so@RigBW!KTElVuLezB zFdnFi=jKEdJV-pPHcBE%yo-4wDR#vkWpxUB9d;W)0upZtA5mV|HY%X;w*I!r8rnFB zfYkpic>(S1jpRWkAxW_0U*L*=oRwd0J`wO6Nisxl7@@8~m5%2Tl$JZ3)B3Sm%EWb^ zyIZozVRX&aVr+K)wTj?FV?W z7znF%2nL>$Ck~OD7RrvR1gGAunwxD@Xx7si4Z3U9tjri2&3f;($6rk>y@T5AGP}S2m=3PJrS{1i$U*g0LAwY zmhHws&$E_xNU6b#lqT_|R?Zk%6jCX8*$lnIz=9hv*5ARN!&v8qLTRbgSIcLn}QUF$uvZ=<%a zvNCn?k#L{}Ok!Ap%Yi=4P}9OJqS(pG$2qNr5}Aru`KAaZxq8dBix)w_~!Bm%C)adq)|Bk zcBb!lu(|QpG4cE@71Ce?a!xR_T>1 zlx8&z`?XnuuL&enjF;D4FQF;u$mZ`=?0xqlN$(LM`f*$I(Mu@oRG`|xfUZJ|DQK9k zM{KA+BPZN36_F_JJ|h0mmfNMbGlfK6%*u$wdKf5@n|mzq5&xARj3|==XK^C?JG*;9 zY}QzF67>zRPG{`qYblBfmVP5}Xipexn193gH%x2^!mf#B6QleDoP^+zdS|dC$n+vf z0QI1jNZHNb&Zm-?Hr(Vq0 z#1uNX6KQI=SoXKRyA>Fb%GoGZq?qq}lus)APQ3QIG30Vr1gmAHSaVJD_yAFSna=7+ zrxElZT^NLIM#_}?qHo>50%Jy~P}NY)VatQy`e~wjRM?8vMq2A(G8E@(OZcxmh??)s zjz$WAHS99EgOqyG$X$6CF}Ff^ocxhP9l{+z{Tn9Zs+i~K^`&wH&$EgQHIXXT;^JmO zMj}ftN{;U;@{`c9+DfU~tXmB{yg+}Yt!+Cm!7MCnL&)kxcNPyTOl+HaJ62*i4_>w= zeKTIr@39(DP!vtgs0k965(xT!Pz@?UzB(&d^DM)M@AS^2s&Lt2nqV5tC$n^#6FVdF zatewFYnFfR?@-4SC<-xisQ74w;~6e#$d-Dzi;T6Fd<+*)&mBHsBHl?ks3Q@@Xs0hK zH&qL|G1Bm~EzBBt;|?po`+i`&_%^uLshXOX4Y2NIne26NEus7YTEFtc z#453b8M{)w1~TpO$S$}i4>E{*awP+FG+@bH?&_Of8a@P9_U7HpH5CBKW01)91 z8Dj-u;a{Y3%$m+_Z?GVY{6@mjxcl*GQ%cOICoqK@{6_nw#ue7Gt`u@amwE%(<@3AY 
z(L7c*)_RhrP5zWaO>Zbg!UaIS=FQoiP zfJsTI&fzIhyzv4btOyJcyG9wS%x);fj?6G;uOI;&r{0G`Is(fo|GnFd0c8(6Tw-pV ztR~Oi>u@tW>x?3N>Us4qIh?%QaDbK6@t`9kGM!X4H`8Z}9%Iqn?mG`t9AsB>-By{gW4Mch!R7r%$q88NCUHpDeKt))1-z~Jbgb*gDyhPA#PkM_k}vbV z;7&@RvHL`#4ry@6pAQIfD6>oQ{D^FUXaCF8-MJ%-L}o@-a;T?_f1uor;D!vXywB{VDGVKVH-Mu1NuuG-@iNOU;50le`j<~!_7EKW(x zA~&|j@J579F!_YfW3748gTLGn6;+PF6hVN=%rn8DF749;H}ou(C=R_wGCR*8A zp)*5UG6>?9919kG8q@I5?NlMLv>`u|t;nIcQSO^oL-VxLnpw#{X`k5vDP(W9)l=s| zMacv`fA~2 zyjwx(zfo6j-4DS0=M2BD-kC>TT9eNYf)Z|`N4BWhV`^NlwfT>C)^o?6jKpJzTOIsC zn#(i9K7doJnB<&bdFMW%EP~^3Pn1BH2vS0SHbIFI91UGns8@xdc-XMnW5JPu}A-lv7-QJ)800!M-7_|xmj*0~hWf%-P+>^kE z|5+wTjzX@{dT-SOPF8$o@MHFM0s{Yu`hiP-?surPO+)@NK8d#A8~pclXTc^*VS=^; zad$n4BBJo2Z+#aJeuki>Fwl4`EBOSwcFpq-pN`v3lChzYFr8!+oBE{&uSj${iFf7Q zkJ|wze&8?)c^+F29#4V)fgI>h5I#lUt}J=f-{|_p1lCT6BMi+@OTc)$VI(`3NNF>u zNHA~j#iHyQpPzMIz$Yo@=y1zC_JG;Z3%M_;`g@I|X)7Y_9!443Gg!R?9X*#7G7uB# znX6?uyjX4@$awz|m@6lI-XMd$nMD4rzVh$8&g&42P#1~gM$a69H&leO9P|AtwhqP(CMnU8BqX09iv`}|R-BbYamM%W+s870#W8ul80f`tXf6qohMtubD# zZkB~&CjwwG1Rr+~MpRwqwjStcsiZ5x5V9U$&Q5Aq+r!dPkxk!GcJ-V6LO*ase5Tz$ zx7w_akcmz*q@dL!djonJou~kr%Ms0-?%u>w%VNM>(?79t)N|1Uhv2;f03U0`A;Y@Z zJ7lI~`=)Qby=0?0n!7yN0r)-)i*w(@7Q*P>f-{o&@Qideiq>5u8N%(`aEsBcS01yK zq6tmpqUGmd{NlKbdgH5JUo;%*!U{=ZbDK+S1i5{^g20UQc8{M=m!2vKdnX#l{l%4U zze>{?g%{G7A(3gW2Y)w7`V8%?lo-Ds6DHHrm2V=;y%_~copKNo!D7wQI?BS?om0ze zvmp52Dg;`IRwhuq<@QA4x_)P3SGe6PNBi{&Q6{Li%LUwmMg|wpqO-_5ua6|Oh|V3F z6ztL5a4DK$BHVs@K2tqTTSYF*PCfM4_&0ovr}L3ZIk_CLVBMn`-yjI>2`Ps9;O1|j z-GEYW>ic&h$Z|k*It3=@8xHj1d{ogJoE?HKmjf$ zaLyp_?iL(~L7Tfax_&Qz_4;GJFR-!H#jNXfbO4@#&B zSBpKviBl}sKQ%9%UiS%xxd%_&pZ(VqVH+u17NKcJ>QtlX!-t#IhTIPK5FYY03Du!}MQh*KYnJ9dsYf&3laDt@;M0rmKO$CbV!S>rS8_-C z4%%Mt6G7Q`Qw$(4?^WK9-HPpwr;`a>seLiJ=%Q%)*r3;kyr=h?oqo0G?r4>@ z<+t5r$$r1{eF0S{TcTAf(U3!RGE2=SN*$QmN;@pAmJg6@@SH{bH0RHRjXW}jj%9!3g_^_=D(7zLXqOwU%d=6D8fi!hhj`94${iAq@d40K?WD&P6I`0$7X{PB zLm!ri$4{S~_pK3zWZX&$dZSyEaz>g-h$`_>L~pmmBsHHiLoqoEtEc?qVvd3r-4FRK!oo za+Ep@YJVP}er2svskJ=?zzeG!hC}W3*zE~cOt`>YZ=A>QfB+hqSa+JQ+w4Ru#ui^x 
zirq7RG*QdxVRBfhxyzWPyU&Eg-loW2CB(eoi!Zx2ghY?W!NPRj8LPwSng%!gy$wo}=qE5pjGuY_-Ai$C1fh;;A1L=Crw_brrNj^Q z6P=~;)hlfp0{ob4Dtvc^jd?MD7F;x^1sPH06-)xwUnp}-8 zhXK5t9E_ITWYwg7eAb)q)sZ9-?gFSq9V*?L-z4-VVM+*G^|e*r{%O$Uj0wP6u;T&6 zUQq$IGaIcxyO9>aJZT1Ybpg>TQ=E7t5w~&P%}oc1`0m~5&g{5p9G)EX;FuNidvxJ< zOL#{O+Z-Fci8+9=l&(q_-b*4-o!U`T-mC2`gqlCLe$MhI z^jMgydRgAgk}}WZ@O3UwwM4gQB+}mgl-HY4fEVhNk}S^{g+445QlFSv(QD-I()ZaHMS{-0xDiRFyLR6+pZmMdFek@RmD{-fQhgMF?aG-D*aU|wkPzNX4P!4 zYw{_$z-t4{S)6-W$eifdZumEx#R6+_hy>h4k@1n=^gddgHn1dAI2APn_FF9^S=mej zm{qLnEfu}YXP~H{EdTI%uq8;RA;+Ocp@dvmm#}|O=+Rigk0Bp@eErT5*neg|t%-*S ztG}1@$ad~)0pf<*7xcWBV^H-m1kpe1KbX1`6Hfp7yvc?AWA&57>pfDZaH+ps$GP3{ zWA49SNd0m&HiEP&vhuoc^O~lY+oDXiuK*v{X=VmJ*j4MbGd*E3@Maq0aPmD_)}z7q z1t@UGrYSk`M2eY#q^}Z|vg7lk=~pX?dR9sDg;V#Ng*R5>aiZ4+w2tjhg#XR_0lO9E zUC;mk04VHUIiT7vS#4HkqI}`Yr^#2pH+!`-tu*4l$d0Z&3Guq((Ij-uFAwiAg6)Ei zge%{rl@z}uk58EOfv2jN$HlOowi|vj{=jR*^P{zD4b5ER-Kjn|FIpL~wwc!3l(d3% z=zaFFrA%kjJDNymR@DhCQjU7fG(Z|KCJ_x#uXuA^>zETQleQq>;w>LoHsIC-NrINk z?uU304HTidWyCsXkogSs>WrpA7S{P zGPv(L^U@D>$9PJAqG7`Lzr}#c^m=sHM&jp95puVXo$Cwz4cpqzC68>k$HW9HXd_=9 zWu#tj$!1#ND9OFL1Z~oR@#=IyN$!hDT)^?v^Hz zWb>6U#1BAt^+fxuhWm8StQLbL(|bGVNw%$5Q(B9RD%@t>-^q5aP&)`Vj4tj3NQkXF zN6utl8Sdo*DQa_1UZrst>vw(4QA!07e6Hc4d0-G6M$v3#&u@1j)GE~OQb)%ts+l2FA;sh(uh>YQ&S%yf_6A=uIRn3s*^Gw9dPk3s zKYk)90b?hQP!0O%&}TZ_3;K9kj~U&e39a(oMvH3QY2gJjEK>Y&U*tW)ujjxxz7i$W zq70Ac%sY*5f*h~ECC6CKx`yX{&~aG*{MBToYUWflMX+!>JRm879iI?nD%gCacKq?A z`ZK)CZ2$w&*{2$Jg${yNE^D3%?>6uWIHlcVw)4aeu*m+*nQ*0QVgL<$q)l0$)|nX0 z>aiZdSG7(kgKM9Lm&v;DE)s)LIqfwSY#A#b7G7@bvw0VTEX6M&FMk{a@33u946MAB zR29&SUjhgofDES?c-{D-<`e~afE3AzUEZiio${9uQ-h3qRGw_Ld3bCD>ET=D*)<4v zJ`xR$vIIHuIM4t90Gw&EZ*WG*Zn3W$T7dqZ$>ubo`XmXwR>A6duhPwa=t5(OOpO z17LgXW$MtG5H|!lY}Q(hu2$P z7Rs{;@tCRreG-nnMPO_3JFzPO{s~xkTS%ifG;hg*L%JOUlC>=~v&bP>5#d-Kx$9(e zW;V`uy|B;kf_x^QdIFq3o&4%?+3S85lxy8w8!_$Yu1UFh`K-$(24?6nUCe^GUC}ct z(?Ucv5iIel4&=hG)6_{e{H=h6gw2rOW%b$0{$;}B?JmnKGNJG-PDLymiF#@}q7=%S zu#OtoF+nUly;3rh;q)cZopd9`ne1r#h-bzTyB$1@aNRIk3VEM%fUDuX0o4eEbn}a* 
zWjT?ZIH%SsQpVoUEWlOwFB(K*7>*q>T7*I19|nyl0PiP|To7oQHi&lweo)0eQaEIK z0?KWgUP;VDa^Z=k=EYlW8;yhIem)~>1lk|54ub6h+0zvmJ^oQ3l>v*8T0$PFN?yC) z9d%bdOj-dYnq#PNoJkrP|J!2cWv9L*F6sc0wt+Ae>zXgaHLL^fy+>vBc1G!zS)(1Y z@YkI;C!kvMlsWYEW~QEdb7Q%It%4v)Qtj;QWHfQhR>hL{r3FuO@wF&6hayJGHf-E7 zY{@kDu;>%Vpo!haZFkKGHg}))lMKJ3Gd-8Xq^` zGbKUJ?r#|WSYlpwf&NBVI}}^p6uxSEPOt1mBxBPEvl*Y z#DJ%O|AQ{Z{#|PIz3vyozmcg(B?P{ns>>!Fe7~s9O?}YldZ&x?*xRR>iCE4oU zS@%D`>Kk;8odA3=Ji1YKmbN9GV%(()jZpCeOwpZ}^HW>0BA$S8)V))1XHV4k`wJ(w zZQHi(WMbR4ZQIGjwmq?J+cw_$KkvDE>fD{Hv#wTGSMRD_y;t{ctnbIW=QzQ38f%~u z8hY4fZuo0vR64|DT-yq}#(o5Q!j*=z4e|B07yj?fBilQE*0oEu=buHW*MTqp^F*-4 z*6FeP2U^$3+5*w|%UX?&P?Z(M3hDxnu@O-L91c7$>HGfen@()~e5*ez?)CT49S?hI zk!DZek2zdHQ8amzD1VQr-|dPlR@=*-cbPo~ihCCU#Rh+CW2G*hn6EZwnpYf)a}~dybg;uO_{JwF^54g*B*}8_ zIVXKq&`>?0wPcWHByD~r#ZI1syTc$hom!Jtlvlt7vDgR9s{E-(?V%F*Hv{~S!JDE1 z*^VcxMBk=#=wA?O5_pGS)iU`cNNOe|j5k@8(NuBEry>qyvTr{pY`hCrpW0R`s};RA zCJJtZHSUyi)*Hvym-&H*!%C@J0{8bEHtWsr+6*`tG(@%os7{6>ebW2t1yd0k5^AoX z>i!OS(UJ~c0kR}SDHN^4^bv=p!t1Z*u_!DqwF_4X-rubY`vulQsJI3@80jFg@MG69 zE(!jTAF!;`NYFsza>ZAD)E7RiKkoc{u9*`U)I8vGQYhWO4HYw>SW^M2@QOK{dI#y?FMIG(ij5_H5?*t0m^KF)Bl(GR-GrNP-_VbRr~+Wd^`GY zX8qqLbBNYdeIRcfkPAee*}zLa?uTAzeq0BeP}mHDO3PB{bBpV{2D_y23w8qSev_t(SUjJF9g zx{=PbEj`N2=^@TazoThhLNKDcfnKv>dhB8ORla$KZX$ZkhX^coo4iAm94)T!FIKmw z8wt;AuVw(LwKAo7v}^ko5n@5-S;r1jg<{ZgB!Q>?=WkvN%mEz-fH7mYD z9OZ)IKiqUmXx?PS1)h&+F4f^;->j1K`>fCz;LbpCuB>J(?&eAS528doQ3;O-`ekeG zc-vRR85Poh6T27ei%P7pVsmZa~t!`NsJ>evmv1#RWe72hX9`3(sALgGg&*b*rJY$<0~rv~~%<21?%q3uOzI#*4RP`e`V7arWrgGBlkh4gI; z#1U!x|L=(VzvZ?H0DhLqcYHt#0pVd~`*19m;L+~-DQ==V^g)P0Pe_rS5-Bv&jUO-Y zXeV=zoJ&)qN%D!grB2$Qd=ROdkHa?*I;ec9*@;GOD~ZRW5CUX_K5~KAKFnW-4cjHu zg(5V!Y`A&up04UVyu1LZ0LNLNQW;7MqsY3jvrAiU3L{-Bq=4PI(s-*FDeA33$;C2y zzEZRb+ibxg^3lAqE;lrqZ>kheVaqegMMuORj=c#M@lG)r)LX@?%T`i6N{c9uDZg@Q zg^=X0+m5laGRJprHN+QX)Z+9ot@mnbNyN<03s3$AuZ(%Uwhkf}s5U`DUTQf{3+I|Z zkA0_Zh-=ud)u^@i3MS7^X=@f)7c+6H%H8QyIIGs$Or(|z+jMcfDgPd@Jz&PUy4p5d_>71!ScChbAjaX6QOzMy|5h~N7;Ro 
z!4H1)dd%K0aZkL@kobN=3T?;=fLbNz1~-jnDkcxAlwG^gDM}1%+KEv^VS9@3rnSx9 ztaTL`PJRJW%FRG-TN7-yiFLLjGM{|LpLFRisji)b_1nZ>!RHDqAKVxB>Y~@30_*J1 zJn4aR`amU*Mfh3ts(ZG3isp0uT)Il);g?#}rHI)jYGogU(`ReFt<_p^xEP|V=!%D& z8i4!s(k8c);QZ6I(~qo1O(v-e5!=-JHS`UmasYgdwfr?C#wEdNw`iEua$aXB?prPktn7Q-4Ufu&wNVaV7y*eC#TLc(wDN<0-SaSK^`L?a z>%Rr0sSqU5A~JgPZ$^7jksofYzqi|Auy(ssQ{s+WuBvX7qvj^BYhF(+zXBQ5j|pQ0 z1C5AEN+vI4>5C_W`YkW&kiDRHu2{d&NdHz|e4{%EFZi$+98VB>pcLd*7!^y!$Q>o# zht2&?NQn__L>YH+iir|$PAViXm}U=U+lMy(ouV~3woWi6s;%Agt9*B?oi)!?E5vC8T$e!~ zNee#qahNY@@H-Fzyb!pc9e)ugA=T)>sBNnW@nZ}!JKAqwv%Y#^mg*D6{FhC+X7rNo z0c09@=Fr9-4w_j?z^YT3Skv%O8sF8yd3cB7Dc5jWIsY5dqkE4iXY;Sc9E@qYbjj$* zMFjtKM1a|B4v%(y0Ye=1JSv5Nm2I@Yz|#$#&6N21%gMX5xm!1pjrG>;c5AhGlGYvx&bK{q(6twLVc>>p3wbT z9Vt32-w<(-36?<_*oy>)@incxhMaN7J~g~rBK&R`YgouSwobshAp zVd9+byY3}P0vrlwTuzAE_}Ib?|2)$9O~FS+ zU!)SgWNRg?6|BLQi9$q*%oH_vUS}Umy2<#b%mM#5SORftOF?x2pN?2=X9k=--TMz2 z3rOBz*x|KaAa-@}v0;*n(&(y8m04z#YSA8#=QV2Cqlap{qdkwbUOTnj=SVO6<|7XY zzZ$d{MMKf*(cYK4q5MfK{z=nTppv|f5x*x}U3JuD%wlgIYiBu+$K3TlFIeSaJ67o|; zn2hDzgCub-WLS*Le}`Z7JbbaZm*Tn?Y>^KEokgpnc#7b&v80Gh+fTHwI71#m)3ec~ zN4SN$XxzY=1wcWZSf)TKgoFG@nU+!k4s81S-&7(&ZQiQjQrhS>7M5V5h9FW~$F17m zKfs^3zw8}tJ{cUmn!WhJvx|j%FBVfe52xV;3Go)=FIP=UGc3;6Exuhi2M%1F;M!!* zau}0}iKlV|E26Vy-u1lGy9P*Rql(8jv1 z2!_(+t8TLahl{qHVANf()jJlK&Hz#j!isa1&0*FD->Q&4%R!FFry^jh#OEHr=!{H8 zCA^}2oA@b!#lJL6f!+jya2qm5vq%Z*E5PQ$a!pZP!tNLf$A`W&Lc}G;<6%H~9OKnK zrSXm!>kvdYm8CV1vc0q{A2&gjnEJa|94=_<#!=Sq|DX5IfO7B}9%fGs{r@ZA2k$e9Gw1_&)g(J2t%LVlH_4lG zb#D|OIGsq_fr}jJeM>d8rc3&;Cvn=UgzG7-ezsnKY$LA$Zs^EA9)JN(y$cV7+w)Yf1DGQ6Vy`5?SU_}k{0LDN(Geso-S*4CXxNvO`g~2!r8{vMA{kah5yD#k5?+M~b9DwqQKokmi!HjGKX6m}8WZ)3K>dLi;KXcg zxLH!#AV^yV#3VjON1vE&=eAGJ?4bdiPYE7Y_k)Fw2ic{N^QV5eRu8$&J4E;O)L`Tv zU=T5<73H0YD9-IZS$PUM(gl&h<95D_Mkzz}>B9#>0Eo1HssMK+c^5teRj{i#opqsX zu#;gY_>Im{T{U2+UGu3@0YAR5for?*oH7^Z_1vR#@hk=8guLLQaGI-1>tyZ{J01Sw z^=5RVIV|8x-_B97r1sM?kA@AlXVYP}QHjH^fbq;JS&}vO5SHrEG~BJETedmMm%zQS zH{YAlw6DTk=9?PN7z>++0nh=F7EK_D(YSq%Y9Nrlpum=zG<%R;#0YSqo7M?$J2jx? 
zoGagUV2en?{T)PD8T#JzathC9QtNs**7rM%eYo|ava;(X>w`y1-2=P!NvfKkZz5-P z`1!}4BI?V_E20nh!tE9`3M%#Bal^`A^m7mmrz9kCHyU&Mt;Xk`0mDzi%>E#SK=haY z7tShNs8_3IkItEAEP;H*IGIcGSGNc#@K6}Kq$(lmL(k92{X_X1n8@wR9P`k-ShC7}Ok*ZZ8RUD7U*}66$&fh~)1{x9XzIa++po zj7`MAjuNCEdD zY~UBVrB;diwFJbkN%Bd=}lfvx(oA2sH@FvVRqa5TUtnAWV=k8Y?v(D{okPpSe<17&dW zokaR$zS`=;od@5YQ;Lcgce>EL%~rBD+U6scgcR2QvfgxxJ@PWM^<*(~P0J zUP9U>iC4x|=2BZ4#B81PiWKmjfzces9m{l`?-}hwRfZ$MiFKo&Uf;)gJs`5ShvaPa3kxU>uS zDylqZM>HWhMUfB|Y#JqLtfp`{2!Cf=cg5Mym~xq^b=)0?}nLH1(>z)`}Auqd!a&- zB3R09IJ<_$JT=w!QzN3QFNqZknXASkj^fFYB8-wQm-lJG5fTcQ!#BVr(Zf4U=QF+t zYudv9%kwJfg^-1GXYsh0HIV|DoJoRo)k*3&^&Q*JH^vWw(AZ3D2vtEqNwRRVBbx<= zfcE_H>Ez83ig#^uZ*;+T!Tkwc(L@LBZV>C`>3A{Xd)3xKW=vLXtHG| zI9y;;o>3Pp?(w;!)~1?9D(2In$EI|(fQxewjmy*?XeNzkZ`=jV@Aw8GAjT-%1mJFm zPjmbNp$7VGWqNH;>Sm=#5ZRKT(*B6vh3i1kiW!EmAuLVSgE8VZ)Efvom5wUOrqeUyMX2KH#f@b4|6IX@_oMR17EUmpr z%JIw|fixfnX+~xK`>93pm)2}aBOmu0<2z|*-|2kJKZkrN}eSn>D*V!1eC^YClAAO|Cop`+9nUmtwokX4=J}hHO6vq)~tG zaIX4QHSWcGDr?IcV+r)0qR>s`I^50c+ z-dO5s^jp4>ix_t0d96*jX4j(we=tOO$0It(S0A`5;$9mo@B;Q)a2tQt7>P7oG> z*H1LARoxf&A0GtzgO3~qtZOq|5HQ#v!6jSbd#Ory=#--=*S1rA%zW^SGQi*`P6Xvx z-jNTLz*DR+KfvKW*s*i`VSa_XSQm!fU*$-!m8^uuYsx)&kyA}sW;XFx1S-SdoxEu4 zPqx4@>w0Gw*{}-7iKE7L_l@w0FSSi;nhyKvOYLSj4RiR#XY#{x(02~SmndcBL-bw$ z!w8Mg{gb1H1EQ5*<9S{xi{1wL8$U!`M2b({^oIYcJ$9@~cgJ=!e)cQtJGpwFoNT6h zQ7tdXE36uIbUpDEpxbDmAx(Ow$&&8zCP$fa3}x%}W**SVh3UdcwDhmCJ-r^dl9!kod7bcn#@IoLXqs zw)nvPFs&5}qyj3cs&|_5^Dm?sHLX31l9Mc;atw zdLHB{&wc8=+`$JNP>DsP6sM117Te6D$cM-yHo}19-IwAvsKfN$GFTB6*H0po5STVbNz6S1RNOKnaPb$0+;m*Rv3~eK z!1&ICpm>2j77Z-4AX=XBxLlx4NDk-sx$lvbxsQVTp{jjkb&M0{o$39sOg3u$=kDo7VNRxD+^6*WHbU4e2s!U*Z6QcK zQD~(@ZsF-+ySSv(-)`#Kp8Ii(@U4bxb%KYF^cxbpD+3gnW)Y$g2UD9}j}vcqW8O*v zyN5izG%bCw;>7)yI6TlXmkjA-%i#oXKu{o1wDSSadIn03QkTic+7L;F#e!!_e8W&W2Y63SO!6g=VOBtY@Qs@is2ZewQp6(>iC>@LKbbj8?RUkk ziJTnYWl+bx(lW!3r0ecHICZh^N;B&P-Q*INlenaCAUtAOyl=P`1(z?ON|hI~>e%B& zv*!I)QSz2!Fiu~8C9$bo8F3YcGl#P+7>Y!?t{k%-)PhDN-z)((ZM4S7fQ|umO-@UqVDu)d=FG{By_cYj452>7kBrM 
zv{xz7#Q21ux*b0DE|RKCmcHqWvSM$KJX)<*x9a#FR*&IB(8>3!amsEccLy}Amz9!_ z{L@}RT0T`=I%zm}qC2;U6?c4`ZwRs6?>W_$HZIl}t`CYrL<2{ah|F#Txy@7xY4jg7Mx-hh{dQk`aObV%CN?7uqQX?JjK=uw3d#< zBO@h2&@jtdvePPIvhc2G6ALy8qvjJrWlfupiBLuGm%Glt73q88B3Rfl$4$ z+8^EPQ+zj#6W4|D$pm!QSnz5xmp0NlH1Qr|H4b?m8 zfvHtj9?L8G-nUaI=1) zsu77>DLz%(I@lHItO6zfz&47Xob$6PYTMm(D{_iBCVJbWy{*@&$;&SBqnOnQ+m3pr zNSFDTPYl4G#qD^)w8#HNVcO>5ehEFGB`LH#yvpTmnRi&*+=Pll+20AQk67(Z%oi|R z{3VM38wc0%a9ktcHKshsuX5)DptVbL7}|}&i}PVXcy3hG}B?VFpZLq;Q||B_9faSYC1C+ zl|WI=loT48o*B89rWsYw8czj=JkMNivRQ2vD_Fk?SRhNY-iAtaf}R_QAr;J61EQa5 z@ZC9#0n0VCcF$6NRyxO2)o*XK`}~K-{>cmg#z-2WTh{;G;9GJ=FmAjV%4^txFAdInCvJ||_bnK- zp2)c=HZ|D{Lp}ZTTZ?A6Y3_c~(xp_s2z44HfM24oVUTaeBP`N^T@uV*;&h^kFF|?Z zx|$5{1y4JM3@!evcWM7T*V!5tQfjqc86&isy&>lm9EfU#yHf)r#{-Ftsw#*)@BYKz zt;qkF(vPm(Fjx7Amo>mZwdibIF)v0Cg{I24J~XH`5}xn}BZIM+4-_}YXDsFWj0M^h;$UViP0d`n8t zg5Sms1Qy*KyRdCWKo=bp8YoDI;&7Hgp`wapME0OJfwIZ;CVM%`V1Tp5C_Cg5CdR+5 ze@IHkgZ&4g`2xVYitd}k(%}T09cJHNvFDrou(=uDZV0-=OSiM?xz!W*#4=;{-A&?0-Xbv^VFYLP4q|WBvT<2r%v-2 zz1Ly}#Kx4ipeog6v}LP9Qnd64xj}JyixRW#p)*2&7)-zu;yUzBKTWir3zxU#GD(J) zRZJmSI2K6)$z5#dtK)bi{tKZu6f+|LKgV*aU^qwI7MOfu;*2P8(0R0yLn-W_pf{sL z2+lxy^=$()mp4T8xF@vL1y2W8SY$~ps8duT)fl(UFu(Zi_ctsj8Tqx+>RG(K2MV2D z{T(H2RS14jUxs()3+8h~v`g=2*p5~ZRZIROJDt)1oWcVI+Xj=&# zxTzty!=1)2{q{`(>XB!?KhTqU<}H@~?90R>Uk@fZIs^R&oMOoSxIztH8~3wenf+9e zxc$!&`WoUH& z;8?a)(ee8EQFuew@??+Wr8Fp@NILVx8TqDMuvS(z1b`+fiKSuNuz?`i-P0g{`-{f@-M~}*B^)@?yG%=ZkPpq0P0&WUi<9++*I;%L z?i_h%hV>7J^N{(=ML1smU{aGV7bR4$Wiis_1T8E3h;Rrgfszj$3ScOXZASl3O0M%D zhg@w7wchc5MbE`qggG!n_1*aHd*LT=G8~8#b)~Kko}HIIz&&@&-me$=g&(x!@&_m@ zsEEuk17O&n8$dY%@KVUjJ6XW&Fsdj)(ecxD7lT`dLU4{N#=51jb> zdYKP=&A307+VktBX$z!7ud1?R>u9lE5UHKD*lsQ$RyM2FJAodTu8ZAn;4j+iQzLF? 
z5qdTUFiZuRkgqWbi!OD_%nb;$IMqkTf}slhJ~Io!pHw<~H0NrXr(=Y(i!f3AFD$sE z?SGc6EH)!of?-^(Q!@66`ap&=-u|eiw&0nqZIeS9);h*eW%Z;uh z;A2iGZ3rS4T#$8yqKI*6k4X3~d+NXAPAFV{=Ov2t>R=o4Fh3sjPpNMulB#=Ei<2oT zroCD!+FftJJrt@txfNPFI12f;pTHq_<3G*~j3(12>KkP6hE>_g^H~2ve(0pLWKVSCLL6b6{gGvL)O}tm2Mq zPB1Xn!b(**PO(qAR}a<0GAQD#;LX((kep9hyj~GFL5>;6Bs;wvR+7*rnk;SqsD~8b zSyK){(5A+4upTpJSf$H<(I&N!>$JTu&9OIw<~?F7X7wU@I@AY%(>7P)3|SwIkFNXg zw-vNvnh*b>pJUunAFCY0Mj3ZScJI}SE~)Xq%6|7Z#;F@_RSr)a^hle@V`+x>;=07a zZT@4*Vq7y!y9cVNZ*W@ z<6q83Qxoj+!sun?O>=p+@CWjHQ4DVeahW!CYwvh;XtVrMf@;KGZKbBdTuhZ4W2wP6 z&P@OC4o3y4o|zg@m~kSS4Q^m2zvH8&h~&{^56jN=feRh_Ae7AJ*%+*!Pu-s+P>;Ip zB~2!XShQ6nXyNhA=ne^r53`?s$5oL&-$~vrD;VLm68mOj;hM6pp8%Lkir9)4m?yd# z;{~k$5Xh_u?EXtq24}4mE@&!6A7!RUSEob|M(;6?L$W+;yUD*Z&0>?Yat3A7rhgom zs=BW9Ab|C}Q%J{pACZu#IkSJLG|1OCwGHqbyh<)qj9~?CZH+lV`?u;`eBYp1hH^~)I+KpC^=9t0e<>~g6sT7uku{17< zf{yPnt+PsgnnT-5gka>yZe3z2)tvP)s!)wP3wGgy*6UJN5}vi)}xB zJbsDok*1Xx;pB*)QCuikrFWZ1PeC`esDP8FV67|k*dm+C(hMt%=3hyxiOsAp_==nk zC)~F<$xF@x-P?YVp&V>(b;K)G_@SVQzI))jfDa=>O}NrZ2)J$~RQzdIiKg`M&n!O2 zOWcshDB#w~@Fm-S8#;>z>ntxNE=G)d33h5nP~GYXX!DIp49wJ()zR^ARvg|e-L^!Q zplNZQzu^+L1hL8OCyW~u(Y_+wI_AyvgmN!#_hM!ziaeN?{D|?K<+}PuV7M2rYZ%^eJaK@;)T$SmtFM* z(J~S4tj`y_9hi=-ygbDiz*wN(sj z#rj}145H$!0Gm5I;!gtA+gV!GEd?@jov#ncwpbi;&&VVn+KTp-W2A@4Wx9n9yPIEK zT~EaiuO&)UJ)cD$m@FO-XldroL?_uU#kbL(JlV2C#k<(H9yRZ8w9yYgNJIvHm{n=p z2ZGUZxw4a4(Os20Z$R;2h#CoEk-EqxV^mEjtrvvIJX+OpLxZb%0@1)hz!E2d+VZjR z{2G=T8Ek^-b^JJwh~m0e>#}o5tsXp^XYkT(lVyOGC7&$YkmR(wg;}#dbJD6J!fQ2JuPQ%mI{B zdpYr?5DZ5h^$+w_5FactGq)vYJr<5@U+nDyC8YRLp1MbceS2TM2=XsXxlpqJEq$1~ zc_VZ4B)wsben_y!$1Ld}NPYe0va=y`w%Yu5LsZqgYI;*9$y1 zq|9&wS%%C7?Tsz49a-$^Z6;^j#uHF>o&b74u@NWK* zq4$*3;p8@P6Q&4r`j)hE(k^&m?s!f47%2z^(FE+vTIE7*Irv}j=y1V7&9w)R(J)Eh z1OGoCdLTDA{i9H|!Xe+Y6KYxK%chKYoJ8V5I590xp2(W6K9i7A+pxVUDi)K%ebXP9 z$j(OBN%z&8Tgkd#VA;G}Elf>y9sBdenaXv#a*f}cyqlIk+7RXL1Q3^PykYc9*|EkQ zpD5Ry3lNZ4{$lJ>ddNG(;_k}4lR@uN-E15f2|J!MirXs+`~p9*O7q0 z6E`sVxg$@3aU`w=2@-&`?BSk(b(x;9p%WbY;iaX&iGEoH)q2Ant?>ILQBn0_3C-n_ 
zqv>4$i3WiCs3<+5?gos6bM9x3!6fG)z#2c?e5)bp&oRi4l{!khm{0}$fsh3+D|UNeAVf6($x(fr5shX(b0&C z-9;g&?~mb!YE^)L>l8nA7F|W{zgX-~^tpJ2ewMM9Q_7j*G-?crEhMF|W8(yZz7db<)!TBft9CvVE1J9ZlpIy0_3NI2Z zhWCX*Fq_{j^_+Xm9AZdD+d+iozM5>-vbJ4iige~oL&?IvJss`V zk+=(NYTUwmzH-JFhm8S~KR6B|%E9}hVt;fM^B6Q_O}Ym_wFHOXJuiZG(Nst{NMMr2cIMFZ z8056RbF{bb^x7F4Ps>Bv&GwHNY3fL4)N+A>gFqa)=YqjT0aj@Z41?nfwP4=_n$$)J zo6K;B&}UI6wiPZ5yrYs8*Lj8mM4Ob#mD*gTh%JOhHoAQHAA&lm6bAporPpwQ5%kJf zEP2@rkq%Ir*DZApv$HCwa4x;bUfFJKs^hd%S?SRFkK#_CnM~$agvICRiyR-c(f=u=wDUEQYa( zMs2yw5C7mfPZAFzuj?27nAXRK_lPdnF4SZ&##48@Bdf~*Ap#n>2)^&PPJl6?U zQKH7}5aYqiCN}sA*s}Ham-z4Iw{(br^61jzj`%%WP*jP;B9unY8THOQOJ)b@;w~X| zU=N?4{6!=(pg2xP1(9yvXqw;4BLn~>^og`z>uhP^YprY>@nZPXM!MuzZ$o(zE*k@1 zeS{I;RT`f9InVc3At+sYHlcYF;S|1I7-|JaiB<4H}*5LRDYmO50l8Vc)vVBsz20@o0sS03bVpFdQjjmI;Pz+h% zlJ`ARMi0c{2$lWoY1f<;*WVQxn>dWK~I0{ik; z^DRjt;5>{L^aYqQ_Mm|wc6`lVCPc9D5ZY;>nGWd{-|m~{qAe$4f3I(NgW4F@;v*+& z*yasUbcdz>aVNSI6HV&TeiX}g4o3(8B2YZ8t&4A*&J27Q&|tc3dW6>8u$IqO6{*WY`{QOWR673GcU zLa{~(0Kk$wBqO?|GEW6rZx&jtUpRZB=lA9-`@5wCssG=aiKO$U7wI@2r)^r5n>`R* zO2$F74S;df$HgwIc7mTUf~Wc2jH>u7b1C#R?W3}w_l$aVrtMjX-A5RnE+vfkJs`D! 
z!<1oSzrsIPT4IYS|7z32 zoEXZ;Id;AbWc3Cfv1!9Q?J@)e&X(@@eOc{#6o?^e_ zViK*cOYrGb(#vyUzyL6W@|$w2@_@S-hy5!5`;uYwE)?y=-C zu!tqaiEpty-{~_U7}wondmKaNXdn1v_`ypKfnm?MxSum`o`rUT} zyhyP?GwPnRE<>PH_qt_1-7Q88tG;nP)8R;Rz`s{_>hEFol>2lGo#CjHA(#=|*I3U|BYY1nbeRHXZ~5_=(RkcLXx$ySfSnsTilz zs*E6VMPKhBQJL!Jy}y;!>M`8{!Ous26+9b`#5`V{2N5vc{lfOFl&WO8Cr9~E__=&| z06)v$%lwnd4ez@$Ok;*6?GP<3MlJcXy8j~*Zx=Elur|9ZsGO$;Yc$$ z4#}0>hY35S1T8B$y^tFh!53Y`qk;HWJY=XuX`VvK%xjrog%OltQpDv?-HoY>-jF^M zK}!qO>Hx=VEnWYg2gyNrc>!s)p{!Z*1((t}^tIlc!pR?soosYmg28CT&LrfpNJW!= zO0=8%j!~{0(=OHF?g&i)$>8@2mF5BrBB#y?4o8OA-Yb!&n3$>Of-P6V2Sn)nN)!0if%eWXd4CN&48*g1o33he3{!2r99b7E;7%I;c< zih;5TO;1~-710Wh(K3AUL`PPJGZ&C>1i9~K1+!_Wa_|UTVj%tK9LJwbpQgRh;EY}z z%j2z2?P;5)6xD#3Aa=*!nANWe@(K%Oh=w)xp@?e|;iP{`C%}D%Am^y{o|6FLW z8VD(YuBSx%-E>(|O5g^`Nc@$yoh8Q#ip{3Zbb&iV{qT{zk2^%zd(je3C_#QzvsN$acSz)sEXv%L-J70EVSKaz}aKGVm*Cv3!feH=Tg&&Tr%ziV|}Qh?ev+u@?cLGy|j zUS_ac{C!<2qKF2%>Cx(vk%b_K8hY?8^GNjIzSmT19-cvin!{SLaX$MCeX!_RXI za?zj?3gfYre7j^OYzW_VbwZHgxkhE4tk>nUT`5J|R<-d2qb~A08}`{|iX*+aM%Cg4 z?G)nMDn63Ja9Ao*++wQEN4aa!P$EQE0njCW&`<5Sf4wJBTJ_fum%j%OB{`EUuMFl) zY362T__?$Bn%R=1E_fo%pLutomOI;!sOwH7D;tiRy8w~0cvzsId^`wKkmbK0{+}MiCgU?JTU?q#suW&~DEj9XcbC(T_O%Vt)(c}Bv>p$URwts5 z3b7?jx2uy{RNGbv5i7lNY(weq&B6y)&NVbjm~$n2fd?xnf4z9-YJ_)JvRq+CCD?JW ze;w95kIZz1Dq*s^rp~fnn+@u7)lX@qSnXrBA)Kgq;)X;|@&i%!V}d_AA@;`8JqMEI zj|jS4d!S+-7b_1Xw{)MxcBdc(%^zb{y@N~7|1)H-Z0TTeDjL!Z2!gyH$zfrfcNyg& z&wW__T!QUz+}_)jA0DH?-{EAdiZamR0HWfW=jjWU@JpehKe{Gdn*PxhqZGiv*l+_5 z@COh-{WP-U9WafA<8kqBe0(0EjEp}lU!~wosEkcDfUW$b5eum)(Xu_fb!W0Siance zPhqbWd9m1;#vtd2qd!^z|3BNou*@E9D`A+*OIO}>4CpLTmfD9Jf=vot?Iv;c7;y)+ zQAOp2bsaSX0O-xR|Me&<7qyZ?e|H-gJcEW*6k^9xecj}eZKcB!p`jrmw5LJfWmTXr1ct}aAx(1 zk?#zRT-^MO$AQggmi1ps8Th2AGd3-(4E z?*4a5N5*D;q z_MZFjSYew^71|+O+XSL$Nkq4jvo~VDJ>9bORi;BBz*jD~*QVsWsGT>XR~#|!IvfJ(!Sz@;=03(zasw*La5;VFX`ZAT zS?r=FJ_UhTPp7jS=P&o&cVP>~b@L5`CCukTNSTYL=4ga`F-5RTxI&46G7!oS-&X64 zT>5E5TcCQ~E0slH=2Cqoy2s0fT}L?(awNk;h^8Q;b)NA4_G+6a*T+4C7@v$~N{IKQ 
z6aDG)3)!K{%!=4aTgKiZYZ9i!aJx2Ylce+zqT*`h@~#iBwD(e4yJ@i8TO3A|=18~t zvTgjVXb(f+s$V6I>3g-4C~TU}oz=>+TA<@h+HFOQP{ zw4&|$h0D#VNi|(E=6xo`6X1AY-TILYj5`Q(o=u0;6ksVTn%oe|S94;)c-W6~vRlIo zLvEr(%1^eo&wl}cNH#G+B1%FU%}LnrM+6)|jik7>jj(+QU3 z{#uZ&6u7Y0SwP7vHn&#s6lKGuA3+sQUzAFC%Ip+Z@VBd~84jv)1h4v4*dQmX1a<>V z@yE5gtuhdecbR%6F(x|Q&gbcT;m=XFMN5f!+8%K_{SoE}TI+%7?}J$ZKn8m^S{ z@!Oym#3q25yIBfL=)cWi8cN*5_5Lm3425{_&z@JKxaKF%94|}M!AFJ%BsUP+h6me- zADS*|h*MA5EXButA}vBSEj(cmJ6{0q4$s38L;B?sRL@d9kte*iGv7;Gbj$>VZha9F zgoAIlwV-ZXbXeHBU%o~Il#O68>@#+^=Yv# zFmntYis5f$TI;67;*#ox$RWcWdIR|brF)3c}% z-upFZ0G#x*yL9lUda6yB7ktFv(00oDA!Ac#B%qBR3S?IK2x}ob(f}GqFkll#H^t?U zgLI<7Wq+;+3nz(ojlf=mCYMY=y6u+&JH-_Rbi;)MbrZ3Ry}qbw0mTATzaPiPbaz0K z$fo}uSU&d1Zpb8&bTz_Adc*NFzz6~%{?$(@6bT`1@m&XJg~!lKuhzh<+I*YCI6ydS zq}a-8-4@KQKw{6|n94^8jN0~9B&uG;0;LHnPu&5QPFdSaGG%xdb5{05sgR54mkl>t zGnl>yx=P?kan(MskHma?$M{(qgqFfNMX`Cc8fKRVb|8icl#v3{O>dC83la0K{RO^` z;TiU*IBKEwl4$%tF2{s){VFfWhLkQnfHik7t@xS}a@ogv5~_r>LTGcMj&K9JWd0jw zk`6e?8aB(7D(Xyeyu8A3_|0qK8RLNSWIxcHA$FLI2Q>$6I+7S$BIidR^RT%6Oj{hm zbgU0h4VMlrZSW{gpy|lM%{&~3e8U`V#_z&MRSn2$zCznxm52R*32ks!#n})rN#rcj z`TSZz?Luvt5;WICASWqnvN8593nOFr6-oj(X6CGGABI|E*UNAfS=nBdzaggxslv6J zK@O@MgX~Bje!tG0IY;eRa#i%nW&3@)n`?T)Iem~ZmvJ*C@AD-SG<5^8@bIfTFVMgV zcK6sx6EYj$gNT4z9&R)*+mKf$ALmaMSm zu4|Y-E3z30ZcsfeX49$LH>db5_6VLP=A={!D*3&{H?xPQ@dtel=Ve0Le4`D)z#+<@T(C+;_C)(aM5j40UB=P- zmab?LT$Rwi3Cb%Z-kM_V?(r4_sfe3)8I!&+uKyjO#cH3ypugwlFl4z3_lVq{<+lfb zB#S^$LIu&JGH08v?QPWH(W|;TscCBiT7!0pVl>*zva2g`r{vuuB?xO|lvJ`b#+%pS zN!;c^4Z+kB7x!bi<@`bz=TpeOH6f83Jntl$Wv?H)G1y=jxBwF)_vj)N$GEJ{xq!n$ zJ>zW4u%7R3I{jvYhR!}ZrJj?4>}}KSyGM-ua%{8W_Mkb{=Y$OmgzO4@lv2EDPfCeD zAfPAo9p7yPN7#2ye)pafa%rX|ib?!-GlkMM0m+Q7&7U~Kfuz@y$7bar_%|rRD=q{e z`n6W486pDCbeP!4=TudO@ceOuOH0M>%QJqrpj+ted+9XZ01m9)@@-baM2Qj@E20az zr3*Hw)m8sr^th?Y%}6F39Y_(Oz>+nQ?6Mq;XJLq?MT%oG6N`Wug) z&tT>9;p(^xDzs@9PvBZ(9xjn=kJ{^jz96D-Emst4j;9(8gAAD8*9T zpPsrJ5laZK30z?7s>UNC6Ua;S_i4m|a8GFKWYZJgqb^6Bw(!JB?AZKTg@0+=cC++pNTGUlDl${mW2@|N&D 
zc(%ml2XG}%=Ep+VUY9%N&-;LKG&vCbb2swp6Co}+#p)g=AZ~#G+ghmRdQWh9r#@{& z0rx0c2Hj&Z>XA@02M8cDy6(KEwOzjQ?^2dxyYa>_QOSEc*#qI0Hmoa}lunms@S8A` zfiL-s(80HFSnb7fU?6azzm`puN#*;h`K`_K{ z1sn6xxr7B?W38A!jp|OQ^pYtA1S<$s^@UKT9?PMO?#O3`EW;2XtsjJWBWQviix7=X z$zJYG(6akS1CI;Xt32ek3(F%Nj<5mpmLup}(zs|Lq3L5boi$F(+#u>n>jn#Mrh?M*dpNY)*4+n0s}qImzsf#B1ZY zIJ3~u5PD^G5xjUq7^1CK_doxuA+rOQK;-gb2xN2GMRWvE4pOwaZ|u&bnlZRC!~3!| z<9*S@9Qme7y1P}#ca*^@H><4auFE=sDodEpCpHnfQG}4`qjNt#6mB*ws){&(R;oh* zj$TwPj2fG@$PKALu8F#qLHO`u8dmFd-rf5{+grwhl%96SxEm)NtI6f=bg`U0$VgaHDCGVBsL;*IVA1)thX0C9*x0 z1efecaJs&g-g}4Fk1LS5;UCZ?(3{b0H`*hikZTqB) zgygKBdyxkG0)#&*TX+`2J)>-{3mSkeIPr%l%Z)rKV*L^?qtCqT+~>vN7D*EWw{lLl z;t|)@Zh6PCHL5x-LLC~9L%krJxO#^SpI9pv=I}WXhy1Ygm85CM9oUA{O z``XwkH4KhN#>hch{Z!RBleYuim4hBRK5AxSmt7Gp7Kt`*x4r&$5AYEJR$T{C4UkBu zV~sjpEUL<^i+CBDB{RB14JZ;Ojm1v zGpI}#ZwQ#UnA}J#?_pzp63Y#_%`M?X<7PG@Anm)p!gNU7x)QwjL1LE%Gq}f(By{H1 zWyV*N;co3b9*F^xCRd|p*r@0jHq^Z8IW&`fcsc{C8*b#S<%=?BPp$b``Wp?M#eWAo zq!R`OCKpxdI=yPBYJ}lNORD6feeOy2)yZ%J2os;R^ygRNs0y)8@FMr5h=uPDz+24pH2kbRALXTkO586 zBk>gLvoJ7SClDEdd*Y~~NR4DsTf5FQAA1OQ;Y5vT+gYJ$`&C%Bb%Pn?Hd-gGvps%~ zUFkT~nO_$aG}B*aTpQsm?QEvU1Plj}BH_&6$$&>8V1O4QLp=eoAK{Av0#5C#gM&U=D%=lX)JGOJ0*;$=JP?)g z=>&^-O*^L9*_#h&R_8&QY^L8`)R=)j=#^29$3XDSOdvw8R=-%y89Ij{!?~xy2AfL& z5(0hR(B(ir3=c-rIpLPKJd^;DR{6ngssuBO_OGT1fytCyx$$;Q$XpHC(8s3_Kop~g za~pvFZWr^hUwgk)9};IrM8n3u+ie{Vm})1K`{c2?LAAeVc32Vnvb^O9jXgBhgUFUXzMa&Ty#yb=~)3=<*r|jCu|^cqj*Zkit(e4^wtEooht}D3 z5X+2Ildkg}g=VO71^aO*7+KR%u9N;vmP87g?}CCChUd|P&RK2TR1cIkY_cZ0{Jv_E zj{Oe*&T;$W^r_dd0GJ64Zdsm$Tv+IUsQsoqfz5Jw_&k_`R3LOg+AEp~A}A%%kVPME zW0IO+7-UtvTO+i*Ky<))V_Nd=3;+NRs{;3Q;WkxdG*4eO?lqh-U*|{}saZGx04#7% z&-j7KK$3xlY~%X1yMu@QH;aA~H_o`PlBCXa0;K#j{o!s+tR(2h5r6;y0qD)cDQu1g z7l6=WH8Tyr7=BLKCky}p0000F)ITe5000000p&U+aq(UN72y|!AneoA2JuE!2>oN$ z4p~e#j*!hIvh}Ituv+Oa?v6kTL!Cz#^C+NyIRMNS##aYg(EtFPW*YWg%Ua=oL(Xw- zF}NVcefnB>vyvDK4z5r@z;eE3F(;n zc=EOQfaduBu-=ag+??<%*C=mjJl`cXBUoT1q;XTi;qR51|rG>e*%c@jT9@P z;5coqItPp?)0{;58XK&o&>S2%lTLKHLf!i2OTfuSDhp7Ll#xN=I)J}DZ9M>fsQ()t 
zV0A}+i(BG;U$25(YDZR4VpC^-S_1hGC;`8ZtZXIC-IF(Uyl#KvBKsD z`VZPC0000kq^qq)xtZ4Pzn4I@E3Xwxsu|iMgicM^D5;n(ZME~MKJ=f6T`AG${L%-1 z>*UEw_iV>tTxcqR{+^cPErT)t|G&VGn+V&^M{cVtSY&(-vXgHdaT0~2T}y-mw%K?VgOAa^j$M0raV+mJND|sh4 z@R5~u0dPt2>j>igpjt~eK8X0+mVxo=$1Gqj(64b~mJvjK+nS!h&Ol9lt?~ytRv&oV zJMM0*noSRxdGKRhkK`q~7$0h$P`6g2LpLGKp^H5^Fim_G_yqAQ`w13M!98N)Fl4Ia zjAV2>wYdEJl@0cdMICR1;mDYcxxvkx(B9v`Wzy9jv*wIfP!c?(z zUG~!Yts_f1nVN7mQu2z&{3tBp`|=>bhg-1P-*VCGORA|a8O5zA9BSH07eo*tPyjf}N2J2Eq}p)>7p4 z_K*M=DP`Y$<5N$wLB{%MHLrDVw$;NMvJ-RpiAn%7ie&b(9&i*bW1n*T zJ6y4jag{1C2eO|A2r=3Daj`f!F@~LHtmDR18wmdJv%8=H!apmB_n`zT6!9tW)M|}td|pbk4~%{~&e_q~19%_Z*%b(8W+{_tLC z8-H1-dlYcdShHfA&Y48(NofN)GiCuQp#W$gjV5SY;))GCI@i@4)8M5%qH`|T10=z! z;HyBMU_VV`5EYNBH3Z-5M0xM8bpVx77BFR~gWBG4~nzJuzVw(5%%A za_114uWNfO(8EmjD!4k7vHe&o_!pyC*_k7tDK1u?rR+3WpSX7CfFJw$pn&_%(WCHU zf5zy+A|nl+YUzszHx{Qq(+={n%!y-!gb0r2*hCd^4HZag^|>LITelb>+GVVCP^7`7 z@z{8F+_X$B@*5w(Y-E{`fY@uwdwL43Jpsv`{nbQu?QBySH~FRtz#zqP(Z98^%(YVe z0LZ@?hMNy0m`vi(?6JS3VD4e`aKs`sIQR}YV-r!bcLp>d000C;l$hd-5v<=}yMzeK z#W0{q3!Lry3J+tENLat+qooivSH9)W&B#6xRQUV&qR zsG26~!ok+YdW~i0L-0~00*;I+E=f)@hg8zPx1Vu?ZEi${H|( zj5|0lmLQ+^BMC1L`J+Ih#7m+e>T>;=Lm<8`n>1J+iu?HKk&RoJiHfv6l&xG*45 zswYtul*n1&U@EFrF(6x=lf~SC6YWOuHB$6Z%k!l)aMdir-SmuK_lEHTJ9JX9{@sKl zlvT?Tt5teIlQm39-0L1ORveoMx*dQ;u)mt6Ps8;iq6<4p_6yS7Bn8zyC?<(}O$2|t z&_)YQ;*IBuSoI?p!*#0@dgXSa{B%8WD#GvH`?m^E7{N$UiQ&{z=uYF8(8Klr!lcQG z25rV#B5Nohxi`5&AzLZn$DZ^C$fixnv;^i2H?lbnWh_8|AQ*fc1-(xXx&4gntBI~} zE&<)GtiJYY_7^{s5ao{Dn_F=q07)gSM}kL6w96kn(Jo$wg>&7qY{v!SG$7&nO$7wdF*xUsx;@r~$m5an)rxrj) z+B+k0-aQ-e`8%&N&pDIT$p(vCM_2^IZu`+@9n2Y4V|%qM?ZXSK6}%H>n4j0C^8Hrg zh|wB}o=96x2q*yxI5J@#5REl$l6l5~yb=cES+#&W@0%Aj~xo1ns3*#m6n zvc!h$+hR!#5xA-7a>PM?LLPPqx;xF3!JGVN^1vrIlAPe@@;>b+>j`X}8ijgn&K;Ed zMhRZWK_K@5g5{eCUI;3U%v`2B4-PgrkYF_yvGd(PH^RDlQVC~(#>J#59_l5E|Dd9n z9A?yozwLH*A zSHVs;lfw+3XFL%lx^3H9pNz{e2)<6=bs{qDT45yPKUnf1`stgn@l*O3K8ra<^4|h_ z>mxL8qj7BeVS3$gA5w#X4UfNj5J=-bcTTc$p^xcsssQSLjR{nH>2C-E!AC`o3RMk+`tLmeZ`>!k!T4)Y|9-hwcixPb 
z2>iaU5Mo?U`>4^uu|-T77p(dN5|mqi2lubZ&cN}{3S`7{J2WK%LDqJ}UM5khQC@$;Gm zPKIxTUqeCkHkCQA`IzPWSK-XVu2%;Lhg1ny!rey z|IY^#Uv{*W&x{nNaGVq^EkWLqU&qEk`Fq7U_wyCb8F3D$pU*-R85>Un+cI`d$=*i>>Ss+pk{9 z(h-;rSSisJWLa4O?u)DD&j4z5w4wtjN&6S0z3Aj3l8k|wEKGoEt`}Hw^z2!6(>p=G zN7zL{Uqd0Msq?O^GK58-m{qn}yq6bXf@mx}n?#3D4Lvua;v~HRbwYpuDWs&w6km%L zsk8ULV+YgObDJL_*ApP8CJ^BBcWCd&!s~X7_XZkliQ^0SAE@{uJQl7HwDT5H zEw+RNqX>d7c#ceg#ylt-cEG+P3k(#a=T}=T2c6Ptc_RWYT5YthA%Fx;62u_GfKjgu zXNpk*17-C9000Xg4>o*SsZ9lah?^6lA$F%UcXS|Ok1%*s(saIyaIjwX_$n|Ua_IXw zx!+vZwmjrD_aHqON{o+H!T10G4SZ-)f~}wc05m!M@r}1|C>Q_$0000gOX7rqT0{Prq8)i`+sEs=u`y`J zya3$x7#$d>$6*%cLA~Is4=XAUhj!AgumA&78WfITzyNArDLdE!25w;aIzoDt4E0K$ zt_oUj#S6yV(4K9fBxo7-TaO*ROsQo6p691~` zzpkB&&ESmiYZ7g`RB*s})3UqnF1Lhg(c)Mc52l15GVRh}!#yD?hr9VD;UT)nJ;Zb; zsc;obx>|Y_m<8-HXrtJ!=Qa>KwmW*WHsEW)LaLLjdI7+Qwl?gfGN%bXc$x9Jqqv}7 zuVd#KeszANGKZ(%fLGE)@#)H#AQT-@USt#*tLg&B(=tEI$ji6-naVQ9L;IHg2;9Yn z-FD`_!6ReG3Tfa~r#sn_1@zRrM=I}kW*m6Szm)r3&((LeI@eH~>LC{{PR(jyJp;Lb zQ>PnS+OjgZIf+Tgi>G>f`!p6Uq1TURNWzJZz%8{!L0H$(S7g7wy9*#rH zUY_`Al8F{-Mp*lf!&RqB*3d~}nC-`u;L^``V4+sgb;B7_>dr0sXwyP_%k?2CWIXH>Z^OGU zE~j&Pu;{BV*c(zi#!}z$q*2dS5>ZBDsOSQ*7Dsc>sRk?0<{I&}2XMHwIfaRxQ6SG` z&}f{E0&EQ6X&t)%)}i}OS>qfF(@E*inOjqd>t;l@&1kK3wLm@&4eT{|2#qK+)$6sF@pkGa1Cp%iGc25sjwSa9@ECsK>k z{~bVndl%aIj{kS5*G+Y(I?z$pyXKftTFKlS^fVO!8s?^m^8&>x$!-+!M|TBrvA0q= z9InPy(81R%S>J#FKC!KNcMMUU?wS6rm?W|#p8l&OyN41<|8nAjIX6G!*G8FfDqGT= z%|A88@OAqD8fr}|PQ-wrV_?fk^z7l))h|9jXke&bCOX|U}j*Yk*x+5Bysv~*!(qI0(fI`K@G3YPM~A9h^+Nr+#v z-7K{mzI6Za?&JcxEbL1k{Otfv)D1!JGlMUARM;t|qL1Q2amD*>4m#AAA%pOdUDYc; zbOrDKg?Ql+u{N~h$(ojX#z{di#@@5MSf9r>L4-qhN?fwE%z~ZyUczv{E%#G#v$sj? 
zmgc@EaDZT##@V*x;GX`4 z1bKu3O9`|CD!kA5t7gs@d3uyDOMZflZw~v1UG5^yMpy~HPV1rY0E__D|MuxtOyKUI zgJTcyX}2ndD+`NLZ%yhq>qc)5E6c*k?k&tHH$s!HqrXBMxm-4$KW+t5H44zSqy^3* z>cBp*a?~@dVjzgrn;aYgWFczfYbOnHSZ|Thha9gWB22?Hxc3?*B-t0|pdDk!FjW4z z?1-F-Kw}er*b`re^AzHipgN{ZAg;+-CFj_?*Fe?JMhB9tr73f0HL}%R zpLz^;Eo@Or&CH0izKSgVt-*FNxA=lnS^o7XZ~wvYx_?!$l9hFxgRJ+%ewO+!IqizB zK@KH|MM+WUHkX)`0M@n{+pXtc%f$H(npRlsCsyNYx+SFP+uuuCU~hl`k4o;(Xxa9V zsmWO}F1{JFd%H%A;GK(VIIl!4W4v5tcf~Z6=k}Xw0Q^gPW-EnDjSm`|i=g6*vai&o ziA5D6)jUYD>Dl{DU6Qwah_Hl%VELt#KM#0h_VlwuiKz7*@%$Y-)tmEO)4vAmP+}Iute)l?m^L!mY4QP0t z^&efSKczoS>Eo2(B>p~GX;4aCgRir ztoX8|=oEyrmT3=&9_=f<>FCLIs)-nXT(MKEb^aQPMpwqL{iin9(ULwV(W{zpTNW9jLP5H`hd0Uj93Q~BQCA^5ae5sThq;UUZj5w-?@}y3Yp1uY8 z;*gT0BN9LR3@qZ6UF?pdB`@q6@uyEh@9K3NsI>CCQO)_%8Md&NJ!+lOTsbdm+29(pN_KNUl5vvbNHvT3A8l~#IZ{Q! zbI^lQ3o%Qdz=k1rcrn@O7WqJ(7wyXX_t5}zItGn9@ti4xRQ7b5eLe#F*gfWz&kcKf zY8_S$oRRpB<0-Mw8a&x)*Yke12XH}T6iwO)}uPxD(B%swUj-oPO&A%l zr~5@Ta;nqIC?`9udKy~5ZTY40nlcLySW&CAm_Y+vnQd%RqytEp{=HXtd{U*&!fcM} z8UQVZqrfOQ$8^^}sevP?j-m12W9;6COdG!OMN06>jV%FyS= zfN2a+QR77X)6UeqPnF62Ow9{q!IY&Ro(@Uiq(;X~-a$)PC0Un{L2&lI-zRvViTfW9 zXt5UqcWd|zr#d=BTK#lS$%(8OTeZ7c;D&af5=F=Fl2rux%R+&TW0-ruT`3h)Am2=B z=R}Qp5v*J@V1TsIJJ(o%v14x!%FfSa4l2OK7;-W`M-5=1=WaixF_ugcK^C0}Z5xW9 z594Q08{?U6000000YN0;wn@VP00000001K-tF05QzyJUM00+i3uS21V02R6o6`uF@ z+n$$A_pF_gAHL6vLrLX+U;)w9kH#NVOT}bLV|iCOu?_v(Kmy81!(Pj907mM=?-T$4 zWlJys07OYwT8(r+bc#ngs>aLW)-DxHHiw<#scy1CBIFzPhvGL_OLQpokjSb;V9j*8 z6&2a1Ay}XV*Z)GmG_Rlj`7%e&g7jQv5ZF0^h-uJ>Fox+R|)+w-{yNc(%eqNSxW zkncZ4`8%i)G}i>#OW9=z>qeRe!f7O4jJ%kTi5jN(`X`uI!B$qr+hkQVN7JY?AhcTM z`YC;m_g|9)XyxouryPjv)E5KlMt#$M3x*z$_|m7Bkh#uAY^qtiERQ~clqAPuy{<>p zYuNJcYuF)>M7S|Z`3Dby+%2Ax4oO$Z&q7Hx`@;Z7g zx-Lg~ekdh1`}V!8)Hy`1AWK`~CgHDw^tVA*k&?go;IF23?n=e6+96E~%wg<7u zA-h&=vJg7Y`Kbem=_As#oWL%}*Pn`;*$mXjby9BMi#4Wr z7brl~?<|vYAgg(EGD@=+6B&#{pi)()VmE_@GBxz~AS3SC^ce)CCx@FTN&h^ohTbw3 zMe!6v!0FffF!mH|Tkdx^MYYMjdzH#7lEq3=60l{8b8d39iB>+yS%F~y5dvS;I?h-) z9Fkqh`-}`t^f9rTR%mEJKaMh`XjpQG=6MS{S#t4Ht%yj`1TV1@auH}P5#v)4{(oK= 
zDJ^*&WWsGLK1g{wf>c}h(d0X@?B;s;v7N0@o2^RwgHj%V11(Aa%4WYYHu`*Rma&lz zC3h%U`P|Kxk^x-~B6V{_rVy}MwxPR^qd?WEvJ7Dkp;`UNPHKd2u&9WN>vc?rcbKfdiPAX>L&|J;rCBmK#Br? zvp=4)GPcHY_hPm0iGkhd8C6E~SXvhXp1^eC7E=uDm^@o^1#8KJ6i+GJFI_aTL9t@rf{>2z@@48mW;eSpS&Exxdbs@?}z{Z15+B; zmvFed7Lvd^qeVrn1P_(C`EOWdYqTXM>q$VT@y^Ln*F2b0bMZr)0iWYzL_dv_W!e+E2}ux56pJH)95und14 z_MeZ55Y-$i2Id6J0pWvtp{~E;)c9$RbWdOleQbxhw;y&~iWFHNc98#!&wKICZF9R& zsxy4(ov+!|hrqNR7DnIgkXP9;s>*I0!Vg49198$#EY~zR1FBZxY~m?nJgWE9#ofl9 z3v8Wpd)q~YC$VHcG3(mny652mw8JH{I=!UglX;fH3l(G8lUm~}1MUV+xqbP7CDcu| zut%A&hmst#4K@L|E_^GH5t9@R3ChlL-&^r9W{>UsnN{J`$Z&s>i7Dj*5gC)^T0FuI z(v#=5xt`{~uC35ou_xwJeF$l}@e+s2E~tQ~d}nVQn_oh#xGf&THoxBwS5Uex>4tf* zt!6Xwbv)#8Uatt;%lkMNgHzD?ny6@th`t9+d)TFe+m38A%f@6M7b_(c6gF$Z2OD1* z!``0vZ1p$RoEEa;IDsyve`p-%306s^vDgME2T~sL)QB&;%i+LV-W8YfULW|Dmbkpr z?$wS4kb2aSB_Q4Lcvm1ImN6bEH%sUr@Ftv;l-r$WlXp)qp5_)|q~!mJlpEUZGDOuD zaV6Er2d@A&eo_C9!+6c(sY@ZmfF^!}Yb&hH!BaA+3Ubu;TC<1tAhAyiiPC)Ahw&Cb z9Om(aT~&agpX|Lz!+3%3%miOOI+`6|kuNkT#UUN-8Uw+sLw|&*58jQAoe$@3ZWj%A zS?A}$0*zbubvC`RJ@|bj1T>W=IPy||%5DcQN6gxDIM5Z7fPF1AaN3DoIK*br!YXkGZ%gdiiWI>XdZ+U!2pAPcc6Rdd`e|iX z5w&nSsb|7=!Nt%$A-yfxQ7Z%xiFA3t3%2y}76T2=7`&awPdJU;!e)kuy%pS{2IT8H zrXE2oQ>?! 
zy_z?(M)qjl%^TUHdo*ugH@ycJcEpwrR4*6;9C9z*0e}o_ZM%U$zyJUM0000C3~OG8 zLlgivbHv$L|5WyZQqg(+IRDf-D8Cj-8&!)4*XlL^&17#j;wqH2m7i%vl91k=c~AfZ zoRfyVmlY=5adSzSRmwG{2w<*ufPtV1YGsr|@T<-sR-5={b#FqQ|AFxg2M zJOBkS!&^--c$;(TTsvfA`NJ%@$^z#E?G)lqh({!3ft!EMQkNzU#b22A%Vjq zI&@q|ysc)LQ9B*OrW8Ax7|vJPVxECPpTf~2+kH6Jnk1D0O%8Yr(zAdr1W^DmF}ChX z-cTMHZrD+0PviIVS(LqG)(+NFpBZ9jMLn4Yj1%9ubkEY^^34^-IEcWLv$rm};(+;T z-n-7Hj_6C1%m*>q;jimE>=fH#Gj!wkcqg^DqLcK|flByl>LlDwSMc*rCcQ>pbBV5& zTVUpy=NVqK0g@CPkP}NUPhGqQ+*88W@g|jc3)pPeSydlQ5kaw%5+l)72GhV}v+s<( zku1@qYEse%^mBhCoPMdWy^~Z4A&S0t<+qhC98SLOeB5MgizJM-0R!meRhGW5gE2ELJ>BP-g1;vM_+4USh$r zTTefOn>RcTJiTmu_-9jn37B0Br}Zs&Eb(wpCf>nEiV5IjKn4~V&K#G0;kafDp4G^E zf$2pi^vaW%z6XCkg@?X|X|l#YXip35!uH;O?>R1Qsd;1gp!TA#glw|#6Pl@y2?Vw%DqwLK*pRVM0R*44!~Hu-IHadDl5AQ zarrVDjrET#`Q8@gHe;95tF7cQhD`!BdW+}uMWJl?ZdMV=7WT9mc-tDD;avZqExuiXEBgq5NFkq=wv`bn<`RZBUTQK4kh z{?ae26h^h7QZc0+{pE-C_zs@6&g6l8posfz)n1z1F@`-oD%rrR!USpJ2hlF= zPz!c7tw*}~{_4sqfgg&qZ@i6grLz=Uocoa?yveS@3jWT1DiGlru?R*v2!8-Ss02SQ z32AYvO24kw!g!~=;CP|ik9)iElaF|U{&14=WhWnhcn2{M=5ko>>RAl%D5*@XEC27y zYrAj^c@R+tQ@uXPj3%YulXV*a8K@ZUkB-jsGEUiU{$`LuEf9Zj(!$5ca{_L(XbV_Q zA};PQ6(9hs$sVrsf-G30?SYb0!+l_G2 zVR^eUWa6CKe9Y32i5zOUnjoAmwV&haNlwK<5CyZ>KRi?-&SDPY9WB8=?kxwdw{}UatKbJ;AQWX5eqFF~UdZi2*?_ zXBELuyKg>57Y@4>hDUzHsjUNw*x+->%8+`B)4+I0y8Xjoi|3RE&KXgaRBz)Y>*tk+ z_^VHwLi%wo#*k^6w4(M{mX&>Kn2?TMNALEsEgrUC=T%*~X)BzqhWw=RHQW ztE8KpMVgV}-F|NUe%7RJ3-@`1Hsvn#-V#aO@(^simdvapp@d@@7%@dK7%-$f0f>C+ z{dI~V!mwGKbi0*=NHZD)I`yhxitfoi!X4QU(_H3?Mr^A!uKXDNhYTqQP#`%aFM#x8 zB*vlHM`?XP@nG-=5mRO|xm#5}H6vL#D5TVm2sNe27NHdY;CePES_YjxCm>e8cP17c z8dl#fU)GJbCx^T)hI)(Yf=)!V62$aTUGVo#RK_|=fuu0`*%8VA{MA)!u#&AVf-u}m zkKmvTuOGKuXE@E|EV6Hv^I~!PMzqRMz3Xk1Ji>QpC(@Qud*;#(FspocffTxSlZrs8 zaTHp%|8^~0!}?l2UmA%tY(yu@?&J*+VX;&Q>LR~gIavn&?7LaOh9{j%nGQ60?H>&Z zTRmBxz0FfuxH9l{Ej}ET?Qm!-`(1_sCLv`nIG6cj>n=)r-1@p}l6!f+aYq0Ol8iVT zC(tH#!h14v?o!uSL>H=RwK#BFAXq|EK1ABJLTt2s4d>ZhKWa$(7NANYJ}3AwN-v~R z+t~9#WLj-o#LcVOY9YY?9%A_|nJC8iKBD7@8C`$oCjvu%+)j!gMZrId`S9ECdu|HH 
z*%?R{!{$5rUWXVMUYGSqrYWnuss?c5^s{uv>|n-EUtpYdZg!}YP91IEp$nW%E-J`e zsJdqb>{nAO2ecstSPVluvA|2Hf(VEi;b}r2yRJU5PcY6-h}_DTl%r~A`LC0^=bs~< zKNJ}xiQ8TKlCaDecu`94F+YzRVm%Ls;B|Fzh)XOs5WjW`dW7$yXwK-jR&qfUO|W+? z&q1VO@M9w$9e2uVA8IYXj|@5SJM|&UK+s#lc38&a;*{#oERYW!qYwjTj66U4cPUU@ zm-r}61~qchj~gl8Xu^4NMqe3KWr99noff@-6U)9KmtSl{l39vOL20&Xt}ndWjY0%F z4GK{kH(!_co=n`?;sJ{}Fr|i-A70`LjplH&n{rBlyvnPDuCBKrH_`Z8O{P%^+bb>5-}($G}rq;ia@6%MGjp zESmmQfr7;>t;V?KbI4&t(3@v#KknIXqvtMqp6|14j;PD(JKS0FJ z2A!<3p9i+B-UBXWHz0HXh;Ygaq5l)9nUj!md#U1-WnB{ zfMfEsz*w0nu=^8OAI_MRyIFknK&pS(ru4xt8i$DIQC=$@9PXtAefKe6AiCHn&SLw;u8T{I#3*_tqebj#2Ib1etD3Eu3whl?nB1^8;Ejan6* z;YUi$P9Uj|a{V(NbHwBGj+m3sU;SM#9*YTyq=ya4D+9QFCul4v;byAUwtpHyU4 z;tY$YA^l6n(hi2fGv`7>_`a(-u8*6S0&|9e@o{rz*MR3uT~%2NTg>nln^8#~ty2*O zZQx;zacEx54!L_~q>xZB@wABC`KuhDAdfz@4ik@hrX^(%T^6v^|fou(AsppWY zm&5l5qWmSc5NdBVN;|y~rgPc}X$+`{+J)UExwWs$Hc-zBGEhzruYRoMy}iR5?NrXM zi?5GOxY_T;VFNy!(i)$xAe{DEedy`4qlV(-lim7)!3mQ1YfQ7w2eP-ZeSe~Zj592T z11m8pz8DMOYcMVhYmDFKwNXx2mv@Y}e~vHLVjBK+ak7|D zg47+J?A@|q^9x!L1ItTA?^GJzviHij=#L9L#?{M-qdBiDlJtkXXQ-;S}e6pN~h|5ysdr~v)ggHpD5 z$_5)u0U-vbeJFAlhF}zLKvvm)0_5D2@#p0bxcjw_44LTwVQ#RLJD`$)CgGKy=J#DR z&{0}sTBafbFaE76j~@a#{@XVfa&Rj?wvr^eeInV(ts#b6G7Oq=$9zATR%D+~ZuB69 z=tr72i}5z&z~g`z**T+>zuvnV%PLaEK^E|!@N?8xCf*Una$=8Cb#k(i;!ruF?zLqM z+eRu%y&GE^yNXDeS?_ScQefgi7pD&nJLGu(mIo_d6dw0Sf{Kv}HFt&HY0FRzN2qqD z^0{8|0!D6n=Esozj4Pa4-lGoI7T}Q+Z?Ykutu{)+YX^yqF1U zvtab<*I0Z;bh@xP0#gAGCm%y$96FhRS)P1e)!^yu&){BuO((o=tHI`|2x)alQ=)eM z!a?49bY53r@EQI{vo?s7%00%M#Ri$pU~1P7%6Rdn{EU)FAX{SG9P6sLjDv7##}CT$ zZul>*U>Fn+^a;*-e>32LOi0cIp4lUax6v60UVXBxX+1Y6L06@$PqR zm%)&3Mc2V)i=Vr0kf)*)lE9^ZNLS$gSX*_`if1q4)OykiJe<68Cwc$k> z^R`Hl@Eu>5g9>cbW8k;}U15GI2&Dox96_g$Izd<3&KXUfQPz+HOZd#O6Jyq%MT=s%@jh2fV_Nk(e6jKp015HmBDe3nT*2Zj2`Hv&G{uWzAkEk1g z4|nU4vx-u^H#!Cr`}Bj+7|HF>L_c)hk&mMawB%yo&>?3aBJ@v`m~-aE=GU#2L_qdn zfsC?4hAYGK>^C=#`WRiECdy0!*jM$K!l9_QlkzCQH#O8&a|1j5G%zn5&fh_@o5~oX z$DF5OY#HtC)=Y9q?^t$qpsaBRS;d~C5VkuctT2bsw1Kq~Rm3oF7*KSJ=NdoRgG2a9 
z0un-R8#TC7&f)i#FsDpJG>7{aWMWj@o0xo;M>a~AFtFyH-v~h^$;mRFfz-AJqR)AU$;%aL4Fme~IRQbzObhFtyxeSUK7I*z+N5cB7rw#ABE^rV#xtmj3* zSdIPS>@MH(1ZxMzT)^KzXIs8&BhqHj3_U!%^sb&zLkOwgd->q)!N*WP z$|<44W6=gdD=x0NJrJ4_V9fq*)1{T&@_85>x}DaA=W%-JUwjOE2&2ekA@sd5s6&t> zRh$bpu<7|H`zP$!Z6z-P8%8BEq{3XoTvHH%c`gWUsR|ri|MJbkbdoP$r%svU*-O+q z3qpaE|2iTLMovX3YriD4zy|NI<9(RX|Gjj>XdBb;i7A0X+N0H0u*V+UD=R&k5)HP_u5q4D(*V^diPF5uAgS<8R;Ft;Ul$?&_RR}KnIqSA$BEiCM zQc6S&9hrF#)t}bNYE}GMW}39Iq9Jc8<(ygPF==Jgn4=S+B=Ua+l6PtqE~&^2Qh_!e z#Bh$n5IFs3`qNR^P7C+0fhg2gDDIgE5npvP=01*|6SKU8M^&K#2nbq(_auGn?bf|M zx#2X)Od7TpX>(SxRs98GS%RE2O89TY;B_N-6AH&wrM8ALroBG1I~J&;9Vw+~BWv4p zl%$zY^DwkC=%R%+>w~hm)A^ueARd(qs~Fh-_JtnHKY&C%yRKY%6GClBAOY-s*) zt#zFi6|zgc@}mN6I4I>qzaH>HME5RKJV~g!Z|CUY$|wftll(i|j`$&_StudF)E|J`C{y za793NBc~~fV&ySs5RSU{FmM;dUQAKPwh%9o6ggJj^D2mM)k6D6FwYBS1a@-bU;IR` zz;<4n93XvBA>RFCdH_w$*5p>?uW|A_LVd_QY6nfL-A&T%01?2OcK%6m;oLv%4IReF za20miAAIo5Cl?=GDtWjW&4~``EfVA(nn=i%d}T0ZI_ z7o5)0>-DIAtp)$5gahO-Dedmp3xS;!;_0IaPuO!wOrrq+^HaA67eLJpX21&oa62t7 z)ihk}L**OtazC-M@}STN>fU=*p(`mCn79kH$AHdBve>@Iq-R>RgAw)zvyT$T~Xiw zI3G1PgmFBJcsX}3Zj&T|qjZ?z@nv)2*f((lTYc`-uVSKW0&>DzB);+!CJA%Q>g#=B+%~HL zQ^=_SxX0mAxD}0o;GQcW$sv}2H!hB zKPQ|XWPsXXOx*z)QRID8)GgT%*2D+o7 znEx{{M+)5h#UZDRk4PfErM>uM%=#X!Jdt=kHhO;{6sS6BX8kTw4Y;$gT^!Pqsqi#dTp$ zr=4O+%}?2(q(O{Kb3tAkvPA$SQuo4&v}rrYwtc2Y1e#!(iAh!0Xn_r$KN@DknYMf; z{i-Lp!bC+~2N>Gn{Q$ocm=I!Md>wfW3Emb|>`Ic_Lt6Ggvshmc1=$$@jX;3B&I|)r z^{>5$fTd~h)n-jBS;=K8bEOnmpTfGbbETqnRf$}C3}9sp^A8ZRlLiTNl7^|r1K!X$(FKq_ zT=7M%1irumLDt!9iBg{#QCZ?*Uur=NLTH%B>O^6G(WB}09?TPU6r&YhAej)10FWAU zsvt~zLWvcfwDZChwR*DGtXIHM_k@1q4z%7xIrr+py@Owo2e#^kfd%PJZc)#RtEwkc zPJD(`k7B4??}>2-aWI}C_Xfw(Sv5>zEnZkYc8icps+UJ}8M0oTY|_EmnvWL?(C%%H zc0R$WKOBZtuSi)3IMu#BRv+T8sjVJ2vQO3Oy9^%sR*WXrjz;qpxBKmf+2P%?rRcM< zJ7&#g0FJpCx3t)t;ZB~=xKI_UN8NQEKx6jvm5ST!*w}riGew`k=KV2hd@Rj?0{VCm zR*zdGOID;HT$pFar5&)Xo>Ww%Eyq*!+w|e^=7yJH(Rz$?Oq{%zw7DHmCIj24cyb>< z`Q#X?QpIIUL0|j?RUVE?dmLIcy1n7w?<V@)|V-B&x1T^vj z9Uq8S3HiHA3%_06inzf^+zlw~+HdE~P1$APTY!|I3smT^JO!63@y`xviGn#$FKz1A 
zjph$5zu>N!G^I~7=yEKk2g-#ZI6g(wzA-yotHfx+rs>Lu;Uda~74RwNi4iQ#qW^j% zCy91xv>BTwA^n3XUN&NjJXOSL%2}zmNgvo*AHq``oM~_(lPTtz7^-N2$t;>N~4VLS~Ceo?|iU2lEr)nWin>r~SM|DcI(( z7 zyN5uwDp$OwB0GCwWG#YN&ZS# z4!yewL)R~ld{1xR>2IC&+%Wo1qnBjFy&yw$K&HJCRG z@8oDRnyNt2Xtvh6Q`lkozyBSTg(9yy(h0Gom2sDpsC<}*?Na7M{{i)a7^|+?eCe}d zUWjo`k9;Aj2BP^p9KDUX^22fnPJ-ncePmw8dXJvo22#wX7cP@-*U-5TV204H7bfqei+X5 zxedUuqv$|qOM_5K3n+PJu(y9+6NIL{hR)Bge2i{#qPSc#z1rsmm}Z-m?LR#}d7JOG zJ$wi(ZgH>9MB-za1BD$9DScVjW~`Rl^K6H*Tt!D1cK=`C<ikDjYm<&J4rqljimRzXoWV~pzfdJ@tPF!>Vvw&CK+E}MKfm6Pg@{hl zA(5yX8Y9(s^vyGZaT{`~9v8wzJwMTtx}*x|wd7Q4&fVk$p0YcfpRi&>W%}G_tGa;^ zT6y9vi2j4+W8W9ZP6$sf+G@mvYUGYCjs~n(x<)Zlr~S~v43tBRM|dckhx^)X2Cd$g znnRX=7uskO`OOh>4k44FRJ>(?u#|~cxp2|+a|**A%N$BI_t8gfH{IwR!fJ@K+PCF_ zf$5xzdfV;psa_(|+P}p*@Wfmw?Y(Q@bx^`t@eMm| zkUGCg@a?mP)YHQ=K~~nb2$R5aq?*PY63v*hK_@P>I%#<~l6&)YtOzYF{)K^FYtnE^ z`zp`=jX#F^TPEl#rn@~<_B%*A4Ad@bZ_!6XkiYO*h21;Y%ECE$8HQFl;Z0Q5nZR>C zEo)>F<6rV#j4x-ac-wFyB9@?LbYwlL!52EW&O0rs(hmaa1w;smi*%3cTdQbj7wMdfM{rwVJH>KRDXEpn1iYmL!HZgqCUsz_FV{B zHXwHXn;U9D>{{3C*0XBFhgS#+%;_I(6zZWVuSECF*c;RJ&~e z$k%xL#6j!XwA^Jj5j@>m1lBi5m`m|uLgrk3JTr-GA74gbEm?}KETwOtn)-p+{D1i?#>V3zY}^$`;ZU#TxL~YUW=Pi(%SuP ztpH`6Oc9B~XC7V7FjJDKLk@W$H{MRhbB7k0m@sRK-0Z<~hS1irL;SCVxbI#b@xy~% zM+`nIW~pr80Ebv~f>}r*=YfeODLUjU)&b03*@ivY5mG9N1naEtw1FY68iU}caR&R@ zpZI0+Rizns$!5BGZpS)Uw6!{6`Y}9Xc01teu7YJFSo9;R4bD@yy7mYMvQk=p<#`Qa z6;qR8VMXuz@@q}HLSrGgzVIPKe)qf3XcI2>Y1U)lXFaU2+$TnTS%uO+| zEr9dbQNYNyy{xAubG4xXdFh_uVf3sX?m8NE-@eYJwS5u z5(CG{!F&+SDhT0DCewAIgh`m$Jk)x6Q?IL<5H3~+;?Th$UEYyPh}Z5)_RiBknP@E% z^PD~m!F`YXG>kgA!Y2^Eqrwli*U0)!;*eZlIt8?EJD*o`5|-u*VjHje(4R`+XdN&W zQJoI`cG(wiwz29o}*{O7G7JyMkKu@ z=@)R|l{CE^%EA6%k=baFbe(>^wj;06d{|=ZMNec%7A6DN8&pr1Fz%{T7#m|!laR%= ztab@4YROr3tU5~KLh81#}a|Sq-d!CyPy}>Z|Hq`;j(%FbPBxd!F+3T!8UX z+!iXe!9CA^jWkR)LwK)Gff;JUM&Br$R! 
z(R9z)p{@=WMErnuFrxGUN&%airs4oNrW0G4DZ$thJzpCG?B}K-kla?uLvsQGJYg8{ zYt#I4L5E9tu|Itv^g)8T`kY_*7G!kgmtcOAZoAYK#MN#92$;8wPA&ig^x+!b5M{h_ z$m6u0HR)#pX#XIm0c3%NO#Z9RQ!S=>YYb^Bv+M6Z^(&tY%7)9cMumr3+P(e(ds!_- zy<3;aB)CXb-vSq{004;izh!^Fv+I=qCy>HJU+#hnAqTJ%vUf9l%c7iUI9A5+voSMG zEcQh*1i&VvG-gsmgm;mznJ~-JQ5OA{jf*l>L%vwXyd|rP+>+b(+(KfcmYQ zQ)#5?@IvPKqouK!Ok-WCKRat@D*-$P6NxcYSA?2XE`_lUaLQ8=QohcN?}D#i8B`+J zLHTP9NLNYEtA_b?koUyo69_L=6CxYe5{u2p84x+MWXW>*G-fKV*uNupxoSJa6aP75cdz<s>^OEN1)N@mm>QhtxLWD{rQ7|s@1Pq`^ONV=V&>2K zjv?jteG`AO*9z9#;1bQVga*BezI2CCed5AB#>V;Fzi^C?;>X?xo+V@e*k$nQRKVqc zFi(_nOPhkq$mPiTxj}ru#_08G$0>A1<|V3^Au0HINSACO{}VHtYmS{i#SPK(`KVbY z;9#QsX_a^|Zkj&)MilH9Z~IADEmKY0THe(C9Oq-xp2WQQJ#2IwuPI%v31$aj06kS) zi?gl;_TwZqY-H)iRJK~kFJpPss`)4z5dA)A+&Rw&Wwu({+R$-pp$7P%G1jH=XgzX( zGR_wObLq8E+X6kx6X9@?PVpj5TZDS>u${kuEspotbj(Q4(+hx|tS@HDW=9|b%fxII zC@~xAXd-20aCOT2#F-4Xf$I^cGVU8!Ec=A&80Oh~Qq_vRDaDw(3EiG@h%9qe5#&iT zgezM0cNM|`PeU#*mw(VOiGwAMw{zJ^mIIFWsaTkHoodVs-K~C4(~o75U>`nQ4E^sE z#gVhPO~$m1h%+m?=>V|OSh+T-kg>UEs#)z`RNXy;(r(NYQ5@ar_Qr29+6iqN!Cv6w zjsNscqYRXq`OG;a0s_QP^Pa-sRbVh#r$oh`F-D=*iO!!321YnO9&2YQ z@cNSeMWNtChCMb* z^SPtQ3)F)P3()zrc9GQ8kn9~J=X>sC(9I8my&CCehlv!NJ*j3U-%E7ipb!tEJ?i_% zFZFe-G%vQpXAMbhHPvKyWTbN&tN2sJ9N)|1FMVSA3-0rKeyG{Y=pnA=#U<22Jac_3 z$nrVFo{qUZ^z+y_&>}JP$H)Y};6SPP%$LXTWvF&yRa37~ftl4xw)G6(M(?ZHKxO3G zY~xk@LozF!(EZ}SYw(} z5)dJf_luL`auv}t_-l<{7U?lRS=NFl&`AoAa=UMt6D z@s|X&|Iqn}?x{g)Ysqtj(UD9y;{eG4J8o8Uj6}DCNdFrLNE&E1Y8e%3uM_}MT(+|~ zhDHhH0OqeeF0pqTt(SU=pn}5{0#QlPvpJvqLf>+tWoumh3)Gokt#n>G$jHa}x(g%x zkNS#7D5GR#5Jj-?95&;DG6~0O2HAyg8==09?yl+k9S3J~s|k~|qIaTIWd6?)d#Zr_ z6)KKqiuF`z6&4t@#*QYNd4P8KbQ+wcC>c#(t)P4AwRh2hStfJLavYDyw|e8V-wLZ} z9ke|23Ej@8DolDyp2xrisGM#

8n!q`9#?+iVUA zOUn)4sMF5oE%;0YPFaDNhmA=R%5m>x?;}4HwV#DsE`o%uY>*!*bbLO796TJWeacF;Y@lYcH}y zL&xlVyBJi`4Bs`7PS+*{CZs<@Y0GZZ-iW9wOK>2`;R%cV2w~=RFx4(YVbuQqWh>su zFA4G-_`6+5p?LR#5c!?d8Z1`)Fu6eetyq_>fCNljZsRc0OSPDO*Y*ehX1#q;HvbI9 zgtJiUpKn|2_glhrElUce5@Us%)m=aTX#o8R?I2A|S=w@}oye0e#C6yxH;Bdf5gQBv*h z)_+sCfhn^k4^z;!dQDHVdrx2=t@ z&_cEaM4<8R^3|F&9+=gwD?E}K8O2i@?gA?Dj4kT+N7aXx>?wY@dYgVL_Hdn5bQ*g4 z!D2CU?5edxvd?j}wdE?zy#RY+wjd2LP7TJsN%a`(_GF|s<66NDxb80k#2=<(h>X(k zCML&x9YgI*4LD<5%%n+c1sIpjK@%!Zl83X@06!BoLUC`@^3H&`0(c51Csv`wm(IHG z*uR(EFRY|yOE+tr3Ibgl5O5uCUW357o~q8BXWMIedf2RLkMM04002b^iP-Ya=VK3W zJUfe>Y*J)wXN_I5hsvRY5Qj3COF&~E%RX8^Hy9gl&=~UO*<&ww)l;Nxbs+J--h7oo zXO6&&s?p+#ygxPjpgkmc!xWKFJf)}N^u}!@>JBcM(N&bZo-@Gb!R--&GbWktcomBnAF49@J?D-inHS9qO zDB2`xMFoT>2DvZb%)Q2OI+oYwjtJ7J?U7`#WYcO<-DqP6GLY%3zTSyy$U!%rx`cd~ ztYXWhhhQugffhJO$W8l9VfMB4Hbgrb4euX{05A3H*r}oIQYvNfKmReW7HSY%+SAAj z|H+G|&(E$#Oj;D?ZMjD)PFDZXDXDie>aPWVSRZ4E48evyIn#i_WgwMwG>AsJj|OE_ z!J(rF=$gJMJgs|xq_Ju>A)>4LN$oX2)JvgAi*yHDntIQl<5s#F#<+nkn(WTUWa27h ze7a9sb*mID>SL@y6TUID-1J<6m>K0ZjuFa<{?uiuV+X38d>pa}fZ11gE?P%I5Rz5k zH591EjEJ_DSrvVn;ruzcLXI#cS#e~br3LRd?u<=ObdMMnPvt?|bI8fxnx|M7x=u9L z923+SS_UX0cJZZ3Y*^&6BPLgUZ#C08-M{RKDOhElWrjc zgqH=wVm^9m*)MUo9tj&zvTgqCmvHJ+qq{+T574vQomzT4*u@>NH*S(GE`VH4!ZUg8 z5-p(lZo;#Py}8MlPUtkIgUX;?F=XR7TpJ&8m;`BJ)Iqxn=P@~$kPl`PHj${REhL}{ z5L^v2$MCMa$qzc7j{^0PZObW6;b+ZeqZ>gbGqNxW4ND1X+Af6!sF;uS5zs0IDjHRw zl1}0H*9ny5k_clMiz$9?Q;&BahJW-CEQ1fG& zTi7N8uF1y{YoDS&lL~5V5Ke&_Pm2nUgs!R6q6U0we48lS*E7_NW(N?xJvlRiuYuQI21c zyx#~-9hi->uG7_$Wc7#9l9PAuO000;s-e^PqA4fi%*8gx>zXt-8 zC*G?yZu{?;0I&ZQ@VObpjMLE9JL8SOaqzvtbh_C;h4B0qy#AiP@jp;g@4q3y{c!OA zQ^ow>X!U>S_)e;B5_%fR5>g`}OVDO$=N7TPgP)%I*W7Nw0R1LBE>rR)Ndf$cNY70A z9KuF$zwL&zgMGg`2te~QehgC)@+fI>WrPEB3^wfXII+HJ$kJUYV&tV~@? 
zgr5EoV2g6an&#RsI7bN=lxQ~>7Lv3D?%rj)%ilqHl9t^o_B7<@%0+ksvnhGxsUu{< zk{qU=QxFj+bGKAuu&OjGL}X9k09aFXVnT1*WL2nPQqs<*)L_@y?kpMsdqk;^M#vj9 zLGSwgcXf~vWiX$0>^SzF**i9)=EBXsx4HN#N9KwDH3E`!9fdwR=ZM5Af0hv}s_C|{ zG?$vp3_7yhCLr9!!nPIff&iKCr`P5NJ$O6S2 zwnUnSuHR>zR|`%(m#={68>W-NOa3*{&UG0%en3r8UkmrcE__BZ5dng&6uo)# z7hGn7zCWF?$g4iGWzAF+DG!R!c5kD6c|xc^Ryk{#d-n=b2}m-ueN)d9P#89eUBTom z3OD)H_RM@B1<^wW@(1$DW||2r2u|qfi7>#*MX~}b!Xzme_*R0&Cuh00Bon#{hpKr} zp~(x)qc8gUpDHa79Q?ViS($xW zN$IymJUR@7-M{XOZm2XgYqIn)>>V~2*Cpkw5N28%X&0l+4?s$LmGtv1ihs9RFD|rJ;0N>1Kv;p!Gb7O zh|Q!E#h~sqvNYA_X8ulxvzL4YA`?|pq1f#0-PiZs#%#OFBx*|A`8?E2n&;S8)1!Wx zEWGIOgj5q9?WU2B1Wh~n?IiS&K?16DD0FB%0epWtt5UO4^D_3pl**Ocmqs-;nU&Vr z9&CKCkqD7!69c|AIFX#87C$S%=qxg7q-~ZMo(^)|zQ&I(Rh9ap@TqpCnWvCqPFTEOZ`LJdJCW zs^`|&BUL^Bn;){IJ6*ce@n}lW z1shhUpMR4;2^o)CyRpCB+H*=MGKszZ_5?TU!8oY77yMX5Sou-+ikZGf22g6x4L&+Ll?ruTZgm+Vv4St7y$uuXwD~@zai|u|3Q<*{E-AjtV9R-0hIL$to!W%ED!#- zJ`KoCnv{wf@T;xKOvda!q2@ZllA93#P+;sB&VT7>bC+?@A8WMMT-kQF7j*GIKzT(I zKHBm^h)VwlJV%`GOQl_H%ZS{i|JBjZ{}m8V>zvUg>VVtf6@VmwT8J=#`R6DgA z>cZujBGOqiSH^qu119$1t}0|J%ho-DAUx4?6qE9X#$uu43s7-(-QQsFI^{@6W!4FhikHGD;xYfxw$K3VEH*(rM( z;B4I$S(h4>cKgveS}n{tN+<|3ihpIMLrUz=>uW8uuV<533#9=~oc05gKD_9NBd+G< zNt#9&I}vk+0xE>^;BCy(Gv_ApHqvG zg`^tyuq18IQwVh6dLHm5JjKlBMZ>ASNnzRdOx}%ddZGg67=u}ojL1!AcSV~5L@NSt z{b;KPYG8^^6Y^u<)wzR2yb?>1*gIi0dgdd69g2gjkUBuyJDkn^XS}d051O4lZRmuT zy%;1@)(xQs@+ba6&V6-iSR%T4*@V5H4TnC?eHT0S7r!_mCY%EO*xvoltg>A8JL?MwG z42nm=7&n7UjTPiia1p?3qkT6aQ|9p!U5a4l?@T+U9Q>EB*81{v&H052gjb#*_1S@C znjY;|ijy8o1l$`!dIc$cCP283Ya7}%QcX2MQtW#S8q@FfNOzVn`+ZLF1$tkAu_-YpeYCJ~wS3v)>0Z`z1rjJ?;Ny2v_kne}^MKW*s-%hxy za`Ha9IcxOc9@uH+w`{_Rp`5U}JX;V~A>OJR6zlZSCs=8F|LuW|8K^a;?pJ4((*w1v z2G8`G?eQWsZK%xf&BC4DA{)?ecEK%|vmlf0*~KeXW8%p&XbM(audLnO`w703P&zjX zh|jiiZB;sejG2Ds0;<2KDv050Bal$TS#4H;$-lzYB_npx%_2t(klughcd=DsFtJML zAE%4`3*XYom1aH4XSz(@9Tk(sfjvgwEYQ8u>uBn;%z#J#!EkQ3IB6D?KeWH_R3Fzk zwiUrM1t0PcZ=@ZkehC#=K?vHKp4s?O^&)DcO)9Bd*!q;BOC3mY_3dH^>(JYD1O^no 
zLr{hw|4i_GoFS_`!Kp^y34Fd5u7~atsD5SsVW&QF@{c7N_|to1VoNzt^AhuL!*tmD z%GWAe<(tyy6JEmrf{@a_rlt zbeP-U8N$+kM(Dc_n)y#F`2ezag34t8`=FKKMspz=zN%6dd#%M|DR*VqKci;b^Idaz z5q~HSFQhI^_-{lA^2>lBJMxB{)&>s(vg#bQl~2uQgsD!)e6{*ygO*)!GqT*x1o)6N z-PF->ZSt%M=<_%indVERMx2gFtU{fDQP-$833be1^?{dwds+xN-bHtuiZ^eUS_CE! zc6#W|3p~%{4lz|W2ny(BTtRc)P=>N~VVw)36N&o}ytfjhE-GE{lYlhys|#6mTOXWf z9(Lt*JW@c?7^MQpa22qIo4*%0lhuHQZ-GQZCf>jA-ZYZ4JBis6^eUC#2VapXaHJuV zqYF|OytfFaqH>G3<#`1hxE4Y~2EJoUEuxUA3;|17?Fle74!Sh9-MA3zG%5aGPUL%d za`t2oBEimQ=NVGb4=pU0r+$>c`Huq_8B=~~cRsox%cQ8SNMxjOG?XF*)|%iygh#qJ zwJR#B7ip#-?*(tnvq2Iw`Wew&?gS?u+*}{}vuN?qG>%UggMi(jxFby#a_c_gHm3CX zfcC21b?l^m!L7q!;*<73ox$;!TzPvQA9L_(_tPv8bgak|&BC@dxUbG0fd$AZ~$};~K0Fgj$zis2@6dhm;_}f{K z3jG@m?v;Nb101#vq~vJTpl2$H+3kn8b}r^odJl?Pr%HWGh}-nr#NhYE-3&jzGjpNU zj*ZqgB@3JdF-vz(d+qdQ>L7vL=!m;^Vls*)POkz^qtAF{G`b+XV!Uo-ZhOySq1WyG zHo~la)6qlO3^D=)mj*5^YkDsW&$8K~$uGc*haDbs03C~E$|AF){t zq0SAX*@Olq$`{h;ZeO%U(vbtL0|(r>POQp8T9m^X_62exRma-8TiKeqrV14x9*A3x zFlW5L5=&!0C!!%V_b+o+yFO+mlD;|@>IMhd5%MZ|g&w1GGr|7kgv!`}jvdK7z5>$l zl=Ze_@eXX@n;wIL{r2q<@ER#?*z5M8CBmFd4q1GPWMfY)9~ydReEPb`kZc!|o0JD@ zt+whkIxadV*NTsVw$zhxR`HMEYP=_SuYuWN6`#rC0y#33{uU?QzYLMrz%ub<8{>!* znCR?VxlGp9^v#Q4Jpf_KQR3+e_BTs5)54cj&+od-V##glprmMd(eRk)nn=BqYdV?Y zxeTmWC2mF7hC72hZ4@A^zgHC(Eb@F%CgC->>Pj&Mn=ESZH zJ}|`vXLM$wDI1X|t8ZIayb%pV$}TY z%}3`SId%RA61D(;H5sfzck)tE&EtBaC5qs{wf{K2G}uudR@+i_u|p`f&xPko{8tEx zRKkGi*hAnfMl7{!-2Cy?fOGxm!(c*ZkPg_P>w%?`XfX>L^RZ!2?yo0J@Og~(B4$Pe zSO5t*Ck?VrOQ}-;00000EhMY06Rp4igkYk@(eH$Iz|1Gk2^hUWTx&`|hyVZpG9fFE zp_s|g;`v9G2zz`8XyZ{Y|d;kCd3XM9#diHtCkjS%(85VJ4 zBF(D}X0|CF+IVpP3*=dVlEvku^}oPIhV)S5%q278B#vRO)2L_xPIT?7+ks~qgHgyW z_i{3{CN6iqj+OVv3$bkE^AnJf>q7F^kdq;Wx#|4o!RhH))L4ef3oToj!7<(?w%L1d99&rh-({~s-%?5n?L`JU%NS>c zp>A(gH86C`QQ*qg-i{VL49R)7xw1ruA(~^mnI-+SdO6JvlI^)3IZ|hK*SyDhKX2V8 zNfTyK-Y-)I?8SqUWQJ=I0ZnSnb$Htwl@)5$lAfn*m~r5mBFcwD>)p71=&HE^wJ*>_ zJcXIjhXAbosiQu$wa2ZOW8k6^ax-pltlb{UgxaDBM=$Vp?yvN 
zJtKlU>b17WV_yZwBUqc8yP7Wm1Lhum2rH_0DKn#UTD!EveP=MId3{Jy%iS{@ge0zm@nLhm_OLa;dK=xLtrVN1lwmi!S!Tmr-zk}|v%^Q?II=6vkBjeAomNZ@GzW-L0fc_T&s+XD9ffqI41at9my_Xc1$!0OyC)FnAqLI@#o66zBz^N|+ zCAM~*@z?ElYNeNhP=-a)@fTJUX1~gi?I_Q$^Y2`4m6{5HdpgSj+5U4>GkPrx2pAC3L5CglMRxjGg}@WcS;_O zD)fVm!RSv)F3AEq^b^htd_p*9 zZF_#sf#NhcuwlgXSd*`Ibx6qYeZX}g@$+HxYV)5(YW?;`sr{P}L;B_z7f%yr)2lSn zz#&Z~GbO<0$Y;!mG6C3}9WFi5dFYQwbj3lWuzdQM-VE@xGJP>!czwpj)YlArzbQW- zvD!+^J`^jbk*nYOC^!aFV2WquO13}bvikfcc-BVIzs-|B9|n?Vz#80>=FwEPG=3-IDt(0Vhvt%Yph_>kq%cxokZ{y;4NwkEyWFS7eOSAJr#i`1617&^CYg(|)lQW(1 zR8-vKF?OxyUjV8-N&vrmJ+!;8k3 zAHNCJwX~|hc_W$sE|iLGBRd`P<`x?Jp$!+_bl+G;u?N8VZpW8qGt<2TEkE};{s2f9 zRX_^vb0V-D?ndK~3e|BKZOqd|atCN1lam#8hqi#4s3t69bddgg_`6TGTv~|WrNvaI zj<58eV$Ud2@VcX;zyL#*JQn4<-G{*SK-w9c3SI)3i6})3SENJ)?1}>dW8KG|y?bv( z2Qg#Z$gW~G{0huOeaWw`o6Cv-wPX8N=(4bPS5>|40h8-P)C7NFr)jR>NA)Jj1VD<; zB;oe&ZCQCvk3R-ugjPX)j-VeH2c_*tH_g*4#R%qy1Rc#WEx035`02sXjnF+rwDj@? zFz2p(`a;e69patZm~wDbgE2y63Tj_ijy;6=1j(6&R6^=?>U*!$PVBCHBp6vWEnLO6 zhABv8KlYzAdw(%zGX1PRWMn8PWMG%gTQt4P5V5xIO5LbNk6SHlhx4#@hkb^sTkX#i zQE|0Wjb#}YREcJ>PRFEJImnH1=y`4}32`a&fQbSXZED*ghe%=Z05;;PP2RCODFF3L z_MN`jO{IIl@|XF~^Ym`fjdccrvf0&} zqw1?>UEp2O2({8&%u89xp%J7afi=`3$hbW{0H9FaC4W1+BWQ*EVci*DUlK$jJ9ty^ zMlCS>$7B0kbqniEQ@TP zg^z@3OEbzJ$ojc-rl(nV-M)tif1XDBzW)s}O+}+|AXvCi6V14GKEwLcnXpb^EsTkQ zec94C!9(bx+K)`k>WhEkG>JY966iibWEGq(6_2z^oem_O6*Zf*;0*?!20-JA%Gvk8 zz>kMg?IX=_<^wFQpIC13H^+DgWxv#z326Ba_vFGORA;1G{}R zG2UPH`ROdpV)r76?;}Cm5It3Biysq5E`%C3ek(tKVlLx44Rw|*`HbS4BKdl=A5PQO zwCdxzkvVINO2=TE?r($D$XYA!BtQ(>+ukX)+8@Q7i!?Z@O@>nB1q^o|U*mk}xtsnX zafw+fQseVKgj&vH0qFSeHF=fe4*!-!AbZhYgGD>tS(+80cfU->3E-*Py4&^*92_rp zVh)9NFu`)O(Acj0Y}V-2nU{%iZR6gg*hsl+?=!)iYLsWo71vr2330fVF%i&(i_}KR zLB|@@0HE(uq9y2$RtXzN&r<6KOTw&n!^!cbC+cU??cD+SpW-Vu7d&4c@I-Y&%DJ(D z2&+1iTm$Z9Ud2*zo}E_Mvv#aK6nr0ssf@FuRgt22DmV(6Iyl~bPUcPs8@ep;>?MtVtApy`5O2`&1; zmkQtXi=_-49pi?GQ~orvRI?9O}KJ-OmSstZVG9M8;!})7eTxZJfL?Ge2t~NJN z{ld0X9P}oQ;U=YX33eZ z(r1}KziY!bwwTY;ZB`i=dl2fqCdhaskTni|BRt4rdZ$#1uM~6BH$H3ON6e|(?t4>n 
zhXY{;*`be>rk8f#2Okd-l)jOa6dgD|+FQImve4~SjbkB2P^}P7!do?oI4VaoC_oYq zQbm6!RNr`P)I7AXZa+k>{&GL6I?Wj%q6) zXWy1BWu)y)w_SvjhS?_!000000E2bw5$?!9@*Jp2MT8G2?BP8JP!lF;|2jn2KF_tL!qt(^G~2-aheDO z-*I2*6pJcc%UG}U*T4V(003JNlgOW>1_g}Y9zp}+`aAW_tKdRLOD4=D7;wkP^vpW5 z6t3>-(UO{~j$B$Ig6ok1x(RK+$4_;ZT4A}a(zWct8KiH{%9`W(l%_3ra1|YKN$f() z);0`lvJ(lfQV4LC+GrbN@)OeYP|`jxR?h#JDHRyn4=27~C00A01}uLPdU3AkZ__8f zg(ilY&!OqAX06QiOZJy2*RiQb!*Ibhf?51Bhr2|0Em_6kiL_kaoFt%DJ03?tH?Zn} zAY4e-L=_G0+;Q+p*>%)Lf0y&6yi`lexa<)oYm7c=*QN{Zam!+Y2AE!e<7_wS8V)N# z8>oJW^^ouoRnQ-$8@;Trj*hQ2?Z9#o>w8rZ{E@z;sbrtt`HDi)vZihRLEPB#{wKyJ z3NbF2NatA=BSKgV)M8AhaH7Rjg>AZ`UuI@c~~+jz2`0sBp@IuURlvB0JN-} za%t?I0J|<&=~(t>g1&RVSa%j}L*xHTDCt(lRz2?=IH^74;F}nbA`joEG);*>{?_)4 zR7F8Lu3T_TS@XZ(CqWP0l1k+mja5 z-spgj7g?ko3p*w1*;iRaJ?IGKvGMiVoB>}@Nnkes4(MHPKivBki`hWFBh>Lp?(s{; z#bM?W2W1{u@iT=EkJpF2yVkf!e>oQ|Gwb!t5MTAJr&MAw4S}JZG}eUSVpW3$$rHf* zzNxK>bNeqcWp+ZOlUIdGo{u`Aj}OkB-12v;1(A8H6^sKZJX#iDA-UZs&Caen8|!}A z%L`2fMF((kv1D=gHjp}9F#2_wo1|iEwgyYP=fJxSF~Z0v5a25>tiP$HHHbCY$&v&; zJy*3LHN%!=opG5k8A<(Kng1O6+M_MiXNs(A6)~_08g(xN-1WT{6$@`;o?CKBU7#xS zipvw#rJ|zC8%mV+z5Dk2w(*qS#8vs+ZCI}(@)qBt6u#B3)3KX%bx{9F?}ZOan=lie z?N4Z1b0DJ}E$VxcoG8+F5*tfu@;`3J4_74&{wC zh_uY!a?M#4fR13iv6NkR206vS$20Sr2oWis)M!6C#nd56BIj(8zJMq$**l65QYxpf zP(OoaxSWB$aw*ikq$Lt`&zG8(dHx2t=pd+fG%&#eQI%?;J<|{vE$5WsfZ>bIL`X#J zAy);|Vs9+Up+IdSd#JoNnU#7v|F^UK^N^4q{z)J6?^FaifB*mhe!^zQp7Ey1TiMKC zOXcZ_a|HX+MoDGL@uDDX&k%gBM)@+*yl#<-FjFz)hQA zHlZ=>O?n*#%nGK0JHnT~y*WVR9s(%!uSqXSOAv=$-92QF;;Gso%+?xwE!F{?g;YmA zXE#!ZPcb6QKbFPZaPpsgU6-Dn{?i-Im00b4{G099rh&sPUq*0wPkn{KM%AyQ-tz20wPHcP$hqqK1Gbe9cBYz!KdG;MuU6f|TcE|Si{7{X?Vobz z7!YybW|t3GtS@kYJf&W>U&ClKu{zlV58+l(t9z#8#1Sj>XSyv-jH0?O&b(qg^X(SCXfv$3mDYt;b%>E!YOkBJ#=1bKD)PMlZ@z41ONdUs16{ksEYOC zGuN`p;^Vg60SBS`GgnV0W4dD#%<3-6*T%%wwF)TUi;jYW@|3yhAE+1S%kl!YjuSv*=t>z!~%+6-Q#h<8YXg0qbC3W z06^5gVgB}kbBKf+xUK z4|i99u~BZ1o7|oY;lH{Wx?~8a(HUe4#tNSe0%(0l{95?>}Xgg5$bRrvZu(4~=_|Yl(16%bQuU 
zh8U&(qD^pe5>b6v&VZbj-a$HZ8LxZ*hfhS$Ax)GhJe_p%#d~5&{H`N~QFSm`!COOvL1=lzsK_NWvD9xC@PrXQ=Ga|NCd2{Yre ztr~qNZ%3>fr1a$0p#*tw*bVXjr-~ec3q};Mp*L)8yq=RZ@M>5Dz}n*oi^W}<2WEf+ znz7YEe2>~8%YS=(#g{}-af++q=MU9=5P9=9>LiDbL(czFwE0Mg?fu5OkO`DMDc+8-Tx;uf05||sLBeH&EFIb)pLx(;^XUYi@JX^G;WN~(;W#Y zdAt86j^5!1P?S5ffIzvEn~S*7U68LR;PndcaulSuU?B;>~zN@Q~w~Zn148*i$2^1Kh z7&aY~LZacgbKK)?utbvEBs!x5mmLMA5xDUSs6+k&N_P3jfh%Y5_%oNR#}n-M5qcQF zYdpRTG;%=nRsaOyZNRE@z4YEO@FaepK0{1I3uR@bedOg?IdMxX{524%$^EOyM!v7` zG)$be4p4lnD1@_gdfPK@k6wJ%_9z#ej>k5hdd{?G#Pwk|{iU}28F8vd`YO5TD&t4k zjqV&$)%NQhO`sbYNAq>eCb1*ZMRd+O?H2SW=*W>K$DChCInB4DS13I|qf zyMp`}eI}plhAWHO(@_N_S!`qQ+!_9G{j0lxrzG|axAuVwQZ?q%CVtv-K1U0~Md6=xj?npjSS zVaynm%RPk5X}CAO;)eBMfg=R3O#(V1P_Sq5mu74#I0gK0Z;|4TBQ`_}v2UPQADiq} z&UJ+3aRSEuW+3SwBO~{8x?C#_Pd-ds)o$i9(J4Kwz*hcwYu;%*7}cx@1x)L zRy~6dK_}N`m9pH`Yxn%&g%6?s4u^TFd3}#!vm#Ziy)rcl{BfW)>;fWDmKL{7rJVja zP3HROwlPAsrIZCn zv+_^hM@k&m1JdoBjQh)g+vxp%uFz(uECn?H zihbOTo%}Ta8ZJ(zKH5LgXJ5LE9&em&EMHk>l5Su#p&fdk;tvx~eii1~h^>l~^+q{3 zD~=;2GGXsRK`$&6(Z&?VjdGwd`V@E*!hI&a{3~Zh(Np7PO9S74YVEAN{ zOnEUWquSEs!}!f@bB&uJVAr0if1KfsB7U7?Gpp44L!{pJzp>qx<6wv72Nh7 z624>iNRz(3pzK3(rPdYLXG6IYD-OVR6&l5QYyp8DS-ca=&+OLHb$mR=UI}taF9gtK zZ2ABPLhsN%ZN$gW?epPRd4iry^Zec_A%(d zDFq^MDCOBL-B0^j4{f-6&qLP*rV2${ai~0s#VNn^s0QH5GXst>xeV zWwS4k{;?^9@Et6QZ>p~{DW`P6X$)cF7$HW(1^Nf)PzjGGS4v#BQL21kX4la70ftM! 
zdI3soGw3_L5Lb%vWo-*c%cHMiz~pLBs0H3la#O4u)6=6TAbJpn!Jph?k^!d19CfBvMhPRVjF4*n6Zr$8 z2?B_Iv>uLqrsXeYuhvyUk@cnWkUDdky-eAUlzkeHhd;khA)yu4;A6DJ+k5GHBD6rE zF#~V5s?;bP!};8wFp|(Xc}(%xdb&8X867BfawNZXDp+&uFr|Rj{=HbWkz_!qP!*wJ z29|I2x8`~59!@|PA|He}2)#{rggZ{+pkA~~O8YzyQ@`hA+szDg@Jp28*kfD5J-dFLdT9jDAuZ`Q5~K)v4J={NIW(Vc)hQIz5YJ61ze|pqAA*|yXm)zT{MNW; zx3O1jPO-~Pw~um~CQOQTnzs~!nU!F{Lw=Sy+aLcbpT;|pV9lMxZMdd;9gcigX?bVm zVHtuwIR+4#oW36dQ&vk|jEcV=*cz&%3(K{&?${<=uF@*|f+(+9HNxe;1D}zC_C_c@ zw#ETvrJOP^>eXpGcZNpc317&=PT67-s0(!u^{s780jcEhjlpsRzQPHn!%+=3m zDB@}NQl6TdJC9Ky_w#%LO9RWS7}E?=8ql+hd76ZK2^Hvm8%o*cHJpA5GNBryx{(+Z zyionsWAOn~=Td<-K32allI>oY0LV4;!#8=C{ zDr-x>00iWhNGya~h$N-PgFbae3RmFybEwj8-9R&;e>|s!@e#WuRMba>ic?WLOSA6e z4ZC;Qv`B|tAuoP0zEnRx>r&vFvcbnUA3-2?vEoHf7a3$7vA~K~AL;2VVwwm(vqgo) zOP7rSPYJmg-+=y!EsFlB*_Q7C@b6URMzGOQE4Eg6>6JT{-*H!dkW=>wg#{xoM znDu}0jr?YYN~jQ*S`@FQt!0mxQZeyE)di8TPixALRSMOpqiu;me;DD_Ii}Fhumt6$ z=*b+L&#^qOQ|vYtpK*E30Ubin^8an5y0>gOMkcN#w8IM`iOxxytRZ9a<&(KHCM^&P zD=JSTf27Gs3#k9t6*2&evxP-aPk$u_2DXE)dcX>;l@t&^?@IYdAoEu8 z?CtHIN_kflE9N9vd+i9Bj9j1+pIA|u%1f(Z&A|3F+rNqEgw`Ev&zxbkNE zRc&^r=Vgm#VHKaKSldg~oLk`1^?-zRke2RT8PsU1W@dZ@fQ#oeEZb5@U%29#p`*ET zg)~Td9GE9O-YUo0N4E>D2@jztvdr8zH;xJ6lXkp>l*_#mQ7{+F$ze=tHCr%N*`sQt z0A_HNoESiNJ&h!OHu^$Fz$*Kr#Lm=xrhya>Z2DYJTvzx^>OS-mEw(7fkgPmFWS#&76py(l8Bs5~Lwjns@vx5aJ0G z8Lf>iO(D>aWb8AvLK-U9&IV(8l$|K3cYI3|4J;aU%kKL_I+r#+3Eb2H7$2} zh4L;wX6E@bwZakuj>YS1+ldI5JY%Z9=`_|+KeVgW?(Br|6FCh*eX=xo8xIZQ#m)a9 zi5U-GGLfK?S;$&x)_N zvo-Js21-Ju@Vom&jEEYb^62gr~e{y|#+jk|I=&>hih%4Lh zxD-l@YN=3NHbY$AG<5()3X1i2vqEUuD9pi%nQQ>GqYcu;$Ta&f%x>m@_?<^vM^@&Nz!=ZqAwYGR;YHhg_l12LXN~wmbO0&Nwdz=zk4=$|Q7o-T8Zb7OW`IM_ z*aDZJ;(H4|Y3%nclqL^3&x7DE_(ML$TXjM}HF3UTQf<7~?%$f9pEZG`Lt0goFEs*z z#JJyeqG|sXDhBrLn8&1QSY0$ud%zPDyx_~0{;MUlJAqd%Mq9c^k}Mhh@;Wv{_@u~> zT9G_($g-w$Ksg^T&EiGX=T= zofbY@#Q-AvTa3m|6qoH-uU3S}IdeE{_?w&@f);H6@YODg*$aCsM)oVyT%&90D9)J8})p7WIe z8Y>YVYoSsOMzo37n+AJb>T-QgChbx|Hcja-ILryc534)+CdJU&x#wnQM+~^3PJ#?v 
zDFv$sLU;I~9XPx{G+aI68+gv~r>@)~A?cZ$ck}*<;Q94Cz6&8D&(qc1#Vta`Op?*~b0`nGOZ#XQ#6%|32!?ZiXQMCN*t(ARkJIwl> zCjj71JX|_6Q+JH{{UEYm8#r4LyCPaBRB{Zt3qznXP6o^S0S{l5D+lT+!UFg;&A@0} z%9DzaD0lz>xn=*{pQAXM<2+eg#(vscz2D(Zo5T`uaC!l8m9-gV1c|v<%Avyfp{2Q^ zECp6xpKCaY)_jVz*Q(?BO5--U-0gO(IYE+!uV18^p;EY10N?IHh6UP02t_b; zL+YGQE)E^j(X{|RDAmTY!%*0pne&4fC~sTy|3dBAohBUwN6h1>-wMund5%kt3U1GM zf?;LFges|__a_5VN%&GRJ5gC7PFWKpZ=Cx_oJ|3uOQi~hASnO1OanP-zaMGmX z6q@-s(Js3t)^p5s{NKm)#DXkZJbF->HNv6lulV3 zp}rcK4~6@~O5b^l?lV^{)u6R!5E|3*HGXWcYm+VDJDj}Bj7RQyhggz1Hj%%zJnIP+ z=zbeY@x%+A?J?eHfrIL}U8L|oDUggJ)zMWv{&}YNc;{`BWVC6}A62C+5~Wb@ZReA2 zdZfRkhSGjf3YG~g$1rGeUwEW1d-vE4x6=Fi+q&`O`ES;>WO_So2VJ;?F9FWZ>?Y*u z1re=y1&-<>gji%~MsdjqvP@RCkvyYh^gB>Dky_8-7;=0UdnYmZy zkDEETSm|1#@WIW@kgjs<3lh#)IM311I#hpWH>kGmEjz-(tHiQNX|<^ub{|Rg?|ZjT zsK|GK-kaBde)%KDh z?+hBv9y`a1N1U0AXQ34b&161S^8{7{pZ2o5gYS2Aio+i0Z@p;D0zQw~CJxCAL#O|Z zcx|??tF5nX1d&;5->A|CmE-!#(9@&7>d9cRs@kgcU`Rq1cuX}Ds)Y{Ibr&t5t6d!j zUM!a3M0c6EH*MKWbzNMMt1s?4xa^3znG>=P?%8&Bu>=~X@=^a(&R6N6Fh;Gt&(r|` zII5`ryJ_zxO(fOff$+Y?d_yCKYC=S*E4=T^a<%xP7}%;)RL1PMUEh*D>&zF0wjTpT zaZCczmZH)j)W$-cI86n`P+dBUa@^L9DJOYM>glK9l}$I&odr=$4eN61I( zafJ4H++h{qf%fXh*sIdP{uM-SI8?BqCu^H1awY)T1H0DzT%y61mwSA-J^k=6J!#2d zWlc&{Vj00Y+06f#?sXW~U%hq{wKU9WF#1HdB{Jcpni`0u79)M~Cqp=+({YB?;6a;Y zxV4WXdGn$p|C8s5y(u=TTM%E5tKCREC;*}KTjJ|(W68+@-N_ODK7A73Bf%jS(%=~9uCSdCJVs!G5zloKa6em0a{Oxw8 zi)QH8a^n#MSHP3)R9Cw674Z&z*OZ`xbwH|Hj&)8n@U%u4Kk8yt^@y0Z9OD53;imrs z`?VP`(<><4RvE1d!AbNXtD$cmAIv)zY0A>WHhTJ`5@x2AGOg~&$(JUdfm^^E9S;s!%4lwbx_tG4+%a z@dNAiSz2?(L}ts0G`ksrlKd0!!UF#>mDygJx%}6XZ{_i6cjSMr$z~v`t{MNs1$F1@ z`**jq>I~Q;0m2f5_!jjE^{Jc*-cU(17yIeWgHolN2xW!ge4ZAOqUwDdlYZgqz9CkS zgro0^r1rryYTLYKe}%w7xi1d`z+fJuN&`G8B5s47QNPN1e0_CQ{W0QoKh$-k9^%wM zw9Oyl*c9A_pMoPn@Mu_7l}(Sq=j{@c#W~)Lc#%(8`9hmMi(<#B|I#J~ z11J7RF@r!uPiER03gri8!ibU5z5lk|4eVo1+Bg}3YJqGTgvD@9zc$8aML;J;_;B(3 z?GsS2_4hCZ&qrT7!bXsfzyK&lf%qqfv{wUPd3@s58rjcP*o{xht~g(#Wj_wUm-lcJ zE<{IaOdrHde@gYA&)*+I>0o-5hMSZvuTJ9J 
zLylry+f7ds+FJRK!5q+>Gc|h-bHlQAYKzp%p1}6_I23jV#$n@@UQOQSYF^#~naZF)yn>Wr+CZ7_bi9ZK$K-!7w^Ajcv@TlV>)-I4xKv+Lsibk4R>ke>WY&j&dY?N%O{h*E{)DNx-Cz-wqm8o4zS8! zdV;I>qYfP$gg_nXI}KIIpG<3B&S|f_04%YN6AS$=nSAvD9;>F!S3%v{v@oP3>)6x($jFG)KywmL4O-p-aIlIv%4fY~Mo|L*q76 zF4eFu3-BfelTwcVPIqSksIO>|R zPPM}DY@7{K9;WIhwi#m>>UJ>(ccl8fiUF%~ztPDNYDs{Xc~w~Vo`B{yxah<9W*f6l zS%WF2kuL*muKfqXMajtI0TroAB5jmD?jhJBQXuo0=0T?PIg-5j>jgLml`AgZ*rPdU zPV{#G4*U$VyRi*U6ddUO5wSo300%Ir1$kicy1kblAa!$DIT2ei;zTcv0000000j7H zs4Ma`*B+Cbz3F1j7NnN4&T>M#p#VtQ`MIDAd{y3bnDF*$7pDknJ~?*sGiVYUqHL$g zp#T#p)?Z&4EP@KMt}tBJB=ftJ8Y6%@!pU)6?#u|^Le zK5#$qteSxHJo6(0OdeqZ6Dl!1hQdshw1#2!PCsujxCnp*000007ihAE z+1|i%yC8}e62JB^5UMr0P%he*_ZHtZd}H5ilZF5Q0001O*L6|bU#-9a%?RL(-fCA% zV)n-;s14DMYT%A8DuS&rZU+$q`du%SSVjb#7k)MYW=n>>t%By;#DG|9SrRmtg<&d| zb32d#0W|_>5sp4DXJ~r!x6*!?aaDS3k_iB>(f{4B;HhEGL11PPhB{1@l|x z=;c`!ciBLt#zIgR2SI{}O<(^;Nabs?Y7)69q)1?fiADwB^tU=gzMw-`j`0J7a_>KD zqE04+2m4}wa_quXkv82kvf%L&tBy zyn>+$oLpU|m7HF3v*R~Yzg`k^$$<3*umlGq;31U1&aOja3HAmd7nHKxw65=RpI-`aR>(02Cl?23Y2LI~ND}?Vu!2H%=7| zH+N_IPQPau4&ldnSmYR9Qxrlwx zyf%><%K}7SJ`z2-msThZ6!uE%a7L{fMuu(2F_AeSkwGDX=`g~=F85V;tF98lOm?q6 z7rL;BJQ_i0t=2_P2Av(@#(F}kuff(=Ze4>&3={(@>nH$=Ae1~(>3JFnU-vSpGFqZA z>;xGjl%+!5008)|>U-yrTGo=Y&J8Ao(0fw|oqcOA%>^m&Fv+5q4 zmFWA*%l5nu?K73v6(3TD^@Vq z0syXT3MEgC=wP`3%LwzCFHpa5E>_+FEKe!O*#;On_Zv?7doEK1K?($yno`>4SPiIy z^2HTww9zHH=^A%l3cw`b%Glt{mO;qQM1H)xS>iZX(*_Q5ui7BdA`^k8KTYtY8iqPV|}2+MPT;UPG_qt^uf)k z>5f|Kt=g5?eh;iPx<)cvapH--!?Waz(}uU1K!j7jO-0qYpaq*ty#qWeAE5j=CQ!s9 zB|+Q%9>Dj@%BO*XDlCZjFI&H6aB3tjCG&I}oqU&hk>cpL6Y*nG7}oGwRkU&P!$PyU z+_aZaoE`jhqJ{&xu!ljAmM)Jnu=|OvH1-YyJHj_W)5ooyQ?Tej*QU2^+qP}nwt3Fp zXWO=I+qP}nwr$P+zPX(LW@;uENoCba(n)o7s;l4iK91i`n+BlR)lnkfpkl1X>@|t> zaO+TR0pR({OXii?q6OnnisS=uJd2AIjMU7?N@_34Ao)oBlR^}BS>mqFwV-)vu~O4x zC<(CB@+)jjr_fu~b)a3rA3Kq{l(ei}Z%3cs9M4}@b9yq8Ps2Iq1()C!hgbk<8W1z6 zX3v2wa&F@1MAwp;@B9&k9XduAV#FC57=f&v9P&1S(`t4nuc6fx&opXxgi*n!@YtrP z^jinH-dsb;tEi4-VJ`H9tfT>}pvEFxHmkzzK6Hk3Yb2!e(GX!C7kz<oluL=|`smJ_QQiz{1pJ5VR_J^JBN4ktrc2GS51eFqzR 
zbcri;nj$5n3N7G}{)8deq%wA#NW7Fx&)6H6RbZ__b(ezh@vr;$hZFiN}#Ev^e%G8VdqDt1pZOUz5JRK>1*1{HfTVcMXK$?-l54X&SeF>gv!W2E;AKD|vUe z8n*Vs0w3zt~7??e@m;SFk(CAaolS|qC|NrgARX6+P3Mg$ zM4oBYCF5EBDg3#LW9Z1+hUWeA8BD>-hW}7@_7fiTFRNbOXy4^AmXk0ytf*zXsmfd>bF}l6A>C} zL9w>=QXbIsLURFfouPbuK;plWM%h3UZVY0jiAV50NazQq=5Xf>8q^wUjt0fd@5 zc`tMlnBoT^!4GzPIm4=?-}=Y$UKI$qaldFBnWtMtP&XY-C~rZ9Y$h^mn42UkFJXiB z+>DqNHh9PNzMH=`|0)I12jM{(e;!2 z9uAjgLuch${Khhy@#AsFruMn`dz9UFHVK-gg>tI@T{Ly?voq=0(2)ndm_9t4fat4r zB@0zDDyR8d%KV(mQgsg_j&7dRJ3D@ z26Yeafw0-ZUmua{wq!?6}2 z^X!|{e~UmaCDCwBnV$shJ&Ql{BDqfevn=L_Kjv5=Vd(_dW6`zhO(fNvO2{9IqDz~F zgJS-+1@N@?PjV$1%NuPR5>dGu2mMh9v2KReAN9n0#Y zzS~;I7oV5FRvwDuhuA=!G@G_z2MqV_iE1j+oSu&Fe{()h<|{nxJ&4Z4YQ;(>B!9){ zh5YDgHvOmKl!3*Sv~9c?>OU|Hds^Sem^5!A>GzK;?G^xU|8X+2&PFq5SY)UidF6u( zU+M8yh7C5IfKycpbS6!Y->=i8KCn!~grh{Dj&Cn&c8&T?9Pju7$Q>?bxPRE>8qV#9 zzOw+l(&R)Igu$oM*)wuB>5AJG4uDOpKELMM`yu+k?ZeB|6Ch?o2pvBY42NJQ6*!pf zi3`d26=f&U{$0&F3upoeX@V#RDjM-6-FzOYA2!TwsiKGe^I0s_x_bV-LUGfkX}RiCC{JaMj3L^%*s*$D}?JoTUx1n9!MIJR56 zZ=ZkzwLz|HcR|$vNs>V}G?l?>k0rcC`fw*Dm-H>7^>-L()DS?q{t*~)r{)Udh1}fI zthy4{6~(^4eYV-5nRkP>)bV0#=^0^U>uQXYkg`BvjgQijv(daO8w}j+Cor_EhadY> zCG;wKX~0S%rYJ9are+5uau=yTvaezq(EDpD%K-dHwpqpC{%_lLJAya|5nx}m(qh$4 z$)RhApNquUrNn$_5`IDFdQaXDNr&=Sqz&J$jlGq%+8#H@o(Xj69kv#Jsg(QklWR__ z6cWN)nzyR*uxha1ngO&-A4jBg$eIgiqqO=k1oCayF7l^6YN-qO?7Dnvj=rjc=LH%P zmAsSr$8L5!wolKk9Jhr-CkYET{~zz4bU$9Dp%;P&SA%$NF`!jRE?fVEIt>^|+Xm`VNdQ3h_x?^V0Sj?g7=uY7`ZTeNFy4as z*C&^75Bi&Tr9(4EHiUy&=G?r%X#fD=bPqXF_apxOx*pab)QCs-HUeP%)Sfc6FnDYp z*M<1(d^m*s!dMVdys6#<)n@-QaRnIO7EaM3*Y*XXfgeYKH8W~YATKtHpFVmm1;vx_ z;hlvl`lta#Mw>LBKu&r551T+E3w8gBj+a1x%#(AG5 zrs{%J>f`<=!dUk4i(9U$ z&aQhYQg;g!8{rHM8w1v9Kq4d`oOC7n&5bR=X($F^8P5^)GxqRp9c6ni=2?5SY59qv zn`_!z(}CldD4z32^n5{_q$##tp|Nnl_dPQdaTv~nxtHB<%At8jGr&lOkJL^_9jqbc zj1g9ThV19>5c~D1V>9=Q?upaO@RRU#{E;>NkA2e50ani%7o$Fb=y8rBaJTkAz0&by z^@X@LYlK_^Wo$xMo)oZ1D9~G)?@buTCCFihW(#BAn~Z~23^hn|HP7Po0#Xq*YsaoF zM$byoa?-MZgRNXrSggFMTT3Y1nK?FLYum(HUmvtlhvk~3B;2qvY+jI&>Cx=vL>8<` 
zLh6%9)}R(HEX8Vq%>Z#tnq3#PS$@7a#X9*xlZDi2ycV(Zz+EpRY z-uo5eut~LjUPKlV69p5BLK_nOZtO0zjUP(%S6HvG6EQzC=LixO2DSqq?)@z=8h*NF05) z(Vqa+R7t!2_}b9A^;P@P)nOC~aDV6oQT*DqyaxGeeI?mknVlE}uFupABdTIbUBt*F zS;ux7s=abk7=<(W8i;JG`U~wjGH{CYB&&%!DFA(8@XdWbZmQM$p3mrNOKHmwRlww3 zBIG4*Hzp@`Zj*@ve=Q%86$cgkKK_J)Z6hltn=f#=@nyoQ3_!iS=8+(YSNprxyeqw- zNoChv)M+05tjJ`%r4Id*PokD6~S}RH=SzzU?!3VEd<5G@pQ|e*EfzEmidz zpo4@Eu1ks)-F9Z26#~4(&3+PD%PSO}aBVjtO%+SakA_+fnF-+Nv`YfKZZQgAB_qMB zMK@>3Jat|5WszA?u$@wKUCT8*(<0Jvv@1BGBD;w}yU^zCI|qU);Ub(#!|l2nsYdcf zWX?LvN1lzyoG$Mybll3?{Q2D>$*#eoHsa%fd0NpV17;|qyaQzPQ!hC~!WJdWAac#& zvX3!J&{(IDAtl}SQYxgF8~BgWpokIH4C@El4QK~~lLXb=XTK+uOPPkCBr^iz%nc?} zbg0A)sSP)Vx2<@skoFs@AbLK>XE@Y^rl>w<37t`-2m?6MG zw?1#y6AZ-~LG7QR33s4SGq4YyG86edNS?)B6p>0~lom>H^L6jV#b+jDD4)1OZUz+E zFWxBmOYJ?a>czD}c)ywX38=9|Wk{L4<*F$A0j{%!Ots*(rx|msRdQh^&o8A?^!c(K zqKu_3MdKS^Y-wfTa&{IgxhQui#oQCJ7{ye+HL&HP*l_0DU?(a-=zLY!SBF93tCzv8 zgKdlR7b@OUuS${jg&c>MOx!_efJP;RFv?>y7qQ}a{_T!U!ROz#GayyyjFu32N{9mp zyas+6n#A};#13rm68Iwnn);KA86)SPYN-OKDkbexC$@175mtPn`sC+U~`v zcyfb>kEPn!0<)6e6pM`Mh>tsPuXvqApyF$>jD{Cs$>gi4iIy%3-mVyw{%CVjO8NV2 zx@g)-Tm!U4i71v9vH(cv+`i4AU~+DdWlUW2(MxIWfo|qI;?&!Wpm?_dbOj=deVr@f zWH;d#0*$fkTT^9tcxBm?)SzXH>V8ZXYUQV8y;!8z>fv!oaQ)-xO_Wwr`lXsWAuEVe zW}rW=blU@X6zYwhkrgH~|70a8?CNEWfxCupOPJkh9)}hd;VA~Kg|Nf-uOHt<%#aLarEBx( zT;5{JcGXK4hPLDpw98_j9nB#&>r9&M%F-8L@BnTyMePbhKJ0TjPSa ze)cNsZ3j22x1@awnFE#-5P4U?&o=9(YD!VcF{)fv?p&^*QSnn~Ve&2r9(w&VG9)qj znyMwe6@R?sQYatR3s&a92d9HVh=vR3dSVRakU>y-f=lMs-OqyURph z7UN~D2N7Z_=WUoC;cI3`%%1L$UO(f6_!^ZaF;OCr6z|P{+p5HH%?>;SdoRS>Y{M?w z#xmZfGLm9SYLoDl6hFNGlKg&5rfBfCsoJYB5a`YaSza7M8ZrFTuD8&sy2iN873vC? 
z1V2+8=>1#d)0M2dtvhem+uMt(6* zg<*j6!nL1_SEns`a*WKW-2=mn{Tu=L0kZT8;KC|ak^m3R4Tr+EdwFsQ)%Un+6+*Ej zr)2ez>;RxL)R3aEytlw(&kmi&7w3<77xAiR$2w$cwGxM)6?8j%b@<$9U_~O-HX+}T z+e~WN7sW^WfRvY1syuPY{%2&_q$GDRSR%Lkk`;VAOgN5AI)*88sT&Qvse0i|jtNY* zS5s(tmaOUS4*vd0F|dh5xaiUraQbT(=Dy6R3yEB^Mw2Ojs!y>mT=2<+Z~sIc>sn?w zMu-U{IkyfHFPJ6x0n65cam?=YOcbWGZ~zF7O~tzq-Z9#7G1sKNG}~PW5?PhUahpY) z7!IDv>`2E(?X}f_J;i}|#mudRsW$aCLesNb`c2a`=In`4w-@#CSqK?h&M)IM?PdQ7 zNK{wq^W)PrKE~|&bn(&iFWSr9Objcq!Y%b4VJ%{eU?Ren?jq=&M0cl%vDe-=pKK*$ zvIW&)KFuXjX*7vEr)?&x&{C~oNhdQ0OC!k99c3rxQ>uwuAM-zW^%S8GWG5g8acfQ3 zcDa2&_ov2&-_{Uf^3r!4BiyLC)nUF_0GhYs@B~0B;wz;R$yXk;I%Q+%D^5Z&Y?jgi}$P*j@-QpkER&?TiqU(zQ7J`>Q}#z1~y{! zYfPjAj;=h!!%}3jbqA)MbI&4XW8iw&p%yPEjCrO2=>(v2IE;5-ct0jfK;kK?=|4+S zq@Jg>ZD96_*j!C16)DiJ8|IVYz|f0RBP$>f$;FIUEv}*Ss3E|ezRO%$kZRXPc+5IG zS~9TV((&QD9Z_!eJmAs1dMQ$Gi^?{%k#22m!4yG^fR zfby6N^NJrUvbc7pIhBr;;)E%H=1cGGCmC926K1gGR;Yw0Z|t(hh2c4Z(zX&dK>Jho z;~N$yUc~8mu$agfbTd|my`9IVwIJP64PE&-{S6}#_GVRvfL!d)RB9|VrMDc)$X^Dh z{ts@wAW()qr}pBRc*nQup$}85h_OM!{leMlB_Olw&&_6DHJF`YyUJ3BnyUn0GyX=0 zyGgcnKTb=^&KJlkGCFUbHUx-uJqWl$O&*tR!v+dyEV4+^V+s3bFkt(r=#)tB9Q5RG z63?-1BX+H4Et-hS>$tMkSoiA%JxrFenzTR|QKD_1pM?Cn5d%$$lXHvYf0B1oa#-s; z0B4;zyNsJI8t`c-aZ&h)al7ko-q2=8(?xIL*uKnzId=5TVM{)y1!S4uuTh`TBDS-J z?SdFNb!0v?KkfH&4RpawfYCBHdMPP8TCA0Yi#s{?V`%BR_pN=F`VN2OBX78pu;y73 z6a(}U^Z*1&@8Trq(ccBPz%7(ilwK#}s2BNf$Z+_7H1HvOpYV+Ixw5lyW`;T)k+i=p zS96q=R_2A1jV)gL8C)ynY(J2>wT+XLh7oIp*se#Ph}wV{qw@M{i)RRH?r&VzUYzP) zNe|MT+25d+uskFJnPz$*nYFY*K_F-p0S6J@FU$!)t%0CSoMzERt=Yq4@d_`NNt{P8 zWZ~Hv(Xei~QDX=D~(K4`#{Po<17HI_tYExNcW8CSagH z`QC$m%^P+Tc1XnG#z!TNw4?2g+bmvmI=CHz)IFsErWEPF$mH#%y(!g?uhZGT=DfO!fI0X4Z~6zuc!}!wbxiwVVQ#0%2$z}Xshlm zT;1=o19W<%fN>pjN{xhx&L?vzn!1405OGhS{INg;XO|Uu$_hGrWpn}ydhSQEBD;FUj+1`Yeq_?=U?sxqj(_2mA3@XFqZ7!x$jp>UBRay<7sG7{ZB*Gu ztnw%!lGVRj&N|9kdm+lPIb!(J-gIh5&Y0ohmPLGHrP@!qu{RlA7*0YP%=EVYmUm8c z58cZgonuk!i|O5dAPoYepFS?vZ`LxqQ5%>z?i}wo<(|426(h`Fphwx!hZEB1WU-y7 zt=8_o11Au+X)+O{m4ZpTU-l-^a^2BpL92E%qYB?FdVlp~tyb(TGG`t-sHo 
zCTB=w3wN8=b#DYyxb2!~=K2L>EdQ*Kj0wKuqHV0GqE+Ut`gmqYKBz9%!&*Q@W1=v@ z(ed#dUDv3HdNiT?bi6(Di*h0TUWUR?$=nq_S}@w##Z@zGo|yQEv+#0BFdOI-|6 z=k*q!V{bR14_a4P8+R&v=o9>5!$I;K+jy|rJl!qn5}paUAs2yxTO)%F7f7LJaT47fkv{rz<3yv~4HW>q{*f7JGuj}0ls7g79T?L zl&r8s(zz<-oI<~&bTyT#fwD419q2b@GK^NcCNh~l98cV0h23zG6}9DmLdMVuCIwmO z4xfR;%5rm4Ja0GFE3K%XXX9(?&EMpI+|hcB8vEG~G?{(=SaobWp<{yzKU0I$o{i3D zCXz{YyWGMyIV_XDl~C!W;}dpKgoA{Tp&1noU?)icoNMx=+GgVy!+82IegwqKG?UaV zhw#AuM;^ru!Azj&oz~7J+Po-iEuEJ+_2a)RU9{u4L)gJ}abQ+3{UXWHk9Zc0eD_DB zF!U>ih5BH?q*lSafXJ*prp+N?>K!g$bD0PV=UG?+A`QtD-L(Wb>zE08)Rps^3-!k+ zc5V<#C!HthJ@K2tUtpL(DKtVP57GM}ZQF-R+uwwhg~v|Q1yRUc+T3Um9H0ixvCk;i zaiX@38UZYL{-}>sB8}LA-QQ77iFSG~!YD|J3RWbM6;s<}wXI1SZ4+bPe@A72?!Vk9fhj9cuZl*Izeo(Kw-jX4Gt1G4v=Q;^CW~DoAm5q3AuNU zhW1K0l2$Bc3BTqKt|ysO=GU~!A^<8hkA$XXL`{C{OXJVyxnMMeXUFyE{iIETb!1VZ zr@AkDZJ@EtZfc~5<{VzIX(-stUFNT>UC=0r@RYk`(byd$X)}>(uu=!FU{@XvM|tB# zGNttq8?24Q*8=09%>gn`xRrZVm+}@QsnzD^6Z3Y-qBSe5wp<;`;qSwU_(|RZjy`Yv zcR~m*bdCL>RgxCE1Tva}L3uwwG^K(f9;eQZ-r#BW3u#MsZafAf5%J^x+c82I$6e+O zH?QR(=*j~;Z%3k+@Gc_`V`6Zvv2qUuY8@yv z7%8T2g>oud9%^IF_B@TNI>6P6kpm$rr++A~+YM$Q0J?v5Miq2m@Uw@`%cf2%&toVM zO9)z5=?gZRz)+0MGa!CfDQ%K>)KiQ%f@7Cby+INSif*)6sb$ap0q7A?Bz0j>O~VFmb=2U&4$}ZA(B8wN^v? 
zdOtgpZ>hOobDrJ+8L=-%g;c*;?>t}x}bO7%J@9n^yJG+x3@%FHMnYD4oxfxqveh|ah2Xoi}>)CnOb7I zG9`u?VkkL6 zDl5LVvL7KhK+Cvxx(1x`RX_AB%FmhN#hTCU(=ylsw-ApX1Iq3LiCD;cCQajgD?sW^aNkCBk!lG3(|MOANB*;Kcvn;AGT6dkEGl>7Zte;7R;T*H6SB1Lp$a9b_hJjelDUTV05fl-)Jz@Ox-Y+H>{-Fu)^hs_Jh%2 z9}*yq5~-wYsE>P7FG1dkTS-h?uRN2N)=EaLxVtCA3 z$!`QQbA0y9$e_|@NVrvzB3XB?l-JUI`GrB`|jFQ>*Sf?|8Kb@qWl?}#DPlHg2Y0cLZW>SUy*lxW|`Jnia5F*}p&7@Cu za+Sf@Awe4gnuYKkugHQ?@b`#HVG0%~F%t zaYyVn9Y(oGH@E|1M&A{N8>-zaQV9A1lzh~G1+<$T+2E^sBmE3PXtwR;^^pk9h(Ws(8QBd2ygU5MRb~5y>cbV20s1R>0EAV-j_V33s<8vJ0@Ew=V zh=cS7p&nV_gK%`EdU4e~lmyqvBJxjLd(vg?LFQ!dlm<;cZQBundw03J%sP6vqhd52a0Jjdw6*%q%m=$We1p&wgb=AMZ4YA@UuXq{r%KiP&|BmR-RPIArEeHy0E~!1x$U6-dT`S9j+Y+-vWsD~wlEfezQJ&Xr zN+tc`4f24Ir@v{15xoB*$*~~JaWbPF1s#GJ&AsqOEUBsd0H{LA9)YHj{)LJq-{L9c z>b1tG>g-}7z$-`=@IRwldWmSM;EnfkI(G?CA_e1@5XHBXD}fC~a31<2N78<$0<#a( zjS%AB3&z1<L{9B5KS6#AkqS0FjsyjU_2-)0ytwI+GiKi*tt|pT4^s7q( z{0ry?Gd61Q-ksM?5)>rPU+3VVUEgN9+w7BeQC>&je0*(a+7)pE5QM((tjm=tM(~j! zw|`wVwtVlP<0(}lEkB1se5y1#)PL{@I!cI+d2m_&&0r)=dE~jPC$CS-L5Ik!N-2m< z%Ni?zRmye2lh|ETaey6FM~@kzYA?B38%_(r#IjqPGgXz(U-Cglu~f~BI*0h*e*4Rb zpzp$9baq@nW`sSnn=A4CGz@t4))I44vy?!*`9%MmprKnisf6THe}-TAEgc7$rKPQq zo(n%1Em&&dd34XN{6r0%5$CJJJUv+^=EZp*G%v`}hg~yv@y=xjhb}iL2Qc-@n>h8y%js=!h_fx5$?lIJ#{5^z=a3-|C6F$HaPl!^+Fg& z;~PtzexrPrbWfk9pDPMS4#!p!bJ|QZ-|a!-Jblz!B4>U)WvWXlUjG>?{^#u<xmXA}}Q0ylzn;hIW&UMSb4; ze>@II5)$b?fL_vQ%pw183)V2g((USBpGDg(k;8qeA0GZ!xw!M2m-X74N4uZhlfC>8 zWa2}g21+q+VKCxk?-qdHO+0F{PY#w?19+=#;~n`BI}N- zf=5%n;+6am9tx=`$kc;Fa^qk(u9C}sk#}_nqHW}U!?5(eNo_x-@#F5s9V!!KY@=b( zuE|JZXI!^aO_jT$u^rY?e@AE$@@~?49ir~QbDe>#Fj#J0^@ialftLc&xURO z#Di?(pi65$Rd>@gUGRA(n=kU<=|v2i%p^Ae3n86k(u|gWeFh_-S``!gGk@f3o%E9i zmd0b_cGZ7xtUdhM$+!ox0nYjaE`Af_9x;UW*@APTa&30!DgBa|rnM*%X_6B3tm}vm zK-n~{jhRA0me~bZ`4>U|c>0lNLpM3eIlD2)l98w}H8K+pu)s>d1VDVR3k{{X&Ae;@ zvQ)G}!<#r--xlNI19dq3*pnB~W4+M(A+d|P%nJt3m_cRlM?{#0oCo89$W|^fj!-=; z-%-MB%Skg4NX}#SNo&F6xUeenI*?99!eZ|eH~bVYq!VQmwPG8bR0*RccJU^8iwBwP zsqPt?)x6VQ-H%YrPQzS|ooRQ=94`Aut;YB+8KV(z&ks%9r?=ltk_Osly{QVw{W62R 
z7}?i`pKuXQ7>~}U#aC(^OG~#(t5RCwqKFaEiIvY%UKn4zREW1hmh9KehK6u~4}8G& z#u!H5{q1=3?@T*g$A?jFm25cH0ZF|437O*Y500U@Ib4?>Aa&|*4+P@WYM4e&CRmO7 zbj3?pLjCGvPTbMYaYep9#C?Eea;b5|i)W!a39U%t_sHaW%~&fPOKw@d6vGgmAAylw z?KyAUG~URHdzUjkx2rhRJb7p!$Z4DX`^U<95X!f#-2B=~)#wb7Bq}fHD_7DAP@g!s z=(}ShP5bSqi1Y?4HhBNp9c<>``v)5LnKj@?otEXJ11CJK8QbELO4t_atfoo3#V{Ge zA0?#yLsu+jJ3#5L4`p9}7 z6ck<9i;!8ocu@L*WKU~c3q&MmAZHqqj3NZi4a2<}d~zSG-u5X=b8q%($U3EFY+;l5q2Oq4is6e*CotSOC5A9JF%9Rh6%gi(9N|4qus(i$M)kIXrfQ)jAyJ ztVr=%8bN7AhMq&)kgS3_-CJ*Ba47hKf?2VZ{+Y22T_@hI+?ijANp3XyF8v(>cN)U2 ztMqD0u4IcE)jxS#gtn(;Rn(Qd(&we6PSp_^4>Qt+R&3sV6qQ;zz zZ1B6aiHZ{EM_^ts=f|0$J~WJt51J)v>9!9C*}T3JxWcV-o)8S z@_P+z0X$K$Wl}XeVUnq@(rJCsC@T5&2!&;DT#MoqKZDht3D^@MT@s#I=+)_`c`PYm z%yWEsKvUa0%E`w!*>Xvy&m*OOG*{}R%VbaoAiVbt%y{x|e&_!}=g5D58631~g-B|e z+3FUAXhYqK-=R}Q5Ar_}$+1}WA`6YVwsjK*j27c{U|_X@vXh}1$#63OqVPLb#uPO) zfBcG^2S8ck*(-Uw6?o6@1^h%|ClyNV^+7g%IS1x+7jeN}*7jH#{eJGE*Mg?;(g}1& z`s!Q);dd2r{j`iTV~8xTWDU@ey1Ws9nz zt)Ka~j{n0-1I+!%>#s&fRUYCn>ZyNSC+H=%FPpdHnl;Cn{YK8fjUxjfXuo>AY}N~3bxjtqRtbTKi}<;%_UeU1E|^TCaBq>u zG8*Z2SU9IEAHR+b(f-_6jlKh8?DHs3q_fNSGL=f@ompqg+Y4lP=F_f9S{dO92K(Uj z65!AcNGUTeivvW#_Em@lw!B*4>R|mn4(u54uE=#=<>BMQq!e{1ptc~RSr(MV2q?dRO#bPc; zUZ7a8%*Jv86qBY0UP(%U0ab(Y{RKq(7Hb#F3q3w3W-UQcCAG2AXdG?z1QRE&ISmfQ+Ny z8gL%CEmStZPHuK;WTG=bsQ^gtjGaOfTZtOV%YPPMjdFKxJ=088%9u0a8n z08*gb4gCcnJpY{A8SwlP>aGRQl25qZvcrD?Yz5i@$5y9q=x-1YfE(_&F5!UiyRp04 zOa3#$8=(9BV?Euu03QH1=X$`rgZp86`OjM}__+YS?k(=M_v58sRBqy4g`byR0n>p; zfF%A|;2BU3aQ{(2OC{pA_IAs)`+MNq`){gFho1tEmTrIp?v?j{CU1fRp8|nb>FE5e z{DTktz=An>x~u37yy`r7|2{D6PHr4eX!xpzD?3@mcD0}=zcZ=M2{P5~1D z+T(*sU@b5hhO1WV#0A0zU=uLz z{s}gB2Nz58?iK(XcVYnI9pdfKK{_#Es5=Ru>n{3M{OW$WYqZVWt%1R}c{f1ty}Y}; zyVBFN*5(FRs5{Jy^yB*lXak(z=m2d1?02ew@Fieuix^-Jho%O`oKawpoS?tSi=z#TyH{U!Gi#Py{q;Iz93kR6zOn|Hs$OLj|FcguhU_cdVf zq2TopF!|(GUEaTF3FSMGR#PhoPK zy;h8m-5!Y-W~GiCppIK!Tw74<6}&n5vmuZ5CUjfUxUP<$#<3;{r&6-0PKvj2IKVBL z%gLy&TfUrLfg;Meyt(iyV?v%pb(>dH8+#Fz^#=6ntlyW>*C{N?@g@IzruEEbE}mIG 
zeqc$Y6MVxa;7snB(aZYr#`LmIy1N>gb6$tro$J(k;v(yiFX>#+?~5D@jHD!9!O{dI z{qr?H)1Af~3DEL2Hgik zCu824FRi0gij{-%AsjkgD%9Mh{Iq=(G<+}bHe#JBgaUXyp7ER`KHZD*&FMu;;^84l z(Bn;@0~PCedYtCERFqwJy|iorxGsv!0!6_V_Jyn7n5ymr_>2k{BX z2rB)`v4u9(_3dX}C4T-h{eNIYzrIwc?SXphSIXn($ojdBKuBs%bdXh+$2n*POMHQN zD~SheG0g~d?V|||Z*F?&5p&{7QBCDhDfVR60UVf&WxLK>le3Er+qoNT){o|u{p2nD7c_~WzFV;*Ks;bZcSeU#}NoaKM>1Ap3TFWge& zgBA(Zr-0!CEPYTaW#RvB@BO@N$EOjn;~95|8_v2AVa?g@r+y}T$)2@3b9~9TTr3+L z!+<9wDr`WzFwE}+CyGe_&Bkw{L5fBl0v9GacjnO@jw)9!=W`mQ zJ*>skqgYr}@4_*A&jKj?00;4$68y)vNQQ$|gV0lx1zsr8nIdYOzV|A?GZ<;fcpe2iwoGFe?UX zV6!q^)%cAnOcd0}*2mSgoH{RM!Ts0N7#eRr$bjiRMkv-L{1;B_PABF3@%GI&2HhD| zNgL``S}YpTdkmGj*l^qhEo=n=Oh-Zb77eq-C@rz9RY6RecTDdY`i5+-#u~zTd!|}|S!od19h^h(`**cNd5IUO?t)U% z^<+wlHjrN=zMSml9+U=7oK7$_nynupnpXcykN97?@!xjfzcGo2tasrvNMcxaxCk@q z(NX}e%nkhsz9d0_;nS5CB(~&p?RBmwUZj4xE;k}`_T83#yC+V>3F%?C0<)Gg?g`rx zr^1Z<_?MnlOBF!I@yJcTS8m)#;3h2w0KNC5!w2nDFBqK{!uoEz6vZ>K11}Fc;dAfe zul`5F!G{3gW3rc^SMDGhg^GZJmPm#C!^oT?_YbEI+)6<0Clk z>R42}bnYWWe5>~lZ=HU;lNox~GtD9J@Eiys;rG?^&+#?d`TjE`+KCd;bM~b+_<9+spyyg8P z--1cx-yt@#nox{>zb*qQ@D?xX85z~g@L)ZBmwprDMh0n1KfdiFy4-5bGLXxZ`FBp9 z{AN>0A~Jsq=e-7Wz84Rz1qk*vj!EEU&|19)9p@fgs2*@n&{;?1Q4c=vyA(8O3l*D& zq(P1u$RqX!%@N>%CtEW@|1O-pkqX5)T=1@~3P!D@8J(lZ*q?J`?``)kR1^Ojh;zH5 z0x;t-bhM{(VH<|+?S%H-+sH66J*~(-y0@T)-E-%EVKxsKTkLp}bXApNQ$`Tk{&$1@ z1CYG-8Ma2km@t&(tuZ^?US}A-fy#Ej7xyeGoFBzNuu8p{QrU8~-6ZGr_yKG>3$)%j+X2ts+dly)|NNY}?ZDu2%mD5nf*X#FLIhpAV1(1ufS6 zniX;-eb6koZI-vBYttv$hFTQGO5f7!CK{rP_41^=>eP?;J~mabZFCE0j#&o{??Fd3 z`f?7~SdM52(q5-J!)6B_zly{&%PEUc0!_#SYwI!N=^pZ6eq_5ExdmO3zES1}*$<0C zyS;x`V-Y^C*ktLN?qy;sTRQ~ty|wbI;Lq1-aQ%k>cQ(ijUxI2MEF`p`W4=8+jB=c< zy{J9;p%|<7y~S+95~r>=HfzBc&T3^x#9%LC?~I^8jzn^G`X^sqcuDM(wc?i&5v!isXbkMZfDvi>Y=YX3OOk87tPVZ1Z@UwXLl%{eM&@+Yid5PLer?a zKq0$eK;`lzMG9rYwPHfat`9S*o#j-*KBf5Xhb90ix&!`0p5+9(cREf;@ALMZ^J|77 zlqBh_;9QjI_Xn%AIpmRgvWc<*wx8g=qDrXcdSh@C&F8n6Ut!H3`Cq=JE>L(EL?!$Y z0_dxUMaR zCi9ZR6oKmhqd@rK@XqiSEr&n=DKP7I9`V;7)Ov>GwLc19%u8FHms3-9S~HmzH#;^u 
zr{Sb&Cil$TWXt@wTeK~-L`(s&SCiBaS27opSWy zG08AOq3>eLDO~q!VRlgNqqSf+p1;N!v3)*K-6jv2QrpeCaIuC4$#?ttx2@a*Lz&PQ z$c$}Gu1EKz-=H%wq%N8<9>tL9i}a@#lE2*|!F$l--%Mnf9IZD?Z~oWS7^f)g~`?w<}c!Gmr-C>ZVBvZ^m_}oVEIASl0v9v}8Z}M@YLb{-p zf0@$xVin=>bP>GdDVWC#B)ELF#`y2h)p?V~3`Engc#a}TZk=tPNJebsB8Pq5k7Ygk zVaA7ztKmLkpz`zb|D1iXe;+lJlAklqSx<@RtXi3$o;k~=j46x_dHL>p48zreWKYDb zO!TE!D36Oup;R@qAMSwmx=UtYTYyRyQg#)_^XnJp2gQ(?xL7Vvg2w=&1(@c+qE(c_ zRq5P%R29%Eq((27I*Onu@5nt2>LAFA@(4;^+(o@CL0NhACnZVZ$zodMe~ZX|U*y#1 zn#jo{eGq^4ExGjnwU79dG^HUA*wLfqwnpVb?3QErZ7&bbMzWiU#s1(2e=f7mQi#z0 z=UjILuJdw-?7|EKnJo3v^|!4(r%1kM^d%_%C1@3>{Y?FC5861hU^H($rI)23Lo zpSA|{3SWrk?|=AD!=6d)qtPCgQEeaU%q-Oe3+j}sN<`fif$Y;3M&^3nmhCgbA)+*vyByy#QG1hrDtg)e6p>B3Cr@p~I4cR;#S)PeRK{D>xkmlvBJzXFh|6zp@e$8TmuW&na2?=?7!h7annj zfogPpn_m5gQJ%lOr_XoW!z`C4+T_oy2?=9z21||D!hg(rJa^xIoF%GE7`J{IVnZb) zq>{#V>HUZB@nB?O+Tz&L)olZ-6i#&c=6w78HL9va?9BMH|2W^a!#*0}f0Jf6*?f$w zViOH%CPiucmYOtaK&BIztq%Hrm-Ky)QywY~{kR6+7li_2D+4Zx!w&$hQzbmT^YPCQ z2UhLW#LLyUZ+$&tqYmskk9Olo$p5gyzfl~hR1JJ@-5>JE8(um@4&daHpK9ih;?^Id z=ZDA=1IjGW$2km%f3A~CUv|0Dy2q}2L{a)dwB%xm>La)%;PCmEq&^H8e%^X2o_Sqi z1$v(CjHopReBE$Q)M*d&T4T6iFJDN(qy|)KPbLkGYQ|b6 zmtQNh3ZdY}q#C|tMS^}drUaCU=br~x^V%^FN0fxc0+_tIOwa`?#gKq^F+_h?BHf7% znmy+8TDR4EiO=1W4E6*~GeSX_B;*WC8N|==tKP-5lZ!+F|d=G(aP8& z?2{-7{Hv;Us7MXxFex^EYwKofRPjGAe}07{Kc($Yzm+%DTs1+f_K0*lL9g&d;o7) ze&@HIOZYp#^BjNJMOx^@Ujm)|AH?jxq0zrX;O%5)^C-|;{f9*GVZ{CYK(^2Q|Ey3_ zP}}PN8~FXsdoA6a`>>GN4_9KHf{l*-`GPNTn~E$H<2+O+x!EvzQuU3h9PF>RM3qZ8 zb1V#mu1sW~#l|5&eK5lR^5VYw0SEO941B4kifHSANzyUob%l+|25x%>)3?q7NCfU75JTqSP z391x#(wWk81n<(+FXH#F32sifiHQN`NZV~MH9zuaoBM@)VHinNykNwCRD3>^qq%A! 
zM=orlxLa+Z$q~KIusrcKLGx6eR?69*%42dB7W*P`Mj7-h-;|N2JqgC*$i7IHWpA*p znX_m@MGQ%4GGQ>Duj6{uTP5#~7=uPm5o_}UbKGNS2>GVZp+1$dnzK(Btx-Rx$=YGz zvI=VF73xwH_XB1iQC<|i_~@N_&2o9q3`$-X6ZbupW7&OyVBZpK2A$tSPnbQ(RgjXq zQ>nYl5`yHtk0ex=W0TbaGJ;FXT)hNI-<$)Dv;_K;NGT%g_@*g>2=J-Us|4=Y>Xsixvp0`OEXiU{IN(CU5D}5w&u9#jk2qanTbL(63xDdRUTusMYZ|+ zrsXaU`y7&UUfjoPXY!x8IX52zCz~P`V$#Nz^Hk1A+}6OX+B)oFAgY0bCiUj>0+b=R z0aBA==~z-3DK2}CZSV$bAhOh5aX_tZpJr(Hu=-X`WA2myrTw}YaQZ~HMByhbprRWl zdU0ZAYWZS=DOx@C@IB)A38|Q6T(QqhEXH6{=a(-WY%2|@WoaRi6|B4ht~{8E%b97s zjwy*&xU46$Yp@k5MMaE-7wx*N3Udgo1^9B;r9r%@F!37X7Sr+9P;NE}4za?-HWu!#1B$) zu6+Qc!2`j3o$hFQp<(k7F`+e|Hab^Sv0Z-4aRiPh{XAfN*)eY-8hKbRTc(= ztwLrjZyUiSziPigh?a^0lVD5FzE1x35y$ym;%7*5}V^SP9~K~H8%*0I(~M4 zrJ6#vU-zmyILH^oDA3k)!slAfd`X?P#W)&?HH_>_gN*Ui2VGu{Y{=o;41R~_KBNUY+X zQ5&F~zDfH9{r~dfXHk=~?GlzjPGmAhgH^;a|9{O=JwP}7Nj~`yBlc;g>GaK~nR)2e$&Mo6~-PA$9$IB9Bs3fdlE*!n_FH$Et9R-zqan9h(z!v|5<^a(@`v%5?3bu3IFT}GU?WT=tqgmDO?h0NHHryTA$Ufw6uyxB^I!fAtWAd5Vj#S& zsmP^@6FkVVdx52x0bvpCm-#H&ceLKlsAnv^QqE71<~+NGW8vJixGZl@S&+_xi>+nV z?=^jTtHQeBzW?&s>&Mrq2dV!}+S#eu=|-@f6sghm7ZCKvn)w4nLpyoo1Bv!u+0!48 z{ZEP&pxu}MiHSiOMY4Qb?Z0m+Ka@6HjW_>=Htmm8xr_5p>Lw#}x%_@pl}*nK3%aGI z{@8vZPBC-dr9C6UPvDLbxfG>^%#v`SPGcZn@7)K}e?&_OxwGj)YY5%pQR!hBZUkLYJQEki{bb$*Mg;NHVNP9 z<XlO)# zEKlkNsn;{aN@8og_cz2`1vig`&-&RnTB*$thV4+I1zKN4lIO48Fx>aBE6OdnYazfP#7shh$!jh}rxZvyV_f-S3rc zwUY4>`sT=bs6jQnx0~KE+3^iba`7lUI`eWOWfK8&ZL z<0Ub694<219}(XR{8kk~n!k~!j3iYyJ9|0rX<>JmTF9@`Jq2p=k}Lu#8$MRCMfJ_K zPRDLN@uVO%Yq(<%gy#%;Ml0q#<*26jxyuZq?N6x|L5l=GXu3Bagl-r=;Tc@O0DJa0 zaqFmx$UFPr1PciEP4u%84JWiq)-FrRrLN1YH$WwK-pO-@=?QqWeNrf^G0Spv^DZZX zD2-^S%tS}NeoPc@>G;b1r-vnhws6XLsOJekfWf2^`xO<7J#K#9BAFNepFy zr}{khpFrIVz~0{MX!FP|{Nx>+67TnLV)`!|*=O@x(FDkDm&1o9x$+|+@za+1OauK} zs(XZSXyn^oT?oTL$tQY@C}(dItr^!JyF!nyX4)?MST54Vdu$&pK4)KHcJuPi49Zw&GO30%D(n8I2ln_&tF1N5Di(oy z!07EWJbmmCx=31%%myfuOdGC%W5`}zE8jIz;kf#v+jMXl_??k zll&!a=WT|P#-l7XAv6T>g_B1nKG3szaI&gXNR)8HP890hS6!)ov~GU60z%V}aK@Z? 
zxe-{u@l_&X^~~)j5HG#$wr;%ytq-CN1_GL`WTDzu!(5f2^^x}V&b!Q~9_buf7%U;~ zQP-rGy^AOkG9?-_)=k6^y3dS%Wrjvt%`E$mHu7iC067#9+@3Daudmodc0kdfCIfM+ zZz^kHmTDaCs~7nQWjcZu2s3xo+VFmTYat^eWjrc_=y3SWj!_0T7SLhjTIH`&SnLCs+$Q4h7JGkMvh8PY!2&?PFE}3U{-L9i`>*>Q{!5Lh& zmv(EMOw(3bqJHH~<_~=#%lcsxe0;nbHU;mq(W|LYnW%bhyu2gpy{etPVk7-@M{l&U zkD8ryWu*h@WO?|J(Yh!hePti31U9Qg1hiLlKb;)=+)j^#XJ_B!7&Nc*EJRGLHV}C9_2I)&b5lr*;dG97xREB%OsuQd*mGu%!rT z!y99=#2l@G3R}EcNw-&d8`x(2GwkqiWV9oh%zbneBHSgWpbl(&6$>gNx>KB(u%eK5 zeunR$84OZ5m+;6&Z@Y?{aq+HLbkeG-wdG%WR!7Ge|VJ3N9OMg@k@OhSiIM z&F;zqSl6HFC27QZwOHCpq`10cRJfs%3%@Uu$O2q&`cltm z)*&e<#VCx>{IVn2UzF$(-ClnR=)cGk&NbMD?oC2JM(-_47jLvz-XwzuP=HP8Um&;K zhI8V=8KvaFAcgBhxAIyhL(CuUOjKyjuC8Vo^hc)itDq1=@j8v5+T?%^n%D1cn<|<+$Tin|#;#!y}y%_X{mxmUJRAY9LhaMUhb~d%u$MLl? zgWO!IE^nqP*);}!;@x%KX{MJ?v&}1Lhw#!OUyI#K91k;1s(+F={)B^4R0xS0YV7_Pyhh_>+ zaIkbI!7PD^Q*y|K^XGE1_(1Jx%mP=_uWlSF_}j$A|+x5N+>E!{f~ zhh~H)%XFoQ$0M(@7JXl)a}H^Rv+>qH@uhupNZBesrOH5a^4?Roi&?~Yhasl_7_o+!i=mp4Za);D<|YELLBHk2m$RUu##k%VasVt-`r5TnoN|XG)zBqB_dd z9Tf0$EROt1T}aqqHG01F{K!k9fPv-$(u#?AxkB^RnoiWmEXU8Xo%AA^i2^lRlwuKO z3JBwxopzR~X@JOJZCs?Um5jSs@@PE1U-=~ex}qKrC4q`QLu90kwcp?QQREGM9v7E; zKA!mTD>-$BMajHfeRy7IwEE|^@mqNR8&Ey`8;1GyrG76I_#1h`Jxdc%a1QlmCgG*v z|A%s_d#UqgN!%nCi@q?Xrtt<*O%5ae{}j#qM|gDNshKMrC+bI4_DOTWiVk8OK?oKd z2e!u9LKN~f$1`ZY~K7VQYFKk7G+eyB2bsugsl&P3d%vw0zf zd;JEfx*~jyCVO{of^9%pvX9bj7LEqg31Zzu7Sgu=b6}8H$54UF$Ar=UYC=Cz5Z36a za!4vR%)N$KsC8fRBs02ZtMheqzIqF*EaALIkS zg3AZe;9q;jQmaWUCPS(2!TP^WJ%8ETHQ6$=BRPLdfBn}Py#09K2Mv}738BFu&8HDd zaoOfQYdwlvcdqH2dHim+faal;vGf)$cWt9VlcA+l{?f_~mW_kK^r@MXB%6y3xt-ms z0nVF~yt8wc^_07-vFjT?8(Fv8KR$q!e?9!c^37LbIO*y^`QVnpeSPe(LHoP_)~)pQTj3`s(UV4MDH;y2W!d4x0URl9GW!6mP;ri{8~k z$|DB{H3kYS5gt>Fd7HJ)M>F{mr(5m2m%i+HB z0_#F$%65S;`F>2qDcCw#Lqu>F|;8LEi~4e|^A2Lr56#e^xa21MXp=#52Z& ziRLE5ET}hg*7N;3(C^)iQw|YaS5aX_rPln}LJD_}8On*)Jx{f6;QO|+=sLi!v;SZk z67N6siY1iWB}t>+EgpKKoR3KQ8)wsLmthOYuWfvsVM`{EUC#4yT1mICZLTmmEGNy_ zimkp1_uJ2++OD$1hde1+EC8v*grWPx>`I7N}kdKDc_!^tQK7^jiA~BeK^Xg8IThL_rAo?p+TsWWl6b 
zt3zItFr$QG&^RTx8E^T`GtJw0IQnkr8+s4@JuC)q(&AmI;y2EE+cXlc;}_Y8w3MkY z>*ydl=*j-lt?J;t)aEu@(JyHw9_T_}r`f~Ka#B5+SKjPV5 zil2_uFq9OO1YnoYa0N`dp*yHJ;i|gQ8cpLuOZS^l=ob-C*wG~oJciGvLdfIt8mkv1 zt%^R+K{y}}=**(vO*C`en8CXBx1jrbV0k2%wlF{i5@R^Mk_wS<<#xrOtAl81k+YP= zFHxz(SeDmqHE(^JEQ?^KMT3?u!H=0e|gb148^yoRBRn_(AqqP zrN2p(LdJ`oH&H47bo6`s`Pm0XJ--{~TL7lHMI z>lb=#^cF~PcxiRf4iN9JQq-Nb zR%&%+2*7g-q-vJ>v2lc8O0u4$<-=yw$2jy#ta9toC+r1O(S<~`RcXPuz6J|jIBb{9 zH2qks<$EK~t=?VFumv!$ zkWH90I|MBvID$WmCqCz$bfH%ys{5iiXuD6C*F)5{hWeqBj+OW9YRfvZZpT1&od7^5 zfiKYz&w^cqIR*96v@GX?LNr{=2lou7NW7+jzGj@LM9YMJCxXeAikG3>RlVTHNxODt zsoaXDshq;OE#k~iAN{^DtM#nZY+b-X`uWL$nNU8gn5LxX%Fe}Wg_TaR!^GP!(vUZy=Ojr%{j3B(eT0xEf4d25(b8v^X&VmA=@b){%^;%bSJAXn z$)YhA$lhFic*2?5FVatk4>MtZZ;3E{^WgeZw&)VHVkG0{tp+8eSprNvs!XuL_O5+aAmF@cxh)zYJ0%Hp&-h-EF68KzY#zb4^X^W--5PG^nNOuofm|;?HA+RhmIv(h*!KE zD6-CA8{d9v{G3fS*-$0V)HGv>sd|_AQNQVHr3R(8Q(-4I2zTeMne8{Z!&fB8oW6kjx zK|+I3mRxzhPJaIyWa>aZKsl=#_(t+uefd5Cong6?cr%J(?B7ArLjV!T#a~Dsd#|5m zk>Xh`S(<7P1;ZhDtQ-HHl^bwE9H(@F$6|Iash{B98DO?`$XhG?50wYh7`U7S?4YJ? zwE9<_(H=AcjG`DlS?NDkE`EZl+O^CG-$ch=!2Y33tGB71r65*l8$Zi7yaFfc;6#RKO48w7X4SacuG7SOkg^T|jhRt*D6#!1k!_DA@6;a>!DKNMEH zz=W6&6ZoP&z~XKRDXhWlMxD;2PDOrkB#}|}Y8ltKgM?5Z?e-##`rvZfiBRsoqs_Q1 z5@GZ)ZYg<4cYxLU0krFsQ%o`Zl=JQ62kg?)vOSm2F7c0deFYqS;83;PF&lto2S_3E$ps_J!icJ;n1yP`$m{SuVn5h6f`Sri>! 
zK#Q$0LPKcC9FzPVn1rD=Jyb*@8sH9!4m`f>^EhzFBY~>3o^k-3v$2yJw3reESyB>8 zeo{Ruv}-~qYNJh5TK1(`5&;cSxj&_BFCyvpM)2EPRiCpEyTSEyS&g<}v)ZYKPj>VO z!B(&tS~|S44Its9t{d%n@=(ujUJVs5q$am3*7|cdavsZ1SzfNqL~9jfVZ*dC8ecHp z?|tM@%%x%;bRD6{FSFz%L&>`e^~nyyYUWH@4A-Vd=|*{?r|*X z?DE5nbw7>Uq?Q@1KQi>7DxPt+m0ceZ)nh+Jy;rj>ikq5Pe5>3WM*pXx=0O@%C0za| z?(S&@m?!q_>yr-YG(q+=&WDM$$Sfv}jXoyGf6n{QJrgCz&kU`#n&|I>=YNRa=di_*!?&;%=2}(L#SuY}$vkMB z9+98S@WM21g<&Jkb|Oi2i~Ey_cGQP!j4wjU3teAwAARR=oVBoGr)za-i%kOrY#ZK4 z0zWjJEz)v1?Xf?ycx?Qoe2>0qDQ21cjW5N^bwX$~pGy(;{?+_kixUm) z@>F~uu*v!$El$l#ZIjfluhZ&b5WZCM z0Bi~6;Vz=uR2j2n9$q|_vV%@;noSFX95T}*d?&Ws_-5frE#Rgxqvz{fu%=xe%0$); z2OuHnhGwmMa9gmE?hjq-gwSA@1mLKL>0sg7VI<)3ef$h=>2em)AQ&qLX`;C;3cn;3 z3>y9T_=}<5tr0t*wQ$k}{`{v2Rmy)Yq!)RkYW;KZ3()&Rk}GGhhJbpRX83bMt7g^< zS$CR98@X%)bN_5^zeqJfNTNA7mg2W%4T^X|4>VN#mXsEvDZEbN{A1?xK<(+TL+!fI zy~q9E6#e3Yq`5~>AB^?h182R|+7E&am1*WJOo6`a(opZSi0i+Iq|z2V`dO3@ZWP|C zw29v!alGF;>ps{j1n=uE)W;sIPe*0nr_hDj{k}@(+SJxuDn?~=d7jH;Uh_6O|4i6V z8(T)wC6Pj-@Yw|(t0>{~p63p3Mwd(GXbJXNZy{XSF3RBxZb=&6$g4+(;{uZEhCzBI z*g7TOfoECYsu)L>pKS2mao3G<#tOE%61|9(LDe^4f2DqPq005RX9Jko~97F^%=wOOo&?| zBThjO_sli|5vP~kd1MHUaB$aASlIt4y&MJI*7Agy3+-9M=unX9`5j2^kjY((F2JTe zyrLqS8#i@i*=^B(K zx5#{a&TQWAl$kg*T&J$rn6YIAt?sX{mW_MGDHKm%eAg}_*c~;ukkRaw8X~R+` zTN}y0-x5eY1Py{=5;9y;`ysZa3;I~AOOsN{RaW}){D_``ml0%@7r7KM1|v6t;o38T z=-F$brJtaw9K@go6TE%wfmqTH3iMz0=RQ0O_w8y2?0> z73a5a&}yawvdA?@6C+#lB#%A%IwW+$1vU+gEXehgDqpGLIXD-S!OQJ-A1HxqTq|9; zP^`?<)mTlaAcyKao;gPockzUvo>&zpbHMRW?HK&Fw|@21PN)#H-1gzjKeXe2?bKiF z!fqmd@q9@1F-LpMmTt$RQ^cS313!JYsDUn}VFhk(euc+0^$`YY9|+i(RUxN#154o} zwd=@U6oPgQlnGdL>I*2au&W7nIW=9!mYy#E5rFQ0FlV6%CVfyP_8`10#@io>1cCsK7rkW7npdD& zy%L(Y#q&94`Ra|)r3XSR!bK}Mk|7lxlF*a#Zi%JDeQ#i*6=;ZF0ry^Q8FwEWfyke( zkDOWm{kXic!1#`ow(D>kx5FQI@o|y$bnPUuCW5Qiq5n|5?K{$~1rt0TBrKS`nlL^e zuEWSivf2h!2V5kS)1fN`BU4;Kk8&?b)8MKAV%v6$-mXe`XEolQaVi<^w|u?+aHeWD zv3Qt@;JKh6aMSb(+MSehsVjEODDS0Bfy;frW{wBb_AiV*p8oo?_Xz8V^>bgfc2CRSJY%VM?K#Vc=x?WK;!=Q&X@C@ug^KQDrUu^G+36TPGnUSr{tP 
z=lH9>kdC!~pKd(MN}Xjg#4-g7Y)@kscwI%f{90g`-qorMyVZ~>saq4$ZbLXY{zF@3 zgQo2UT@iiX(WJvX*ly=rJs-#j(4dV~|NcdvICtv+ym@#U-&!l$ZVY+M6Q#p`@#KJm z$d84lL!NW2644v=66oN!fEDr556Sx)aM#@{b-1baY-q7nitO%@ujEX>OY+n^Ud;oWJq{E4@4jOTYFQeiym5y<30baaRQCZ zi^GOtHa|kC5Y9dPKF|Bny7fb_`R8sWk-$}hntyO+-*l2cvcT^DD}}K{l0S)DVKUyI z9?bF=XSV!rZixzf!J>RUyXADw<;rJt4Ec}Fq5J#I3LJ~w_RUwoZ?WNja0=eH(YL$t zp8t!J5oU;`i-FK$Z=!yGx*c0HD(=htZ@uKdV-UWX++RxzEVQ3T>tm^pT>HueyqCYv z2UXecTcihvw1$|>Ap3=D-Dh)!{#^sX`MR^C6O}4~b-EYl#9k@wZCvK2;l&$i)do~h z(~;Y8XyeFI{&k{CHDp`pma<7DP@xW8kUl(q`7RB-E3nBvcJGV9@d9^@yObjt1b*!* zFOz&?7wI>V)vLgi==Mt7cKn%eSyX$aK2hHGp+j=pe<6dg<=a*8HRJ|zSC%|`*N<(b zBAX~k&#h`KHW|u{I zf&en;L_h3Z)4-vKd_5Nm?LES8so_6+@e4wUjs+bmC{~It!K(z}Y`>hs!%YMN0CrG= zeEo+mYS2I-7#&XZ918xu*|Dp7#7ruO+Nb9_bMwaq9>+~V)JmyaW#-#zo7z1-6!SSZ zb=hJ*FIE)q07eLUnc(u^8;KA>Sh|?9=iYFyvY(!~AMVo*`a9nGZs42y%@XYRge@!hKnF4Nc8Rt~w6yy&h|Ys@E7ooj-^VC+OO`#8LX2& zRW_K^ub#fW7;Z-#1#CH1=)RbBy=#9T^9f9S&9Na-f0e&MoU`1s)#=pAIPF{~U_--L zh12#aWCde^dB^F+g}UP`;`2Er-=5t-sptEtYyYl0`dB;!5upc~>Y!|aMBIbKk&O~gWdH!dBrRXUy0 z{mwadMYkSxi0ZKxxsy7tm-m>rWS)jRE?%)^iW3W#(z8bSeCQjwWZVcA)!I4Ftm$2D z4>{ASG>eiabZUWsQ4g=LF~+Xth6ZFnfF}PaX=h=+6z13~$`oEP$ZIA-m}f9dDTqlA z&&%?bi`TVQZbHr&WPNT}j>cW~^_!gPG5}9_iJR;2@_qkg&r`hiqR+y5*^ZIhh1r3u zpzW8|AFV}|>#4dvPY*AnCYBt0HNZ!4&~#;Bx=Bg=ke67}87(B7xy8B`C9h_JXzR?j zyV&Oo+DGGZK1q)hk}_bod}coB51qGBTv&UWI*@!Jz`I}@fz3uX?w$A%-A)ks)SVkw zvs&^^=H_DGa9W5!UV(Uq0%HHP>NA>MI|&n-T|*(8Dj6^2Pbo6ZMu%x|T%)$T;)dv7 z1l%nYqZ-Kdl^2~V6d|(oMUN#(Wn7Z(Y9Y9+!b-5hyZ6~Ad;g}p?QqF67zr|?*UnL))%0pv|- zbl@`ziEDzq_|O7RTR-$Hd_v(at-?D;b|)ZUmbPbTuaYLl-6TVsK@A)~Ix>OSlwLb^ z-e5|{etS{AQOTozZ?K8mJ(}^P?#lszhE>tKrL8Uo4Pi{VO=Pr6WyYrlteh{$(sf;U z9}iYNr?JF-d@7XbGF+`uS|zvmtdQA{dN~s-Bj>HIW9ZuWC&KOHsmcZ_R+F*`WaNlrjT9$`^XQHwb^F z$pGr4QqX3R@p8qn&9^4L#WFb*BQujiR&9a1A3q6#sq$6IEt}b)^9PA74T(%O{bsAK z=&e=@-cGs*t!W<_E7kgrq15LZh47puj);VluAN9S{HUd^{2TNJ`ZEtZiNbf2ZaA4W3m>k~%G zXs6nIfA}JQMw2cpHC-SLYW|DP(t#I@clAwW#F1Kv6a!m6j!>O7P7+Lx)>5HVpr|A= zh;s`hZ5`$A!j!&24cFeJ{QOMzGlyQ}^c=VMhl~39c 
zihMaJon+X!#7245v1c)q=7wzjyN3OYHh)k^qVeaOSKPQkZl&zG3L%S<^J{3FFnt}Z z2VrpjS8Pwsk@V@(%*cwx`Z&dUk>zJrnQ^3E418<}dYl@`*otEvQryIzZ`ODtixx7H zBg_`Gvnes;8|@hDo=-i^*X=mxh%7XtOQwNdDT3AA4C0-l5tdxbJWm=j4a3ZHpQ*R(Uc>7^0fff(gDu|l zCsLSEaBkBgRH~yEL@4RxWYKhoX}d#Oa#WnL;`%D0`dVBf=;qu8O-5niT6z7GsFyiw z(CeDrYBkgiV*|)<+8|@CM2~YW-e(;97n4-&=+@=sC5kwc}?roY_P!{8)JAl6!PyYlXQF|D@V*}WV*`&fzOJ-BOPS>R1u9O)fLa}~(3cRz`cHe88oNl=D{d9gRi>0TQ?wI;yb$DMFnUcEa&xP?RS7b~8)3A{we zGkEfJZSLbh7Ay>&1;JW7IftY4mlv%bFqvi9BIc_q5G`+W$YLv39cqSvG74QSjSR=q zf##%-X|bO<>0sKcyD?i=$6JT9K^&`CTibup8+o$$$$w3H;_}nnZs)D2%p~%O#>k|H z!W787d}{mtnptsLl@V40pj_3mhf%UW_s$Hqln;i<7qr@EG6njqdD9xIhu#3( zeGP53+9=^;v{O8vf*waOs2FQHRFrh=u0~biGFFHwV_287*5pzFNo*9=7w4HWrk7-e ztMFJp&#EVE=W;I## zCY7$PN+o@|(|v;H>sw#DpGj0rqkv0W`H9=+ysGhspHq)|b)ZE#qeWWe%q`D_36_Ew zu}q;%jDrtk*xgfuf=e48Cq6z2=>t|E%mn6rjzvQ7V>(MQcLim#zSUpb^Z0|(PR1sN z$E$iF+&&R$O(pDkPhgZbp#&12D1dN+A6lTo14EOo<)Fsgn`1w%vvrGjSDxN)Vn}TKX1|5XFMyD8}a^+(& zt4#YQg}25j%&g(DYX^s3Lrc(iUWtrvmkHom09vy=?d&B@vr4p-Ytn87s{-66NtmBh zkQ7FWqbdozX~dMTgdK^LmNi+9ruyEW6AL^Ga=3i--GOOCf!Y2^i=;=uT@ zy{9|$wfS!sdozw%&mwSrU#puHM!owbtTKRBXJYa6$VVZms`&wwxzF;AW<&;DXe?L` z6r!JqlI;{yVUEB^Y3SuB7K@z4@;E=8l0ORid#XOL&bQ@jRVA$kh!RjmQ*v0?)|(L1 z_dMW;!_3rL#zZ~!6+M(^7^R3AQTuNhq8;@%rIx{v9tVXS2{Iv&!( zW2qo#Fl@6<%?1d5%#Cxycf z!ma3qLgGuYj^zDcMPo=-+!H8uw{^!`l!wISXG5@7s{r|gi&E-_ooK>Q>y1uqkRq>s zR1sKnd5|9mEqik}8|xiNAxtC5V(Mma?-ZVJArl9B(EunXhN$rwa#6cjI&h-|d;S$H z-AH2;`a7}6#IUMMSu5>I)f=RKrisleM0flU*a<{_!A~M3!)}vpz#`>6PM@i}o*(B? 
zgzDCd62pJ+4p3?jR!mnc|M^39Z+5Jf4PREfX|0T=w19~q3tOl&v8q&iEO-RoanI@Z zZ))YjCfhf_yE=j)9nOE;eTkFTD^H`I+=5H&XLlfkoac7EV=5q>`8JGCn&jT#k95@<+RE@ zli64T=V3DBK@z=7!L8GWrn-f#+@g;PvLP63SvLdvTw(9Jwrg+A!u=XE2%AHZFjRb< zwcFIwiFtp@SzI))&jSgu3jSZ8sT$%d!J5>Haa)nUXG2}V`Hlj7ITbNY6B`|5%1`_( zEGG7HQ`I=U6yOWbUpck^*+v7U=J5q5L_yNA+B#%#2!-fIM$Nb+N9Ot1nQ4N6Hyv=$ z7?#_zOzpnqc;66>n_VxbNcAc-_a3ON^TjwsGE6Z*y|J!MQRTObjI-e2fq`@QF< zMhYcuu=1n)>rQ7{#IQcsQ3iLF%ZHT(Wy*5{d$GMie^(L51W?K!!&q;1!}bPY=?iFT zr{pju-=?YVcpK%k!OtY*VPdD0+w9S!w<7I3=3wn^YTVv-i;NGftV-#S!!}qtfCu{} z;tULr+8KAK_tl1#cPHakVuO}6Y7HrbZl=&6IB)9%#px`NX(&jqosKZ)SDT5>uHY6X z`DPl2Tv9jJL1FT9by|$+T}ZpP5THtVfQz$9ma!y=!V77g+QX^i5Ty{yiKY7gBu#26 zvtw8gXS^l_=Pe;z@L8taHsnB$aS5Q@eop#)=R`H6Mp>h}U&)KJ-F)Valc3rb$(^Pv zCOC?KqL3h=V>SS_d`=Y^ixitp{*Yz#oF03S+n(FM{O31cRg;i2{8>BM@d>JCMZ{TU z89ij^Pf3gHaL#eKlSa1v%Gp<(G?94+B`WX-G(%pIMCC<7Hw|IJ=&Ael*$!R?b@bP@ z2(Ed6NB~&_1mdD2iJQY%JE}2}YK|5J!KwN%GPC^~6lo17u_6fWB4`M!gy1x)xn@$a z5&jvF^PqM-PU)$wu_OWCVR9@61_vofM}DGD zrRhZ`1j;~uHNBgk#*2JnzlL>^PY$ktb;3sUKshY1e%xanIEks3C$#Ck?)n>rFZLCM z7;ihjsiWKkoRT-IFD!Zb2DAUxFPuu)D4WL!ONr^aHNWtiq!;o+o~4)W)N@}ZmHhMN zu&UxRHJJ9m0dXE7s^^AhKh8i8uZO&BL~8 zr!APG98JSBJm(KFR}%RcYrCDA=gZh7(;021#ZL6|55(gFv_)3or;DFhS(MTKLD)rH85=FnsG!;$Bu~4euQOSHve?2ju zL8stIMYm1!(41*SOL1ltC9pv?sqv%sbO35u-n1lgo>-~kjv%G$UJBL|u@pD{@DFQr44z#ZqD{j85Zvo090#AFXeI-j{*t=mK! 
z*1HJ|E|flzQ4hdl6a1$M7FyDc;u>p|lWMcbY>1*0A-48#Y$Y$U;B{ri8aci-(TGD@ zSp^Yl!DN_mf~}g1fIwAOcOCIv7B>Kq`xtmS&G?AdetpmA!woak{coXSJ7Tu9qJM$R z|KSJAX_#6Ct%>HiceXYJIKym=pL(C%9!uuVDY{wFkz@4Ga0i4eL7Va2%|P-y*=hylD#J<#8JQ4FO4OoFfr9*Ku0Z>#GvuxrjZ9f_+7 znC@wvsWQJ;dGxC7j)$$QAFEnvYbriBO72NVpB$#=qM+)!yyKcZ#Aw;Rhkkws;ifXB zXzeR4_SB5mqo?RqG3$uV?|mty6>+BO z*A-o1g}BNU7G^pi7Q!nRa7iFIoyE)k|8hGVpyuDQtbs3gJuKm2@$y+!(gP{>evTCD zYL<~w4EfdCMNP5Bg)ze}piFEQ$w@+@A8#tyI>B`W2ovz5K9n!29wYn#r@&1G_DT0f zD55(R))L(V-mit{QgVe9!*8I-;7M^FqHZ~->C_WD6+W4Q1gGs3OCk$pEKjj4(oSNb`8Y_kpBd!t(T2Yf(-bi+Go{2+Ft${Ew(%~D?ox6C_4H+Q0l@fLJ z8^zpa^@+#-MLdonkm14I<2tZ~2zeEE^3KT$yi#vNm&MR)C0TVy6|%ns*>>I;m@hb>{kKT|$dT9r(!2(#FT{^c$JNGH$@d(xk;Bk=8$KDmE&nM7@8S?pbz+E4R#V||u9EF>Y?P)V>$#hOQ z-U5Psk3M6m-T!X0HpZnzuYp6Mgf`}ziUjy7>PLs8)2XR0(4hM(7&7Nmg@!>MZ;^Wof>}$d!p(7zclhrFq zt`XD5v{p!4X(N>P)`!c_F`mxEjKU~%g&AvB_9BwMWC>u+_@NqftCH8H_WqrYByci< zd;3PkWLW|`SC3sCCOW5FS2KnYXz{YtrZ~FmpCxI^Ez1IW#~dKz=QU<>X+~{$`!8$B zsB*8P$7K0pTlX%4jZ{EJ=CgIY-~Y=jw5An_gy+jW2JE-7V}2q~c39pMsMO^l;2RN! 
zY(f!@&o5Bii@+<$cPDkZBzo!!xVN=T#VtYhrb7ajp8wD0(AE7A$>!@9mDzDH9(fcA ze$HWH_7KR~vu$f#Ul0@y+vkQaVn>u5f6?OHQcO}#P&ueCE28aT4}Oy647?+gHzY6(D8j>{j@5hT}Sgy`vS zyuJicc+t)WFr51C2_NRG=zzf`0OG|B`r9Jg7kJ%*A*MZGui=Itfu=M~3$(L(9YHY< zJ+1Y^=V9r`^3&Es25u}I8~8m>U5TG@kMGhqJ+(5s@|thXhWhz+FJ0`?GxEvLl738vgGh3eX!zl${gm~QD)uwg8> z2`T?j$SgTK7Zt@av(Mv|EyyqD%|Oe(m3|A{o*cA7u7SdkE_ux68D|ml6z#r2zxwvfh zHOU5^b5?FA{bbHs+Qjb4Wzc#0lp0CS{rL^sXAREI!*K_u(#?+jRHgpN>F?a9ZbA@C zxrwFiX!?PSf;J8kl5b6^PRWWRV~4emG1o4}Z1QMY3BUH}=TKd^qu({nf};oBRGxNvyYmL0;jD)agC zYm}s0+XZy$t@R|XW6Rl^Sh9rXXZay`m`gOqbTE@e^>qB!jc{3cpiEeh7v;R(xP+=> zV5=1gkkVL)ngbTkAVaSyE^0a;vjb!n;GKonzTkZJ?-iRjCMQRMU|cFZO=wn*b_@@z z+I}=cgmoWi+f_60cv_pmQ1qV}&Ka)4bAKS)J05eI3*wCb@_N=~z&hX&H|@4weCV!D zm%~@6-a&TX$~q|-^C${|h9xU{9Wp-AnezE(^n7aU#(I%YrdDm?f$Npvu^r=lmWx(o zu4k`iTUFRTr)rN+sWs>Ol-!EBt)d&1+X0#}>D}6oPUx+I=eqZ$!$G#T!lrF>r?~Nk z_|=Bo=l#my%18gE-{W_YpsHNy!?E(=uv7=_ewk1b5ELJHv1!}nRm0I{txo6s>z}=e zTw|-)vKCGV?nFLtogR49TRLE7MIsh=E+aSlDghh~wQ1i<&hlzlDYt~NAg62@Jk{tp zN6vRhT8@q%g!}`iYV#TZDh19U(^uVQ6BTv-b9MiX)>ByhMA+QgN7DwBJ{iX$yUsxV zbiie)T=FBW#@2YWyUjypwP^IZrFpjO;=-2IXRF=teCB&s0ySN8e%!X(MXIrI*RVOo z>jwfhUwC!*=d1B%HE*x2g>9O9p!M#VDLC<2N*^L+-YO(rCTd=SaW;Z{-LfqBdARLd z4FX3^H{Y=TYsi1nI8kX@;sx!qgD6JoA|WG$VDXc;Hj%QkyP5uxY&ME>{7Yr2SK}Cx zdv!y!)K9>G-*SN%(g^M-^9PLvB#20DaD#3hlFn=(pW@of^?ipO96X0(6dzeNCt^I5 zInCEmsANngdh;ae^z(Fl){~@C+P)tc@?G1UZrII-+GJjj>U6FA^-+@QjK;b$oHhFub$!ne6ygm zg~@``hIROvP!GXi0hpuLtzTGz-7{!Og)LL;_wU!W<>CN?qE-Nfdh6>t-BrQ@lYyCL z75grCcyeX&9(Gk!VW9@FQui3St8U6L=7NmUjQZMig0_bAb{UsX#(Vmsebuq~3wc)~ zcJe0hxL3(?T4l19Lewik(lAi)=SmkK3rnvl<2neAQp-G%W-3BpDJ&#Q5jaJY-LNcJ zfA6B-Ut*|d*V6pQFAKOsJ(b6T7E8p4cd~{lo{q))ZSpL&vhP6=5Op@jD&xB;M$~ei zofb&*E!Nmp6DIyybl0g?1K%a^B2!*Xt>8;15BfdvI28ice_IDA)B^ISggqQj0x9d} zn297UGBQP>N<8UPSjF+{fq7T71X~ceF?5{q4KdEr%^W8S$&iX$u$U@@fImP3hU4yL;o(Sn>0rH7Idnt)G2TRjN zTuKBn+c2WAU3&Y=pyOP#9|ipodaN~&1D>bL7nf#-HqZ>*GSl=lLa5`!`(Awet#*nR z7tutU)Izo4AW!G66V3DMx+#S@IfE?*e0q(E>>IG2wkAbh{e%_HQ>ii 
za&4b4&_~&Nk`E>Eay?07X7F1=nG~1GShchIMwul$)N?$GU!*CplE)94>(9?T*9OGA zTtV|8N_9qNOC`#Q+cy{;4KDI2^#e343HyruA%$CD8O;FYOmvJ(md25C;&Od!2eT%K zx;Z}3@J@VLmO?j)m}5d5XI_^Pd261~08NWqGnDD|Q|2D?tVFW>An z0gx`fLlO`(l}s}&Ig7(^-&B&vfo=(t1}kdDZpj0-8jj?SYe|1IlZsqo47`h{{=CSW ze^Hhrq;VILk>L1A5cKC4xZXKagywn(s2~ZZjzVL8|QF z4E0=b${UZZoN=zx{d_cg*Pr*@!(&u}0U@`8C9=}`j3=EgYwqt3segmL$c5kV``Ir= zdqq+ds;)-LM@%Lb_{*`WJ6G@XZO;748L)Pj#j>OJ_oQn9a{QYYOL%hHSA_!^1bJrm znUX!K1dBo}P-dBEICt)~9ykWQ1%Mf4 zU5n)!bR#!gM?Bgd3iwx}tx69d8A7b5V!XlztRBrnNy)>@e4vA}#fAJKAr1u&ybSoVxoKkl=?~0HVUmJqg;9RBUqn zrv_5{%*#x)#uC3PSN1{5LamBuu-CZPC@=GL2S_dZD2%Yi0h?ezFjt-FVccgtA=+NxV1_SqX;M)Clkd6xMuv-GzJK%EINobgUTaw|m zs#R+D$s*^WR^4ei96G?l4eb7>1kV{Ta(BmNPqe2MCN^z0?wG%{J|MnLDZ4Mvj?*tU z6^tf`9FEfl2Mbxdmg%9KkYqn4Iv6S;={fxe3#pauuPe7<4e(3Xq-QEsd?*YZwnEd$6Q2A>^VoYwwM&4!by zxK8%D(!$h(e);&1y`C;w9W4I)PsOzA`kD`HY$5px+49c93&IZMv`o|Jr_c8xvciBS za*3vw!ouK_gHiPbnRig(x2ppnOi1)fyCj{#G`?T9`%&$f+)!7tDhz)aWQ!Q~VfCWi z`WY0+B7*{Z=3QjAm~7Ow!QTeG8itY{CFOz6KDdb-vvZ33MM)SSLy4-yuH!=1x=J4{ zZOM8a3%9L6(G2Nmcn_=_rBmwt|H{*r6dC2HM7 z(*K7j5=9;i^9NV%!Vj`doQE*{^u~S9Z}TR*PXPC>>_cXiNz`AlG_AasKjbtY?K*j$ z#(^V*k(nhD)g&?aGi{9CR&#$C`m#0VZ|^^WL4P|z>2;2&boI@+iDH2Om#jA8qyeUi zi-2ZB;PJ<1pN}KCq=;r*YTn?FA)6G8XRbXgU}#tzDnVd*SDHd4P}_);eWSDYrbjvv zFNr&xVNZCo?-`~Wf~U{A7#l)E4KQc_`HP;myGArm;)#~Lyip&d4)SyNv<>~6?o5Of zqrWil^K|X|_~VQR8Uxt5-}|$3oJkMD>c|85YP8mvr1_kn-DIuu@*Qrx1Kg1Uh|KFf z<&SygY#z0!b*#U=i_Z)bjCILjA`V?&9YO(okS(jYN2nh51ja75uyA}~WU;eW2ab|b zxGVc56+iep>vi`!ymor<7*!0hyHr4Q8AssmufEvD*?k0&i1$U0+r5ucP3>oV<`^~A1;7WBE(vsb?imE%?@;`il&midwG()iA}Cy@HYTKa z2mSYgzV|0ufuno{j(8Nbv4)0KIWj`l1G!_(YJIgboyQdxMJN4lP4>k?V@w|Z&RUOd zT&#t@TLq_9>o({&)ErK6WB=a}>0u0JhTIY__a zmyng25k&aP8xl(Lv~=tMy!kwXq!U7sDTQcq@c`bk&YTIwcZIlpG;S49b)5DNu#em}8Q1N`(yUv}Xqf$)u23BcR7L4KP?Bnpukt4Uz@{RfOi%;7 zMc2J@KNRZjH}dlv*fZG*aJ!XFFu-Z&n@Qn6S{x zJwYVr;ef_?P?Q7dJwfV^`@p}#*p)*58K(SVjfGU#?Nb<#2w0hH$qs$C-(DJc6!Cda zrrOe|rBMMb$i|^F3VGDLABR4ytvIzrE&-_30=Ee}~=t9f2A4KB(7!v3n2{&Wc@jR9H`sG9D?PX8+$MAPp%eXyR9f#3%IuZ;o`Y 
zKOxX<8=-BR)+Pz0LJV)I*t70c{McG~?)$5mpHTfTD1LUkB{^K_%&hd**}KsVGbvw_ zT2U*SAM^JAk3wl+jGk8wlg?&ND|D=*%{l{1T4gl08JY^Ex)W^U_J7)#g3byh4fS3X zAm5zye=x*jW+p}KLy0`^NYq!eAE(2#CVj7i+ zgx?cmfvI!>2JEGdF;0b$DdPq5oT*W5of+vrX;G!Pmx$-Fzm8pX+H(3-VDviBcz4C zSbfa&Q1<2k2oX!UYv8&BWMHV5ALv1~3>-cQdyk5cH1m-S@yTbT4(}_G=m{7BsQ_tG zRo^#k33Inb@C=;80j`X4b)yRzEmSb3N;I+}NNOb?q-#flqck()GG?jBfGV>1;7^qC za>en}FpcY7!fX^!TSx2>VWmSukkW{aftvZWr8;vIOd0dS~0Zi5YbI!i0( zI8J$i!cxT|eciZMJ_bf`(*r`G?zKlpT&15GfdN(Y8N*8P>$7{}j=)m3lx%mzR#(Z_ zyj7GHDt&t}l4!pNcOrHHD|&ZZ1hW2&OCC64KVBrl!Z|~+bDLl)mK0ac+-V~ooWc4V zppd{HXmMw&-VeH{<=KZ;)zErOFo9SGl`uE~D=OhWN1^?*mIGcJ`In*P@#a1V)ds!H zGw7U>(OOEOOn1zXPd4Z+511&sBDL*|v$5_w=B@8DdHnId*lpXu8AdLkq^F%Ym^l?| zp9q>KjzHXTs=sXwSB9q#BC^R4`P)dR={O1VsFgfE-|B&SrWOWb%Er*9OOBjzQ8@@A zuBlk`{lW41A;s@u5(xi8Z5u%VJ8Vpw@&V(0G+JH)j1@ z<@@P5UXtzKt1KO^H@ate7i%vuR+WEz8r#d0rd*aT`doW>ak+M&gRNs8DtGfMG{Kki zvNDt8^Ig@E)5S$~I~VFPJ5HU%>RJrXucL9JAjA$xz!RRN?ig&2q%0lT~Ur&*tl+RG{Tl zEWdS$umXz3`rmoC=Y!N74_RSv=Uvo3gkKoI5|*31dSE(|f88el>r^W}jQ?x0|1YR=zx7BD0`lvIVg@-PnXGcO!uf3FaBASftd`?tj$5n6#OKujj(0Peg9+#bX6TZTKvN(+Vdvh!*@ zV5K?^2La@rk1=@a#A8SN9)z#+3p@o!!okIm+HMj1gc7^dS7K_cjQb@q{&0sceROhm z$c1RsBNm@xtEy>cc)xx&jD{TJR*Y9y%#3iavUGmTC(o;9~%_IW?JI`YGAs^Ugg1%NgWVv(IzltzKtO$ed zqB-QJx)aqPIMH1Nu=X{fKKb^xL;@bJ@&rBm(j92HGbTW$VD1cTsXrzyr`m#utlO8@Qw zSw{e6`5sw*ZWoK)2*riRSHXT8*6#*K9Q9p>r2m&dFsbNR`H|{<`^X1$?!McTeLE#D zhCiuJ{S0o{P*PtTJs;U#>pmIsngTFh?_c8eF#mRFA3 z!zMN-YU6>4Zff+2otj~;EDmaq0SS5zIqRZMy#vYeKZM{etOfm@%aAZo;VlN5rpEs) zcTMo7M2~~sbreP;ddURV<~zb7-k^`^RygP8TZoM$FZOVIg<$xdcoIPf<06@}i%kN# zpMF1>g!xfAq@RoFvD0W&qL^+nwv39tLHYP8S0oq_+Oie8SEMnLG>Tf;F+z%>c|VLW zFvF4WL*_Ln>hKr>p`dG!`FtOsA=hneeF)l&cC`Ib)gs+S?HsL^9VVDGj~^_$mN91> zApe$+g!G_oTNlLzL3j0zvbO8TPq za^(TEo%r%!Z43`uXDtX`xo$uA2pg`6yrV=1OdL*`q^uqBai-n1iH5o+J*5&{iMrBP zQ&9%)ihXPSDuIczFg~Vuv0}R#`!R9oSKGSHU#`)-g z*9&~(0OWK{lUdOu`x|jfBq35PB!Sax8uBFQ7&n8f;PEZ~QIfR@_YDVJfOt1N+ZAc~ zDY~k1PGhw+V6#Lp&D=dLNfomPJH75D3UCaKUX)J)Acc4<%lVs_xm!MXNtn2TzERKXT9P#0Pv 
zZ%9vKJmV`fN5t&6M7mny+Ot1?QbbV~p@b>e1cUBY>`k!5 zkL6<_tWt^_LyT^m$P{vxF>1H|lV2I3@^|@$Yw*m{pOPadMg_*-?iQpdfLKO^GWLXIIHhsu z;Zcn~HmoT8d2U>WIOQ92fa0dVG@f0+Sb@J%4eli9k0isLM@Qe(PbzHjd&V5Ynt+z6 z@l_ox7A6#V3%?jL(W4C&*K)Tb zL;sUM30&7d0#92I?D(l3i@Yozmba5zzYd1Y$0UtQ(3Bhw_&yLsW4hMRSI=;`Z5Tk( z^;*V3ko#CbAG9knZfNbtvDq>R#$ebu7$9A?g&0^&+Em~&Y&JKFNa~gA>imQjP#Wp`> zgo7M-_QIYCM_4Z6I^3A~l@3DDI)(`UwlRpNynPQjeMIdOKtUU*&GfmVV&ZN09zx>*2&o>pGR+tH1S z)ehh_b~-9UjewTHr7eB(Anrdy9*Pm^)$1Vm^ zD*oF0!p(f@_P)qHqR+b_?ligyj#De#DJ$d6b+k#Qq@gS-Zh zzNkXy2szHz!6jQ{`L}E@`VETKp-RUxU-xI&laj0!qC<{Pl#Je`3yqNOIIsC&FrkZ) zm2i!T#S(~-+eRv0r3OSYJZ87#79#$4g_)bYvbLi-H*o%s;qVLsMi$nmQmSl-e3==2 zior;!5kq`08vU;T(>Ju^q5fOtgfq|Q#cW%M1pPGS4OEho|Y9#umXx&9E)@w|dfarg#1JJesY( zg8mXki%#OdZHuCP000!Dgl;P-V+EoS@nJxbzC)^-Cit}8bxfkaz|txm8AjEyKyUV`GAZtoO!QMt z=~+_7kTl=SI+skbx^>bw%EDp)9OpVFkRq!Jr*ZT9(7%kY+UI-YaM$RG-uFY2k3SC^ z>3~valxcHh97O@_#p3g6^xaptYB`*$Y4r}BWHO;_7`>(WrHnEMZR3Ps&c6Ry` zTCDGIM%>8QWe|}ngce{vh0t8)b6)6uV_PJE86Frze(;-Uy2A`a{c<%XaiAq;W(bQ1 zAOg!G36_540vE!8&dE7K^8=WEP(&7JUO*XB04?66g-ifVe3BJ`?cx7cu_Cgp>NDDMrqm=1p}Ft2K6Ko`>40`|ErUb=Eedd=&%W!O zB%GIyBQ&IWz3FLIm^BsnYSxWAY8g>+PS&M31w^1tw7(5r`Bt9sef|Z>xjk{ zjXOkg;N~>|!chw|u;NdApeIEt(O*B|pY83sHiO?Ymt%W5@el-b8?jXH?yb5%=WUMi zz0eikw*MFB`w0mE008B^?^R@BOCvu_mmm@>h;JRlAh^g5-1!{9@Ut4Kjwicmz|C1i zQ4Lcksz&Hi>cDaYWbN)Vv-b)LIQst!m0@-^9Oz(bx0?s@_1>f{9ML_o40yBFb zqkyxIQ^B_Z%Mp;hwZqKZB`DzR5tQ?7|9@A}0C%_`Slo#2E5`q0T6%-3oPrDE%?Fd1 z|DXAQTYn5c7km2Z13cvjbN{IA4?QTFE8C7k@35ZfzyWc-AE+d92E0T5BYOl}b8qMU zt-~Hf&GInk6=;9%rFAU3mmc<*8ct7^{pQeU9J6f2N94 zgdZ>n!W^sv_}aIzF2Epdu=_}YCI5914LB3EeAWSqTiX>b$R|ex*umv4tOO~jATm&V zo2pR4%HxCLF%~#VF>{_g9!R3u@(#co(NebczypnE`#RXxmRC_-x2o*G8jZD0vysWh zjt=CuZTg*S1Igc&Xs&@f!~`TJm_(2@6rJ}731e^dAwU0pQGTvA&}+snAq{==(#{{k*@W!d^;Y}2F(#J@T*ww77GAQXVkb>NotyZe!lEhI#Br} zPc_#mu9GllCEVa5fMbzz5n#hTA3xl;zf1!`F~6hnMY)S{eN>@;L!wiz21)r!r|6)OqtmF#-+K z82UtQ*Z|l2Z`-G@)=MY|E4a>rD%aNS0qwwM%QD|==MtiIf8{q2GlFrKEf{JsncojU z?k`;Yr!k&~fd||b>92is2-AP0aT<{rI}~q49=%t;4gC@Xn&4~*ZRHnp%?3CAJGsyP 
z*RHQ}YlIv?IYWIo(|$DgOgjkOl6hcFm z^0%1Rr9+=FOzFmQgsd}XKo8ctiS8B)XVs<}*7(S>93F8eLT=}KDVoM}gwPmDghu?8 zcjYv0g%Ld1ul>HN4?dWH%7=_rq5#n=yoZaRn)u^4FuQ z{QP3E>fm;uj9W?(Hhy0Ur#2&Mr8^;@C$4begzk?sh+{3YO>Pr%hDJS#PV|YV@N5r5 zi+c71)^cK05Eq9-v)!q{sVjB)K@ori>kc=k+@o!}8`|zMcWiyG*nluyPDe4E_ZSa- z_!$6T^I~KF`d{w-G%kRa)nq#lfT(XwIQ@CsbJX*vyjzTC`}_ksZ*RwDy(7yYIL9oF zC;C2PWyDMrllr{h(ZI@Q+d>|3pR;<%G!q5_87N$U+$zr!QBWwMPkcOX5JNw)s@D^R z>*<)md4*ky??chdes+(1f@KIol!S|$ePs}p5EQ}gz`jiMEECjVzJ=mG$LJYZVKdGm?Qlq+zkltcK=hcMFL$_W>aa0bA=~IL6#+ zMGX?WLbjq)m>vZ+VlEqk$Hp^SZ0PQ@*n|3gX;L@Cz1h8MhcW%q9Y70_qWs24ll9o| z@^|=rFJtJpe0sZvy5UptF^2snrF2r*b!3w3B(W)0f;ooy)*M91UNmXrNL=A~?2(JK zpzEca-O3Uj?MlwpO&x#;%Fs3WG{Aeg0cVXt!T!?@nsx-C%iBfy_BNvfi4*#3Yb=Q< z6gcqq^6NX=dAcm$te0+LzRbXX#h6A>gj>=XEzD_VRi3$Uj>SKDF8l~TlVQeLjGKIZ zzwRGgoodKvJ`YtBJrWWaGeG)Sz2?st=Y}cF5c)t{f1%W0n*|W}&JqN2>ap?Ls%%tH zkb#$I)=m0n;D>(h#zgrG+mdT2aUH*X-_1>IRRo-&w!ZpK(BqL6>I<7w@`?~_#KvXZ zzrpyAai42PvysN{OQcB5Eu7m@)7^UMC9aWdRy&x+qv+hbP6ZN~m_48>m z`pxayC!H$HMv`a(5^kZeWrSxTZYMy49B$926KALZEb6&`WvYBiT9x!up)ef6?G-2e zVQ#0_)oa?`+#wU{*`tb?pEu+HGjBjRy-VeWvfEsw3=Wb$N@69F24tzz}4SnAWwOwDlKQQ=q}=)MAzgBZA5zxq8ZR{ zXRrw6dVhaWiswyJsSs|x@2#;cOAXA~3ne+Til_0Z^j_t)bXpMRe?qo2ZH$;R?Qg># zb|-kHD)b<-7SUlj*8P-X`jslVz%d850BFL-US+5oiq2!2aDcH6_WP#;0_q;5Dt!cZ z8qOH@Ff_L6Zgf%cDPGRCC#es%5OR-=DBJ!fyKeT<-wXEDFcF}a|Do4#T1hHybM`J2 z0tCpSq~}n03wSOpfhQC%$m>dHXphu)hefDJ1!BPl+`j^JEA}aWr@umCe+gJaOqh=- zW}+|x22{vJa7|1oZ!04`(r&DpRc?OCQRi{)iiGD|qV$sHp)&H;)5G_)4iy zQ#@B3Zl+i^cVHp7Sf4B@Kuk63isyrDXVsM+`(4B@dOJ|E&+-X}wdKxfUo?Rf%sB;49X|s3~X!tKd0;6++mXBG(IE;u7F@ zdjs|7G`-6l4ooOyY60(G=|w4j?FGh^-EW5P(Nbp2Es>~Dxo&N}dra5?ZnXJlngFp` zmF?TH6S{{QbX&A^PK+i89XWt;oey%vyxxTbLV?T_fI2i7I)2?0 z0070+>6WCgR(D4>1wTC&$}zBdr+Z(zGq^!iv~{G>W8aOX^H z%7e8ugM6(k^lo;-U)(I$An3b;I{WdeI)wKSJBp?yYtx|?SpSW>W59)(eF6*69e5(< zi#@Kl)DV0JVVjU*^KptcfKNE?TLY$2)vB+3tUw{7-|^i~*1*Pot27s=yy@uL6It!D zQxr*mnfT!@B{!@_E#?B$wi)7JhmDdm@Dq_-7dn}PI$(NMq?2aJw6ZsVMeREVK0W2hn=bu8C06Q|dX9da__G403x8PB20B=)?iD<~Fy@^KIK+(vR(4c7l!&pB4(2;|e+ 
zVBw(|Fa6OA7~p@!UdWvcLsQ!Ji(yT8Buj%Y6dS1_YU^vgQ1<|Ubm|%Dh3iCmF`v1V zjd)2&#Bcs%!tc4ve*z4s=F0^Xa`@o^W(gWGg zOlj^vn881PCc55eRtZmyuS!MC1%{dA4|oQJbVxC;GMOC3>)T%Ro8*%^r9^=T~B>yrJ=@zi)lXh_9$28&FUbnAbQn?AywQq$Jb z_HZCwF;KVwIhFR-3rpT|N!4=ghSCq5b1wUp#q*;^|2@=s{i_<<6KIbqyoT!S&;GWT zmHKWpljkJ^Y;|I2K0jj4jKk3M@f681p%&hG6|y&Q9}Z#BOHxaPh}%~%! z)PN$1|EO$!w;+qG2;Mg$raG1$k8rRDf>6<;KsiSk+d>ZhmFNcEXJ>$`gaq4?4;hF- z{2)bPy#ay+y5*iGv{pe8ScK^(1Gnf6H@6wux)pi|p}g7}ofcR5*Ncw9%u-#!MM&e> zXY!D!&0NO7yk_1;@CK&;ls19v^dHY9|0#Q&C0A#c$qabk`t%zl`jtM_o4VoZ7!d`r zK0XUZY4e_jH9NV5!Hhl@qe@GkUtD8GP4xB&Ohzpb%ZC``X^+{l?Dd7{ub;%tHVd-4 zKwL%xzUGf5Qn;{0lXn(zm=JfOwXD~Qrv{siQ(64JhU&63yITB?8*P*-hEWyeL;ochl8p-cbt8nshVt4EpS+Idkcy}FK`$ImDK^JK%I?*_fYt95C z`)3STA)ai%crup2{VA@ZGR$O8Tzg;KYktoK4VyuVERl$Gy>G*hl}!W%0WTDn;gas~ z{tsi{6r@SeZTq$Dp0JW#L0@N%E*Vxr;Mt- zuvf#yI*~S)I6iOscwP{aHrMAJ57`#zjmQ{+QnIIk@X2N}D8s0O12K+4hdMc@C$r}5FgmK^pm`s?^tc9Gn1y{6@3#|^#%@9aQ zslerP7*#CC9a`I0Q5Zi;M)^0sJ$TM?wC9d+2onNv?(rsM76D@Jg*cMu8cRA_6$sM6 zE0Daq(`?f3?Pk(kZs;HwLj&5BxW~U@c9JT!sAGdexyD3C3Iv=0G&6LaYg6Ra!!kbq z{d=|mbdw8Xh}Sh5m<9dNq>p)`jyFzk(o`LS6CptexD=#u1PEE57_MfQr-Lip`eYD3 zzPo<0ZpyM_(pPq2M9TV$SQ#yPUg;QZ58gn692e6vEGC_)J%dxd+S zjyOzn}t4F zz6B}TXS~y8t0oyq0;3M(dJ+sl3>UPapu#Ae8lpQ51b&+{X@iHW5dlPzNvF{|YgiBw z+ZXkUhS#NL`PhAElQFy5has$*je;?=27Tm1uyfhWY&7TTw1rB|WKG$MjswGx+&=JUOHq3ta z%-k?e+!c9GY-Ju`=s?%1-E;ANc*gwJSju$k3JH&RBh7lHO*? z_+^uUN_O4xc|UQjfTh;+$t#~d)@)nP^e^Lycy!Xl7Sp z?XI_y>DuDW=wND5I=)U~!K}LhHC1NV8~Xg+=>~e8a3)MfrMh5Sn#HN|r(~%9VqLHU zXetgBa!*5eZ8n@RE}sU_3r3nuuGI=<@BQ&T#c7Q25D;}O=RLP& zUpqAKsJqj<@#~45xhCt=GX9O?Jb-F%K4CDm-Ko8r8)n;OX39Kypr1p0CJ-6mz4 z2=qD$_9tT2p@Ek`#4P_W6S$|`$Y-4;sB9Im{t4<$C1MY7-$sk*lu!&rNJh1i624E? 
zp9@$y$6NP2YVBE;BO5UPuJI4G06FV*EI+$1Q!tw38*f(zD>X#mCEl z-kb%#|1$p zmYet)C8tirc$oW*L~QnHl|>DN>OdHQo1=TC)%rjN+k=1wIujgAOfBz|)B8=jbq)B* z9(mF!k$r=&0}~MYNGy!$p1wm%3U!JvjgrDbB}l?~-xUUgkx=e~C?f-lGac?B;3!|A zXqHn>A6XNVy#{(C(B@qO+EZyP-5;-^7EWa@1-RsKZCn>Y*yK-aj2pOelp+`ksL0%^ zvyA}prFrl=L)Io%V|}e1bE5DQka)R$DPr94^UMhObkrek<>Jy*Q@iZ%E?#JaT^AuF zQl``S0!#YBXnP?Xhb@^cr>tIs2#}7N2`&Ctq0qNUXCSCQE7Kx2O7n!GtfQLL7w33E zFuhN=iN-^GBFK+Ub3_4;f|lvoTDSZ-Jig!zdV~`=BEjBT1k5x~enu%faS|MsT}}oJ z$|+qF@Jk6zYs;-^zykHiR{d* z?}%orUoFv_GHUWk9O!rS$4gHbcJ8V^5Rm~6-houIxoD_bRf9tyud~656FUBd${|Ah zlH{mZiQMXoe5gs8py6}YprPjC*{8ys#~t9E3!=`iLu+pwr;Jk;yRRwKo{2f1Psk(& zed)4yWz&_eWy%o3v_zsPOo~jZw{i=2)4SBwLnQN5GGzpW4S3Rb(JnZ%|3Lfy4E7ev z*g>|%w(Fqzlq$3A&j{-|r)Wsr$i@9Xo$eN*Z6w5!vKAo4zQ;#Nhg)skx*Q*a5c>a*-JSUIS!AU0U9q>F?BrE>jw~;9^DrgR%@FCC7opYec=|Z7uO2lfU?b zxVt)G_Mc7b)=N$XjpXX9cT827fn*z6(hnqjOG+%48*!)Ll@O?Ws}&^jntFNBk&J=^ z03c>NK8FF;Tx*6ZBiDVs%}%Q!m==gD0?de^#aF-7(8SiMYJSHys%UHAn^m;d^UkT* z8+#X2?2mqks0_vbi+n~rOJv@VUIhnZ-3WH%)Vx9eaR8~!i2@+2&dB=&pK)s@_hsxQGH)GP2F5$Cr14CX@_?e?u#Zk zU>%NT`5-hqljj5329Cs!s-!)QIq@cF*CgEpk=ADUgBiYFOyFn$7umP|*6q;ahQxeL zUsa0gNe%ZM9`x3ufiJ_ov@$QM!;p1l@J#Q~&X4g`3m!R7rAcSyU+|VqcLnUdyDw!K zJ8RF;X++*KFCSAf^o#B1FV3zIss_)BHT5Hv=JW{68qi@s#G{rfAw>~wS^Ke3Rub>j zWel4;uXS1XR;=R5dzarJjDO6V;Z9v1;Sr?v$PT@fnDjzJ zK;iEHrT%$m@oql!H>>wuCYw%vioGJp$$b6|MYHVH zEmPBg-APKC&T0|_hT|n%zb-%sGuP##Z&niaAxvI?FFC}RKj4Z!B|F3`@lz^!=NR-z zfN~8lWQ6pUabHh>GK|`-+SmOr#B`5Z?MeEj>y|>gyLwEz2${4+89ZdwGk9G`Ifs`+ zQsqX4i15I%nrtshdXB+h)PoVPr^v=?xS*Hzu@2)XZe`|b)1 z<2UUw6F)R95uKa+5;#_1jb<5_N8}DMCB}0NdWo{VS*2AfgrHmW3@_aPn!;=fux3#Q z2&jagNEk_mVM}jFsA}x%Vp0>~-=*6N2AOWGe%{ENBZr(o+DW35Y&>Mp0k=lmw8BP& zpU+fw_o8o!Ii6T`eTzD3lhJ$JP7h1)I19Y;lfjotz(RDZ-gJU{1>ZZRs{vL3gkxPl z7?0na@1;~MkDTUFvO_T=<|M03ty@;D8sO*6lR+?qL74CnSMu6||EjJ9kK#o6o=tWtV_w?`+FK!;dI;~V9Tb)DGR@gnwTm_=pq`?6*&=^Krj%>M?YFd{vQe*Y$S#1pe9E zXfad>^p!L*eCfs?`HjPAcw_N08F{S3ki_!F+HSjU;mp&pyTG33!y$H0?W~Gpp-TuI zoLMD?vRpSVBREK|@agjtia8wMqN51j=C@53W8YcPt<&iKEHNK|-+6gk=NE&gooND@C^b 
zo_`^Egn!?}{03nzUbHy2Po9-W9hzW1-VNX38W@Lq?RCA_w zWwi?=-%0-g)r013o>RKrKa}xdz?~Knew(mh={_u5>7l!DLDQ`T@g|U^4+|LK;72!9 zbaFh1Fbj7b!xmseDPuAV)OASgg5K*CLUm*SxYQTevg@UY>B z|A^Lt>kp^2-1}M<27+es??=uXr1U`g$xH?}`dWGvr9~|SC2fd(QG0jo)vPP@e!QPi zoXOr!d+QUI59GJd39OviBw<0VKXf9Ge{+jKq}e?IoE5Fsy3%MctZ!~< zOd$UPs**$&A3iEG>U!wJs9C_h(1yx7aYM$uGxmx!m2tM>|R zy;LS++Up?zgSUsA36O1Y5ZjIVYyz|>7azrZ!|Nf(vuV*3Iwtqrb#g#db=q`fjtVJK zIwgi_=VgRDKlWmhRL1>((F=4sK-g)=s1u>L*6<)|ef}J7t8z=X(6`b!dDmMKAn_*v)G+P7o4(fBt%>5&$9F-7J^ zO<|lLCc!!IGiW{yy!c=xZR6g<-3BJ-nQ845w4z~FFkP58OU~r|sQ3`%6PFxw8WQvQ zq6|G6an*L87s0%QO%O;?C}+Z_<1+JUG}6j!LRStm0<~>5ROkP_hFhuD7+HAHO-A(5 zxiRWIp}A>u0+g&UZU$$)Am+PmIv$baey2uX*o~yf$D6c1^se(4?$gU{0?OG%8a(C& zlB<98B~O|btdWcne*bC>nUnpK5R#pAJebs&zdd5zZD~++w@nY@&j8+9C)jO3rN}(*Nm9Y7kLmu>>g<7q*inH(1?Zp96LBovAV@ckQI|48xxQh*D z0ji{rM{XAz?N4!JqjHniRVqxdB=xd3F;bd@S~LlizS6yiqVkPZoue*Nua8z2yPMJE z_CY>bL;r%*9Esy;_3)$r0Y$=>$FY_V2a2o9zZLKC$q{qI%c5(@Ii$R$A~i_wJetAa zZ5`FYaM=0HKL$YzkpZ`Ua`Oz*MZ|){Xnwz`OEBhkYjddvc}!AyQBURO211v+g2#~2 z`A0E>zYe;4dMl25ysClLFUwfm_KLTb^`T$bk6Z#V3f1{_jXJ@+_w=C!9;jd_HXyLvn~xml@v-zbHz*jd|M{ZN6n1mnH3ia6 zYHmuI3!J`gqmetsT;f}#tKHC7$f{N|`=8V7 z8hl6TpzAJ_l6xo`yzfUO^Vofu!wfP)V|@wgV^N}yiTjW0?nY1iaA8TvXB8NLVJku% ze|gHk>IV!&kw5QdNFTG>lFI*mGfGqV_1`Ma`8Dw^E6vccXHo6k$qtM$8X{QUpi`)L z=9(A~m@$~KUsc?%1mJ&0A#vz2APoX)lK*K5$z^XSU5gNc%I{Hj-q?geI+_KKAM)+c z@82%}87!F@|9Nh7ngME;mJ-G9I+6F{H?zaOxlzZ()nYR7LfEQ@`ThL$W^m4yS*RyQ;Hp(EhT+YM`jE!$VnCU&F?C!C zl=Hyt#=DV?*1E-lr&qi2EnlXvC~6gb|<~I$+T2K~_bVT=_Gp0u1SIrD$ zu9hxdR$$-hs%==qB4NU0d*V%lw4r9zsSZjo#y+$>wHKGmLVe|wD?9FFZ;_)#i?n3U z9QJlh^Y`!hxt*kenEl${C)UkQ?oYhEX-t@0emXzr$&`h~{7M`(j4*bLSeje97>r0l zkm{6gXT+IZ7Luv_7BwnNXX%E_2kO0-UUK7|@!^wrFi5vKj=Fm_;{j5Q);o5&Gh|tc zZsNqN%~Uwp?_*D&b5CFJ@|QO}QY-JiPu^G1i~gE*lcTlXk`)`0OtRcVOH8Rspw*Po0Z_0W6Y3nyfwT{ltWd4 zJ=_QS`9HKt>&Gr<`Lau(S~et15tf|1g1k~g9{RL@==`S-G1ibz-l4ZEySN;GS`3Jw zN(_G^Pf4_Isoc#r`kb!Z*?FYNI2!WXj9&NFo=dHZp$(B?GgnmnNoFg0+qQ^}P58=q;L!@>`g?Mt+Ox#WbIkH6@m56OYK^6Ac?awpLO 
zuC6@O0l+l~F`Cbkw3O)97zF%^2EcWUztxs7OhsClEA+W$rS;O_29 zX48gZsz`~ixdUF}1j^HM7+giihc2quU+zT%FhzRmlP_5-@mSSJ3zeA7amg@Hh+vwo zIYZBfCgB9GTSd&~!2{}oeE(_f4C~{~y!5iGqEtQ0icCShMF@ABXPa1q{23#nu-y?E zQl9^{2Ti`Q1cMn8)i!C-ToeH6y0=~OSr^N2J z`#3YZz(c*aPBRSC9T_`bF}4S_?p!gR2(GXz*Dq3(8-|omq-;t3_I7eyriNx^N)l=V z6McisOQRF+e7QU#d8%VGrN3@ks`)baeTY4qEt93`%LiwfY6;ehLvg7?3IS*0PUqwR z{FWeDEp^Cr6o1olLfE);hO&hq%s`~Lv9soz+ct{fPhHrCg59uq79s=hkWP8I1>w(b zJAKQaku)0GXZ@9>!X1Sy6g>)hF?{PvBRYh)H+MXZcKvR@qE>HKki@4U-0G{=$^i%D zUKmpkkW5=x5N>d#B^a$JE5ST`r3zo`lrfMe<4&(n{3h>OO_gYDbGn|I?4S%4fS_c< z1J2^-vEprE$_efoZO>QlC~Oe$$e-*$B6@O?na3&gMNXf=fd{flfTU^nbC~_(>d8)R zY{qHf5ob$GBAzV4(wFI&^ajMuY+&m)6Qsj}=tEthmS@y3t!68cZ_8cn|G^A3N7ImJuB5*&FM^r4&}K8>*OGvBEL-&QqHn zi=GSfT$3yyW6#4~5qw2%7!FHF`MSzX*I!`q=QDpjACzR6e)$%^5eI9>jM8n1ZKm;Ov3sZ6`ouUyh z%PX5KdJS^|jDH?c+Y1pKgXT_k$89$Fk>xakcTf^8MsPQsdYKybBa^ zJS2vNOm~od|GH+K`l&LeywkJWQ;)uO47ohHl8;Ht8L_A-~iDvg{ z2BDNuOx@=uD0hzK^Qv9NYYVj)-e6{*nw$9*{wYpl z*PJ>$x`~e9W&JV&$%kx%nCkZa!R{Y9MP70s1t@$Sh3>_#WZNb69;GCekcRTn(a~iX zD~KIw#lGpDHOdOJrx>}r*tZs;Ij9pF4fNkdZqr=fSsA6uy-qR7(Ot8XAH{0A}BduLl}m-wCd z)R=g#Kw81)i^v1xRTFg&;qUbXd)z{mC3$9Pw9p;SW%-jr#$;2fU*93E?`Fj~k&ISE zTk@!b6E6p`>N`gJ2YZWL(KFtUpdc5@Z8;c+DpUFFaq@kYV_60hU_ag-9u1xGyx*ge z_lv3e@c*cgZ=Im6mcY7s*We_ZNy5-#)Yf0Kn~x`2E5O^8#^vt2nsJC$x_V~Rpai!; z3wpKtvcXDy4x)cyB7^fy+QBck_ImDE<yuae!sB^6d~HF=7eV^eKARL=o8=L9dzY+rhOYkzq95$c^0=jyI^X$Zso zyy}@BV^~aoCxNy@x6i$ZIgdA`ORnA)3yUt>-AxyLsq^L$6W9HPvD*WAAO9DTT0tCF zlaabNfRZgj0vW|=-?73GlIsI>$j%z|#b9`ulJkjjlW$LB&bm4%FYgb!k9o_!?yKI= z0g0AejMuXj0DRAT(V2`ZQ&t%(B4Z-RI93*8*|VGI_5;0BM%^{58Px5)ukS4qcyBfC3FX zkE)^NqDg6Y->y#^le~+n3#hJP8CH=?)P6H!HRTUQ?Lep5*bQv~_yyszlEdzc$?)|Q zYR{)X>pfPj!Pd~k9E3h2w3!lzc(@8Sy%BM(0K}xQvcp*Qpqbksc)QjnMk5C!tHc9F zD$}{1SPd7{i=IsiD{Ya|^U@_#rAi+X_um4FUt=*p&G* zw`rC2b(o@Wpz1?S8_LD%vRv*t(uGvWq~2#ZE!duul#AdxIJ&n*9nHR_VV61^R&aJo zzuPgrv;_4dx=kbL!^Y3%po0d@&}M zNz?kHdzn3|-69^cC(Sp^=S?vRUxpxtobg$TtMUI>0Rusa`H~P!LWrd)Q8m3eY3OvB z-*P3eQ(xWsdRfQIhIxA;ZhYF;$g08zhcF>53$A1=C<%DsADP-#*_4a^ 
z{IRkK5ir!ma!LJYHl>_|FWOwC1h&BK*8R9Jk!&9Nc+_jicHFHHfnE0w7h4{^xU9pW zN3aCrQq#DupM`Tiv$ypy2WrJRn6mCaf9?q4-#Q1rgBqK^Bn!m)2;)F5GkC&6yP)0g zuzO9#p!!#tfV?nb7$iL5=0+d@3m_eqT*@}r?AHnMe;7k7_zY;^d0|bQ7mo1K7%e^8L z_Eu6@a#V%_?kedXkBsEAqH|6l7;gH}iHTF*Gq;?Wi7S1Dnvhkk7s~NkhdXQKTSg~( z?|lO;gVz6z#1^7z@xmRSQh_ENZcXoW9Q&(Wj_?p!q_i(gD?Knr+_W8^;~A}7uX&Cx z4?NTU7tfb#1*m-{m67ly2Y~OVt99WY5c~Qj9r7?0e?z(9eKJF&Htodg-AX&fv zu*gsCmyaK?jmy{37*zl#|)E(XgaQI=@E3Mph#AonNIVx7Wk zSQaXTobBTt!gqvZ(}BiBH3kI4rIwqra9-is8QJaUjz5T8c-;##c-;!I%xiqHKE(hZ#Zo#rfMirS6wq%2y1*A-v>K# zyo?}eXIND(FL_dLl&cD~;4%5Xe|2nWK+Rfu3BI8?)Bw~%@^Yn|eEA}Kii!JKtzG? z|2yXZzzx_!iI2nO-byl!>M*|#aQO%v!p&W=J$wL`C0PTTRq_HH(MHj7UbP}90$*3ZujktK zBvZWgd{?W|*D$Z}y}HVDh?v~5?Qt7a=U_Hn{{nfpG8SV@pWn0ryAb+MXBPG>Ui8VW z^=<<@IPpw;diq&=5Ggu1ioxOZS@$>m_E1PLoWfQU{WR11h~n!M`#^La(92TO#PvZcri3ZKmyCGFbRuLXl?hsAjNHd>4bN z_gxhuUf;v&901bnJT_-so7o)qP)l9N9Kp_R zM*2>SH5!kSb4|Eyo!*+~)(A*W&eSUR%Hr#LklVzzlgnyr@O{RW2Jq(g zKouQSQuL&b69Ns)tJ!2{?5_Z^hQiiY5gL8yqJvx-V;L ze7%Dgm!S|S>o{QLtE&2i_l+r}T}Mm5{Y8awtQl-*%Z%;^f5pK>jvr^O@`2cERjpo_ z;$$WWDc0)D6v@WsQ8nmu3jn7QZ@Y|t}`Z8%j|+myN=!UtA` z?eNBvNvP|ZLpFP+9O}2S14ZXnCUgyBBa%kPUpKb7r>4}BG31%~`tBY_@#6_9Mt#?^ z<|d`qKC3x_UZ{`zIQmR+9J_uq^OCd!u-8*Yp!S8w4RTr~GM{B@8nvJm0kZ5cCn0XJ z9>N6S^Eu22mtQ=7NAL#y^8So;AEv5iDS2t~!fQ2im-NdGvYj`2j za<-`18(7&H7_Jw4=Kz&O z2Em~2-4Wyp_Sfu_unMr*z` z2bbGgO!P$ea4R8el~OchZz)TnD`IQZw_k)!&GBBfz502fw3~?kTDsQYIq|fDakf@5tLVmZ1W=LW4YnZx=R!SYj9vUtVyLW1Y*P;b}Y7!VGxK)-1p1eLSO=# zkD$Smug*NC_yewWIaPoN;_O(LqwYR)o2)(YRq`WpT3cPg9@zo%Bbo*(xsR`8@5PakB7bC)Z!5-I52UP+Ex&0C+uYj7= z%2sI`adlriTj_l6Q-wb{1u!c1w?F5#dXpX^r9gsi+^VD3m2T-Ok5SXY%J4;cXMpS5 z_~BWQutT0ZsM$U!iotLvQ)RR}C8-I#PkgneU>fu8(4{g<30R)olS zE#35^W|xeN$2`$~re((NNb;Xt?NbheDXH8vTZ4kNVy> ztqpZMDW{Fu)(EBYG@ZUR`pzD)dcLOdnQ1sKEBGO?Vm*wyIUH>OT+^u5#Z`u>L*Swj z2aiu1!IjuPb}P6W5BeE45$RKp7YpON0mTRVAu~TG?3JeHNu25g35kZ_&-9%*;Fn~f z!y7+ssSBXtl7B}Az0GjpVdYB~jd&hN8xeyV}?6VKrG|+VzkK zsLy+7bhW05U`L@wU&Y3@axd8~x>6iaIjiv+NOL1U?O2j+%rJv 
z>d+T1tPQNz$QKw-=;Aqn+dKS)3~>Nv!|${vv`1HI&jRcAnD`{b49?V$2N^%P4K6_N z?6ST4_paD$hKT{ihzk!BgrSd@Po)40GHwAi9ibz#L?@;ZNgTS%JRNs~wNy6k41(Ym zIwP(Hl)ho6Kq!$#jJ4m-IfRb_BMhD+%T*~Fd{JjKeZ-5-BSo=nJ@qRWp0RjP!zZ=n z>eiMwo?S{!lh9=uF40@4y$J0dsoFJ6auG}JU~CMf-{Mf7jr2FW+Ld60dWt6MFN?C2 z*Ri$Ia51tpb4iZZZNCWR1(76RTBSgX23FOLD=$>T!^6x>>xWZhA27-{CW?+0ZU(`_ z8efuT_N;*O5qnRAQ^(K##Ert_v)o9{02=Kq_ zKdtZY9Wt{1A_dx@-g_#rSGe*GSDFTp^|0SIGt<<;oY#;_n_)r*^}5HXoox7fQ7@=I ze?alGmGHINW~73Uvd*5i|3)h+TO{bZ8`yXJ_OBy$@#sCG+{W!ccL+mc^)L=J8&8#~ zyc5&+x&?TU>V~0G?sr5N6BVh5f}I#lSG0~Zl(fem_ZoANu-nr)(H6OzEIE)O3J>ne z1+qgtD?Jh)7z?+Za@XSLZJD1=DAI4pV~ZjTb2uK18fy&5HDl&@3eOul|7ap}_K+-J z2LDac-5Xjz&6`>8h}smhljUOOEHv0864CCVIN=iH^Q1OYnlxA@lwBG4p8W+s$^|= z_vX?75FX{rN6am3_qoTX!3mzx0|V#)k?a-=1Y<;HLA)@^c!pmrg9<+(1nu6ooBr1H zWz7%AYlxC+ZARf}D}6`^{>RHBg>(D@=GvsXXN`3-aSo07V|HH@Hh-%4_Di~kv&v?7 z#MWPniQPy2xvNr?B+e-#+2NUYnYWfMP`Na2-`1TL1vh`ag=$26GgXw-*v8R z09I?UGZ+f+7q9;GbCnh-Gk48P3iV;2lnN89UyKl?U_GE9{GGQ6uZ#fj@DO$gf!sdY zpzd_nv3#1d1)UBqRDHxjJ$1A^@v5n~?QeP)+3+lQ>q{X_L`6z(ln8HPLBDk~gw-w$ z*A!tk;h9`ghzs^&4_n{N8NB`Axv`;$7EUYp`igp8#|M6*;(lKiq=to{wT!BES{Dp% z*@EwI^qqcV+WulluH8mYGIaIs>E-@ib_?}7{D+CMXaTpmT?nr4KH+gu5xL{^GFAOL z#sxoGSDHqE&`=nOEO85|W(?b$jw8&)|0r>SfO+;>69G*7Wu8wM4G@y`9Qt%r+~Q+c zaW9$^c?Z*O?nv|1Mxz=S41Uva92i8+;}#LS-5{fu92*g(W2wQDj?b+<`(k-pG}%0uhxpP z=mN>frP)-}k8&Tw$J)SDvD&A<;H;wP1sJ z%O%^m09KET-uJsm8CeDtywfD8B7TxNx6#VZ=<{F)er7g2W$G+=kdK_(ky+;ZUt5KW z#A)6k7s@|u54rw%WIlD9nje%Zi=9a7a8&=Y3N28(xsfC}!Z=qLXWnLxB4iiN$gqQ^6-pQHsfGv_51u80#j6{>?y{b4$D=7q4~0(vr(Vd2J6_+#3y~@A6$0PDa-zJSh z1;lb@goF&q7Y9M?arMTgN{IMbR^zhu+|ZYfxvb1F6|E@l2w+6J{qargB zGN8GjP?S>XratqRl^TyP4IJOp%O`N4FL$WHLOKc=aj*^)HTSl;=opM;vXZy^zuqlj z;F)PYZ#l%6otyRV2AaY1aMwcq3Y!gyp%n8q!q-N4&&1T&G*> z6LAw+4JEjGby%5+QJ?IX`emz|JMufj z*c-R3)I*sGys!$Hw%Ayc^bohfR}5(2bgQ)&NBa&^Fu*7Hp;1Jy!kJP45`p9i*>@ET zi3!lYKKvfxydf`^zMZO~Pz@aiTX6P8Y<9I2I6}Tr5KO^VC*xR@U#E7w9FOSy@A7X< z3k$t5t%>zmq~CPS>|NnxADVWurN>|$rRLmK9cQ3OV^ELjI+GIdP~g0xabPfdDytOz 
zwf?!+Fh+@kfTTAfOk2AasOJz2h8<&iCzo%*nH{g9V&4oFfIQs$sPRb~NBG5u%bI!k zEfCZSF9Xy;qsPqVI7RU1Nx(~NpnI4EwRs+JX&6m&#!|$OPmk>c_ecP$NU$s!aofKl z!SuM%tPGR&hDgON$|5cgo0+%04%^%Y8rH37L9-Lw`=>iuhM#h}bKo**23>~|hfE-h zg-Ot5!+6>~vNA9W#&Xov`~W~Furd~4Hy-b@EKS`#r28gp1VFp9Xb1l=L3tV&!P&a}GEhXa@0TH%h$J^j!#RHdxWv_4OFu*MP*0Cb-=3!oNh$FO^5WJ?`ypX~Og|5%HW zn8J@`3)RI;*sVwSef*9ecA$4D{q}|v{Fl(dJ8aZj>HR^;2bWP7RBAYk2f?(t+q0=H z*6Tp)k{0&{^&&hRnipFhZv=eUcRJ2C{_#d3Aqc2u>*F2erUg^cFcI|JJnB3@h&2>I zQ!d9cvz__#ySS22zD2#U7G01u7kr}j#GwiRI0uthfD^mCn7`1H`jR+CY-uyocuIy* zmTEtXir`Ve?`WzzEzk2Z23|qN8`Z|vfGbH>Q^AHY zB5z9%yXu?7&-d#} zU|VPYRziy*1B0U|cd(*)rShF6hpNba?ZTPmB<$^|T`Bn(bv!_l=N#0KIlvkw2&7Q@ z34F_v3zdiIvt_`^KH_&{d2tq5df^#TU)9;bMC*m~wM`7jC9?q6xshmDV13?>Y1PKG!#Fx$)Bao^Hr;m^ z&frFvnOkoMIpvgIuxdR0_VcH9eJp{6#mT^X_d1hdI#EJEH;oO7LXId%xBemL&jSE@ z+slXq5^ydQ92=~BEVvN8PEDoL{Eu(4RM0ct{4Cx!{jkcSLF(n(XfbK6wYN*W>!nuE z5M$aqd0xYUgV=U?JtbgeV0C}{(v72gwtshS_**T0nVqMoU@qvRQZ^H*ocVNqOA;<* z<;wajY#HI6z~eE1gN*~VYKrfe!T!Z7J(q2wL+{|b$}{Q=>@j7#M(Kz@P<3fD&Tb@B z?k6aQ3CJCi-mAAC)cslnP3$bRB)-@IC{)VVJky(k32QD+0w#>%ti|g8$X5Hupj@ zHPDHVBMjvsGo%cTjvtsdr;;@7;(`8+;+Yx=Af21x(YZPGm*^w7zlD@IN#$55na3T$ zWWt+}mVJ<&m8Du3YfLBZzQq);&(P2wq?@Lu$V_qc>SFq5%tlgmFTA(B&;in+T9G|# zR`+WEdHGI-+S~q|a%vJX33kII9RbFNx`!L}PmCG@oaTnCEazciIF|lsUlw<1Ap_UI zJ6l<4yasU_fS|5eQol6PjV5{ac2bMxI`{&8@BE52@4`Haq zI}&EirP|UlL7Sgq6@kUeK&-j~sah(S?@tpOls``6_?=k6~yJ_|c|C@2FJUAbmTLHI?MYOTyXs%V(;axB<>>%F{9( zunN>nL^z)wnk=#UgXTnA(|S{DJ;3Mg?Q%+4-cY`~!wKJB6!^^+&=3$yfhp~uz!3Ay(5*4M>)?AYa~qlD{Jj}XZVYo1M12JsI*33Pv-$Z zS2ULL^X-SX1uPpR@5c8}#=uZQ<|#+}s4!KA)ony@@n98jc4Y1IainDOL;%z1-|_Az zX%4P_#rA~-;_{5wO0i$1*|DZ(pOOm9%gPNbhYL>KRnx{G$xzPgT6}TJtv?#nJ|EWJ!(-xI-lDpPQD)F6BJaj$g#uR5>2=2kv9y2# zEZhV}EK&~@RkS+-Vc3D6AJORloOs`1vA!nCWGYs5QEw%afrRz+Wk%(`pDb=_cA+O? 
zmfsYP$!#T^AGMu-p?w@DP?SMMdni^ZT<25#m<7$j=4jT%7dw`t$9KVco`tg|Q|7fs zTw#+Jar#J%*jSMwcgVZ|k>lTtpdvna3+JIS6L@ML0*lBKNo6nTc+iZs)-4FFERy(& zZ$2dL`5*a9p}ZV(FrMIfoH2@MkDyT2Pl5RyA9%Ow_8tEp;W?R4~P0$gpakm zHLO?*ufg=pBVxzgs6yH1NdOSHRA^(5_H;zPicFH{pKbz0G}Jh91vIbfdWNNnpq3Jr zddmU%`dH~36`;X+h8PyX(UH1E^2`9t<=SrAkD>`=p=?{~8PgsUHKakT8I*@IQgYd6 zQDd9GF3@J4zvCAeauhL*IAQO4PNKu`Ou*&mZpp0Cn0H^_2!#!V;J@Z79Hcfa=Z;2z z+-vhO6SPRY?wD}_R72}lF88VrMTN8vv2RI#74`lKQ}1<_ssRL|chnp-J5eB*g-D%G%p6?fYOGv*kcK3P; z_Ydm4Ni?9-U-@KQ zWrOJ1?Fjw6W^G}gvijoPcImsrSAdqR5uq@|T2!WsjbnEsSedLi|2BQ(|4z_z8Ixy< z_}uXB;H3ZaO?p5tE_%)lx*~a_8MNX2rO@gj5-4A5_FF_~n2-XQF2|xUjHJK>l>0%^(;-QUs zwrSs4$2ae77&lc+z!xBD57e!uhZj9$KbdyP&tVe)lr=gi@yOEg0}zQjH!`;SaCU|k zFa>4cZ$TN8$+fdTlWg$4;JSL=lD~C_)8a8FgFqL#j2#=zP<8v&B8|-8GW%kth21G# zQ(3vti%ba?;&duEYRga&W(!(g9qWNbZMmf?ROc}T8;`?8$P_Bjj18_VRv^Ak_CmU* zii82aFteP}MFPUCgCMn+ZhYx9DpHi2Xr0qEy6jYtlg<_{5JIogz|j@W$ZQqX=Z1S$AyyqWhPOQU(5JvWikyVr-W*F2s{3xlJ)b%bm@`? z)}AOPGL+>o@_8ZkBsL0nEJw4rF0$@+Iiu;xM72e~l#1*2VleLZhXR0zo$vMCgAH&M z6GCp1mEtW#(wvO`S{WU0uA&=qw_v8L%%|*P5X3}vo(KQI2+XT~w$l+M{Xfjl$N~S> z-lRg1!vjzI_*w=65|Z`DgEg^J?rPNR%xgm}pk}^^0sfGDDfv%PJP;Ldd&|zEhK9gD|f3TKAIR3_7isyo75+Gizm9C2E?1>46g;wFtE2% z#^vSvzosyZzk4VRLs7_+zit!FCv)jfi^2G7i7{B6s<^n(;>vosQvrjPbPAn+K|1hc z@kGX&t&IqZ|BAqlnkJ>4u?{tQlkx^yvW7z$k}p0H59eHg%xVY%7qums{mXcsJ^K;% zyvfAs!PB@38pQ9f<#tF_ujs5e1WI{rCK;l z**cDk@Q+g6;%gvZf_80v z+`95;O=6vO0yp!u-Id|IcEAKbWvk;@q}|%fKq1UtVddg`YJ5*t36|ngMq{_JCwWF* z#D%8LfQqXrqtbL2kwVvZg|JcV}kD zu-e%Kt+gPv3;v{j)zaDo)PKHM^9^Xd6<*0j)a=7IMc${yvEnvdCwx0?n{^!tOI)ZG z^9NK_3hFbCZevW*BAr&$Vrk;A1)KzAXMb8%ugCfFrtfK#cOh<;ojU6*?I>q@93AvF zLiz3Tvf`{Nq}Xv)_!)kk4on*0N>dO06}72koUv`$Pkj4UW;b$Mp!HmqoDR-3RuC|` zBkQ#`1TK2O9l{LF(|FI0&=EEqXMZdCBGZt*?6k1pOkoqs2e{jCu6RrDcMAGHUjJM6 zxj%s`zk6_xfI;_*GgoYLS7x;klq|${w7b85l3x3R7LJ})&XI`DZW`vU+B$Xp$rwAjsLsq z>8v{dON0k0rTiR)Mhm#ZJsN_ww(T*bbHCG2z7bxx=GEq_)gbfl!#0px@a6A~6x7}Z z_HbD1GBT;uUeEvJZ$ip?GETnMZ7MsC3B zCfHp48rGi-upxh{NJC{Pw#(RECIJ6Wzd)WuS$J0N|B8GASV6VASWC4AtwMTgIEb@S 
zFbr(K@2)n$oVi5iq~WY9Xa=0pGyBy{&DEC zqM3lQ`xY9-N2BAqg^EA&0v9-x$U}EWO6wx*P-aVqk62YM@3B_*Dfy7bA0OvNet^je zda3|^?AP!5A0LeD%i@n0(Bcr{!y(6xYeRd^`%x=8eBU_GJW_`+^mJc+^n<^OD}&9)rF5d1L+)HdeQ({Eb`7$y({fs)e(Nc z$!&4(7U;14b@?;}({-dwvh+oY%qvSc;8$@IwSV%hD%K?`m}TCh-QJc?{Q)>OECz3??XIMmgTN1` zGZHY~{Vm;WuwQu<(T%HG#!CPJQddIvx7zwYQPfyYqRd6xdG8o_e^}&1nPBZ$jWj&} zK2@0?IS{aWCY<1YhJ}(4j9%g`K_x2;O6Ls^%_@vUFZ}|4N_xWmC>M=U2%PNAs5nM; zI)AdW?ab4ejST7pL^8KK$dmC$6Hx*NCdioXcX0OMFRU=Ul&Z33@yorz-W(>*Jp5G= z(?ANpa2~l$kI8g^)b{hof*mvx;H#ztKr=c@vUoOx`GEP)o+Y^II;1THaO;97d3gTZ z)uzRUPD?J_yA0iaT`u_*OnQ62CI@U<=_OdD9LUHT?_v{EhvXJBz}1Qe-lMdnZbMc;FcP$)M7DAaqI^$T7L(uO9eeZ@zT`--GdH93eo<% z(S|xEesHy+k9@riCcn60@Q!s9HG+4BVS8k@U%X|1>suej&^>q4-dJt{3 z56ZIaUUN6IAB}8=C`t+7UUY=903HpL)c$!qLm_~4^S!oNZW;lwKuKb_mIRXN$!5pB z=1S9II%@F^nUqSYb!pB44LT+3Q|Cs(Y<9C9G5=H^;@>wygbfXP6|%YZsYkGQaR6W? z0uwi=V9QtGkg*KBMm1RVv8YYw;)Azu$3Fo7y!Aid+f3A-b?I{J000P)B!B<_00002 zY8jCWQNz5C=wEt=sJ_6z3LTw;UFIty+{wLTu90zR+{PnMxk$+ROpEmmvmT+gW7Iax zeU}9#m2>&XuTTAgN@JL?du0??iz$663ewmTJ_}VSMdWVhm4U`L%5+BS?-G%>d000017Nn2>00004&vHNl0`BU*J^-uyzkqhO7#z(Nfeb)mgO#ak zDhb8Li}td59X;*Ys45DApr|Sef}p4>3WA`Y^07YT-*>?c$h0RWO9*VjQsT28XN?J< z2lZ^cpRFWkHF}JZS5hna+w!K_(?5{XrnJO>06ChP02P<5{onuqCQB5_5D@Ad##M`W znVn^THC3~Vg@Oqr=Ra%$(%kk9YFpMT2jSl}jm`GcAcQOnQsCu$aft%U;Z~oybXI|s z#&YrUa|KD-C;BlkZfd#W_`NgB6y<7N zOaOs_=%XeMAg#G%~i`pUB)@}P|3#eF7O zX2)mv8(P$$0B?{=y>U1#n9|&FwoU4~(vO#KD_}>l2qs&Ux~S$UTifyMqjH^3Wv+MS zrC9zSu*in~{8MeU{N(G@pm*PmbHSZ*xK??1?C%D5`r~RZe=)&Wm#@F|E&$-3x2UPI z@hwv2Av#mQo+` zM+&k{=1Skf!CYcFH$JD8i?Pv;>gYxzu@63uwGftPkApTuj=h_6t*Pr0)cnvQ<}|u{ z45vP6KJqOa%w+oej(JmD7|{%pH$6&)@_iskZwmZ6G1B$qB%*GB+p@R$;73t_C?C5u zKjEaN$gMCiM<9B};(CjQp`T@C0}d#^Rc`lsW}v|jQ(A9^68*&uoyA2|YlUL~h}!Qe zVz1v;Zh_e~R(8gWO(~{Phk=f1uY1uCX)17vX;%#S?>vnk7B4rPIZ9aEeHpgUu@WG& z)`c@tZ*+#+vQk-G_HF8wdz?5LOVrSShsxCuv1&ThYMCdgW;e-zU7oj)&wiSKE|@k* zuMeU>D%LBli#Z`V#fB3-`Hpo|h%6l4M)h3Srj<8`O4w{Hxcrpr@TAj4x#WR9Yqy zJ#lOpUB9Ha)TugvM5;Zho6_gh#s!CqQbA6D|MtC5$#@foAKt(DDk7(|dz3T`j6sL} 
zs$F|bg7;wl8TI4xi|%CWNV2>ZDLRg`?*+ z7-woqSWy{#+N6CgF1*6Pq8M}zC{h{W4V^SAs_Y+4*-ppf5A ziS%RcFUZ3N=eJ+j1m^p#mGdgK!^-S+v_Jdw^Z0KB2_o_FW>bIUKp z%584nM&9@QXult)mvd)d{*ag3*4jmo(GA_fn;(9@OU5U0peKpv>btI@1;>TvA4K7C zR)D@$D%>GCrM;Fa^L2Cq(*h9P;!1BnvzqP!+l0e<#mMyMzmFGK48(3={-LqNLY7gN zBe|*cO?Bo+>g$xtz^pc_vH&OZ0oR_f)Lc4xYwiho=XGt)^qmV<1!tX{UBMK&C*#IP z4X7P=S%S}PUb#p&OUoOW4f3?AG^ulGAAd~!6@_O?3YWWevf$^^^;%Hz|=dP!lw zV|ZGBT{Kuj?<1vWf_W=42dW8Ab3x%mbj#1E8wTE4(g*lvcy&dxUMrx+A)w=sribhK zXGEukw!j}XF)Ajp$-MYq0}iON|BLF&)$|5FWACEi*`q(++}XBp%uG06&rt9#96HEV z3REc8ee}`khmW`Cch*ZQZ1*-FxrT~xTl<&-{Lu?Qk_y*-N_rBVi@O&Vl-CA`H~L54dn*H75Wsm?uNluzKM7$NHI4}M zTT(tC!{ajMZe9L{4rrmiRe8g2p?p-79$q|PI=K^|(y*daZnS;efchF^%Wf9Mt6=jxZszb=K>*{aIa$@nDB?S< z30&gM=pgx#+<`QtULYmmX7rY z5uofH1=WE)C=CS}l=N;2^~_EzS{LEaNu}_l_O)}RC?f(u)ku-Jvc+0*$F0tRkr=omhicGV_#-4k>a_zTN z3#V5szKSZ}=g6ruyeV-E1qf?M2rII67BEMu0Lr31O?4f+73(HRKd=%!L!6u}{8t4K zGg7`|8=+hYpiXlEy8%1c5cYHSl)s@5iDVOSAX9;6LOTRDR2EtHe`EMoD~z6XUu5l= z`cK2Nw_09Hu!{;ulYp)t9(i`=4#0W5YlO;Rl|KGi{f)ItLp90YgEEk{@6qQ<6RuOg3{h}&^T< z)j5{(bzu+PwUClHPHa4PeZAAXFG%$J_i4dv!L7jiZ{9wvr7>M z|LH?y%lcR18BMA(@!pgUJGBeXuLg>C7v_Y(k^#b; zyp)aeTkf=eL81I$DT}NsEh;S^Jvq;9Xp(F)wi}1Pq(R!pLO#&!FUhe8o|%mmV2+R* zT)z}s3F_DlCv0;=G*4fAX+ysR0^Er}KeEPpTt+CCVra{L3rb1NNK=b~6{Lq~-mmzr zNOxxkM}s;!66Ml9ECT)LbJmyqKpe(f;oMbHXlWDT=9MeyBR1~KvgiM!hSIn?BPSI^ z6=k>v%5!m%ahbhoCAb*Xm68zlby@tMq->~v@5xnzpqbKJ1`BF!tR9`Pzk(+E|5vV-%aIcHFYe@1EiUt!|DznTI@PIAQGD7w-pJDUbr@`69p(9O%4t8AhQwq!E4+X zUUS3z2j#^0Yhz(s*_6$Qs_N{g5izRdaOxR)= z2oEi^jdOXuX4rD$!W?+emN9~69EAMn6mTt%rG1y^QCuR%NrB5PJH!i$7p0CAF;F)? 
zQx=@>W2>y#ttY?00iS*b7F?cp)1;()#vT|G=MU|*SJ8-0@jhLoqvh574;7qgGCVY= zN>9czEXwP^eIHbHrjedHOSXSVk@; z_S@3MtwQggy(X8mj8NY~k@1K!`loyw71DMm$;>PUM3k|@&YfC?;%5w;@Axw3GR24O z{^#2i3f_w@3$Dl>s*mpT^;#(=gS*3N*aki*wFPu4#zwlHuHobGgKE768>C>KxV@O) zV}Q`lC5a733+MrAyz9OmXA~NVZaWvl5^f&Z-%VW}zr_pcMnP|jzrv^Ftnly_40@>H z;9S++gUGMf1Av&BTxm7pXtl>!gEEXV#~I^VGcxfM&ug%-SE?_QT`-a)MEdhDUS3Pw z<)QXa2gq2%xL0Vg)=o_-Hh#1zU1%nMy81}3ESkK(6_$r$P|pqw%z(-RJq z&*C#FR_RU8+sPHuGa9G+9{JHLGsPH8CTWJqzaz5ZM@n4m6t)7lNz%~o zf6oaw`y=P@*7qb{T&v)%%X< zl#K$wu`6p161;)O+7+@{cc|cK-2Ehwfd7j(xN$-4gm+}`mGJNZ8`p2A&bc1Fs(F+h zlEUv>*Xh!G&k-k5rB<$8$I`!a>kM9AdQ5uz#@qF?gPg4M;0KU3kXz3yd#;EVMgBmt z#`+I5<+Lw;UoE{m3(uzo6KzHF^&7v$2kig9_K z5S!b;tU}W@uCmGN-9Lwe2hEPAd9IE?kn>FGjA#T^$@7tc-3R6{!Joz8P`nog!K)@7-I0G9?q)W!=*`dt<>l7Am} z+;@-FG%pTO-8Qfl4(}4$!aTlk(~)#h1r;|CvSeUxGaJBCmjwmLr38CTTly2fA9z^h zqkZ#Rluc_Y!Wqu=a%%q$-|h=6{nMd$Gl7Wc6V3f>9$fE;rfw2hOe25?^^R}V#=3%_ zuj%ihf20A`?;ECk@W=rH>2~f%-d-Lt-X`K=`Of(hfzrrO0LKw~5RB+>(Wa7x(haic zZ}bt2%M|1+UPH6O)T1&S@!dd3NT|{w0Hv7rw0Y$}Qdu{V%i6U!0q5HB>saK1yuhy*|C~sE8$p^5+3Et9%N|9igw39P*l2s zLMl)6p9i@o5E~Df;q=bga+{~_&jb514$W>qz*;}tu3gX0$}$b5&q#-`97eNR)ThQq znP2$-KXnu3?&Ys3&A+3L4s4TTkb#ycJzNBGX`PBxnv^dcn{B*btww(5jwqW~IYhFj zF}8Nyw|w6yD}@<-+=98h5|J}X<$-$?;Nv8#h3@f0ko&-}_6=pfbC!qO zD6gw5e?1YuyMF#?X#};^bIG(WzJJ^zzd&cDdeG4V%fLm=B;7m2>1cf2354!1Y_M_wo$nT+ixIr>f5jWYZ0GcXT$Z5 zF9qdN^8!P$p(nN*@#jnao3gk>$)z6npLVdsP-(oA+0hmeO4JWz$VBiAJ`5l|Zo~Au zB+nHm6LQ!Co%ac_dvE|gP3J1~6DpPQQ2$}!r_r3>0UF-GrL{>}gS2sTo+_|4twhmS zK<_LsG;RmuzcW#M9qzq+SGl_LAqri*Uw=cVfqc{UhKL|g0v<+nwe4v`F7OApdT-m6kz3;3z)8GNBU-*R@KP}o9CP2 zMGyn(8fNp5IcH11UVV{+H+b&07`C{Aif3^b^)kK;7O2`sSTHq%3k|wXoa5c+{v#(c z&&ha&4lvTfe5j@TD`)$z;pvr7=f*R4k@q<86aUe}XD2!wO7^8xb0h zef-Gd;XL6hkOhR9q5ipGd1;t-suXgvD{>Zw6X>4j&JnXEhm{_uPA!;Menk&-ExN69 zUY&2{ap?Q$m&J zIK?~XsY?2FKN3o@)oG$S0MryFAyd@YTp?_o;`KE$T*kt1dN3FmGx0ZjzB~}LWn0JG z3H|j-SpkudE*gx>z;HMa44Sha>tcNll=72qB!Vjq^4`CashlPg&ia0OuL^a#LA(Tx z)PI61?lD%Y3wsCZ$pv;TB8U*3GCnm%5K(p5=r90&1mQ)?>`FwNo;x13m?Fn~@No&v 
zwCQebD&c<7f8w@oJIpjENyd}=Q)SYKswqa3%R80r#@!^(=S_EtX^?Swsh1@?ZR$y) zu-tP>gdriG1JlsPoHH)t??JW-3_!KNUtTAuiI>$U-Vr6ArfmTXu+uX zHQriD16NHgo*pUoKyfbR&odvkwDj}m7ubO~5@CV5Q@pD#$%T8XPPRFuq+bww`WlgK zRr4E`Y=Pv40u|BPntg0^%uE`mTEXBOo-KTp4e$s>TfP8r>3K{2o9Jp|%&=mMS z#mv5?0q1DBiT1fU?c8QMmUq}julA4t=^HYK*yId;T$du6IFXlCB@q;zOft^x5T8K0 z-+E**sMWar0RdkNCzi@Aa_)zJBV@UW0U?y=6@)yxio?ZHM=*os>Q;X)x2uWec&=;< zuZ{KOjj%s~;40smtdEU!?*0a=K33Kc~4M;*dtS?0sHOg!w}>vRQOvQX_v|&xGLARNtq| z-`@3)O_S7yjvxWEBifSC_Yv;WQ~bu_tfc`v9Q@$lCY2G!EEvc*MlpN9(K5%oWt_>B z8eF8;zF?iOO(rQA^brRx>~j8-2x^NoOO{_F z?f?6;0?C4!<(uY#E270HMV|A|9KKFN(WD~_Xj4re0n{B#nl)HJ|0}V>$A(Q0V(Q;X zaJ&O(eo8H2zwn3}2(=?_!aZQ($9~)4)pFagJK=tuc2ue&KrDlVi}HFN;sooEXr|Gr zhK0(O6Ip+{~pTk}AuBU2Jim-k}^WXRvEy6ThUewMn zG)B`HPD*v`@bQkmcIH_KvA6G|`}%11pAu46EMY~s(~`Y$bV#o>6Mv`FjYydVA_7|6 z!))Cjimj>6;d%U$-7#TE1fcmC_@Un=%N}QeO*N?omlvKwUG^GfoY%m%1bZoqZIu9M zy-lV-i4ln{<_5pl;q#jhKzPNMfMI)X#E82n3Yx2L?YOH?DqVd+dJ{LKmENAn)}VA2 zi!RSbH;(FPd7W$jeJ3Hd`+~wzqZ|L(e=V5x>CdNWrpz#+b7YiAqv(ri>Ej{oV)%L?0%erK|E>D(Pp`p!D>H~7PWj!Y4% zPo#2#ZQi%pmoox+{W=N{%QISJV2wWjzP>Xz+wG%|4QP-Nbx)Y_XvAvHw}o+KbIkA% zY7%v=`0rqRRf#d*Mm}`_q_~|k?#*$M;m5=kTLM-aE2Pw+lC7ToAC620%^Vo(;$G21 ztW1SJCR!I`rsMung!W;J=PEO&AlI!SPAiU6*J4W<4Ds@L$_>_C6g@1+LJ4<+!ekKX zv7hGp&nVGeavZB!Cv3uH;+O>fj;$8q8O-7bS9BTcpBMLioi)IqY!c9Iu5yDTP_)Ya zigioEZ7V~ElX)cY;j7UC6QwWDUWeQ|T*w@>uv@5G>9wS24wFi8ta4!R$4%n|O6XP- z^$-$(-A>t|eO|d!K0fpGh6|@Ui;pWeS!jeRfE+?SNW+TH8Yb+bG=sW^Zb-I>xSwiz z^xb>8i*E7m3{EZ{&&qk=Xqy~&dOzEzKKccjaH$3y_f$>fAk_aCE8Hs2Sj%f={_jV_A5D zPlcYe%B)V^MM~v~497Urb#pYK)1CT$|F}Uz=k|YHUP`tD0DW z*RXeiU@7sg-8|M+jsO!#S+_a8NaE(nrSLfWcd$*=s>O=NVOp41qrow4vJ6EHeImV| zU#3O!LZpdQ`_BSZKf~axfVpY~t(lh6uWX_{A6ck5a59!LUHpVVN4M29O}9oG#=1XZ zLbj53*JG<$xT^N`ob4VelP)u$F4r)0^6$c99=ju)XxA8iOK*6UwoAUrkypE|ljNcU zVa3{Q%wS5sDOxU6_<6PWqC1zCv+1Bizu$02xhbT)vXjvsBLjE^p8Vg>vnTIWO%znZ zh5mHie^cvH-Zr>#sY`xZa8Wl#`vNT5Fn zsZ&51Z8_br!(~7FIrGcjreUu~*4aTLR{^fy@b>~JfYel3)JGg9qxoo54T3gD0TNs^E z9GEbKZk2j?yt|hG{lAMj#p|Sqa}$(9J_*q>vGe_t4X`m>eC>9&tFahLB_sJDmCwSo 
zqSp+rF#qc*xCf##*TJ0Q_-F&dWdTnPIFhu%OGQ7`%l>G|vkZZMZZ7IqwoM7GbUELv zG^p&hFYHs$(OJD7*m)5>a2@wd6h6WGHq;Y-S7^Z=3taTaiYx)2#>4JtWA_OS2zt{X zboSzNBAnoKjGM9}=Ke?$cUF1M5Wt^x($=G>rNorYGp*HhT5)#CuCEsJI?cV>rcpF;G^!FA%n?)FKtL_vi*QH)^+)2` z&M`7}aOyQn71>>+TM?)x6Tm^1XEL}9qw3&Lv(f^A_-kJ<=T-8~cA;JD^9YQd8~JNm zznBjTy`e!Hi=0lNC91h{KLl)hHq@RkYcRt`8MbR45)4)Wt_~r5-Wg~G(6glZ&*i4W zJDJU=dBK}<1&!Naun%o5927nvKn7DRnfnC$?$Qw5b|?QaX~aK~@gGW2P=j(o&{ez; z({F5iS>=?ot8#28lDApPnT6B?&>9ZzE?|)i1@~Q{EGCvPk-mW}1L0l}2b717SA9ED zKx)5|jNlRakTk-D44Z&W|EB6-6gnBL^*x;Y#SgBA9?>w39m;$AjCL6aIRuaKi!I_i z^xrG7qrq$uFhK`QL}5e{y`VLC08(CMA7Uq-iMT2$@;?tOO9Q{~tf7fD!@LgBmQOjr z3B2g)wFXPcZc_=I2{4DMhMyl0fkkoxKHC{+eS$azv-M2pET|#m>0l+CGKS(QF73@C z7earHdkgJX$~~!Z(q6cV+@Lan@lj$^l`>rwR!7i*#A;9t2(K!j$Aga6p3wcFOlQP~ z{eP!%rkd$eaqFqLE}jH~q80lYAEbMjJ)NFZ?&p}i%2$@4^UaWFlHegWagkof)cECN za=~I{A*g~a)mc%Tj;FqNGj{dhyd43@fhvEx3rv2fv`y;1M8Dlr!`CxxO*xcStW*I3 zVTy6}%r=x0=;Jt4=l7{#c;aYy6g!qHIRqW9fS`%CD733wY+&Mb)`P@H_vjm{m?;;0 z#qb!N1^oKOi$TiWVf3R2z~2zJq;ykn+FMb-QFt{y;)O(w|^t_T-=)$>4XC5&)Z zgB72)l4<*kp^tT>EO81{5@K!(XmUik78I&K^VQ2_90y6OT=R2z7) zOYcA`cOAdykOU1Qh0DifJ&ZQ&Uh7Xk(uVn-F{FMFv5l1p@dQVUFc%DS_)yY^3&1AY zxDEGzIuDOPU{Uv7KmE;I9BLHDG~FYMPHaPj36fz-fs@5U|NiF^QjK-Bjd)|B@B+13 z6NnDBx*a6Z*eN5UAG>r0Ygxv{Zf?kwxK4I;KEwz%esrXlG{0_C7+~IKWV4n1;_Du% zo@`Bl`!r~%B=pWAz8WO5%d-ecXuwiT&y=hpEE^a8EBUB!ms8MNd);7u*>>Xzer{MmXA1&_~8J&nNz$V2M(trWgtb?1>e%tLRpuDF(Gm&31%G1Bejv8|RpwZxsJ} zA78jwg*nN~Ba>zCaUoAZ@8r&>UfeUaV~>mHf`Ko&0beg&RUA54H%GV%z8VMAHRysW zf_@htXF^hZEjohCL|eoUlSk^(Aad%!$nP@~MZP5C`Yd1Ohli0xV~8CbJnz#YSIIv% zblR(!=wV99_UWPUtr!$}l?1FvQFRi|KcDdZt>wb}w3SD2F?)s52{S10%I4R4jf#?? 
z9oSkJ<9^V&TO7{`&9`KwzYl)E-zZ3MM+9-=dRjZ3`Cn2fd^P*y<9F&i#o`0cJX13e zKY=6g<1;KQ8nO8f-01tmC_nQB=;#dAU`ojmC9XGbDcHlo-0P06eyL2wNaj6*|BAazQoN}+x8 zR>SPT9?CvL)}zcjm6;eXciLQ)sZwc;;9;m^A_J&&`%zJ%23>-*2(1*^%{Tc3Z2`;N zTV3ArqjF2G$_Qw3VsimEJ`Fq5?Vt_RUX++?d{%tm&721thTfvm=MPs*Z{PTD`^aX} z3!bvf3JBs;t#<^aa8)1K1eiEIzj=+GDY=~iaoekT^oWrTOLA&UVd4^y#U_d@C-eK_ zsPjV#Tlu1aZH?&nHoz;k=>u_-0m6?DS;=49{UX6In7xB)XBFu*E2ZdpC*;&X+t@`goMYv-IW!NjzHOauPoXw$Fnm)4gm=p@5a68>Tw(XsLyVa*@r5!;GQ$eWs7 zuz~nUz73O?@AeE2Y-~*qaH)jD*)-rpd&kLOY+A1T3gB$9@^zR&;y7n#tKMtycV!Q= zGPI<8uiSqLh#_Hcafw9Q+Jz>rEjd=z@X|1Eb ziZNvQOmjN%T3FexGflDp8I|Wlg7b@-&4ChXj>hPUNyCz76c`@A4-S{ILd1mFjX^)u zwAh3`0-&mA!g_bv34xo#M(A}C*D4#a9Nh8p*t*w9((P;ULFNEe@&0dndgjfg#~VRp zPd~b|8%dyJfK+Mo3x_AX0!stpu>`zhp} zGHiC!7E)3o1W{efS1=^{cyqC}ATF^=UcTBFDpV^?8)H@7&Y2@u9WHuJ6&qfWh<%KB znYwTDF2THNbL8W!8gtxl)NTbp{wS7n;6al3#p1ExOJ4gKrGn!w8zdHdjDxs4$5KE1 z0ks8l8RkJfdbbLZ(0kQrc?sJj67_Q8jYWp zUUKBnb2QO5lB(7vf;w8%f0Up|2FUEzl=g>kIA#Uyd^PtJn>G1#w+ysw>7i7k5^H6L z;Q36zVpJHj>$k$Sh*r|7JKK*zclg2T7Co=hmz!)9cl~EoOgn5@F;8X! 
zqc?7H>Z!=xyOgj#Lm|K_!d(qsgD0m}F0bCp*v$v>G(k&VWo+(eg zT0*0YK8xf_{oj4Zt%1vDy^!Q8r%>;yBJHP!Z`4bT(z5a06y8*QkbnCkr z{tRgV{Ly5~7YX2BFZQmJn$Xw}4{QSIjAW5r9v8_k!+I=2*`kD{^0s}`Tr{G}?+=mP z7NBC8{r_;do&_Gl3b*|2+eTC#%vcP&GOfA;J7tIy zKh`(Ewip*SXrlOKRmHmDS$+U@xIm#3teB^#W9#8wjEa3>_?a(*-OFd2 z7QTY)9crO-LZ=-SF1udw|7WdMA2{eC{%3@|S!DjVjPjUW;K%3*6cDl@F!A!oa zhqiQAelQAqxB=&BQAkRh*|pAPg8bv8ja?d_Z1C#* z50eDNpb?omcc*Xbvfah5JK5kG@YYB72;}_mQ_1PY`24Hh62Z;r50Fs@>twB5zGM5y zns&+PqEo*I8O7=CYOZ*|s;pZu!(k+njvJLfTy+2Z(U&srpl30i!@JhbiFwm5@*A?` zjWjcd(+@n}HBn~&uS&V;U^Ka@u~J}<6=2yu7{J^VtFlIa3^VOzU4sEl$uT2-Jt`2o zHt+7SjUi>}@(|f$KDPOfR@KdTpJFv16rs%nf5a~}$gV9u#bXA!#KVuQ$VfUUZ(Uvg zZy=2$)}_1M7AGFPE&+r`u3Q{at;W+p@1&-9`8D^;^6+^@>R~FZjL86qn65w#;A>6@VXFAKX-ohGa6j;n6LwRzi`B@whPxz(YyEv4rqgw?c&)mNNU= z4Sqr}d0g_Jl-?$S87xR5WzTI&(X?$}0TNfH;=uGH;FZhzPvu;mN}@1ltH|O=5EVO`QK#oXpD|xtRfRKRw|6@EAXJK2b%le?COlqC}oi#`dSM zG=}50CAA)DB60P!U71OLNejpO-ozo*HO1M>6#KnqF-Q@8>`R=^!0f$4xF|uhEx2vl zwr$(CZQJ{7+qP}nwr!hdoA3O$?;Z5(LHFPdy9N;%Rgw7>vhvHSj9AN5Ha$DQ*-60X zPjxa}iv>)0zs2EB)I{XU_#c#D8e_jQ{RZO3xl-Hdv`Z!UY4SS3CWwbXb`2dd==#3b z*jZ7_H_gm!lHFLq3HyPSCGOiYRkf-bUuyhxENQC@er7DH(nKHY+f?QC&xIg%V9$s0 z9K4o!!Z`>N2S>-~t6%^wH};{fcTL>iX>BL(CI=F=Hj_WvC3PrV3S@>JgS%_TLd+FL z%CBaLS+$Ff{r&SYKoNAkU=ytsP{7~u5c(d5lv}PGNN5%R@)a18*119T;?~0uWf!vN z9q&9SMgFAO)#oAeh2i1Hk;K$aqi4ynwU|tc5b1%;6R&O*g#D^uc!C;o1jW0QZSx$o zhJ$wqfWHw%z0yo+4ws*xiDGLd|2X@CG*nZPq;!&(^U0yC7IOk-jcUdn#@2VRL#bmS zuE{tXa@~a5X=rLiv0kNoaf4=1<%3!BfidrB_l%YR)eTyL_X(r1sFn}sVUk>NZ;wsJ zL2S0B!~!a?wCAyy^Z*5W{($yauukq@0rxU{lH5%ATox98xvcVlH^-PP9=`6I{zRJ) zJEV)Nw)v17Qj--NZydYWjbTiNh=*qC7QbsH=zWp$x*=lh&MTbewEkQA17jR&o9Idv znjkpyB4LRCnh-oLvXk2>8$vFF)GsbztYIF6?AuQKgjeIwLob!Q3(S5t;yjpU2B?v6 zv#xcS*fO`t%wP0Wlbplv1AEpSd(AA+#iyza0F@5J1-oB4`XYpr5*LNe+zL$C2}(FS zLwq>Re+1;Rv{e`1=@lKAS6mSA()*j6dYWl200H3~(k`F@PmqADCv&xCz&?77K^^M- z-u8!d7uTP~LjPjLqP;e;0l-(ez}nwwni|ng<(zT68!p4mniRu{XsC{Sg6II z_F4uFpqsZGHQBBdx~J#&ByomFQWMJ>%CoQtqxRO9f*w7c6*yit|4$8TomR^0|D+HJ-i 
zgwjjLu_VdguF5Og8kK|Uf8@Iao=a-WpB{8hI1yP|36D>W%02$1V+(uBZ(P|(*-hhC zw*$<_!|qA844&&q9tC?;hFI{|H$m#gjQo8?Y_ctB0eoW5@Mw1)U`MB2c+-) zxSU@VK9*f+I@oLrjVa|TshyJchP^se!v&#pbAKGO|LoX_Ou#0ujRff8a^NnaI1CmR zzJlqOx;CrN@m>r~Hx^}SD6>0kt4Z3_xnR}HS}ik@9bK%13Al0BYKChZO&vWm0p;F% zL$%guqt^GZV;_Ak9APlFSVA&UF)?9`U}|m>?h&!fUO@#y%7R1YYd!qHOTL9@Vq|m; z*)Bd`9q>&*ea~}M+kSrDPgT9%IdHE+a^K)Iy)4RZ<*PVMdRy<6s=T!@cX-wWBG=NU z_-+7y*3qzj;)^ifmPo@rx02Ws*J^{CFrl) zs=u4x8yp9lFut}LiJ7nq&O>RZ#n(Ushh=dzo5$h}0x$bRAHew)3_yy?->q>ys>6M4 zIC|8o6cjS@wlIGoJ^Phg#}>~jg}=*G3^2PZ-(Zq5PYPs-l19W%#K2Pj7@mrQNI0g8 zO5QqUaT;(|-0V6a-N;E{X~wZkYQ5Nt&aicQx)h^Js~4!&HV_AgB{Hig(H@HnSih*0 z1=zIi$5H5D?{&7BLR_`Xh&^Ru-aKKbYOY3_HcKW~{k?P$yAO0@LsKk$`BMj!L>gs= zVMCIrI3%2{%=4G!QE;SSCtpCisI{|fOZ{K~_*M7`duUU}?Z$8yh@&{D;8I>w0V%!h z+nV)7m>VmoVQXF%BWwAu8PGn&mK_YPXdmTM^-sa)?J?@EF)$cJO0=qz$96k9`T_1!{%+1Pb`+^X6F?SUZ5h0> zi8K>T87x+FPev*rNm_NXZ|kB~1cJG&8yvDZYkENX=|d=RfRWMx>9594PU$}#4;jJj zLs~(*VIHQVq1_9#{*`g*it9RE2B2ESnJNbE6m_C&ZG6s!{0Ge_2U`VkEOmgaf4?VH z`FmaPha|jH6Z?wW^96H(bj0c`J`({?)N0OvZRY=KZ%@+j61B_47cE(YXvzAXM@S2GSji|M*Jw&1fZe zBg^+xO>J+%e%=Cs@?0NPLY(IU>ONz7EU(C>fyJeR*fZ|goI;C-AvaASVob3|l*1$D zba0h-DbW_mpwI8sc8CYj)dj}A&*_W)_!*j$mO*laVXz47${_CGM(*gHo>kmd#lcsJ zF?E)Zzq{oQudLRR31&rwvnck^K0-Wm{DCaHx;Ad z@oRFuEoe7bV=ngUC&uFl$mU8h#XOAVBNKADpLoBlEA{9RkI5`iEHhstfPmp&QH7JS z);os65<#fo_A3DNlcBZucnke;lrSCtzex@e9E z6yKpWO;+Q|;x4{9h#@%u6bxUJz{$tX#Hrh=UvZRwyee71XYUiIyqPRS)#%$se#PSTUo ztQ+iMaAv}F;e}Mr|0>?hK1Dc$O}UX}%?1V)Qe+eERXRc3VwXWbHf>mf5V)>DKP<8e z$k%`Du|05#Z}a`^@MZl}GbtU~wO}YdczUQPytfggOEXYS%Z{Y4 zOn4|;p{F`XE1IyeL6h6UZ(%lgZ2MsP8NtcE$N7Tx){7yHAS5g3l>E8VqMR_i`cz<` zQW1C9RKFJdZsoOP&|LzH|M}AVFO4m8_zs+B-VGa$aF(Xz7#*ooC&FA?f259ktm^HA z3Lx&Gu{aO7{@-=5f;OFTHCodfN#ZDh(0~m=-lgydeUBW)KK4@J_cGV=v&$)E z^C7SR*6mrv3Mj>tqDwHPn37E?CKZ#5{?D0(36*+SRfWyz!D>kek&8x%S~5b^lHsD3 zj1VDGnjRvH$W<@|R;|Gbl7rPzH@ zajbeC2M62UIP3v@2R$B|o6*&Di9urk?kkXNI(hol9ET{C^GgzTE+Vm8=o(nrf3P#)qh6wRq=ct6dSkLRii0q2=%VXhdmZ$%lqd4?Zp1a3@qKD 
z`fM&r`V{!j9@WzL73v^p1QWdKz7y^$)b*I?qXm-99$}*A>V)3)@1|Mt4lyw{G~9?O z-^-wNXPRZuEsf!nn&~=&b_7d8xs)RjmUXfB%8YFHC5>-hfQs^CJC+I4-+sOjjtx>^ z@g_)^zR4{6)k*mi$~iSz?v%2&-3!>-VOl(YpCqGM(#6wzPY{E0fr#7j_5P5;FAVIG z#Q4Li9=FtY>wq0YGH_!@bM@Lzcr$7-6qe2^3l@jB4ZYS8x-Kj?M9r0`Lu@jFH#o)X zE;5kJ9?k(V=08KiUAlAPid=Jg$gh6HfaHy8P}4MwEyM{F4~RWzJIgRdKQ9!k`&~j) z74UENV2giuZeS7s={Up}1Cw~ouJTS{kZ@*g_c`YU`*7tgX7A+0%ErS^Mkv?%?p}GpHH8f3leCm8pXJrp?`k zrq$zmzg~B+FbI|#T}FSzfnRJ^dUp!?qD&R_)I1u-wF&-{%LY-fS*Y%lCjcerZ*K~- z_mln5dd{|)1E@6gZen-E3?WM5muQ_nYa(^^IR0~+{^lL%Urm+REM&|>7^<3#Jv zO&zZ0Z%(1`u1C)Ni^WS}PNNr^cMxl!Bg*33tI<>bw83J(LAh%6s?%WoP^8?z$e#fK zrDvNaLMt+||MXJ8%&$USlWW&v5RYy#a{O779b$zR3t~}`{p86%2kaP~W=ddxP!De< zC^!8YSmB8_(Xzsms~6NewAS`aV8}Xo{Vs^VQDUF50BftMG5yb2!X&IC6U*%!mD46G zSlJ(#O?LW6z@39!ns84zh_0`{Sr?#{pC$m6bvpzL%`-zIjBLa`6%{66=bm-}h9g%0TJqu3l5cN-!Ke4#nv9`{s4@q@b zk|7Nr(`O01z?iwH-EjJUn}S{IdnORY`i}bBvQ{>>9YbLZj*ysrWwBf1n>!d~3^+Yk zpvE8^Vy3MQLl944@igLr51Ioby{-ai-0ynkc!6G1p;wcEc#PNi`;+2Dp~_T?rRcME zVnl&X9(*Y2Ic}-6;lSxAXQjGgsXkd0Zty*jG*XR)*hu+8k5HvYEvH^Ze4Hsf5M`}S z0GFMVMefSldSuKXyHX^M+%OZ6vrfJI4ZS!V^6t=gb*mo=gA1f`?8h_V^&!H^O?UVz zK#l3F2?9|!p)rtujsA*h$z%o&wF9aOj6~*gGp? 
zix!by?aYqJEB4cLSshPPn%&Mwr?vIqcacwgF_!x2;L(mB8m%4v@Mfe+2=y7Izso@F zIQD7NNAT6xLs?DSMY_+U^r|xq>ZtKKd3jjwy}Icr1EINP`}GH)U=@Dm?YlhSV{-0W%160h(Xt5q2cvzk8o*Fpy?$ z7Ji?Jnj4(O*j+Cg2r~o( zaSBwJ!;lwNmK5VvOzI673O-TQVcm50DDzW4QOfpp=gP^2@oKQ24d@mL+<5-cD_Bc+ zgNSep@6+aXrBr%3D?vxeTV3wK`cZ|GHNQ%{AS!;!gk(X1;B=!jY;wLw8N&Ola+B7{ zhyZ}^waFP!n5eJ{?4HEtBxz;MvLTTKQJAe34UWhgSRD8 z=Y(vH>W}NSh5~}(@xYs0iaZ853v*4dJVs**kg!W5>dgWthWDX(b*t==K(tv0Y=;p( z^O+EvVYwBV`$`9N(_wP)occr2RS;TMcr;-mIpl<4iuB~`F$|sz3Ug#6uZdVMghCw# zMNU%k#!hAurLie?bmH(t?cunw&FNE^S&rfc^iJi(WSHy_L!JU3c5o-G~&v>VejMripVf;OXUu4st0hF!nql0I9`O1pCK_gG*^ zJ5jUb=%J+==bbm`#H-`IoruU%-3b-nK`Eo6R5Bt@(EQYdiHG6>N^La^7n!g~_e5r= zEmvZ`U&R7ttEug>b4uu(F@B7l)*cD!tfR0~ieH^-VVzgM#e!}KBj$*VyZwHvfWHI~ z{(OVOzu`gK{KGOk#l6SvprXHRDGNRehLEpKj1G32vW0R5hNFO&pX%5Q1~_f1dL`7^ zYCaQ^R{~olfTR;Xs89Hf*P`~eRyh&lz&wr0_HsnG_b~oby${Z>_=q_P1pA9D1CY?* zg(IUg#ND{Oo5AC9T36evJKH(E8RPQ7+|Xza8i2~4ifNymq8RD6^FjM3R6m%NMGX&s zx8IW~gS9!kQI{k@3cb_)GCxDjWpmiBs8p;p)OE24^jpN9+)O1g))|HKVf!s(N;oqT zWy^RyEjY}I=1y<0tF)27Z+Tdqq2I>Nmhz2D*xfGB*( zPfRPsg=rx&d|<#6MWU`j^vARAxXZwTAb&8;2@#vd9~EzmHlZ=U@<0|V zcUpZMRqs?FP2j*hC-a^gB4u4VE{tfh4}9ooHvkGqy3WCNXE&=tO+|l!nlfM6HvsQ)c1E!nWwDY_Qo%VO1#@< zWWr8zxjmi0Yxos%`n-<-laVDkR5uF9#lOE{fxbrIGmYqpU_u)i9|@^GM(mKB;2pr1 zH{!NX)*uvU>YK4x}`vkn%!yi^STd2s;d`u|J)6DS)0DFKT9`H%X)8`@$?KQ@0E zvaOXF%35-0kVf(coa{cf@=ms-qMJyIEjRaRWQW5)zZQA@RGp@4IGCTkBcPx+(`*$#jR zjj$ihV`MR;VY}L3gUhv~KNNF%AHSjBJ4*5b)W&71*d7efX>E+!#U0+d@3IIv|I+tX z18Syx23p)}JWC!Vk{s~>e4C8L{X^-F?JgX!AB-^t#cd+9c69*zA%&zVR-=AWO-`r6 zxQCgnN`?=PyNQdgwbNEIg@t)x^5a3r0Uu10Wl_>=xq>@~2yC>CJp za7r7V0j$xyn!aOmXFaPyf(o~4?-#-)$lo)!8sLHV?fKx?8S=vz#~+K~1uJ-b0kpBf zvYJ_BT-a_zDxavfe#6{7jU*1re`pXqOsb>0F9L^-AYpXh8{_NF{7l3n9Vfl!(ANGl9lsWRhxqX z>ka$m7baZ=@DtLOz{(#33q1F|{QTjGp+E{aj1(qgQ&=^^Q@z$Bp%qz8N!s;>W(z1p zX8ZzOgQhU=b7<}b(9oK#7vzFVp+h-ZC1;+2D*y82NUVL@m%V?*8nw6Xu#qhb{Yv(= z9Bea_+R|gaccGp|g7fA$hr?y_(zF4?U;d75xl#boa;HP~G&|XLa+^r& z==fiPO^rP?Vh}PQ`%Rgp&p+5+4G)$Hh)$={5?)OPk9Rosm?Fstjb(d1Vs>VJ(n$R_ 
z;0*WH9>g@5`;LAoA4?E^fI<-X9~B9Iw=8=5Tek4zJpDI0iBW>nC% zRw!W8v~{s4A)kJ^*l%H&po7_}w<y-F+Ol{5LCSdVpGJgm=4#58u&fp;%}j47t<-uvFoft0{5=jI|Fmvox! zSh%}tbxW&p9%40=5fP02cG4q(n3)O{5b~7ki{y;bu+F=EN&!<3@|}g--S6&_`4{Na zS^p{kufPe36D}ZH>GVfIiF!vu(FCp*{j_qv98HrQ`v-dSauhB%KMk{AlH$h^rPeYa zkMH7GQyE{frjE>ok3ja$yf%~bJ)iB>@jQrR<^-+}KN>gO6B;crl6F#0V};iY9zIT5 z#|K}@!ACenN)KPV4!~M~mne)zDAQa!h;;GUa|zWq9xp0(;?giog64!)_Ah&-E@Gw? zD|TrZzaW9J_1dB-!%gQDuaIZ100b~TBN0)C%{h49tXl0aMsc9RhhXwmkK9!S7MFYv zP{3YP3P9zH8`x!E8j`Kplv4JS^K|x|b0YCdtk$WKv?+Brs(l8yZaL)HEV!FMOrLbVm%G>N_&Yb$Rj08IkgV& z{L!YBv_kYYLJu73z)n1}wcs<5TMZhP4r6yS4EjuGhZK{ER_-Za#61N^<0%U*dxowa zpTt`M5C+H*29LyTGM62nE3$_OhlmEG?}t2qRxvGjBdYv!?4^cOxxX5xssuG&kAb44 zwGPZV521G-3)=WsqU`a^e#1wSO&SBn#+;n&jk89mqBC52x|g2CT7xmm9h+=WQOLR? z0)=5V#TdW3lS-t-nhFS zXqcX5_Ae}?Lx))(561cTHO1r_tIXIG#O#eWBerS*=KL^Og#`y%Lv%Sa4i|W_+VQDB z2t)ZZp8j2Y#FF1&@buIFAmvqMOG4Mp)bX5@_>@DsOy@D>vxP?Yrf>$r4+L?SW1I+y zEYgVY+Eh;YU#lhfvvZ)QjK(>1zKWlr5>#Lp)5~H8p@_6ziWB5{7h83CYxRX2Me2TW z6L5vCaVoM08Gp6+uZ01|8V6gnW;Mf=ms^1$fLq|eoLZ7nrayK8`DqOGotvORY$ytp ze;QuQJXMZROPT2BQp88Nz4s7cgd0zRHp$4f*V0Xwf3R%Ztxg8O&vwuC9tH`6Zhghu z#rzF?RmpD769=n?^L8dRPOy@}wgPsdECq^}?xedPC%mVjEsrS7f8vAry(7*~+i|!I z)F$k0mluJE0GTZyBM+WA%h)&zT205q=YK3{Uz-`&^?qIdbp4Qk7mpy5Z--~H0)BCO z-vM_9&uF@VB#v7H=M}VNENht)byI>P{S_dpw~N1r8;4$j+?{N>%O-4~_pp+cx;AA82(hvS{!Hd+?pzAvj#J=SV93ZQfL zq;Em1gG1Ps(UdAJI%;6$7TC1soC$?m5nfb^NPL8dbPE?b7Hbg8l*~Ra5twpUpmAW^ z#x@uen5YamsjUSA%Jiu+NiIX2b|l$NN^PJ~Z zcF4bnV>Z{o(uuwZPkr(%$=NSnL%>f`xrD$X#;54L|A>ft514V#itt%}>XaQceF{qW z#VT`G;%D-v&b(VfCx_hQbKgg#OhLD1r(_}HetrTkRXxuA_T!I43hPB{AHk7{(kETp zCd;3%M*hYtZXx{gDaClT@PpT*D#+G|O$YL(cst6P<8yJ_$j@uHN6+_?&&O7eP@PZ} zls5)BlbPDhU8z7B%Bk%?^v^JE+9Rr)Wvv2|b2cXI7K2QwlwM z2yv}lijrEf-&B2ArOfGtR%;9_6IV?>xavoBY?Ft|uR0;S61nxe>&9g;Ri9pG^N9fH z@#aHEu^F>7x(MfSMV9S0ANty05VP$2U164bgfvvZ=1%=8`3Dm9^)TskXO=@0?ArC9 zb+qtubZMuiot~4@&^=1O0PJg5ZSOBNU zlzv$Y%-br+PKPum?Ir!P+?PF1Kimop`upt)Qrj7M;1d_b1ZS$#&2r~ZWpcCTCZ*mr zwneY;4mK^qvrIs+QwIv-vLTH1kox<<);3}S?}Y0@}d+*QG13=zOP(@ 
zVUU=#X^{}DV|*GAbTmtj7XtjuLze3Qs=u zmN>`h%>6>^!N=lOh+0I;Gm2Va@uBzxc4w(58Ja=g&40}NpS7r3Wd*Sh@=l!?inf_* z7~}Hp7^ZMQ3YTkyTve^Y5H*?vAd)=oQFS9(^VFm0xoE!8)GrgbJ@XdfPu#^(s?y<# z*`7@7lf@3ayVR5MpD5HT;_bs?@)C?HIB7| zBtQFqjs%+DAXRv+Ax{(Wj`=mkr>ppkvg-^rSJq}l@lM$o=qcYXXMKM^m&qI{QYr}m z-zDcpzwOU+p?ojYwHj7tjrk>H+bUawJ}RMUTpsx;1Z8G1~G`T0`HD zI`xExcQKpeNy+f^tkVuo(B0OA^$Jd%N5#9(_Oo(|N>?0qD|g>7Cpdibv&QKB0Svnr z72K=m`1BLD5Fx4y$W=ZCwHMvv7&>%dVOaIDg1KWC1E*L`ZK7{6%fu59ax>ColgJi& zg9YN+EE^z5u+7Rgszfi zn1DVIDq-#6ZxcQ+C$1(xum4jN^qR?_5=dLpsa90*r>FBh45iyGF&x((GPky|==D7$%{(XlR9bu*tT`<4`1Y- zX}Rn52#6{h!L#xtf`|~g@+k7H?kzsf5kFd>t20p|{%}ts7xWAXMhoYb@HHXGWKDM` zlhT`~{`=O$d^U0uuW}2q^Dj<*moIY&4n1U@yOyyx%N5CuVE?O=*dOHnRWC6m--Hxj z%GQ&3=FK4K-*n_H8xH37?**0|ie5$2UKL#ry|7607{UelR;LgPNX-!d(B8L4G5f#k zlUJN-awcsnoVT6oC|a3V&q{w=ap-VfG2Kb=)94(P^0XI|r_4@jFA(IgYrBc8WD$we zKis*kf?u=eC#^fS05Nr{O(SK->I$VGFYGmVre-uU<4S5wQClp*OxDqsZBa+y_;W%b zT`$Xwa?v4C7(uVoEK2+fLJV9{*3V$%wbyr}Sov2cfn33;&L(Hj&L<$eX8=HYSG%0~ zGz<*NUH#t`2^4`2i%fy(Yl$VZ6v%9a-n@G{Acn~2!=&ved)OUN$;E9pb~%|85P$D+ zJzi>>y+09rEjsYAtYKZcLN94c+&Jf2x*KokIkvlt&rCaw+jg+U-ottQ&cA0%{L z7l5QCiwhcyP;nFc3CE_rGu}&bxVyZ{_KD;_F8uJ+G$D*J98_gq8pv#$85jSmxu>wW zXRNSej-(~UD9$_sb)~(-WJD&5b~b)N32P%n`58^oYZ)fEwFTx=aJTso!$6>KLmar5 zym&X5EOTL*>NG2P8mxg~GDhFCBLaYHaPvLrP~#$l{c zBALK+{5f@3VN&aUWcnRc;+IDk2ONUMb`B1kW1|@Ld`%W=gck$#+!iE1K~|V1%X~aB zrctseia&)p_fN;ou9?Goe~AU5g&B9SV*ar$IgIIKJ?hJ@LVr%C1}^!Dy>e}WfSjy! 
zmLCGuD`>qy8HJRP7_JarIamkRz@eCM4P%Dc&RqXy=16vt4xg+se9_Ry8q{O}J~^Kl zdG{(fR@*&>Tm!P2i^4V$LyL6jb~l`q%okr|o|rn)Lu$^^&=wcCj+P|IQ-qXRzsw0-`fMH~9iTWVQ91~_x+Af1 z*%y;*fYQdf&?&Jh^JPf%yk^n@G0w<`Tn@2HAhXW~GrR>Sa9F^%v_M?#l zJsCJv^2CPB?g-4pa+y-Szw<1UEFu+} zFYfZd)VE%L%RNi>@yk2=gX&s;4U16;=cb8p#Aq)NCoN`82LG1Sk$Qlz<(Ka5pV7ds zUIh(x7xg}^dzig@NfccxV?$6}no~DGACKlF&p3Gq$VtH9IrSTYv(oAQA+m=s@ENdv@&=C_2E z0z(c6h1B=N1gfA*>in&71qxfrKOZ@3+rSxqrkDrMZV6v9aS<9H`CP+6r!J#dE*vi) z>tN@w)H&$$!|H49+7LuRs!u||N440K|57CTG5Rvapz7&e*+b#i;j7|e#Ebb)Wy`3}>y|f~OymG)nId2sJBDUH>9jwj3Nt?t8MI@j6O}QVfPlhg|``NhL(S zg3eqBVb#5`_O{`cnJ9uB1e!0+f>@X>Ip{<85^;;-JAa08Wayp19@}b&f(4Bkfawl( zMJsK)D!j}>0B1I)MnVHV?R+P^V5I9DCZ^4~$NkP^wm7QqzcQ-#dnKLp_spbWEj7Wf zO9SWKV|7m9vza*R<#Py)YXlJ)AaW$km@%q|0y)&Y*6fSdpejS9Rqw?sd)p4DX!>zT z|X%Fl)v-)!&4xsT@FY``;5!t7l$j@ zpAQZXjZP(O$Bw_dra>e9)Tt#ZA{b<|-Uw|=`#i05f47%IWJK^a*RzmGVXi6XAeMG^ zJ5P?=0SI@B-8>i|JM;%@aONz~hUsO}aN^ipcl<#gG7KssTjy|?ib&fk`Z*agE}&=k zTF3L;s~%XnKCe)$O#saGJBl*?u@E%&7fHS+F>bWca6e*=4dBoCQ3gh!xhomv-9O1H z2e~{^Gxc?^l1~Ngfi!Gq8+8?W;)G8ZcICkK6*@Q3dc3c*qcZ{0ZRIxbI5B)*FXQ2m z%cp8wIXegi^vmSCKuV-dL=UuyGtO2O+hY((qjsa&Cj09}@J)jV>Q6@Au)a8?;d|~f z`<=g4h63J#|v`00$A#h!;3>QSX7G{JDUIRCT zkDJC` z9Kwgj6A_RSBhu4duZ;BHrvdn;k9d--=mg|_>)$umM{0}eD_VKG_TP8$nCPq;LLx@v zF0>Fk>S<0XB!>~reo-_V6`E-^z@kln(gz|tZ$QXFxR4%HGm!uHr>bXL5*tS~$}R~o z??7k-n@c}2r8)u`u@|Sot%YP~t1ESuXD;b|91mKOJdt^k&HLS4s)%QlC3m~rjgao? ze&@(m8Y&_HN$bSOY(ieo@udjz77h4K$V|RGA9G_1q>$|GWWzW4-2&kILyuE`#tmB_ zhB^5F=`LkwB^mrrBlC1<18gFOZB_)?q`~WBHV2h0(A|A(uYosU{9L`aN0{kn_-a!- zbPeO>SBH`hM;XD^is;99<+`?vkr5nf@)%DsV3II7h`>z!`T9tN^XV9q*hN*dhPb^? 
z{K!a*nWh11CqS9{IciN?Hd~TNtcA!fTqDc3qB%we_T!4ck@6(yZEQ=46z@=V>h4QM zds{DY4TYzulYPo|Qu3JDSAsRUpoAYazOP%>Z}{LekLanM%RUXgYn#!5Q-fRy zKXxKRZJpmUfK4e>_A=}j@4RU=;tS9(7d)@EB335uBfd&G^3%wzNVmR+jl1J|qQTJh z6R^p`j(49~7ZYWH6y+m$D^`T!7wO_Qs5MS-VQ&+6I3(w1JURH)@w^|4hbF)5rL~m0 zh&<}?1F3L^O6ejILef8cwrUh)f3fD&SA*X(ghF*AfEm&QavhDJGdVv>Ct=?PUMMk* zHW-v)qYC_|agcz(*A^6KbLP_nY3+d^80t4~*g}%N8zsmc;jHYY(Rs`^?ta=>SK77J zOg>OY+?!){dJf_uTxbcA7g<}}_n*!UKDs9Twn!$LY%#x4Ehnwiz8j!bL70y_FllEA zNF8=AmuzyoKp~jWe9p)OjUkLy>qq~WfopWVu`Ljc=Dqk^2dPb{2H)+>jKC1iL)2!q z%ddKAM2#gzxMCpk#})uME=$XNvji-4=0$td{NX1iR2ANA&+AO$HLmu|KE0+R_gt(; zlcYT=m#l8mk}mI((c{c0piaBBujmJW7jM<`J$c(_R@X%4O?1Ga&iLn0gNs26yE;P> zizaqYLEsBlhjEjQI@u+2ai2CHP5od{R8%rFf1qf zgX@~Gp%u-;I>Gv0r^~#?WeHt02*~9|xbJB0l@Y6Ke;%2>aC2k-b~Yb=nrl{e7SpL) zSHCthQj&G4=UFHMRO@?oVl6+6 zO*`_HTpBya(##3)@WtAeB~W!y!bTRExAM??SO&0sJ}ycV<&+1S5sZsZfW3+?o9HRv zm)Zoq`fi;jc%FXrdBxe<+KVfZa?a7V53Wa= zQf4pGryITkl=4j#pN|z4h|MGgip7BgNr-V8_k(|5wdS}cSE^2sDqo+xtih~cUrCi2 z9eW%bpL9R_`z~hwn}yZwKn})7DSDSbad&bfkYLBlF!$_3vpkkfi<Gt@cV{QraCFf(xmQ`KleVm(pc@fY~!p{=pQ)oN}CmB&Kn z`MU62lT`t%{Ejc>J3%p4;OoM;k3iA6>WH+E&=_6anfbtf=__w)eQ0|qXO99E!t;oH z+2K~_iDubdcdU(y^|x|+H0sNgVsmnob8t6EOZ<_Fec+J|DF*SU;Lep6t+~GZ#jJ7R zg5;W>IJb=T9LCxE0^^PZFEkrTtEZGJuyV~#SSS@JC70QiJ0VC8P6hcECXrMP-dT)) z{Ifh1nO}G*CQmw{h#iw=F|dk=dOke>--Ple^ef1$8}MpF-rkJgHRj-;QouP2eN0%& zd4>=>=o@N;?5!p-_;v*TyU(~S_sEQ-hq{Rz>wz`|s6*}x(FD}}c^4SOd|RO@B|_IW zo{r$&J%~-rhIX0*jwdus!k8*vBmm68=Q>yg!eehPm!J7FMHW!Oy^1wU$23|l7Z`Qz zRZ5VD-#XpuzUS7t5AY#OM{BZF7deh=)wF+DY)>|XuT|zV0>OTv!M{T53EmIhYfNEU z_~6}bNkVBMi2KxOy9+-Q(`o>I_(*#;6!c0#ZdS^rz2L@H)_#xjymc?uk#%N>(y4pC z`|%zPqLG7wPp08QhKv_ON+Y;p9AM_PTg}KoA|>bkc{U4(T9ON+yPu|m*!MM-b*q-- zq3$K!&k7r)o39sK{FJ1tJisa4A>1xOj*KFv3+P?zDiQ?8$H2{mON0$JqQ7$OYyMlt zSG?;>TG<3edyuwe>g>{AC39T0bH#mtF>y+8=CnevKsJ|0au=(L16gx@l#X$&faFaq zZ)k!orDe7%eRN-g1b2bcHHisjagPZ}Jz9h^|JQd6WM`;7V4~+p8cH^Qs4@AvNce2B zv2!TY!>MG73+X_c@7N~3@}6%@9WsXcG5b0N#a$HSLK*;{d+Qv&aT}IoOtxSRGcD{d 
zGPnlV@KkV}-3*yA84p`+%{H&C*jT49KodkBj7aatbXB!>+ZNW{b~M$s>UkJF2(4I=F?KKv(>3VI_snKbN}u2rRcFW>|$JYu++1{)$p7-#=rBUVN5w! zbAezw>#+L(tc@p8g;7D@1r-)a(K1FiAg$>uUx5_qI|mfNX88L8>{6kCG6Dh zFzw|>kyipF=^bG#I~A_z5QQYql$}*cD*vjm1m7&P$XK{=*-xO^Ii9~pFwMd z^{Xu5idy4S`Y<0B$t9oH3pVX^>_I^-oou2#B|$&*^0GkXZaI~rr%#TEs{UYp2Rwj)IH$>(EglYKBt zd7~zlkCV>Ab0BKCI?rcI;&>9;bxqqPEa*Mxqdo6wVEa-ahh9)Xr}I28yL7u4CuD9^39u(YB=!%{_YMGlq-e zKIU}(wZB2*^D{_(RAw^kn%_&kd)yE2tdrN;r_ZpGY8WIjfq`?!4UFi@G+#YVn4Oqe ze*+5h-0?|7yUqiR#6xn=e@>bQti0?!aYIj)b50*O%Z`0b{v2jRo;!axn(~GPW#ZDC z)l>YleB^0E1m!sG05>*I(~V7U>Eq9>etH6U&Mx`@cW0G~42%C^YHWU6CF9&_`HPjp zYq%AftGd0@j0wjt78FxQYDJas`aD;#l}|1oVRA+10zh53iRjt1TRj;=RI%&u_l?Zy zB8PpLUIK{IW-auJ!)Cx zNb{QIV4W&Vz_A>2$*Y9aKh&&0NJen@2-afSTuO)=JkvKXEnEhB`m51D_3JVk z9-)blGRWs^R)Y+Wa+qb?a+=UKP%70tR-(=7>6a?>(zgD+`|C&f*6b-hFotu4} zRC9^b-TVMD8@owDK972gappAb{Du(JG=p}dKcUg{yAQtN;%$ZV8SbK|C^H5JeD4%t zdF36X6z0$~V|EWQ1y-ERwC^+CKph=o7W z%G^+r8qU#~AP(4fQ)ugjW`QoNt;YP)#P{77P;$Wh5ZC7@)bippwO6}VHZ1ush4VZU z)hAMOz<0d4O`pLdu@y$tYbVzSX7ryobO9vtTA=t7(GTFP5WG&r2b)83qgVS-yznZ5 zl>`Uxv`q<_#vIBEhG#Sep?p)?`iSjC%zR{5Qy3Z#llcg*nT~}-km3<^zKyBCgEvqu z1)45qGv{#8e9=s{8GR=3Z%v;)lk0YU3Eu6*paWT;y+Y(wdIq)aAacR2BM;I(WCM5iWwuRFU;() zUMD|J)glQ`pvoj7Ae`>K>x3uuF4Zs8nfnewb>R%VEY`as9*;_Z`pPAAi0+B?0vh&7 z3j~{>+t>>+nP0L+wA&c|ZXX}v!6-)0wo4SL<}$iiue9zAf!c%m6WGM^xr7C|in+FO z0_IP6e~K_UX%3@_dm(yl^WS`KMR60&b;p6hdbRsLZuqAj4M>}H^aVioC@IgDIK&*5 z>-Q(N$`MBBnI>({h1O=DdPL|E6D(%n>K!lKKfUAnr)VD~Kygpy`kxz>X_xMl(w6-@ z7h%@56?1U7Lzu)TfC5ThoE^Qysg4pLzKFDV!Zsu}>Icc}l*NXYHDcc7`NkKl$pnR5 zR1j0GD`-xNBKji!)*LKQ<|QC)Kp%j0J`=3cA1QTh^bokiP4VicG-lMt${UeZOCd9a z3nQ)8tjkC-NYE1_`7+`n+ex!Q{$*>g6&)?MvHkHct}+?0W9W8D@8i*7EBRxV-ZM^&MX+Qv=10>Cw7*&z}B9(rO&38V+^7-wKmla zsZ%)C6%*7feAyw#?B>tU6|qH>HZ^R=H8ug2lJs0P;pyQNg2UAk>JUB)TwvX?G_hz6~vb`VzWX561+@Nh0MI+>ScLdxq_S< zn8Tr$kF%LpC-)Hhi1diuG87jA{q|Jb#B+O=4_rdp*X=$F3xFXufP2I+|q-MvpqQAPn|C8__xU=*SuPaRgH`B8AP3b z`YsyW@yu8>OmqQ;h-rmf4dF>oe~DA>Ml~RI?u1*-NEWo)Bi>ZGq7CA%&QhKmN8#Mg 
zj|%3(Q)4^8Tv%CiLVZ)Af6Yci5E#dy;Gnz#zcm`xgQA##PfO$>OjiGd?D|s^!uqvkVw|FyFZo~J zEMu_jYxIGFretPTC&7?mw`5D?M$q?nbLh!+6##RK%IZufg1|UO^<#7Zj7A4sFUf2y z%uA)elOi8>;h-Z3tqt6R;>EeAH$4<{vDg#fcfVkCTKl|U=}rT?b_rHG6iVgP>rF8(w; zIjLzNx8OxBmOi`AlGCEN_TQDxASo5;`sDuxb|LbU=M!@@8ARsQvLf7ovL=cc)&uOI z!dNPIrS=TK+>UqJSfQo@h&yJP5-jKIK568*=`8gOcFxB{zz5vqBd^EH4}DyeHKpR~ zTsGz{D?uRxHPwww@M=9LbiBZY{GvOWtkZ+^1rkcjN5r|L>?Z7U`)N>5h|QkRg^!CU zQYtGj6vdi_P+tOVTmXu7wx@hi?y^<)B8!-6^mD54e-ENB4YM1CPIIBDYcyQRB_0xx zCu_0nyAbs~#dDvW`vUCppc7ntQ7H)iY5_J9jN@Up_o%UFS+qtlc>dGhe|?*#d(+hd zp`vUg(jWopd}_9*sSJu%R@a{c-arR)jI9U0W~0rK+cEfp0{@7H{fQOkA5brlVmT-y zlLcsgllcg((Ch!x><~#F1!`$X2A-4ls_cW|dzIWmcb##br zify0%=15isj$T~@zO2QctU72P{Xdts!I4f4TIW?uKvt^vS&duy{pMqjF^(=8nhd#7JqfCW1aN-ce7WrtVnp3d?&w6V^nY9m}m=UmbMsv+6OR3BF z0rVg_ne+BcJ+(IFe?bT+FSm`o#js4N26`h?2^w>HWo0xrY4mfn%tYKl*e zhx(Fnwo#}#XXvJ!E&suLq3=GylGkmF(5|TaN`AdCGrLc0)bgZozai;B1G9D3{}H$a z520xOiR0)jy&!L*2~$$qmj1f2$Sz5Mf|njb=;hx2c$ft{7$L0=EGb;sf_g~>qYs{b zaoLO@E))q?i6H4qh=TAR5zwpNLOH9|a2W9AkRlce8I<IV_?cEIPhA_%9P z(Cb54EIcc|&Z0zpzi-CoIs;!`n}L5{K1Y&X96&U^Dr@6(nVM!#0bnp;N>AXcM{8CH zzh@srOUY8tz#S%rXT8Z@Nw$1frj%3)zxTgwjfO?w6)nun>(*)8Rx8eFuy*cA|)5tP`%A%XkDcM8(+FnxoD^6=0^Xn@L4+6Jympq9okWcv|}SK9$nDRoJle2j8)VHeQLQd;i_NC znJaKN0)`0*sa4m~&&;Bydprb_CPvyKfgDKNL2*;*6cbdK4U0Z3ADnHq9o|mW)reD*Cc-Xy_p9_m9r*vlI zeYLepU?44$xSam<;i9+Oq@1zWoQrqKbH{n&sJpg#B_TSwT$;8aYSOa#G{{%$JEuj7 zm^W+saAN4r#0|z$0Mm^mL#_tjIkN5@KFxopyks~5ObuoZVj>4NU58Ysv@If5cZP07 zJa+X9^Mdo-7Y@UNWz+G?5e?*Fch0GBDw+G$lM(_O%+@fFzHI$kQmLLJ)0CHF;=ehC z>B=^c5{F6(FR^|=VRSZsL*GutXUjOQ_r*W#n1hH@(R>mqP-C_|RP5aM z)~}yAltbsD`qsVEGUo6e`|P%5WD=BW1`Ej%dOpCmsysgUt3{i8kYUU$?P+UOd!Yl`J$0kH3;Ug`T3``}KG*8f5EiN}3{NM3~@ z&3@Zfy)O$lua)C`JO(hK633p0oGv6A2hXEcEI#JZ=xYgUxER1b;aQaw_%Os1m>Jol zk#Jt5tQIERqZbQTJ)U)c;6rpz-%6v;f8Pdp!HyO?MaInn4S2@b)13W$QMg^6_z`bH zSb#+}Pvf1bPkdPgaC$Su;(TQLM>QoVZ4@)k+(t|iJ^~jlIL%N?{-6|w*U^&h*(o$b zDNyyig&+DZrimcz2bm!Vwm-(N#9tQwQqxkjvei3+kZ`z@K3XKDlbCM)zIUC9S#8iD$YLrCjAz>BIA|zN(NBP(4ip^TN_K4?}BfCPtrB 
zNLO{9yI!)@o;bjt=DD`vo!J=GiGYKw#h=tWc-?5j+*9$N2?(%M9{tJ3MZym*+@J_V z!QvTHGlJ>M7{kYCGmG*HhL=xxiQo~|5o71mIA7IW+%WT4z7B)lp1yXZ3g)%^+qtQD zN{-UJR)vK(=MD+_+h0zaY-?VtEGp?;BB9Pl1x^RB!tXpf560AH6)9!|)D(>m2J?dr z?QEU$PfwZ5r5*YfaQUVphH0lePdXaZKZJQNQosRz;`&XzVkttA$fi+l0x}mS*&!aO zmQFM7NhO=09qVYBL5$kJu+>;l$3PF46nS_=9>HPQ26}~d9^Gqd2u4A_xMT?D&I{@#=KJBB+W4A?5aRr$_EH zSFOHdK#FI-PpM~1__Hh-e4)qXFrjTY%dDU+MufXICJf+HqJr5EFqlRzAwBHs4~paa z6)&qcoeLWP>KdUmT+T0fG`aZxURQ^%S&auK?1m};Y z^|m}qtlJWbBCOj%wEJ=aStRr(D%zW`5!-Mdkb|ZB%swRTTcHcq(f(gMC&Lpvj1QP zM6KZ)7Dyn7=Lb;5CcLt%vv0{J&aGOhIUs$8(q86oswO^^ zl}4L7Evm5({I}ne=#^MbSW;+iv?pJ`+n^^H|I|4Roh_gWkT>@!w_Bc*t^k%AU#Vv`DZnWN>lZ^H`M0RuC=BW?9|!i zY<72{xqr=`4!%(0OD&FS?>Z&C!jL{%csyJdH`h|LVk4r?iQbOSDG0y5PpzbnCF@MA zhBp2-L3VVwKawhROPJ`buEC?F>8)3eFVzk#e=uK(cGo*F?r@O%7Xh$kC={bLJAfZt zmrP6`koGNykMbx}9=cMAZ7*Mq{%LmXeYUWrCDkg$!pSt+(^k4AjFzDK$qaCWUBV|? z2L07lfM%>e>0{ihrf0|Z>rX+El;7Xa)`Wa(;k}>tYwOQW<6BpL>b6y@5x6+? zqNV>IW`XPAbXLq+Tck7alUP};jPk8Xhp+=j(u15$_G`ibVv?<4TX0WyxPih-cj^s! z)c}4jye7={t<`rY4@CmtFb91Gb0C0OpadArW)-07zyhQM13eAH>VGyskY?S46~=X& zEVxn%35v&CKq++v>9gi85Hwb|+|X4RjzmFX|NI#M>oi~}^YW9;T6_Y@TR3uTc(Ydi zIsg-D<*M|qe$JS47u3!NgDz54oKb$q(~Ps%cW zGSYJ!7)+}kX$3&lrNz^FB7y$v#8Japp!xlSzRxc4!<3(T?g2jr~ernD+|IN!(3e z5(*sBUvhX;fV>qQ9c-UP0FR=RMc+)z>99;MkcQ*YQHgE)VaR@ZBss7IX8v&Ky3&<8 zLG{`w`y0)3JG<|7acSsn21EjuJ0vB?Zku5}l0;@KI#Y?AbGFw$^TZao$1ZVq=x@Lr z)AX-JDiZRw_*m>QF*H0mdhl7c7!Q(4Gxn6%6#J*gS)L~=paplR?=a*c>96 z2!(n24ULGj1#6HX7W1ugW~j%e0+O`;$kGg8K_3KJ#>w!L04+B`E0Vb_=l6YAG-xv5 z$S4b@pJe>-^U(1-Iwu6ER%yzrR&7&}_OxXgm7hR0>Y*K;q)E2uy>`&eIOgE;qP|TY zJy+n*w@|ce%+jJ5@!E-P`;NsAtVoO<7w1iL<#rIJN{eWleMVz$MEWvwIsWsC*` zcdnL=yaP%q%xuD{O15pX_uw`Og+X_nug6fN#{7PQurW5ZM3{sRp365%zo}2PRDP=N zT@I*DB76N}b6-LjGCAa8PV)>sE? 
zE$cOkIGwD@W4pItkSA$_fV5nc>3ea zdFu`{!ne>Lb)%^##D!4siruKXwGmT-ojWD6qlCR?^0no)Y8yHJX$j^Ca_v&S!KG-d$J->R=8xD||YQTu&;Jf$FP|bKM zu7fin^ZyhVEXQ5l@*JP*R_{Nc`^Xa|!SRRgIUGt(>Wizb%{BJfG&>vaF&lv4Bq+S)FTWV(=zT?Te9yqMtDHacd>R9_K)PyT$F4mwz5ntyjJD7vkf<8c{z; z+Pz4CywJtUg%g8h@t#5+3!O76{~2H~Qqv@L`5|q^{ph$G!Zf--4V7j*ESi-G8{67e zmVa)R_R>QbLuC1~XNe^ZV3byu2siQOU+^rIYOAYz7M&o$JY(wXap0!flmXo!K zCu~rjBzu^SHw*IQ2CkDVAvD&J7rLpz$ciWPv-`57A;Y5zFuW+}W2%mHt*Ycj9X|cA zF&wA8LfgG}chk`wBMvLzTWngiX3xt~W4pexrH`pl&E_`zv(AwS2Cqpe)I|{7wu)Pn z&|4Jt)BSNP6wc)!F`X{zk==zz_`e1gfb)lTjlqo&QdynTmdBMBqiC~N6F?Eg5qV^+ zpGY`;14!b5izk}bx{iHrnn(&$g#vdv+K?-kY7bkVm7IV4+112gpgFh2U9^u5Loja* zjoo{)HI*EU9mj?#vmyA4lXku`ET_1l6`4(?z+63E!`?WN?LG#fg0ra}M3)F#LA3~k z1})eXWy8{%PPD2j6!f`mozy;oSpCQ&_dgdLX^`jzl!1Ev)#Lq?8yaThlI^ZqCWSEL zW!JDrCr;+NgHRa?Ym~gNZXTe+8Aj-&2l8voRZ&Gm{+KiYV2#Vzc00Uk_d!-P4P;y3 z|2Hv~jU~pMHwAosPS~`O?$c8-uFFnapa)*-GeEgdxi2Ca)@#7O6+6v;gzkjVAuUPen?=;4^vyJg$Kb1Zu#ry z#@x|0Sdt55y0Yw~S)nfV%nO-ENyyeq(R7Y@M`8)9(o& zI%p@+C?)IjD1?OoKl|ozpG{z$8TQdCv6&D@T81s9p&3kMF7T`Px?+b>60D6k)VAF_ zlXMDGw0u7(fk7P$+nku403cSo+N7xZt0osq9_G!~74-t#MfvA!Er6peA2jK^Eg?5x zqiGe{NjzEbio-(a|D!I@+(6Kly&(7Uc;6{lKNu`>a@L-rHE2&)9X%p( zD4Xa*Mt8OZ1O1lO)Bs^~JinjPDioDk!CE6(lZO0%a4J97IYAAnz`ri0|A#ns1_1_? 
zvfq#S)1WNl^|M7ngWOKtNE$Dj8{}T-E%&7Pvlz1QyGEn*QyjjE5W0dKlvB}o=tn{Q zG<&hcQH?EIim}k?2Y9&cP!n{356P}mW8%m`{vGjyUrc`g9czUmJvdZBm>j%bKB#NT z;IP5>D1vy=OC?>s+We;DPLv=6a&ubplSKesPx%(|e$?7@hUm;ifk z)n}1=W0Gy(6OLbpt{%odylVSe_%K2;tk9?jki<()sK!^N5XTeg7FTZpkg5RL4JZv8 zGbZTki+Pea{yuE9UjIQ4XSOg2hAa?#w0-E~=z^g@`|NH}9~Q<8#~MPlDt*VZ&~c2n z&&x{}uBZ^vldD!{OvAV|f_sbm^LlL*588E=3s}5)Ha_lAf<2-{Tv(@f+pJ~72mzzW zzF&1d6gxo+eaO_Gr}a&LmAy+=;E(R|!8nq`j=qM;+-TWI(Pbog5&S1i1ekA416?i2 z9F)Fy8O_#2vFH_Z>1L~U1w4V8;eSPEz8wQEm(J-!|470ehWwnHwQeZ0+ec+uIf*3R zqJCnmp8IjF(XoZ8Iudf9MuYC`NkcB!x<;Pqorrcrs;mzz5Dr+S%5O#}bV1L`}Ei)8|6Eu*iM@1{4oq>xrP8z?B2#?t2_Bz4!I3jA6EpMAvIsG@}DE!x3xRy zA_X;~9JHz}!*H`1!{%+1Cz8T7p8phOi12pxyu7KE2~9;(+m&7Z>e%eH+8JC+flz~| zz28@20Q)v_^2HSGK3&(~5>-5yb{hIJvO4dBhWIhzAPD+PribZ;(+c~%pvh_k;?k6M z&I)o`80+?w?p$AR^f&#V={%D+a^5Sa%Dr+*eI0bG*eM`U@BMM4XPv@1QvU|>nL&}W zfD8uk|DfFGN*OAJ+WWZWRkI+d>#Q6c?9}eEQKU~syD8ou(UNhDuDRA2 ztm<2x6s489rEThHZXeq=!ToH{f_TnQcY3oB1Z-cL<&zIP1%RGiXCP|&=+G6)seOtx zBo{0d$1zZA_>fCBZA+`G3R}P}j}wmnd78rENPfEsF+k>>^>~)&AhGC8n*MNz@xC@8 z2DfoY%MG(wqZgja^IT#5uo#lD&>eSgAH2rfG~X(bGmfpz5I0`&{HOZP5XSM}2!f;Q z&FlGd=$SvyvUwLQmLdY5*%f9rK%RKN&=8%p%vJ=q+VVzm_zDI-_Z)Xj0{3=4H&xb5 zIXK=H@C|EWf$@;cX`NaV@j+4Y3WPZ38%^oVM?Rvtx7br1B+VfzkfAAf=kK&f25087 zseZj#;l#v+bGegKMNBPJq_RM)o}F)BsQJZD(12z!pmbI6=H}Mz2!?&X0_1)~8$??l z4nWVM2FN}#M45riv*FKpBhhed#`7Pp?e03>dgs#5_{2ut-cSKhGmrIJ(*fu>0urIJeif}H|O0*FatlE)&<+<{Zr_kt_#V#6dY=STZIZ#KWD?ZV;hSlMv0g(f9& zyq5-{pOQ!UMs$oRv1Na^De&Hxn5T!}2WmTMSr=io-1h3}NFB)qym6+z1H5>>a9cIc z`(4>>{!~IF@2B_oULHbi-7`CN_sV-+#1}Yg3DcL_rGPGG-crNY1wvxs0;AW-a3htbB|=!?i1J+Skcou&T#Xreu>deoVh5V>UKN3ucz3j zf?&%dLOvBtl<-5o#~zlMw7AsEDQ{vuI8`oXjPBL~uK*{j1ZM^b1`((_dS>eS6c8*i zN{5D9|iYu!)Ny z2L`SoR|}Gt==R357F{!iyIzIat_-hH0&@EN{SG#52ixGe^i=9*KsSkxsd+If6sWQ! 
zwhTAq^*XTuh<7Yia3792BvF{|{Pag~G0vaat5k#$U8=DO(IvB^{AG45Gj|)H166Lo znX0fB@~VoQ_w`Jz7ua(;5h<=!##a;tgCPl!BXsOM_Ux2Pkse>p1YYCg&nzk^vX3qY zKe)CyYb=myEcOyu&xOGAAuJe4tg^(?QY4@=Ai8a$G zTDZ7A(6w=JeW7aN;QH>)+J_s0Bq_PWN&)tTtBZr}3s)Bh*SG@mbOCZdDlmCUdGd5u zWC2nxkFH7N0ZH*@=QIh=P9)};ll@#<^E>8%T^B{sbX^xk(e{O_i-YWAtdZKvk$*|z zV9nmA@OL43XhybNQp=arz7000000000000LFoeOJKZ#Lme* zYm4b%2y)RP-S}O{f+sSLb3bh-_{wuJdfK}st|v&>K2Ldid_BOX$%XxfN^PCF@kVC9 z$E`WBY4iS|@wq35(jW1FP|-w9lMuF^eQ<1b*<^F9NVlM1#YVJNUQWk7zBT|fBY2@s z7~vK%eJz<*@CJ}3rDXK=V=%@`cCnzL1`tKa#~Bc0D(rkw<`8Rebr*8^Y%t8+C!jq_ z8=_ct%gD@q;suUD19OF4uaa0-*$rN$e_iohgE9YpF+zRSMFmlT;BT=!N& z$TpGs2L}gTd)wDT6O=P^I{iNcsdN_7s5fKM;BHV_NZ#Xz8f~yy@2ql*XKmkpPORKc zlA~LJW3$iRlk-Fy?ZkeVy3+i*B{IH2+Vk`{UsJnfq~{lv_!}%L6&d0LK?9L`G9m zZ<3BL){YLBlh%Wi0h*e0`fFKFid7nV5j44-1od1aP(ec#*0E|1`9nz1sX1-?H%Crn zpP*5o^*Q8nx`a;HwhOIKfzEotoM%2eT0c``q+&eRY?R)*$9&;gSu7)R^nt-%S>TG38D!WVqq~ zOu)yq5Wh-K73KRf?ZtZLRSQV1gw$4C*AWS=!D4XAndkMn(6o+4PI+;#sZ+F=d6MWl z`l?RO7fKO99VhK^e9mlWSMU-2h4boWhuo56thxGnxk4W3Eo5@|6Ik36To{E$$!?QH zUEdP2#v@!v(AzO|HS>;=Ai25+vDwttGCJvtR`imSr)ywA`f8Xd#Ns*U2bq*~QHXUZ zAE*=Q&vtTS39se5R79E7y=D(6270Md{Oni7PMhoNZ<_fEs0-{31>q?X<#~OV20T-G z%C7KHccUl-Q{`Y!b`XnMEM8Ms65Dqo*e>|UI%#O^9$-+)If+2@A3l`$O8Lh<_g0z06jn= z5MV*t?qQcVqwzrocOVEU!iJfWkRnuHMMeeyvdo?W1g}zLZd16}MYMBbg;W|p8I#cN zZJWtF-HqV-1NKM!*fE6u#R}4^TC`Q-5MZGxhPW_oivycnzxmAcbEZA}X_0(Y25Q z5V*&iXE)ipyW-VPDv#A$1OOJpBKdB!myRuKPK4m`>F-`rp)-(W09O=fmFSu~Ydd81 z*r=fjLNUlJ3MK;;-{#{DoD;gKh@8%@8YpEjE&&T{4|JE#Qhpthl{$T?^|FGlCmDrn zaXo6y8M0VW%{Uuk;{^SWdbe!^s;G`}o7xyMb?;RE18@)-;Uz{Wa`PD0D{M_I*Ji~@ z+ybYo;nW{VKM=8kZEQaF>Ct)e7H&wRTrf5h;n2Q-Mv%a$FsHndR@I7R1rEyO`8okc zvXTlwu;8MeHgE6Q?9B36@r&%zeu|d7#Lv-#tc3pimv&Frk56}gvga>!^BzR=6+E6x z8I*3*^QCPK5seF4kgdK15^Zf4 zv-KDgF@JK>`-|WEByYB&v2lM~ua_;f72~2C*tQUs1g>GwEpcd8eAISrxS*{kadDDhIE`8FfsC`?EwA@uC=WDTmNVm&2&^puj9Ewp+K z$`YHWl%HZ8+%^ zK$rtQ*2mv8Uj&&Y~N-I8l_XwXw=tkj|s*1%X3!;um71 zeb=M=>!9Rf55RyKC1Zb3c1$-!bhe^+oST6bIW#%FURswnG$aXLx^3^5S>6ZYTU6+@ 
zX|J`FgMVN)21XfCm%CU5GfT__x4SIhGd%Mmvq+5VM{)GDnMAGKeAr?1OZ$SForw$%$w<}%+XaU6E zklXgpvVBL(^}UOAg47*CbQyIzDH3Xa=0rE;8*Blj%{RHxwD85Rfnn$xyx2Dx&wFX@ z?3?5w@!LYC#Wqmvv%Z)=q9wkS^dbE|=KT8qP%--!(wOp1HnNb2sE{SH8Dz=j z)~ZT0T-oJ3{|Ue(Ia^7+pl;Xk)DAS>DYo8w*4a<;6ArqGUk5EpVVqicM@~Q~#@reS zQRumt3Nn(?AW31}-p!3W0_L@P*0kN!8#YR)+7I#Qj4Si^VVG6DO=Gu^v}XOl1egzT z@~3eE6b=%SCfOBz*sNb%FE+Bft1)1Kzg^@ z6xu(*c5CI?>H4^}OpsyR<{GrALyL3XLI1MDT*AcJ+(+ttVz|2n#Or?|^(K;dwH$H4 zx$W$I-c~m}_Wrs}lFfY%Me%hQ!%gbC&R)fe2~@u)y#wZ&F;=pQEQc?Cp@APj4sF%4 z-_uvKpR>qx%M_9DbYRy!Twu!*Xi`&s>QHHM)RZi{E+iZ-pPcp17^cuofD*W%-G{GR zaao5a9wh1pQUaqf9A#=nNLV`=X9nDybtc*BMB5*tyQrfB6d#SFe(Jc~-Mr&V3YSHQ zMI&}%u&d2QjZiQzzh|Dd;v$ztJad$jUkeAf?=rb0a24ZibwfsrrZs|WubS0jEQ zuU^>FWG7<}?<~^^x%wT93>`5~S(Np}i4e+`MX-ey!=YuO- zi;>hBgA`SRWCWP`qe$vcZaV6j^S=TM(d zi<>cV-xFdK5AC zD|PwE#D`00n4*fF+_xywX}IvBk{bUm=M)ft!u6MB{9Jidg-D|yv$?CQ z=`~oRDjT#Sf+ob!%!~TBkr{6wl=7`@R+fVUBI1o*JtE8=sJ-_%E)(R<4XR2*-c!&) z440>s*M=i{08(m%6zRzTNG@wcCdghtQ%OcGgEi}O6O{!0qhyr|r+pp6UK7}Yc8i6b zS5K;|=5-A1gaNa0$N;0C+x+Q-W0qF|0}nbO5(LdIqx6d@hU~na2?7^C52| z9g830I$FrVy;h))ZpCeZLf?6%V;e4j!lF?tpzLdBA9y;`iw6>P=HkSS{eoHWR_E%QIA+ZR z4^gk3RgCV$|)Jwu{@!mG5w= zvMYW7eV6`GJ$j+dQ09Hz-1q>Igcmx@T2q4?(yj9fL2i1oL^$+fP-HhP-U-tYO)_^m ztatVBgl47BzLx$yDyU#^_S_k3)v`|<1@vCFZ%5Vn?0&^J{0`z7h~tE! 
z`{9m7T(1m;-by^XgNRhcq0)6`XZfYc3}~5;si*^vG9FJ2Xr4lKWiKr-32x+ zKK9kOj>9*l*TG}WofKcBi<-{Ybsuum^}eAPi};U2f^_scl*Fy$(9bMtHEI#Dez_2` zC>x}bA@wNt$4h$!CsQt#nr2zg~+GLujvy00xG&_-@g2gX@_tEc&M`PbwzE zY&}Ex?vXhpE{v4rjThCdSE=u=*sP?LmFgnU#kFUe9y0!)+&|Y_cR%NG^lY(HnXtZ; z6MV{u?A13$1a2x2(vaaAGn*)ijs^ALbAGwv2uJLR8+~0XVP+kD8gh{{UO>>Or{wI{ z?VP5I(SO+9O&=ddL0=4 zg=fanPs!7AFXl%nMyHS<5LNwZ$n}e~0h9~N4})8{eT2Wa(E9sqgIle39y(V)3=_?H zqJ+iIXr?*Y*f_h^PdYzf7nACd77BrIuKpTm)#O{SmzqQ2_OmSQ3YlyHKX_eTylgLO zaZ&kD?-?HTyz-c9{Y%XW)A6()nL(_}d!mS7zYBJh+g9B}>5Xa~7a<4hp<`Q#+0~6g zdG<#aQP|{{(a_2^rzvA*^Tfx|ZH#LyVP&rD+++|7 zY72ven@6TduNN|)`3GqcjpkwVJ7VSjYMB{3e!=N-FexC}aOIH_8UqBgTS{rDe?)b1 zHvEw;_V>U-s`44_@#6FZx8pMz)moAz0ijZh_7p!`9#tRy#sd70`5A`V@|*b#nk; zn*zhil*J4T1(tt`Plex$dJ7fn9q5Mf`Q*dmLN9fr*f+{d$pk{09O0;98yew9Hf={4 z4ACxq9+KF`M{i_}qC5RLI%Le}-K2b_TPVcahT;t#-p8!Au)0JJ$%1~={ZFCCc%^R2 zQ?-B+3%7CX&OySlzbg*_bM(-Y;Fhr!Bow%Xymt}&aSn9+x4wTSCxb{X;*41XyO7>V zOPH8T<$2Gr_rKFzpJ^qttaW1a>BrDk*%UwG+s=R|H#oz^#&uLDcb$m;7Anf70o55z zZbgab7<(SJV~GnZox~oczYsM7l)+^;71&`Z0OPAp9psR&ru0!0F4_Awx@ePY@dQbK z#=yf~;YC}VWWYh!Kg382Byp7$h|}k7Js!}ssnm)dY|R@?2+o$}MjZ)kPqc`=-#Bf| zf@GN+4r9h7%Wi5{lb4;=l3RV*c8=d`maa}tNFZLEkIas9P#tyh9=vC>Qi z9F;kSM0M+I-nHqBJ+5uFY=2eox@t;(B+W{UEE`p4hiA_Nc0c$+bm1K-@nfpkwnam6 zDM6*&G2Q54s6s%r676X<%gkD3^1lO(=n1_L)BK{ujP0_^b@K_SUWLS{?wLA$SrkL5 zjo;8U*6D&}M7*07%`bvggFjs)Oi~lH>Nhx3t36s1{7FwAE44Tb)Aw`Xi%8s;jfr|J z2>)XC^+voh=eE^+ZF5$K)W%+g@*yM zks2`j?M@;TRZWxK_e)0^P`!5iAD9ux4~Tb_l|t&sl;awo5&4f`R)FKYr$%Zww{T56 zcmn7ruTHTvVS?a@W(b~5$KTq#-!H^)A@$Qb)6jy`)5&BS)G6h9O167O&K88r;xj`Fc@6uJ2;8bbZR7O1SWX?_%>?H@fY_u@oVogq6(T2N!=58v*XNM8 zNMB~tVNheihrU>V*ohYAm#D@7f$;1P6JA4Rl+MzuW;sRYS_BBmFmmgDU9#aV9!Rt0 zuDCa0K-ELVt)Tthr;!uPm@e+vt#o3tTlIwVMQK@R8z(G_wE} zZ@0>^cMsKzwoMsRzIGg%m8mKT8V61>nS{?bI{~Kdn!uwvWyqEUvLf}6a0|229ycxc zHJW}AWVj=gIMyp!9(M5!LCe0Z2j!u?Os|AcGamq zWwPEVy6qBimWFDAhO zP%+SnFmmjNU1x&v$Yqt3aU)nD+zY-kp?)^K!z<_(_w3ko^;Rwb>GlI9wD#}De0lLr`ahY*|p~qjjU2a~``7{trG+{6M z2sU=XL9zojKc`Lg(i2h$h}ACpn@DbV;h^PW@#)tl6ROyMfC!JqPPuwPxy)IZxe*=p 
zO=b!Rz?FcKj9xu+2~%U2Hpm)G=WvrW^$kg^!0E<@fXyVRqzAHl=cuGKM{u~hC`?m2 zS^2B>*oE>mnTW)0uR&phR5Iow9KSBx(^HKihx_ACNhcgN|FDXhNz8QASg`69xmy|g ze=rUNa)etXAiwsZ{n_u{bM+;s(AEy~L^Um{%0?FHm}UFv?J;APv_Vn+P52+@RrE{3 za=-4T{d7kR9Zv@O1?8&DYZdL3yJqO9@L}*#kH0x8b!Dbrh7Qac^BDN?|D?h=hht=L z0toL21k{=*A-P@~D4F8b^?)Y}4Q6qqfP3r2InQONWx@4E5`cRSw0phjq7UL%JClPs6;1BClVAMP)%e1ylh)dYK4YfoJh&f^m6f_|h! z*6w|((R;o&U4i|x7@OkwJFUz@c#QfF|cWoNn*m-zjE5_Ew5^B_YVT5@_`qmE-st9lKd z`haC?p31YG(vJ-MTo6&JSt#Q}LpG5$Z7 z>l5JLldssyr@h`*gYF_hSs(Vq_DzqB2Ebpw&8A+}#d`Te#_=Iy_k@rEo{5lrZNY=) z_Gu$>{M`TdNN~gRVAm~%?SkbdYSNey z-&u(gc0{l9O4YeG=;{SjPCb2eX4AY4A^p?d;fA%GH&tI(Ifd~XQ8(5x7<;MmGbfew zPQ0DQ(w}6Jy7XyT*PRD~sBq;PSox%;j?#YqbdCo@IRdrr6|KQic%;Thy0BgK2YL3M zeI+$x_@w6RzvWdzg!!3K-?1qR-a*UUC!lalSzTZfj70tk9kln}JsxkNbEl`fNDI*HQKr2PvJ*8v8pZ=XyhZ6d(G0E`h`I3V-_{?x2t3HX^Czz^ z%|(CCBIy8gc{mkt>YsPb*%UHrBvaP247w@t!p}yN=EB%3kvXLlDW;s_?r7g1@5Qib z#+Y5oZKe|QH6o!*gCrk*XTjkATUaLXr4gUh#Sf4kh_7fh(>rcmeuX_2N^p)PF2suj zgeTek57o$zbXLr3wjEA~Yb%T_Waw5b#Vq+`+(4(?Y?`nqL|rs&(^f8tD$T!m5| z9!H<_DWB<$OX99;c(+R{aE6-1%l%X1XcAp<+12OJQuU{J`AXQP^as(5)n63z%?p`T zXd!b_!3#5@idWo+n3Vm3nAX-!q8eR;I2X10^fr2njEfHMD8Hna@Us0eWOw+)nBVaz za0v3$*HwJD0)#u+=@bH89UJ;FG2rzWkxL?;8|xKY8$G@8qnuR(4X`S4?zq(%{ee33YU9`pQ;8sS{3oyQyL+8 z&&@h-68Uka_s2E-eR8m%bD)3O>CGpWVf^X#aWg6<1f34%n8y4$mN;Mvl@_-cVcrOn zUzE+^N7w%RGsD!emB^mzY7#fnfHvfhwvb3DLcPZxF3U=$L^Z-StBI}u(Cjdi#J9r|HKoTp}xqkilx)toV`Lu27^AXx8u? 
z%$Te&P{?%^{-P$<5}Lb^$#X!ZyO&>dx<a&)0JvHS5gxp=uS9?%EwlW1`NDx zV8+(nKSl%R=nZ4uF1-9ABQ%}z6jTgJ(Z{Bgei82g4F1lto`7HE`} z;5BR0hfYZW|md1btI{70dv9b)YcKe#zS9=0^~9k(o)_Fz=Tj~kNxm^F5d zt+4Uo)zV^mFhcxNz`#Dgnj%lK{k-?-6_(*x_&amaV6CeLNs-(aIHus{Vls)o@Hbwb z>HbcAkjJ6?WVr>{{T@vK^O@rZ|C>3A5`0(zYyiEevp4L^p*W6*bw{{8<-1u3a$5k; zK4kptV^!5J9HN1vZ*WS?uvVij^EL2q-%Pe+@iYWC)3>T$nBU|M;8Wk({Z zcIJ#4*8oi!>o&TuPzWv+_UHIXg&3>(A4nLw_lMb6FdYW`S#25X&%;LiYh$1Jx;lAI z)dN5xYqF^WAMbB$p`ej-iVam2rju*SD>gx79oaLx#nXg|opr_k;vGcY2U0b4=9C9+ zu@3O1de@SWnsW3gX68=xlC0Um^Hs%egsh$fodBa-ov&ezH*5dZSz+;p4(MdPv2pAC zDSZPw#dpFBT;!fbcxXplId7(0hD=f3VxrHcU%B=z-som8ogFi%H$1QorszBeJp5o>QoNW!j6 zl=Ya`ePIQd2aTVphy3I5#;vNgCO@QHIQK{0wE_YZTG>4AK@bCyhkLv8(M|N=<+^v6 z#&$S9`_gb!_tV_|nWU@#%5P(B3|@0q$ZMpy3ct(~S>EOglJu=DFW`7SigCZ;5)t37 zlK0iNEDf*VN*$F84=xXu*>)mCrAtzSl!RIre_t?q{ke_Gn~UVqHn#73^%9B4WNPLHIA!fI$DN|4%_KUHV^-xc|QfNE!fi zxYD+emhe&&F+H71UgTk;-w-iV$GY$tu#4Y#!FsIRCjAAb3AdotXqk1|Gjt`NMZ$y18^<917Pt<+Upi%>;JQ~)%=8xlHxgBkCqHF zV8Wfl2O8$_^oRPMu}v@(8*pJq2Utnn5Cf7gv6JUv;%U(7tAlN`DZ80)K82?9AMdF zwll*z=l#&8iILTTHy$zvh7WWAVY=F+vnZ^Sxj;77=LzFi$~Vsk#VsThXeK9hjUkQN z`o^~@f_^V&6l_ocTa9&|AHKP*BQ2+9Hd)?-NO}WMHU!QL4cMeybAw>Vk)P{G5%Jt? z9@SA&Xy4H9p*ba$2bhn^j4P)w6@UN{o>??xz{e&(tPtA!4>ZVxZZeH4|GP``Yoi5uQOk@=wBJ)^5CPR0Ig)wBvcpAoOOX(4uE3F~@s1@1N`1p+NgV zz<}z3I^`_K7MY6?I5hf$78S8?gL->-1i~3;o}+v`-3NV zp2ECZGZybh3J%N3wI4Fi+qpJ_K8df9x_&D-1yQ)6h|o|u2h_YxyhY4#>p2$2Q3g_=5oBU!V8cm9Nl8PHLU@CRi_9~)t^FejS>oUM z^O)ci`ADkl-`nwXD>$U?87&MKo<-D9lJr|sumjvuR54wz?Im#=9i$yqbQRbPVRSQa z=VeZlbx{EZK`IYa>V~bdr>2{R4fd%?l_c7iy8zGa4Y9$Z>Oy0iE-uENQbn%t{&Vnj ztPKIcgt96r1W|HsDe$01gxwB*C170C%tAyCOxIApymUzJ|K5%9VCCOgQSBFO-Y{{& zOUB(YhQ^ajb!yXj4Cm9RD9EaX(b>}Vi?U7^#j(W7SVxVv>g=q^5MZvi|~zzs6-cdiJ|WfvlZ zU$u#kGeFg9P|=!EBss(1(&Qibr_i>jlZ@-*30GL&UJHXVx9*p= z8oWnzmDoHePg(`m))5%{5PHlQYi5|pDmOqDnhxLO1oa3tE|VGveg?C`GO!-y{`V+_ z&SQ`c{d#wUx*(~?Y~V+>EWI-%-)S|tR(iJEvC2>2SjyfQ?`8m+n0QJ-$gS=B+b|y* z!rp~yAB|W^l?5vV)L=2pHtFHb{&-qNvJjTCgMETj+AiCnPa~Z#Nt@tTjVSSJoXW%? 
zMPRRr*zRTVmqa<8=tkoro8O3J`rwPGw-qQtHu2*w9m6H^X@EAX0Uqr!{&|1DBkba! zXf31jUDdw#K>wO~kH9JYYFR!Lw~x4$=VdDu!ca}~LD$Y2`C3@w*a-#^ z7f2)zK{^5*61^(T)ka67i5|K;Ab!oQc#KUP@0Vnm)cPIsV*wFy*1feGJwbz`qy83K z(jp1K)D&1a)5rS#JxRe?z(&C(W`#>x-|$**V05NkY;I7i72}1fX^Kp^EJ8T@J(*dk zMhra0|`?CZHpStd`QAbg-9;l!ck#z9wiM- zXv!%u4bjHMdJrw!n$ii%RJJT3W2gRj3(XN2zi@zpWoCtJR`6DHsi$1Ge9q$`fw4IP zDsK?hmqt7p!G*=i3I?Z6$s^^qU=aCOY3z8x(>hO#zpFaN6R(X~o9`{>B(e@wM%{^K zf(Smm4DuKambYxO-tyz^5FapzOBjcqc2UF-()yhc-AAji@t)hj#g!v%i2C?<8#T8Y zvhvIqmKw1Hg`+((UQk+zV4d*NowINqh)N?2%Su0%Wh1|v%uj0~*#RBJR==7Sr`UHk zrvrmp?`8KQq5KGO^m2Kb00{h7gJM&6y15LslqTK1+~$Y@Xw>Pw93a5jlMVKRl`-Gw zFj=@I60rgL(C81_zEE>*WtLRRNy`)qRXpZnNi~GSeJlev(YDafC*DzP(Xfmee z2ZsK|!RDuL@1oqS4+rI4;bw5cBjs<0?k84f806LWuIs0V`uC-h7o!8ng1oyHR;VHG zx@GEa*P~!>kmG4w6BA(;jvw_oZs!09E6txEPO*w|9F*|=i+DPu6G`K0feqj^ICS|) zF+z9ioVjC{)ET}VzCZk>3=&aS@@WZGSKlOGDx3Fx%*S`T$0E}q zf$r11huQP9Ig;{_Z!?TKDgV^;0+>6pkze?yqTa+bR+io4bV8{u-hi6`FO1Ug zuNIZKF$Ve_pC)S8*>Rd~7JIlW7WataKnLpHrN(*NSwa)txTyUEqInpj<68?ZsN3w3 zbPY8ajIWKq*o{R5!b{WqDN>LJ->v$zrF-Bt$5=~)3|^dY5$>6=gC`-bwx1}tjl}X( zkHi!{9JI*ZM#6GP(Xp;fT-PR7ujZiNu%(R^IdbfcK zt!NS0bFfoY@NsoDj|J`{deDb@NQ=g2QDur>xOo>7!8Y4vI*+x5}_Lt`<` zc$|s(D|Q}TK-7C$(2^l+EIz!MChFHkTVd)Mi0IacC~UcQ3LPL)$pWf@4M*FWKhr7= zc0K)B#<@}3p*mp!srokpk1a8b-L${Od%L($$N_?e7rz2BiEOlIFjTG4;_C$a9o$Kw z8;&;9>R_9_^StMES3ron(qoEH$V-h=52g3qRGL>}Kx-5;1M!0c1R`Ft&;*kcj3U@G z1{qPs?vf3(g;nv-o`qx7@DHtLM@+h0b!PshYv z+zc~3HrYp8&@XeClM->9wM_}8I1>5rT})Rk#bw%K)E}Y^se|?HU-bK7MfC} zuI5*I8U59Q!u9NlV=;ajSWP|1#0*YdR7uPdb)?eLPH1(G?`y|Pp-^hzRRB~cv*RbY zwUT5NQsgA3M@tm7`zU4qI~wiNt%Td5Oezt#&|l+BnDDE{9ukbzymU^o1PME#lE63k z&R8y!BJHn$lAOrRDjyl*&5^fvF`KJ1NCJR%L41wCgv{bqJ5Ie!Na=lzj<8xkP9G=d z)63{uYfmq+{iI`T)~T#I#BW{;zVwffsao#SvfuHX?UF*uHS^}SoqkqF9p524VPA8k z0C;zT-#;LcMIi3y^N=DB$4rLZ@~R~4Ji|x#S9uXZldQ_Ul`-pyuAmp5guzVRBsu;> zO*Ek9fg>du&z|t~?55}ir=v}j%!nfJU_`XE6k-S-8CuPHmZJ1?&|$AErQO$ck$G9D z<1_~7L;K zak}#2XXQVrPJbxwWhSMEB;p;dXbv@RLAZF-*-m@Vm}khWpa3RuoC%RrurFWc#Pu5} 
z!^H#^w}B?e6jPXq#mbfrzZzMOY9~0)YuBB=at#}Kpk3kOa2MbqERTE%ij>#%!9`<2 zG<rdeT5vFy03LAO(CsNS(ghm)Y9->|t{t>%A%n*G@j%%K`lO?TEBv6p+OU(dXwT zgSI|TgYl$PvYa2kN%?R9iEe?DICT)zLqyEB&F{z{T9u3*@{Mwq1*Ipwb!n+ilgPf= ztL@gE*#H2^Z!^~uRhxWF{XGsjqzzf6dNtx#$h%$IPtytV-1LU^D!aEXU$o%TX`6~( z4IvE27$Oz>J??tO5tA00jMHP`{(GqVVFZGXi>g2@)l-yNq%Ukmj|nbq&M-bNc&33siu{e_pVr1GS87hY56Mp zs{k})io?GSl?iisn=OR?I+wtaWlR*jvGfzB_7?doNP_Vr4Ouqf} zkCEAXz*L1aD)&_-tw_1*lbyeoTe+a8qjj)moq(e`B!3iFw=ZO{DgfAVEmC_chR9pe zK?Vw0-}#7L@t1%Bz@U#3s`_~rjJ-cAqn1JX!nn9cTu&%KWX#P>rF}<<8T9<~O4T&TB#mnE%)PgIPI7=fY8>XM=SN04!JFDL%!gK@LW4_TRez zfH<(NR%Ped0agXvQx=hU2>xD5;>X%(M~)FyP*^_L14&}>ganNgm}{bj{J&R1Q0zC+ zyPnd7k^PzscOnZOm5}1x`y|irlE=DBI6h^q^c}^S(xH=$6_4nf0V;gtR)}j=2^Q|q zgiV70K;>Em8~C&;V4`9u^h+-OG}*Q?#m8?OkJZNJrA&@7!!1A>nN@L5rn-}_8hvAH zub;=ca@xz3<4@F2bqk;)VBnw41U@TR&~T&{a>{1@qs zk0-#Weezn0Ivat3`JisME+r7C43L${z;yoO*pZLxi=`%*t6IrHg(vb1vFV|;+vS;6@18xfW0) zUXqX6-@3An{wwyPYW{e^^-N=3%LC7M?{`29ai$C$6B!M+1mG<(sW-`@wz|=!mt&Sn zM2#s<)D$TsNXN!r){8%~g`gwVG9KL#p;YZp-G% z_szdFPBnv=*io!0L-_EZzq`9{pKX{^S*&Y<$OL`4!=p35ulyY#W~mm~8;+)iP+$g! 
zSwKO5ZX*0}atXM7++7;mZ-N_GRH2R37?xk{3T0dGgLi=#wzol z2b&Cd8+D_B&g$JmY4pvaLir~4CN8KQNAyiup!j^H%+FCBfcz|?$8X}113-t|aW!uM zDYkuuD->U+XS0u_gx+JFq3>rbAqu4&)`@&r=X&w@pO4vPqh9veughx|pnA@-9%0A7 zUtrs6J#z6kUc}kpI4V{zU$LQzs~;@(2pe|-nT|u*K~2;;%K`59 zwT!N5{vB5sO7NJFaXc0Fkc($xnNOifg=hEVFNA!PlXvzfOnn*B1(jteX&1vqD7sNs zmaq}Jl|f5QP^L|8zexdXfL|<~!vPrG zj><1TK|bJz2Z?rH_byzZCuglNV4mI4D49uz7}V41xbQn(7%slav`TIfTf`|FGe+wj z>UztL&&jj#JcE2_5DOx?CDC#Z@_pT@plD~W0mc;uz__}OHS7j&?j zlhJ-xSX|xTnF4qQ!fe(JHP!7GXAPPZlJH?lx}-YbM>c9>1PRkQuB~oS7RC%R}53gtx;()Ai}hu$=th z>{)RpS0?7*VFmY!t#Q^)sy#|^GJl@($ud?3mpgCRNCe zuP^KiNGcUb(yoseJo;aeD)*6DfDSJoBL%i3hgP69`$V+h`+Q ziX}m?55&y~XzIUWB!laJ%3O#wvSbpPxrrkHBTwno)4C`&Ri%f&c~9tH>f+?L&9*2I?oGQ^JaI2 zwI1pSI4!1pbaCP6d5r6Q8-!X?WaY^tuUa=O0VQP-(oD&XiZ;ER=p}7 zt72Q=b4X}FUNY^80(=($0@rfEU{2p-r>$glQF&b1%E=kck1V0Qsse2-6|2F{`s7R{ z)x$iKmJN-&7*f_vBo+#{;oF2>x>7UnN6b`8-SWBh+hwsb0-|Z5c);Junv4zTW(Tcn znIsvJQEBerECV$(TWpzts&J)S^Q&Z^m6GuLuKdl<-L135nERs588B^J#VDmV=0k0r z4~W|D;JNbg1bG?-ZR15-rS!Qhj_G1*k{7cJ49?KHXJTF@IwqM^RODjGqFD0gW!&dB!r*F z#3Lleo}onEcScC*CVkMYOr3OD$n08>cEGBRawES2TU0ZbJUND#79$P6Y?l*a3XB%IRsu zkVxvx>uOHX0G*0m&yM6RS!yx_43AiF{*79lU7<>^Ov_ajC}9b8PS4X+jrwv; zO%wjF!Tz=CdPOmvbWfrvh@-yKE%2t+NXrg;RdY3P4x>g2?}Xr4Ru%1dm`;moY>1s zUZK#|sJp!a%x| z5=xoy%ScI!A!7>}`{FgitqZwn@_lG*6Yc0@tk0WRhB1;xhQ(Xje{?meu;CS5`I!)=_Ch+IvdXk^3Z* z+h|BASKqS22rB58L@8FdsD=QEPrTW48!B%QVt;=ptI1eq!~e&^DM=ckK;STb7>!&eIPS=j);#FLYp ze?qb(R@W}XxdpL3#n7O%P8Nn4ZmrER(La_pIk2##vUkNl?Fg_T-D!5kxJd;H)lB%x zzt-5XdePCk8u@qdGSjJ6bzrp(&D_d%>BeNxwzxjE9#Ds{9xKKupTd3f!GHaCdo)IAxJGnKQ)z%Yy-;((qo=L^&>)? 
ziORe`$Mf^+az}mB(Q3xwBC#nSjX2OGdR9QZpD(IyoY#&{bgp|5T4jWKWWa&)PQpmB z%4&LlIhN^A?u5(KsdqPbIZt!VV6mRj64yh0Kt$HV^*436FVP}>#rp^<=_X<+apxwL zPvN~1bETbEjh&y^IJ$M?sk6A$v^m%Wj!chY$YBl$h^i>Z@$1UWOxtP7#)TKV*s@V) zUWKF6scIrb;|X2%h6yA^doTSRcj4B@A~tYnX*hvL*NQ_M(^GuaE$DJeCWfezEHFFn zxcu6vyY<=4jPDbsQ(pupA9$g>vgj@q*}gjMDEp04hc%-!EZb|2Jd){Otw`-Gf8Z4# ze~{D*FSL^>nU_4Rr8Zd$i=7rf7i_E`775sg73>FqV#7U3*N2T}Q<648k+~o1l(cap zm7eZZ;estQq&Gyd=pW|GJQ@s8rbOV-W7r|(ueKrXr0#~5Y3jF2W9Xhwq?}OA7>fWy z9!-%B*%L6Hc5JBv@~)PfMWv?Q^802nLhAV0zlGkF_i)gO_aL1aaQ6Wx=DI08hjobM8Z~Znk;cB(+(BC2kid&h+lL+nS}PPaq*N4!AK{ zY~GkVSSt9_D@m=4s*ku#M8{}c0^A*s-@7Sb0oDO3A;ZLL+N=-2hgvLX1za{w;XSMR zWph9^qC*alMQdT#VD*`y7xPIWc@VA?%X_fc$0#0*ML3~+;Lq|z=Ex7O@zyA(MhF`K zn*WfZSB%(nCd!>3T;3%Uax|ypfLlTrRtK@qoyTH^`D10hdR58nVZD>){$~AGpioSx z%^zM4*-i1ERJ|SoyQqP;gt7{noOkWc2+g5@Uo;{vLkfp{kc2P|H8GB3$2}W)H|L4i z%xXV~kc!#C7pZx&lvG|(f%SGnBw#+sodradiB-)fL@K$t|Mvs~iDiEqc0hAOuTk!dXkDxcFs-WJ9dc=Sgvkx0@{VD2+|qI|M~t1f2^ z5>t@a4HYB}lI7vvQ)8Wh$)0&>>>@AY;%%%>6IoV%cju`(soZ>v>&u1atHX6-Kbz1E z+BJ5&#`d=vW$cd~KNk0e;-B<~}VMufRN!IDt7?Ml8u8nVM={l+G*~XJYI`dYl zHe?&}gLb4MacuY=PD;(ZL9p*BlT#zmave9Zqj7x_rq@)7+`HP`uC7IFBT0k_PC`qy z3v;8u_+7}UDSK(%=_cgfYCMKw_Uq`lED80wx)|A_^h6=>@%Cc1$RmhO6aN8{>qJ3$ z;y8l|YM3`mKMRwDjO%red0n~*)G5d&piCchOmYAaxYi|OeB!Hu(y+R7WD8HE3&@B3 zKo>DBg9Myd2qxWL-xQNBi~i0k6*FMWp@;gVY`dlwENJ`g@NeI^LqY>Iq)#>D;m%^* z;)n~F6_L>ScDh|3qC|9cpAAN^hd0%LKgSAGGaBR)qU=Jlpznnl>YXY`u+^Tmy5F zK8t5%Uf5dfqPWH@+6it`oF(l)L2l+4LmaEB0o2uWtzMjU*V^ET;t^CcmAr3A1m1n* z5$O6pno*Wz**QwsHx^Hd2;m8g7heOYNYO>g@Y93VDyH8JTNaL-=wcL;o~fk>kDW%o~}!Uvl=k-&mc&d7;oJ`LuaPKDj+fge;9fK&KYc^a~-UdDR$(^sibET z!+N%*Vz*#-*-?RtkD9M!V;4vaEf^apZn>%Wv%gKB@ngW z-cxf$k%P{)mTw#onRw`%xnggpFx>{F+c@Tj9QR&UKl*4~sLq4OO6*AcBw&Va;OGrZ zu*x-q+5_fC?KY#$^o1{_Hu@V|e(cZ;x|Ol1$m|l_n~l%C=wMx^Ah~)Yp}{%mXxgcF z3a9qY`YAn|HZXkYco4dpnbnX6GK4R$5vZU%KA>^M7Oo%>*H#_TCg_AMt(1#uIW3j= zEPb6{zV6f8)@2j>@tHAApySbkHbjbsPlOHGLR78UCg29ZZT!8N`b=D?_5zLxb75=n z+HMAkpU(>lBzeLCbUfujPV*BHU7vBGOUp={ej#p 
z=+cB+@FzVMq0UD}pMv#`IaV<0P&i*tRrJJbC`5OP^e|bP?Lv&SgM}Mvl`!J+=bh2L z*`48BN+=e(az=t<%%MQJG~=~Nz!MOf{&IF_QpYLqi|5^UA7V-uuQ#dx9-Tz?piCXg z4VE8Az2{gfB?$cw4e_U=;`^r|JZ3Jzh;nd?^VYA3r?fG;IRYgjkar+$`3R3X4PQJh z=emRK;Gt>hBbc=d5O3qA@_w~S)CKT*{xnq(`ememhetsikvcE$@&W>>h&a@Z^;z2kkdS8G7WmXEoWXaSRjK)-avl9j3a&WH^DbQze@))r%|V{JPofl?CIkX ze*U58=0eCTP(ZkG)uj(6X;17etHFbxlojb~oaaM=!WPFF-El!Clxkq^%0(}3C;$LV zOP$HFxQA(k0yOEk%apu!+D$2M{Z8d4iSn!Z2Di$XU$FZbRm<%p z_}HO9o(M@&$Ng0n3m+vx0RbERVeJ+&z}N6@6Dt72B~uUfk6c})8fCeNHKQs;8&^X2 zB{RVLruBJ>uc+SK+tpi^02m%Dfpr8|NO;hi@WzPdMnijuQ#v?_#v`o>xxW7XKirx< zY45~U;lX*iIL6X@B-z7Y7O2Se(L(0X&L8W!;;8;VZ2Mm!1rxKKjM?xd?xWN<(n*{! zeOwfr8wj9Zrmxs+*tAN+gy}A(^&T&&3YHs4NVYA6a+$jg#cvfecmLmXP>JS#Kxi7= zBzmxETmFAAJm9SXJ`j8ddgVJZ-&A7b%uhFCS76IR~TCg;j13@N%}dIE9N&Yz}5e~oYb+AEP= z4$5HRDw%_<*LQ`jUc!Si8FjPdKdrUy{Pu<};vxarPIFaIEmk(n)ZFUdSWo}LoxHU< zd8Dtl=_Trs=7}RENiW#FHPWd{){^MTcRdt|#02=(q-zs`&rCqMu`P#g?4Z~U{OnL} ztHb*$aDd}2j`!Yj%5o9w*W-kE6@usIO6C$rW^jXfqMji_-23mcY+l#I z8C4*HJHsDakFPl6bYXwrr{`A}k8&+~$Iebhi{6@yKW()_$R| z$NvEdBJmf`@JIH#$7w&;{lXrU5XbkiryHv=A!aMt?D7l^RrirC=37;9Z0JrvVFrPG z_Nlufci7P@@5bm_nd$%;P!oG1Rz?3EjII-Ohm@b23HJ10RC-NiG0{X6VJ9 zXpueK5iZ?Qa>H-Czi61X%s4CfY<6EkToUNxeK&b;i}8L%@0r!bNOmwPj-Dd@U|b9z zL14PXR&dLoOKDedhW$ux{!D&hF?9v3DdnO9)BdwC3A@|LD)UWTrAoSn{tkM)IZbdV zs-)0#-H5XD39ls?-%!dk_*Ic z;U6U}E+U-Z(W+1uvY^%3?&wnWCwag@N*9uT%3E>A=C1`Vx;wuCU4z%r{*J`f(@EKT%*zG)0e|Bdsnmp3U~_sk&B>q(vSrw5Q5++2Ho zN8mquL=hzsRf3prK{xtKO(T}^6I zN$;`8XErXg^XDYHL^Fbp13bj0Nw7C;J{PAXbf%C3J3 z=~GQq%XKUPFWzsV>apu5ZnSy?`MS~Vb?O=&fx-QL&AVyAUZ$A5M${yN?^b+Kmfw|k zfk493!22w3+U}2TUs|SWmx;*rCE}kN%(srWjy++Bd}axKDPlpf==MGqR4f4aSq*Av zlu`wK5S4C9D7RC-JxSr!aHaoK#?k)!ODT>XDbz&0o9OF-qf~w3ThuZ6fR~TJ7zjhT zVDg<&49uAF&m6e?4AQ0SKzs`#o+@?rowsS?*RKQsFkWjbPn>9#EmYE(2ArEI>j>VC zSSob@0hC;7&KD1a43j6mkLroZnlt{JqUXG) zf-zR$7M)LvbjpK25R=~V`*7dHYvQ1{|7Ln=AeKqpx3wLvZVZ~HXDkamc0p1|2@Fu* zW((uGM7=_$EkuZYCOcc6j#0e)$>z4UPCojz5%a+L@FxjYXvYD@=W7#ST|$P*OJ(&> zo&;x=zdCwgm*+0ICYc^6XCUw^{Tae%M;S~j5lT%N2>yw$<2g$!3OMtU)!`Zsc1_e) 
zg<^Tqr4@92-PqbV+JfZd8{zDqX1N5EHWUMx3oB3$uR|r|tFHPA4V0l97i9VLz@EzW z7AGUoiD12pRxtY~&mjf>k)T8+e-1aawt)88>#X6RVJjAKl(qG!R zI4X?icbFF*-8hM5Q%W!@{4nw0_hgJU82cfl$n1iDw|&GZRT2~_rQckT`vcyaEoXM^ znAiSM(LT=g6+T*}}*y;rWPsL5F z69GTPyOrjeM!X}IDq?QL*XLgd%7x?k}B=g0p29Txl~lL2IQp=A2Le$?Q{vweoANwt-Hf zq-qwzq|nLKe@8*i?I4S45X?o=mJ0>4U|}ikd#!k_TWbPO`6RiN7N7D{MF^*k60iKDjw+wb|u8j0cB#;&>!@jzcuxRZcc zh@b1go-R1OoxoU=5kPn-dn;rwvTo@A!P;2n98nY0$lwTlY!%1YCo>WpzdUweSk9j0)Fdx-c34oqS+>qc+{X&?P4-{fG<`uIb=z-Q4 z9cCSBD_zAnH^R-|oxG3=Ir;qxh5i7(BY%Kbj_r&YH+v_XejhpSu$XNUsyj@G2Li4u zaN!U#=aV&TYLndXUvw!>%ocKs!`W_`woSo-T60FAUzRL-PP}A)mlE-7$V+;Pq-U## z_iG?`4T~oTRx4ipE|NRaJo2uTX6|>M@)E-+?66vDEg!*n?Lc&sjFB%GDXK&*|I=W8 zAHgoQVvJM*w7wPAy&07WC87oJJ)M=ok>Yr!wWQT5O)DLP)vV`FY(BY#&qArQc}`8iiXl25Zfa7wi^|_>F7v)Yz3^Y z!ws$)sfTOn=9Btm_>>47rEX+>Cg7)Y`;hRnm&s|Y(Jd?2M&^t+CP+BvASD~Zi!YVPFn4?Ag$cUmstmPUp~vo}ZFj+_(EZRF zT?>vs3{3pU$C#DmREz0SOOOe70n))yj%#6Q;T)whrH++hY&4|-F%&GtT3=9YddO(h zU1h;knbSaN=&hw2k(+%xC>eihk#&1%rCN-n@sj>O%HAPJ6s3vQZQHhO+qP}nwr$(C zZQHiHcYC*uyU#y(@g{e0YmkE)RaQhrMpUl+7Ku?=MQ|@!?&T-F`Zd^5XOovr3sp87dvpJJ?!pF+H<(k4b z%uHG7$t}Boi5bJM(na&kj9XU4KH7|5E3WqM1S(+X6aV%(NcgH&+3=L=4%`Hzkj4T} zTb~kRyrdaJpS16QO;*zzr1BA!&2AKqO20v~2gdhbF;g6(y!mbaCDf%;NjLI!n2?4C z(WK4akOMtJrfXP_KWeG6rbo{)uj2z7>^?|d54k80328RZ)d~^?Bv$fi@}3>v%MLm@ z&ntg&`9TWwMXEL7ALnYL#qPhAny^!x>b4<(b`eeHIg#U1HZ76H3Lh-)ZrtWksFh%XqdBxi0z zOge{_7Z$Pu3Y<^Y*0>puL*+LjV^(&Mx2glc?}}rj$wkEW`rJm_Y;t(bE&&*fKGWg& zCN-t6`G8S9C+ucJjqi7Ix0R*5>VLzvKdM(}(muAXfF`9EJ-A@{+Fjr*;X%=JL z6O1n8ezEW>7n4cyH`7|nMji8u<*o*l;G1No;i(nZ6OL41SXmMRrafHNPQj0!8;i_q z3k4OVu*sYcTivMR)LX3Bcw1F|*$`+A&#vc?;ff!MNNjS%yp?FRICrx*Yq@4DGw=w$ zvChjlUA(pZnJHOv<0kKhjq{mSS%VlS0g`6o znlaF=Ken@>*&3&LCH?cVaQCA01!d=D>|}v?O_v_8F0-5GORQRf#H8XJ<>!4jB2Mtt ze{G=t@<~H&>IZieYjxrj={Op$?YS=YG?C;6kQK7bo_QOx0X60DaW?+k=4R7mUM4*R zIiQ%$i&-R)&VJ?vY(pr^qZ#WDJPXexp-$e8@eq2!k7`|s?4rTX-AQr1nYJ%Prgzw% z?bPi?LT;N4+-Jw&_iB2sEA7NZNHs@jm7XZrW*9(rspyFv#a=V%?Xt@!!s=IR zpGPIIlf6`k`#5V~nB0~nsVSJ-b*VLjf4)Fft5%_o;#t!2L&D9&3Y-To>(J40b36MnU 
zx!4U%-j)&o@bBp2359OA`BQ|dV9SDZOMPvD3RQdidTXLrY#~!->9>4-Y?3p>t*g?* zgqxcYyYRx54SnA;AzwY!yf)JTq$>WjzYp&Am_XR!8j6bL{-jOumncnmd}2c-4SCA* z3U7glZ6SH${v4GR@+pC7isoU}@e?{|B*&fF(h;!kChZ9iV0Yx~LK#|(rX+f4ids(q z`Zcl=m8E!x5Y= z$RM0?4{toTkEats@n0kay*jtVd9(D%8qzG;g(7Ix=aOYWd zq1h17S)yzkFjO4GxK*k-E|#KL-FHA(Bc`DA{)00gW3N5(U^{J{bL8Vpv8gEyQ0{|K zDUjQ*_cR6zMJMMV`s#?kBlqoioM<1)AME!iQeK;1Bq$Ij7rG0RA+UUsC85e*CDlVL zq!lehGXx-c-7_wWB_Km|kv>SXqmf;<6|AvHRIWY^cd(X|zv>d+t&K`3570ItL>JH5 z3ab@LSUO}?A6!|pi7Lz(C}hd7Tr7mi2h)a3h+CpZhv$!TJi!rQgBhcm0*`wQY^$uf zt)HWMEA&+^Etc(MivP+h+PF$(f;B~(7Rq)Jk@D3^6WbC<8OYyJCZmw_H0E5VrQ+rV zeuEssAjsGh_8Yn(OKoX6>XEf&++*Mku6sm)>fPZ);p&i6%wQH95lYg`ZZ13a<8X{+ zQ*@-Ti+%@`wSyJ~iTc*dQa2$S`ii1={igt4aD@l*A24tu0b|R|%ai$`eFgDMaoY9N zW_9dEsut%urB8-EL*8KS2Qx-Hh4!;YN5(HpF+dSj+<8SzmT%9uNWRZovAGuy@Pf0= zDZZ^ws{CnNwd_{Q@`+4UPw&`kq){;hi|7MaZ-0Oi`h1C_K1K#=`I^n(L zLrAf^Ul8>SXljcigMS75ezXB=u+&VZ2@bdI5AfKhI;O);?_GoZyn>N8Or=Hi4MkD% znx>Lj@I$h%cqK2=^^52Qlva+IZ?T%|ZVcZSLyEjGbGlXE*S$*7F9%O0ds%N}VM=l- z%=kk>@Aj_(HlHYZVno75okXhlNaVMpp12NoQux@$BFy$X*m*ybtKch;u^ULmUfH+T?wL!P8g*ZZc|&)eFgL@HkZ-_S8%L$4 zMR}yy$O_H73WV?Zf^a`tA{f3R_8Sydv_r8d5q%WAU-Xfn*+mi}Lp5OkRSgWuOpPSN z0yDS#jpjn*cB|N@#$t=Kc2H@`*p8Z>>CD#$`bThW_do8ESjm&-shG8%2>l_^x5Do2 zi(kp}qvXqO&L7b7ymNFTSAWd}Ef-~(IRb`vXzVz&+yG>FcwZ;(yUOgDi191A_$9WvHuKyU#>!s1-Xy8 z8Tq-treg;;z0YKs}IAk55LeyRL`?f|#sC>gCY`C?-TCNp2v zW15vh&`GJ3G%SQ*{Bg-Xw_9jrOm=uW^S!GpXetE{53Xzj&$mRUa1NBoNr1Eo{Lt+P zIHs_1mJ%D3ap&BTFSjgUNiqpz#sbZ5rhZu~>1E6m6#|39uf@Z=z)(E*axK9G2I(Zo za$Mq9k|H*-4FN9zkkR9zA(e9R?dF7!(%NpU8$|vcn8>)zp6gluO``T_2 zSR&d>Pauhz)SX8;M>k+9H^GE!=b#!6C+Tm2vKU%O#t(=iEXgPf1#zNo*dFc!1!h$= z0xhBU>}r;L@!&Sj^wz1nkGPGFb|wB0Ql^W0Iqr8v>)#Yw?q!~3>WeebGy$)yjlY4s z{)aCvWmKc=EQLHqH7go2?eA@jDwu0E#*lXxPw!*irR}@i<_`?Yib=E1xQfCVZX7n+ zNCvTzvAw@990SxfEA=@ISexpyv-tcB(HeejbhL+%&SdESu5Op9aiN>JC`lQ*tfr+j zrOi3*(n6vCW-CD(=mBCnFZR$m!-9rzJ}meONHaz_V%jsaA7u8U?%SMUKlJ1#x{ zk=s!uGbUIWmNnf8-=n{P1u|~(7P2X>lt3J^#_mnVN2+l89ds@c;wqS0f|sjLk|4)1 
zp#>L*t#U&UTU01sV$m&k%ga0B8y&ZP$p}$uf3{rDc~`FG&w|yLh+~z~Wka!?dJd?p z_54bM`JN+GiRf1lt(yHByJGid{TkDY1TQyQ-&~nj5s!qf*&c);qQ1E;e!oe&zQK-r5pXeYEvMI z=UB3efz=3TT7oy7;M)tl5|QOniOz86^RzYrM;5&=sS2#Vbth|PTv z+v_+fIdkeiJOm29PYbNJ3J z$8AZFt&eRmd}6Pjw6R&9K>;GawQZ(C8An^9b%Lr9<;;~zdcY;S1}=Y1ScD_j%5d@S ze8-bGEF={6w)Dg(c%q0@odw3%poJ6|>q1cCN}s z9l(Pj5I9RDX9Zrya_%9Eo}z)(q=0;|tcUx^Jn+7^olr%S&i^uV%e0*P>{!Et;^OLQ zxva!d1-Dln3h^J1Sz~>v$ZO^ZQG~;aw1ZR8|L|!|pKX`=CuU*acY$W%^`pjzPxG|s zU%wUmgKX=+-7QyQo^bvVjo{8!i{6?;560|}UeQd85)m+RGfTS|7u0`hgw~e)k-YJ0 zW*gHUSg04YKKjxt_c9HSow|kdM<5!dWJNAB{2m1A#wl+G@u30~| zB1~T-8_6KH-AG%Z3BDO1#QWH&w{5u}PU{rTwNET>a01@(^oN4$A-N;E9x z(Y`dH_pj%CZa(8iItSh13k7%d91*vL#lY+!6dQCh(pKmM0E~|+>&acQ0QHzf+BpI2 zJk&%aAUCwhglf(nTvNZ??FftvbG;SibE6xB>@`?{{!>F-TCfdC^cZ0^x7m4;NuV?6 zld`<_D7u1m{iV9^7Qi2H+gNxKLq zJ=}?p%#(IVeWzL(!r$$GMj>amWbByE7UP132@O*b+Fam}fa^{N`&PiChznOmPc+e=X1L65jT|T;8oG z?9bnHcPWZG$Og_@DM*w|f4`=S zz_3YG>!lic=;c9W3AGTE4Zwel5D;wg*NO1NLqM#w^WOl-yX({IS#F+HwuX=Lq#7PS zRQ|dnmAU7f)~l5U`1>+DC?CK)fJcVRMRt- zZBV#uXR9A#K}9{#A(;K@Z4b6V-5vqTXf&{K#Q@E zmshsy~+yk_ajda-CO6B*0#458gNf5|@T4@B%)V^!|wR{eTz# z(xDhIc>4>fHy;$u%SGs)U{_}O?0?wR5hSlnh!a028QjrHd-&v36+-pSN9-<@Cd^FS z&L)ixdA$rRN||1K|M!_8n6Nvk({z1a@+MHa>WDtPPk>XkRk;oI&(>;;!`RKO^Nh z{K!FTLvcxs7?EFcRhT;6{5ET*v%ZglT^DW?6WT9_V_p-|nq=a-sVU>&)HCi#0rOo8hZkl2>N&f~;t5z) z0{xc|$dFh%9Wudn)9Aa1Z|Y~9+yNY($mkPF;)P5%P9P;Mv6>@d|Djv%14#id;BOr! 
z|7gd`6y^a)GnX%0PsKQZZJlH5Te&(u3lQC4eZ1gjA=2u@30c7esXO=O)!vhhzT!ZT zz_^G>c1qYK*r@$X9LYDLF$3i9N0rD31}ed{)JycSV=Nd|OP*#6oZW@2h39z?x}2>- z;O2U7j2lRl6IbxuJ+57i!-PrpA_UH%S~AXf*+B1YOOmhOg_8;c32>Zq@kf8_3F{aI zax+2cm$PGElgo(!(P9ia_rXY~E^;5i9W*UT-iQSerU}<$?{c)a@eRiNbdy=GNUJAd zI>);;1$(#^I-2F6EX|9QjQh~P5x<^NqVPY4a)1o-Xwd#d)4GDB9%h#%D>EFGtao;3 zd}YoIjqd~!)XOivfpv~Ea(~;V<}BgL@+djr>Hu_{$}^nlw`90qOon?|s29`VF~KyN zn$PD(mFv3|U7=DTm1F!N)709O!RgNHPI5VNd0&^|LG2(;&*I$`C}D)PouY$t)djf@ zO|+Xf<1KoK?e9)o##t%ZtgL(o$aO9K!8t8yJXOd=wR9MXQ@XRT@}X3hTr1e8U2Ikf zOg+rM14GJnQjggK)TJqWnH(WXw}3poT)P%jjz|*tZsl}#W+>I;)>2w_XQ)v57 z14b-~5F}o+PBm*ap3*c&bJQo=dClNinjY(s2a`f}d#RRw$yD_q@KetQ&FaTcs*r-d zn7enP^mxm>n{PCR&hMZH<*HE}pOai~e|7}=?;j~Shoh23BuuPN*r@isZvjM%FNHoI zoL4M3HRjFXjAD@#UU+T`8I03Z!3D%dI?h$%HPp)Nv-!_JR0SXGab_=++R6qXz$6Q2 zO=}1fJ9i}U&Vw(ETrdod7t0*_lCD;7zmr2pYor=6m>2Wj+1@At18L<#)+)t7aY)|W z6pHe1IQt?gzxb$kBFZI@a8b6doHhn%- zAi2P*8uLk;Cr{X#vwG}R1&XMs_h3?vv0o@;6l~;$y+4pOG+$`TP+Mpju?a zSoh3)ivEY6S^i@`c6L-*^u^Xz)O56i*-yesWF*tkWdehJDAIX#8yTTga-5!6dMz^- z@|PF0b6i0h>VXXP@ep=siS6#l`g{ql>hrys6*;=YqQSLnO2$=9;juqP#9O}6s}7oa zg_wus$D*weFkt|JKYvo)OYn&R{zw=>;Nh8^^KZmrfAh5i`3D5#QQ^O;gzHYR2lpEl|wHGmnMMj11NWgYrAN1y1G#BqE4GPxdrLRyI zBP>*%l(663q?B=$7;FBau|Mrj!Q%0HzJYgSs@N?f5TR&P9bq+(2MF;OwBE!9+O1u4 z@m`WX3%Zr!4K#qD0ctBrLOIGyR&^oJX%NBRp57m{569b6j?1(8?*@00-9{7b#omZcC_{74 z$4We5+FPDL*c}O%uAF8iCJyIg z@kg&jnQE>}O6UM0ih0jKCDOZ^R7S@51{~K3Lqp0d>qfWs{g|^1xO(u_uP+nwh8P?i znpEYp{sfAdu*FXKkb3F)6sg~kFA#R3bFzq;57={~(>q zYGHg{5<#(xHh^1s0U^imQdZpz8w0iC#S}XGXv^L4br7WSClKW4pN|_1YnHcyV6k4F zwWCk8>DIDH&G7e`Y(eXD6x)k^HEmAE^t-*phK$jk$j~qp$S*&?Te^E72yX#K7A&&>z_R!Z5o_3D88H&#KSzomo^xxjC$3o$>e_QPtg<7u!F z@acy$Y|nRwwc2v;TLIUPOSIL6-%F)XVzpnjxBySAu5f4P<02Y^`luA&0E`QL4@SlTEWck$mW} zin$okpW74^lvRR8#m0|`oc%Ib^+KP>t}t!Kz_l-p4-gW#>YZ`RMG*B%q;B$>-UZ8S zZp3DTz=g#fdL3gUqnWwVq4s?=9W`OiL*1H4T(EUbZ{Am?3M}Z4=K>*hfV3rU;eeLY z2We4}SdF%@25nQ<)Ofk*zaF7{#?I}VUlu!-}NEn>Ne zjDArVtwkatvX&$pN$v6-me}+!+afjecNntu;}!!>=zVpX)k>nIE&BV9ZH4YitAe(*4 
zEdUbj{|sjzy%TVPV@G#`ctl9DtC;K_ZLL^5iyiW1extPo(62~LNbd^(hzoChPTKC( z*@GhyRxvU2a*qPbYD}%lVl|4VI|aV;c-4AFgVR_Xw5*wCP74^&;6v9Qec$Nk>Ru18 zs^5g}%VoG~PTDc}(%q|Z9-)bL`0&5VH=ab?C0Oz4F}FE}j_FUa>|Y7Kcf)v8Zj~-o z(jbD6Wo~C=j53PXg6AsM1$Y2}0Sf?q{p}a?nU;L#gzp0LeL;s;8PrsVGQ#|L!k$U` zpZ@m05T>8S^I8L`-_Y*-?%6qn)$y$CyqsXogz*pbA>DEVAap5fKgfEuw{})(vE%sh zR=8WAEQf20<}2$0=rBZdXxi;iD_7!%Tywt4T-Bjk?FIyGj^|y58~+C(sp+*yo%jPu z zP-CM%l%uveNolR;?b)k=_mFr^aYbJ5t zDfwTgvXHr&dJx2S?bR{n;IfEel5@mL67N&~fd3K!d;tJeU%L$nhGV&WpukGHtP22% zW^i^tg-X6c-GDb$2_b|KLim3Q0p69o-bY{yMTYnn{^wk;A;)Vp;jz{1zKe$)k_B(^ zc8b7HQb-sBs^e|Gcl+?3-D;$0st_P^MKbxd*e;7WSNWM;3Nn*4O1sQS48{9# z{&x8oBpy1;Gty45NXC6Ht0d190kPDTF~P>TVX_sl{X@=5l0Rfrf{$AvDMrWdh?=Ra zSr~|m2RBe>G7GsQ#+|%cczn4y%;_HDqEOY{iy{oFTI2Y;+O4*$Q(?wfj9ei4Z}(Af_k#9O-u`nF0%oyKF?&e4`hc3}a{a7JaxGV?HkRHv6$Kis&a_=M{7uXQ8=iLhC z=-+Vu_PXwd=oT-cZPK;|fxnMPe}R?`b0?s$7uDv5;qLu73ld7rLz_K<06#!n3opn> z7BchEB^`bs3!>G>0SsQN=chjT4^m~slz~u)fUI36zSUwE$|JrE%d=W@D|-lwT7=o{ zxTKaq#rPow#PticDL*Vj{$|fhx91X>c+R1Er!ofE8XowsD}YaOR?vKZ{%M-pQJJQl zj_T(!5yYP@8;wmU?3qRmHEQp4;;Re@(eZ!CUx{_Tvq&Z(&^<+a8#1HnUZ6;9A$Zjj zXP_o9PNtZ-t^iO@4ae^HYW}dlrEx-TqKPN8a0x2_kk`|$`iti9A;>z13wZ~=xiMDb z5b^CaCTyFC42ADixCa8BPQg^8dE>Rr#N7iS6x`fi`2x%li9zeb%9H2cvoYpGgMlbb z)o}atx9QpAj2cS0yJP^ktedL2G)I}9gQP^^I;Km?0}yVb*{1WycDx=)`h0(TGv)ZONjYH;3<%o&;50mkHF|t!U>vJM*Q| zMb*Sw2jPz3-WIS{t3TRNo?7yvJKX?`SIuPJ^7sDrJByOyq^-=!I@pNXpOi1A8r-iq zu#HiXyb_r)Wz$ZY6jO@1b=tboD&RXPFCo%e(DA<*CVw2ibZWZJ0#`G}YsUM!+>3C_ zH()kc^u2%mll{0BW@>erBhQYtsL|(|pZXcM#x|AVi5!?44Zhw80@K#OLQrT>*DPTn z0lj{~b!pcoE*{-#e?R}}$M>MxxzWJfOQOl`9<)A+kdG#bq5AXacOO(k?DP%|XdVDZ z0&e&`BGOd!CyA@%pZzZuynPtamaGt*VCnD)yyMx(p{5Ll7q1w{h4JgjDsz^ACQhog}+2dK{<2BgzJsxua_`tV>D{eYDopXx>A z$JzSyY+p+7$1l$r0e8BsMvgN|uoKD;c~MrnFyq&(b{OT>o1EIg*{;qa97UQCoe`lC$y z0h5OnJk~NUH@Edo`m5tjFh{s_7F9+LZ8fTx8mBJ8a2?c5ms1IH<{3~tjxfKdzSYEk z&*&wyRpyW9ayJu4pNt5EGJ$UdTz&M$WinxNu}%J_g$6r0}e> zPnIOIP=?`xgg%UktQ8|XkFvhorl7fR8_W!C&G@FU4|I&6R!N2xx|6S&d;4Aa<@j5= zuu4C!Tyc}liufs*%vpwbE6wbr3K-=`U|g)4 
zptVe8BwxNvt1$rEHrpq9v#e!3L-wD+*cTey*$Or))}5P)H;iOr1=C{ENjT!}$#*^) zd)?e67qs)(Qt=cW0bAvO3hAC|+xU1R5|PoxdyjP1@bI0Nxp4@}wT|p+ku~(?yEI!s z=k~UgWwk6ovGC-I4W?$e2g25+Yh}Xz3bI9Y4DwfG_F`mMOw}9VeH&a*B3mJe!;yV4 zSQ{m$mfb#{_7lBxE!bRn9{W}yLoXEvCIKJggjYC!&Emt$(j{;IMNj({mtz@QD`&Z9 zK1rjXU9v${)3N#S|MabFz7jqU+PUprKeAvx=KiWbLuP&`T@%DZ^<>_jE<(d-8$1Rl zzk~>40-e)XeBvIcai=$1Q6K~KUvKvy0$N-Xcogx}s#r00$bgSAuIx_gQC?V*%yruK zTMIJ+J4m{&wIZlahfLnOnP(e8)Jc2Llji^|%vv$Qo4{~Twc_C7?9i4t{zsMy6MB6L z`w6h$7rNv&;Bd;P0yksrKjuNhzE?7F{0*Cr`5Igl+^hMcW{2SKbZ}o@GAZ(oZocOI zxB}&UoUw~esA&txFf2NC2;!$GOnqQ@DuQ7c)?Cx|F+ml0A{-VBW$xM+0N6s4 z*NqCXb7C^;zYGRi#ON&Gc@yG^h@9l_PxnJ_vzce%um5pu(gQOBMU3x8B+E1)+u}hp zVwIV2b0WwaIRK3v^l{55cAm0^j)pP7XN@8WXE`-C0aG15OXK~jFE4-MU(&U-Vtx3H zJLtY-o!s6o(Z`AZK!DU6txlnUe&HA%#M`yp;CPjpA2nY1xX$^ou!9NRw;pb3>rmM8k= z|9FQ{CDo05KYSxG_D1h&&1ZMbsarK!AnkhqZLzD1?|o)%`OZM#M5qtKgH*v6(t80u z6WT2MuXT_sB}y!U+F+`%tKNSPL)e)aXQvs?y%BrVLzAvtN1T4EvB&$GBDk7|G5ZGs z3T-}LOq)9xu5QXx^INZx^fWRZ;d9n__w$;Mg$iq{iD1=ZU#A1&bILB{`fkSZKHU*0 zEv;7r9~lfLFl^$<>E8OoGGD0lLVl_ch8W`Z=rXrCZJCCD2%lX-5IJTDioz$^fww@N zy%H3oT94n(lQ3dgg$(WHXE!mP39`!Ul#~tLi9!4P5f!11Uf69d^*s>9==2 zZRQz+58r36dEplC=a*PFE;Emqhh2AI&@7L1Md5Z;YEIx@R;NXX5183owl`~Q`7#+h zavWfSxSAI^L2vjh?07WG+$%^ zY9(~klmp&O(C$+SX@L6e>uga>`C;}-C!g3bc31)HHgIKWg7Em+EoY~^X1T)lScM|g z&ucseZEp4ukm?@ixt%gAV}-Zb`7%%>Qe*c?fDZgU5t zXbHfEL4!kdTK_T&+=i3Ga6QZzxX300J}aPzU`?G55@~vWX?H-+sbVT4am_%_H9LB^ zBYNMiJz`O5rQeG3mQYv#YaAz9iy*AdpTkFCf8v*@#ns{>PS1KhK`^ zb7=;j%8op$?aD+=aZ)dt%*1?UG-n~YIoA>~nUVgYIkT59tBU5of{hlLHfE8CSS=s% zto~VvnK4*Zmt7Q63L3+!@q>4Kh)Vlzkv;q4LI1o*H&L1}WF&>8TF{Jl=I8RPgh7-g zLyK@>>24HDy1FL{V3o})wSWDD1a(O9Gh-7xFx+xjkusUUoKT%!bKh-Le!R1JD;@&mF)b9bZ zM)=>gkL#cpw=#VMs{@>xWp}P%f5p3J>``5SlM}@DEJ+7BX#ZgeE#!9Nh!Jou8(>8@ z$8h z@nk~&h?=n775*0UOcs3hJuUyy@bPFTP(ymJvE}*o@nTOHxb^AkgR9u1y@r+_>f8h> zWq%$>-sJs@p}M<_KJ*A_NyiWhB1Ej;Il49(pUr}SQ%}v=1s#U<4wrG0jkCmh4{j6j z1}AIkP7O1oGEd@dYRL9o&$)@@e@)Z;_l{8M>v)_q_Vw}*rPl8i1?0J%Lm&VKI3qjp 
zn;rTie^)FAVD-dbV)-fGNeBR_s7(oBH)n%NHqUK$FopPnVDLxv*KUKUoRJ<(8e8d@WB64u7@e6P{m%%o|_|A-U0w(xO!Snv@R_yWq5VrKYx z8I$z$V}#CXSO;z*mQGKPU#XGka_l}qQdu+Kky4rQ-z*{>vCm9OEQpF;3EHfzYAGEv z_bhkWH;iUr=@R&jYRA7Twvt`o91De&1AeoNIQ=xIc5j$gFkcJJiJkp71Jy`<_kCPL zW0u|QTz-eh8SMb_Y-!#nM0uI_Tivor&>P8M)VDs?i3bQl)(C#Lz@hJw%}8C8WhN0i z;Pi*7_4gd~BA?RbUF1DzromLZjuqHNNS+*FnX{;b37E%CJ6(()BUwd90-neSNXEb@ zcvbf=Pe|g{QBhyy-Y71}x2dMY7HchHi(A3qYex9}P$rolkTNvX8EStI{ME<0Se16v zgKz$aO#4hdTbAYNUgQY8-u|D;{T{IcRRfP(_VpqQ0ZJ-)nZ@+OcW?H>D;JDHrkJK2 zq&m|ViWd_EM=v~CfiYYl8f=XA68dD6DjvHzWY=O&A?-)3v^tvC*Ie_dR?}dyl1Bq= z5<>bvwqvoEfTnBbeQc5Pk?T5kA9k5g6tb9${O+o{;2}i?DRu+HuR!N! zb=r-idU&vSrjUICqws_FL|m&o7}6f$|J0HiYFr}z0~TBDzXcHlLc^Mo9qJ<1XbI0m z$1!Fl3zJmVr$nL!Pz$eClN=}fF4+czdN!P?;k|N>=YRJx%{24%pi&(^7qvFsh(u;d z2PN2QDy*uRm{7Zk2vqy`F&>=_(V;Am^6)_XALFanU?2BNg9jBpTLqZz@TZUk43EUZ z(VV^5t2v$}v;bTY7%~Ztg+Q`OmIW4F=ITC^_IhZDVCRj?Sh}`lmw%SGWan41?ODL? z@pP}+GPdXqNu1`mi>-7k5t;=>{P!_bM~f*dbuY$C+;_e2&ol$EeGA7AvXg|c<=?m> z>gPG#Z6uA>7CIiLn9A}Dcf2bt!>wqspL&MoKI9xGa7Rt_=iT59;KM>jDn%t=7#A7E zcWtD!^_-R)4BRuIl%GQZkO?B=QA{P>+y!F@)V1SE8gTHG(_uOs=s9VqdrY8wC~MPD zJ{=h$BCh~)P9h?2{SlzPGNYD-U_O72xhP#Qi)fb#3B@3pkP15I*?(pI?l9YurFT4WP7Hn z*_$noG^&RBQ-rMHw$sq4Y;N#uLb^hz`Oc$|Z#19=GfHhgR=t+!)5Rv*OJ>y2_z zpT130{gxP?e0yVaQ#_Pn>^b@LZc;B)+3eUoNVZU|-F1EmT?bzHUM%GVU_4b?1WScl zN#930y9TgyL%qVXJxrd|5H55B9{g6T<}EbPZgAKE!6!C>g(UHy7T&mq8!Smn#I#zs zaeQ%b{N7v|zVK%@_!edaC&Bnsyw)jwq=L# z=SX3zC%*5H3x7|TJ~DJlB!#mg<~mGbseA+MJ#oe!;k?7cY@dU5OpjZie1^fn zC=3M6JC**=8~lIrcwrl}?~*p878K^crxCe`xW z&3xa!O;*5P%Xr(o;0*2!P{BNDaH$F}Uax4;C&DZ!Q))tyQXB51%{)c7X7#yG!THqd zpo6U8oVZoCkIg7)dC@&j`jKUDQ%Nx;%U^RHB;omQ?2TCyT)c#c!x9q{Yim8Q6Wb=l z@SRgEJD~y%&Wl1f`7)BdAI~rrfD$}0q(;paa4sRW`BFfyr%Cmi^;8-c6mdlS?LcmizIR0L-#MrG@F z-|sLf&39Zm-=P8pFVeZcA_X0+Ii&M?(klR97_o%D>zJ(c7F3Db>*xnN+mzPyaaxqw zBfshoCyiv)9L4H(d+XADOV_0UHk+HQSF}&mQHx~>XMMa~cophb_&m2r6B3~QhR$tQCyuX&m=4skjTYFF06owsb=nqf2Hr(L6M4TCJ~_T; z*MvEdxpAyyDCcLF)r);_Our${(e$%=p&IO&a)u1uDvMKJ)eyuyGHvsTuwCq;No!cRk~I 
z>SD>J^kd#p1Mn?b)~iYi7`T^Z_BqiCpK$J~DoS+q$(C<+&||<8Jn@Hat|;1IewMEa zj~-9bOuwtY8cBKseW%Er;;=}`yeEyOgQRGqPY4}sT1zMI*OaJW>NQ1*a&Zy+lb*TL zVXM2abyao39m#Ug2R>ot>-4~V5%%22Nr`SNQ&REiKc`FY^ScPT<|NBnk=yRf^4*FA zdX%GcjyW>CHkWvF2iJA%6uT)B5mRvNbfS53vzf4{V$V9pdeT!XC@HfpN$V|YTQX19 z2`AwMg?iunmr+J?nTTVJ46<|0U>$$t|Mb~XJA};}+7EM;`8WQq!HW{)w-<&E)pI<1 zvF=u*tQhq4!(acFg*eKwQK4&eKw{E3>gUh37wf*2Di}LrHiB`-NTD*g?@Z8RW4&v5 zuvYhM%Boq&;ymLp*m9tAbIO_2?$HZ_^J{F{W81A6xn{L93Np+y`&E1`9yvj66F8$D zV0k!T6Pb3;q4pP063ZnRsjtmHJs`eLgqjCvZWU8};c`(0#5?Gn@5gqILRy7<2~!Qv zJs>Zcmw8~&jTD07bJZY9m`iGAD$7v&b5yZGsi(L_eSNWBt`;?02+L{B8_|>n^9jFO z?p{drS>}=zfy8^&`}mmrlz^tO7o*MWg6#GaMm{Ob_f{LXlorvY#>!zD+?|bz%s@`C z5+Jt%3Z0Ij1{?sMdo&m z-+1WtZo4KuK7ide3eI>L3bw~N{T$a~4`>kBwmH{*??E)u3>3lKK@aCu;$Tj9xbGu$ zeZD9cKd0bMTjvl*2D21y2F>rl%s0ta73ff*~y%R6&Hlp-qx$Jee9S zuQ=BZO82pEy5K`Eu%5F4su(?9+Ki!Xhj?*=vd#;R}5yevaT5@sH`Wl)rOPdk~5Mp#0Y#TRubF z2e+O(wS^!0{&uI28Z>WOP%gau-1uGVA4eqal4b>NQhac)#rVISTRocDKbdGP*8Qxs4zUnf3C#(~v$L z^_rrhXg{{oXCiaC6s1>mwnYB_JQ|=6p#R$RW&&AzKhR(mK|}=FJl=+Tip#S9@qI1< zSP+G00*>D~$B+{9$#XP;Lj%YKldOXkkxwNa3XY#1+JuTXUgo51_RJ3epez9Rg`|>D zJ99~3OlbOZ%WVkVmugqUNP@_~NBEi`pa?_QK{{l5JW70I=~O$w@K_38RrNczsDb;0yymy6F*vQhMI?Rvs~Nf#Z`e6 zb&}3f;LqIf-I0=I|+ z$?t^=cWR2WAYWH}<`i^rm-~SDbBmp_9ThnyBJ3F)zrB`ozDDwu@}(L1E#HgmZE@7 zV$H`-=P!Fs%Er~*6W zZUhplpvqd}qSn$jsUJ;jIIPgGsz9xkad0-&@30ph#fk|^vIoFFV+J+9wE8_b>SjIc z9nRwkgu4#(X8^s`#}W*Df9kxLal(6xyDfwsB~kcxHLTncVj6uJ^Bt*FJIIJHJhIOl zm*uE~C;RL2d+%}HN(BP{cR*y=!9b8?=3frz9FFej=eE|XH~!LQ#9Yz&aWO4>iclu5 zA;#v0x`&Qe!UP}-%usq2De>cuWbG6C+hkxV1YC_d8R~%dk?M&(nU4C>*nUag4XfRw z$`FJOTK@*GpB9Uv5WMRf1R-)07?vA@rc+h$A(;KV&SM;wGo8mgs_BsG&!(<2@?go# z@X^x^8+4cG+y@VJ^g}v(>lx0S%qAyZsgfBA02o#vB2{iVoBs=JRi*ETEaTa{zC1+l3KCnfJl&KHalFszhAE?L%DWuVJx!e|A(`82o|mhx^$0i zzsI(1+qP}nwr$(CZQHi((_jA`_s)9KvmG_qm4k}PiWRxmQ>0ta`@yO}75kVNE)V4^ zXzEiGBF^d?Vgg9y;u)nVORa!UsAPY|%q|1Hx2EF!lc#D7%M=^>1%of{n=gL%hfla# z;3C2BU7a)BMVZBgT2dscfK^|`*!Sp$Jz<) 
zqb{>)BtWD7!fBY1nhHgklaw`+Z9U(FQLQHtato1LTo8_SD``y~o3iYpO8j-r$JEbqF(rEoF8@q0BB92%$gN(cA}&BBD1cB2R7dj8D_Zi46a z(=?QfC&xqf4WDQ_%x~9(5ShrM!BTYFc;9a6daJGiQA=Ql(Ui?*Ux>LeR{FNj6A%Yi z`XG^O1Ol+cm*x=0WUg2wN=UK!0`StU?L|1Q*Ct|)l>$>_a>=P!H;ScYYN41p7c=0u zHj)K3sGO7i+<`ZLT3S;?51!hEasFJ1@k2X*b24ZM5&mu=)nO~+hTn}nd;NOsg=8Lc zv)|b$*B9TsEsG!SJ1L6ZA$4IV0vzOxG_)6CFemL|aUpNLh;|mQm5ymrN81JW(zm$mzJVb|B{ z$V$es!Y}S)gZ$5ANFoKk2fgi~MrJdTL7sg*Ynq^09TVM6_*@%?P0{w~R{Hx%I$Pi? zOSCoM%qj?qJ`!eqI*lr?Y*}k@8dB5(aghm;C-+4u$!XK=nv#CxMO&-)@jS*CBDhFa zgw%k%c^F%0@iJ_7LFRDL9pTP9AK5_yNLj3mw{~du8MR%Jh*pOlOXgls5oxnQ&{dI0>N&}*g9(taxH45{@jRO*hz!&Y@--^U(&~? z--6wIya~G~O{=4@h^48D?b$!CbMO0oFT?=09NE-yW6bGJ6~Y~pphNS!HJ2)SoDOC4 z>M*m@i6uIG>_3fUvIt~Z9zgFf*ue%zIIQp{I?*v1!e#!=I(|HHa)pG#b0E`|^=e~y z@sn#>W2bVa&j!=t!qKU!lO&KYyv`fNDb-&?c+x<%KP}CIA48*T6Q!erHqu^E@l9mHZ4v_!J%gPy}^tp0Pd*Xgv1VsCy6${vBG1U5GpTAJXR1U_lhlm!L$PK@|XQ$S_hK(xrLuq-~C_rs#*q^a0m>|Aw5}lUHxe_ftY#)dJ5|W zs$y6v%t<7bwc;yN-DxUjpT9D?Gx{5)tF4A+AMB!s$i3BNdx5e36M|;jRMzAjxl-}hEDNysbjs27A+$}PYjvB1_}!Zc3Qp+-BBX6z748Bx7BV~rFC z)kv|j{t(IU>5zfh%8{u?3q;;S<6aH&iTyJ zq-thldVC1KL_I;2%1LI9O(HUZJ+8h4HydmI8Tg0ek7Xw5*Tn2lf6sK**>E{f;iW^M ztsc;AFH3@tRCWKB63MsVWDF@-9c@90BO*!Qy}6^|4ESGa<-nVm8=8YUo)}@3(NDS6 zgpb%08$Xp%=YeIp??8O`F=@Y6TH&M;_sw6zym*xZWanZ^VC&YySm&5|06W}5w;F3@ z;GslW6^g)KIPO>)+y{=yT!WjxNsV2+KBSGrGr)OdgdigTYYCzTy)y3`G^W_vW;|m_ znCgF)LG{Na4RQ(_{b@tRwXXl5jx01Icg$d^k>e>MWlQ#s;@Q(p|0SfDhd1^lq$F9r zH51w*XV-EErzw8t?}k}2!gECSZSbDYbdoFi!PK%e8rXne?gtBsN$ zjMO}`n(1}z62|ztoALYZuo4Z!dh2LF!z-BH+b-)#)MjAHP~uMGgZ_oJ+yj7055eT- zIq7B3wKtAEfB^K2M&so#{enOIu^3RZe|oJ)v7kHnD~!;AJKI)nJZR=sUDGTMS@Y=D zHn1PJw7=gBOg26K=(GKhN33^&^nkB~?1>f%0qc@O5*<8jczq}5o6@>|U4M|N=?~pM z4~FZ4>Xw?x=}k$)4R0>j{Mqr-&B|RnV|d}!AF5%v@G+OWH=+mzF`i0)YaM- zErER(N$^teq;;@>YkW^s$wXPoEy}YT`CDQqtv(@Q0T2(n3joRC!WB2G2OM5h@9DJG zP4>V`g`3TZZ8xn*9BHHkN1!Qk^S4f(y|JKA=2(ycf^z99{Bsmu5&jS3dPX*GT|3*J z+fn8Ud#5`g-X%SEMKI|f{U-wAC+O(Z$2>t@sD}37W9A$POpWXsT}QQR7eP}h zPFV!EX3&}XqlGl3d}a2W#%ZiAgMf?NvY_NdE!&5`?Y)Q%A%-l|Oy_k6+?3W!%Vt^I 
zSUA!|wHDg6fD>-gmlpsP*6jvL0jbAr)3m*x3pg%)TtYf1PIFqAs3?4F0W<7qI9wHY zBE)&~EG&7Xi*BH=$8|6~7nDn&Wj~Z|?`x>%Ez+3wLT5KqR?bb;_6AP#VWu#T_u<9= zArgSE&x~A|s_SkPE2Oh$=;0X?#0iYQ?P>OMc816&K?DBqDL)1tTpYPB;lDVOcC`hsDf~k>tZ(SPpO&XqIa4)`E0Oc; zV*N=J>(bh$_Cqm2aPxG2tr<)dW?uY)%4LyX;GqUoBn?`v3Kz3F^3k@Xzl$(3jzvQb z=^<(rH&9YDcOG<%=~UVM12kAS-p|hv&EGn)GUl|3d*pUq;KV4Aqea(4%e_N?T=K*P zVQNDUO493#3RVeG0!`IM=9WDHgbjpycl$5uvTyL~&>Fc|=VNR0wt+SE?hbiT^oaWDDR;u`cehm{lz zoNJ8-5q_UQ=Dxm4fzg#iSJ4KzYbU!3=7=eOu|B(u=~5b!TokbVH2fjD>X*Fiw#G1J zwy%p8>?1Y+j3l^-1U$l2YL>3JE3d+q5NMT1Dx|0!dbP11DR^MG##oNA+7z-)NA7e< zzQS8&zK|~7H}q7aNZu#lDA37T?%s$mT;ec5Q1d$)#0~RAO7$AdBfie42ON!jU_A+b zRneV7i%PwL&uD@cwZJ9O0Cfu)_fO6wj(HE>M!I7|wo%fz?ez6+)b$sJUo=iPOo%{e z?gWiLGVZ{^uzcC>-_6(#)@3r3Jzgj$2FTCSqO?02B`SBEZ7@S?CAgRvXx_TyG0Cp% zbF8;22LP<*hL_~mVQsxhH;hDPAg)*0ln35N^p5s_WI0O#6zII+t!ZeG`iD|7z2w{% zP72ilBY}SWU`XSnNjf5*>*PDW$B)oShD!tO-@Jm?TEw7gT*>RWSpJREm`tQxV1^Y3 ziIr!ynUY|jL=(XdI{-a@yiEj;(+1OTu{=9QH~aQkKlc#H742}N?qpD)fu|>~IYhY= zg+aU=>4`HFk=UHf+N_4Yl73#c%0@6--gjnrud?&~N2bS`T1 z%?u9hYl~J=d*5@|2>t0Ipvzt*R14gn7jO_}@0C?n0ps(M#GJNRtGP zl9r`ql2jL+QSc(o1xFhG^JKT9lAbmt1dxzmY@WJw-M?kS)56(accu&D z?%K5Qiw{Mq5tdb)bOLXxA&1OtD3eksKJy1V{VJf>LbCsc({nguGJ@}`;7Clt>FkR8P~m4PUtynvZERQ1x^(K<@YoP7XZ7B_Z0D$Hj>0TPq^L00u7& zXfKxB^DSNP4pspk(UKkngqVr{-Okx4l)HYX89F;r^g#^M%!gX~28lheXYIxC)}~{E ze~}UO;HmLb5JBUBPV#2^hm_Q;C8#bJJnfGh0V6`S;^ze!k=0qUlyEPIbDjh!$a^CY z+WonZ31=gVX8X5^H^Z!i@iPr& zHRG$z%*#vzwpAScnvwWMC#55>Lgi1n#u`(PD6wO*b5P=wjpAOATQ(n^{TT@_(0ES8 z+D@4-lI5=v#|w5$3<2B9v2W<1R{2kG{STA9%TBKqPF3I9a{PFU#t+Gwp=r@CiqE4e69b@ktj1%PiO z5*0+5hj~bR(!$v2aLZ9#`zai{Akf9Ao_=7B?v6^2hH%Q>BgXqY_8{mj`4E}HXee@7KNlhfFkplIhtL7vd<;_7KBT3$Bf-C<_CP+oy)S$ZNBi|n?MV1aS6WBbZXVB7tf zKZpk;-D9egD(Qz!{oXY2yxUmfOy}6=4HLOZc40kA25YU}&zSQdj-;o!s}6pu?{rZPDMy0vhl5dZ+x`u~WFT!#E?s!XdTPe^1d+pQ=1-*7tmLNgyLR49qs z+c1!%yn)_RXYTqokw|z!c=EP{lb*|`w>+_~rv0;s*G|E1RNxoBAIi#b=m!4Zvt#UH zj`hB2cPS$L2d>b3kq1VEFAp!lG5j4oti`L;PD+z=E}FpTUZ{J1Kpvr;4})uD*2&#j 
zU{y>OLL6$4!kQ$iJ`(!?|39!6*!X{HWakIiP_xa?ug>%dVmN|)*R+cXS6KM>L6feh zllXy(G}`Dd7kFKr+zR_0|W>&_#e=zXau<*dNjiYmz*)f zlZ10VPxap)lh7dgg@IuNpo#vce<)6^FsHI9 zx$g280E$^Hd2j5o7DqaB6eptZ?{Uj>O4Y%yb0erXcnNK5W;YXHqL{pLs|}Gw!=Yr@ z60rgNqNHv{xWS)LhZbvp8eB;Xnl)bm!U>8q~!*BdL`SZbJJtDF7)lPMRG{I#D0gA7&D1L!BwP^=NPjtMg5^ zxz$(Cq3-N{cuVoaq;)p*I}DN;WJm`@9Zuui+=GLF+xf{t!WrHoLj-hVLP=t!O!E3Ed4h?-Kp2hTAe0%Tq*m6e8aoiB5>xrd^h$s(+pw)V zcPOacrCYL{%dHjE*7f(|yrSo`+|w1pwt7V+**y|2Ptx;?BbUR?n%ROZ2e4qrUyipr zo2R$QGgPK}>3+IUDN4em6==i!DHoJNTrR_3?)t5)QP9#;CxXcX9&E5TH`>*N0~?~* zZSZ%B*TZ#n`Q~V<%TmcaA4Yd+n!0rrXf}4TYk2=oW0MaXHvFf>7B|n(2>*LE4<9Ff ztzGp;c#!BLHx)v=C^CGVHj20)`-M|mA}`pF(1XB+sLYo13rJEB1{SSycpR9x#1r{l zj34N96`mq~>}(gv&dokTu-vZsMAO;IiAhG|rpGD<{$wmIEMAW9HGXxPXqMu+UHY1a z?kY9+u-Ap_V}Opi^E-=Q``=+|Q~3?KdTEjDs0UCAT#welEBkJXH)UZVSLHiFVPQS? z)&MqD&rne^1LX@quihC?H-6#RyAmsl5MFG?PJg+qR03PzNp z`&7Of4`+1bpfph2QpeL9Sz11W!E+~Ij_vqhrju`=W|rj!aA9~3Y5PVW(Kir(Gr^0v zq8tV9}oT{>jZZ%2g$uD6^&yBCV-l3!xr<{}b0tZ)fc>)-@7~^dJ304l-`YRr~mhDXcQXMF(<^H7Pd-|99X^*O&>yQl< zy})Nah8I}36|d8N!*`@IRF?DCnWqa$fNwVUm^XiD1+x-9!SngN1Y4W{-X_(IKm+r! 
zHp%EH3pL$*Od#(IVau~Rrx)ZJA)gA&et;0yZ|!p4M|J#}y<1xf*P0F^LYvs;Dnp%U zz*0re;}m2)N&@DILKYtJYH=t7s?>XP5c>KC#!IgHxgIC*N2;%I z?%qxQ(&raC$%Tev_hsS3Ro(GtSTcP1;Z1iwV8Vi6c#tDh}moT{wyg}q%eq~Ei+=Dsb zJCn<8o8pUtXtV(+aNIC}1^*hBbVRzdOuV;@9{EYKou!bV0@rAIZO%8<4_yhu)MQWk zn`v~t2J2lJ~BSkn&~NTLA)(d3aQcbe4epvylk3NiM7QbJ`C)l*!&jMO|#0Agw;D^qFE}wcCpVM4$s+ zkP8k`(TfZ5Eu5R;K)-bg}}Nh7>GU=rP3^M zuHNqD6jX!NCuH6=C&S!atqB<7V?=MMqm#Q;4%5c_6C~=H>=#(n_>B-5yLO5DE00@b zh9sRD7Y8c=#L3w+dF-U{xXfKN&bww?SjWks->^2mDS1Z|w7#D_S9iuEbPMBM&8x7< zLx1sH*U1~d7>k@A{rx&CGiQsBbm37z_e$bnoh+cLFy;FyapP@ZU*{PoYKxkit-6t< zjT5L$I-NsA&{{mNhK#u>M79>TJ#huDA|)eA&*9D7AcF8~8Rxe;7!YKtRz7grfLHtL z*p(G@n5-&D{j9+CX@b^&Iw8RUC6XQAIu(|uOwRU(D#M{0?}Ia>PM~6h5PuAnIXzM$Dum z6nL4CJyvJ{hYAyi(}b#%!Z)RbifeN${TsQ=3?)haxIKLJ;|W@H4_~$H1SpN!JS!Dv zZ>ZamcM`u4n6QvY<*JnFNUfS-8?k&rb6EY+Syj7!`HpqQdXSY4rw(>8qqJ)~MZ7pY z3DZgfd?Ml1enyD1^Bz2Q7ZR-WT!3mT^SegjB8qq%;!$@jqdYsfHY~TZ*K(f{3%hyS z3xwWxhf-sB#ODlQuewr~*tSz5bVPFO)SzW3ncO0OChL6@Nfo?KEElLjDS% zC5aR#DIILRj)xL|>kWZuwz#)7eQ}bUOj;6z?I&}dyL)LN)fte+mkjuQnMPF=#xHAI ztpTcwSh*O4MhW(#O)1cunfE_JK_ykegxxdZ)8CNlYLvd+w&lY8i#u14z#xT92Z~J^#+62c0{=hMCJgD5@T5rW7$aL`6NUo z$TTFDf0sBiz;zvsXK_uH;@pGiCM)XFu;F&_pa64Fw?>1tUx;>;k6&}1N#Qwnqk(^; zQd&GHaUS@(-dwn^N~&c!j4*BGSAcUpLA8rJU#mR}I?X|+UHy8EcT86k`{`^0>FizZ*joP7+m9x z0%hp)ZOBUFMI5B?qgC`3qs-R7_TL|q9qqQxRrs71YBAwgrDz7PGim`!X=Coo9$rzd z)cn%{7kSEHS_?l(0C}I?-+Ld1duRQ8XX@xU6j)7h&V|sqIdVT5{eunv`CS5|xkrY{ z(j<0OiWv~UCpR8UW0g4HO2T&J>#^xHC#rgONM8_uNs~T4tz8Vr)YSSoFZc1sms>yasFLrU{oKnqT#W0fME7cH{Hs6twD9%^TGuMi?)0SR+&kb z%?LOZo_phMK@!ux z{cFU=Z7h}(>b@whaTMH+X#jFwD?rIq2)n=Yd~bLc^ilaz#lq^`nER+o*fnnv~@?)BP+hIZWE%Q&5?X zrO|%g0`X?Ibok4v4_UvZe@EKuXbJIKCvQf#xKQ@RDzPI0K$+ktm0JJz3yNyOGPhn& z3z;p65vL0?%`}e_QKHBWal2FYP*j*~pGr@o_`6xcLrzi=mkEn>;5h&Q@9_xSjBvwV zR%bcCY#>5wH`m`s-k(kr8k)gb=9Vx37@X|FA7SxI0&1Hrwm7mJo;w)Zo&VeiTUFQ zxY{gPz{*5jC&|Eorz^gBDxTZ&QcQptk26imk%RAn2}c}WrDo;&V6I56z?luL`sy>s zN-c%Hw&6@XC3TN{s?QfQ{@QPP4Og^ez6vCUFK_X=+s&y9>`_PCr*?S_ zdUyiHk$VVcTF1aT9Nw$_*u};WVQuJ9MVg8F@v(Xlq0As9ms*8DK+ma 
z?9l*Z5W`zsgr&0IgQ(xo0aU+^hY^7jh$$uvG0s&);>Wrr^YAFArtqy(;1%d0L2Ajq zfLJ+U4)HSs*E*DkV1o!Ba(s=4efjI26Kg4nU!$Ob`rhopK&C(8Q5xFfQ}jB;0q=cX zLg@^1d>h9lo;bEN!`y}n7KVr$>yOwT)XCbUA2}CLht{CpWqJ}n-(^b4U>K-E9LUnQ zHSS{i5Zs5y;;~_u&DAevN%ye09ixC1&T-2g2P5xh3J7X?kgcjHL3K&JeBjVzXWSU@ zjeWkCTC0d*u{VQfo(YTK`%982F1%7Xu~prs|2*S(O-Ru14~j?$oF#ahXxn<&{wW(f z#h}nAEKz;pYJ{U{(hriZ{Dn3oj2*x_S=hrTF-GFOXkVp$MvWwzF-YIfc$?xgt6=EG zSH=w>Lo1ms4n=A^6eQW&R?I*ocbM*Y6Llas8 z(U+WD`i&_;Bw_6X=neJi3X4ha^d<1Ijo2>oi>-J_VqWVcp$l|Xjda6lRc>Y*(mgzBw~*H+=BU0Q(Km&=|7^L+L6L3hFN|+PzqobF*9noNuivRKH3Np z63X$I);_2_hz+)@R6xQ;NU^}torSDCoqq7;z0Dv26plMWYSZar@$0p}kY@JJ7!MO`Oq-7V7 z_@u=lnyEbl13#8C)|R7W&y-up4Y`oU6u2cY_B68TcDR-W7 z@TXp~fIcjsNxzW=>8&fuy3cn&n)lxkig#r#ILxB1K#@j^42 zVKdWsjJKEj1Sj0T59Y4@iYq3}L=}$*8X@s*Y^Pr1lZ^tkjD`Rw!xr&TbF;nar3Mzvc zzU~)WhwTt|nlwFJbk_zxzAEWV21nc!vQxVFMbT8i{!~tXp`Hu^KhGb}+yKiL`8l#H zWmn=127-HMtbK~>hr_66`uxu}6@t&3##eyp*S35YPj@;`09;>xjt^3qX-P zFC0oiD!=Vhr{^|YNedOUg4;IVUo%>lUPUFlOc9yR!9NaJl}_Z0C{S*sWSE*f#|Eu8 zC>JW9bn9P+q8j^sbr0#9QL zlh}2~(lxxWr1_;4i3uy+7*?zx+fwd)^>w20`z|TR?yNJF`961wu@Uv{HGPqZnjD0) zI8Cv}16;%DXuO`MjCx?xz?1{q%#~NKjcqv7wqjjS)VwP@ET&~b+$vaOrUGU_*ZXvv zvcl~1#Fer$WOj)EQt-TR`s4BI-vka!b8837%R$d}qB<|}&m3CZ-Ol8^LOMLO-_*pL}?t#d;-Q?Z}*W6;%;5RT;(|ryaegX9T3ap=cpKds*={W!4_9)?;x#&0rwm>i=<7d$o-er z?&HFwIUe_rbPBwh<14+#qIvCSR^eY=MOuqDxIKH~E}9anFSh8!?8|V-M7@b+BPWH3 z2h*6O&YUF0xa{@I0Oc96s+$% z0!rj|P6pdAHm=Lx0j?O? 
z;w!0l@Ti7c_7?D)5!DMUfuz(NSDY-ap}_bH=`pjvPy<~blj5Nh>~+b1PgtPAMKk}l zveI1T?zV2kcE3oO1 zChkcHug1%cp>@87$0{9q>@`nNh4f^U8w=cBB|mF=}4PCY?3@6XXw-9<3HBqtu7Hj7@eJ`6(5zS>Iqz zKzLO7%lZuDw7LmiW{9Vw&0*vYT~g)SK|;y=w9e0e&$Z^Ie)jMx#ykXEwu^w1l$C3S zEsA+u-yWX;H0*cuDn^7X}BE(gSo-U&&*lYbA<1 z#f5Zsgnho{tpBuEAp4(6(4BP*Z8i<3KLT_bKiUsHsUp4KE1NTqIUvpQAq`VB!?ae- zHo?COD3FYx*0O#J>Y~Qr3fPcJ|1-AYVmNsiTx9p&)$|$ojn!!(QV3CfkR7<~Ev7D3 z=}m5X+!#D?HIe{F_=-{&ZGPi%1GKj|rvj{n;I)G1o5~znFNJv1>xwJ0X43_I>+aI` ziR{>pp1A;oo)3_-eWUSAx&t79Tv5t1GqQI;89whcvW~k6sa(@DWkUn?=7ksdt;|F1 z@gahJn`JhroM0+=%VMotKcq(~#x?bmuN0EkSH~}lMAm*~vRtJpp!3Orbu$N2v_m`@ z)5 z{AJe|0D6NH9>{tF(mJ8M`=^I|5mBjGkd|80>;tt$hUaQA4gT|x_CTlq07k|XMMLro zQ1||Xq;n*S3<@XIN|{>VYGm?DXt)ujQ>#V9e+J&HmsXP+xU@jHUhvHaOHt=*FA?a$ z4y)wJ!cV^wL)rHm6$Ng6xw0B$-9jfKAIiL$POJ)>>@5)WdQaP>k6ao^Ia)kC=8tfN zQJBp}Cd^@QJUS4SCjMA61cYk#Pa{5#6l|mI46qRU(`S&)@EiNxxD2wH0>u!xU6wIN zV8fMug=(TH>WMbtmwnZ(Q4c&sPC(_^e)u{liCFXnnUlrK(6gJD0XygsoqpgFnZ%>V z6fvDw78(&@19LzfkUE_jhQxO(okuc#d#2+B#q6+cEn<0Clw7Gao7@>!bag!acG@j_ z^9*JOn!iJr>E`l7*vt@pzgU1(-vaw115fkGd zqv1Takr>F;4Cf~fqiqeLWsOqMxSu?D&{#o!F1h9j$v!CwKiSmBlf@l|lIe~M74fsy; zx=YDNsRR}!(rr+|3)iQy5QG3z8e%v#Z$g1O27>)3!jBYi>ox)j8ieZ)r;fv%C*4UW z`|kJh#kZdmCn_@V<>aT|RWcH0ViNSxE(D)i>I zAPdrHd7j&J>*EOw?L#-XDQLQWiGMwP-iTk;kO)<3AAvn+APPn-Rh95I}Yfg~rYlGnc%uF6z&2ogoZ0XrtRZNnfiNhFR5ZTp*R(gL5$5 zmtLA*w*~~4td$KEHb4|k-pR)gy~yj{}08AdcV;TtAX~if9Cd zFcM>0v}X~P$1-L!DXK@B;yxHC8kt2Ib#63;eL2VDip$$7tKDT;qqpOe)lWqHNie`X zeKskSD!A4j6cEN>M!%LTt%5To-;`xIg~D-6nJ8*R4nlWPa7iM{(~Dhn>MDWthhdqg zx}N%3Q%BhI{x*%g0DrzP+Oh@&a^M<1a8szOIY8g_K17qtuK_WXQ+Fu_5CFduuHt12 z@Rn4h3S3iKU`_{-HLt>hnAAcnAKFoXtuE&c-1byv#4k?3F28V2c-<`ARG5k3(EOJ` zcX#49@#Q|2JyZIg_d)^4$Y9~LPk%Y%R&MQWsS_>b^Kt|ZiNNhs>hmgHFG4TLZ9%Vz zQeVA_J}=tp%s0*IP?}$99QuGi5~s$+MbYSm!~2-cP8@cW_av!qdHdX@cD&{F^WbnU zjlN85MM07C^>4_lMmFGDw&kR21Gk_96NzX`iiGsXFxKgR~a34>W632pnQq3!76}E!QZK zXqPSAfBDW zc8zyb1~oOB1q>ZH#K+)u;i%8>WBvjR-re3!yGKaH#oE{OD11N-2zsEVQu|H`KL?WP z`%-%(9xc()tZ=uV3%766mG|xRKE3?DzPPPPtWm{oJjos};lg>k`C?*8ow@Ki6-CDb 
zxuHGKc&SeXJbeHY0%S%l?bH!pj-UQJRXBtGDyB*_!acEc*~2Kw7|C0fpVI1z>F}!0 z@J?m9Q$VEs0@nZ@Wr)sjndBlD9z{8ha#?)-BHC8o_mqo)`(45}ZQA%Q_bxsCl{AGA ziUk}4#c$hIhBCMbws}f*r+$u5!Cdl(j@z~~Pk)7dKqYXLm6oty9A^Lio0vq#2r#8LqU1D(Pd?FtX=*4m z8S-_i+pt5!RM`3V#~HZ6S;%)V?;cSPCvGrHVZYDL>SH4m=%pt=Y`nbXzs!pD@23}? zL*{5B)ZAZkI|XDtJlD1%7|&+xg5EAI1@O5@AznhwMzy98%dN}Z1(*1bWiaiM5WqD4 zB7F?8af;PM^bZQCRqQ*A3r6U?G#1z-?$QAj_H@w{KWns3gUo+Osw6{EL3V;Jwm94` zf2lV^%4jpAXNBe+WdfO2zC!+t1AE6acT+}`ttXn8U~yx2x9_`H)zT&HgW%GFrUH)9 z(I1cjn5fu?hG9iboG7O1#L_i~1PX^5UYCYSpO{aSlkmJ5164VWAls{^kf?}EKy)n3 z1ap-$hW}t4M08O1v?uj=ti0^o5bN7?aOkGTXpcF z)>2O)PVb1NXV^HqAX|I;7x0J5gRr$b;0kSmno|ZTN2Lfm_Uh-Z<-LG83?;(%Spthm z5^or7N1RW$Opw1y_?)8%VDTx+`^;*k1_=KpA6*(!Zzs2#_0G?y^z)NE*JjD~!T$0e z8R~=Xkb^Y0Xe#W{&d%!5uFMo73RtR$o-u5(mj^*h0-5!ZoKehfDnzsryJ)StY{x%QP z(=>LN*dG;8DLkR6yDW?zT$Iq-qICU=-b$d=yF)@?$=G_-Ztw zBN)vGk*o>mux&xTKooVpA-Lv7y$QADIWDFnQ#D5x~S|b@9Rhd`&Eaoim#n zR|1Td^V9KboF<;dY6EPaG%4rB)th5|!XM?M24r~SiONJ)2BqEE4^p;KVU+)3rAI+B zlqcDa(vnd`FD1fajlX$A28046r1A0&nD?8h)u{A$wyyb6KbJKeLrSL`G(MlM8uLud z6QIuen;ceH5T8Jyt;q6-l1q#*Fv7X<$22RsB`PTgBQ9oCAgyg7F}H}!z)gGni5>K)v&tfi@Vx)AMT%MowpP5OwgD)g5o)cQ>fj?RqQ2vL}&oEans`t5rGq36gcxz^gkw0 z__m_}jaKbjsC{=HfI(y;9%%r5qJFF5m??+ovxNsfhq*?j=w8R6- z@9p zK2sJ?bik=t^G`R`I-SY?(q10f+xrP-xU!?Jz##_-@b<=cQAY{%GB+5~u8v!+Z~Qi}hVhx5MR(sftvb z%%_KO&2%8Z-ma;h`%@4V88$DyVuQ%tDZQDv^kd%V^vy~c@^p7qx|?XR19r&*E?}ij zCs0UQ4XA++te->N2B^Q?$KI6D8^J2A$<-HFS#k4@l_E@l1QB+YN=86w`7Y|O_=s`tWOhn)t{+uOYJpuU_Vn4g}+u=d%%nl7fO1yJRr8mlMB^OgF!+PD}@n001*H+!6X?ab-3Se}6uy+Xf=q4AIDhoNZt{ zqaLl2*hnd2#~5ka!&@N1Pc>l3-Gm^k&4#}X9T45@^;|3cJcYisw_@WSQt(pZ`u^sF zKU-q>i-b{syUoKwRW^Qhj` z5%NGC(g_G40UT6FenkW_ z*6-}68{i78Ls5DvIHs$R(;euD60ls7!b&y{GlpPg92!K_w=J}+fs6&1`r$)sLSHs& zpWP$y*LDmJlW0B=L141Yz(h)4KP*hsL}Eq7NgvlYgqq5bn|+$RIsFUa0=smJDI>1+ z${^b6H57RFA94RnDM~MZhdqv%(vXOMeg-Gu z6ty=3>!$T@Sq0&C&=e5PS-^yI{htycj}G2DxFZ0)lL@Gqu=mMlrFxILJcN)8c13}HD|-LvZnw0fA;Xp`DO0n zmGMdczYPI5dnt*PoPP}E&d%88L*4#2*5Ti364_uvJhl<>^k&l7o>M-)e;nl1^r*!F 
zsCY)gQOEQ{kv)>1p1Lzdv2#ePyh`AGU%rd|PtXA1+4Nqng0&?S+3M2b18DxhECh`| zW`*>GBoLpo1wQL!EXtufP`FtMlDkK4^6mes>>6Wq;eqwqwr$(SS=+X4+unWGwr$%u zYumQZS>5y9-}ld*q)pQ_ok^2vr;|MM^p6n(Ndezkig3ELHrruhRe2^w*IH0A_u<>( z>dQ#pyw}Ru)TfMAI+H4)Pta@{A(abk4($?8(a3URMR?^5fF;tpxP5+2{hQC}p z&eum|I!cW*Lq7GO0yJz|N>O#~kyh(GsQ;D?kSm<5mo|+LVGHK_L?p8efFPwq9uq** zk)Dh*`&PyW>vGx`(kCIUZG48Kq>L0WkA+JX*B{wwaSkTg*tF1**+4LnlNH~|-M;>u z+T#@FHjiDF1XUC=u#^NXIJ*x`04qkD#NrP`4ZvI8QXJgE<2^7`Ry&3h_||;yD_9O) zhZ~cg7Xzhj!&F%X$Jq$wK*g4t3eVq0PNp;SR@>fC#c2(+X6+6}yl= zhXiRN=nWmChtA;-vY(Dyj2)+5ht# zoQ|d_=vxFx_6{F+8J?Q5Dv}UYP~UDsx80$$jvRKFAUqEJxrxpp#$OFF!r@HG$x)l$ zr=9hZ=}AWdlY|KKsN&5wVbYch9y|r;YUUUB&tegu-Sa7Ja>a~|R3pF5(|etmi~J)! z3pHxE%)_%PvDMrClQ$_LZeo#LY2P2%M^A z=?Ld{iT2S}$bSItS*)Atp~m0)!Xwzx8nYxqO9W>cbM0i9PfJer@NNDRa_{one&2+D zR29-vrEMl}I`QO3*fj4k6};vk_@h&eO!1c{Mj5swCR2 zF9@I-wor#7U4%(lZVu5w=cJJG60VHK-weOW2S1&@#k0*S)mDRqdXo)T#6X{)@@QUYk)eukBnvt4ZaC@_8~K5*q5ea+<@ zf3C;(=Q4^A+|ez+2$!it#}OHK%p3f!SSgWlreqFUJW8EffdhRuVGp0x_`fN? zb^hQj!t_#>Fxl`zIaC=4R4_{W{%L)+J=%jfx6{(@F;-D0z2D%w2=-0ZKvTEqUUx@!e*YMW)m$y?SCGH7MUWvC3&r-<9L|+-Y~yNj@efm;7AnB4aAx3k z%4{>0`FMtztnz*x$?iry(JG?gnyuXLI9ha{kJB1rtw9258qQt}ORl5;VhA7H3CWy?}AH5ph$-3*>YcgO?;h{f_AoRl%zcJcg7C&%ObR(je>$mzlnus##GPCda9$K2G%b zg>R~42@Ko@o1$MlS-=kBLrG^Qv6!))AJ`U`A&OW*?`&5o<&X)l2?>bGn(kkBC;$IM}$mE7*0#(YNlfFzZ;Y)+%;||{; zfdSziVsg`P6C@O11w*o82#Zgi>Xbt1ZE+x3Oq0e9a3zI+TPI8K=AVhml6iHP1vRR?eKZ&5+S8Zxoe*~X?qtVA&pf!jk-_|m2hCW* zoP#ck1p$VkvE498`d%q??#S7s)LYKE`+^oyBBG0#+?!wGu1!=CVM%@EF7cjmLNxb^Aj z)Nqm)Gr1@VR@VhW$dp1PhU6fsN#H7v+#)wUI|8GImdVKTvF9uGix9&7)=_*#7pdJ# zPnuDv8#O;`PfxX{Hf?{hpYnLp2BqREnuk=m0wWv7nwxzbeCREd1={ne7z_58MRRZd z&^MMpESO7yAi3q<#ecNckK3-F@>*TCnPcvh8+yPJ(m@4SVZWBhFB7z!-!7gQHN3{@ zmvz{6xCoghgf=f&KT)%rKD{6DNVbv%k)d9|8>cRJi5o-NM*Y&03d1BhsJ;wWh_q_Y zM5F*`m%m3jl35$5YeHv?&oBF*>L))$BSAZ1_{NAx6~-0xi4;J>81eHhTwLzK~w z#VvxDdruX0UQ&{8?KVJE9xbL2%9t~Wg$15|GkZ5x+{>0&6 zv_J~w-uI>X^EkCV?!4eF%_oK$0dCJ6?wF{;K6nuKbUhkpIkZNuK=Q2smo2SnoyR` 
zf;A0IR$ECbv*l%lmR+}=i6XqNCj804FNH5eLf&dL*{D-T;yknyh;b;-^u;O3&}V$4 zR4{L=ap@qEwE~+=SiI!Z`B%F0QTy?iLc=$ZJLB_NHZkv!-pSfmMiFvqIF|%YQw83>G>cMF*ynS;-^sdb# z+**1IqR~d*fX0+{J|r-D8&R81@@4qJz=#`+9||9<7b}AoSi@k`>9^XKv%=oGa5}U_ zvPv!tt;-;%$G*!x1jteT75&)V(0yOOMLGu zBywpd#(bNN{xruX&f(?yF6Y)67V*avv^!99q;K1?vDx1;&=6*RRaDL7TIHYX4C>&&J zW8tJ_pC_3)@ADF3lfMekonQ-373r}b>BEkv>T!-(@|BB0kun69(%jG>jf4>>H8#@k z2|vXvfkt-7uX&%&gCS@KUqgj6jhM%o{ZkW@GMBIDthv5Tv{3w_2@eWA2mo!%qgCoy z=sw-SRtD6_oJS*AcD(D(`V0RyrHVp?7pT}sNqZbqCsK|o1L)6fvNl<7-m-3a*u*58 zaQ-l<>kdhPMCtq6sRL4kC4n<&_|2=USZxgHWpnyEewIn+$K2$}aUwbr!ao8&r@Jg_ zl@ufJ#Tk}~R&Vr5Twsgdor)n6Et`)dmG!5e~l5%w~c zsO_1jwE&3m)_}+)BQ36Dw~(t+{{@;ai2|d=mok5J0lP4%i6H$O1Oyo*GhzEr3zui3 zlSXHwTp*L7nmw-1s%T81?&EoD(PP~aUzITlH zAHQ?(W835M!TAWl&Xmpg^huna4ec(Q z(~8P^*zKPWYOO2nmV4^^?611dUf+H`c$__lGD(3T zG8LSjuIH^T2XdM1Tm;zf>}bHoN%X{VtJDNfj~eKMX0|l zAv$6ssNt{4=n=3KXA7*p2SirW^sm8d-5$?^*=z4W*&Y6s@`R-giDkrh=e%MKbK6|# zK>uYvNuW;);t2dZp1Xc{PEC6%lK<-Xtx)%zGa7)|6pq3Q)`d}~sbVCrF@*)R?Vuk~7jahDOd{Qn22;wrxBObATOK6_ z`3{2H9|No$!CavsTScKT`3DfHeaw_mrCR4vW77C36vdq4raPya>v7t{J-v4IUi`|S z%_1Di&z{ggj^sEKz*Np$uo3TOLx7nb7v&nH?sq6w8D*N55lhNF2)7r~bH8=J|I{+B-(=7`WvgDjvbWf4v6tB&r9 z+~s-!K|;N!RZOydEx7R7n_)n5u#K7Fc-ib*hca*0k@VP+0v2CDWdf9h@d%hgiUrzG zCUm6whO<M?aO6YEiy?wD35E4~Qp9EwDUYbgG5| z5%hj78RQkb)JW?1M@OT0;t6=qglUJy_F=^f+-;uwc@1erj0`H?uLb4;$TMSC;|@Y< zb-L{!*FNKHB#wz)aG`uU5|UB@!mZ~|R4~O(P@He5=J3oW%@qtWi(K4c&wZZh z2944x>m2P7H9)7^y7`R@!mCEJLY$bAq(1hl7LpgryOco*sKkyp(YhzeTDs2BM5r$C)Q$?djbs`X-Ythgo!@t*X zx=zru`v$MY!st*5Kb;E(SgG&^`vbCfj2eJblO=HsoPEv@oJe@RT_be_;TG7h%m}qA zc5QAmKllO(4vy%TmcX7EBro5glCzj_^5z*&G0&i*&W<*mO&T8RAtcw#|b$}9L3 z*26*xQk%ZnfWi9_VX-8pTf^gm&tb$wt?J_N{m7m*qjg#HtWi!aTCUf!T?EH6WvAB9 zV@}5x0TiC+XLKS>MdWY%qT;yO$i9uW=*YNG4R;nuf-d44tY zDQ$v}uA_d;4Z7;Fh7uHcaBS4N^OafJAugza8Ol7K`|Nt- z7DLNX0A+KekaokF0e0aLm;djaLz?7Qtt=n#%;0hGmOruzI%ZCg;SzddA1wG@^-F zF1Yl_^-r$@qE5*bcDFU7t}3%W{` z@#U84R{4C})EzTscqHMSVe4Ea_wi-O;kW3&lQrp>^Rgu%9WOLIKJh9rPm8{Ym_d_Y 
zepR|{tE7spKnEw~<5p}z&Q*JDn>eN92gK7;NsDRD*RJY(lo-eOs_)*#m|xPA!C$`Z z&k6yS766yBquw}?ytIeO?a3cGD`AXgNE7!j-KvBO%<`KaIjv^^tc;~9H->INCe0npwHRq>rZsyB6vyX&SgdyDu0BIsR z!R&w?{zw;jYk?iqc;TTSy4Ka2a9CWM33(zP2{L4 z82l%cq_u@-kOdfl5*1;>#&MYSTp=nNNKJ_BsiC46oEF}(D_*tr|RVbh|7 zg#;FPO5JD7Fi`qFjkil!_K69LcGbchJ#e5#b4jTosoxk}Ufhfkcd1H?J|H(wo3Q^- zonBy3qMY3YECPXDacPaa+H=p`tWQQZu+U9JyMvwb4R^bQ@wU7d5g_KKoeaD`u+#Js ze^HbT&X^s>$6OgmIMU=SLO{U(JF^%vRPKZ;l|1C*{Bb^UHWJS+SEY=@JwD&;a$Dzp z4Ho&cTf0TnE632eH^M|U*K=2m3oq|rEgi?;Y?Je7BXuQKtEQfkI3~~jV61cj%64QU zj~M+Deb@^MIPq2>zwO8T%nvsU(a`fuIleXtect1vi&^&7CU^@w?5W7L57ak&xAqxT zv?~N?AERSAAKdqbOnPZhVIYx7C!7!AhY#_X>R!TpfBZqMtX_Rnn(q8GJec%2J*SP1hKkD zELXzr8wfCYs>P(fTdTWKX-)gjBXE|qoJSV{5s3*jNBWS>dETF%lhL`)$WR_6F=uz} z2ZorTDK9qCmhkuP7{@MN_+!5-lXu0=%;4s$h$X4vmseUWS5^!?+LV%zom?1+3teqiZ*zjlCyPe2rP5X#yr zN=)`JROagI*gcigoinf0U*y?5NM%#wKjJo*2M3|&+*42-4Esso5K8pP@-Zzd5tkEl zDxn^)rNFIWSLn8BgLDUd?Pb9pp5FUm>2h-(#z z2*+ogK9Lb<8w};O+JUb3umOBSL!eXKGysBgJ_pfhSqx^TYrXLLK(8sRay@(k&mWxh zbGm3ptuzr-RnjUEg&%!{$l8A~+hdHPLc41y^Wio>53p;BL#4A($P}x)S)LUgUe9Ev zM0Nk%j%uo5|2OFyN#|0uluS9wU5?#gPAb_MPw7pys_#d%m|`;e*C>CRd#jLE3WlSt zq?n$8AUi=2U0Tj?je*jV-uXW8XtBp(ElmIMUW-vQ65IDZFssZ%Y9Ln5Z1FvOXP{5x z-_k+g4%y~ruN#M9bRxNG#BQ#I`Vx5jSZoPs)0c)EpW47GAniIt(@No_B_x!ljB3D@L#T)m&KDRLh-N>lta0MPBb8SoDBH-i*+e6JLHaDI zSIHC<4iH+z7j|RqThsbwaYAp^im&jS*;|t06xy)*34dFa@*Q&zV$ty!>t;8OBhk_7 z-sOQy#gZ{Yd|0FIezh)Rq~<&6k-g*TDXRIolb4sDBn3s?kt&7f=oD45^ttrA5#%8f zx5z(o1Hng19eE6i6a8mq|FX7K835>H(Dq5*o9Box#zo*OHaqS`| z=efF9N#uIRKZ`cinwB~$)l)>MnV7x?Gn7&=Di%9pEh+GZ7L>gs-PUI3`!`|tVD&8m z(|<7MwupdzdLB;hBYXcV#%(-Ne_Y=*P>luNgi^;+F-Z>wt&CsPw%io2&$0p#I+Xc; zT*6H@TMxf&czd}<$WSadX#hO>=0i;7HnC1VVS>cm!Rml4FTc)KQ$tMa-oXJDRD$r` z4#pFY+)tl}5)=qe#IYv%Ps_;yt*ryA5p2TU)48%Yp7#;|j3|nmm4L2DJP!G2aZLMl zEAp=gRWMubIs&?8pqWYO@Fu9Vf~5gZx8jol$mp8aZ5X~{PO{tgwOd!&dCH4m>|>^X zj~e(CDNrwsbh%{u2r++c;)*HPUyUXxLM6W<=8mVb+9*uT2_a0I8$5+VDv|uJ(?qFw z*T7f%=YB$ApB`;_xng|2$JKZsD-45AXt+JLqWtVv>gUIfcQJboX0NmCuwQ)MHdbmS 
zpB!~UyrzDVB@D4MRx(RdANIe>(2f|y)7g*H<)Ld%>$4H+%}c!TM2x`I{H0+e=rfyH z7f)U7CYLj{G;3UVFC71p=o=RKJJF1`k7{aDPwo}fflm3sBtRXhc;Hgm2zvw3+ zDrEtN;H!_Oc(MN zEsH#LP1?IkK%44jMa(DH)dzQs;IO*@pQ_s24y(YJ{=rku7&saFnIxK?h9gKQoPJYn zd;G&@_h&F~{7igurIo@N8||AW#ZDYH&djU*9dT>b?UVEEryS4aUEYJbROPOfBEdJj zwM*Y6z+%u~@LQQxf6%x8kH7u=uqhWP9DTM4X`<7+`zmDQf=L-72~*1mm=|q4POXX9 zup0Ne%}D$!Eb`jMqu}seNL?$y*soha?mQXiUljw`or)v66lm_u)u=*frfJh&5ovS3 z3858n*agG2pgxy}tG({F<(hiJ_g+$ZAH;LZ6HADQ+a5u>sWi0SVdw4b>@}X>S>?S) zl)P!=V|pnnI~qJgbs{MH1^8d<6092GBw_}A{rMQm%}y9Bk-geCDf0N@8*rD3C{QA6 zs)N@h;w+7c%6SKA0$xi}T*J}jXn##RjGN0L4 zTtOXES`>|QfLcnfeC_(-062Oj8+~JL!SEC5-gJU0%s!p~+rv+V0Of}Ilu-_j2)tDH zU>r2~*CwG_0#~LjHv6|}X*e{T>1$qIpgZfs7Ns33 zFPT;+F}y8^u{WE%#Jmk3`pm%=Q3`Kr8PQS}vi7yTe4MX!J>)As=|1kiar#MumX2A7 z%w)!Y8TO~Z-XIqAvdC%K{_-|abt(AbanO$)5}G{c=czS?QvI~!kqeU(gMkFvIV_HM@ffKp{dFp7sF2`YgK(`fw8CO(3JK3zs!`Rmt0C++Q_4S{k^- zQ~_z1-Q$r}VRC&qY3;i#tKCla5wXaA z!av#K{X+tlm&Y|GTe)Y7u2MDj7Y#(`1p+r~_CeD?UuOrs3YxX#63E81X%p}d`NVwz zbVy)=AYXeU?6XWt4JE+rqw9W7E2cX8uz3y5?ID`_ng)5`L#)@LQ6iI|s&5>XvLcj7 zg|YkSujrR@@a|*)DSE-{l2Ht&i2w4o_N8MrhbMVX=u@u9wGeK>LY?K}iy@#S@&)~? z(kmqvq2rz<{e(#|?d9hj`S*jQL(B$8EkPoMT#U?;>B8POJ)u?=-B7>ZP{^6Ipk$=v zc0OK*F!&L#lYc#Z95df8R9@pi7ND8JPL-E@;BMcT1)?V(>4|Rx{QloX2%0y5^NFOx`FJy}X_MA!Fr)@kr|v;HPVQ2NB`65MMVNz>% diff --git a/static/images/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp b/static/images/identitymanager/job_operation.webp similarity index 100% rename from static/images/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp rename to static/images/identitymanager/job_operation.webp diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp b/static/images/identitymanager/launch_v603.webp similarity index 100% rename from static/images/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp rename to static/images/identitymanager/launch_v603.webp 
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp b/static/images/identitymanager/menuitems_userslist_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp
rename to static/images/identitymanager/menuitems_userslist_v603.webp
diff --git a/static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp b/static/images/identitymanager/menuitems_userview_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp
rename to static/images/identitymanager/menuitems_userview_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp b/static/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp
rename to static/images/identitymanager/microsoftexchange_fulfill_display_entity_type_5.1.7.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp b/static/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp
rename to static/images/identitymanager/microsoftexchange_fulfill_display_table_5.1.7.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp b/static/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp
rename to static/images/identitymanager/microsoftexchange_fulfill_menu_item_5.1.7.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp b/static/images/identitymanager/microsoftexchange_jobs_5.1.7.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp
rename to static/images/identitymanager/microsoftexchange_jobs_5.1.7.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp b/static/images/identitymanager/namingrulecreation_example_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp
rename to static/images/identitymanager/namingrulecreation_example_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp b/static/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp
rename to static/images/identitymanager/namingrulecreation_exampleroleresult_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp b/static/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp
rename to static/images/identitymanager/namingrulecreation_exampleruleresult_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp b/static/images/identitymanager/namingrulecreation_newrule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp
rename to static/images/identitymanager/namingrulecreation_newrule_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp b/static/images/identitymanager/namingrulecreation_testroles_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp
rename to static/images/identitymanager/namingrulecreation_testroles_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp b/static/images/identitymanager/namingrulecreation_testrules_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp
rename to static/images/identitymanager/namingrulecreation_testrules_v602.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp b/static/images/identitymanager/navrule_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp
rename to static/images/identitymanager/navrule_5.2.1.webp
diff --git a/static/images/identitymanager/installation-guide/production-ready/server/newlogin.webp b/static/images/identitymanager/newlogin.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/production-ready/server/newlogin.webp
rename to static/images/identitymanager/newlogin.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/nimProfileModal_v63.png b/static/images/identitymanager/nimProfileModal_v63.png
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/nimProfileModal_v63.png
rename to static/images/identitymanager/nimProfileModal_v63.png
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/nimProfile_MenuItem_v63.png b/static/images/identitymanager/nimProfile_MenuItem_v63.png
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/nimProfile_MenuItem_v63.png
rename to static/images/identitymanager/nimProfile_MenuItem_v63.png
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp b/static/images/identitymanager/oauthauthentication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp
rename to static/images/identitymanager/oauthauthentication.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp b/static/images/identitymanager/okta.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp
rename to static/images/identitymanager/okta.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp b/static/images/identitymanager/okta_addapplication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp
rename to static/images/identitymanager/okta_addapplication.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp b/static/images/identitymanager/okta_applicationsection.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp
rename to static/images/identitymanager/okta_applicationsection.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp b/static/images/identitymanager/okta_clientcredentials.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp
rename to static/images/identitymanager/okta_clientcredentials.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp b/static/images/identitymanager/okta_createnativeapp.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp
rename to static/images/identitymanager/okta_createnativeapp.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp b/static/images/identitymanager/okta_createnewapp.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp
rename to static/images/identitymanager/okta_createnewapp.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp b/static/images/identitymanager/okta_saveapplication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp
rename to static/images/identitymanager/okta_saveapplication.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp b/static/images/identitymanager/orphan_bulkreconcile_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp
rename to static/images/identitymanager/orphan_bulkreconcile_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp b/static/images/identitymanager/orphan_entitytype_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp
rename to static/images/identitymanager/orphan_entitytype_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg b/static/images/identitymanager/orphan_iconapprove_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg
rename to static/images/identitymanager/orphan_iconapprove_v602.svg
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg b/static/images/identitymanager/orphan_icondecline_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg
rename to static/images/identitymanager/orphan_icondecline_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp b/static/images/identitymanager/orphan_propertyview_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp
rename to static/images/identitymanager/orphan_propertyview_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp b/static/images/identitymanager/orphan_resourceview_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp
rename to static/images/identitymanager/orphan_resourceview_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp b/static/images/identitymanager/orphan_revieworphans-owners_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp
rename to static/images/identitymanager/orphan_revieworphans-owners_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp b/static/images/identitymanager/orphan_revieworphans_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp
rename to static/images/identitymanager/orphan_revieworphans_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp b/static/images/identitymanager/orphan_serviceaccounts.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp
rename to static/images/identitymanager/orphan_serviceaccounts.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp b/static/images/identitymanager/orphan_unusedquery_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp
rename to static/images/identitymanager/orphan_unusedquery_v602.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/overview_calculation.webp b/static/images/identitymanager/overview_calculation.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/overview_calculation.webp
rename to static/images/identitymanager/overview_calculation.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/overview_connectors.webp b/static/images/identitymanager/overview_connectors.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/overview_connectors.webp
rename to static/images/identitymanager/overview_connectors.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/overview_provisioning.webp b/static/images/identitymanager/overview_provisioning.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/overview_provisioning.webp
rename to static/images/identitymanager/overview_provisioning.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/overview_synchronization.webp b/static/images/identitymanager/overview_synchronization.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/overview_synchronization.webp
rename to static/images/identitymanager/overview_synchronization.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp b/static/images/identitymanager/packages_ad_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp
rename to static/images/identitymanager/packages_ad_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp b/static/images/identitymanager/packages_azure_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp
rename to static/images/identitymanager/packages_azure_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/packages_azuread_v603.webp b/static/images/identitymanager/packages_azuread_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/packages_azuread_v603.webp
rename to static/images/identitymanager/packages_azuread_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp b/static/images/identitymanager/packages_csv_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp
rename to static/images/identitymanager/packages_csv_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp b/static/images/identitymanager/packages_cyberark_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp
rename to static/images/identitymanager/packages_cyberark_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp b/static/images/identitymanager/packages_easyvista_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp
rename to static/images/identitymanager/packages_easyvista_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp b/static/images/identitymanager/packages_easyvistaticket_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp
rename to static/images/identitymanager/packages_easyvistaticket_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp b/static/images/identitymanager/packages_excel_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp
rename to static/images/identitymanager/packages_excel_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp b/static/images/identitymanager/packages_exchange_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp
rename to static/images/identitymanager/packages_exchange_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp b/static/images/identitymanager/packages_homefolders_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp
rename to static/images/identitymanager/packages_homefolders_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp b/static/images/identitymanager/packages_identitymanagerticket_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp
rename to static/images/identitymanager/packages_identitymanagerticket_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp b/static/images/identitymanager/packages_identitymanagerticketcud_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp
rename to static/images/identitymanager/packages_identitymanagerticketcud_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp b/static/images/identitymanager/packages_json_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp
rename to static/images/identitymanager/packages_json_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp b/static/images/identitymanager/packages_ldapapache_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp
rename to static/images/identitymanager/packages_ldapapache_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp b/static/images/identitymanager/packages_ldapgeneric_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp
rename to static/images/identitymanager/packages_ldapgeneric_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp b/static/images/identitymanager/packages_ldapopen_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp
rename to static/images/identitymanager/packages_ldapopen_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp b/static/images/identitymanager/packages_ldaporacle_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp
rename to static/images/identitymanager/packages_ldaporacle_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp b/static/images/identitymanager/packages_ldapredhat_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp
rename to static/images/identitymanager/packages_ldapredhat_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp b/static/images/identitymanager/packages_ldif_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp
rename to static/images/identitymanager/packages_ldif_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/packages_nimprofile_v63.png b/static/images/identitymanager/packages_nimprofile_v63.png
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/nimprofile/packages_nimprofile_v63.png
rename to static/images/identitymanager/packages_nimprofile_v63.png
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp b/static/images/identitymanager/packages_odata_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp
rename to static/images/identitymanager/packages_odata_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp b/static/images/identitymanager/packages_powershellprov_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp
rename to static/images/identitymanager/packages_powershellprov_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp b/static/images/identitymanager/packages_powershellsync_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp
rename to static/images/identitymanager/packages_powershellsync_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp b/static/images/identitymanager/packages_racf_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp
rename to static/images/identitymanager/packages_racf_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp b/static/images/identitymanager/packages_robot_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp
rename to static/images/identitymanager/packages_robot_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp b/static/images/identitymanager/packages_salesforce_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp
rename to static/images/identitymanager/packages_salesforce_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/packages_sap_v603.webp b/static/images/identitymanager/packages_sap_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/packages_sap_v603.webp
rename to static/images/identitymanager/packages_sap_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp b/static/images/identitymanager/packages_saperp6_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp
rename to static/images/identitymanager/packages_saperp6_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp b/static/images/identitymanager/packages_scim_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp
rename to static/images/identitymanager/packages_scim_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp b/static/images/identitymanager/packages_servicenow_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp
rename to static/images/identitymanager/packages_servicenow_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp b/static/images/identitymanager/packages_servicenowticket_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp
rename to static/images/identitymanager/packages_servicenowticket_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp b/static/images/identitymanager/packages_sharedfolders_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp
rename to static/images/identitymanager/packages_sharedfolders_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp b/static/images/identitymanager/packages_sharepoint_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp
rename to static/images/identitymanager/packages_sharepoint_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp b/static/images/identitymanager/packages_slack_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp
rename to static/images/identitymanager/packages_slack_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp b/static/images/identitymanager/packages_sqlgeneric_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp
rename to static/images/identitymanager/packages_sqlgeneric_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp b/static/images/identitymanager/packages_sqlmy_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp
rename to static/images/identitymanager/packages_sqlmy_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp b/static/images/identitymanager/packages_sqlodbc_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp
rename to static/images/identitymanager/packages_sqlodbc_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp b/static/images/identitymanager/packages_sqloracle_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp
rename to static/images/identitymanager/packages_sqloracle_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp b/static/images/identitymanager/packages_sqlpostgre_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp
rename to static/images/identitymanager/packages_sqlpostgre_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp b/static/images/identitymanager/packages_sqlsap_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp
rename to static/images/identitymanager/packages_sqlsap_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp b/static/images/identitymanager/packages_sqlserver_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp
rename to static/images/identitymanager/packages_sqlserver_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp b/static/images/identitymanager/packages_sqlservermanagement_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp
rename to static/images/identitymanager/packages_sqlservermanagement_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp b/static/images/identitymanager/packages_tss_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp
rename to static/images/identitymanager/packages_tss_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp b/static/images/identitymanager/packages_workday_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp
rename to static/images/identitymanager/packages_workday_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp b/static/images/identitymanager/packages_workflow_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp
rename to static/images/identitymanager/packages_workflow_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp b/static/images/identitymanager/packages_workspace_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp
rename to static/images/identitymanager/packages_workspace_v603.webp
diff --git a/static/images/identitymanager/integration-guide/api/pagination/pagination.webp b/static/images/identitymanager/pagination.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/pagination/pagination.webp
rename to static/images/identitymanager/pagination.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp b/static/images/identitymanager/parameterizedrole_examplerole_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp
rename to static/images/identitymanager/parameterizedrole_examplerole_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp b/static/images/identitymanager/parameterizedrole_exampleroleparameter_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp
rename to static/images/identitymanager/parameterizedrole_exampleroleparameter_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp b/static/images/identitymanager/parameterizedrole_examplerolesuggestion_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp
rename to static/images/identitymanager/parameterizedrole_examplerolesuggestion_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp b/static/images/identitymanager/parameterizedrole_examplerule_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp
rename to static/images/identitymanager/parameterizedrole_examplerule_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp b/static/images/identitymanager/parameterizedroles_numerousroles.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp
rename to static/images/identitymanager/parameterizedroles_numerousroles.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp b/static/images/identitymanager/parameterizedroles_parameterexamplestep1_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp
rename to static/images/identitymanager/parameterizedroles_parameterexamplestep1_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp b/static/images/identitymanager/parameterizedroles_parameterexamplestep2_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp
rename to static/images/identitymanager/parameterizedroles_parameterexamplestep2_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp b/static/images/identitymanager/parameterizedroles_parameters.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp
rename to static/images/identitymanager/parameterizedroles_parameters.webp
diff --git a/static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp b/static/images/identitymanager/parameterizedroles_simplerole.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp
rename to static/images/identitymanager/parameterizedroles_simplerole.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp b/static/images/identitymanager/pointcut.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp
rename to static/images/identitymanager/pointcut.webp
diff --git a/static/images/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp b/static/images/identitymanager/policycreation_policies_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp
rename to static/images/identitymanager/policycreation_policies_v602.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp b/static/images/identitymanager/positionextension-identity.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp
rename to static/images/identitymanager/positionextension-identity.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp b/static/images/identitymanager/positionextension-result.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp
rename to static/images/identitymanager/positionextension-result.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp b/static/images/identitymanager/postman_accesstoken.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp
rename to static/images/identitymanager/postman_accesstoken.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp b/static/images/identitymanager/postman_accesstokenresult.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp
rename to static/images/identitymanager/postman_accesstokenresult.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp b/static/images/identitymanager/postman_authentication.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp
rename to static/images/identitymanager/postman_authentication.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp b/static/images/identitymanager/postman_authorization.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp
rename to static/images/identitymanager/postman_authorization.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp b/static/images/identitymanager/postman_authorizationcombined.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp
rename to static/images/identitymanager/postman_authorizationcombined.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp b/static/images/identitymanager/postman_gettokencombined.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp
rename to static/images/identitymanager/postman_gettokencombined.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp b/static/images/identitymanager/postman_newaccesstokencombined.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp
rename to static/images/identitymanager/postman_newaccesstokencombined.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp b/static/images/identitymanager/postman_newrequest.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp
rename to static/images/identitymanager/postman_newrequest.webp
diff --git a/static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp b/static/images/identitymanager/postman_requestfields.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp
rename to static/images/identitymanager/postman_requestfields.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp b/static/images/identitymanager/powerbi_clearcache.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp
rename to static/images/identitymanager/powerbi_clearcache.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp b/static/images/identitymanager/powerbi_clientid.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp
rename to static/images/identitymanager/powerbi_clientid.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp b/static/images/identitymanager/powerbi_getdata.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp
rename to static/images/identitymanager/powerbi_getdata.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp b/static/images/identitymanager/powerbi_getdatawindow.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp
rename to static/images/identitymanager/powerbi_getdatawindow.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp b/static/images/identitymanager/powerbi_process.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp
rename to static/images/identitymanager/powerbi_process.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp b/static/images/identitymanager/powerbi_universes.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp
rename to static/images/identitymanager/powerbi_universes.webp
diff --git a/static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp b/static/images/identitymanager/powerbi_url.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp
rename to static/images/identitymanager/powerbi_url.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp b/static/images/identitymanager/prodagent_directoryproperties1.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp
rename to static/images/identitymanager/prodagent_directoryproperties1.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp b/static/images/identitymanager/prodagent_directoryproperties2.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp
rename to static/images/identitymanager/prodagent_directoryproperties2.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp b/static/images/identitymanager/prodagent_directoryproperties3.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp
rename to static/images/identitymanager/prodagent_directoryproperties3.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp b/static/images/identitymanager/prodagent_directoryproperties4.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp
rename to static/images/identitymanager/prodagent_directoryproperties4.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp b/static/images/identitymanager/prodagent_foldersproperties1.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp
rename to static/images/identitymanager/prodagent_foldersproperties1.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp b/static/images/identitymanager/prodagent_foldersproperties2.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp
rename to static/images/identitymanager/prodagent_foldersproperties2.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp b/static/images/identitymanager/prodagent_iis1.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp
rename to static/images/identitymanager/prodagent_iis1.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp b/static/images/identitymanager/prodagent_iis2.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp
rename to static/images/identitymanager/prodagent_iis2.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp b/static/images/identitymanager/prodagent_iis3.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp
rename to static/images/identitymanager/prodagent_iis3.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp b/static/images/identitymanager/prodagent_iis4.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp
rename to static/images/identitymanager/prodagent_iis4.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp b/static/images/identitymanager/prodagent_iis5.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp
rename to static/images/identitymanager/prodagent_iis5.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp b/static/images/identitymanager/prodagent_servercertificate1.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp
rename to static/images/identitymanager/prodagent_servercertificate1.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp b/static/images/identitymanager/prodagent_servercertificate2.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp
rename to static/images/identitymanager/prodagent_servercertificate2.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp b/static/images/identitymanager/prodagent_servercertificate3.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp
rename to static/images/identitymanager/prodagent_servercertificate3.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp b/static/images/identitymanager/prodagent_servermanager1.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp
rename to static/images/identitymanager/prodagent_servermanager1.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp b/static/images/identitymanager/prodagent_servermanager2.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp
rename to static/images/identitymanager/prodagent_servermanager2.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp b/static/images/identitymanager/prodagent_servermanager3.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp
rename to static/images/identitymanager/prodagent_servermanager3.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp b/static/images/identitymanager/prodagent_servermanager4.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp
rename to static/images/identitymanager/prodagent_servermanager4.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp b/static/images/identitymanager/prodagent_servermanager5.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp
rename to static/images/identitymanager/prodagent_servermanager5.webp
diff --git a/static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp b/static/images/identitymanager/prodagent_servermanager6.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp
rename to static/images/identitymanager/prodagent_servermanager6.webp
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp b/static/images/identitymanager/profiles_creation_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp
rename to static/images/identitymanager/profiles_creation_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp b/static/images/identitymanager/profiles_example_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp
rename to static/images/identitymanager/profiles_example_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp b/static/images/identitymanager/profiles_schema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp
rename to static/images/identitymanager/profiles_schema.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp b/static/images/identitymanager/prov_stateschema_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp
rename to static/images/identitymanager/prov_stateschema_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp b/static/images/identitymanager/provauto_states_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp
rename to static/images/identitymanager/provauto_states_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp b/static/images/identitymanager/provmanual_bulk_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp
rename to static/images/identitymanager/provmanual_bulk_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp b/static/images/identitymanager/provmanual_createresource_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp
rename to static/images/identitymanager/provmanual_createresource_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp b/static/images/identitymanager/provmanual_editresource_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp
rename to static/images/identitymanager/provmanual_editresource_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg b/static/images/identitymanager/provmanual_iconapprove_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg
rename to static/images/identitymanager/provmanual_iconapprove_v602.svg
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg b/static/images/identitymanager/provmanual_icondecline_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg
rename to static/images/identitymanager/provmanual_icondecline_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg b/static/images/identitymanager/provmanual_iconedit_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg
rename to static/images/identitymanager/provmanual_iconedit_v602.svg
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg b/static/images/identitymanager/provmanual_iconpostpone_v522.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg
rename to static/images/identitymanager/provmanual_iconpostpone_v522.svg
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp b/static/images/identitymanager/provmanual_page_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp
rename to static/images/identitymanager/provmanual_page_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp b/static/images/identitymanager/provmanual_provreview_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp
rename to static/images/identitymanager/provmanual_provreview_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp b/static/images/identitymanager/provmanual_reviewaddition_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp
rename to static/images/identitymanager/provmanual_reviewaddition_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp b/static/images/identitymanager/provmanual_reviewassociation_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp
rename to static/images/identitymanager/provmanual_reviewassociation_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp b/static/images/identitymanager/provmanual_reviewdeletion_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp
rename to static/images/identitymanager/provmanual_reviewdeletion_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp b/static/images/identitymanager/provmanual_reviewedition_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp
rename to static/images/identitymanager/provmanual_reviewedition_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp b/static/images/identitymanager/provmanual_states_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp
rename to static/images/identitymanager/provmanual_states_v523.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp b/static/images/identitymanager/provreview_bulkunblock_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp
rename to static/images/identitymanager/provreview_bulkunblock_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp b/static/images/identitymanager/provreview_propertyview_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp
rename to static/images/identitymanager/provreview_propertyview_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp b/static/images/identitymanager/provreview_resourceview_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp
rename to static/images/identitymanager/provreview_resourceview_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp b/static/images/identitymanager/provreview_states_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp
rename to static/images/identitymanager/provreview_states_v523.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp b/static/images/identitymanager/provrules_entitytype_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp
rename to static/images/identitymanager/provrules_entitytype_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp b/static/images/identitymanager/provrules_examplenav_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp
rename to static/images/identitymanager/provrules_examplenav_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp b/static/images/identitymanager/provrules_examplequery_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp
rename to static/images/identitymanager/provrules_examplequery_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp b/static/images/identitymanager/provrules_examplequerybis_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp
rename to static/images/identitymanager/provrules_examplequerybis_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp b/static/images/identitymanager/provrules_examplescalar_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp
rename to static/images/identitymanager/provrules_examplescalar_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp b/static/images/identitymanager/provrules_exampletype_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp
rename to static/images/identitymanager/provrules_exampletype_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp b/static/images/identitymanager/provrules_queryrule_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp
rename to static/images/identitymanager/provrules_queryrule_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp b/static/images/identitymanager/provrules_queryrulefields_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp
rename to static/images/identitymanager/provrules_queryrulefields_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp b/static/images/identitymanager/provrules_scalarrule_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp
rename to static/images/identitymanager/provrules_scalarrule_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp b/static/images/identitymanager/provrules_scalarrulefields_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp
rename to static/images/identitymanager/provrules_scalarrulefields_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp b/static/images/identitymanager/provrules_schemanavigation.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp
rename to static/images/identitymanager/provrules_schemanavigation.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp b/static/images/identitymanager/provrules_schemascalar.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp
rename to static/images/identitymanager/provrules_schemascalar.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp b/static/images/identitymanager/provrules_typerule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp
rename to static/images/identitymanager/provrules_typerule_v602.webp
diff --git a/static/images/identitymanager/installation-guide/reverse-proxy/proxy_example.webp b/static/images/identitymanager/proxy_example.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/reverse-proxy/proxy_example.webp
rename to static/images/identitymanager/proxy_example.webp
diff --git a/static/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp b/static/images/identitymanager/proxy_purpose_encryption.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp
rename to static/images/identitymanager/proxy_purpose_encryption.webp
diff --git a/static/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp b/static/images/identitymanager/proxy_purpose_loadbalancing.webp
similarity index 100%
rename from static/images/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp
rename to static/images/identitymanager/proxy_purpose_loadbalancing.webp
diff --git a/static/images/identitymanager/introduction-guide/overview/identity-management/quadratic-linear-complexity.webp b/static/images/identitymanager/quadratic-linear-complexity.webp
similarity index 100%
rename from static/images/identitymanager/introduction-guide/overview/identity-management/quadratic-linear-complexity.webp
rename to static/images/identitymanager/quadratic-linear-complexity.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp b/static/images/identitymanager/recommendation.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp
rename to static/images/identitymanager/recommendation.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp b/static/images/identitymanager/recordsection-withvaluecopy-result1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp
rename to static/images/identitymanager/recordsection-withvaluecopy-result1.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp b/static/images/identitymanager/recordsection_extensionkind.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp
rename to static/images/identitymanager/recordsection_extensionkind.webp
diff --git a/static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp b/static/images/identitymanager/recordsorigin_contexts.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp
rename to static/images/identitymanager/recordsorigin_contexts.webp
diff --git a/static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp b/static/images/identitymanager/recordsorigin_firstmodel.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp
rename to static/images/identitymanager/recordsorigin_firstmodel.webp
diff --git a/static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp b/static/images/identitymanager/recordsorigin_thirdmodel.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp
rename to static/images/identitymanager/recordsorigin_thirdmodel.webp
diff --git a/static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp b/static/images/identitymanager/recordsorigin_timelines.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp
rename to static/images/identitymanager/recordsorigin_timelines.webp
diff --git a/static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp b/static/images/identitymanager/recordsorigin_userexample.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp
rename to static/images/identitymanager/recordsorigin_userexample.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp b/static/images/identitymanager/redundantassignments_buttons_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp
rename to static/images/identitymanager/redundantassignments_buttons_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp b/static/images/identitymanager/redundantassignments_examplewith.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp
rename to static/images/identitymanager/redundantassignments_examplewith.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp b/static/images/identitymanager/redundantassignments_examplewithout.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp
rename to static/images/identitymanager/redundantassignments_examplewithout.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp b/static/images/identitymanager/redundantassignments_reportexample_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp
rename to static/images/identitymanager/redundantassignments_reportexample_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp b/static/images/identitymanager/redundantassignments_reportexampleverif_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp
rename to static/images/identitymanager/redundantassignments_reportexampleverif_v602.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp b/static/images/identitymanager/references_connectors_activedirectory_01.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp
rename to static/images/identitymanager/references_connectors_activedirectory_01.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp b/static/images/identitymanager/references_connectors_activedirectory_02.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp
rename to static/images/identitymanager/references_connectors_activedirectory_02.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp b/static/images/identitymanager/references_connectors_activedirectory_03.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp
rename to static/images/identitymanager/references_connectors_activedirectory_03.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp b/static/images/identitymanager/references_connectors_activedirectory_04.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp
rename to static/images/identitymanager/references_connectors_activedirectory_04.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp b/static/images/identitymanager/references_connectors_activedirectory_05.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp
rename to static/images/identitymanager/references_connectors_activedirectory_05.webp
diff --git a/static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp b/static/images/identitymanager/reload_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp
rename to static/images/identitymanager/reload_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp b/static/images/identitymanager/reporting_fieldstodisplay_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp
rename to static/images/identitymanager/reporting_fieldstodisplay_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp b/static/images/identitymanager/reporting_filters_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp
rename to static/images/identitymanager/reporting_filters_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp b/static/images/identitymanager/reporting_predefinedreports_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp
rename to static/images/identitymanager/reporting_predefinedreports_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp b/static/images/identitymanager/reporting_querypage_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp
rename to static/images/identitymanager/reporting_querypage_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp b/static/images/identitymanager/resourcetype_newclassifrule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp
rename to static/images/identitymanager/resourcetype_newclassifrule_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp b/static/images/identitymanager/resourcetype_newclassifrulefields_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp
rename to static/images/identitymanager/resourcetype_newclassifrulefields_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp b/static/images/identitymanager/resourcetype_newcorrelrule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp
rename to static/images/identitymanager/resourcetype_newcorrelrule_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp b/static/images/identitymanager/resourcetype_newcorrelrulefields_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp
rename to static/images/identitymanager/resourcetype_newcorrelrulefields_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp b/static/images/identitymanager/resourcetype_newresourcet_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp
rename to static/images/identitymanager/resourcetype_newresourcet_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp b/static/images/identitymanager/resourcetype_test_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp
rename to static/images/identitymanager/resourcetype_test_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp b/static/images/identitymanager/reviewautomation_newrulefields_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp
rename to static/images/identitymanager/reviewautomation_newrulefields_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp b/static/images/identitymanager/reviewautomation_rulemessage_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp
rename to static/images/identitymanager/reviewautomation_rulemessage_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp b/static/images/identitymanager/reviewprop_example_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp
rename to static/images/identitymanager/reviewprop_example_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp b/static/images/identitymanager/reviewprop_unreconciled_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp
rename to static/images/identitymanager/reviewprop_unreconciled_v522.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp b/static/images/identitymanager/reviewrole_exampleresource_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp
rename to static/images/identitymanager/reviewrole_exampleresource_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp b/static/images/identitymanager/reviewrole_exampleresourceprop_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp
rename to static/images/identitymanager/reviewrole_exampleresourceprop_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp b/static/images/identitymanager/reviewrole_examplerole_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp
rename to static/images/identitymanager/reviewrole_examplerole_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg b/static/images/identitymanager/reviewrole_icondelete_v602.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg
rename to static/images/identitymanager/reviewrole_icondelete_v602.svg
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp b/static/images/identitymanager/reviewrole_rolereconciliation_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp
rename to static/images/identitymanager/reviewrole_rolereconciliation_v603.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp b/static/images/identitymanager/reviewrole_rolereconciliationbulk_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp
rename to static/images/identitymanager/reviewrole_rolereconciliationbulk_v603.webp
diff --git a/static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp b/static/images/identitymanager/riskmanagement_identifiedrisks_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp
rename to static/images/identitymanager/riskmanagement_identifiedrisks_v522.webp
diff --git a/static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp b/static/images/identitymanager/riskmanagement_newrisk_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp
rename to static/images/identitymanager/riskmanagement_newrisk_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp b/static/images/identitymanager/riskmanagement_newriskitem_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp
rename to static/images/identitymanager/riskmanagement_newriskitem_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp b/static/images/identitymanager/riskmanagement_workflowstate_v523.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp
rename to static/images/identitymanager/riskmanagement_workflowstate_v523.webp
diff --git a/static/images/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp b/static/images/identitymanager/risks_blocking_v522.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp
rename to static/images/identitymanager/risks_blocking_v522.webp
diff --git a/static/images/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp b/static/images/identitymanager/risks_requiredapproval_v522.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp
rename to static/images/identitymanager/risks_requiredapproval_v522.webp
diff --git a/static/images/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp b/static/images/identitymanager/risks_riskcomputetask_v522.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp
rename to static/images/identitymanager/risks_riskcomputetask_v522.webp
diff --git a/static/images/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg b/static/images/identitymanager/risks_riskicon_v522.svg
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg
rename to static/images/identitymanager/risks_riskicon_v522.svg
diff --git a/static/images/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp b/static/images/identitymanager/risks_warning_v522.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp
rename to static/images/identitymanager/risks_warning_v522.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp b/static/images/identitymanager/robotframeworkflaui_flauishowxpath.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp
rename to static/images/identitymanager/robotframeworkflaui_flauishowxpath.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp b/static/images/identitymanager/robotframeworkflaui_flauixpathexample.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp
rename to static/images/identitymanager/robotframeworkflaui_flauixpathexample.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp b/static/images/identitymanager/robotframeworkselenium_copyfullxpath.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp
rename to static/images/identitymanager/robotframeworkselenium_copyfullxpath.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp b/static/images/identitymanager/robotframeworkselenium_inspecttool.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp
rename to static/images/identitymanager/robotframeworkselenium_inspecttool.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp b/static/images/identitymanager/rolemining_impact_usecase1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp
rename to static/images/identitymanager/rolemining_impact_usecase1.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp b/static/images/identitymanager/rolemining_impact_usecase2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp
rename to static/images/identitymanager/rolemining_impact_usecase2.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp b/static/images/identitymanager/rolemining_impact_usecase3.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp
rename to static/images/identitymanager/rolemining_impact_usecase3.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp b/static/images/identitymanager/rolemining_impact_usecase4.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp
rename to static/images/identitymanager/rolemining_impact_usecase4.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp b/static/images/identitymanager/rolemining_impact_usecase5.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp
rename to static/images/identitymanager/rolemining_impact_usecase5.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp b/static/images/identitymanager/rolemining_launchjob_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp
rename to static/images/identitymanager/rolemining_launchjob_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp b/static/images/identitymanager/rolemining_miningrule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp
rename to static/images/identitymanager/rolemining_miningrule_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp b/static/images/identitymanager/rolemining_ruletype-sensitivity.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp
rename to static/images/identitymanager/rolemining_ruletype-sensitivity.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp b/static/images/identitymanager/rolemining_ruletype.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp
rename to static/images/identitymanager/rolemining_ruletype.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp b/static/images/identitymanager/rolemining_schema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp
rename to static/images/identitymanager/rolemining_schema.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_simulation.webp b/static/images/identitymanager/rolemining_simulation.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_simulation.webp
rename to static/images/identitymanager/rolemining_simulation.webp
diff --git a/static/images/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp b/static/images/identitymanager/rolemining_simulationresults.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp
rename to static/images/identitymanager/rolemining_simulationresults.webp
diff --git a/static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp b/static/images/identitymanager/rolemining_suggested_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp
rename to static/images/identitymanager/rolemining_suggested_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp b/static/images/identitymanager/roleofficers_newprofile_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp
rename to static/images/identitymanager/roleofficers_newprofile_v602.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp b/static/images/identitymanager/salesforce-advancesetup.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp
rename to static/images/identitymanager/salesforce-advancesetup.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp b/static/images/identitymanager/salesforce-agent-settings.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp
rename to static/images/identitymanager/salesforce-agent-settings.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp b/static/images/identitymanager/salesforce-checkemail.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp
rename to static/images/identitymanager/salesforce-checkemail.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp b/static/images/identitymanager/salesforce-connection.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp
rename to static/images/identitymanager/salesforce-connection.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp b/static/images/identitymanager/salesforce-connector.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp
rename to static/images/identitymanager/salesforce-connector.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp b/static/images/identitymanager/salesforce-consumerkey.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp
rename to static/images/identitymanager/salesforce-consumerkey.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp b/static/images/identitymanager/salesforce-enableoauth.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp
rename to static/images/identitymanager/salesforce-enableoauth.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp b/static/images/identitymanager/salesforce-manageconnectedapps.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp
rename to static/images/identitymanager/salesforce-manageconnectedapps.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp b/static/images/identitymanager/salesforce-manageconsumerdetails.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp
rename to static/images/identitymanager/salesforce-manageconsumerdetails.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp b/static/images/identitymanager/salesforce-newconnectedapp.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp
rename to static/images/identitymanager/salesforce-newconnectedapp.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp b/static/images/identitymanager/salesforce-resetseuritytoken.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp
rename to static/images/identitymanager/salesforce-resetseuritytoken.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp b/static/images/identitymanager/salesforce-usertoken-settings.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp
rename to static/images/identitymanager/salesforce-usertoken-settings.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_entity_type_5.1.6.webp b/static/images/identitymanager/scim_cyberark_export_display_entity_type_5.1.6.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_entity_type_5.1.6.webp
rename to static/images/identitymanager/scim_cyberark_export_display_entity_type_5.1.6.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_table_5.1.6.webp b/static/images/identitymanager/scim_cyberark_export_display_table_5.1.6.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_table_5.1.6.webp
rename to static/images/identitymanager/scim_cyberark_export_display_table_5.1.6.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_menu_item_5.1.6.webp b/static/images/identitymanager/scim_cyberark_export_menu_item_5.1.6.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_menu_item_5.1.6.webp
rename to static/images/identitymanager/scim_cyberark_export_menu_item_5.1.6.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp b/static/images/identitymanager/searchbarfilters.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp
rename to static/images/identitymanager/searchbarfilters.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp b/static/images/identitymanager/searchbarwithoutfilter.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp
rename to static/images/identitymanager/searchbarwithoutfilter.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp b/static/images/identitymanager/securedoptions_adexample_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp
rename to static/images/identitymanager/securedoptions_adexample_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp b/static/images/identitymanager/securedoptions_adexamplevisible_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp
rename to static/images/identitymanager/securedoptions_adexamplevisible_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp b/static/images/identitymanager/securedoptions_adlogin_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp
rename to static/images/identitymanager/securedoptions_adlogin_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp b/static/images/identitymanager/securedoptions_keyvalue_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp
rename to static/images/identitymanager/securedoptions_keyvalue_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp b/static/images/identitymanager/securedoptions_powershellexample_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp
rename to static/images/identitymanager/securedoptions_powershellexample_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp b/static/images/identitymanager/securedoptions_sqlexample1_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp
rename to static/images/identitymanager/securedoptions_sqlexample1_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp b/static/images/identitymanager/securedoptions_sqlexample2_v603.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp
rename to static/images/identitymanager/securedoptions_sqlexample2_v603.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp b/static/images/identitymanager/sharedfolder_permission.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp
rename to static/images/identitymanager/sharedfolder_permission.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_add_member.webp b/static/images/identitymanager/sharepoint_export_add_member.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_add_member.webp
rename to static/images/identitymanager/sharepoint_export_add_member.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_role_owner.webp b/static/images/identitymanager/sharepoint_export_role_owner.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_role_owner.webp
rename to static/images/identitymanager/sharepoint_export_role_owner.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp b/static/images/identitymanager/simple-recordsection-identity.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp
rename to static/images/identitymanager/simple-recordsection-identity.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp b/static/images/identitymanager/simple-recordsection-result.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp
rename to static/images/identitymanager/simple-recordsection-result.webp
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp b/static/images/identitymanager/simulation_cancel_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp
rename to static/images/identitymanager/simulation_cancel_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp b/static/images/identitymanager/simulation_decision_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp
rename to static/images/identitymanager/simulation_decision_v600.webp
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg b/static/images/identitymanager/simulation_icondelete_v600.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg
rename to static/images/identitymanager/simulation_icondelete_v600.svg
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg b/static/images/identitymanager/simulation_iconedit_v600.svg
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg
rename to static/images/identitymanager/simulation_iconedit_v600.svg
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp b/static/images/identitymanager/simulation_list_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp
rename to static/images/identitymanager/simulation_list_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp b/static/images/identitymanager/simulation_new_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp
rename to static/images/identitymanager/simulation_new_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp b/static/images/identitymanager/simulation_start_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp
rename to static/images/identitymanager/simulation_start_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp b/static/images/identitymanager/singlerolescatalog_createcategory_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp
rename to static/images/identitymanager/singlerolescatalog_createcategory_v602.webp
diff --git a/static/images/identitymanager/user-guide/optimize/composite-role-creation/singlerolescatalog_createcompositerole_v62.webp b/static/images/identitymanager/singlerolescatalog_createcompositerole_v62.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/optimize/composite-role-creation/singlerolescatalog_createcompositerole_v62.webp
rename to static/images/identitymanager/singlerolescatalog_createcompositerole_v62.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp b/static/images/identitymanager/singlerolescatalog_createnavrule_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp
rename to static/images/identitymanager/singlerolescatalog_createnavrule_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp b/static/images/identitymanager/singlerolescatalog_newcategory_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp
rename to static/images/identitymanager/singlerolescatalog_newcategory_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp b/static/images/identitymanager/singlerolescatalog_schemaapprovals.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp
rename to static/images/identitymanager/singlerolescatalog_schemaapprovals.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp b/static/images/identitymanager/singlerolescatalog_schemabottomup.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp
rename to static/images/identitymanager/singlerolescatalog_schemabottomup.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp b/static/images/identitymanager/singlerolescatalog_schemarole.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp
rename to static/images/identitymanager/singlerolescatalog_schemarole.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp b/static/images/identitymanager/singlerolescatalog_schemarolerule.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp
rename to static/images/identitymanager/singlerolescatalog_schemarolerule.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp b/static/images/identitymanager/singlerolescatalog_schemarolesidentities.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp
rename to static/images/identitymanager/singlerolescatalog_schemarolesidentities.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp b/static/images/identitymanager/singlerolescatalog_schematopdown.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp
rename to static/images/identitymanager/singlerolescatalog_schematopdown.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp b/static/images/identitymanager/singlerolescatalog_strategymono_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp
rename to static/images/identitymanager/singlerolescatalog_strategymono_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp b/static/images/identitymanager/singlerolescatalog_strategymulti_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp
rename to static/images/identitymanager/singlerolescatalog_strategymulti_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp b/static/images/identitymanager/singlerolescatalog_strategymultinoname_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp
rename to static/images/identitymanager/singlerolescatalog_strategymultinoname_v522.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp b/static/images/identitymanager/sql_downloadpackage.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp
rename to static/images/identitymanager/sql_downloadpackage.webp
diff --git a/static/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp b/static/images/identitymanager/sql_packagecharacteristics.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp
rename to static/images/identitymanager/sql_packagecharacteristics.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp b/static/images/identitymanager/srconf_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp
rename to static/images/identitymanager/srconf_5.2.1.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp b/static/images/identitymanager/srrule_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp
rename to static/images/identitymanager/srrule_5.2.1.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn.webp b/static/images/identitymanager/suggestallcorrelations-nnn.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn.webp
rename to static/images/identitymanager/suggestallcorrelations-nnn.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn2.webp b/static/images/identitymanager/suggestallcorrelations-nnn2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn2.webp
rename to static/images/identitymanager/suggestallcorrelations-nnn2.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nny.webp b/static/images/identitymanager/suggestallcorrelations-nny.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nny.webp
rename to static/images/identitymanager/suggestallcorrelations-nny.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyn.webp b/static/images/identitymanager/suggestallcorrelations-nyn.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyn.webp
rename to static/images/identitymanager/suggestallcorrelations-nyn.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyy.webp b/static/images/identitymanager/suggestallcorrelations-nyy.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyy.webp
rename to static/images/identitymanager/suggestallcorrelations-nyy.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn.webp b/static/images/identitymanager/suggestallcorrelations-ynn.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn.webp
rename to static/images/identitymanager/suggestallcorrelations-ynn.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn2.webp b/static/images/identitymanager/suggestallcorrelations-ynn2.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn2.webp
rename to static/images/identitymanager/suggestallcorrelations-ynn2.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yny.webp b/static/images/identitymanager/suggestallcorrelations-yny.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yny.webp
rename to static/images/identitymanager/suggestallcorrelations-yny.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yyny.webp b/static/images/identitymanager/suggestallcorrelations-yyny.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yyny.webp
rename to static/images/identitymanager/suggestallcorrelations-yyny.webp
diff --git a/static/images/identitymanager/integration-guide/api/swagger.webp b/static/images/identitymanager/swagger.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/api/swagger.webp
rename to static/images/identitymanager/swagger.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp b/static/images/identitymanager/synchro_dashboard_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp
rename to static/images/identitymanager/synchro_dashboard_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp b/static/images/identitymanager/synchro_edit_v600.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp
rename to static/images/identitymanager/synchro_edit_v600.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp b/static/images/identitymanager/synchro_examplesab2_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp
rename to static/images/identitymanager/synchro_examplesab2_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp b/static/images/identitymanager/synchro_examplesab3_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp
rename to static/images/identitymanager/synchro_examplesab3_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp b/static/images/identitymanager/synchro_examplesab_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp
rename to static/images/identitymanager/synchro_examplesab_v522.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp b/static/images/identitymanager/synchro_executionjobs-complete_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp
rename to static/images/identitymanager/synchro_executionjobs-complete_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp b/static/images/identitymanager/synchro_executionjobs_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp
rename to static/images/identitymanager/synchro_executionjobs_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp b/static/images/identitymanager/synchro_resourcetype_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp
rename to static/images/identitymanager/synchro_resourcetype_v602.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp b/static/images/identitymanager/synchro_results_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp
rename to static/images/identitymanager/synchro_results_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp b/static/images/identitymanager/synchro_schema.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp
rename to static/images/identitymanager/synchro_schema.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp b/static/images/identitymanager/synchro_threshold_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp
rename to static/images/identitymanager/synchro_threshold_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp b/static/images/identitymanager/synchro_thresholdlog_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp
rename to static/images/identitymanager/synchro_thresholdlog_v603.webp
diff --git a/static/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp b/static/images/identitymanager/synchro_thresholdresumed_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp
rename to static/images/identitymanager/synchro_thresholdresumed_v602.webp
diff --git a/static/images/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp b/static/images/identitymanager/tools_managehistory_schema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp
rename to static/images/identitymanager/tools_managehistory_schema.webp
diff --git a/static/images/identitymanager/integration-guide/network-configuration/tree-like-structure.webp b/static/images/identitymanager/tree-like-structure.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/network-configuration/tree-like-structure.webp
rename to static/images/identitymanager/tree-like-structure.webp
diff --git a/static/images/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp b/static/images/identitymanager/troubleshoot_synchroprovschema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp
rename to static/images/identitymanager/troubleshoot_synchroprovschema.webp
diff --git a/static/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp b/static/images/identitymanager/troubleshooting_connectorjobs_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp
rename to static/images/identitymanager/troubleshooting_connectorjobs_v603.webp
diff --git a/static/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp b/static/images/identitymanager/troubleshooting_helpdesk_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp
rename to static/images/identitymanager/troubleshooting_helpdesk_v603.webp
diff --git a/static/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp b/static/images/identitymanager/troubleshooting_userdata_v603.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp
rename to static/images/identitymanager/troubleshooting_userdata_v603.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp b/static/images/identitymanager/ui_displaypriorities_changeselection_v521beta.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp
rename to static/images/identitymanager/ui_displaypriorities_changeselection_v521beta.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp b/static/images/identitymanager/unauth_reviewunauthorized_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp
rename to static/images/identitymanager/unauth_reviewunauthorized_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp b/static/images/identitymanager/unauth_unauthorizedaccounts_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp
rename to static/images/identitymanager/unauth_unauthorizedaccounts_v602.webp
diff --git a/static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp b/static/images/identitymanager/unauth_updateprop_v522.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp
rename to static/images/identitymanager/unauth_updateprop_v522.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnamedisplayname.webp b/static/images/identitymanager/universe_columnnamedisplayname.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnamedisplayname.webp
rename to static/images/identitymanager/universe_columnnamedisplayname.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnameidentifier.webp b/static/images/identitymanager/universe_columnnameidentifier.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnameidentifier.webp
rename to static/images/identitymanager/universe_columnnameidentifier.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp b/static/images/identitymanager/universe_excluded.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp
rename to static/images/identitymanager/universe_excluded.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp b/static/images/identitymanager/universe_mixedexample.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp
rename to static/images/identitymanager/universe_mixedexample.webp
diff --git a/static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp b/static/images/identitymanager/universe_notemplateschema.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp
rename to static/images/identitymanager/universe_notemplateschema.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp b/static/images/identitymanager/use_case_1_deduction.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp
rename to static/images/identitymanager/use_case_1_deduction.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp b/static/images/identitymanager/use_case_1_rolemodel.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp
rename to static/images/identitymanager/use_case_1_rolemodel.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp b/static/images/identitymanager/use_case_1_sync.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp
rename to static/images/identitymanager/use_case_1_sync.webp
diff --git a/static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp b/static/images/identitymanager/validityperiod.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp
rename to static/images/identitymanager/validityperiod.webp
diff --git a/static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp b/static/images/identitymanager/viewpermissions_v602.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp
rename to static/images/identitymanager/viewpermissions_v602.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp b/static/images/identitymanager/viewpermissionsadvanced_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp
rename to static/images/identitymanager/viewpermissionsadvanced_5.2.1.webp
diff --git a/static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp b/static/images/identitymanager/viewpermissionssimplified_5.2.1.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp
rename to static/images/identitymanager/viewpermissionssimplified_5.2.1.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp b/static/images/identitymanager/workflowinentitylist.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp
rename to static/images/identitymanager/workflowinentitylist.webp
diff --git a/static/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp b/static/images/identitymanager/workflowinresourceview.webp
similarity index 100%
rename from static/images/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp
rename to static/images/identitymanager/workflowinresourceview.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp b/static/images/identitymanager/workflows_homonyms_v601.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp
rename to static/images/identitymanager/workflows_homonyms_v601.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp b/static/images/identitymanager/workflows_reviewpermissions_v601.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp
rename to static/images/identitymanager/workflows_reviewpermissions_v601.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp b/static/images/identitymanager/workflows_reviewsteps_v601.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp
rename to static/images/identitymanager/workflows_reviewsteps_v601.webp
diff --git a/static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp b/static/images/identitymanager/workflows_verifyhomonyms_v601.webp
similarity index 100%
rename from static/images/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp
rename to static/images/identitymanager/workflows_verifyhomonyms_v601.webp