Product Overview Guide

Transcription

1 IBM Security Identity Manager Version 6.0 Product Oeriew Guide GC

2

3 IBM Security Identity Manager Version 6.0 Product Oeriew Guide GC

4 Note Before using this information and the product it supports, read the information in Notices on page 69. Edition notice Note: This edition applies to ersion 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright IBM Corporation US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Table of contents Table list About this publication ii Access to publications and terminology..... ii Accessibility iii Technical training iii Support information iii Chapter 1. How to obtain software images Chapter 2. Hardware and software requirements Hardware requirements Operating system support Virtualization support Jaa Runtime Enironment support WebSphere Application Serer support Database serer support Directory serer support Directory Integrator support Report serer support Browser requirements for client connections Adapter leel support Chapter 3. What's new in this release 11 Account ownership type Shared access module Role management Extended role attributes Role assignment attributes Serice management and proisioning Serice leel form Serice connection mode Serice status and failure retry Serice tagging Account and access management Multiple leel access types Account search in the self serice console Authentication with an external user registry configured with WebSphere Vertical cluster support Application programming interfaces Web Serices API Extensions to the Recertification Policy API Enhanced logging APIs for use in custom JaaScript Report data synchronization enhancements Health monitoring Chapter 4. Known limitations, problems, and workarounds Chapter 5. Features oeriew Access management Shared access Shared access documentation Roadmap for configuring shared access for a managed resource Support for corporate regulatory compliance Identity goernance Dual user interface Administratie console user interface Self-care user interface Recertification Reporting Static and dynamic roles Self-access management Proisioning features Resource proisioning Request-based access to resources Roles and access control A hybrid proisioning model Chapter 6. Technical oeriew Users, authorization, and resources Main components People oeriew Users Identities Accounts Access Passwords Resources oeriew Serices Adapters Adapter communication with managed resources 56 System security oeriew Security model characteristics Business requirements Resource access from a user's perspectie Organization tree oeriew Nodes in an organization tree Entity types associated with a business unit.. 61 Entity searches of the organization tree Policies oeriew Workflow oeriew Chapter 7. Initial login and password information Notices Index Copyright IBM Corp iii

6 i IBM Security Identity Manager Version 6.0: Product Oeriew Guide

7 Table list 1. Hardware requirements for IBM Security Identity Manager Operating system support Virtualization support Database serer support Directory serer support Supported ersions of IBM Tioli Directory Integrator Prerequisites to run the UNIX and Linux adapter More information on role assignment attributes Shared access features Installation and upgrade System configuration Shared access administration Data references Shared access troubleshooting Shared access application programming interfaces Shared access for users Configuring managed resources that are supported by the IBM Security Identity Manager adapter Configuring managed resources that are not supported by the IBM Security Identity Manager adapter Defining roles and proisioning policies to grant ownership of sponsored accounts Configuring shared access for the new managed resource Summary of reports Policy types and naigation Initial user ID and password for IBM Security Identity Manager Copyright IBM Corp. 2012

8 i IBM Security Identity Manager Version 6.0: Product Oeriew Guide

9 About this publication IBM Security Identity Manager Product Oeriew Guide proides the general information about IBM Security Identity Manager. It includes the information about: The product release, such as new or deprecated product features and functions The open standards, technologies, and architecture on which the product is based The user model and roles underlying the product features The graphical interfaces and tools proided to support arious user roles Access to publications and terminology This section proides: A list of publications in the IBM Security Identity Manager library. Links to Online publications. A link to the IBM Terminology website on page iii. IBM Security Identity Manager library The following documents are aailable in the IBM Security Identity Manager library: IBM Security Identity Manager Quick Start Guide, CF3L2ML IBM Security Identity Manager Product Oeriew Guide, GC IBM Security Identity Manager Scenarios Guide, SC IBM Security Identity Manager Planning Guide, GC IBM Security Identity Manager Installation Guide, GC IBM Security Identity Manager Configuration Guide, SC IBM Security Identity Manager Security Guide, SC IBM Security Identity Manager Administration Guide, SC IBM Security Identity Manager Troubleshooting Guide, GC IBM Security Identity Manager Error Message Reference, GC IBM Security Identity Manager Reference Guide, SC IBM Security Identity Manager Database and Directory Serer Schema Reference, SC IBM Security Identity Manager Glossary, SC Online publications IBM posts product publications when the product is released and when the publications are updated at the following locations: IBM Security Identity Manager Information Center The com.ibm.isim.doc_6.0/ic-homepage.htm site displays the information center welcome page for this product. Copyright IBM Corp ii

10 IBM Security Information Center The site displays an alphabetical list of and general information about all IBM Security product documentation. IBM Publications Center The pbi.wss site offers customized search functions to help you find all the IBM publications you need. IBM Terminology website The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at software/globalization/terminology. Accessibility Technical training Support information Accessibility features help users with a physical disability, such as restricted mobility or limited ision, to use software products successfully. With this product, you can use assistie technologies to hear and naigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. For additional information, see the topic "Accessibility features for IBM Security Identity Manager" in the IBM Security Identity Manager Reference Guide. For technical training information, see the following IBM Education website at IBM Support proides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at IBM Security Identity Manager Troubleshooting Guide proides details about: What information to collect before contacting IBM Support. The arious methods for contacting IBM Support. How to use IBM Support Assistant. Instructions and problem-determination resources to isolate and fix the problem yourself. Note: The Community and Support tab on the product information center can proide additional support resources. iii IBM Security Identity Manager Version 6.0: Product Oeriew Guide

11 Chapter 1. How to obtain software images IBM Security Identity Manager installation files and fix packs can be obtained with the IBM Passport Adantage website, or from a DVD distribution. The Passport Adantage website proides packages, called eassemblies, for IBM products. To obtain eassemblies for IBM Security Identity Manager, follow the instructions in the IBM Security Identity Manager Download Document. The IBM Security Identity Manager Installation Guide proides full instructions for installing IBM Security Identity Manager and the prerequisite middleware products. The procedure that is appropriate for your organization depends on the following conditions: Operating system used by IBM Security Identity Manager Language requirements for using the product Type of installation you need to do: eassembly for the product and all prerequisites The IBM Security Identity Manager installation program enables you to install IBM Security Identity Manager, prerequisite products, and required fix packs as described in the IBM Security Identity Manager Installation Guide. Use this type of installation if your organization does not currently use one or more of the products required by IBM Security Identity Manager. eassembly for a manual installation You can install IBM Security Identity Manager separately from the prerequisites, and you can install separately any of the prerequisite products that are not installed. In addition, you must erify that each prerequisite product is operating at the required fix or patch leel. Copyright IBM Corp

12 2 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

13 Chapter 2. Hardware and software requirements Hardware requirements IBM Security Identity Manager has specific hardware requirements and supports specific ersions of operating systems, middleware, and browsers. The topics in this section list the hardware requirements and the supported ersions for each of the software products. The information lists the supported ersions when the product release was released. Note: Support for prerequisite software is continuously updated. To reiew the latest updates to this information, see dociew.wss?uid=swg IBM Security Identity Manager has these hardware requirements: Table 1. Hardware requirements for IBM Security Identity Manager System components Minimum alues* Recommended alues** System memory (RAM) 2 gigabytes 4 gigabytes Processor speed Single 2.0 gigahertz Intel or pseries processor Dual 3.2 gigahertz Intel or pseries processors Disk space for product and prerequisite products 20 gigabytes 25 gigabytes * Minimum alues: These alues enable a basic use of IBM Security Identity Manager. ** Recommended alues: You might need to use larger alues that are appropriate for your production enironment. Operating system support IBM Security Identity Manager supports multiple operating systems. The IBM Security Identity Manager installation program checks to ensure that specific operating systems and leels are present before starting the installation process. Table 2. Operating system support Operating system Platform Patch or maintenance leel AIX Version 6.1 and AIX System p None Version 7.1 Oracle Solaris 10 SPARC None Windows Serer 2008 Standard x86-32, x86-64 None Edition and Enterprise Edition Windows Serer 2008 Release 2 Standard Edition and Enterprise Edition x86-64 None Copyright IBM Corp

14 Table 2. Operating system support (continued) Operating system Platform Patch or maintenance leel Red Hat Linux Enterprise 5.0, Red Hat Linux Enterprise 6.0 SUSE Linux Enterprise Serer 10.0, SUSE Linux Enterprise Serer 11.0 System z, System p, x86-32, x86-64 System z, System p, x86-32, x86-64 For 5.0, Update 1 through Update 5. For both 5.0 and 6.0, Security Enhanced Linux must be disabled. See the topic "Red Hat Linux Serer Configuration" in the IBM Security Identity Manager Installation Guide. None Virtualization support IBM Security Identity Manager supports irtualization enironments. See Table 3 for a list of the irtualization products that IBM Security Identity Manager supports at the time of product release. Table 3. Virtualization support Product IBM AIX Workload Partitioning (WPAR) and Logical Partitioning (LPAR) 6.1 and 7.1 and future fix packs IBM PowerVM Hyperisor (LPAR, DPAR, Micro-Partition), any supported ersion and future fix packs IBM PR/SM, any ersion, and future fix packs IBM z/vm Hyperisor 5.4 and any future fix packs IBM z/vm Hyperisor 6.1 and any future fix packs KVM in SUSE Linux Enterprise Serer (SLES) 11 Red Hat KVM as deliered with Red Hat Enterprise Linux (RHEL) 5.4 and future fix packs Red Hat KVM as deliered with Red Hat Enterprise Linux (RHEL) 6.0 and future fix packs Sun Solaris 10 Global/Local Zones (SPARC) 10 and future fix packs Sun/Oracle Logical Domains (LDoms) any ersion and future fix packs VMware ESXi 4.0 and future fix packs VMware ESXi 5.0 and future fix packs Applicable operating systems All supported operating system ersions automatically applied AIX All supported operating system ersions automatically applied All supported operating system ersions automatically applied Linux All supported operating system ersions automatically applied Linux, Windows All supported operating system ersions automatically applied All supported operating system ersions automatically applied Solaris All supported operating system ersions automatically applied All supported operating system ersions automatically applied 4 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

15 Jaa Runtime Enironment support IBM Security Identity Manager requires Jaa Runtime Enironment (JRE) ersion 1.6 SR10 Fix Pack 1. This ersion is installed in the WAS_HOME/jaa directory when WebSphere Application Serer ersion 7.0 Fix Pack 23 is installed. Use of an independently installed deelopment kit for Jaa, from IBM or other endors, is not supported. The Jaa Runtime Enironment requirements for using a browser to create a client connection to the IBM Security Identity Manager serer are different than the JRE requirements for running the WebSphere Application Serer. WebSphere Application Serer support Database serer support IBM Security Identity Manager runs as an enterprise application in a WebSphere Application Serer enironment. IBM Security Identity Manager requires: WebSphere Application Serer, Version 7.0 WebSphere Fix Pack 23 for WebSphere Application Serer, Version 7.0, and SDK WebSphere interim fix PM64800 WebSphere interim fix PM66514 WebSphere interim fix WS-WAS-IFPM71296 Note: You must apply Fix Pack 23 before applying the interim fixes. WebSphere supports each of the operating systems that IBM Security Identity Manager supports. Reiew the WebSphere website for WebSphere requirements for each operating system: &uid=swg IBM Security Identity Manager supports multiple database serer products. Table 4. Database serer support Database serer Fix pack Notes IBM DB2 Enterprise Version 9.5 Fix Pack 3b IBM DB2 Enterprise 9.5 is not supported on Linux 32 bit operating systems or on any Linux operating systems on pseries hardware. IBM DB2 9.5 WorkGroup Edition is bundled for Linux 32 bit operating systems. IBM DB2 Enterprise Version 9.7 Fix Pack 4 On Linux, DB2 9.7 Enterprise Serer Edition is only supported on 64 bit architectures. See support/dociew.wss?uid=swg IBM DB2 9.7 Workgroup Edition is required on Linux 32 bit operating systems. IBM Tioli Directory Serer requires Fix Pack 2 Red Hat Linux 6.0 requires Fix Pack 4 Chapter 2. Hardware and software requirements 5

16 Table 4. Database serer support (continued) Database serer Fix pack Notes Microsoft SQL Serer 2008, Enterprise Edition Microsoft SQL Serer 2008, R2 Oracle 10g Release 2 (Version ) and Oracle 11g Release 2 none WebSphere Application Serer supports Microsoft SQL Serer 2008, Enterprise Edition IBM Security Identity Manager must be running on a supported Windows operating system if Microsoft SQL Serer is used for the IBM Security Identity Manager database. For information on JDBC drier support with Microsoft SQL Serer 2008, see support/dociew.wss?uid=swg none The Oracle database drier is required for both Oracle 10gR2 and Oracle 11g databases. Oracle 11g ersion supports Windows Serer and 64 bit operating systems. Support is aailable for Oracle11gR2 with Oracle11gR1 ojdbc5 drier only. Directory serer support IBM Security Identity Manager supports multiple directory serers. Table 5. Directory serer support Directory serer IBM Tioli Directory Serer, Version 6.2 IBM Tioli Directory Serer, Version 6.3 Sun Directory Serer Enterprise Edition Oracle Directory Serer Enterprise Edition Fix packs FP1 none none none Notes IBM Tioli Directory Serer supports the operating system releases that IBM Security Identity Manager supports. See Oracle documentation to erify operating system support. Directory Integrator support IBM Security Identity Manager supports IBM Tioli Directory Integrator. You can optionally install IBM Tioli Directory Integrator for use with IBM Security Identity Manager. IBM Tioli Directory Integrator is used to enable communication between the installed agentless adapters and IBM Security Identity Manager. See the IBM Security Identity Manager Installation Guide. Table 6. Supported ersions of IBM Tioli Directory Integrator Release Fix pack IBM Tioli Directory Integrator, Version 7.1 Fix Pack 5 IBM Tioli Directory Integrator, Version Fix Pack 1 and Limited Aailability Fix TIV-TDI-LA IBM Security Identity Manager Version 6.0: Product Oeriew Guide

17 Report serer support IBM Tioli Directory Integrator supports each of the operating system ersions that IBM Security Identity Manager supports. IBM Security Identity Manager supports IBM Tioli Common Reporting Version The following fix packs and ifixes are required. Install the fixes in the following order: 1. IBM Tioli Common Reporting, Version 2.1.1, interim fix 2 2. IBM Tioli Common Reporting, Version 2.1.1, interim fix 5 3. IBM Tioli Integrated Portal Fix Pack IBM Tioli Common Reporting, Version 2.1.1, interim fix 6 To obtain fixes: Download the latest fixes for IBM Tioli Common Reporting Serer from the Fix Central website at Obtain and install the IBM Tioli Integrated Portal Fix Pack before installing IBM Tioli Common Reporting, Version 2.1.1, interim fix 6. For instructions on how to obtain IBM Tioli Integrated Portal Fix Pack , see the IBM deeloperworks topic: Tioli Common Reporting Interim Fix 6. Browser requirements for client connections IBM Security Identity Manager has browser requirements for client connections. IBM Security Identity Manager supports the following browser ersions: Microsoft Internet Explorer 8.0 Microsoft Internet Explorer 9.0 Mozilla Firefox 3.6 (supported on AIX only) Note: Firefox 3.6 requires the Next-Generation Jaa plug-in, which is included in Jaa 6 Update 10 and newer. Mozilla Firefox 10 Extended Support Release (not supported on AIX) IBM Security Identity Manager software distribution does not include the supported browsers. TheIBM Security Identity Manager administratie user interface uses applets that require a Jaa plug-in proided by Sun Microsystems JRE Version 1.6 or higher. When the browser requests a page that contains an applet, it attempts to load the applet with the Jaa plug-in. If the required JRE is not present on the system, the browser prompts the user for the correct Jaa plug-in, or fails to complete the presentation of the items in the window. The IBM Security Identity Manager user interface is displayed correctly for all pages that do not contain a Jaa applet, regardless of JRE installation. You must enable cookies in the browser in order to establish a session with IBM Security Identity Manager. Do not start two or more separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with the data. Chapter 2. Hardware and software requirements 7

18 Adapter leel support The IBM Security Identity Manager installation program always installs a number of adapter profiles. The installation program installs these profiles: AIX profile (UNIX and Linux adapter) Solaris profile (UNIX and Linux adapter) HP-UX profile (UNIX and Linux adapter) Linux profile (UNIX and Linux adapter) LDAP profiles (LDAP adapter) The IBM Security Identity Manager installation program optionally installs the IBM Security Identity Manager LDAP adapter and IBM Security Identity Manager UNIX and Linux adapter. Newer ersions of the adapters might be aailable as separate download. Install the latest ersions before you use the adapters. You must take additional steps to install adapters if you choose not to install them during the IBM Security Identity Manager installation. The following table lists the UNIX and Linux systems and ersions that are supported by the UNIX and Linux adapter. Table 7. Prerequisites to run the UNIX and Linux adapter Operating system Version AIX AIX 6.1, AIX 7.1 HP-UX HP-UX 11i1, HP-UX 11i1 trusted, HP-UX 11i2, HP-UX 11i2 trusted, HP-UX 11i3, HP-UX 11i3 trusted Red Hat Linux Red Hat Enterprise Linux Enterprise Serer 6.0, Red Hat Enterprise Linux Enterprise Serer 6.1, Red Hat Enterprise Linux Enterprise Serer 6.2 Oracle Solaris Oracle Solaris 10 SUSE Linux SLES 10.0, SLES 11.0 The following directory serer ersions that are supported by the LDAP adapter: IBM Tioli Directory Serer 6.1, IBM Tioli Directory Serer 6.2, IBM Tioli Directory Serer 6.3 Sun Directory Serer Enterprise Edition 6.3, Sun Directory Serer Enterprise Edition The LDAP adapter supports an LDAP directory that uses the RFC 2798 scheme. This scheme supports communication between the IBM Security Identity Manager and systems that run IBM Tioli Directory Serer or Sun Directory Serer Enterprise Edition. The IBM Security Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter. Adapters are aailable at the following IBM Passport Adantage website: passporthome 8 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

19 Installation and configuration guides for adapters can be found at the IBM Security Identity Manager information center website. Chapter 2. Hardware and software requirements 9

20 10 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

21 Chapter 3. What's new in this release Account ownership type Shared access module IBM Security Identity Manager Version 6.0 proides new infrastructure, processes and controls to support priileged identity management. In addition, it proides enhanced support for operational role management and integration with other identity and access management solutions. See the topics in this chapter for detailed descriptions of new features and function. New account ownership types separate personal accounts from custodial accounts. Accounts that represent a user identity for personal use are indiidual accounts. All other accounts are sponsored accounts. Examples of sponsored accounts include the root account on a UNIX system, application accounts, and deice accounts. The owner of a sponsored account typically configures the account and completes maintenance tasks such as password reset. Password synchronization applies only to indiidual accounts. Account entitlements in a proisioning policy are specified differently for each account type. The type of ownership affects the password management process and proisioning policy ealuation. For example, password synchronization synchronizes passwords only for accounts of ownership type "Indiidual". For proisioning policies, entitlement to a particular serice can be based on the specific ownership type on the serice. You can filter accounts by ownership type when doing account management tasks. You can specify the ownership type when completing account request and account adoption tasks. See "Ownership type management" in the IBM Security Identity Manager Configuration Guide. IBM Security Identity Manager proides a new shared access module that extends the identity and access management goernance capabilities by supporting priileged identity management. The shared access module is used by a new IBM product called IBM Security Priileged Identity Manager. When you purchase IBM Security Priileged Identity Manager, you obtain a license to use the IBM Security Identity Manager shared access module. You can then install the optional shared access module component as part of the IBM Security Identity Manager installation. The shared access module proides the following support for priileged identity management: Copyright IBM Corp

22 Role management Centralized management, secure access, and storage of priileged shared account identities. Also, new administratie features support role-based access control for shared accounts. Account ownership types that distinguish between indiidually owned accounts and different types of sponsored accounts. You can manage accounts, passwords, and entitlements according to ownership types. Lifecycle management of shared accounts. This management includes role-based access request, and approal and alidation of priileged access for shared identities. Auditing of shared account actiity to monitor accountability and compliance. Single sign-on with automated checkin and checkout of shared and priileged IDs. Automation of checkout and checkin is achieed when IBM Security Identity Manager is deployed as part of the IBM Security Priileged Identity Manager product solution. For more information, see: Shared access on page 24 IBM Security Priileged Identity Manager Information Center. Role management now includes management of extended role attributes and role assignment attributes. Extended role attributes The IBM Security Identity Manager administrator can define, set, and modify extended role attributes when creating or modifying a role. These actions are achieed by using a new form template introduced in the form designer for role customization. Both static and dynamic roles support extended role attributes. Note: Before you can use extended role attributes, you must first set the extended role attributes in LDAP by extending the role definition schema. After you add the extended role attributes in LDAP, use the form designer to customize and sae form templates for roles in the IBM Security Identity Manager administratie console. For more information about extended role attributes, see IBM Security Identity Manager Technotes. Role assignment attributes The role administration component is enhanced to include the ability to define role assignment attributes, which are associated with the person-role relationship. Only static roles support assignment attributes. Only the string type and text widget of assignment attributes are supported. Optional role assignment attributes tasks include: Defining role assignment attributes when creating or modifying a static role. Associating a custom label with each assignment attribute. Specifying assignment attribute alues when adding user members to the role. Specifying assignment attribute alues to the existing user members of the role. 12 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

23 ACI capabilities for role assignment attributes Both the default and new ACIs supports attribute-leel permissions for role assignment attributes like other attributes in the role definition. You can now modify or create ACIs. You can set attribute-leel permissions for granting or denying usage of these role assignment attributes within the role definition. Only authorized users can read or write assignment attributes. Additionally, you can: Set ACIs to read or write assignment attribute alues when adding a user to the role. Set assignment attribute alues to the existing user members. ACI works the same way as it does for other entities. There is not ACI on specific role assignment attributes. The following attributes are aailable: erroleassignmentkey is on the role that dictates the permission to define role assignment attributes on the role and an attribute. erroleassignments is on the person that dictates the permission to assign alues for the assignment attributes. You cannot define ACI on the assignment attribute that you defined on the role. JaaScript capabilities for role assignment attributes You can access these capabilities for role assignment attributes within the JaaScript interface: The role assignment attributes of the role schema. The role assignment attributes and their alues for users in role membership. New JaaScript APIs include: Person Role RoleAssignmentAttribute RoleAssignmentObject For more information, see the reference pages in the IBM Security Identity Manager Reference Guide. Role assignment attributes and the self-serice console For more information about adding or modifying role assignment attributes for a user profile in the self-serice console, see the IBM Security Identity Manager Technotes. Additional information For more information on role assignment attributes, see the following topics: Table 8. More information on role assignment attributes Topic title Role assignment attributes Role assignment attribute tables IBM Security Identity Manager documentation Administration Guide Database and Directory Serer Schema Reference Chapter 3. What's new in this release 13

24 Table 8. More information on role assignment attributes (continued) Topic title Person Role RoleAssignmentAttribute RoleAssignmentObject IBM Security Identity Manager documentation Reference Guide Serice management and proisioning Serice management and proisioning now supports a new account form, an adanced connection mode, new serice status information, and serice tagging. See: Serice leel form Serice connection mode Serice status and failure retry on page 15 Serice tagging on page 15 Serice leel form You can specify different account forms for each serice instance of a particular serice type. You can define an account form for a serice in the console. For example, you can customize the form for the account type, such as Windows Local Account Form. This feature can specify different account forms for each serice instance of a particular serice type. This feature remoes the restriction of needing to use the same form for eery serice instance of a particular type. You can use your new form to request a new account or modify an existing account. You can also use your new form for proisioning policy parameters. If you hae an account form customized for a serice, and you select serice specific entitlements for that serice in the proisioning policy, the specific widget for that attribute that you customized is displayed. You can also use the new form for repeat account creation or modification in the administration console or the self serice console. See "Customizing account form templates for a serice instance" in the IBM Security Identity Manager Configuration Guide. Serice connection mode This release introduces a new serice form attribute for connection mode. Use this attribute to create a serice that can function like either an automated or a manual serice. You can now specify a serice connection mode of manual or automated. The connection mode setting dictates the IBM Security Identity Manager behaior for account management, and minimizes the configuration required for transition between different connection modes to end points. 14 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

25 The new attribute for connection mode is erconnectionmode. This attribute enables you to create a serice and to specify a manual account request route before installing the adapter for the managed resource. The adantage of using connection mode is that you do not need to create and later remoe a manual serice. After installing the adapter, you can change the serice so that the managed resource handles the account requests. Use the change serice task to change connection mode from manual to automatic. After changing the serice type to automatic, it is the default setting for any serices of that serice type. Connection mode is not supported on ITIM serice or any type of identity feed serice, hosted serice, or manual serice types. Do not add the erconnectionmode attribute to the forms for those serice types. See the following topics in the "Serices administration" chapter of the IBM Security Identity Manager Administration Guide: "Enabling connection mode" "Creating a serice that has manual connection mode" "Changing connection mode from manual to automatic" Serice status and failure retry The IBM Security Identity Manager administratie console is enhanced to display status information for each serice, to search for serices with a specific status, and to proide an option to retry blocked requests. The alues in the serice status reflect the ability of the IBM Security Identity Manager serer to contact the managed resource for the serice for proisioning actions. The user interface also allows searching for serices with a specific status alue. You can use the alue to locate serices that failed or are recoering from a failure. This release proides a new action, Retry Blocked Requests, that you can use to immediately restart the blocked requests from the Manage Serices panel. This action tests a serice to see whether the problem is corrected. If the test is successful, it restarts any blocked requests for a failed serice. For more information, see the topic "Serice status" in the IBM Security Identity Manager Administration Guide. Serice tagging You can define multiple tags for a serice in the serice form. You can use serice tags to fine-tune proisioning policy entitlement for a serice type. You can specify that entitlement is only applicable for serices with matching tags. On the administration console, you can trigger automated proisioning of new accounts and policy enforcements on all accounts of a serice. Use the Manage Serices console entry point, select Search, and then open the twistie for a serice and click Enforce Policy. See the topic "Serice tagging" in the "Serices administration" chapter of the IBM Security Identity Manager Administration Guide. Chapter 3. What's new in this release 15

26 Account and access management IBM Security Identity Manager extends account and access management to support multiple access leels, and to support account search in the self serice console. See: Multiple leel access types Account search in the self serice console Multiple leel access types IBM Security Identity Manager supports multiple leel of access types that simulate a hierarchical tree structure with a set of linked nodes. A hierarchy represents access leels. The access types are categorized in the form of parent-child access types. This structure aids in the administration of large deployments. An administrator can do these actions: Manage access types in a hierarchical tree structure. Search an access type by categories during an access request by using the tree structure. Specify an access type from any leel to associate with a group or role. Translate organizational access types into system-defined access types in a hierarchical tree structure. Categorize multiple access types in an organization for a particular access category. For example, access to all financial applications can be categorized under Application > Finance. A user can search, filter, or request for an access based upon the access types. See the topic Access type management in the IBM Security Identity Manager Configuration Guide, and the topic Creating an access type based on role in the IBM Security Identity Manager Administration Guide. Account search in the self serice console Account search function is now aailable in the self serice console You can now search accounts when using the following features in the self serice console: Viewing or changing accounts Deleting accounts Changing passwords You can base the account search on ownership type, account ID, serice type (account profile), serice (account type), or organizational container. Authentication with an external user registry configured with WebSphere The IBM Security Identity Manager authentication mechanism is integrated with the container-based security capabilities of WebSphere Application Serer. 16 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

27 Vertical cluster support IBM Security Identity Manager users can authenticate against a WebSphere Application Serer user registry, and then be mapped to an IBM Security Identity Manager user. The login support includes: Forgotten password, with challenge response Password expiration Account suspension with maximum logon attempts You can use an external user registry when doing an initial installation of IBM Security Identity Manager. Alternatiely, you can install IBM Security Identity Manager with the custom registry, and then later reconfigure to use an external user registry. Use of an external user registry requires configuration of the WebSphere security domain. IBM Security Identity Manager proides documentation of an example configuration of how to configure an external user registry. The example documentation is in the extensions directory in the product distribution. If you want to use an external user registry during an initial installation of IBM Security Identity Manager, you must do configuration steps before the installation. If you want to configure an external user registry after the IBM Security Identity Manager installation, you must finish the installation with the default custom user registry and then manually configure the external user registry. For more information, see the topic "Using an external user registry for authentication" in the IBM Security Identity Manager Security Guide. You can now install IBM Security Identity Manager in a WebSphere deployment that uses ertical clusters. A ertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. You can now install an IBM Security Identity Manager into both horizontal and ertical cluster topologies. For more information, see the following topics in the IBM Security Identity Manager Installation Guide: "Clustered configuration" "Creating the WebSphere clusters for the IBM Security Identity Manager application" Application programming interfaces IBM Security Identity Manager supports additional application programming interfaces. New additions include Web Serices API, new APIs to manage recertification policies, and new logging APIs for use in JaaScript. See: Web Serices API on page 18 Extensions to the Recertification Policy API on page 18 Chapter 3. What's new in this release 17

28 Enhanced logging APIs for use in custom JaaScript Web Serices API The IBM Security Identity Manager Web Serices wrappers proide a lightweight communication channel to the IBM Security Identity Manager serer. You can use the Web Serices API to add user functions into your custom built applications. The Web Serices client does not depend on installation of either IBM Security Identity Manager or WebSphere Application Serer. For more information, see the topic "Web Serices API" in the IBM Security Identity Manager Reference Guide. Extensions to the Recertification Policy API IBM Security Identity Manager uses recertification policies to automate the realidation of entitlements granted to a user. The introduction of new APIs proides capabilities to search, add, modify, delete, and run recertification policies in IBM Security Identity Manager from a remote application. The recertification policy API consists of a set of Jaa classes. The classes abstract the more commonly used concepts of the recertification policies, such as recertification policy targets, participants, recertification action, and policy schedules. For more information, see: "Recertification Policy API" in the IBM Security Identity Manager Reference Guide "Recertification policies" in the IBM Security Identity Manager Administration Guide Enhanced logging APIs for use in custom JaaScript The introduction of enhanced logging APIs proides new methods for use in custom JaaScript extensions. The new methods proide the following increased flexibility in IBM Security Identity Manager: Ability to selectiely log messages to the IBM Security Identity Manager trace log or message log. Ability to log message at specified seerity like ERROR, WARN, or INFO for msg.log, and DEBUG_MIN, DEBUG_MID, or DEBUG_MAX for trace.log. Allows runtime configuration of which messages are written to the log file by specifying the component-logging leel in the enrolelogging.properties file. Before the IBM Security Identity Manager Version 6.0 release, the logging option from JaaScript was only to write to the msg.log at ERROR leel. With the new logging APIs in Version 6.0, you can define custom-logging or tracing messages at different logging leels. You can also control the statements that are logged through runtime configuration. The log statements that are written to the log or trace files is controlled by configuring the logging leels in the enrolelogging.properties file. The logging leel configuration is the same as the 18 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

29 other IBM Security Identity Manager components. The component in the file is defined by the user in their log and trace methods. This configuration proides the following capabilities: Fine-grained control of custom-generated trace messages. Flexibility to indicate which custom JaaScript piece generated the log or trace message by iewing the component and method in the resulting log record. The new methods are on the Enrole JaaScript extension. For writing to the msg.log: loginfo(string component, String method, String message) logwarn(string component, String method, String message) logerror(string component, String method, String message) For writing to the trace.log: tracemax(string component, String method, String message) tracemid(string component, String method, String message) tracemin(string component, String method, String message) For more information, see the following topics in the IBM Security Identity Manager Reference Guide: "Enrole" "enrolelogging.properties" Report data synchronization enhancements Report data synchronization was redesigned to improe performance, and a new utility proides remote data synchronization capability. The report data synchronization enhancements are: Redesign to improe the performance of data synchronization of the following entity types: Accounts Authorization Owners Groups Organizational Containers People Roles Serices See the file ISIM_HOME/data/ReportDataSynchronization.properties for more details about the following properties: accountsynchronizationstrategy authorizationownersynchronizationstrategy groupsynchronizationstrategy organizationalcontainersynchronizationstrategy personsynchronizationstrategy rolesynchronizationstrategy sericesynchronizationstrategy IBM Security Identity Manager report data synchronization utility: A self contained utility that can be used to run the report data synchronization process outside of the IBM Security Identity Manager operational enironment. Chapter 3. What's new in this release 19

30 Health monitoring See the topic Data synchronization in the IBM Security Identity Manager Administration Guide. The IBM Security Identity Manager serer is enhanced to proide deployment health monitoring features. These features include monitoring of performance and aailability of arious requests in the key components. The proisioning and workflow components add instrumentation, which tracks eents in the WebSphere Performance Monitoring Infrastructure (PMI) system. Additionally, the serer includes new APIs to better integrate with monitoring products, such as IBM Tioli Monitoring. For more information, see the topic "IBM Security Identity Manager deployment health monitoring" in the IBM Security Identity Manager Performance Tuning Guide. 20 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

31 Chapter 4. Known limitations, problems, and workarounds You can iew the known software limitations, problems, and workarounds on the IBM Security Identity Manager Support site. The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discoered and resoled, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience. The following link launches a customized query of the lie Support knowledge base for items specific to ersion 6.0: IBM Security Identity Manager Version 6.0 technical notes To create your own query, go to the Adanced search page on the IBM Software Support website. Copyright IBM Corp

32 22 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

33 Chapter 5. Features oeriew Access management IBM Security Identity Manager deliers simplified identity management capabilities in a solution that is easy to install, deploy, and manage. IBM Security Identity Manager proides essential password management, user proisioning, and auditing capabilities. In a security lifecycle, IBM Security Identity Manager and seeral other products proide access management. You can determine who can enter your protected systems. You can also determine what can they access, and ensure that users access only what they need for their business tasks. Access management addresses three questions from the business point of iew: Who can come into my systems? What can they do? Can I easily proe what they did with that access? These products alidate the authenticity of all users with access to resources, and ensure that access controls are in place and consistently enforced: IBM Security Identity Manager Proides a secure, automated, and policy-based user management solution that helps effectiely manage user identities throughout their lifecycle across both legacy and e-business enironments. IBM Security Identity Manager proides centralized user access to disparate resources in an organization, with policies and features that streamline operations associated with user-resource access. As a result, your organization realizes numerous benefits, including: Web self-serice and password reset and synchronization; users can self-administer their passwords with the rules of a password management policy to control access to multiple applications. Password synchronization enables a user to use one password for all accounts that IBM Security Identity Manager manages. Quick response to audits and regulatory mandates Automation of business processes related to changes in user identities by proiding lifecycle management Centralized control and local autonomy Enhanced integration with the use of extensie APIs Choices to manage target systems either with an agent or agentless approach Reduced help desk costs Increased access security through the reduction of orphaned accounts Reduced administratie costs through the proisioning of users with software automation Reduced costs and delays associated with approing resource access to new and changed users IBM Security Access Manager Copyright IBM Corp

34 Enables your organization to use centralized security policies for specified user groups to manage access authorization throughout the network, including the ulnerable, internet-facing web serers. IBM Security Access Manager can be tightly coupled with IBM Security Identity Manager to reconcile user groups and accounts managed by IBM Security Access Manager with the identities managed by IBM Security Identity Manager to proide an integrated solution for resource access control. IBM Security Access Manager deliers: Unified authentication and authorization access to dierse web-based applications within the entire enterprise Flexible single sign-on to web, Microsoft, telnet and mainframe application enironments Rapid and scalable deployment of web applications, with standards-based support for Jaa 2 Enterprise Edition (J2EE) applications Design flexibility through a highly scalable proxy architecture and easy-to-install web serer plug-ins, rule- and role-based access control, support for leading user registries and platforms, and adanced APIs for customized security IBM Security Federated Identity Manager Handles all the configuration information for a federation across organizational boundaries, including the partner relationships, identity mapping, and identity token management. IBM Security Federated Identity Manager enables your organization to share serices with business partner organizations and obtain trusted information about third-party identities such as customers, suppliers, and client employees. You can obtain user information without creating, enrolling, or managing identity accounts with the organizations that proide access to serices that are used by your organization. So, users are spared from registering at a partner site, and from remembering additional logins and passwords. The result is improed integration and communication between your organization and your suppliers, business partners, and customers. For more information about how access management products fit in larger solutions for a security lifecycle, see the IBM Security Management website: IBM Redbooks and Redpapers also describe implementing IBM Security Identity Manager within a portfolio of IBM security products. Shared access IBM Security Identity Manager supports shared access by proiding a shared access module. Installation and use of the shared access module is required for the IBM priileged management solution. The shared access module is licensed as part of the IBM Security Priileged Identity Manager product. When you purchase IBM Security Priileged Identity Manager, you obtain a license that enables you to use the IBM Security Identity Manager shared access module. The shared access module extends the IBM Security Identity Manager support for account proisioning, and also extends the identity and goernance framework. Highlights: 24 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

35 Account proisioning framework proides centralized account and password management for priileged users. Shared access uses secure check in, check out, and logging of account credentials from a credential ault serer. Administratie control of shared credential access ensures indiidual accountability. Jaa APIs and Web Serices APIs make it possible for application clients to programmatically access shared credentials. There is role-based access control for shared credential access and shared account ownership. There is lifecycle management of priileged identities. These tasks include management of access requests; approal and realidation of account ownership, role-based access requests; and shared credential access. There is end-to-end auditing for administration and shared credential access actiities. There are web applications for shared credential administration and manual check out and check in. Shared access documentation The shared access documentation includes topics that describe installation, configuration, administration, and troubleshooting of the shared access module. The documentation also describes shared access programming APIs, database schema, directory serer schema, and user scenarios. Features Table 9. Shared access features Description Link to documentation Shared access module features Shared access on page 24 Roadmap for deploying shared access for a managed resource Priileged administrator iew and default access control items Priileged user iew and default access control items Roadmap for configuring shared access for a managed resource on page 28 See the topic "Scope of the priileged administrator group" in the IBM Security Identity Manager Planning Guide See the topic "Scope of the priileged user group" in the IBM Security Identity Manager Planning Guide Installation and upgrade Table 10. Installation and upgrade Description Installation of the shared access module Addition of the shared access module during an upgrade on a WebSphere single serer Addition of the shared access module during an upgrade on a WebSphere cluster See the following topics in the IBM Security Identity Manager Installation Guide "Shared access module configuration" "Configuring the shared access module during upgrade on a WebSphere single serer" "Configuring the shared access module during upgrade on a WebSphere cluster" Chapter 5. Features oeriew 25

36 Table 10. Installation and upgrade (continued) Description Update of the shared access module after reconfiguration of a database or directory serer See the following topics in the IBM Security Identity Manager Installation Guide "Reconfiguring the shared access module" System configuration Table 11. System configuration Description Shared access configuration, including configuration of an external credential ault serer Adanced shared access configuration, including customization of operations Shared access Tioli Common Reporting reports See the following topics in the IBM Security Identity Manager Configuration Guide "Shared access configuration" "Shared access adanced configuration" "Shared access audit history report" "Shared access entitlements by owner" "Shared access entitlements by role" Administration Table 12. Shared access administration Description Shared access administration Managing the credential ault. Includes adding, modifying, remoing, and checking in credentials. Also coers modifying credential settings, registering credential passwords, and iewing password history Creating, modifying, and deleting credential pools Creating, modifying, and deleting shared access policies Shared access bulk load Default access control items for Shared Access Module Reporting Shared access objects you can use to customize reports Examples: Creating custom report to iew all shared access credentials checked out Creating check in audit report Creating role and shared access entitlement report See the following topics in the IBM Security Identity Manager Administration Guide "Shared access administration" "Default access control items". "Shared Access objects for custom reports" 26 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

37 Data references Table 13. Data references Description Shared access database tables reference Shared access classes for IBM Tioli Directory Serer schema and class reference Auditing schema for shared access policy management See the following topics in the IBM Security Identity Manager Database and Directory Serer Schema Reference "Shared access tables" in the "Database tables reference" section "Shared access classes" in the "IBM Tioli Directory Serer schema and class reference" section In the "Auditing schema tables" section, see: "Shared Access Policy Management" "Credential Lease management" "Credential pool management" "Credential management" Troubleshooting Table 14. Shared access troubleshooting Description Troubleshooting Shared access configuration must be updated when LDAP schema or database tables are updated. Requests to add credentials to the credential ault can fail because of incorrectly configured properties files Incorrect configuration of credential attributes can preent users from accessing the shared credential. See the following topic: "Troubleshooting Shared Access Module problems" in the IBM Security Identity Manager Troubleshooting Guide Application programming interfaces Table 15. Shared access application programming interfaces Description Shared Access Application APIs Shared Access Web Serices APIs Shared Access Authorization Extension APIs Shared Access JaaScript APIs See the following topics in the IBM Security Identity Manager Reference Guide "Shared Access Application APIs" "Shared Access Web Serices APIs" "Shared Access Authorization Extension APIs" "CredentialModelExtension" Chapter 5. Features oeriew 27

38 User scenarios for shared access Table 16. Shared access for users Description User scenario for checking out a credential or credential pool User scenario for iewing the password of a shared credential Priileged user iew and default access control items See the following topics in the IBM Security Identity Manager Scenarios Guide "Checking out a credential or a credential pool" "Viewing the password for a shared credential" "Scope of the priileged user group" Roadmap for configuring shared access for a managed resource This roadmap proides high-leel steps for configuring shared access for a new managed resource in IBM Security Priileged Identity Manager. The IBM Security Priileged Identity Manager product solution includes the IBM Security Identity Manager shared access capability that is proided by the shared access module. IBM Security Priileged Identity Manager also includes the IBM Security Access Manager for Enterprise Single Sign-on support for automated checkout and checkin of shared credentials. This roadmap describes how to configure shared access in a deployment that also supports automated checkout and checkin of shared credentials. Prerequisites Requirement Install the Shared Access Module on the IBM Security Identity Manager serer. Install the AccessAgent component on client computers that require credential check in and check out automation. Installation instructions See the topic "Shared access module configuration" in the IBM Security Identity Manager Installation Guide. See the IBM Security Priileged Identity Manager Deployment Guide in the IBM Security Priileged Identity Manager Information Center Information Center. 28 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

39 Flowchart for configuring shared access for a managed resource Figure 1. Flowchart for configuring shared access for a managed resource Import or configure serice types in IBM Security Identity Manager for the managed resource For each resource type, you must configure the profile information in IBM Security Identity Manager either by importing the serice type or by creating the serice type for a manual serice. Chapter 5. Features oeriew 29

40 For information about importing serice types, see Importing serice types in the Configuration Guide in the IBM Security Identity Manager Information Center. For information about creating manual serice types, see Creating serice types in the Configuration Guide in the IBM Security Identity Manager Information Center. Customize the serice form template to include the unique identifier (eruri) field Add the unique identifier (eruri) field to the serice form template. For more information, see Customizing the serice form template to include the unique identifier (eruri) field in the IBM Security Identity Manager Administration Guide. Import or configure the application for IBM Security Access Manager for Enterprise Single Sign-on Perform these steps for each application that is supported in IBM Security Access Manager for Enterprise Single Sign-on. Step Prepare the priileged identity policies and AccessProfiles on the IMS Serer. See Preparing priileged identity policies and AccessProfiles on the IMS Serer in the IBM Security Priileged Identity Manager Deployment Guide in the IBM Security Priileged Identity Manager Information Center Configure the new managed resource in IBM Security Identity Manager Note: You must follow these steps eery time there is a new managed resource on your system. Is the new managed resource supported by the IBM Security Identity Manager adapter? See Yes Table 17 No Table 18 on page 31 Table 17. Configuring managed resources that are supported by the IBM Security Identity Manager adapter Steps See Install and configure the IBM Security Identity Manager adapter for the managed resource. Note: This step does not apply to agentless adapters. Create the IBM Security Identity Manager serice instance for the managed resource. Adapter documentation in the IBM Security Identity Manager Information Center Creating serices in the Administration Guide 30 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

41 Table 17. Configuring managed resources that are supported by the IBM Security Identity Manager adapter (continued) Steps See Set the serice unique identifier in the managed resource serice definition in IBM Security Identity Manager (using the administratie console) with the unique identifier that you use to connect to the managed resource on the AccessAgent. For example, the unique identifier might be an IP address or host name of the serer. Setting the serice unique identifier in the Administration Guide Table 18. Configuring managed resources that are not supported by the IBM Security Identity Manager adapter Steps See Create the IBM Security Identity Manager serice instance with the manual serice type. Set the serice unique identifier in the managed resource serice definition in IBM Security Identity Manager (using the administratie console) with the unique identifier that you use to connect to the managed resource on the AccessAgent. For example, the unique identifier might be an IP address or host name of the serer. Manual serices and serice types in the Configuration Guide Creating manual serices in the Administration Guide Setting the serice unique identifier in the Administration Guide Define roles and proisioning policies to grant ownership of sponsored accounts Perform these tasks in IBM Security Identity Manager. Table 19. Defining roles and proisioning policies to grant ownership of sponsored accounts Steps Reconcile groups and accounts. Define roles and proisioning policies to grant ownership of sponsored accounts. Identify or create groups for priileged access to managed resources. Proision or adopt priileged accounts to authorized owners. The account that is used for shared access must be a sponsored account. The ownership type for the account can be anything other than Indiidual. See the following topics in the Administration Guide Managing reconciliation schedules Creating a proisioning policy Creating roles Specifying owners of a role Creating groups Defining access on a group If an account does not exist on the serice, see Requesting accounts on a serice. If an account exists on the serice, see Assigning an account to a user. For general information about sponsored accounts, see Managing accounts. Chapter 5. Features oeriew 31

42 Configure shared access for the new managed resource Table 20. Configuring shared access for the new managed resource Steps Add the priileged accounts to be shared to the credential ault. Designate a sponsored account to be shared by storing its credentials (user ID and password) in a credential ault. Access to these credentials is goerned by a role-based shared access policy. Create the credential pools (typically based on groups of the serice). Use the credential pools to organize shared credentials that hae the same priileged access. Define roles and shared access policies to grant access to shared credentials. Shared access policies authorize role members to share credentials or credential pools. See the following topics in the Administration Guide Adding credentials to the ault Creating a credential pool Creating a shared access policy Support for corporate regulatory compliance IBM Security Identity Manager proides support for corporate regulatory compliance. Compliance areas IBM Security Identity Manager addresses corporate regulatory compliance in the following key areas: Proisioning and the approal workflow process Audit trail tracking Enhanced compliance status Password policy and password compliance Account and access proisioning authorization and enforcement Recertification policy and process Reports Proisioning and the approal workflow process IBM Security Identity Manager proides support for proisioning, for user accounts and for access to arious resources. Implemented within a suite of security products, IBM Security Identity Manager plays a key role to ensure that resources are proisioned only to authorized persons. IBM Security Identity Manager safeguards the accuracy and completeness of information processing methods and granting authorized users access to information and associated assets. IBM Security Identity Manager proides an integrated software solution for managing the proisioning of serices, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its proisioning features to control the setup and maintenance of user access to system and account creation on a managed resource. 32 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

43 At its highest leel, an identity management solution automates and centralizes the process of proisioning resources. The solution includes operating systems and applications, and people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the proisioning policies and procedures. Howeer, the organization tree used for proisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all leels can use standardized procedures for managing user credentials. Some leels of administration can be reduced or eliminated, depending on the breadth of the proisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among arious organizations. The approal process can be associated with different types of proisioning requests, including account and access proisioning requests. Lifecycle operations can also be customized to incorporate the approal process. Models for proisioning Depending on business needs, IBM Security Identity Manager proides alternaties to proision resources to authorized users on request-based, role-based, or hybrid models. Approal workflows Account and access request workflows are started during account and access proisioning. You typically use account and access request workflows to define approal workflows for account and access proisioning. Account request workflows proide a decision-based process to determine whether the entitlement proided by a proisioning policy is granted. The entitlement proided by a proisioning policy specifies the account request workflow that applies to the set of users in the proisioning policy membership. Multiple proisioning policies might apply to the same user for the same serice target. There might also be different account request workflows in each proisioning policy. The account request workflow for the user is based on the priority of the proisioning policy. If a proisioning policy has no associated workflow and the policy grants an account entitlement, the operations that are related to the request run immediately. For example, an operation might add an account. Howeer, if a proisioning policy has an associated workflow, that workflow runs before the policy grants the entitlement. If the workflow returns a result of Approed, the policy grants the entitlement. If the workflow has a result of Rejected, the entitlement is not granted. For example, a workflow might require a manager's approal. Until the approal is submitted and the workflow completes, the account is not proisioned. When you design a workflow, consider the intent of the proisioning policy and the purpose of the entitlement itself. Tracking IBM Security Identity Manager proides audit trail information about how and why a user has access. On a request basis, IBM Security Identity Manager proides a process to grant, modify, and remoe access to resources throughout a business. The process proides an effectie audit trail with automated reports. The steps inoled in the process, including approal and proisioning of accounts, are logged in the request audit trail. Corresponding audit eents are Chapter 5. Features oeriew 33

44 generated in the database for audit reports. User and Account lifecycle management eents, including account and access changes, recertification, and compliance iolation alerts, are also logged in the audit trail. Enhanced compliance status IBM Security Identity Manager proides enhanced compliance status on items such as dormant and orphan accounts, proisioning policy compliance status, recertification status, and arious reports. Dormant accounts. You can iew a list of dormant accounts with the Reports feature. IBM Security Identity Manager includes a dormant account attribute to serice types that you can use to find and manage unused accounts on serices. Orphan accounts. Accounts on the managed resource whose owner in the Security Identity Manager Serer cannot be determined are orphan accounts. These accounts are identified during reconciliation when the applicable adoption rule cannot successfully determine the owner of an account. Proisioning policy compliance status. The compliance status based on the specification of proisioning policy is aailable for accounts and access. An account can be either compliant, non-compliant with attribute alue iolations, or disallowed. An access is either compliant or disallowed. Recertification status. The recertification status is aailable for user, account, and access target types, which indicates whether the target type is certified, rejected, or neer certified. The timestamp of the recertification is also aailable. Password policy and password compliance Use IBM Security Identity Manager to create and manage password policies. password policy defines the password strength rules that are used to determine whether a new password is alid. A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be fie. The rule might specify that the maximum number of characters must be 10. The IBM Security Identity Manager administrator can also create new rules to be used in password policies. If password synchronization is enabled, the administrator must ensure that password policies do not hae any conflicting password strength rules. When password synchronization is enabled, IBM Security Identity Manager combines policies for all accounts that are owned by the user to determine the password to be used. If conflicts between password policies occur, the password might not be set. Proisioning policy and policy enforcement A proisioning policy grants access to many types of managed resources, such as IBM Security Identity Manager serer, Windows NT serers, and Solaris serers. Proisioning policy parameters help system administrators define the attribute alues that are required and the alues that are allowed. Policy enforcement is the manner in which IBM Security Identity Manager allows or disallows accounts that iolate proisioning policies. 34 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

45 You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute. Mark Sets a mark on an account that has a noncompliant attribute. Suspend Suspends an account that has a noncompliant attribute. Correct Replaces a noncompliant attribute on an account with the correct attribute. Alert Issues an alert for an account that has a noncompliant attribute. Recertification policy and process A recertification policy includes actiities to ensure that users proide confirmation that they hae a alid, ongoing need for the target type specified (user, account, and access). The policy defines how frequently users must alidate an ongoing need. Additionally, the policy defines the operation that occurs if the recipient declines or does not respond to the recertification request. IBM Security Identity Manager supports recertification policies that use a set of notifications to initiate the workflow actiities that are inoled in the recertification process. Depending on the user response, a recertification policy can mark a user's roles, accounts, groups, or accesses as recertified. The policy can suspend or delete an account, or delete a role, group, or access. Audits that are specific to recertification are created for use by seeral reports that are related to recertification: Accounts, access, or users pending recertification Proides a list of recertifications that are not completed. Recertification history Proides a historical list of recertifications for the target type specified. Recertification policies Proides a list of all recertification policies. User recertification history Proides history of user recertification. User recertification policy Proides a list of all user recertification policies. Reports Security administrators, auditors, managers, and serice owners in your organization can use one or more of the following reports to control and support corporate regulatory compliance: Accesses Report, which lists all access definitions in the system. Approals and Rejections Report, which shows request actiities that were either approed or rejected. Dormant Accounts Report, which lists the accounts that were not used recently. Entitlements Granted to an Indiidual Report, which lists all users with the proisioning policies for which they are entitled. Noncompliant Accounts Report, which lists all noncompliant accounts. Orphan Accounts Report, which lists all accounts not haing an owner. Chapter 5. Features oeriew 35

46 Pending Recertification Report, which highlights recertification eents that can occur if the recertification person does not act on an account or access. This report supports filtering data by a specific serice type or a specific serice instance. Recertification Change History Report, which shows a history of accesses (including accounts) and when they were last recertified. This report seres as eidence of past recertifications. Recertification Policies Report, which shows the current recertification configuration for a specific access or serice. Separation of Duty Policy Definition Report, which lists the separation of duty policy definitions. Separation of Duty Policy Violation Report, which contains the person, policy, rules iolated, approal, and justification (if any), and who requested the iolating change. Serices Report, which lists serices currently defined in the system. Summary of Accounts on a Serice Report, which lists a summary of accounts on a specified serice defined in the system. Suspended Accounts Report, which lists the suspended accounts. User Recertification History Report, which lists the history of user recertifications done manually (by specific recertifiers), or automatically (due to timeout action). User Recertification Policy Definition Report, which lists the user recertification policy definitions. All reports are aailable to all users when the appropriate access controls are configured. Howeer, certain reports are designed specifically for certain types of users. Table 21. Summary of reports Designed for Aailable reports Security administrators Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies Managers Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies Serice owners Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies 36 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

47 Table 21. Summary of reports (continued) Designed for Aailable reports Auditors Dormant Accounts End users, help desk, and deelopers Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies None Identity goernance Dual user interface IBM Security Identity Manager extends the identity management goernance capabilities with a focus on operational role management. Using roles simplifies the management of access to IT resources. Identity goernance includes these IBM Security Identity Manager features: Role management Manages user access to resources, but unlike user proisioning, role management does not grant or remoe user access. Instead, it sets up a role structure to do it more efficiently. Entitlement management Simplifies access control by administering and enforcing fine-grained authorizations. Access certification Proides ongoing reiew and alidation of access to resources at role or entitlement leel. Priileged user management Proides enhanced user administration and monitoring of system or administrator accounts that hae eleated priileges. Separation of duties Preents and detects business-specific conflicts at role or entitlement leel. IBM Security Identity Manager has a dual user interface that shows users only what they need to do their job. The interfaces are separate, and users access them through different web addresses. IBM Security Identity Manager has two types of user interfaces: an administratie console interface and a self-care interface. Administratie console user interface The administratie console user interface proides an adanced set of administratie tasks, and has new multitasking capabilities. Persona-based console customization Chapter 5. Features oeriew 37

48 The administratie console user interface contains the entire set of administratie tasks, such as managing roles, policies, and reports. This persona-based console proides sets of tasks, each tailored for the needs of the default administratie user types: System administrator Serice owner Help desk assistant Auditor Manager System administrators can easily customize which tasks the different types of users can do. To control user access to accounts and tasks, for example, use a default set of user groups, access control items, and iews. You can also customize user access by defining additional user groups, iews, and access control items. Multitasking control Wizards within the administratie console user interface expedite the administratie tasks of adding users, requesting accounts, and creating new serices. The administrator can concurrently manage seeral tasks. Adanced search capability The administratie console user interface also proides a powerful adanced search feature. Self-care user interface The self-care user interface proides a simpler subset of personal tasks that apply only to the user. With the IBM Security Identity Manager self-care interface, users can update their personal information and passwords. Users can iew requests, complete and delegate actiities, and request and manage their own accounts and access. The self-care user interface proides a central location for users to do arious simple, intuitie tasks. From the self-care home page, the following task panels are aailable, depending on the authority the system administrator granted. Action Needed A list of tasks that require completion. My Password A list of tasks to change passwords. If password synchronization is enabled, users can enter one password that is synchronized for all of their accounts. A user can reset a forgotten password by successfully responding to forgotten password questions, if forgotten password information is configured in the system. My Access A list of tasks to request and manage access to folders, applications, roles, and other resources. My Profile A list of tasks to iew or update personal information. My Requests A list of tasks to iew requests that a user submitted. 38 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

49 Recertification My Actiities A list of actiities that require user action. Users can also delegate actiities. IBM Security Identity Manager Serer recertification simplifies and automates the process of periodically realidating users, accounts, and accesses. The recertification process automates alidating that users, accounts, and accesses are still required for a alid business purpose. The process sends recertification notification and approal eents to the participants that you specify. Reporting IBM Security Identity Manager reports reduce the time to prepare for audits and proide a consolidated iew of access rights and account proisioning actiity for all managed people and systems. Static and dynamic roles A report is a summary of IBM Security Identity Manager actiities and resources. You can generate reports based on requests, user and accounts, serices, or audit and security. Report data is staged through a data synchronization process. The process gathers data from the IBM Security Identity Manager directory information store and prepares it for the reporting engine. Data synchronization can be run on demand, or it can be scheduled to occur regularly. Report accessibility The IBM Security Identity Manager reports are accessible in the PDF format. The following categories of reports are aailable: Requests Reports that proide workflow process data, such as account operations, approals, and rejections. User and Accounts Reports that proide data about users and accounts. For example: indiidual access rights, account actiity, pending recertifications, and suspended indiiduals. Serices Reports that proide serice data, such as reconciliation statistics, list of serices, and summary of accounts on a serice. Audit and Security Reports that proide audit and security data, such as access control information, audit eents, and noncompliant accounts. Shared Access Reports that proide a history of shared access, a listing of shared entitlements by role, and a listing of shared access entitlements by owner. IBM Security Identity Manager proides static and dynamic roles. Chapter 5. Features oeriew 39

50 Self-access management Proisioning features In static organizational roles, assigning a person to a static role is a manual process. In the case of a dynamic role, the scope of access can be to an organizational unit only or to the organizational unit and its subunits. Dynamic organizational roles use alid LDAP filters to set a user's membership in a specific role. For example, a dynamic role might use an LDAP filter to proide access to specific resources to users who are members of an auditing department named audit123. For example, type: (departmentnumber=audit123) Dynamic organizational roles are ealuated at the following times: When a new user is created in the IBM Security Identity Manager system When a user's information, such as title or department membership, changes When a new dynamic organizational role is created IBM Security Identity Manager allows users and administrators the ability to request and manage access to resources such as shared folders, groups, or applications. Access differs from an account. An account exists as an object on a managed serice. An access is an entitlement to use a resource, such as a shared folder, on the managed serice. The ability to access a resource is based on the attributes of the group to which the user account belongs. The user's access to a resource is therefore dependent on the account and its group mapping. When an account is suspended, their access becomes inactie; similarly, when an account is restored, their access becomes actie again. When an account is deleted, access to the resource for that user is deleted. When a group is remoed from the serice, the user access that maps to that group is also remoed. An administrator typically configures the access to resources on a serice based on the need for a particular user group. Users can request or delete access. They can manage access to the resources they use without the need to understand the underlying technology such as account attributes. IBM Security Identity Manager proides support for proisioning, the process of proiding, deploying, and tracking a serice or component in your enterprise. In a suite of security products, IBM Security Identity Manager plays a key role to ensure that resources are accessible only to authorized persons. IBM Security Identity Manager safeguards the accuracy and completeness of information processing methods and granting authorized users access to information and associated assets. Oeriew IBM Security Identity Manager proides an integrated software solution for managing the proisioning of serices, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its proisioning features to control the setup and maintenance of user access to system and account creation on a managed resource. The two main types of information are person data and 40 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

51 account data. Person data represents the people whose accounts are being managed. Account data represents the credentials of the persons and the managed resources to which the persons were granted access. At its highest leel, an identity management solution automates and centralizes the process of proisioning resources. Resources range from operating systems and applications to people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the proisioning policies and procedures. Howeer, the organization tree used for proisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all leels can use standardized procedures for managing user credentials. Some leels of administration can be reduced or eliminated, depending on the breadth of the proisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among arious organizations. For example, a domain administrator can sere only the people and resources in that domain. This user can do administratie and proisioning tasks, but is not authorized to do configuration tasks, such as creating workflows. IBM Security Identity Manager supports distributed administration capabilities, which include the secure distribution of proisioning tasks, whether manual or automatic, among arious organizations. Distributing administratie tasks in your organization improes the accuracy and effectieness of administration and improes the balance of the work load of an organization. IBM Security Identity Manager addresses proisioning of enterprise serices and components in the following areas: Account access management Workflow and lifecycle automation Proisioning policies Role-based access control Separation of duty capabilities Self-regulating user administration Customization Account access management and the proisioning system With an effectie account access management solution, your organization can track precisely who has access to what information across the organization. Access control is a critical function of a centralized, single-point proisioning system. Besides protecting sensitie information, access controls expose existing accounts that hae unapproed authorizations or are no longer necessary. Orphan accounts are actie accounts that cannot be associated with alid users. For orphan accounts on a managed resource, the account owner cannot be automatically determined by the proisioning system. To control orphan accounts, the proisioning system links together account information with authoritatie information about the users who own the accounts. Authoritatie user identity information is typically maintained in the databases and directories of human resources. Improperly configured accounts are actie accounts that are associated with alid users but were granted improper authorization because the organization allowed local administrators to add or modify users outside of IBM Security Identity Manager. The ability to control improper accounts is much more difficult, and Chapter 5. Features oeriew 41

52 requires a comparison of what should be with what is at the account authority leel. The existence of an account does not necessarily expose its capabilities. Accounts in sophisticated IT systems include hundreds of parameters that define the authorities, and these details can be controlled by your proisioning system. New users can be readily identified with the data feed that you establish from the human resources directory. The access request approal capability initiates the processes that approe (or reject) resource proisioning for them. Workflow and lifecycle automation When a user becomes affiliated or employed with an organization, the lifecycle of the user begins. Your business policies and processes, whether manual or semi-automated, proision the user with access to certain resources based on role and responsibilities. Oer time, when the role and functions of a user change, your business policies and processes can proision the resources that are aailable to the user. Eentually, the user becomes unaffiliated with the organization, associated accounts are suspended and later deleted, and the lifecycle of the user in the organization is finished. You can use workflows to customize how accounts are proisioned. You can customize the lifecycle management of users and accounts, such as adding, remoing, and modifying users and accounts. A complete proisioning workflow system automatically routes requests to the appropriate approers and preemptiely escalates to other approers if actions are not taken on the requests. You can define two types of workflows in IBM Security Identity Manager: entitlement workflows that apply to proisioning actiities, and operational workflows that apply to entity types. An entitlement workflow defines the business logic that is tied specifically to the proisioning actions of proisioning policies. A proisioning policy entitlement ties the proisioning actions to entitlement workflows. For example, an entitlement workflow is used to define approals for managing accounts. An operational workflow defines the business logic for the lifecycle processes for entity types and entities. You can use workflow programming tools to automate key aspects of the proisioning lifecycle, specifically the approal processes that your organization uses. A workflow object in the organization tree can contain one or more participants and escalation participants. A participant is a signature authority that approes or rejects a proisioning request. Proisioning policies and auditing An organizational role entity is assigned to one or more identities when you implement role-based access control for the resources that are managed by IBM Security Identity Manager. An organizational role is controlled by a proisioning policy. The policy represents a set of organizational rules and the logic that the Security Identity Manager Serer uses to manage resources such as applications or operating systems. If a role is a member of another organizational role in a proisioning policy, then that role member also inherits the permissions of proisioning policy. A proisioning policy maps the people in organizational roles to serices that represent corresponding resources in IBM Security Identity Manager. The policy sets the entitlements that people hae when accessing the serices. The proisioning policies you implement must reflect your organizational identity management policies in your security plan. To implement effectie proisioning 42 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

53 policies, you must analyze and document existing business approal processes in your organization. You must determine what adjustments to make those processes to implement an automated identity management solution. A proisioning policy proides a key part of the framework for the automation of identity lifecycle management. IBM Security Identity Manager proides APIs that interface to information about proisioning policies defined in IBM Security Identity Manager, and interface to the access granted to an indiidual task. These APIs can be used effectiely to generate audit data. When a proisioning policy is defined, the reconciliation function enables the enforcement of the policy rules. The reconciliation function keeps the participating systems (both the Security Identity Manager Serer and the repositories of the managed resources) from potentially becoming a single point of failure. When two or more proisioning policies are applied, a join directie defines how to handle attributes. Two or more policies might hae oerlapping scope, and the join directie specifies what actions to take when this oerlap occurs. Proisioning policies can be mapped to a distinct portion or leel of the organizational hierarchy. For example, policies can be defined at a specific organization unit that affects organization roles for that unit only. Serice selection policies extend the function of a proisioning policy by enabling the proisioning of accounts based on person attributes. A serice selection policy is enforced when it is defined as a target of a proisioning policy. Using a JaaScript script to determine which serice to use, the serice selection policy defines proisioning based on the instructions in the script. The logic in the JaaScript typically uses person object attributes to determine which serice to use. The attribute is often the location of the person in the organization tree. Role-based access control Role-based access control (RBAC) uses roles and proisioning policies to ealuate, test, and enforce your business processes and rules for granting access to users. Key administrators create proisioning policies and assign users to roles and that define sets of entitlements to resources for these roles. RBAC tasks establish role-based access control to resource. RBAC extends the identity management solution to use software-based processes and reduce user manual interaction in the proisioning process. Role-based access control ealuates changes to user information to determine whether the changes alter the role membership for the user. If a change is needed, policies are reiewed and changes to entitlements are put in place immediately. Similarly, a change in the definition of the set of resources in a policy can also trigger a change to associated entitlements. Role-based access control includes the following features: Mandatory and optional entitlements, where optional entitlements are not automatically proisioned but can be requested by a user in a group Prerequisite serices, where specific serices must be granted before certain access rights are set Entitlement defaults and constraints, where each characteristic of an entitlement can be set to a default alue. The entitlement range can be constrained, depending on the capabilities of the entitlement to be granted A single account with multiple authorities goerned by different policies Priate, filtered iews of information about users and aailable resources Chapter 5. Features oeriew 43

54 Resource proisioning User authentication approaches that are consistent with internal security policies Distribution of proisioning system components securely oer WAN and Internet enironments, including the crossing of firewalls User IDs that use consistent, user-defined algorithms Self-regulating user administration When your organization starts to proision resources across all internal organizations, you implement the self-regulating user administration capability. You can realize the adantages and benefits of proisioning users across organizational boundaries. In this enironment, a change in a user's status is automatically reflected in access rights across organization boundaries and geographies. You can reduce proisioning costs and streamline the access and approal processes. The implementation realizes the full potential of implementing role-based access control for end-to-end access management in your organization. You can reduce administratie costs through automated procedures for goerning user proisioning. You can improe security by automating security policy enforcement, and streamline and centralize user lifecycle management and resource proisioning for large user populations. Incremental proisioning and other customization options Your team can use business plans and requirements to decide how much to customize IBM Security Identity Manager. For example, a large enterprise might require a phased roll-out plan for workflows and custom adapters that is based on a time line for incrementally proisioning applications that are widely used across geographies. Another customization plan might proide for two or more applications to be proisioned across an entire organization, after successful testing. User-application interaction can be customized, and procedures for proisioning resources might be changed to accommodate automated proisioning. You can deproision to remoe a serice or component. For example, deproisioning an account means that the account is deleted from a resource. Depending on business needs, IBM Security Identity Manager proides alternaties you can use to proision resources to authorized users. Alternaties are based on requests, roles, or a combination of requests and roles. Request-based access to resources On a request basis, IBM Security Identity Manager proides a process to grant, modify, and remoe access to resources throughout a business. The process establishes an effectie audit trail with automated reports. In request-based proisioning, users and their managers search for and request access to specific applications, priilege leels, or resources with a system. The requests are alidated by workflow-drien approals and audited for reporting and compliance purposes. For example, users, or their managers, can request access to new accounts. Additionally, managers or other administrators are alerted to unused accounts and gien the option to delete the accounts through a recertification process. These periodic reiews of user access rights ensure that access with preious approal is remoed, if it is no longer needed. 44 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

55 Roles and access control An organizational role supports different access control and access proisioning models in a customer deployment. An organizational role can map to IBM Security Identity Manager access entitlements in a proisioning policy. Specific IBM Security Identity Manager groups can be authorized or automatically proisioned for users that are members of the role. If a role is a member of another organizational role in a proisioning policy, then that role member also inherits the permissions of the proisioning policy. IBM Security Identity Manager groups can be used to define iews and access control for different types of entities that are managed in IBM Security Identity Manager. A hybrid proisioning model The hybrid model of proisioning resources combines request and role-based approaches, which are both supported by IBM Security Identity Manager. For a subset of employees or managed systems, a business might want to automate access with role-based assignment. A business might also handle all other access requests or exceptions through a request-based model. Some businesses might start with manual assignment, and eole toward a hybrid model, with an intention of a fully role-based deployment at a future time. Other companies might find it impractical for business reasons to achiee complete role-based proisioning, and target a hybrid approach as a wanted goal. Still other companies might be satisfied with only request-based proisioning, and not want to inest additional effort to define and manage role-based, automated proisioning policies. Chapter 5. Features oeriew 45

56 46 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

57 Chapter 6. Technical oeriew You can use IBM Security Identity Manager to manage the identity records that represent people in a business organization. This section introduces the product architecture and main components. IBM Security Identity Manager is an identity management solution that centralizes the process of proisioning resources, such as proisioning accounts on operating systems and applications to users. IBM Security Identity Manager gies you the ability to add business processes and security policies to basic user management. The ability includes adding approals for user requests to access resources. In addition, IBM Security Identity Manager proides a uniform way to manage user accounts and to delegate administration, including self-serice and a help desk user interface. Users, authorization, and resources An administrator uses the entities that IBM Security Identity Manager proides for users, authorization, and resources to proide both initial and ongoing access in a changing organization. Accounts Access control item Identity policy Adapter Identities Password policy Serice Users Other policies Group Workflow Identities An identity is the subset of profile data that uniquely represents a person in one or more repositories, and includes additional information related to the person. Accounts An account is the set of parameters for a managed resource that defines your identity, user profile, and credentials. Users People Authorization Workflows/policies Resources Figure 2. Users, authorization, and resources A user is an indiidual who uses IBM Security Identity Manager to manage their accounts. Copyright IBM Corp

58 Main components Access control items An access control item is data that identifies the permissions that users hae for a specific type of resource. You create an access control item to specify a set of operations and permissions. You then identify which groups use the access control item. Groups A group is used to control user access to functions and data in IBM Security Identity Manager. Membership in a IBM Security Identity Manager group proides a set of default permissions and operations, as well as iews, that group members need. Policies A policy is a set of considerations that influence the behaior of a managed resource (called a serice in IBM Security Identity Manager) or a user. A policy represents a set of organizational rules and the logic that IBM Security Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a serice-specific policy. Adapters An adapter is a software component that proides an interface between a managed resource and the IBM Security Identity Manager Serer. Serices A serice represents a managed resource, such as an operating system, a database application, or another application that IBM Security Identity Manager manages. For example, a managed resource might be a Lotus Notes application. Users access these serices by using an account on the serice. Main components in the IBM Security Identity Manager solution include the IBM Security Identity Manager Serer and required and optional middleware components, including adapters that proide an interface to managed resources. In a cluster configuration, main components include: 48 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

59 WebSphere Application Serer Network Deployment IBM Security Identity Manager cell IBM HTTP Serer WebSphere Web Serer plug-in IBM Security Identity Manager cluster } } } Application Serer IBM Security Identity Manager Serer JDBC drier IBM Security Identity Manager database Deployment Manager JDBC drier } LDAP data store Figure 3. Main components For more information about configuration alternaties, see the IBM Security Identity Manager Installation Guide. Components include: Database serer products IBM Security Identity Manager stores transactional and historical data in a database serer, a relational database that maintains the current and historical states of data. Computers that communicate with the database require a Jaa Database Connectiity drier (JDBC drier). For example, a JDBC drier enables a IBM Security Identity Manager Serer to communicate with the data source. IBM Security Identity Manager supports a JDBC type 4 drier to connect a Jaa-based application to a database. The supported database products are IBM DB2 Database, Oracle DB, and MS SQL Serer database. The information about type 4 JDBC driers for each database product are as follows: IBM DB2 Database DB2 supports a Type 4 JDBC drier. The DB2 type 4 JDBC drier is bundled with the IBM Security Identity Manager installation program. Oracle database The Oracle database supports a Type 4 JDBC drier. The IBM Security Identity Manager installation program prompts for the location and name of this JDBC drier. Before you install the IBM Security Identity Manager Serer, obtain this JDBC drier from your Oracle Database Serer installation in the ORACLE_HOME\jdbc\lib\ directory. Alternatiely, you can download the drier from this website: technology/software/tech/jaa/sqlj_jdbc/index.html Chapter 6. Technical oeriew 49

60 For WebSphere Application Serer ersion 7.0, the JDBC drier is ojdbc6.jar. Microsoft SQL Serer database The SQL Serer database supports a Type 4 JDBC drier. The IBM Security Identity Manager installation program prompts for the location and name of this JDBC drier. You can download the drier from this website: For more information about supported database serer products, see Database serer requirements in the IBM Security Identity Manager Information Center. Directory serer products IBM Security Identity Manager stores the current state of the managed identities in an LDAP directory, including user account and organizational data. IBM Security Identity Manager supports the following products: IBM Tioli Directory Serer Sun Enterprise Directory Serer IBM Tioli Directory Integrator IBM Tioli Directory Integrator synchronizes identity data in different directories, databases, and applications. IBM Tioli Directory Integrator synchronizes and manages information exchanges between applications or directory sources. WebSphere Application Serer WebSphere Application Serer is the primary component of the WebSphere enironment. WebSphere Application Serer runs a Jaa irtual machine, proiding the runtime enironment for the application code. The application serer proides communication security, logging, messaging, and Web serices. The IBM Security Identity Manager application can run on a single-serer configuration with the WebSphere Application Serer base serer. IBM Security Identity Manager can also run in a larger cluster configuration. The configuration can hae one or more WebSphere Application Serers and a deployment manager that manages the cluster. HTTP serer and WebSphere Web Serer plug-in An HTTP serer proides administration of IBM Security Identity Manager through a client interface in a web browser. IBM Security Identity Manager requires the installation of a WebSphere Web Serer plug-in with the HTTP serer. The WebSphere Application Serer installation program can separately install both the IBM HTTP Serer and WebSphere Web Serer plug-in. IBM Security Identity Manager adapters An adapter is a program that proides an interface between a managed resource and the IBM Security Identity Manager Serer. Adapters function as trusted irtual administrators on the target platform for account management. For example, adapters do such tasks as creating accounts, suspending accounts, and modifying account attributes. A IBM Security Identity Manager adapter can be either agent-based or agentless: 50 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

61 People oeriew Agent-based adapter You install adapter code directly onto the managed resource with which it is designed to communicate. Agentless adapter Deploys its adapter code onto the IBM Security Identity Manager Serer and the system that hosts IBM Tioli Directory Integrator. The adapter code is separate from the managed resource with which it is designed to communicate. Note: For agentless adapters, the SSH process or daemon must be actie on the managed resource. People, such as employees and contractors, need to use the resources that an organization proides. A person who has a IBM Security Identity Manager account is a IBM Security Identity Manager user. Users need different degrees of access to resources for their work. Some users need to use a specific application. Other users need to administer the system that links users to the resources that their work requires. IBM Security Identity Manager manages users' identities (user IDs), accounts, access entitlements on those accounts, and user credentials such as passwords. Users A person who is managed by IBM Security Identity Manager is a user. A user who has a IBM Security Identity Manager account is called a IBM Security Identity Manager user. This user can use IBM Security Identity Manager to manage accounts or do other administratie tasks. Users need different degrees of access to resources for their work. Some users need to use a specific application. Other users need to administer the system that links users to the resources that their work requires. A IBM Security Identity Manager user is assigned to a specific group that proides access to specific iews and allows the user to do specific tasks in IBM Security Identity Manager. As an administrator, you create users either by importing identity records or by using IBM Security Identity Manager. Identities An identity is the subset of profile data that uniquely represents a person or entity. The data is stored in one or more repositories. For example, an identity might be represented by the unique combination of a person's first, last (family) name, and full (gien) name, and employee number. An identity profile might also contain additional information such as phone numbers, manager, and address. Accounts An account is the set of parameters for a managed resource that defines an identity, user profile, and credentials. Chapter 6. Technical oeriew 51

62 An account defines login information (your user ID and password, for example) and access to the specific resource with which it is associated. In IBM Security Identity Manager, accounts are created on serices, which represent the managed resources. Such resources might be operating systems (UNIX), applications (Lotus Notes), or other resources. Accounts, when owned, are either indiidual or sponsored. Indiidual accounts are for use by a single owner and hae an ownership type of Indiidual. Sponsored accounts are assigned to owners who are responsible for the accounts, but might not actually use them to access resources. Sponsored accounts can hae arious types of non-indiidual ownership types. IBM Security Identity Manager supplies three ownership types for sponsored accounts Deice, System, and Vendor. You can use the Configure System utility to create additional ownership types for sponsored accounts. Accounts are either actie or inactie. Accounts must be actie to log in to the system. An account becomes inactie when it is suspended. Suspension can occur if a request to recertify your account usage is declined and the recertification action is suspend. Suspended accounts still exist, but they cannot be used to access the system. System administrators can restore and reactiate a suspended account if the account is not deleted. Access Access is your ability to use a specific resource, such as a shared folder or an application. In IBM Security Identity Manager, access can be created to represent access to access types. Such access types might be shared folders, applications (such as Lotus Notes), groups, or other managed resources. An access differs from an account in that an account is a form of access; an account is access to the resource itself. Access is the permission to use the resource. The access entitlement defines the condition that grants access to a user with a set of attribute alues of a user account on the managed resource. In IBM Security Identity Manager, an access is defined on an existing group on the managed serice. In this case, the access is granted to a user by creating an account on the serice and assigning the user to the group. Access entitlement can also be defined as a set of parameters on a serice account that uses a proisioning policy. When a user requests new access, by default an account is created on that serice. If an account exists, the account is modified to fulfill the access entitlement. For example, the account is assigned to the group that grants access to an access type. If one account exists, the account is associated with the access. If multiple accounts exist, you must select the user ID of the account to which you want to associate your access. An access is often described in terms that can be easily understood by business users. 52 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

63 Passwords A password is a string of characters that is used to authenticate a user's access to a system. A user ID and password are the two elements that grant access to a system. Resources oeriew As an administrator, you can manage user passwords and the passwords that are set for the users that are used by IBM Security Identity Manager. Forgotten password administration You can administer and define forgotten password information so users can reset forgotten IBM Security Identity Manager passwords. The information is in the format of questions and answers. Password synchronization Password synchronization is the process of assigning and maintaining one password for all indiidual accounts that a user owns. Password synchronization reduces the number of passwords that a user must remember. You can configure the system to automatically synchronize passwords for all indiidual accounts owned by a user. Then, the user must remember only one password. For example, a user has two indiidual accounts: a IBM Security Identity Manager account and a Lotus Notes account. If the user changes or resets the password for the IBM Security Identity Manager account, the Lotus Notes password is automatically changed to the same password as the IBM Security Identity Manager password. Passwords might also be synchronized when you proision an account or restore a suspended account. If password synchronization is enabled, a user cannot specify different passwords for other indiidual accounts owned by the user. Note: When you proision an account or restore an account that was suspended, you must specify a password for the account. If password synchronization is enabled, you are not prompted for a password. Instead the indiidual account is automatically gien the same password as the existing indiidual accounts of the user. Password strength rules A password strength rule is a rule or requirement to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be fie. The rules might specify that the maximum number of characters must be 10. You can define password strength rules in a password policy. Resources are the applications, components, processes, and other functions that users need to complete their work assignments. IBM Security Identity Manager uses a serice to manage user accounts and access to resources by using adapters to proide trusted communication of data between the resources and IBM Security Identity Manager. Chapter 6. Technical oeriew 53

64 Serices A serice represents a managed resource, such as an operating system, a database application, or another application that IBM Security Identity Manager manages. For example, a managed resource might be a Lotus Notes application. Users access these serices by using an account on the serice. Serices are created from serice types, which represent a set of managed resources that share similar attributes. For example, there is a default serice type that represents Linux machines. These serice types are installed by default when IBM Security Identity Manager is installed. Alternatiely, they are installed when you import the serice definition files for the adapters for those managed resources. Accounts on serices identify the users of the serice. Accounts contain the login and access information of the user and allow the use of specific resources. Most serices use IBM Security Identity Manager to proision accounts, which usually inoles some workflow processes that must be completed successfully. Howeer, manual serices generate a work order actiity that defines the manual interention that is required to complete the request or to proision the account for the user. A serice owner owns and maintains a particular serice in IBM Security Identity Manager. A serice owner is either a person or a static organizational role. For a static organizational role, all the members of the organizational role are considered serice owners. If that static organizational role contains other roles, then all members of those roles are also considered serice owners. Serice types A serice type is a category of related serices that share schemas. It defines the schema attributes that are common across a set of similar managed resources. Serice types are used to create serices for specific instances of managed resources. For example, you might hae seeral Lotus Domino serers that users need access to. You might create one serice for each Lotus Domino serer with the Lotus Domino serice type. Serice prerequisite A serice might hae another serice defined as a serice prerequisite. A user can receie a new account only if they hae an existing account on the serice prerequisite. For example, Serice B has a serice prerequisite, Serice A. If a user requests an account on Serice B, in order to receie an account, the user must first hae an account on Serice A. Serice definition file A serice definition file, which is also known as an adapter profile, defines the type of managed resource that IBM Security Identity Manager can manage. The serice definition file creates the serice types on the IBM Security Identity Manager Serer. The serice definition file is a JAR file that contains the following information: Serice information, including definitions of the user proisioning operations that can be done for the serice, such as add, delete, suspend, or restore. 54 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

65 Serice proider information, which defines the underlying implementation of how the IBM Security Identity Manager Serer communicates with the managed resource. Valid serice proiders are Tioli Directory Integrator and DSML2. Schema information, including the LDAP classes and attributes. Account forms and serice forms. A properties file for accounts and supporting data such as serice groups defines the labels for the attributes on these forms. The labels are displayed in the user interface for creating serices and requesting accounts on those serices. Manual serices A manual serice is a type of serice that requires manual interention to complete the request. For example, a manual serice might be defined for setting up oice mail for a user. Manual serices generate a work order actiity that defines the manual interention that is required. You might create a manual serice when IBM Security Identity Manager does not proide an adapter for a managed resource for which you want to proision accounts. When you create a manual serice, you add new schema classes and attributes for the manual serice to your LDAP directory. See the following topics: "Manual serices and serice type" in the IBM Security Identity Manager Configuration Guide "Enabling connection mode" in the IBM Security Identity Manager Administration Guide Adapters An adapter is a software component that proides an interface between a managed resource and IBM Security Identity Manager. An adapter functions as a trusted irtual administrator for the managed resource. An adapter does such tasks as creating accounts, suspending accounts, and other functions that administrators typically do. An adapter consists of the serice definition file and the executable code for managing accounts. Adapters are deployed in one of two ways: Agent-based adapter An agent-based adapter must be on the managed resource, in order to administer accounts. For example, the Lotus Notes adapter for AIX is an agent-based adapter. Agentless adapter An agentless adapter can be on a remote serer, in order to administer accounts. For example, the UNIX/Linux adapter is an agentless adapter. Adapters are created from one of two technologies: Adapter Deelopment Kit (ADK) Adapters that are created with the ADK are either agent-based adapters or Chapter 6. Technical oeriew 55

66 agentless adapters. The ADK is the base component of the adapters and contains the runtime library, filtering and eent notification functionality, protocol settings, and logging information. The ADK is the same across the adapters. IBM Tioli Directory Integrator Adapters that are created with IBM Tioli Directory Integrator are either agent-based or agentless adapters. These adapters are implemented as assembly lines, each of which is a single path of data transfer and transformation. IBM Tioli Directory Integrator can pass data from one assembly line to the next assembly line. Seeral agentless adapters are automatically installed when you install IBM Security Identity Manager. You can install additional agentless or agent-based adapters. Adapter communication with managed resources Communication between IBM Security Identity Manager and managed resources has seeral solutions. Linux and UNIX managed resources use agentless adapters that are created with IBM Tioli Directory Integrator. Other managed resources use ADK adapters. Figure 4 illustrates how communication links between software products and components can be configured. IBM Security Identity Manager Serer WebSphere Application Serer SSL Web browser S S L S S L Other adapters Tioli Directory Integrator A da p t e r SSH SSL UNIX managed resource LDAP managed resource KEY: SSL = One-way or two-way SSL SSH = Secure Shell protocol System security oeriew Figure 4. Secure communication in the IBM Security Identity Manager enironment An organization has critical needs to control user access, and to protect sensitie information. 56 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

67 First, an organization agrees on security requirements for business needs. Then, a system administrator configures the groups, iews, access control items, and forms that IBM Security Identity Manager proides for security of its data. Security model characteristics An organization defines a security model to meet its business needs. The model seres as a basis to define the requirements and actual implementation of a security system. Some characteristic objecties of a security model include: Verifying the identity of users, proided by authentication systems that include password strength and other factors. Enabling authorized users to access resources, proided by authorization systems that define request or role-based processes, and related proisioning. Resources, for example, include accounts, serices, user information, and IBM Security Identity Manager functions. A security model also requires additional proisioning processes to select the resources that users are permitted to access. Administering which operations and permissions are granted for accounts and users. Delegating a user's list of actiities to other users, on a request or assignment basis. Protecting sensitie information, such as user lists or account attributes. Ensuring the integrity of communications and data. Business requirements A business needs agreement on its security requirements before implementing the processes that IBM Security Identity Manager proides. For example, requirement definitions might answer these questions: What groups of IBM Security Identity Manager users are there? What information does each user group need to see? What tasks do the users in each group need to do? What roles do users perform in the organization? Which access rights need definition? What working relationships exist that require some users to hae different authority leels? How can preention and auditing proide remedies for actiity that does not comply with established policies? To meet common business needs, a business might frequently hae seeral groups, such as a manager, a help desk assistant, an auditor group. The business might hae customized groups that do a more expanded or limited set of tasks. Resource access from a user's perspectie To proide security of data for a user who works within a range of tasks on specific business resources, IBM Security Identity Manager might proide one or more roles, and membership in one or more groups. For example, a user in a business unit often has a title, or role that has a responsibility, such as buyer. The user might also be a member of a group that Chapter 6. Technical oeriew 57

68 proides a iew of tasks that the user can do, such as regional purchasing. The relationships are illustrated in Figure 5: Figure 5. Securing data for user access to resources Each role has a related proisioning policy and workflow to grant the user to access one or more resources, such as accounts. Each group has a iew of specific tasks, and one or more access control items that grant specific operations and permissions to do the tasks. By using a form designer applet, you can also modify the user interface that a user sees. You might remoe unnecessary fields for account, serice, or user attributes. Groups A group is used to control user access to functions and data in IBM Security Identity Manager. Group members hae an account on the IBM Security Identity Manager serice. Membership in an IBM Security Identity Manager group proides a set of default permissions and operations, as well as iews, that group members need. Your site might also create customized groups. Additionally, some users might be members of a serice group that grants specific access to a certain application or other functions. For example, a serice group might hae members that work directly with data in an accounting application. Predefined groups, iews, and access control items IBM Security Identity Manager proides predefined groups. The groups are associated with iews and access control items. Two user interfaces, or consoles, are aailable: Self-serice console for all users, for self-care actiities such as changing personal profile information, such as a telephone number. Administratie console, for selected users who belong to one or more groups that enable a range of administratie tasks. 58 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

69 A IBM Security Identity Manager user with no other group membership has a basic priilege to use IBM Security Identity Manager. This set of users needs only a self-serice console for self-care capabilities. The users are not in a labeled "group" such as a Help Desk Assistant group. The predefined groups are associated with predefined iews and access control items, to control what members can see and do, as illustrated in Figure 6 Figure 6. Predefined groups, iews, and access control items The predefined groups are: Administrator The administrator group has no limits set by default iews or access control items and can access all iews and do all operations in IBM Security Identity Manager. The first system administrator user is named "itim manager". Auditor Members of the auditor group can request reports for audit purposes. Help Desk Assistant Members of the Help Desk Assistant group can request, change, suspend, restore, and delete accounts. Members can request, change, and delete access, and also can reset passwords, profiles, and accounts of others. Additionally, members can delegate actiities for a user. Manager Members of the Manager group are users who manage the accounts, profiles, and passwords of their direct subordinates. Serice Owner Members of the Serice Owner group manage a serice, including the user accounts and requests for that serice. Chapter 6. Technical oeriew 59

70 Views A iew is a set of tasks that a particular type of user can see, but not necessarily do, on the graphical user interface. For example, it is a task portfolio of the eeryday actiities that a user needs to use IBM Security Identity Manager. On both the self-serice console and the administratie console, you can specify the iew that a user sees. Access control items An access control item (ACI) is data that identifies the permissions that users hae for a specific type of resource. You create an access control item to specify a set of operations and permissions. You also identify which groups use the access control item. An access control item defines these items: The entity types to which the access control item applies Operations that users might do on entity types Attributes of the entity types that users might read or write The set of users that is goerned by the access control item IBM Security Identity Manager proides default access control items. You can also create a customized access control item. For example, a customized access control item might limit the ability of a specific Help Desk Assistant group to change information for other users. Access control items can also specify relationships such as Manager or Serice Owner. When you create customized reports, you must also manually create report access control items and entity access control items for the new report. These ACIs permit users who are not administrators, such as auditors, to run the custom report and iew data in the custom report. After you create an access control item or change an existing access control item, run a data synchronization to ensure that other IBM Security Identity Manager processes, such as the reporting engine, use the new or changed access control item. Forms A form is a user interface window that is used to collect and display alues for account, serice, or user attributes. IBM Security Identity Manager includes a form designer, which runs as a Jaa applet, that you use to modify existing user, serice and account forms. For example, you might add the fax number attribute and an associated entry field to capture that number for a particular account. You might remoe an account attribute that your organization does not want a user to see. If you remoe an attribute from a form, it is completely remoed; that is, een system administrators cannot see the attribute. You can see only those attributes that are on the form and that you hae read or write access to (as granted by access control items). Using the form designer, you can also customize forms for other elements in the organization tree, such as location or organization unit. 60 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

71 Organization tree oeriew Business organizations hae arious configurations that contain their subordinate units, including serices and employees. For a specific set of business needs, you can configure IBM Security Identity Manager to proide a hierarchy of serices. You can configure organizations, users, and other elements in a tree that corresponds to the needs of a user population. Note: This release proides enhanced menus to search for a specific user, but not a graphic organization tree for that purpose. In this release, you cannot browse and create entities by naigating the organization tree. The association to a business unit within the organization tree is specified during the creation of the entity. Nodes in an organization tree An organization tree has nodes that include organizations and subordinate business units, as well as other elements. An organization tree can hae these nodes: Organization Identifies the top of an organizational hierarchy, which might contain subsidiary entities such as organization units, business partner organization units, and locations. The organization is the parent node at the top of the node tree. Organization Unit Identifies a subsidiary part of an organization, such as a diision or department. An organization unit can be subordinate to any other container, such as organization, organization unit, location, and business partner organization. Business Partner Organization Unit Identifies a business partner organization, which is typically a company outside your organization that has an affiliation, such as a supplier, customer, or contractor. Location Identifies a container that is different geographically, but contained within an organization entity. Admin Domain Identifies a subsidiary part of an organization as a separate entity with its own policies, serices, and access control items, including an administrator whose actions and iews are restricted to that domain. Entity types associated with a business unit Different types of entities can be associated with a business unit in an organization tree. The association to a business unit is specified when the entity is created. Normally, an entity cannot change the business unit association after it is created. The only exception is the User entity. IBM Security Identity Manager supports the transfer of users between different business units. Chapter 6. Technical oeriew 61

72 The following entity types can be associated to a business unit in the organization tree: User ITIM group Serice Role Identity policy Password policy Proisioning policy Serice selection policy Recertification policy Account and access request workflow Access control item Entity searches of the organization tree This release proides menus to search for a specific user, but not a graphic organization tree to naigate to locate a specific user. Policies oeriew To locate a specific user with search menus, use the adanced search filter to search by user type such as Person or Business Partner Person. In the search, you can also select a business unit and its subunits, and the status of the user, such as Actie. Additionally, you can add other fields to qualify the search, including an LDAP filter statement. A policy is a set of considerations that influence the behaior of a managed resource (called a serice in IBM Security Identity Manager) or a user. A policy represents a set of organizational rules and the logic that IBM Security Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a serice-specific policy. IBM Security Identity Manager enables your organization to use centralized security policies for specified user groups. You can use IBM Security Identity Manager policies to centralize user access for disparate resources in an organization. You can implement additional policies and features that streamline operations associated with access to resources for users. IBM Security Identity Manager supports the following types of policies: Adoption policies Identity policies Password policies Proisioning policies Recertification policies Separation of duty policies Serice selection policies A policy can apply to one or multiple serice targets, which can be identified either by a serice type or by listing the serices explicitly. These policies do not apply to serices that represent identity feeds. 62 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

73 Adoption policies apply to serices. A global adoption policy applies to all serices of a serice type. Identity policies, password policies, and proisioning policies can apply to all serice types, all serices of a serice type, or specific serices. Recertification policies cannot act on all serice types, but you can add all the different serices for a specific recertification policy. Separation of duty policies does not apply directly to serice types, and apply only to role membership for users. Serice selection policies apply to only one serice type. Policy types and naigation Table 22. Policy types and naigation Type of policy Adoption Identity Password Proisioning Recertification Separation of duty Serice selection Naigation Manage Policies > Manage Adoption Policies Manage Policies > Manage Identity Policies Manage Policies > Manage Password Policies Manage Policies > Manage Proisioning Policies Manage Policies > Manage Recertification Policies Manage Policies > Manage Separation of Duty Policies Manage Policies > Manage Serice Selection Policies Account defaults Account defaults define default alues for an account during new account creation. The default can be defined at the serice type leel that applies to all serices of that type. Alternatiely, the default can be defined at the serice leel, which applies only to the serice. Policy enforcement Global policy enforcement is the manner in which IBM Security Identity Manager globally allows or disallows accounts that iolate proisioning policies. When a policy enforcement action is global, the policy enforcement for any serice is defined by the default configuration setting. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute. Note: If a serice has a specific policy enforcement setting, that setting is applied to the noncompliant accounts. The global enforcement setting does not apply. Policy enforcement can also be set for a specific serice. Mark The existing user account on the old serice is marked as disallowed, and a new account is not created on the new serice. Chapter 6. Technical oeriew 63

74 Suspend The existing user account on the old serice instance is suspended, and a new account is not created on the new serice. Alert Correct Workflow oeriew An alert is sent to the recipient administrator to confirm remoal of the old account on old serices. A new account is created on new serice if the user does not hae account on new serice, and entitlement is automatic. Existing accounts are remoed on the old serice. A new account is created on new serice if the user does not hae account on new serice and entitlement is automatic. To work with global policy enforcement, go to the naigation tree and select Configure System > Configure Global Policy Enforcement. Note: To set serice policy enforcement, go to the naigation tree and select Manage Serices. A workflow defines a sequence of actiities that represent a business process. You can use workflows to customize account proisioning and access proisioning, and lifecycle management. A workflow is a set of steps or actiities that define a business process. You can use the IBM Security Identity Manager workflows to customize account proisioning and lifecycle management. For example, you can add approals and information requests to account or access proisioning processes. You can integrate lifecycle management processes (such as adding, remoing, and modifying people and accounts in IBM Security Identity Manager) with external systems. IBM Security Identity Manager proides these major types of workflows: Operation workflows Use operation workflows to customize the lifecycle management of accounts and people, or a specific serice type, such as all Linux systems. Operation workflows add, delete, modify, restore, and suspend system entities, such as accounts and people. You can also add new operations that your business process requires, such as approal for new accounts. For example, you might specify an operation workflow that defines actiities to approe the account, including notifications and manager approals. Account request and access request workflows Use account request and access request workflows to ensure that resources such as accounts or serices are proisioned to users according to the business policies of your organization. Note: The term entitlement workflow was preiously used for this workflow type in IBM Security Identity Manager Version 4.6. An account request workflow can be bound to an entitlement for an access or an account. In proisioning policies, an entitlement workflow for accounts adds decision points to account requests, such as adding or modifying an account. If the request is approed, the processing continues; if the request is rejected, the request is canceled. 64 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

75 The account request workflow is started during account proisioning requests, including adding and modifying an account, made by a IBM Security Identity Manager user or made during account auto proisioning. An account request workflow can be also started during an access request if there is no access request workflow defined. An access request workflow is bound to an access by the access definition, rather than by a proisioning policy. This workflow can specify the steps and approals that authorize access to resources in a request. The access request workflow is started only for access requests that are made by a IBM Security Identity Manager user. The workflow is not started if the access is proisioned for the user as a result of an external or internal account request. An external account request is an account request made by a IBM Security Identity Manager user. An internal account request is an account request made by the IBM Security Identity Manager system. For example, an auto account proisioning gies the user a default or mandatory group that maps to an access. Chapter 6. Technical oeriew 65

76 66 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

77 Chapter 7. Initial login and password information To get started after installing IBM Security Identity Manager, you need to know the login URL and the initial user ID and password. Login URL The login URL enables you to access the IBM Security Identity Manager web interface. The login URL for the IBM Security Identity Manager administratie console is: Where ip-address is the IP address or DNS address of the IBM Security Identity Manager serer, and port is the port number. The default port for new installations of IBM Security Identity Manager is The login URL for the IBM Security Identity Manager self-serice console is: Where ip-address is the IP address or DNS address of the IBM Security Identity Manager serer, and port is the port number. The default port for new installations of IBM Security Identity Manager is Initial user ID and password The initial user ID and password to authenticate to IBM Security Identity Manager is: Table 23. Initial user ID and password for IBM Security Identity Manager User ID Password itim manager secret Copyright IBM Corp

78 68 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

79 Notices This information was deeloped for products and serices offered in the U.S.A. IBM may not offer the products, serices, or features contained in this document in other countries. Consult your local IBM representatie for information on the products and serices currently aailable in your area. Any reference to an IBM product, program, or serice is not intended to state or imply that only that IBM product, program, or serice may be used. Any functionally equialent product, program, or serice that does not infringe any IBM intellectual property right may be used instead. Howeer, it is the user's responsibility to ealuate and erify the operation of any non-ibm product, program, or serice. IBM might hae patents or pending patent applications that coer subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drie Armonk, NY U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd , Shimotsuruma, Yamato-shi Kanagawa Japan The following paragraph does not apply to the United Kingdom or any other country where such proisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm Web sites are proided for conenience only and do not in any manner sere as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. Copyright IBM Corp

80 IBM may use or distribute any of the information you supply in any way it beliees appropriate without incurring any obligation to you. Licensees of this program who wish to hae information about it to enable: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation J46A/G4 555 Bailey Aenue San Jose, CA U.S.A. Such information might be aailable, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material aailable for it are proided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equialent agreement between us. Any performance data contained herein was determined in a controlled enironment. Therefore, the results obtained in other operating enironments might ary significantly. Some measurements might hae been made on deelopment-leel systems and there is no guarantee that these measurements will be the same on generally aailable systems. Furthermore, some measurements might hae been estimated through extrapolation. Actual results might ary. Users of this document should erify the applicable data for their specific enironment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements, or other publicly aailable sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. All statements regarding the future direction or intent of IBM are subject to change or withdrawal without notice, and represent goals and objecties only. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of indiiduals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on arious operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of deeloping, using, marketing, or distributing application programs that conform to the application programming interface for the operating platform for which the sample programs are written. These examples hae not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, sericeability, or function of these programs. The sample 70 IBM Security Identity Manager Version 6.0: Product Oeriew Guide

81 programs are proided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs. Each copy or any portion of these sample programs or any deriatie work, must include a copyright notice as follows: (your company name) (year). Portions of this code are deried from IBM Corp. Sample Programs. Copyright IBM Corp. 2004, All rights resered. If you are iewing this information softcopy, the photographs and color illustrations might not appear. Trademarks The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: legal/copytrade.shtml Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Jaa and all Jaa-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. The Oracle Outside In Technology included herein is subject to a restricted use license and can only be used in conjunction with this application. Other company, product, and serice names might be trademarks or serice marks of others. Notices 71