IBM Security Identity Manager Version 6.0

Product Overview Guide

GC14-7692-01


Note: Before using this information and the product it supports, read the information in "Notices" on page 71.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of contents

Table list . . . v

About this publication . . . vii
  Access to publications and terminology . . . vii
  Accessibility . . . viii
  Technical training . . . viii
  Support information . . . viii
  Statement of Good Security Practices . . . ix

Chapter 1. How to obtain software images . . . 1

Chapter 2. Hardware and software requirements . . . 3
  Hardware requirements . . . 3
  Operating system support . . . 3
  Virtualization support . . . 4
  Java Runtime Environment support . . . 5
  WebSphere Application Server support . . . 5
  Database server support . . . 5
  Directory server support . . . 6
  Directory Integrator support . . . 7
  Report server support . . . 7
  Prerequisites for IBM Cognos report server . . . 8
  Browser requirements for client connections . . . 9
  Adapter level support . . . 9

Chapter 3. What's new in this release . . . 11
  Account ownership type . . . 11
  Identity Service Center user interface . . . 11
  Shared access module . . . 12
  Role management . . . 14
    Extended role attributes . . . 14
    Role assignment attributes . . . 14
  Service management and provisioning . . . 15
    Service level form . . . 16
    Service connection mode . . . 16
    Service status and failure retry . . . 17
    Service tagging . . . 17
    Enhanced adapter testing . . . 17
  Account and access management . . . 18
    Multiple level access types . . . 18
    Account search in the self service console . . . 18
  Authentication with an external user registry configured with WebSphere . . . 18
  Vertical cluster support . . . 19
  Application programming interfaces . . . 19
    Web Services API . . . 20
    Extensions to the Recertification Policy API . . . 20
    Enhanced logging APIs for use in custom JavaScript . . . 20
  Report data synchronization enhancements . . . 21
  Health monitoring . . . 22
  IBM Cognos reporting framework . . . 22

Chapter 4. Known limitations, problems, and workarounds . . . 23

Chapter 5. Features overview . . . 25
  Access management . . . 25
  Shared access . . . 26
    Shared access documentation . . . 27
    Roadmap for configuring shared access for a managed resource . . . 30
  Support for corporate regulatory compliance . . . 34
  Identity governance . . . 39
  Triple user interface . . . 40
    Administrative console user interface . . . 40
    Self-care user interface . . . 40
    Identity Service Center user interface . . . 41
  Recertification . . . 42
  Reporting . . . 42
  Static and dynamic roles . . . 43
  Self-access management . . . 43
  Provisioning features . . . 43
  Resource provisioning . . . 47
    Request-based access to resources . . . 47
    Roles and access control . . . 48
    Hybrid provisioning model . . . 48

Chapter 6. Technical overview . . . 49
  Users, authorization, and resources . . . 49
  Main components . . . 50
  People overview . . . 53
    Users . . . 53
    Identities . . . 53
    Accounts . . . 54
    Access . . . 54
    Passwords . . . 55
  Resources overview . . . 55
    Services . . . 56
    Adapters . . . 57
    Adapter communication with managed resources . . . 58
  System security overview . . . 58
    Security model characteristics . . . 59
    Business requirements . . . 59
    Resource access from a user's perspective . . . 59
  Organization tree overview . . . 62
    Nodes in an organization tree . . . 63
    Entity types associated with a business unit . . . 63
    Entity searches of the organization tree . . . 64
  Policies overview . . . 64
  Workflow overview . . . 66

Chapter 7. Initial login and password information . . . 69

Notices . . . 71

Index . . . 75

Table list

1. Hardware requirements for IBM Security Identity Manager . . . 3
2. Operating system support . . . 3
3. Virtualization support . . . 4
4. Database server support . . . 6
5. Directory server support . . . 6
6. Supported versions of IBM Tivoli Directory Integrator . . . 7
7. Software requirements for IBM Cognos report server . . . 8
8. Prerequisites to run the UNIX and Linux adapter . . . 10
9. More information on role assignment attributes . . . 15
10. Shared access features . . . 27
11. Installation and upgrade . . . 27
12. System configuration . . . 28
13. Shared access administration . . . 28
14. Data references . . . 29
15. Shared access troubleshooting . . . 29
16. Shared access application programming interfaces . . . 29
17. Shared access for users . . . 30
18. Configuring managed resources that are supported by the IBM Security Identity Manager . . . 33
19. Defining roles and provisioning policies to grant ownership of sponsored accounts . . . 33
20. Adding credentials with a connection to an account to the vault . . . 34
21. Adding credentials without a connection to an account to the vault . . . 34
22. Configuring a shared access policy to grant access to the credentials . . . 34
23. Summary of reports . . . 39
24. Policy types and navigation . . . 65
25. Initial user ID and password for IBM Security Identity Manager . . . 69

About this publication

IBM Security Identity Manager Product Overview Guide provides general information about IBM Security Identity Manager. It includes information about:
• The product release, such as new or deprecated product features and functions
• The open standards, technologies, and architecture on which the product is based
• The user model and roles underlying the product features
• The graphical interfaces and tools provided to support various user roles

Access to publications and terminology
This section provides:
• A list of publications in the IBM Security Identity Manager library.
• Links to "Online publications."
• A link to the "IBM Terminology website" on page viii.

IBM Security Identity Manager library

The following documents are available in the IBM Security Identity Manager library:
• IBM Security Identity Manager Quick Start Guide, CF3L2ML
• IBM Security Identity Manager Product Overview Guide, GC14-7692-01
• IBM Security Identity Manager Scenarios Guide, SC14-7693-01
• IBM Security Identity Manager Planning Guide, GC14-7694-01
• IBM Security Identity Manager Installation Guide, GC14-7695-01
• IBM Security Identity Manager Configuration Guide, SC14-7696-01
• IBM Security Identity Manager Security Guide, SC14-7699-01
• IBM Security Identity Manager Administration Guide, SC14-7701-01
• IBM Security Identity Manager Troubleshooting Guide, GC14-7702-01
• IBM Security Identity Manager Error Message Reference, GC14-7393-01
• IBM Security Identity Manager Reference Guide, SC14-7394-01
• IBM Security Identity Manager Database and Directory Server Schema Reference, SC14-7395-01
• IBM Security Identity Manager Glossary, SC14-7397-01

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
The product documentation site displays the welcome page and navigation for the library.

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm


IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
The IBM Publications Center site http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the topic "Accessibility features for IBM Security Identity Manager" in the IBM Security Identity Manager Reference Guide.

Technical training
For technical training information, see the IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information
If you have a problem with your IBM® software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
Go to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant
The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, see the IBM Security Identity Manager Installation Guide. Also see: http://www.ibm.com/software/support/isa.

Troubleshooting Guide
For more information about resolving problems, see the IBM Security Identity Manager Troubleshooting Guide.


Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. How to obtain software images

IBM Security Identity Manager installation files and fix packs can be obtained from the IBM Passport Advantage® website or from a DVD distribution.

The Passport Advantage website provides packages, called eAssemblies, for IBM products.

To obtain eAssemblies for IBM Security Identity Manager, follow the instructions in the IBM Security Identity Manager Download Document.

The IBM Security Identity Manager Installation Guide provides full instructions for installing IBM Security Identity Manager and the prerequisite middleware products.

The procedure that is appropriate for your organization depends on the following conditions:
• Operating system used by IBM Security Identity Manager
• Language requirements for using the product
• Type of installation you need to do:

  eAssembly for the product and all prerequisites
    The IBM Security Identity Manager installation program enables you to install IBM Security Identity Manager, prerequisite products, and required fix packs as described in the IBM Security Identity Manager Installation Guide. Use this type of installation if your organization does not currently use one or more of the products required by IBM Security Identity Manager.

  eAssembly for a manual installation
    You can install IBM Security Identity Manager separately from the prerequisites, and you can install separately any of the prerequisite products that are not installed. In addition, you must verify that each prerequisite product is operating at the required fix or patch level.


Chapter 2. Hardware and software requirements

IBM Security Identity Manager has specific hardware requirements and supports specific versions of operating systems, middleware, and browsers.

The topics in this section list the hardware requirements and the supported versions of each software product. The listed versions are those that were supported when this product release became available.

Note: Support for prerequisite software is continuously updated. To review the latest updates to this information, see the Software Product Compatibility Reports page at http://pic.dhe.ibm.com/infocenter/prodguid/v1r0/clarity/index.html.

Hardware requirements
IBM Security Identity Manager has these hardware requirements:

Table 1. Hardware requirements for IBM Security Identity Manager

System component                                   Minimum values*                                   Suggested values**
System memory (RAM)                                2 gigabytes                                       4 gigabytes
Processor speed                                    Single 2.0 gigahertz Intel or pSeries processor   Dual 3.2 gigahertz Intel or pSeries processors
Disk space for product and prerequisite products   20 gigabytes                                      25 gigabytes

* Minimum values: These values enable a basic use of IBM Security Identity Manager.

** Suggested values: You might need to use larger values that are appropriate for your production environment.

Operating system support
IBM Security Identity Manager supports multiple operating systems.

The IBM Security Identity Manager installation program checks to ensure that specific operating systems and levels are present before it starts the installation process.

Table 2. Operating system support

Operating system                                   Platform                               Patch or maintenance level
AIX® Version 6.1                                   System p®                              None
AIX Version 7.1                                    System p                               None
Oracle Solaris 10                                  SPARC                                  None
Windows Server 2008 Standard Edition               x86-32, x86-64                         None
Windows Server 2008 Enterprise Edition             x86-32, x86-64                         None
Windows Server 2008 Release 2 Standard Edition     x86-64                                 None
Windows Server 2008 Release 2 Enterprise Edition   x86-64                                 None
Windows Server 2012 Standard Edition               x86-64                                 None
Red Hat Enterprise Linux 5.0                       x86-32, x86-64, System p, System z®    Update 6; see the SELinux note below
Red Hat Enterprise Linux 6.0                       x86-32, x86-64, System p, System z     Update 5; see the SELinux note below
SUSE Linux Enterprise Server 10.0                  System p, System z, x86-32, x86-64     SP3
SUSE Linux Enterprise Server 11.0                  System p, System z, x86-32, x86-64     SP1

Note: For both Red Hat Enterprise Linux 5.0 and 6.0, Security Enhanced Linux (SELinux) must be disabled. See the topic "Red Hat Linux Server Configuration" in the IBM Security Identity Manager Installation Guide. Disabling SELinux removes the host's mandatory access control layer, so treat it as a hardening trade-off: confirm the state with getenforce before you install, and compensate with other host-level controls.

Virtualization support
IBM Security Identity Manager supports virtualization environments.

See Table 3 for a list of the virtualization products that IBM Security Identity Manager supports at the time of product release.

Table 3. Virtualization support

IBM AIX Workload Partitioning (WPAR) and Logical Partitioning (LPAR) 6.1 and 7.1, and future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

IBM PowerVM® Hypervisor (LPAR, DPAR, Micro-Partition), any supported version and future fix packs
    Applicable operating systems: AIX

IBM PR/SM™, any version, and future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

IBM z/VM® Hypervisor 5.4 and any future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

IBM z/VM Hypervisor 6.1 and any future fix packs
    Applicable operating systems: Linux

KVM in SUSE Linux Enterprise Server (SLES) 11
    Applicable operating systems: all supported operating system versions, automatically applied

Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 5.4 and future fix packs
    Applicable operating systems: Linux, Windows

Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 6.0 and future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

Sun Solaris 10 Global/Local Zones (SPARC) and future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

Sun/Oracle Logical Domains (LDoms), any version and future fix packs
    Applicable operating systems: Solaris

VMware ESXi 4.0 and future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

VMware ESXi 5.0 and future fix packs
    Applicable operating systems: all supported operating system versions, automatically applied

Java Runtime Environment support
IBM Security Identity Manager requires the Java™ Runtime Environment (JRE).

When a required version of the WebSphere® Application Server is installed, the required version or a later version of the JRE is installed in the WAS_HOME/java directory. For information about the required versions of the WebSphere Application Server, see "WebSphere Application Server support."

Use of an independently installed development kit for Java, from IBM or other vendors, is not supported. The Java Runtime Environment requirements for using a browser to create a client connection to the IBM Security Identity Manager server are different from the JRE requirements for running the WebSphere Application Server.

WebSphere Application Server support
IBM Security Identity Manager runs as an enterprise application in a WebSphere Application Server environment.

IBM Security Identity Manager requires one of the following versions of WebSphere Application Server:
• WebSphere Application Server, Version 8.5, with WebSphere Application Server V8.5 Fix Pack 2.
• WebSphere Application Server, Version 8.5, Network Deployment, with the Identity Service Center user interface. WebSphere Application Server V8.5 Fix Pack 2 is required for support of all platforms.
• WebSphere Application Server, Version 7.0, with WebSphere Fix Pack 29.

WebSphere supports each of the operating systems that IBM Security Identity Manager supports. Review the WebSphere website for WebSphere requirements for each operating system: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27012369

Database server support
IBM Security Identity Manager supports multiple database server products.

Note: The Identity Service Center and Cognos reporting do not support Microsoft SQL Server database. Use DB2 database or Oracle database instead.

Table 4. Database server support

IBM DB2® Enterprise Version 9.5.0.3
    Fix pack: Fix Pack 3
    Notes: IBM DB2 Workgroup Edition is required for Linux 32-bit operating systems.

IBM DB2 Enterprise Version 9.7.0.7
    Fix pack: Fix Pack 7
    Notes:
    • IBM DB2 Workgroup Edition is required for Linux 32-bit operating systems.
    • Red Hat Linux 6.0 requires Fix Pack 4.
    • Windows 2012 requires Fix Pack 7.

IBM DB2 Enterprise Version 10.1.0.2
    Fix pack: Fix Pack 2
    Notes:
    • IBM DB2 Enterprise 10.1 is only supported on 64-bit operating systems.
    • Using IBM DB2 10.1 with IBM Tivoli® Directory Server 6.3 requires IBM Tivoli Directory Server 6.3 Fix Pack 21.

Oracle 10g Standard Edition and Enterprise Edition Release 2
    Fix pack: none
    Notes: The Oracle 11.1.0.7 database driver is required for both Oracle 10g Release 2 and 11g databases.

Oracle 11g Standard Edition and Enterprise Edition Release 2
    Fix pack: none
    Notes: The Oracle 11.1.0.7 database driver is required for both Oracle 10g Release 2 and 11g databases.

Microsoft SQL Server Enterprise Edition 2008
    Fix pack: none

Microsoft SQL Server Enterprise Edition 2008 Release 2
    Fix pack: none

Directory server support
IBM Security Identity Manager supports multiple directory servers.

Table 5. Directory server support

IBM Tivoli Directory Server, Version 6.2
    Fix pack: Fix Pack 29

IBM Tivoli Directory Server, Version 6.3
    Fix pack: Fix Pack 21

    Notes for IBM Tivoli Directory Server:
    • IBM Tivoli Directory Server supports the operating system releases that IBM Security Identity Manager supports.
    • IBM Tivoli Directory Server, Version 6.3 Fix Pack 21 is required for IBM Tivoli Directory Server V6.3 to work with IBM DB2 10.1.
    • A fix pack can have requirements for a specific level of Global Security Kit (GSKit). For more information, see the documentation that the directory server product provides, for example at http://www-947.ibm.com/support/entry/portal/documentation_expanded_list/software/security_systems/tivoli_directory_server

Sun Directory Server Enterprise Edition 6.3.1 and 7.0
    Fix pack: none
    Notes: See Oracle documentation to verify operating system support.

Oracle Directory Server Enterprise Edition 11.1.1
    Fix pack: none

Directory Integrator support
IBM Security Identity Manager supports IBM Tivoli Directory Integrator.

You can optionally install IBM Tivoli Directory Integrator for use with IBM Security Identity Manager.

IBM Tivoli Directory Integrator is used to enable communication between the installed agentless adapters and IBM Security Identity Manager. See the IBM Security Identity Manager Installation Guide.

Table 6. Supported versions of IBM Tivoli Directory Integrator

Release                                          Fix pack
IBM Tivoli Directory Integrator, Version 7.1     Fix Pack 3
IBM Tivoli Directory Integrator, Version 7.1.1   Fix Pack 2

IBM Tivoli Directory Integrator supports each of the operating system versions that IBM Security Identity Manager supports.

Report server support
IBM Security Identity Manager supports IBM Tivoli Common Reporting Version 2.1.1.

Note: Though IBM Tivoli Common Reporting is currently supported, it is being deprecated. It is the best practice to use IBM Cognos Business Intelligence Server version 10.2.1 to generate IBM Security Identity Manager reports.

The following fix packs and interim fixes are required. Install the fixes in the following order:
1. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 2
2. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 5
3. IBM Tivoli Integrated Portal Fix Pack 2.2.0.7
4. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6

To obtain fixes:
• Download the latest fixes for IBM Tivoli Common Reporting Server from the Fix Central website at http://www.ibm.com/support/fixcentral/.
• Obtain and install the IBM Tivoli Integrated Portal Fix Pack 2.2.0.7 before you install IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6. For instructions for obtaining IBM Tivoli Integrated Portal Fix Pack 2.2.0.7, see the IBM developerWorks® topic: Tivoli Common Reporting 2.1.1 Interim Fix 6.

Prerequisites for IBM Cognos report server
IBM Security Identity Manager supports IBM Cognos Business Intelligence Server version 10.2.1.

You must install the software in the following table to work with IBM Security Identity Manager Cognos reports.

Table 7. Software requirements for IBM Cognos report server

IBM Cognos Business Intelligence Server, version 10.2.1
    For more information, see:
    1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
    2. Search for Business Intelligence Installation and Configuration Guide 10.2.1.
    3. Search for the installation information and follow the procedure.

Web server
    For more information, see:
    1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
    2. In the right pane of the home page, under the Supported hardware and software section, click IBM Cognos Business Intelligence 10.2.1 Supported Software Environments.
    3. Click the 10.2.1 tab.
    4. Click Software in the Requirements by type column under the section IBM Cognos Business Intelligence 10.2.1.
    5. Search for the Web Servers section.

Data sources
    For more information, see:
    1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
    2. In the right pane of the home page, under the Supported hardware and software section, click IBM Cognos Business Intelligence 10.2.1 Supported Software Environments.
    3. Click the 10.2.1 tab.
    4. Click Software in the Requirements by type column under the section IBM Cognos Business Intelligence 10.2.1.
    5. Search for the Data Sources section.

Note: Optionally, you can install IBM Framework Manager, version 10.2.1 if you want to customize the reports or models.

Browser requirements for client connections
IBM Security Identity Manager has browser requirements for client connections.

IBM Security Identity Manager supports the following browser versions:
• Microsoft Internet Explorer 9.0
• Microsoft Internet Explorer 10.0
• Mozilla Firefox 3.6 (supported on AIX only)

  Note:
  1. Microsoft Internet Explorer 10.0 Metro mode is not supported.
  2. Firefox 3.6 requires the Next-Generation Java plug-in, which is included in Java 6 Update 10 and newer versions.
  3. The Identity Service Center user interface is not supported in Firefox 3.6.

• Mozilla Firefox 10 Extended Support Release (not supported on AIX)

  Note: The Identity Service Center user interface is not supported in Firefox 10 Extended Support Release.

• Mozilla Firefox 17 Extended Support Release (not supported on AIX)
• Mozilla Firefox 24 Extended Support Release (not supported on AIX)

Additional requirements:
• The IBM Security Identity Manager software distribution does not include the supported browsers.
• The IBM Security Identity Manager administrative user interface uses applets that require a Java plug-in that is provided by Sun Microsystems JRE Version 1.6 or higher. When the browser requests a page that contains an applet, it attempts to load the applet with the Java plug-in. If the required JRE is not present on the system, the browser prompts the user for the correct Java plug-in, or fails to complete the presentation of the items in the window. The IBM Security Identity Manager user interface is displayed correctly for all pages that do not contain a Java applet, regardless of JRE installation.
• You must enable cookies in the browser to establish a session with IBM Security Identity Manager.
• Do not start two or more separate browser sessions from the same client computer. The two sessions share one session ID, which causes problems with the data.

Adapter level support
The IBM Security Identity Manager installation program always installs a number of adapter profiles.

The installation program installs these profiles:
• AIX profile (UNIX and Linux adapter)
• Solaris profile (UNIX and Linux adapter)
• HP-UX profile (UNIX and Linux adapter)
• Linux profile (UNIX and Linux adapter)
• LDAP profiles (LDAP adapter)

The IBM Security Identity Manager installation program optionally installs the IBM Security Identity Manager LDAP adapter and IBM Security Identity Manager UNIX and Linux adapter. Newer versions of the adapters might be available as separate downloads. Install the latest versions before you use the adapters.

You must take additional steps to install adapters if you choose not to install themduring the IBM Security Identity Manager installation.

The following table lists the UNIX and Linux systems and versions that are supported by the UNIX and Linux adapter.

Table 8. Prerequisites to run the UNIX and Linux adapter

Operating system   Version
AIX                AIX 6.1, AIX 7.1
HP-UX              HP-UX 11iv1, HP-UX 11iv1 trusted, HP-UX 11iv2, HP-UX 11iv2 trusted, HP-UX 11iv3, HP-UX 11iv3 trusted
Red Hat Linux      Red Hat Enterprise Linux Server 6.0, 6.1, 6.2
Oracle Solaris     Oracle Solaris 10
SUSE Linux         SLES 10.0, SLES 11.0

The following directory server versions are supported by the LDAP adapter:
• IBM Tivoli Directory Server 6.1, IBM Tivoli Directory Server 6.2, IBM Tivoli Directory Server 6.3
• Sun Directory Server Enterprise Edition 6.3, Sun Directory Server Enterprise Edition 6.3.1

The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema (the inetOrgPerson object class). This schema supports communication between IBM Security Identity Manager and systems that run IBM Tivoli Directory Server or Sun Directory Server Enterprise Edition. The IBM Security Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter.
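The RFC 2798 schema referred to above defines the inetOrgPerson object class. As an added example that is not part of this guide or of the LDAP adapter, the following Python code parses a small LDIF file and checks each entry for what an adapter-managed inetOrgPerson entry must carry: the inetOrgPerson object class and the cn and sn attributes it inherits from person. The sample entries (SAMPLE_LDIF), the function names and the problem messages are constructed for this example; only the required-attribute list comes from the RFC.

```python
"""Added example, not code from IBM or the LDAP adapter: parse LDIF and check
entries against the RFC 2798 inetOrgPerson object class that the LDAP adapter
expects. SAMPLE_LDIF is constructed for this example; the required attributes
(cn and sn) are the MUST attributes inetOrgPerson inherits from person.
"""
import base64

# Constructed sample: one complete entry (with a folded line and a base64
# value) and one entry that is missing a required attribute.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
title: Identity and
  access engineer
description:: SmFuZSdzIGVudHJ5
employeeNumber: 12345

dn: cn=missing-sn,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: missing-sn
"""

# MUST attributes of inetOrgPerson (inherited from person).
MUST_ATTRS = ("cn", "sn")


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each a dict that maps the
    lower-cased attribute name to its list of values.

    Handles folded lines (a continuation line starts with one space),
    base64 values ("attr:: <base64>"), comment lines and blank-line entry
    separators. Names are lower-cased because LDAP attribute names are
    case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation line
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:           # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def validate_inetorgperson(entry):
    """Return the list of problems found; an empty list means the entry is
    a usable inetOrgPerson."""
    problems = []
    if "dn" not in entry:
        problems.append("entry has no dn")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "inetorgperson" not in classes:
        problems.append("objectClass inetOrgPerson is missing")
    for attr in MUST_ATTRS:
        if not any(v.strip() for v in entry.get(attr, [])):
            problems.append("missing required attribute: %s" % attr)
    return problems


def check_ldif(text):
    """Map each entry's dn to its list of problems."""
    return {e.get("dn", ["<no dn>"])[0]: validate_inetorgperson(e)
            for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "; ".join(problems))
```

Run the block directly to see the first entry reported as OK and the second flagged for its missing sn; feed check_ldif() the output of an ldapsearch export to audit existing entries before pointing the adapter at them.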

Adapters are available at the following IBM Passport Advantage website:

http://www.ibm.com/software/sw-lotus/services/cwepassport.nsf/wdocs/passporthome

Installation and configuration guides for adapters can be found in the IBM Security Identity Manager product documentation website at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm.

Chapter 3. What's new in this release

IBM Security Identity Manager Version 6.0 provides new infrastructure, processes, and controls to support privileged identity management. In addition, it provides enhanced support for operational role management and integration with other identity and access management solutions.

Note: The documentation updates in this library are added in the context of IBM Security Identity Manager, version 6.0.0, Fix Pack 2.

The Identity Service Center, Cognos Reporting, and selected Shared Access features are available on your system only after you install the fix pack.

See the following README files for installation, configuration, and removal details:
• ISIM6.0.0FP2_InstallAndConfig_README.pdf
• ISIM6.0.0FP2_UnInstallAndManualRemoval_README.pdf
• ISPIM1.0.1FP2_InstallandConfig_README.pdf

See the topics that follow for detailed descriptions of new features and function.

Account ownership typeNew account ownership types separate personal accounts from custodial accounts.

Accounts that represent a user identity for personal use are individual accounts.All other accounts are sponsored accounts. Examples of sponsored accountsinclude the root account on a UNIX system, application accounts, and deviceaccounts. The owner of a sponsored account typically configures the account andcompletes maintenance tasks such as password reset.

Password synchronization applies only to individual accounts. Account entitlements in a provisioning policy are specified differently for each account type.

The type of ownership affects the password management process and provisioning policy evaluation. For example, password synchronization synchronizes passwords only for accounts of ownership type "Individual". For provisioning policies, entitlement to a particular service can be based on the specific ownership type on the service.

You can filter accounts by ownership type when doing account management tasks. You can specify the ownership type when completing account request and account adoption tasks.

See "Ownership type management" in the IBM Security Identity Manager Configuration Guide.

Identity Service Center user interface

IBM Security Identity Manager introduces the Identity Service Center, a new user interface, which provides the capability for managers or individuals to request access for individuals.


Note: The Identity Service Center does not support Microsoft SQL Server database.Use DB2 Universal Database™ or Oracle database instead.

Unified access catalog

The Identity Service Center user interface contains a unified access catalog that provides sets of tasks, each tailored for the needs of the default user types:
• System administrator
• Manager
• Employee
• Auditor

Enhanced user experience

The Identity Service Center gives you an enhanced user experience that is tailored to your business goals:
• Request access to applications
• View your requests

Modern, intuitive, and efficient user interface

You can model your business goals and user interface with a dedicated flow. The Identity Service Center has:
• Type ahead search
• Guided tasks
• Usable layout
• Work flow and tasks that are applicable to your business goals
• Context-sensitive help

Customizable user interface

System administrators can easily customize the Identity Service Center user interface by copying and modifying the customizable files that are installed with IBM Security Identity Manager, or by replacing the icons and graphics. See the "Identity Service Center user interface customization" section of the IBM Security Identity Manager Configuration Guide for details.

Shared access module

IBM Security Identity Manager provides a shared access module that extends the identity and access management governance capabilities by supporting privileged identity management.

The shared access module is used by an IBM product called IBM Security Privileged Identity Manager. When you purchase IBM Security Privileged Identity Manager, you obtain a license to use the IBM Security Identity Manager shared access module. You can then install the optional shared access module component as part of the IBM Security Identity Manager installation.

The shared access module provides the following support for privileged identity management:
• Credential vault management for shared credentials, which can be connected or not connected to accounts.
• Lifecycle management of shared credentials. This management includes role-based access requests, role membership, and shared credential access.


• Auditing of shared credential activity to monitor accountability and compliance.
• Single sign-on with automated checkin and checkout of shared IDs. Automation of checkout and checkin is achieved when IBM Security Identity Manager is deployed as part of the IBM Security Privileged Identity Manager product solution.
• Management of shared credentials that are not connected to accounts.
• Ability to connect credentials to an account so that the password can be changed at checkin; ability to disconnect credentials from an account.
• The following items are deprecated:
  – Adding credentials to the vault through Manage Users, Manage Services > Accounts, or Manage Groups > Manage Members. Instead, use Manage Shared Access > Manage Credential Vault.
  – The #Credentials type identifier is deprecated and is provided for users with existing CSV files from a previous release. If you use this type identifier, read the column header descriptions because some of them have changed. It is suggested, however, that you use the #Credentials_v2 type identifier instead of the #Credentials type identifier in your CSV files for shared access bulk load.
• The USE_GLOBAL_SETTINGS column header in the CSV file is changed to USE_DEFAULT_SETTINGS.

• The following access control items (ACIs) are added:

  Protection category | Name | Type | Principal
  Credential | Default ACI for Credential: Grant All to Domain Admin | erCredential | Domain Admin
  Credential Lease | Default ACI for Credential Lease: Grant All to Domain Admin | erCredentialLease | Domain Admin
  Account | Default ACI for Account: Grant Connect to Domain Admin and Account Owner | erAccountItem | Domain Admin, Account Owner
  Credential Service | Default ACI for Credential Service: Grant All to Domain Admin | erCVService | Domain Admin
  Person | Default ACI for Person: Grant Search and role assignment to Privileged Administrator Group | erPersonItem | Privileged Admin

• The following ACIs are removed:

  Protection category | Name | Type | Principal
  Identity Manager User | Default ACI for ITIM User: Grant Delegate to Privileged Administrator Group | erSystemUser | Privileged Admin
  Identity Manager User | Default ACI for ITIM User: Grant Add to Privileged Administrator Group | erSystemUser | Privileged Admin
  Recertification Policy | Default ACI for Recertification Policy: Grant All to Privileged Administrator Group | erRecertificationPolicy | Privileged Admin
  Report | Default ACI for Pending Recertification Report: Grant Run to Privileged Administrator Group | Pending Recertification Report | Privileged Admin
  Report | Default ACI for Recertification Policies Report: Grant Run to Privileged Administrator Group | Recertification Policies Report | Privileged Admin
  Static Organizational Role | Default ACI for Role: Grant All to Privileged Administrator Group | erRole | Privileged Admin

For more information, see:
• "Shared access" on page 26
• IBM Security Privileged Identity Manager product documentation website.

Role management

Role management now includes management of extended role attributes and role assignment attributes.

Extended role attributes

The IBM Security Identity Manager administrator can define, set, and modify extended role attributes when creating or modifying a role. These actions are achieved by using a new form template introduced in the form designer for role customization. Both static and dynamic roles support extended role attributes.

Note: Before you can use extended role attributes, you must first set the extended role attributes in LDAP by extending the role definition schema.

After you add the extended role attributes in LDAP, use the form designer to customize and save form templates for roles in the IBM Security Identity Manager administrative console.

Role assignment attributes

The role administration component is enhanced to include the ability to define role assignment attributes, which are associated with the person-role relationship. Only static roles support assignment attributes. Only the string type and text widget of assignment attributes are supported.

Optional role assignment attributes tasks include:
• Defining role assignment attributes when creating or modifying a static role.
• Associating a custom label with each assignment attribute.
• Specifying assignment attribute values when adding user members to the role.
• Specifying assignment attribute values to the existing user members of the role.

ACI capabilities for role assignment attributes

Both the default and new ACIs support attribute-level permissions for role assignment attributes like other attributes in the role definition. You can now modify or create ACIs. You can set attribute-level permissions for granting or denying usage of these role assignment attributes within the role definition. Only authorized users can read or write assignment attributes. Additionally, you can:
• Set ACIs to read or write assignment attribute values when adding a user to the role.
• Set assignment attribute values to the existing user members.


ACI works the same way as it does for other entities. There is no ACI on specific role assignment attributes. The following attributes are available:
• erRoleAssignmentKey is on the role and dictates the permission to define role assignment attributes on the role and an attribute.
• erRoleAssignments is on the person and dictates the permission to assign values for the assignment attributes.

You cannot define ACI on the assignment attribute that you defined on the role.

JavaScript capabilities for role assignment attributes

You can access these capabilities for role assignment attributes within the JavaScript interface:
• The role assignment attributes of the role schema.
• The role assignment attributes and their values for users in role membership.

New JavaScript APIs include:
• Person
• Role
• RoleAssignmentAttribute
• RoleAssignmentObject

For more information, see the reference pages in the IBM Security Identity Manager Reference Guide.

Role assignment attributes and the self-service console

For more information about adding or modifying role assignment attributes for a user profile in the self-service console, see the IBM Security Identity Manager Technotes.

Additional information

For more information on role assignment attributes, see the following topics:

Table 9. More information on role assignment attributes

  Topic title | IBM Security Identity Manager documentation
  "Role assignment attributes" | Administration Guide
  "Role assignment attribute tables" | Database and Directory Server Schema Reference
  "Person" | Reference Guide
  "Role" | Reference Guide
  "RoleAssignmentAttribute" | Reference Guide
  "RoleAssignmentObject" | Reference Guide

Service management and provisioning

Service management and provisioning now supports a new account form, an advanced connection mode, new service status information, and service tagging.

See:
• "Service level form" on page 16
• "Service connection mode"
• "Service status and failure retry" on page 17
• "Service tagging" on page 17

Service level form

You can specify different account forms for each service instance of a particular service type.

You can define an account form for a service in the console. For example, you can customize the form for the account type, such as Windows Local Account Form. This feature can specify different account forms for each service instance of a particular service type. This feature removes the restriction of needing to use the same form for every service instance of a particular type.

You can use your new form to request a new account or modify an existing account. You can also use your new form for provisioning policy parameters. If you have an account form customized for a service, and you select service-specific entitlements for that service in the provisioning policy, the specific widget for that attribute that you customized is displayed.

You can also use the new form for repeat account creation or modification in the administration console or the self service console.

See "Customizing account form templates for a service instance" in the IBM Security Identity Manager Configuration Guide.

Service connection mode

This release introduces a new service form attribute for connection mode. Use this attribute to create a service that can function like either an automated or a manual service.

You can now specify a service connection mode of manual or automated. The connection mode setting dictates the IBM Security Identity Manager behavior for account management, and minimizes the configuration required for transition between different connection modes to end points.

The new attribute for connection mode is erconnectionmode. This attribute enables you to create a service and to specify a manual account request route before installing the adapter for the managed resource. The advantage of using connection mode is that you do not need to create and later remove a manual service. After installing the adapter, you can change the service so that the managed resource handles the account requests. Use the change service task to change connection mode from manual to automatic.

After changing the service type to automatic, it is the default setting for any services of that service type.

Connection mode is not supported on ITIM service or any type of identity feed service, hosted service, or manual service types. Do not add the erconnectionmode attribute to the forms for those service types.

See the following topics in the "Services administration" chapter of the IBM Security Identity Manager Administration Guide:
• "Enabling connection mode"
• "Creating a service that has manual connection mode"
• "Changing connection mode from manual to automatic"

Service status and failure retry

The IBM Security Identity Manager administrative console is enhanced to display status information for each service, to search for services with a specific status, and to provide an option to retry blocked requests.

The values in the service status reflect the ability of the IBM Security Identity Manager server to contact the managed resource for the service for provisioning actions. The user interface also allows searching for services with a specific status value. You can use the value to locate services that failed or are recovering from a failure.

This release provides a new action, Retry Blocked Requests, that you can use to immediately restart the blocked requests from the Manage Services panel. This action tests a service to see whether the problem is corrected. If the test is successful, it restarts any blocked requests for a failed service.

For more information, see the topic "Service status" in the IBM Security Identity Manager Administration Guide.

Service tagging

You can define multiple tags for a service in the service form.

You can use service tags to fine-tune provisioning policy entitlement for a service type. You can specify that entitlement is only applicable for services with matching tags.

On the administration console, you can trigger automated provisioning of new accounts and policy enforcements on all accounts of a service. Use the Manage Services console entry point, select Search, and then open the twistie for a service and click Enforce Policy.

See the topic "Service tagging" in the "Services administration" chapter of the IBM Security Identity Manager Administration Guide.
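The following is an added example and not IBM Security Identity Manager code. It models how a provisioning policy entitlement can be narrowed by the service tags described above and by the account ownership type described under "Account ownership type": an entitlement applies only to services of its type whose tags include every tag the entitlement requires, and only for the ownership types it covers. The entitlement shape, the "all required tags must be present" rule, the non-individual ownership type names, and the sample services are constructed assumptions.

```javascript
// Added example, not IBM Security Identity Manager code. Entitlement
// structure, tag-matching rule, sponsored ownership type names and
// sample data are constructed assumptions for illustration.

// Constructed service instances with the tags set on their service forms.
const SERVICES = [
  { name: 'linux-prod-01', type: 'PosixLinux', tags: ['prod', 'pci'] },
  { name: 'linux-dev-01', type: 'PosixLinux', tags: ['dev'] },
  { name: 'ad-corp', type: 'ActiveDirectory', tags: ['prod'] },
];

// Constructed entitlements: a service type, the tags a service must
// carry (empty means any service of the type), and the ownership
// types the entitlement covers. "Individual" is the page's term;
// "Device" and "System" are constructed sponsored-account types.
const ENTITLEMENTS = [
  { id: 'E1', serviceType: 'PosixLinux', tags: ['prod'], ownershipTypes: ['Individual'] },
  { id: 'E2', serviceType: 'PosixLinux', tags: ['pci'], ownershipTypes: ['Device', 'System'] },
  { id: 'E3', serviceType: 'PosixLinux', tags: [], ownershipTypes: ['Individual'] },
  { id: 'E4', serviceType: 'ActiveDirectory', tags: [], ownershipTypes: ['Individual', 'System'] },
];

// Assumed rule: every required tag must be present on the service.
function tagsMatch(required, present) {
  return required.every((tag) => present.includes(tag));
}

// Entitlement ids that apply to one service for one ownership type.
function applicableEntitlements(service, ownershipType, entitlements = ENTITLEMENTS) {
  return entitlements
    .filter((e) => e.serviceType === service.type)
    .filter((e) => tagsMatch(e.tags, service.tags))
    .filter((e) => e.ownershipTypes.includes(ownershipType))
    .map((e) => e.id);
}

// Password synchronization applies only to accounts of type Individual.
function passwordSyncApplies(ownershipType) {
  return ownershipType === 'Individual';
}

// Evaluate an account request against the constructed policy data.
function evaluateRequest(serviceName, ownershipType) {
  const service = SERVICES.find((s) => s.name === serviceName);
  if (!service) throw new Error('unknown service ' + serviceName);
  return {
    entitlements: applicableEntitlements(service, ownershipType),
    passwordSync: passwordSyncApplies(ownershipType),
  };
}
```

Because tag matching happens before the ownership-type check, a sponsored account request on a service without the required tag gets no entitlement even when the ownership type is covered.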

Enhanced adapter testing

Service management and provisioning now support enhanced adapter testing.

Enhanced adapter testing provides more information and more status information about the adapter that is configured for the resource. To start the adapter test, click Test Connection in the service form.

Examples of the additional information are the adapter version, the adapter installation platform, and the profile version.

Examples of the status information are the time stamp of the previous test and memory usage.

For more information, see the Adapter documentation section in the IBM Security Identity Manager product documentation.


Account and access management

IBM Security Identity Manager extends account and access management to support multiple access levels, and to support account search in the self service console.

See:
• "Multiple level access types"
• "Account search in the self service console"

Multiple level access types

IBM Security Identity Manager supports multiple levels of access types that simulate a hierarchical tree structure with a set of linked nodes.

A hierarchy represents access levels. The access types are categorized in the form of parent-child access types. This structure aids in the administration of large deployments.

An administrator can do these actions:
• Manage access types in a hierarchical tree structure.
• Search an access type by categories during an access request by using the tree structure.
• Specify an access type from any level to associate with a group or role.
• Translate organizational access types into system-defined access types in a hierarchical tree structure.
• Categorize multiple access types in an organization for a particular access category. For example, access to all financial applications can be categorized under Application > Finance.

A user can search, filter, or request for an access based upon the access types.

See the topic "Access type management" in the IBM Security Identity Manager Configuration Guide, and the topic "Creating an access type based on role" in the IBM Security Identity Manager Administration Guide.
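The following is an added example, not IBM Security Identity Manager code, showing the parent-child access-type structure described above: access types are defined by path (the text's "Application > Finance" form), a group or role can be associated at any level, and a request can search by category to find every access type and association beneath it. The category names, the entity labels, and the catalog functions are constructed assumptions.

```javascript
// Added example, not IBM Security Identity Manager code: a hierarchical
// access-type catalog. Names, paths and associations are constructed.

function createAccessTypeCatalog() {
  // Root is a synthetic node (name null) that never appears in paths.
  const root = { name: null, parent: null, children: new Map(), associations: [] };

  // "Application > Finance" -> ["Application", "Finance"]
  const segments = (path) => path.split('>').map((s) => s.trim()).filter((s) => s !== '');

  // Create the node for a path, creating any missing parents.
  function define(path) {
    let node = root;
    for (const name of segments(path)) {
      if (!node.children.has(name)) {
        node.children.set(name, { name, parent: node, children: new Map(), associations: [] });
      }
      node = node.children.get(name);
    }
    return node;
  }

  // Look up a path without creating anything; null when absent.
  function find(path) {
    let node = root;
    for (const name of segments(path)) {
      node = node.children.get(name);
      if (!node) return null;
    }
    return node;
  }

  // Full category path of a node, root excluded.
  function pathOf(node) {
    const parts = [];
    for (let n = node; n !== null && n.name !== null; n = n.parent) parts.unshift(n.name);
    return parts.join(' > ');
  }

  // Associate a group or role with an access type at any level.
  function associate(path, entity) {
    define(path).associations.push(entity);
  }

  // Depth-first walk from a node, calling visit on each node.
  function walk(node, visit) {
    visit(node);
    for (const child of node.children.values()) walk(child, visit);
  }

  // All access types at or below a category (empty category = whole tree).
  function search(categoryPath) {
    const start = categoryPath ? find(categoryPath) : root;
    if (!start) return [];
    const out = [];
    walk(start, (n) => { if (n.name !== null) out.push(pathOf(n)); });
    return out;
  }

  // Groups and roles a category-filtered access request would surface.
  function associationsUnder(categoryPath) {
    const start = find(categoryPath);
    if (!start) return [];
    const out = [];
    walk(start, (n) => out.push(...n.associations));
    return out;
  }

  return { define, find, pathOf, associate, search, associationsUnder };
}

// Constructed sample catalog.
function buildSampleCatalog() {
  const cat = createAccessTypeCatalog();
  cat.define('Application > Finance > General Ledger');
  cat.define('Application > Finance > Payroll');
  cat.define('Application > HR');
  cat.define('Infrastructure > Database');
  cat.associate('Application > Finance > Payroll', 'group:payroll-users'); // leaf level
  cat.associate('Application > Finance', 'role:finance-analyst');          // intermediate level
  cat.associate('Infrastructure > Database', 'group:dba');
  return cat;
}
```

Searching "Application > Finance" returns the category itself plus General Ledger and Payroll, and the associations under it include both the role attached at the Finance level and the group attached at the Payroll leaf.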

Account search in the self service console

Account search function is now available in the self service console.

You can now search accounts when using the following features in the self service console:
• Viewing or changing accounts
• Deleting accounts
• Changing passwords

You can base the account search on ownership type, account ID, service type (account profile), service (account type), or organizational container.

Authentication with an external user registry configured with WebSphere

The IBM Security Identity Manager authentication mechanism is integrated with the container-based security capabilities of WebSphere Application Server.


IBM Security Identity Manager users can authenticate against a WebSphere Application Server user registry, and then be mapped to an IBM Security Identity Manager user.

The login support includes:
• Forgotten password, with challenge response
• Password expiration
• Account suspension with maximum logon attempts

You can use an external user registry when doing an initial installation of IBM Security Identity Manager. Alternatively, you can install IBM Security Identity Manager with the custom registry, and then later reconfigure to use an external user registry.

Use of an external user registry requires configuration of the WebSphere security domain. IBM Security Identity Manager provides example documentation that describes how to configure an external user registry. The example documentation is in the extensions directory in the product distribution. If you want to use an external user registry during an initial installation of IBM Security Identity Manager, you must do configuration steps before the installation. If you want to configure an external user registry after the IBM Security Identity Manager installation, you must finish the installation with the default custom user registry and then manually configure the external user registry.

For more information, see the topic "Using an external user registry for authentication" in the IBM Security Identity Manager Security Guide.

Vertical cluster support

You can now install IBM Security Identity Manager in a WebSphere deployment that uses vertical clusters.

A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. You can now install IBM Security Identity Manager into both horizontal and vertical cluster topologies.

For more information, see the following topics in the IBM Security Identity Manager Installation Guide:
• "Clustered configuration"
• "Creating the WebSphere clusters for the IBM Security Identity Manager application"

Application programming interfaces

IBM Security Identity Manager supports additional application programming interfaces.

New additions include Web Services API, new APIs to manage recertification policies, and new logging APIs for use in JavaScript.

See:
• "Web Services API" on page 20
• "Extensions to the Recertification Policy API" on page 20
• "Enhanced logging APIs for use in custom JavaScript"

Web Services API

The IBM Security Identity Manager Web Services wrappers provide a lightweight communication channel to the IBM Security Identity Manager server.

You can use the Web Services API to add user functions into your custom-built applications.

The Web Services client does not depend on installation of either IBM Security Identity Manager or WebSphere Application Server.

For more information, see the topic "Web Services API" in the IBM Security Identity Manager Reference Guide.

Extensions to the Recertification Policy API

IBM Security Identity Manager uses recertification policies to automate the revalidation of entitlements granted to a user.

The introduction of new APIs provides capabilities to search, add, modify, delete, and run recertification policies in IBM Security Identity Manager from a remote application.

The recertification policy API consists of a set of Java classes. The classes abstract the more commonly used concepts of the recertification policies, such as recertification policy targets, participants, recertification action, and policy schedules.

For more information, see:
• "Recertification Policy API" in the IBM Security Identity Manager Reference Guide
• "Recertification policies" in the IBM Security Identity Manager Administration Guide

Enhanced logging APIs for use in custom JavaScript

The introduction of enhanced logging APIs provides new methods for use in custom JavaScript extensions.

The new methods provide the following increased flexibility in IBM Security Identity Manager:
• Ability to selectively log messages to the IBM Security Identity Manager trace log or message log.
• Ability to log messages at a specified severity such as ERROR, WARN, or INFO for msg.log, and DEBUG_MIN, DEBUG_MID, or DEBUG_MAX for trace.log.
• Runtime configuration of which messages are written to the log file by specifying the component-logging level in the enRoleLogging.properties file.

Before the IBM Security Identity Manager Version 6.0 release, the only logging option from JavaScript was to write to the msg.log at ERROR level. With the new logging APIs in Version 6.0, you can define custom logging or tracing messages at different logging levels. You can also control the statements that are logged through runtime configuration. The log statements that are written to the log or trace files are controlled by configuring the logging levels in the enRoleLogging.properties file. The logging level configuration is the same as for the other IBM Security Identity Manager components. The component in the file is defined by the user in their log and trace methods. This configuration provides the following capabilities:
• Fine-grained control of custom-generated trace messages.
• Flexibility to indicate which custom JavaScript piece generated the log or trace message by viewing the component and method in the resulting log record.

The new methods are on the Enrole JavaScript extension.
• For writing to the msg.log:
  – logInfo(String component, String method, String message)
  – logWarn(String component, String method, String message)
  – logError(String component, String method, String message)
• For writing to the trace.log:
  – traceMax(String component, String method, String message)
  – traceMid(String component, String method, String message)
  – traceMin(String component, String method, String message)

For more information, see the following topics in the IBM Security Identity Manager Reference Guide:
• "Enrole"
• "enRoleLogging.properties"
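The following is an added example, not code from IBM Security Identity Manager. It models the behaviour described in this section: a custom script calls the six Enrole methods with a component and method name, and a per-component level from a properties file decides which statements reach msg.log or trace.log, with the component and method visible in each record. The method names and the severity names come from the text; the property key layout, the stand-in Enrole object, the parser, and the sample components are constructed assumptions, because the real enRoleLogging.properties uses its own keys.

```javascript
// Added example, not IBM Security Identity Manager code: a model of
// component-level gating of custom JavaScript log and trace statements.
// Property keys, the Enrole stand-in and the sample components are
// constructed assumptions.

// Severity ladders. A statement is written when its level is at or
// below the threshold configured for its component.
const MSG_LEVELS = { ERROR: 0, WARN: 1, INFO: 2 };
const TRACE_LEVELS = { DEBUG_MIN: 0, DEBUG_MID: 1, DEBUG_MAX: 2 };

// Constructed .properties text standing in for enRoleLogging.properties.
const SAMPLE_PROPERTIES = `
# default thresholds for components without a specific entry
logger.msg.level.default=ERROR
logger.trace.level.default=DEBUG_MIN
# a custom workflow extension that is being debugged right now
logger.msg.level.com.example.onboarding=INFO
logger.trace.level.com.example.onboarding=DEBUG_MID
`;

// Parse Java .properties syntax: key=value lines, '#' or '!' comments.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith('!')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Threshold name for a component, falling back to the default key.
function thresholdFor(props, kind, component) {
  const specific = props[`logger.${kind}.level.${component}`];
  return specific !== undefined ? specific : props[`logger.${kind}.level.default`];
}

// Stand-in for the Enrole extension's six methods. Each written record
// carries the component and method so the origin of a line is visible.
function createEnrole(props) {
  const msgLog = [];
  const traceLog = [];
  function write(kind, ladder, sink, level, component, method, message) {
    const threshold = ladder[thresholdFor(props, kind, component)];
    if (threshold === undefined || ladder[level] > threshold) return false; // filtered out
    sink.push(`[${level}] ${component}.${method}: ${message}`);
    return true;
  }
  const msg = (level) => (c, m, text) => write('msg', MSG_LEVELS, msgLog, level, c, m, text);
  const trace = (level) => (c, m, text) => write('trace', TRACE_LEVELS, traceLog, level, c, m, text);
  return {
    logError: msg('ERROR'), logWarn: msg('WARN'), logInfo: msg('INFO'),
    traceMin: trace('DEBUG_MIN'), traceMid: trace('DEBUG_MID'), traceMax: trace('DEBUG_MAX'),
    msgLog, traceLog,
  };
}

// Run two constructed custom scripts against the sample configuration
// and report how many statements reached each log.
function runDemo() {
  const Enrole = createEnrole(parseProperties(SAMPLE_PROPERTIES));
  const onb = 'com.example.onboarding';
  const other = 'com.example.entitlement';
  Enrole.logInfo(onb, 'createPerson', 'request received');         // INFO <= INFO: written
  Enrole.logWarn(onb, 'createPerson', 'manager attribute missing'); // written
  Enrole.traceMid(onb, 'createPerson', 'evaluating policy set');    // DEBUG_MID <= DEBUG_MID: written
  Enrole.traceMax(onb, 'createPerson', 'raw attribute dump');       // DEBUG_MAX > DEBUG_MID: filtered
  Enrole.logInfo(other, 'evaluate', 'entitlement matched');         // default ERROR: filtered
  Enrole.logError(other, 'evaluate', 'service unreachable');        // written
  Enrole.traceMin(other, 'evaluate', 'entering');                   // DEBUG_MIN <= DEBUG_MIN: written
  return { msg: Enrole.msgLog.length, trace: Enrole.traceLog.length, msgLog: Enrole.msgLog };
}
```

Raising only the onboarding component to INFO and DEBUG_MID leaves every other custom script at the ERROR and DEBUG_MIN defaults, which is the runtime control the section describes: the verbose trace for one extension does not flood the shared trace.log.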

Report data synchronization enhancements

Report data synchronization was redesigned to improve performance, and a new utility provides remote data synchronization capability.

Note: Though IBM Tivoli Common Reporting is currently supported, it is being deprecated. The best practice is to use IBM Cognos Business Intelligence Server version 10.2.1 to generate IBM Security Identity Manager reports.

The report data synchronization enhancements are:
• Redesign to improve the performance of data synchronization of the following entity types:
  – Accounts
  – Authorization Owners
  – Groups
  – Organizational Containers
  – People
  – Roles
  – Services
  See the file ISIM_HOME/data/ReportDataSynchronization.properties for more details about the following properties:
  – accountSynchronizationStrategy
  – authorizationOwnerSynchronizationStrategy
  – groupSynchronizationStrategy
  – organizationalContainerSynchronizationStrategy
  – personSynchronizationStrategy
  – roleSynchronizationStrategy
  – serviceSynchronizationStrategy

• IBM Security Identity Manager report data synchronization utility: A self-contained utility that can be used to run the report data synchronization process outside of the IBM Security Identity Manager operational environment.

See the topic "Data synchronization" in the IBM Security Identity Manager Administration Guide.

Health monitoring

The IBM Security Identity Manager server is enhanced to provide deployment health monitoring features. These features include monitoring of performance and availability of various requests in the key components.

The provisioning and workflow components add instrumentation, which tracks events in the WebSphere Performance Monitoring Infrastructure (PMI) system. Additionally, the server includes new APIs to better integrate with monitoring products, such as IBM Tivoli Monitoring.

For more information, see the topic "IBM Security Identity Manager deployment health monitoring" in the IBM Security Identity Manager Performance Tuning Guide.

IBM Cognos reporting framework

IBM Security Identity Manager version 6.0 provides the Cognos reporting framework to create and analyze reports. You can modify the schema and generate reports in different formats.

Note: Cognos reporting does not support Microsoft SQL Server database. Use DB2database or Oracle database instead.

The IBM Cognos reporting framework includes the following items:

Reporting model
   Represents the business view of IBM Security Identity Manager data. You can use the models to customize and generate different types of reports that suit your requirements.

Static reports
   Ready-to-use reports that are bundled with the IBM Security Identity Manager reporting packages.


Chapter 4. Known limitations, problems, and workarounds

You can view the known software limitations, problems, and workarounds on the IBM Security Identity Manager Support site.

The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience.

The following link launches a customized query of the live Support knowledge base for items specific to version 6.0:

IBM Security Identity Manager Version 6.0 technical notes

To create your own query, go to the Advanced search page on the IBM Software Support website.



Chapter 5. Features overview

IBM Security Identity Manager delivers simplified identity management capabilities in a solution that is easy to install, deploy, and manage.

IBM Security Identity Manager provides essential password management, user provisioning, and auditing capabilities.

Access management

In a security lifecycle, IBM Security Identity Manager and several other products provide access management. You can determine who can enter your protected systems. You can also determine what they can access, and ensure that users access only what they need for their business tasks.

Access management addresses three questions from the business point of view:
• Who can come into my systems?
• What can they do?
• Can I easily prove what they did with that access?

These products validate the authenticity of all users with access to resources, and ensure that access controls are in place and consistently enforced:
• IBM Security Identity Manager
  Provides a secure, automated, and policy-based user management solution that helps effectively manage user identities throughout their lifecycle across both legacy and e-business environments. IBM Security Identity Manager provides centralized user access to disparate resources in an organization, with policies and features that streamline operations associated with user-resource access. As a result, your organization realizes numerous benefits, including:
  – Web self-service and password reset and synchronization; users can self-administer their passwords with the rules of a password management policy to control access to multiple applications. Password synchronization enables a user to use one password for all accounts that IBM Security Identity Manager manages.
  – Quick response to audits and regulatory mandates
  – Automation of business processes related to changes in user identities by providing lifecycle management
  – Centralized control and local autonomy
  – Enhanced integration with the use of extensive APIs
  – Choices to manage target systems either with an agent or agentless approach
  – Reduced help desk costs
  – Increased access security through the reduction of orphaned accounts
  – Reduced administrative costs through the provisioning of users with software automation
  – Reduced costs and delays associated with approving resource access to new and changed users
• IBM Security Access Manager
  Enables your organization to use centralized security policies for specified user groups to manage access authorization throughout the network, including the vulnerable, internet-facing web servers. IBM Security Access Manager can be tightly coupled with IBM Security Identity Manager to reconcile user groups and accounts managed by IBM Security Access Manager with the identities managed by IBM Security Identity Manager to provide an integrated solution for resource access control. IBM Security Access Manager delivers:
  – Unified authentication and authorization access to diverse web-based applications within the entire enterprise
  – Flexible single sign-on to web, Microsoft, telnet and mainframe application environments
  – Rapid and scalable deployment of web applications, with standards-based support for Java Platform, Enterprise Edition (Java EE) applications
  – Design flexibility through a highly scalable proxy architecture and easy-to-install web server plug-ins, rule- and role-based access control, support for leading user registries and platforms, and advanced APIs for customized security
• IBM Security Federated Identity Manager
  Handles all the configuration information for a federation across organizational boundaries, including the partner relationships, identity mapping, and identity token management. IBM Security Federated Identity Manager enables your organization to share services with business partner organizations and obtain trusted information about third-party identities such as customers, suppliers, and client employees. You can obtain user information without creating, enrolling, or managing identity accounts with the organizations that provide access to services that are used by your organization. So, users are spared from registering at a partner site, and from remembering additional logins and passwords. The result is improved integration and communication between your organization and your suppliers, business partners, and customers.

For more information about how access management products fit in larger solutions for a security lifecycle, see the IBM Security Management website: http://www.ibm.com/software/tivoli/solutions/security/

IBM Redbooks® and Redpapers also describe implementing IBM Security Identity Manager within a portfolio of IBM security products.

Shared access

IBM Security Identity Manager supports shared access by providing a shared access module.

Installation and use of the shared access module is required for the IBM privileged identity management solution. The shared access module is licensed as part of the IBM Security Privileged Identity Manager product. When you purchase IBM Security Privileged Identity Manager, you obtain a license that enables you to use the IBM Security Identity Manager shared access module.

The shared access module extends the IBM Security Identity Manager support for account provisioning, and also extends the identity and governance framework.

Highlights:
v Credential vault management for shared credentials, which can be connected or not connected to accounts.

26 IBM Security Identity Manager Version 6.0: Product Overview Guide

v Shared access uses secure check in, check out, and logging of credentials from a credential vault server.

v Administrative control of shared credential access ensures individual accountability.

v Java APIs and Web Services APIs make it possible for application clients to programmatically access shared credentials.

v There is role-based access control for shared credential access and shared account ownership.

v Lifecycle management of shared credentials. This management includes role-based access requests, role membership, and shared credential access.

v There is end-to-end auditing for administration and shared credential access activities.

v There are web applications for shared credential administration and manual check out and check in.

v Automation of checkout and checkin is achieved when IBM Security Identity Manager is deployed as part of the IBM Security Privileged Identity Manager product solution.

Shared access documentation

The shared access documentation includes topics that describe installation, configuration, administration, and troubleshooting of the shared access module. The documentation also describes shared access programming APIs, database schema, directory server schema, and user scenarios.

Features

Table 10. Shared access features

| Description | Link to documentation |
|---|---|
| Shared access module features | "Shared access" on page 26 |
| Roadmap for deploying shared access for a managed resource | "Roadmap for configuring shared access for a managed resource" on page 30 |
| Privileged administrator view and default access control items | See the topic "Scope of the privileged administrator group" in the IBM Security Identity Manager Planning Guide |
| Privileged user view and default access control items | See the topic "Scope of the privileged user group" in the IBM Security Identity Manager Planning Guide |

Installation and upgrade

Table 11. Installation and upgrade

| Description | See the following topics in the IBM Security Identity Manager Installation Guide |
|---|---|
| Installation of the shared access module | "Shared access module configuration" |
| Addition of the shared access module during an upgrade on a WebSphere single server | "Configuring the shared access module during upgrade on a WebSphere single server" |
| Addition of the shared access module during an upgrade on a WebSphere cluster | "Configuring the shared access module during upgrade on a WebSphere cluster" |

Chapter 5. Features overview 27

Table 11. Installation and upgrade (continued)

| Description | See the following topics in the IBM Security Identity Manager Installation Guide |
|---|---|
| Update of the shared access module after reconfiguration of a database or directory server | "Reconfiguring the shared access module" |

System configuration

Table 12. System configuration

| Description | See the following topics in the IBM Security Identity Manager Configuration Guide |
|---|---|
| Shared access configuration, including configuration of an external credential vault server | "Shared access configuration" |
| Advanced shared access configuration, including customization of operations | "Shared access advanced configuration" |

Administration

Table 13. Shared access administration

| Description | See the following topics in the IBM Security Identity Manager Administration Guide |
|---|---|
| Shared access administration: managing the credential vault, which includes adding, modifying, connecting, disconnecting, removing, and checking in credentials, and also covers registering credential passwords and viewing password history; creating, modifying, and deleting credential pools; creating, modifying, and deleting shared access policies; shared access bulk load | "Shared access administration" |
| Default access control items for Shared Access Module | "Default access control items" |
| Reporting: shared access objects you can use to customize reports, with examples of creating a custom report to view all shared access credentials checked out, creating a check in audit report, and creating a role and shared access entitlement report | "Shared Access objects for custom reports" |
| Shared access IBM Cognos reporting framework reports | "Shared access history report"; "Shared access entitlement by owner"; "Shared access entitlement by role" |


Data references

Table 14. Data references

| Description | See the following topics in the IBM Security Identity Manager Database and Directory Server Schema Reference |
|---|---|
| Shared access database tables reference | "Shared access tables" in the "Database tables reference" section |
| Shared access classes for IBM Tivoli Directory Server schema and class reference | "Shared access classes" in the "IBM Tivoli Directory Server schema and class reference" section |
| Auditing schema for shared access policy management | In the "Auditing schema tables" section, see: "Shared Access Policy Management"; "Credential Lease management"; "Credential pool management"; "Credential management" |

Troubleshooting

Table 15. Shared access troubleshooting

| Description | See the following topic: |
|---|---|
| Troubleshooting: shared access configuration must be updated when LDAP schema or database tables are updated; requests to add credentials to the credential vault can fail because of incorrectly configured properties files; incorrect configuration of credential attributes can prevent users from accessing the shared credential | "Troubleshooting Shared Access Module problems" in the IBM Security Identity Manager Troubleshooting Guide |

Application programming interfaces

Table 16. Shared access application programming interfaces

| Description | See the following topics in the IBM Security Identity Manager Reference Guide |
|---|---|
| Shared Access Application APIs | "Shared Access Application APIs" |
| Shared Access Web Services APIs | "Shared Access Web Services APIs" |
| Shared Access Authorization Extension APIs | "Shared Access Authorization Extension APIs" |
| Shared Access JavaScript APIs | "CredentialModelExtension" |


User scenarios for shared access

Table 17. Shared access for users

| Description | See the following topics in the IBM Security Identity Manager Scenarios Guide |
|---|---|
| User scenario for checking out a credential or credential pool | "Checking out a credential or a credential pool" |
| User scenario for viewing the password of a shared credential | "Viewing the password for a shared credential" |
| Privileged user view and default access control items | "Scope of the privileged user group" |

Roadmap for configuring shared access for a managed resource

This roadmap provides high-level steps for configuring shared access for a new managed resource in IBM Security Privileged Identity Manager.

The IBM Security Privileged Identity Manager product solution includes the IBM Security Identity Manager shared access capability that is provided by the shared access module. IBM Security Privileged Identity Manager also includes the IBM Security Access Manager for Enterprise Single Sign-on support for automated checkout and checkin of shared credentials. This roadmap describes how to configure shared access in a deployment that also supports automated checkout and checkin of shared credentials.

Prerequisites

| Requirement | Installation instructions |
|---|---|
| Install the Shared Access Module on the IBM Security Identity Manager server. | See the topic "Shared access module configuration" in the IBM Security Identity Manager Installation Guide. |
| Install the AccessAgent component on client computers that require credential check-in and check-out automation. | See the IBM Security Privileged Identity Manager Deployment Guide in the IBM Security Privileged Identity Manager product documentation website. |


Flowchart for configuring shared access for a managed resource

Figure 1. Flowchart for configuring shared access for a managed resource

The flowchart shows the following steps, which the sections that follow describe in the same order:

1. Ensure that all prerequisites are met.
2. Import or configure service types in IBM Security Identity Manager for the managed resource. Perform this step when a new service type or application is required.
3. Import or configure the application for IBM Security Access Manager for Enterprise Single Sign-on.
4. Decide whether password reset is required on credential checkin for the managed resource. The steps on the Yes branch are needed only when you want the password to be reset when the credential for the managed resource is checked in.
5. Yes branch: configure the managed resource that is supported by IBM Security Identity Manager (install and configure the adapter for the managed resource, which does not apply to agentless adapters; create the service instance for the managed resource; set the service unique identifier). Define roles and provisioning policies to grant ownership of sponsored accounts (reconcile groups and accounts; identify or create groups for privileged access to managed resources; provision or adopt privileged accounts to authorized owners). Add credentials with a connection to an account to the vault (add credentials from accounts; add the credential pool from the service group).
6. No branch: add credentials without a connection to an account to the vault.
7. Configure a shared access policy to grant access to the credentials or credentials in the pool (define roles for the group of users who can access the credentials or credentials in the pool; define the shared access policy to allow role members to access them). Note: Only the credentials with the connection to the account can be in the credential pool.


For each resource type, you must configure the profile information in IBM Security Identity Manager either by importing the service type or by creating the service type for a manual service.

For information about importing service types, see "Importing service types" in the Configuration Guide in the IBM Security Identity Manager product documentation website at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm.

For information about creating manual service types, see "Creating service types" in the Configuration Guide in the IBM Security Identity Manager product documentation website at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm.

Import or configure the application for IBM Security Access Manager for Enterprise Single Sign-on

Perform these steps for each application that is supported in IBM Security Access Manager for Enterprise Single Sign-on.

| Step | See |
|---|---|
| Prepare the privileged identity policies and AccessProfiles on the IMS Server. | "Preparing privileged identity policies and AccessProfiles on the IMS™ Server" in the IBM Security Privileged Identity Manager Deployment Guide in the IBM Security Privileged Identity Manager product documentation website |

Is password reset required on credential checkin for the managed resource

You can add a credential with or without a connection to an account. If the credential is connected to an account, you can optionally configure the credential so that the password can be changed when you check in the credential. The password for both the credential and account are changed at checkin if this option is enabled.

Is password reset required on credential checkin for the managed resource?

| Answer | Action |
|---|---|
| Yes | You must add the credential with a connection to an account. |
| No | You can add the credential without a connection to an account. |

Configure the managed resource that is supported by IBM Security Identity Manager

Note: You must follow these steps every time there is a new managed resource on your system.


Table 18. Configuring managed resources that are supported by the IBM Security Identity Manager

| Steps | See |
|---|---|
| Install and configure the IBM Security Identity Manager adapter for the managed resource. Note: This step does not apply to agentless adapters. | Adapter documentation in the IBM Security Identity Manager product documentation website at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm |
| Create the IBM Security Identity Manager service instance for the managed resource. | "Creating services" in the Administration Guide |
| Set the service unique identifier in the managed resource service definition in IBM Security Identity Manager (using the administrative console) with the unique identifier that you use to connect to the managed resource on the AccessAgent. For example, the unique identifier might be an IP address or host name of the server. | "Setting the service unique identifier" in the Administration Guide |

Define roles and provisioning policies to grant ownership of sponsored accounts

Perform these tasks in IBM Security Identity Manager.

Table 19. Defining roles and provisioning policies to grant ownership of sponsored accounts

| Steps | See the following topics in the Administration Guide |
|---|---|
| Reconcile groups and accounts. | "Managing reconciliation schedules" |
| Define roles and provisioning policies to grant ownership of sponsored accounts. | "Creating a provisioning policy"; "Creating roles"; "Specifying owners of a role" |
| Identify or create groups for privileged access to managed resources. | "Creating groups"; "Defining access on a group" |
| Provision or adopt privileged accounts to authorized owners. The account that is used for shared access must be a sponsored account. The ownership type for the account can be anything other than Individual. | If an account does not exist on the service, see "Requesting accounts on a service". If an account exists on the service, see "Assigning an account to a user". For general information about sponsored accounts, see "Managing accounts". |

Add credentials with a connection to an account to the vault

If you want the password on the credential and on the managed resource to be changed when you check in the credential, you must add the credential from the account. To add credentials with a connection to an account, you must either add the credential from an account or create a credential pool from the service group.


Table 20. Adding credentials with a connection to an account to the vault

| Step | See the following topics in the Administration Guide |
|---|---|
| Add credentials from accounts | "Adding credentials that are connected to an account through Manage Credential Vault" |
| Add the credential pool from the service group | "Creating credential pools" |

Add credentials without a connection to an account to the vault

If you do not want the password on the credential and on the managed resource to be changed when you check in the credential, you can add the credential without a connection to an account.

Table 21. Adding credentials without a connection to an account to the vault

| Step | See the following topics in the Administration Guide |
|---|---|
| Add credentials that are not connected to accounts | "Adding credentials that are not connected to an account through Manage Credential Vault" |

Configure a shared access policy to grant access to the credentials or credentials in the pool

After you add the credentials or credential pool, you must configure the shared access policy to allow users to check out or check in the credentials or credential pools.

Note: Only credentials with a connection to an account can be in the credential pool.

Table 22. Configuring a shared access policy to grant access to the credentials

| Steps | See the following topics in the Administration Guide |
|---|---|
| Define roles for the group of users who can access the credentials or credentials in the pool. | "Creating roles" |
| Define a shared access policy to allow role members to access credentials or credentials in the pool. | "Creating shared access policies" |
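The shared access highlights earlier in this chapter (role-based access to shared credentials, check out and check in with individual accountability, password change at check in for account-connected credentials, end-to-end auditing) and this roadmap's rule that only account-connected credentials can be pooled can be exercised in a small model. The following Python block is an added example written for this overview; it is not IBM Security Identity Manager code and not its Java or Web Services API. The class names, the one-hour lease, the sample service, credentials, roles, and users are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

@dataclass
class Credential:
    name: str
    service: str
    password: str
    account_id: Optional[str] = None       # set when the credential is connected to an account
    reset_on_checkin: bool = False         # change the credential (and account) password at check in
    lease_holder: Optional[str] = None     # user who currently has the credential checked out
    lease_expires: Optional[datetime] = None

@dataclass
class SharedAccessPolicy:
    name: str
    roles: Set[str]        # members of these roles may check out
    targets: Set[str]      # credential names and pool names the policy grants

class CredentialVault:
    """Constructed model of a vault with check-out/check-in leases and an audit trail."""

    def __init__(self):
        self.credentials: Dict[str, Credential] = {}
        self.pools: Dict[str, List[str]] = {}
        self.policies: List[SharedAccessPolicy] = []
        self.audit: List[tuple] = []       # (time, actor, action, target, detail)

    def _log(self, when, actor, action, target, detail=""):
        self.audit.append((when.isoformat(), actor, action, target, detail))

    def add_credential(self, cred, admin, when):
        self.credentials[cred.name] = cred
        self._log(when, admin, "add_credential", cred.name,
                  "connected" if cred.account_id else "not connected")

    def create_pool(self, pool, service, admin, when):
        # Only credentials with a connection to an account can be in a pool.
        self.pools[pool] = [c.name for c in self.credentials.values()
                            if c.service == service and c.account_id is not None]
        self._log(when, admin, "create_pool", pool, ",".join(self.pools[pool]))
        return list(self.pools[pool])

    def _authorized(self, roles, target):
        return any(p.roles & roles and target in p.targets for p in self.policies)

    def checkout(self, user, roles, target, when, lease_hours=1):
        """Lease a credential, or one free credential of a pool, to a role member."""
        if not self._authorized(roles, target):
            self._log(when, user, "checkout_denied", target, "no shared access policy applies")
            return None
        for name in self.pools.get(target, [target]):
            cred = self.credentials[name]
            if cred.lease_holder is not None and cred.lease_expires > when:
                continue                   # still checked out by someone else
            cred.lease_holder = user
            cred.lease_expires = when + timedelta(hours=lease_hours)
            self._log(when, user, "checkout", name, f"lease until {cred.lease_expires.isoformat()}")
            return cred
        self._log(when, user, "checkout_denied", target, "all credentials are checked out")
        return None

    def checkin(self, user, name, when):
        """Return a credential; only the lease holder may, which keeps individual accountability."""
        cred = self.credentials[name]
        if cred.lease_holder != user:
            self._log(when, user, "checkin_denied", name, f"lease held by {cred.lease_holder}")
            return False
        if cred.account_id is not None and cred.reset_on_checkin:
            cred.password = secrets.token_urlsafe(16)   # the account password changes as well
            self._log(when, user, "password_reset", name, f"account {cred.account_id}")
        cred.lease_holder = cred.lease_expires = None
        self._log(when, user, "checkin", name)
        return True

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)
    vault = CredentialVault()
    vault.add_credential(Credential("db-sa", "oracle-prod", "initial-1", account_id="sa",
                                    reset_on_checkin=True), "admin", t0)
    vault.add_credential(Credential("db-monitor", "oracle-prod", "initial-2", account_id="monitor"),
                         "admin", t0)
    vault.add_credential(Credential("vendor-portal", "oracle-prod", "initial-3"), "admin", t0)
    pool = vault.create_pool("oracle-prod-pool", "oracle-prod", "admin", t0)   # excludes vendor-portal
    vault.policies.append(SharedAccessPolicy("DBA access", {"dba"}, {"db-sa", "oracle-prod-pool"}))
    first = vault.checkout("alice", {"dba"}, "db-sa", t0)
    first_holder = first.lease_holder if first else None
    denied = vault.checkout("bob", {"helpdesk"}, "db-sa", t0)                 # no policy for helpdesk
    bob_checkin = vault.checkin("bob", "db-sa", t0 + timedelta(minutes=5))    # not the lease holder
    alice_checkin = vault.checkin("alice", "db-sa", t0 + timedelta(minutes=30))
    return {"pool": pool, "first_holder": first_holder, "bob_denied": denied is None,
            "bob_checkin": bob_checkin, "alice_checkin": alice_checkin,
            "password_changed": vault.credentials["db-sa"].password != "initial-1",
            "audit_actions": [entry[2] for entry in vault.audit]}
```

Every decision the vault makes, including denials, is written to the audit list, which is what makes a later "who held this credential at that time" question answerable; the unconnected vendor-portal credential is left out of the pool, and the password of the account-connected db-sa credential changes when alice checks it in.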

Support for corporate regulatory compliance

IBM Security Identity Manager provides support for corporate regulatory compliance.

Compliance areas

IBM Security Identity Manager addresses corporate regulatory compliance in the following key areas:
v Provisioning and the approval workflow process
v Audit trail tracking
v Enhanced compliance status
v Password policy and password compliance
v Account and access provisioning authorization and enforcement
v Recertification policy and process
v Reports

Provisioning and the approval workflow process

IBM Security Identity Manager provides support for provisioning, for user accounts and for access to various resources. Implemented within a suite of security products, IBM Security Identity Manager plays a key role to ensure that resources are provisioned only to authorized persons. IBM Security Identity Manager safeguards the accuracy and completeness of information processing methods and grants authorized users access to information and associated assets. IBM Security Identity Manager provides an integrated software solution for managing the provisioning of services, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its provisioning features to control the setup and maintenance of user access to system and account creation on a managed resource.

At its highest level, an identity management solution automates and centralizes the process of provisioning resources. The solution includes operating systems and applications, and people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the provisioning policies and procedures. However, the organization tree used for provisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all levels can use standardized procedures for managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth of the provisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among various organizations.

The approval process can be associated with different types of provisioning requests, including account and access provisioning requests. Lifecycle operations can also be customized to incorporate the approval process.

Models for provisioning

Depending on business needs, IBM Security Identity Manager provides alternatives to provision resources to authorized users on request-based, role-based, or hybrid models.

Approval workflows

Account and access request workflows are started during account and access provisioning. You typically use account and access request workflows to define approval workflows for account and access provisioning.

Account request workflows provide a decision-based process to determine whether the entitlement provided by a provisioning policy is granted. The entitlement provided by a provisioning policy specifies the account request workflow that applies to the set of users in the provisioning policy membership. Multiple provisioning policies might apply to the same user for the same service target.


There might also be different account request workflows in each provisioning policy. The account request workflow for the user is based on the priority of the provisioning policy. If a provisioning policy has no associated workflow and the policy grants an account entitlement, the operations that are related to the request run immediately. For example, an operation might add an account.

However, if a provisioning policy has an associated workflow, that workflow runs before the policy grants the entitlement. If the workflow returns a result of Approved, the policy grants the entitlement. If the workflow has a result of Rejected, the entitlement is not granted. For example, a workflow might require a manager's approval. Until the approval is submitted and the workflow completes, the account is not provisioned. When you design a workflow, consider the intent of the provisioning policy and the purpose of the entitlement itself.
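To make the priority rule concrete, here is an added Python model, not product code: it resolves which of several matching provisioning policies applies to a user on a service, and then either runs that policy's approval workflow or provisions immediately when no workflow is attached. The policy names, roles, services, the manager-approval stand-in, and the convention that a lower priority number wins are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

@dataclass
class ProvisioningPolicy:
    name: str
    priority: int                 # assumption for this model: a lower number wins
    member_roles: Set[str]        # users in these roles are in the policy membership
    service: str
    workflow: Optional[Callable[[Dict[str, str]], str]] = None  # returns "Approved" or "Rejected"

@dataclass
class User:
    uid: str
    roles: Set[str]

def applicable_policies(user: User, service: str, policies: List[ProvisioningPolicy]):
    """Policies that entitle this user on this service, best priority first."""
    matches = [p for p in policies if p.service == service and p.member_roles & user.roles]
    return sorted(matches, key=lambda p: p.priority)

def request_account(user: User, service: str, policies: List[ProvisioningPolicy],
                    audit: List[tuple]) -> str:
    """Outcome of an account request: 'Provisioned', 'Rejected' or 'NoEntitlement'."""
    matches = applicable_policies(user, service, policies)
    if not matches:
        audit.append((user.uid, service, "no provisioning policy grants an entitlement"))
        return "NoEntitlement"
    policy = matches[0]           # the highest-priority policy decides which workflow runs
    if policy.workflow is None:
        audit.append((user.uid, service, f"{policy.name}: no workflow, account added immediately"))
        return "Provisioned"
    result = policy.workflow({"user": user.uid, "service": service})
    audit.append((user.uid, service, f"{policy.name}: workflow result {result}"))
    return "Provisioned" if result == "Approved" else "Rejected"

def manager_approval(request: Dict[str, str]) -> str:
    """Constructed stand-in for a manager approval activity."""
    return "Rejected" if request["user"].startswith("contractor") else "Approved"

POLICIES = [
    ProvisioningPolicy("Staff: Linux login", priority=10, member_roles={"employee"},
                       service="linux-prod"),
    ProvisioningPolicy("Admins: Linux login", priority=1, member_roles={"sysadmin"},
                       service="linux-prod", workflow=manager_approval),
]

def demo():
    audit: List[tuple] = []
    requests = [
        User("alice", {"employee"}),                 # staff policy only: no workflow
        User("bob", {"employee", "sysadmin"}),       # both policies match: admin policy wins on priority
        User("contractor1", {"sysadmin"}),           # admin policy, workflow rejects
        User("eve", {"guest"}),                      # no entitlement at all
    ]
    outcomes = {u.uid: request_account(u, "linux-prod", POLICIES, audit) for u in requests}
    return outcomes, audit
```

The audit list records which policy and which workflow result produced each outcome, which is the information the request audit trail described under Tracking below exists to capture.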

Tracking

IBM Security Identity Manager provides audit trail information about how and why a user has access. On a request basis, IBM Security Identity Manager provides a process to grant, modify, and remove access to resources throughout a business. The process provides an effective audit trail with automated reports.

The steps involved in the process, including approval and provisioning of accounts, are logged in the request audit trail. Corresponding audit events are generated in the database for audit reports. User and Account lifecycle management events, including account and access changes, recertification, and compliance violation alerts, are also logged in the audit trail.

Enhanced compliance status

IBM Security Identity Manager provides enhanced compliance status on items such as dormant and orphan accounts, provisioning policy compliance status, recertification status, and various reports.
v Dormant accounts. You can view a list of dormant accounts with the Reports feature. IBM Security Identity Manager includes a dormant account attribute to service types that you can use to find and manage unused accounts on services.

v Orphan accounts. Accounts on the managed resource whose owner in the Security Identity Manager Server cannot be determined are orphan accounts. These accounts are identified during reconciliation when the applicable adoption rule cannot successfully determine the owner of an account.

v Provisioning policy compliance status. The compliance status based on the specification of provisioning policy is available for accounts and access. An account can be either compliant, non-compliant with attribute value violations, or disallowed. An access is either compliant or disallowed.

v Recertification status. The recertification status is available for user, account, and access target types, which indicates whether the target type is certified, rejected, or never certified. The timestamp of the recertification is also available.
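The dormant and orphan cases above are both outcomes of reconciliation. The following added Python example, which is not product code, runs a constructed adoption rule (match the account's owner_email attribute to a person record) over a few reconciled accounts and separates them into owned, orphan, and dormant sets. The attribute name, the person records, the sample accounts, and the 90-day dormancy threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class ReconciledAccount:
    service: str
    account_id: str
    attributes: Dict[str, str]      # attribute values read from the managed resource
    last_login: Optional[date]      # None if the resource reports no login at all

def adoption_rule(account: ReconciledAccount, people: List[Dict[str, str]]) -> Optional[str]:
    """Constructed adoption rule: match the owner_email attribute to a person record (case-insensitive)."""
    email = account.attributes.get("owner_email", "").strip().lower()
    if not email:
        return None
    for person in people:
        if person["email"].lower() == email:
            return person["uid"]
    return None

def classify(accounts: List[ReconciledAccount], people: List[Dict[str, str]],
             today: date, dormant_after_days: int = 90):
    """Return (owned, orphan, dormant): owner map, orphan account ids, dormant account ids."""
    owned: Dict[str, str] = {}
    orphan: List[str] = []
    dormant: List[str] = []
    for acct in accounts:
        owner = adoption_rule(acct, people)
        if owner is None:
            orphan.append(acct.account_id)        # adoption rule found no owner
        else:
            owned[acct.account_id] = owner
        # An account is dormant when it has not been used within the threshold;
        # ownership and dormancy are independent, so one account can be both.
        unused = acct.last_login is None or (today - acct.last_login).days > dormant_after_days
        if unused:
            dormant.append(acct.account_id)
    return owned, orphan, dormant

# Constructed person records and reconciled accounts
PEOPLE = [{"uid": "jdoe", "email": "jdoe@example.com"},
          {"uid": "asmith", "email": "asmith@example.com"}]
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    ReconciledAccount("linux-prod", "jdoe", {"owner_email": "JDoe@example.com"}, date(2024, 5, 20)),
    ReconciledAccount("linux-prod", "asmith", {"owner_email": "asmith@example.com"}, date(2023, 11, 1)),
    ReconciledAccount("linux-prod", "backup-svc", {"owner_email": "ops@example.com"}, date(2024, 5, 31)),
    ReconciledAccount("linux-prod", "oldadmin", {}, None),
]

def demo():
    return classify(ACCOUNTS, PEOPLE, TODAY)
```

The two lists are what the Orphan Accounts and Dormant Accounts reports later in this section would be built from; an account such as oldadmin that is both orphan and dormant is the case that most needs a reviewer's attention.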

Password policy and password compliance

Use IBM Security Identity Manager to create and manage password policies. A password policy defines the password strength rules that are used to determine whether a new password is valid. A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be five. The rule might specify that the maximum number of characters must be 10.


The IBM Security Identity Manager administrator can also create new rules to be used in password policies.

If password synchronization is enabled, the administrator must ensure that password policies do not have any conflicting password strength rules. When password synchronization is enabled, IBM Security Identity Manager combines policies for all accounts that are owned by the user to determine the password to be used. If conflicts between password policies occur, the password might not be set.
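The following added Python example (not product code; the rule types and the per-service policies are constructed for illustration) combines the policies of all accounts a user owns into one effective policy, as happens under password synchronization, validates a candidate password against it, and shows the failure mode the paragraph describes: when one policy's minimum length exceeds another's maximum length, no password can satisfy the combined rules.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class PasswordPolicy:
    name: str
    min_length: int = 0
    max_length: int = 10_000
    min_digits: int = 0
    forbidden: List[str] = field(default_factory=list)   # substrings that must not appear

def combine(policies: List[PasswordPolicy]) -> PasswordPolicy:
    """Strictest combination of the policies of every account the user owns."""
    combined = PasswordPolicy("combined")
    combined.min_length = max(p.min_length for p in policies)
    combined.max_length = min(p.max_length for p in policies)
    combined.min_digits = max(p.min_digits for p in policies)
    for p in policies:
        combined.forbidden.extend(s for s in p.forbidden if s not in combined.forbidden)
    return combined

def conflicts(policy: PasswordPolicy) -> List[str]:
    """Rules no password can satisfy; with synchronization on, such a policy cannot set a password."""
    found = []
    if policy.min_length > policy.max_length:
        found.append(f"minimum length {policy.min_length} exceeds maximum length {policy.max_length}")
    if policy.min_digits > policy.max_length:
        found.append(f"minimum digit count {policy.min_digits} exceeds maximum length {policy.max_length}")
    return found

def violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Strength rules the candidate password breaks (empty list means it is valid)."""
    found = []
    if len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        found.append(f"longer than {policy.max_length}")
    if sum(ch.isdigit() for ch in password) < policy.min_digits:
        found.append(f"fewer than {policy.min_digits} digits")
    for s in policy.forbidden:
        if s.lower() in password.lower():
            found.append(f"contains forbidden text {s!r}")
    return found

# Constructed per-service policies for the accounts one user owns
LINUX = PasswordPolicy("linux-prod", min_length=8, max_length=64, min_digits=1, forbidden=["password"])
MAINFRAME = PasswordPolicy("zos-prod", min_length=5, max_length=8)   # eight-character limit
LEGACY = PasswordPolicy("legacy-app", min_length=12)                 # cannot coexist with MAINFRAME

def demo():
    synced = combine([LINUX, MAINFRAME])            # effective: 8 to 8 characters, one digit
    broken = combine([LINUX, MAINFRAME, LEGACY])    # minimum 12 but maximum 8: unsatisfiable
    return {
        "effective": (synced.min_length, synced.max_length, synced.min_digits),
        "ok": violations("Tr0ub4dr", synced),
        "too_long": violations("Troubadour99", synced),
        "conflict": conflicts(broken),
        "no_conflict": conflicts(synced),
    }
```

Checking conflicts() at the time a policy is saved, rather than when a user first tries to change a password, is the administrative check the paragraph asks for.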

Provisioning policy and policy enforcement

A provisioning policy grants access to many types of managed resources, such as IBM Security Identity Manager server, Windows NT servers, and Solaris servers.

Provisioning policy parameters help system administrators define the attribute values that are required and the values that are allowed.

Policy enforcement is the manner in which IBM Security Identity Manager allows or disallows accounts that violate provisioning policies.

You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute.

Mark
    Sets a mark on an account that has a noncompliant attribute.

Suspend
    Suspends an account that has a noncompliant attribute.

Correct
    Replaces a noncompliant attribute on an account with the correct attribute.

Alert
    Issues an alert for an account that has a noncompliant attribute.
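The four actions can be compared on one noncompliant account. This added Python example is not product code; the attribute rules (a set of allowed values and a set of required values per attribute), the group and shell values, and the treatment of account attributes as multi-valued sets are assumptions made for the example.

```python
import copy
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class Enforcement(Enum):
    MARK = "Mark"
    SUSPEND = "Suspend"
    CORRECT = "Correct"
    ALERT = "Alert"

@dataclass
class AttributeRule:
    attribute: str
    allowed: Optional[Set[str]] = None                  # every value must be in this set (None = any)
    required: Set[str] = field(default_factory=set)     # values that must be present

@dataclass
class Account:
    account_id: str
    attributes: Dict[str, Set[str]]     # multi-valued attributes, for example group membership
    status: str = "active"
    marked: bool = False

def noncompliant(account: Account, rules: List[AttributeRule]) -> List[Tuple[str, str, Set[str]]]:
    """(attribute, problem, offending values) for every rule the account violates."""
    findings = []
    for rule in rules:
        values = account.attributes.get(rule.attribute, set())
        if rule.allowed is not None and not values <= rule.allowed:
            findings.append((rule.attribute, "disallowed", values - rule.allowed))
        if not rule.required <= values:
            findings.append((rule.attribute, "missing", rule.required - values))
    return findings

def enforce(account: Account, rules: List[AttributeRule], action: Enforcement,
            alerts: List[str]) -> Account:
    """Apply one enforcement action to a copy of the account and return the copy."""
    result = copy.deepcopy(account)
    findings = noncompliant(result, rules)
    if not findings:
        return result                                   # compliant: nothing to enforce
    if action is Enforcement.MARK:
        result.marked = True
    elif action is Enforcement.SUSPEND:
        result.status = "suspended"
    elif action is Enforcement.CORRECT:
        for rule in rules:                              # drop disallowed values, add required ones
            values = result.attributes.get(rule.attribute, set())
            if rule.allowed is not None:
                values = values & rule.allowed
            result.attributes[rule.attribute] = values | rule.required
    elif action is Enforcement.ALERT:
        alerts.append(f"{result.account_id}: " + "; ".join(
            f"{attr} {problem} {sorted(vals)}" for attr, problem, vals in findings))
    return result

RULES = [
    AttributeRule("groups", allowed={"users", "developers", "wheel"}, required={"users"}),
    AttributeRule("shell", allowed={"/bin/bash", "/bin/zsh"}),
]

# Constructed account: 'wheel' is allowed, 'docker' is not, and the required 'users' is missing
SVC = Account("svc-build", {"groups": {"wheel", "docker"}, "shell": {"/bin/bash"}})

def demo():
    alerts: List[str] = []
    outcomes = {action.value: enforce(SVC, RULES, action, alerts) for action in Enforcement}
    return {
        "findings": noncompliant(SVC, RULES),
        "marked": outcomes["Mark"].marked,
        "suspended": outcomes["Suspend"].status,
        "corrected_groups": outcomes["Correct"].attributes["groups"],
        "correct_is_compliant": noncompliant(outcomes["Correct"], RULES) == [],
        "alerts": alerts,
        "original_untouched": SVC.attributes["groups"] == {"wheel", "docker"},
    }
```

Correct is the only action that changes the account's attributes; Mark and Alert leave the violation in place for a person to review, and Suspend removes the account from use until someone does.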

Recertification policy and process

A recertification policy includes activities to ensure that users provide confirmation that they have a valid, ongoing need for the target type specified (user, account, and access). The policy defines how frequently users must validate an ongoing need. Additionally, the policy defines the operation that occurs if the recipient declines or does not respond to the recertification request. IBM Security Identity Manager supports recertification policies that use a set of notifications to initiate the workflow activities that are involved in the recertification process. Depending on the user response, a recertification policy can mark a user's roles, accounts, groups, or accesses as recertified. The policy can suspend or delete an account, or delete a role, group, or access.

Audits that are specific to recertification are created for use by several reports that are related to recertification:

Accounts, access, or users pending recertification
    Provides a list of recertifications that are not completed.

Recertification history
    Provides a historical list of recertifications for the target type specified.

Recertification policies
    Provides a list of all recertification policies.


User recertification history
    Provides history of user recertification.

User recertification policy
    Provides a list of all user recertification policies.
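An added Python model of a recertification policy, not product code: it selects the targets of the policy's type whose last certification is older than the policy interval, records the recertifier's answer, and applies the decline or timeout action the policy defines, treating an answer that arrives after the response window as a timeout. The interval, the response window, the actions chosen, and the target data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class RecertificationPolicy:
    name: str
    target_type: str        # "user", "account" or "access"
    interval_days: int      # how often an ongoing need must be confirmed
    response_days: int      # days the recertifier has before the timeout action applies
    on_reject: str          # "suspend", "delete" or "mark"
    on_timeout: str

@dataclass
class Target:
    ident: str
    target_type: str
    last_certified: Optional[date]      # None means never certified
    status: str = "active"
    certification: str = "never certified"

    def __post_init__(self):
        if self.last_certified is not None:
            self.certification = "certified"

def due(targets: List[Target], policy: RecertificationPolicy, today: date) -> List[Target]:
    """Targets of the policy's type whose last certification is older than the interval."""
    return [t for t in targets if t.target_type == policy.target_type and
            (t.last_certified is None or (today - t.last_certified).days >= policy.interval_days)]

def _apply(target: Target, action: str) -> None:
    target.status = {"suspend": "suspended", "delete": "deleted", "mark": "marked"}[action]

def respond(target: Target, policy: RecertificationPolicy, response: Optional[str],
            requested: date, answered: date) -> Target:
    """Record the recertifier's answer; None, or an answer after the deadline, is a timeout."""
    if response is None or (answered - requested).days > policy.response_days:
        _apply(target, policy.on_timeout)
    elif response == "approve":
        target.certification = "certified"
        target.last_certified = answered
    elif response == "reject":
        target.certification = "rejected"
        _apply(target, policy.on_reject)
    else:
        raise ValueError(f"unknown response {response!r}")
    return target

POLICY = RecertificationPolicy("Quarterly account recertification", "account",
                               interval_days=90, response_days=14,
                               on_reject="suspend", on_timeout="suspend")
TODAY = date(2024, 6, 1)

def sample_targets() -> List[Target]:
    """Constructed targets, built fresh on each call because respond() mutates them."""
    return [Target("a1", "account", date(2024, 2, 1)),   # 121 days ago: due
            Target("a2", "account", date(2024, 5, 1)),   # 31 days ago: not due
            Target("a3", "account", None),               # never certified: due
            Target("a4", "account", date(2024, 1, 1)),   # due; answer will arrive late
            Target("u1", "user", None)]                  # other target type: not this policy's

def demo():
    pending = due(sample_targets(), POLICY, TODAY)
    by_id = {t.ident: t for t in pending}
    respond(by_id["a1"], POLICY, "approve", TODAY, TODAY + timedelta(days=3))    # on time
    respond(by_id["a3"], POLICY, None, TODAY, TODAY + timedelta(days=14))        # no answer
    respond(by_id["a4"], POLICY, "approve", TODAY, TODAY + timedelta(days=20))   # too late
    return {"due": [t.ident for t in pending],
            "a1": (by_id["a1"].certification, by_id["a1"].status, by_id["a1"].last_certified),
            "a3": (by_id["a3"].certification, by_id["a3"].status),
            "a4": (by_id["a4"].certification, by_id["a4"].status)}
```

The late approval for a4 is deliberately treated as a timeout: an approval that arrives after the deadline has already passed cannot undo the action the policy took, which is the behaviour the Pending Recertification report described below is meant to warn about in advance.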

Reports

Security administrators, auditors, managers, and service owners in your organization can use one or more of the following reports to control and support corporate regulatory compliance:
v Accesses Report, which lists all access definitions in the system.
v Approvals and Rejections Report, which shows request activities that were either approved or rejected.
v Dormant Accounts Report, which lists the accounts that were not used recently.
v Entitlements Granted to an Individual Report, which lists all users with the provisioning policies for which they are entitled.
v Noncompliant Accounts Report, which lists all noncompliant accounts.
v Orphan Accounts Report, which lists all accounts not having an owner.
v Pending Recertification Report, which highlights recertification events that can occur if the recertification person does not act on an account or access. This report supports filtering data by a specific service type or a specific service instance.
v Recertification Change History Report, which shows a history of accesses (including accounts) and when they were last recertified. This report serves as evidence of past recertifications.
v Recertification Policies Report, which shows the current recertification configuration for a specific access or service.
v Separation of Duty Policy Definition Report, which lists the separation of duty policy definitions.
v Separation of Duty Policy Violation Report, which contains the person, policy, rules violated, approval, and justification (if any), and who requested the violating change.
v Services Report, which lists services currently defined in the system.
v Summary of Accounts on a Service Report, which lists a summary of accounts on a specified service defined in the system.
v Suspended Accounts Report, which lists the suspended accounts.
v User Recertification History Report, which lists the history of user recertifications done manually (by specific recertifiers), or automatically (due to timeout action).
v User Recertification Policy Definition Report, which lists the user recertification policy definitions.

All reports are available to all users when the appropriate access controls are configured. However, certain reports are designed specifically for certain types of users.


Table 23. Summary of reports

| Designed for | Available reports |
|---|---|
| Security administrators | Dormant Accounts; Orphan Accounts; Pending Recertification; Recertification History; Recertification Policies; User Recertification History; User Recertification Policies |
| Managers | Pending Recertification; Recertification History; Recertification Policies; User Recertification History; User Recertification Policies |
| Service owners | Dormant Accounts; Orphan Accounts; Pending Recertification; Recertification History; Recertification Policies; User Recertification History; User Recertification Policies |
| Auditors | Dormant Accounts; Orphan Accounts; Pending Recertification; Recertification History; Recertification Policies; User Recertification History; User Recertification Policies |
| End users, help desk, and developers | None |

Identity governance

IBM Security Identity Manager extends the identity management governance capabilities with a focus on operational role management. Using roles simplifies the management of access to IT resources.

Identity governance includes these IBM Security Identity Manager features:

Role management
    Manages user access to resources, but unlike user provisioning, role management does not grant or remove user access. Instead, it sets up a role structure to do it more efficiently.

Entitlement management
    Simplifies access control by administering and enforcing fine-grained authorizations.


Access certification
    Provides ongoing review and validation of access to resources at role or entitlement level.

Privileged user management
    Provides enhanced user administration and monitoring of system or administrator accounts that have elevated privileges.

Separation of duties
    Prevents and detects business-specific conflicts at role or entitlement level.

Triple user interface

IBM Security Identity Manager has three user interfaces that show users only the tasks they need to complete, based on their user role.

The interfaces are separate, and users access them through different web addresses. IBM Security Identity Manager has three types of user interfaces: the Administrative console interface, the Self-care interface, and the Identity Service Center interface.

Administrative console user interface

The administrative console user interface provides an advanced set of administrative tasks, and has new multitasking capabilities.

Persona-based console customization

The administrative console user interface contains the entire set of administrative tasks, such as managing roles, policies, and reports. This persona-based console provides sets of tasks, each tailored for the needs of the default administrative user types:
v System administrator
v Privileged administrator
v Service owner
v Help desk assistant
v Auditor
v Manager

System administrators can easily customize which tasks the different types of users can do. To control user access to accounts and tasks, for example, use a default set of user groups, access control items, and views. You can also customize user access by defining additional user groups, views, and access control items.

Multitasking control

Wizards within the administrative console user interface expedite the administrative tasks of adding users, requesting accounts, and creating new services. The administrator can concurrently manage several tasks.

Advanced search capability

The administrative console user interface also provides a powerful advanced search feature.

Self-care user interface
The self-care user interface provides a simpler subset of personal tasks that apply only to the user. With the IBM Security Identity Manager self-care interface, users can update their personal information and passwords. Users can view requests, complete and delegate activities, and request and manage their own accounts and access.

40 IBM Security Identity Manager Version 6.0: Product Overview Guide

The self-care user interface provides a central location for users to do varioussimple, intuitive tasks.

From the self-care home page, the following task panels are available, dependingon the authority the system administrator granted.

Action Needed
A list of tasks that require completion.

My Password
A list of tasks to change passwords. If password synchronization is enabled, users can enter one password that is synchronized for all of their accounts. A user can reset a forgotten password by successfully responding to forgotten password questions, if forgotten password information is configured in the system.

My Access
A list of tasks to request and manage access to folders, applications, roles, and other resources.

My Profile
A list of tasks to view or update personal information.

My Requests
A list of tasks to view requests that a user submitted.

My Activities
A list of activities that require user action. Users can also delegate activities.

Privileged users can also check out and check in credentials from the self-care userinterface.

Identity Service Center user interface
The Identity Service Center user interface provides a unified catalog that makes manager request access tasks simple and straightforward.

Request Access wizard

The Identity Service Center has a Request Access wizard where users canprocess new accesses such as role membership, accounts, and accessentitlements.

It also supports batch requests by allowing the users to build up a list ofitems that are requested at the same time. For example, a member movesinto a new role from one department to another, and the manager wants togive access to certain systems or applications.

The user can follow these basic steps to use the wizard effectively:
1. Select a person for whom you want to request access.
2. Select one or more accesses to request for that person.
3. Provide the required information, such as justification, account details, or passwords.
4. Submit the request.
5. View a submission confirmation and status page.

Chapter 5. Features overview 41

Configurable and extensible

You can use the Identity Service Center to have a tailored user experience:
• Use the default Identity Service Center features and add to them
• Edit the custom tasks
• Add your own custom tasks

See the “Identity Service Center user interface customization” section of the IBM Security Identity Manager Configuration Guide for details.

Recertification
IBM Security Identity Manager Server recertification simplifies and automates the process of periodically revalidating users, accounts, and accesses.

The recertification process automates validating that users, accounts, and accessesare still required for a valid business purpose. The process sends recertificationnotification and approval events to the participants that you specify.

Reporting
IBM Security Identity Manager reports reduce the time to prepare for audits and provide a consolidated view of access rights and account provisioning activity for all managed people and systems.

A report is a summary of IBM Security Identity Manager activities and resources.You can generate reports based on requests, user and accounts, services, or auditand security.

Report data is staged through a data synchronization process. The process gathersdata from the IBM Security Identity Manager directory information store andprepares it for the reporting engine. Data synchronization can be run on demand,or it can be scheduled to occur regularly.

Report accessibility
The IBM Security Identity Manager reports are accessible in the PDF format.

The following categories of reports are available:

Requests
Reports that provide workflow process data, such as account operations, approvals, and rejections.

User and Accounts
Reports that provide data about users and accounts. For example: individual access rights, account activity, pending recertifications, and suspended individuals.

Services
Reports that provide service data, such as reconciliation statistics, list of services, and summary of accounts on a service.

Audit and Security
Reports that provide audit and security data, such as access control information, audit events, and noncompliant accounts.

Shared Access
Reports that provide a history of shared access, a listing of shared entitlements by role, and a listing of shared access entitlements by owner.

Static and dynamic roles
IBM Security Identity Manager provides static and dynamic roles.

In static organizational roles, assigning a person to a static role is a manualprocess.

In the case of a dynamic role, the scope of access can be to an organizational unit only or to the organizational unit and its subunits. Dynamic organizational roles use valid LDAP filters to set a user's membership in a specific role. For example, a dynamic role might use an LDAP filter to provide access to specific resources to users who are members of an auditing department named audit123. For example, type:

(departmentnumber=audit123)

Dynamic organizational roles are evaluated at the following times:
• When a new user is created in the IBM Security Identity Manager system
• When a user's information, such as title or department membership, changes
• When a new dynamic organizational role is created
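The following added example (not IBM code) models the dynamic role behaviour described above: a role holds an LDAP filter such as (departmentnumber=audit123), and membership is derived from person attributes, so it is current at each of the three evaluation points. The person records and role names are constructed sample data, and the filter parser covers only equality, presence and the &, |, ! composites.

```python
"""Dynamic organizational role membership evaluated with LDAP filters.

Added example, not IBM code. A dynamic role holds an LDAP filter such as
"(departmentnumber=audit123)"; membership is re-evaluated when a person is
created, when a person's attributes change, and when a new dynamic role is
created. All person records below are constructed sample data.
"""


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: equality, presence (*) and & | ! composites."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed filter item at offset {pos}")
        pos = end + 1
        # LDAP attribute names are case-insensitive; store them lower-cased.
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, person):
    """Return True when the person's attributes satisfy the filter tree."""
    op = tree[0]
    if op == "&":
        return all(matches(child, person) for child in tree[1])
    if op == "|":
        return any(matches(child, person) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], person)
    _, attr, value = tree
    actual = person.get(attr)
    if actual is None:
        return False
    if value == "*":          # presence test
        return True
    # Values are compared case-insensitively, as caseIgnoreMatch would.
    return str(actual).lower() == value.lower()


class DynamicRoles:
    """Keeps role membership in step with person data and role definitions."""

    def __init__(self):
        self.people = {}   # uid -> attribute dict (keys lower-cased)
        self.roles = {}    # role name -> parsed filter

    def members(self, role):
        tree = self.roles[role]
        return sorted(uid for uid, p in self.people.items() if matches(tree, p))

    def roles_of(self, uid):
        p = self.people[uid]
        return sorted(r for r, tree in self.roles.items() if matches(tree, p))

    # The three evaluation points named in the guide: membership is derived
    # from stored data, so each event only has to update that data.
    def create_person(self, uid, **attrs):
        self.people[uid] = {k.lower(): v for k, v in attrs.items()}

    def update_person(self, uid, **changes):
        self.people[uid].update({k.lower(): v for k, v in changes.items()})

    def create_role(self, name, ldap_filter):
        self.roles[name] = parse_filter(ldap_filter)


def demo():
    """Walk through the audit123 example; returns three membership snapshots."""
    dr = DynamicRoles()
    dr.create_person("alice", departmentNumber="audit123", title="Auditor")
    dr.create_person("bob", departmentNumber="sales", title="Account Manager")
    dr.create_role("Auditors", "(departmentnumber=audit123)")
    before = dr.members("Auditors")                       # ['alice']
    dr.update_person("bob", departmentNumber="audit123")  # bob transfers
    after_move = dr.members("Auditors")                   # ['alice', 'bob']
    dr.create_role("Lead auditors",
                   "(&(departmentnumber=audit123)(!(title=Auditor)))")
    leads = dr.members("Lead auditors")                   # ['bob']
    return before, after_move, leads


if __name__ == "__main__":
    print(demo())
```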

Self-access management
IBM Security Identity Manager gives users and administrators the ability to request and manage access to resources such as shared folders, email groups, or applications.

Access differs from an account. An account exists as an object on a managed service. An access is an entitlement to use a resource, such as a shared folder, on the managed service. The ability to access a resource is based on the attributes of the group to which the user account belongs. The user's access to a resource is therefore dependent on the account and its group mapping. When an account is suspended, its access becomes inactive; similarly, when an account is restored, its access becomes active again. When an account is deleted, access to the resource for that user is deleted. When a group is removed from the service, the user access that maps to that group is also removed.

An administrator typically configures the access to resources on a service based onthe need for a particular user group. Users can request or delete access. They canmanage access to the resources they use without the need to understand theunderlying technology such as account attributes.
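The added example below (not IBM code) derives a user's access from account state and group mapping exactly as the rules above describe, and shows how suspend, restore, delete, and group removal change the result. The services, groups, and accounts are constructed sample data.

```python
"""Access derived from account state and group mapping.

Added example, not IBM code. An access is an entitlement defined by a group on
a service, and a user holds it only through an account that is in that group.
Suspending the account makes the access inactive, restoring it makes the
access active again, deleting the account deletes the access, and removing the
group from the service removes every access mapped to it.
Services, accesses, and accounts below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    service: str
    groups: set
    status: str = "active"        # "active" or "suspended"


@dataclass
class AccessModel:
    # (service, group) -> access name, as an administrator would configure it
    access_defs: dict = field(default_factory=dict)
    accounts: dict = field(default_factory=dict)   # account id -> Account

    def define_access(self, service, group, name):
        self.access_defs[(service, group)] = name

    def add_account(self, account_id, owner, service, groups):
        self.accounts[account_id] = Account(owner, service, set(groups))

    def user_access(self, owner):
        """Return {access name: "active" | "inactive"} for a user, derived on demand."""
        result = {}
        for acct in self.accounts.values():
            if acct.owner != owner:
                continue
            for group in acct.groups:
                name = self.access_defs.get((acct.service, group))
                if name is None:
                    continue          # group is not exposed as an access
                state = "active" if acct.status == "active" else "inactive"
                # If the same access is reachable through two accounts,
                # one active account is enough to make it active.
                if result.get(name) != "active":
                    result[name] = state
        return result

    # Lifecycle events from the guide
    def suspend(self, account_id):
        self.accounts[account_id].status = "suspended"

    def restore(self, account_id):
        self.accounts[account_id].status = "active"

    def delete_account(self, account_id):
        del self.accounts[account_id]

    def remove_group(self, service, group):
        """Group removed from the service: drop its access and all memberships."""
        self.access_defs.pop((service, group), None)
        for acct in self.accounts.values():
            if acct.service == service:
                acct.groups.discard(group)


def demo():
    """Apply the four lifecycle events in turn; returns the access after each step."""
    m = AccessModel()
    m.define_access("fileserver", "finance_share", "Finance shared folder")
    m.define_access("mail", "all-staff", "All-staff mail group")
    m.add_account("fs-alice", "alice", "fileserver", {"finance_share"})
    m.add_account("mail-alice", "alice", "mail", {"all-staff"})
    snapshots = [m.user_access("alice")]
    m.suspend("fs-alice")              # folder access becomes inactive
    snapshots.append(m.user_access("alice"))
    m.restore("fs-alice")              # folder access is active again
    snapshots.append(m.user_access("alice"))
    m.remove_group("mail", "all-staff")  # mail-group access disappears
    snapshots.append(m.user_access("alice"))
    m.delete_account("fs-alice")       # folder access is deleted with the account
    snapshots.append(m.user_access("alice"))
    return snapshots


if __name__ == "__main__":
    for step, snapshot in enumerate(demo()):
        print(step, snapshot)
```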

Provisioning features
IBM Security Identity Manager provides support for provisioning, the process of providing, deploying, and tracking a service or component in your enterprise. In a suite of security products, IBM Security Identity Manager plays a key role to ensure that resources are accessible only to authorized persons. IBM Security Identity Manager safeguards the accuracy and completeness of information processing methods and grants authorized users access to information and associated assets.

Overview

IBM Security Identity Manager provides an integrated software solution formanaging the provisioning of services, applications, and controls to employees,business partners, suppliers, and others associated with your organization acrossplatforms, organizations, and geographies. You can use its provisioning features tocontrol the setup and maintenance of user access to system and account creationon a managed resource. The two main types of information are person data andaccount data. Person data represents the people whose accounts are being managed.Account data represents the credentials of the persons and the managed resourcesto which the persons were granted access.

At its highest level, an identity management solution automates and centralizes theprocess of provisioning resources. Resources range from operating systems andapplications to people in, or affiliated with, an organization. Organizationalstructure can be altered to accommodate the provisioning policies and procedures.However, the organization tree used for provisioning resources does notnecessarily reflect the managerial structure of an organization.

Administrators at all levels can use standardized procedures for managing usercredentials. Some levels of administration can be reduced or eliminated, dependingon the breadth of the provisioning management solution. Furthermore, you cansecurely distribute administration capabilities, manually or automatically, amongvarious organizations. For example, a domain administrator can serve only thepeople and resources in that domain. This user can do administrative andprovisioning tasks, but is not authorized to do configuration tasks, such as creatingworkflows.

IBM Security Identity Manager supports distributed administration capabilities, which include the secure distribution of provisioning tasks, whether manual or automatic, among various organizations. Distributing administrative tasks in your organization improves the accuracy and effectiveness of administration and improves the balance of the workload of an organization.

IBM Security Identity Manager addresses provisioning of enterprise services and components in the following areas:
• Account access management
• Workflow and lifecycle automation
• Provisioning policies
• Role-based access control
• Separation of duty capabilities
• Self-regulating user administration
• Customization

Account access management and the provisioning system

With an effective account access management solution, your organization can track precisely who has access to what information across the organization. Access control is a critical function of a centralized, single-point provisioning system. Besides protecting sensitive information, access controls expose existing accounts that have unapproved authorizations or are no longer necessary. Orphan accounts are active accounts that cannot be associated with valid users. For orphan accounts on a managed resource, the account owner cannot be automatically determined by the provisioning system. To control orphan accounts, the provisioning system links together account information with authoritative information about the users who own the accounts. Authoritative user identity information is typically maintained in the databases and directories of human resources.

Improperly configured accounts are active accounts that are associated with valid users but were granted improper authorization because the organization allowed local administrators to add or modify users outside of IBM Security Identity Manager. The ability to control improper accounts is much more difficult, and requires a comparison of “what should be” with “what is” at the account authority level. The existence of an account does not necessarily expose its capabilities. Accounts in sophisticated IT systems include hundreds of parameters that define the authorities, and these details can be controlled by your provisioning system.

New users can be readily identified with the data feed that you establish from thehuman resources directory. The access request approval capability initiates theprocesses that approve (or reject) resource provisioning for them.
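As an added example (not IBM code), the reconciliation check below links accounts read from a managed resource to authoritative HR records and flags the two account classes described above: orphans, whose owner cannot be determined or is no longer a valid user, and improperly configured accounts, whose authorities go beyond what the policy grants. The HR records, accounts, and the role-to-group entitlement table are constructed; the table stands in for a hypothetical provisioning policy.

```python
"""Reconciliation check for orphan and improperly configured accounts.

Added example, not IBM code. Accounts reconciled from a managed resource are
linked to authoritative HR identity data; an active account that cannot be
tied to a valid user is an orphan, and an account tied to a valid user but
holding authorities the policy does not grant is improperly configured
("what should be" versus "what is"). All data below is constructed, and the
role-to-group table is a hypothetical provisioning policy entitlement.
"""
from dataclasses import dataclass

# Authoritative identity data, as an HR feed would supply it (constructed).
HR_RECORDS = {
    "E1001": {"uid": "alice", "roles": {"auditor"}, "active": True},
    "E1002": {"uid": "bob", "roles": {"sales"}, "active": True},
    "E1003": {"uid": "carol", "roles": {"sales"}, "active": False},  # left the company
}

# Hypothetical policy: groups on the managed resource that each role entitles.
POLICY_ENTITLEMENTS = {
    "auditor": {"audit_readers"},
    "sales": {"crm_users"},
}

# Accounts as a reconciliation of the service returned them (constructed).
# "owner" is the employee number the adapter could link, or None.
RECONCILED_ACCOUNTS = [
    {"name": "alice", "owner": "E1001", "groups": {"audit_readers"}},
    {"name": "bob", "owner": "E1002", "groups": {"crm_users", "crm_admins"}},
    {"name": "carol", "owner": "E1003", "groups": {"crm_users"}},
    {"name": "svc_backup", "owner": None, "groups": {"backup_operators"}},
]


@dataclass(frozen=True)
class Finding:
    account: str
    status: str          # "compliant", "orphan" or "improper"
    detail: str = ""


def expected_groups(record, policy):
    """Union of the groups that the owner's roles entitle under the policy."""
    groups = set()
    for role in record["roles"]:
        groups |= policy.get(role, set())
    return groups


def classify(account, hr, policy):
    """Compare one reconciled account with authoritative data and policy."""
    record = hr.get(account["owner"]) if account["owner"] else None
    if record is None or not record["active"]:
        # Owner cannot be determined, or is no longer a valid user.
        return Finding(account["name"], "orphan", "no valid owner in HR data")
    excess = account["groups"] - expected_groups(record, policy)
    if excess:
        return Finding(account["name"], "improper",
                       "groups not granted by policy: " + ", ".join(sorted(excess)))
    return Finding(account["name"], "compliant")


def reconcile(accounts=RECONCILED_ACCOUNTS, hr=HR_RECORDS, policy=POLICY_ENTITLEMENTS):
    """Classify every account; findings come back in the order the accounts were read."""
    return [classify(a, hr, policy) for a in accounts]


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.account:12} {f.status:10} {f.detail}")
```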

Workflow and lifecycle automation

When a user becomes affiliated or employed with an organization, the lifecycle ofthe user begins. Your business policies and processes, whether manual orsemi-automated, provision the user with access to certain resources based on roleand responsibilities. Over time, when the role and functions of a user change, yourbusiness policies and processes can provision the resources that are available to theuser. Eventually, the user becomes unaffiliated with the organization, associatedaccounts are suspended and later deleted, and the lifecycle of the user in theorganization is finished. You can use workflows to customize how accounts areprovisioned. You can customize the lifecycle management of users and accounts,such as adding, removing, and modifying users and accounts. A completeprovisioning workflow system automatically routes requests to the appropriateapprovers and preemptively escalates to other approvers if actions are not taken onthe requests.

You can define two types of workflows in IBM Security Identity Manager:entitlement workflows that apply to provisioning activities, and operationalworkflows that apply to entity types. An entitlement workflow defines the businesslogic that is tied specifically to the provisioning actions of provisioning policies. Aprovisioning policy entitlement ties the provisioning actions to entitlementworkflows. For example, an entitlement workflow is used to define approvals formanaging accounts. An operational workflow defines the business logic for thelifecycle processes for entity types and entities. You can use workflowprogramming tools to automate key aspects of the provisioning lifecycle,specifically the approval processes that your organization uses. A workflow objectin the organization tree can contain one or more participants and escalationparticipants. A participant is a signature authority that approves or rejects aprovisioning request.

Provisioning policies and auditing

An organizational role entity is assigned to one or more identities when youimplement role-based access control for the resources that are managed by IBMSecurity Identity Manager. An organizational role is controlled by a provisioningpolicy. The policy represents a set of organizational rules and the logic that theSecurity Identity Manager Server uses to manage resources such as applications oroperating systems.

If a role is a member of another organizational role in a provisioning policy, then that role member also inherits the permissions of the provisioning policy.

A provisioning policy maps the people in organizational roles to services that represent corresponding resources in IBM Security Identity Manager. The policy sets the entitlements that people have when accessing the services. The provisioning policies you implement must reflect your organizational identity management policies in your security plan. To implement effective provisioning policies, you must analyze and document existing business approval processes in your organization. You must determine what adjustments to make to those processes to implement an automated identity management solution. A provisioning policy provides a key part of the framework for the automation of identity lifecycle management.

IBM Security Identity Manager provides APIs that interface to information aboutprovisioning policies defined in IBM Security Identity Manager, and interface tothe access granted to an individual task. These APIs can be used effectively togenerate audit data. When a provisioning policy is defined, the reconciliationfunction enables the enforcement of the policy rules. The reconciliation functionkeeps the participating systems (both the Security Identity Manager Server and therepositories of the managed resources) from potentially becoming a single point offailure.

When two or more provisioning policies are applied, a join directive defines how tohandle attributes. Two or more policies might have overlapping scope, and the joindirective specifies what actions to take when this overlap occurs.

Provisioning policies can be mapped to a distinct portion or level of theorganizational hierarchy. For example, policies can be defined at a specificorganization unit that affects organization roles for that unit only. Service selectionpolicies extend the function of a provisioning policy by enabling the provisioningof accounts based on person attributes. A service selection policy is enforced whenit is defined as a target of a provisioning policy. Using a JavaScript script todetermine which service to use, the service selection policy defines provisioningbased on the instructions in the script. The logic in the JavaScript typically usesperson object attributes to determine which service to use. The attribute is oftenthe location of the person in the organization tree.

Role-based access control

Role-based access control (RBAC) uses roles and provisioning policies to evaluate, test, and enforce your business processes and rules for granting access to users. Key administrators create provisioning policies and assign users to roles that define sets of entitlements to resources for these roles. RBAC tasks establish role-based access control to resources. RBAC extends the identity management solution to use software-based processes and reduce manual user interaction in the provisioning process.

Role-based access control evaluates changes to user information to determine whether the changes alter the role membership for the user. If a change is needed, policies are reviewed and changes to entitlements are put in place immediately. Similarly, a change in the definition of the set of resources in a policy can also trigger a change to associated entitlements. Role-based access control includes the following features:
• Mandatory and optional entitlements, where optional entitlements are not automatically provisioned but can be requested by a user in a group
• Prerequisite services, where specific services must be granted before certain access rights are set
• Entitlement defaults and constraints, where each characteristic of an entitlement can be set to a default value. The entitlement range can be constrained, depending on the capabilities of the entitlement to be granted
• A single account with multiple authorities governed by different policies
• Private, filtered views of information about users and available resources
• User authentication approaches that are consistent with internal security policies
• Distribution of provisioning system components securely over WAN and Internet environments, including the crossing of firewalls
• User IDs that use consistent, user-defined algorithms

Self-regulating user administration

When your organization starts to provision resources across all internalorganizations, you implement the self-regulating user administration capability.You can realize the advantages and benefits of provisioning users acrossorganizational boundaries. In this environment, a change in a user's status isautomatically reflected in access rights across organization boundaries andgeographies. You can reduce provisioning costs and streamline the access andapproval processes. The implementation realizes the full potential of implementingrole-based access control for end-to-end access management in your organization.You can reduce administrative costs through automated procedures for governinguser provisioning. You can improve security by automating security policyenforcement, and streamline and centralize user lifecycle management and resourceprovisioning for large user populations.

Incremental provisioning and other customization options

Your team can use business plans and requirements to decide how much tocustomize IBM Security Identity Manager. For example, a large enterprise mightrequire a phased roll-out plan for workflows and custom adapters that is based ona time line for incrementally provisioning applications that are widely used acrossgeographies. Another customization plan might provide for two or moreapplications to be provisioned across an entire organization, after successfultesting. User-application interaction can be customized, and procedures forprovisioning resources might be changed to accommodate automated provisioning.

You can deprovision to remove a service or component. For example, deprovisioningan account means that the account is deleted from a resource.

Resource provisioning
Depending on business needs, IBM Security Identity Manager provides alternatives you can use to provision resources to authorized users. Alternatives are based on requests, roles, or a combination of requests and roles.

Request-based access to resources
On a request basis, IBM Security Identity Manager provides a process to grant, modify, and remove access to resources throughout a business. The process establishes an effective audit trail with automated reports.

In request-based provisioning, users and their managers search for and request access to specific applications, privilege levels, or resources within a system. The requests are validated by workflow-driven approvals and audited for reporting and compliance purposes.

For example, users, or their managers, can request access to new accounts.Additionally, managers or other administrators are alerted to unused accounts andgiven the option to delete the accounts through a recertification process. Theseperiodic reviews of user access rights ensure that access with previous approval isremoved, if it is no longer needed.

Roles and access control
An organizational role supports different access control and access provisioning models in a customer deployment.

An organizational role can map to IBM Security Identity Manager accessentitlements in a provisioning policy. Specific IBM Security Identity Managergroups can be authorized or automatically provisioned for users that are membersof the role.

If a role is a member of another organizational role in a provisioning policy, thenthat role member also inherits the permissions of the provisioning policy.

IBM Security Identity Manager groups can be used to define views and accesscontrol for different types of entities that are managed in IBM Security IdentityManager.

Hybrid provisioning model
The hybrid model of provisioning resources combines request and role-based approaches, which are both supported by IBM Security Identity Manager.

For a subset of employees or managed systems, a business might want to automateaccess with role-based assignment. A business might also handle all other accessrequests or exceptions through a request-based model. Some businesses might startwith manual assignment, and evolve toward a hybrid model, with an intention ofa fully role-based deployment at a future time.

Other companies might find it impractical for business reasons to achieve completerole-based provisioning, and target a hybrid approach as a wanted goal. Still othercompanies might be satisfied with only request-based provisioning, and not wantto invest additional effort to define and manage role-based, automatedprovisioning policies.


Chapter 6. Technical overview

You can use IBM Security Identity Manager to manage the identity records thatrepresent people in a business organization. This section introduces the productarchitecture and main components.

IBM Security Identity Manager is an identity management solution that centralizesthe process of provisioning resources, such as provisioning accounts on operatingsystems and applications to users.

IBM Security Identity Manager gives you the ability to add business processes andsecurity policies to basic user management. The ability includes adding approvalsfor user requests to access resources. In addition, IBM Security Identity Managerprovides a uniform way to manage user accounts and to delegate administration,including self-service and a help desk user interface.

Users, authorization, and resources
An administrator uses the entities that IBM Security Identity Manager provides for users, authorization, and resources to provide both initial and ongoing access in a changing organization.

Identities
An identity is the subset of profile data that uniquely represents a person in one or more repositories, and includes additional information related to the person.

Accounts
An account is the set of parameters for a managed resource that defines your identity, user profile, and credentials.

Users
A user is an individual who uses IBM Security Identity Manager to manage their accounts.

Access control items
An access control item is data that identifies the permissions that users have for a specific type of resource. You create an access control item to specify a set of operations and permissions. You then identify which groups use the access control item.

Figure 2. Users, authorization, and resources (People: Identities, Users; Authorization: Accounts, Access control item, Group; Workflows/policies: Identity policy, Password policy, Other policies, Workflow; Resources: Service, Adapter)

© Copyright IBM Corp. 2012, 2013 49

Groups
A group is used to control user access to functions and data in IBM Security Identity Manager. Membership in an IBM Security Identity Manager group provides a set of default permissions and operations, as well as views, that group members need.

Policies
A policy is a set of considerations that influence the behavior of a managed resource (called a service in IBM Security Identity Manager) or a user. A policy represents a set of organizational rules and the logic that IBM Security Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a service-specific policy.

Adapters
An adapter is a software component that provides an interface between a managed resource and the IBM Security Identity Manager Server.

Services
A service represents a managed resource, such as an operating system, a database application, or another application that IBM Security Identity Manager manages. For example, a managed resource might be a Lotus Notes® application. Users access these services by using an account on the service.

Main components
Main components in the IBM Security Identity Manager solution include the IBM Security Identity Manager Server and required and optional middleware components, including adapters that provide an interface to managed resources.

In a cluster configuration, the main components are shown in Figure 3.

Figure 3. Main components (WebSphere Application Server Network Deployment cell: IBM Security Identity Manager cluster with Application Server, IBM Security Identity Manager Server, and JDBC driver; Deployment Manager with JDBC driver; IBM HTTP Server with WebSphere Web Server plug-in; IBM Security Identity Manager database; LDAP data store)

For more information about configuration alternatives, see the IBM Security Identity Manager Installation Guide.

Components include:

Database server products
IBM Security Identity Manager stores transactional and historical data in a database server, a relational database that maintains the current and historical states of data.

Computers that communicate with the database require a Java Database Connectivity driver (JDBC driver). For example, a JDBC driver enables an IBM Security Identity Manager Server to communicate with the data source. IBM Security Identity Manager supports a JDBC type 4 driver to connect a Java-based application to a database.

The supported database products are IBM DB2 Database, Oracle DB, and MS SQL Server database. The information about type 4 JDBC drivers for each database product is as follows:

IBM DB2 Database
DB2 supports a Type 4 JDBC driver. The DB2 type 4 JDBC driver is bundled with the IBM Security Identity Manager installation program.

Oracle database
The Oracle database supports a Type 4 JDBC driver. The IBM Security Identity Manager installation program prompts for the location and name of this JDBC driver.

Before you install the IBM Security Identity Manager Server, obtain this JDBC driver from your Oracle Database Server installation in the ORACLE_HOME\jdbc\lib\ directory. Alternatively, you can download the driver from this website: http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html

For WebSphere Application Server version 7.0, the JDBC driver is ojdbc6.jar.

Microsoft SQL Server database

Note: The Identity Service Center does not support Microsoft SQLServer database. Use DB2 database or Oracle database instead.

The SQL Server database supports a Type 4 JDBC driver. The IBMSecurity Identity Manager installation program prompts for thelocation and name of this JDBC driver.

You can download the driver from this website: http://msdn.microsoft.com/en-us/data/aa937724.aspx

For more information about supported database server products, see “Database server support” on page 5.

Directory server products
IBM Security Identity Manager stores the current state of the managed identities in an LDAP directory, including user account and organizational data.

IBM Security Identity Manager supports the following products:
• IBM Tivoli Directory Server
• Sun Enterprise Directory Server

IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator synchronizes identity data in different directories, databases, and applications. IBM Tivoli Directory Integrator synchronizes and manages information exchanges between applications or directory sources.

WebSphere Application Server
WebSphere Application Server is the primary component of the WebSphere environment. WebSphere Application Server runs a Java virtual machine, providing the runtime environment for the application code. The application server provides communication security, logging, messaging, and Web services.

The IBM Security Identity Manager application can run on a single-server configuration with the WebSphere Application Server base server. IBM Security Identity Manager can also run in a larger cluster configuration. The configuration can have one or more WebSphere Application Servers and a deployment manager that manages the cluster.

HTTP server and WebSphere Web Server plug-in
An HTTP server provides administration of IBM Security Identity Manager through a client interface in a web browser. IBM Security Identity Manager requires the installation of a WebSphere Web Server plug-in with the HTTP server. The WebSphere Application Server installation program can separately install both the IBM HTTP Server and WebSphere Web Server plug-in.

IBM Security Identity Manager adapters
An adapter is a program that provides an interface between a managed resource and the IBM Security Identity Manager Server. Adapters function as trusted virtual administrators on the target platform for account management. For example, adapters do such tasks as creating accounts, suspending accounts, and modifying account attributes.

An IBM Security Identity Manager adapter can be either agent-based or agentless:

Agent-based adapter
You install adapter code directly onto the managed resource with which it is designed to communicate.

Agentless adapter
Deploys its adapter code onto the IBM Security Identity Manager Server and the system that hosts IBM Tivoli Directory Integrator. The adapter code is separate from the managed resource with which it is designed to communicate.

Note: For agentless adapters, the SSH process or daemon must be activeon the managed resource.

People overview
People, such as employees and contractors, need to use the resources that an organization provides. A person who has an IBM Security Identity Manager account is an IBM Security Identity Manager user.

Users need different degrees of access to resources for their work. Some users needto use a specific application. Other users need to administer the system that linksusers to the resources that their work requires.

IBM Security Identity Manager manages users' identities (user IDs), accounts,access entitlements on those accounts, and user credentials such as passwords.

Users

A person who is managed by IBM Security Identity Manager is a user. A user who has an IBM Security Identity Manager account is called an IBM Security Identity Manager user. This user can use IBM Security Identity Manager to manage accounts or do other administrative tasks.

Users need different degrees of access to resources for their work. Some users need to use a specific application. Other users need to administer the system that links users to the resources that their work requires. An IBM Security Identity Manager user is assigned to a specific group that provides access to specific views and allows the user to do specific tasks in IBM Security Identity Manager.

As an administrator, you create users either by importing identity records or by using IBM Security Identity Manager.

Identities

An identity is the subset of profile data that uniquely represents a person or entity. The data is stored in one or more repositories.

For example, an identity might be represented by the unique combination of a person's first, last (family) name, and full (given) name, and employee number. An identity profile might also contain additional information such as phone numbers, manager, and email address.

Chapter 6. Technical overview 53

Accounts

An account is the set of parameters for a managed resource that defines an identity, user profile, and credentials.

An account defines login information (your user ID and password, for example) and access to the specific resource with which it is associated.

In IBM Security Identity Manager, accounts are created on services, which represent the managed resources. Such resources might be operating systems (UNIX), applications (Lotus Notes), or other resources.

Accounts, when owned, are either individual or sponsored. Individual accounts are for use by a single owner and have an ownership type of Individual. Sponsored accounts are assigned to owners who are responsible for the accounts, but might not actually use them to access resources. Sponsored accounts can have various non-Individual ownership types. IBM Security Identity Manager supplies three ownership types for sponsored accounts: Device, System, and Vendor. You can use the Configure System utility to create additional ownership types for sponsored accounts.

Accounts are either active or inactive. Accounts must be active to log in to the system. An account becomes inactive when it is suspended. Suspension can occur if a request to recertify your account usage is declined and the recertification action is suspend. Suspended accounts still exist, but they cannot be used to access the system. System administrators can restore and reactivate a suspended account if the account is not deleted.

Access

Access is your ability to use a specific resource, such as a shared folder or an application.

In IBM Security Identity Manager, an access can be created to represent access to an access type. Such access types might be shared folders, applications (such as Lotus Notes), email groups, or other managed resources.

An access differs from an account in that an account is a form of access; an account is access to the resource itself.

Access is the permission to use the resource. The access entitlement defines the condition that grants access to a user with a set of attribute values of a user account on the managed resource. In IBM Security Identity Manager, an access is defined on an existing group on the managed service. In this case, the access is granted to a user by creating an account on the service and assigning the user to the group. Access entitlement can also be defined as a set of parameters on a service account that uses a provisioning policy.

When a user requests new access, by default an account is created on that service. If an account exists, the account is modified to fulfill the access entitlement. For example, the account is assigned to the group that grants access to an access type. If one account exists, the account is associated with the access. If multiple accounts exist, you must select the user ID of the account to which you want to associate your access.

An access is often described in terms that can be easily understood by business users.
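The access-request rule above (no account on the service: create one and put it in the access group; one account: associate it; several accounts: the requester must name the user ID) as an added Python model. This is example code, not IBM's implementation; the `Account`, `Access` and `fulfil_access_request` names and the sample data are hypothetical.

```python
"""Model of how IBM Security Identity Manager fulfils an access request.

Added example, not part of the product or the guide. It encodes the rule
in the Access section: an access is defined on an existing group of the
managed service, and fulfilling it means getting the requester an account
on that service that is a member of the group.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    service: str
    owner: str
    groups: set = field(default_factory=set)    # groups on the managed service
    accesses: set = field(default_factory=set)  # accesses associated with it


@dataclass
class Access:
    name: str      # business-friendly name that users see
    service: str   # service the access is defined on
    group: str     # existing group on the managed service that grants it


class AccessRequestError(Exception):
    """Raised when the request cannot be fulfilled without more input."""


def fulfil_access_request(owner, access, accounts, selected_user_id=None):
    """Return the account that now carries `access` for `owner`.

    `accounts` is the list of all known accounts (constructed sample data in
    the test); a new account is appended to it when one has to be created.
    """
    candidates = [a for a in accounts
                  if a.owner == owner and a.service == access.service]

    if not candidates:
        # Default behaviour: no account on the service yet, so one is
        # created and then placed in the group that grants the access.
        account = Account(user_id=owner, service=access.service, owner=owner)
        accounts.append(account)
    elif len(candidates) == 1:
        # Exactly one account exists: it is associated with the access.
        account = candidates[0]
    else:
        # Several accounts exist: the requester must select the user ID.
        chosen = [a for a in candidates if a.user_id == selected_user_id]
        if not chosen:
            raise AccessRequestError(
                f"{owner} has {len(candidates)} accounts on {access.service}; "
                "select the user ID of the account to associate with the access")
        account = chosen[0]

    # Modify the (new or existing) account to fulfil the access entitlement.
    account.groups.add(access.group)
    account.accesses.add(access.name)
    return account
```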


Passwords

A password is a string of characters that is used to authenticate a user's access to a system. A user ID and password are the two elements that grant access to a system.

As an administrator, you can manage user passwords and the passwords that are set for the users that are used by IBM Security Identity Manager.

Forgotten password administration

You can administer and define forgotten password information so users can reset forgotten IBM Security Identity Manager passwords. The information is in the format of questions and answers.

Password synchronization

Password synchronization is the process of assigning and maintaining one password for all individual accounts that a user owns. Password synchronization reduces the number of passwords that a user must remember.

You can configure the system to automatically synchronize passwords for all individual accounts owned by a user. Then, the user must remember only one password. For example, a user has two individual accounts: an IBM Security Identity Manager account and a Lotus Notes account. If the user changes or resets the password for the IBM Security Identity Manager account, the Lotus Notes password is automatically changed to the same password as the IBM Security Identity Manager password. Passwords might also be synchronized when you provision an account or restore a suspended account.

If password synchronization is enabled, a user cannot specify different passwords for other individual accounts owned by the user.

Note: When you provision an account or restore an account that was suspended, you must specify a password for the account. If password synchronization is enabled, you are not prompted for a password. Instead, the individual account is automatically given the same password as the existing individual accounts of the user.

Password strength rules

A password strength rule is a rule or requirement to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be five. The rules might specify that the maximum number of characters must be 10.

You can define password strength rules in a password policy.
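The password synchronization and password strength rules described above, combined in one added Python model: a change on an individual account propagates to the owner's other individual accounts (sponsored accounts are left alone), a newly provisioned account takes the existing synchronized password instead of prompting, and every new password is checked against the 5-to-10-character example rule. This is example code, not IBM's implementation; class and function names and the sample accounts are hypothetical.

```python
"""Model of password synchronization and strength checking.

Added example, not part of the product or the guide. Ownership types follow
the Accounts section: Individual accounts are synchronized, sponsored ones
(Device, System, Vendor) are not.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: str
    service: str
    owner: str
    ownership: str = "Individual"      # Individual | Device | System | Vendor
    password: Optional[str] = None


class PasswordPolicyError(Exception):
    """Raised when a password violates a strength rule or cannot be set."""


def check_strength(password, minimum=5, maximum=10):
    """Strength rule from the guide's example: 5 to 10 characters."""
    if not minimum <= len(password) <= maximum:
        raise PasswordPolicyError(
            f"password length must be between {minimum} and {maximum} characters")


def change_password(account, new_password, accounts, sync_enabled):
    """Set a new password on `account`.

    With synchronization enabled and an Individual account, the same password
    is applied to every other Individual account of the same owner. Returns
    the list of accounts whose password was changed.
    """
    check_strength(new_password)
    account.password = new_password
    changed = [account]
    if sync_enabled and account.ownership == "Individual":
        for other in accounts:
            if (other is not account and other.owner == account.owner
                    and other.ownership == "Individual"):
                other.password = new_password   # user cannot keep a different one
                changed.append(other)
    return changed


def provision_account(user_id, service, owner, accounts, sync_enabled,
                      supplied_password=None):
    """Create a new Individual account for `owner` on `service`.

    With synchronization enabled the caller is not asked for a password: the
    account receives the password of the owner's existing Individual accounts.
    Without synchronization a password must be supplied and is strength-checked.
    """
    account = Account(user_id, service, owner)
    existing = [a.password for a in accounts
                if a.owner == owner and a.ownership == "Individual" and a.password]
    if sync_enabled and existing:
        account.password = existing[0]
    else:
        # Assumption for this model: with no synchronized password to copy,
        # the caller must supply one, exactly as in the unsynchronized case.
        if supplied_password is None:
            raise PasswordPolicyError("a password must be specified for the new account")
        check_strength(supplied_password)
        account.password = supplied_password
    accounts.append(account)
    return account
```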

Resources overview

Resources are the applications, components, processes, and other functions that users need to complete their work assignments.

IBM Security Identity Manager uses a service to manage user accounts and access to resources by using adapters to provide trusted communication of data between the resources and IBM Security Identity Manager.


Services

A service represents a managed resource, such as an operating system, a database application, or another application that IBM Security Identity Manager manages. For example, a managed resource might be a Lotus Notes application.

Users access these services by using an account on the service.

Services are created from service types, which represent a set of managed resources that share similar attributes. For example, there is a default service type that represents Linux machines. These service types are installed by default when IBM Security Identity Manager is installed. Alternatively, they are installed when you import the service definition files for the adapters for those managed resources.

Accounts on services identify the users of the service. Accounts contain the login and access information of the user and allow the use of specific resources.

Most services use IBM Security Identity Manager to provision accounts, which usually involves some workflow processes that must be completed successfully. However, manual services generate a work order activity that defines the manual intervention that is required to complete the request or to provision the account for the user.

A service owner owns and maintains a particular service in IBM Security Identity Manager. A service owner is either a person or a static organizational role. For a static organizational role, all the members of the organizational role are considered service owners. If that static organizational role contains other roles, then all members of those roles are also considered service owners.

Service types

A service type is a category of related services that share schemas. It defines the schema attributes that are common across a set of similar managed resources.

Service types are used to create services for specific instances of managed resources. For example, you might have several Lotus® Domino® servers that users need access to. You might create one service for each Lotus Domino server with the Lotus Domino service type.

Service prerequisite

A service might have another service defined as a service prerequisite. A user can receive a new account only if they have an existing account on the service prerequisite.

For example, Service B has a service prerequisite, Service A. If a user requests an account on Service B, in order to receive an account, the user must first have an account on Service A.

Service definition file

A service definition file, which is also known as an adapter profile, defines the type of managed resource that IBM Security Identity Manager can manage. The service definition file creates the service types on the IBM Security Identity Manager Server.

The service definition file is a JAR file that contains the following information:
• Service information, including definitions of the user provisioning operations that can be done for the service, such as add, delete, suspend, or restore.
• Service provider information, which defines the underlying implementation of how the IBM Security Identity Manager Server communicates with the managed resource. Valid service providers are Tivoli Directory Integrator and DSMLv2.
• Schema information, including the LDAP classes and attributes.
• Account forms and service forms. A properties file for accounts and supporting data such as service groups defines the labels for the attributes on these forms. The labels are displayed in the user interface for creating services and requesting accounts on those services.

Manual services

A manual service is a type of service that requires manual intervention to complete the request. For example, a manual service might be defined for setting up voice mail for a user.

Manual services generate a work order activity that defines the manual intervention that is required.

You might create a manual service when IBM Security Identity Manager does not provide an adapter for a managed resource for which you want to provision accounts.

When you create a manual service, you add new schema classes and attributes for the manual service to your LDAP directory.

See the following topics:
• "Manual services and service type" in the IBM Security Identity Manager Configuration Guide
• "Enabling connection mode" in the IBM Security Identity Manager Administration Guide

Adapters

An adapter is a software component that provides an interface between a managed resource and IBM Security Identity Manager.

An adapter functions as a trusted virtual administrator for the managed resource. An adapter does such tasks as creating accounts, suspending accounts, and other functions that administrators typically do.

An adapter consists of the service definition file and the executable code for managing accounts.

Adapters are deployed in one of two ways:

Agent-based adapter
An agent-based adapter must be on the managed resource, in order to administer accounts. For example, the Lotus Notes adapter for AIX® is an agent-based adapter.

Agentless adapter
An agentless adapter can be on a remote server, in order to administer accounts. For example, the UNIX/Linux adapter is an agentless adapter.

Adapters are created from one of two technologies:

Adapter Development Kit (ADK)
Adapters that are created with the ADK are either agent-based adapters or agentless adapters. The ADK is the base component of the adapters and contains the runtime library, filtering and event notification functionality, protocol settings, and logging information. The ADK is the same across the adapters.

IBM Tivoli Directory Integrator
Adapters that are created with IBM Tivoli Directory Integrator are either agent-based or agentless adapters. These adapters are implemented as assembly lines, each of which is a single path of data transfer and transformation. IBM Tivoli Directory Integrator can pass data from one assembly line to the next assembly line.

Several agentless adapters are automatically installed when you install IBM Security Identity Manager. You can install additional agentless or agent-based adapters.

Adapter communication with managed resources

Communication between IBM Security Identity Manager and managed resources has several solutions.

Linux and UNIX managed resources use agentless adapters that are created with IBM Tivoli Directory Integrator. Other managed resources use ADK adapters.

Figure 4 illustrates how communication links between software products and components can be configured.

System security overview

An organization has critical needs to control user access, and to protect sensitive information.

First, an organization agrees on security requirements for business needs. Then, a system administrator configures the groups, views, access control items, and forms that IBM Security Identity Manager provides for security of its data.

[Figure: Web browser, WebSphere Application Server, IBM Security Identity Manager Server, Tivoli Directory Integrator, Adapter, Other adapters, UNIX managed resource, and LDAP managed resource, with each communication link labeled either SSL (one-way or two-way SSL) or SSH (Secure Shell protocol).]

Figure 4. Secure communication in the IBM Security Identity Manager environment


Security model characteristics

An organization defines a security model to meet its business needs. The model serves as a basis to define the requirements and actual implementation of a security system.

Some characteristic objectives of a security model include:
• Verifying the identity of users, provided by authentication systems that include password strength and other factors.
• Enabling authorized users to access resources, provided by authorization systems that define request or role-based processes, and related provisioning. Resources, for example, include accounts, services, user information, and IBM Security Identity Manager functions. A security model also requires additional provisioning processes to select the resources that users are permitted to access.
• Administering which operations and permissions are granted for accounts and users.
• Delegating a user's list of activities to other users, on a request or assignment basis.
• Protecting sensitive information, such as user lists or account attributes.
• Ensuring the integrity of communications and data.

Business requirements

A business needs agreement on its security requirements before implementing the processes that IBM Security Identity Manager provides.

For example, requirement definitions might answer these questions:
• What groups of IBM Security Identity Manager users are there?
• What information does each user group need to see?
• What tasks do the users in each group need to do?
• What roles do users perform in the organization?
• Which access rights need definition?
• What working relationships exist that require some users to have different authority levels?
• How can prevention and auditing provide remedies for activity that does not comply with established policies?

To meet common business needs, a business might frequently have several groups, such as a manager, a help desk assistant, and an auditor group. The business might have customized groups that do a more expanded or limited set of tasks.

Resource access from a user's perspective

To provide security of data for a user who works within a range of tasks on specific business resources, IBM Security Identity Manager might provide one or more roles, and membership in one or more groups.

For example, a user in a business unit often has a title, or role that has a responsibility, such as buyer. The user might also be a member of a group that provides a view of tasks that the user can do, such as regional purchasing. The relationships are illustrated in Figure 5 on page 60:


Each role has a related provisioning policy and workflow that grants the user access to one or more resources, such as accounts.

Each group has a view of specific tasks, and one or more access control items that grant specific operations and permissions to do the tasks. By using a form designer applet, you can also modify the user interface that a user sees. You might remove unnecessary fields for account, service, or user attributes.

Groups

A group is used to control user access to functions and data in IBM Security Identity Manager.

Group members have an account on the IBM Security Identity Manager service. Membership in an IBM Security Identity Manager group provides a set of default permissions and operations, as well as views, that group members need. Your site might also create customized groups.

Additionally, some users might be members of a service group that grants specific access to a certain application or other functions. For example, a service group might have members that work directly with data in an accounting application.

Predefined groups, views, and access control items

IBM Security Identity Manager provides predefined groups. The groups are associated with views and access control items.

Two user interfaces, or consoles, are available:
• Self-service console for all users, for self-care activities such as changing personal profile information, such as a telephone number.
• Administrative console, for selected users who belong to one or more groups that enable a range of administrative tasks.

An IBM Security Identity Manager user with no other group membership has a basic privilege to use IBM Security Identity Manager.

Figure 5. Securing data for user access to resources


This set of users needs only a self-service console for self-care capabilities. The users are not in a labeled "group" such as a Help Desk Assistant group.

The predefined groups are associated with predefined views and access control items, to control what members can see and do, as illustrated in Figure 6.

The predefined groups are:

Administrator
The administrator group has no limits set by default views or access control items and can access all views and do all operations in IBM Security Identity Manager. The first system administrator user is named "itim manager".

Auditor
Members of the auditor group can request reports for audit purposes.

Help Desk Assistant
Members of the Help Desk Assistant group can request, change, suspend, restore, and delete accounts. Members can request, change, and delete access, and also can reset passwords, profiles, and accounts of others. Additionally, members can delegate activities for a user.

Manager
Members of the Manager group are users who manage the accounts, profiles, and passwords of their direct subordinates.

Service Owner
Members of the Service Owner group manage a service, including the user accounts and requests for that service.

Views

A view is a set of tasks that a particular type of user can see, but not necessarily do, on the graphical user interface. For example, it is a task portfolio of the everyday activities that a user needs to use IBM Security Identity Manager.

Figure 6. Predefined groups, views, and access control items


On both the self-service console and the administrative console, you can specify the view that a user sees.

Access control items

An access control item (ACI) is data that identifies the permissions that users have for a specific type of resource. You create an access control item to specify a set of operations and permissions. You also identify which groups use the access control item.

An access control item defines these items:
• The entity types to which the access control item applies
• Operations that users might do on entity types
• Attributes of the entity types that users might read or write
• The set of users that is governed by the access control item

IBM Security Identity Manager provides default access control items.

You can also create a customized access control item. For example, a customized access control item might limit the ability of a specific Help Desk Assistant group to change information for other users. Access control items can also specify relationships such as Manager or Service Owner.

When you create customized reports, you must also manually create report access control items and entity access control items for the new report. These ACIs permit users who are not administrators, such as auditors, to run the custom report and view data in the custom report.

After you create an access control item or change an existing access control item, run a data synchronization to ensure that other IBM Security Identity Manager processes, such as the reporting engine, use the new or changed access control item.

Forms

A form is a user interface window that is used to collect and display values for account, service, or user attributes.

IBM Security Identity Manager includes a form designer, which runs as a Java applet, that you use to modify existing user, service, and account forms. For example, you might add the fax number attribute and an associated entry field to capture that number for a particular account. You might remove an account attribute that your organization does not want a user to see. If you remove an attribute from a form, it is completely removed; that is, even system administrators cannot see the attribute.

You can see only those attributes that are on the form and that you have read or write access to (as granted by access control items). Using the form designer, you can also customize forms for other elements in the organization tree, such as location or organization unit.

Organization tree overview

Business organizations have various configurations that contain their subordinate units, including services and employees.


For a specific set of business needs, you can configure IBM Security Identity Manager to provide a hierarchy of services. You can configure organizations, users, and other elements in a tree that corresponds to the needs of a user population.

Note: This release provides enhanced menus to search for a specific user, but not a graphic organization tree for that purpose.

In this release, you cannot browse and create entities by navigating the organization tree. The association to a business unit within the organization tree is specified during the creation of the entity.

Nodes in an organization tree

An organization tree has nodes that include organizations and subordinate business units, as well as other elements.

An organization tree can have these nodes:

Organization
Identifies the top of an organizational hierarchy, which might contain subsidiary entities such as organization units, business partner organization units, and locations. The organization is the parent node at the top of the node tree.

Organization Unit
Identifies a subsidiary part of an organization, such as a division or department. An organization unit can be subordinate to any other container, such as organization, organization unit, location, and business partner organization.

Business Partner Organization Unit
Identifies a business partner organization, which is typically a company outside your organization that has an affiliation, such as a supplier, customer, or contractor.

Location
Identifies a container that is different geographically, but contained within an organization entity.

Admin Domain
Identifies a subsidiary part of an organization as a separate entity with its own policies, services, and access control items, including an administrator whose actions and views are restricted to that domain.

Entity types associated with a business unit

Different types of entities can be associated with a business unit in an organization tree.

The association to a business unit is specified when the entity is created. Normally, an entity cannot change the business unit association after it is created. The only exception is the User entity. IBM Security Identity Manager supports the transfer of users between different business units.

The following entity types can be associated to a business unit in the organization tree:
• User
• ITIM group
• Service
• Role
• Identity policy
• Password policy
• Provisioning policy
• Service selection policy
• Recertification policy
• Account and access request workflow
• Access control item

Entity searches of the organization tree

This release provides menus to search for a specific user, but not a graphic organization tree to navigate to locate a specific user.

To locate a specific user with search menus, use the advanced search filter to search by user type such as Person or Business Partner Person. In the search, you can also select a business unit and its subunits, and the status of the user, such as Active. Additionally, you can add other fields to qualify the search, including an LDAP filter statement.

Policies overview

A policy is a set of considerations that influence the behavior of a managed resource (called a service in IBM Security Identity Manager) or a user.

A policy represents a set of organizational rules and the logic that IBM Security Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a service-specific policy.

IBM Security Identity Manager enables your organization to use centralized security policies for specified user groups. You can use IBM Security Identity Manager policies to centralize user access for disparate resources in an organization. You can implement additional policies and features that streamline operations associated with access to resources for users.

IBM Security Identity Manager supports the following types of policies:
• Adoption policies
• Identity policies
• Password policies
• Provisioning policies
• Recertification policies
• Separation of duty policies
• Service selection policies

A policy can apply to one or multiple service targets, which can be identified either by a service type or by listing the services explicitly. These policies do not apply to services that represent identity feeds.
• Adoption policies apply to services. A global adoption policy applies to all services of a service type.
• Identity policies, password policies, and provisioning policies can apply to all service types, all services of a service type, or specific services.
• Recertification policies cannot act on all service types, but you can add all the different services for a specific recertification policy.
• Separation of duty policies do not apply directly to service types, and apply only to role membership for users.
• Service selection policies apply to only one service type.

Policy types and navigation

Table 24. Policy types and navigation

Type of policy       Navigation
Adoption             Manage Policies > Manage Adoption Policies
Identity             Manage Policies > Manage Identity Policies
Password             Manage Policies > Manage Password Policies
Provisioning         Manage Policies > Manage Provisioning Policies
Recertification      Manage Policies > Manage Recertification Policies
Separation of duty   Manage Policies > Manage Separation of Duty Policies
Service selection    Manage Policies > Manage Service Selection Policies

Account defaults

Account defaults define default values for an account during new account creation. The default can be defined at the service type level that applies to all services of that type. Alternatively, the default can be defined at the service level, which applies only to the service.

Policy enforcement

Global policy enforcement is the manner in which IBM Security Identity Manager globally allows or disallows accounts that violate provisioning policies.

When a policy enforcement action is global, the policy enforcement for any service is defined by the default configuration setting. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute.

Note: If a service has a specific policy enforcement setting, that setting is applied to the noncompliant accounts. The global enforcement setting does not apply. Policy enforcement can also be set for a specific service.

Mark
The existing user account on the old service is marked as disallowed, and a new account is not created on the new service.

Suspend
The existing user account on the old service instance is suspended, and a new account is not created on the new service.

Alert
An alert is sent to the recipient administrator to confirm removal of the old account on old services. A new account is created on the new service if the user does not have an account on the new service, and entitlement is automatic.

Correct
Existing accounts are removed on the old service. A new account is created on the new service if the user does not have an account on the new service and entitlement is automatic.

To work with global policy enforcement, go to the navigation tree and select Configure System > Configure Global Policy Enforcement.

Note: To set service policy enforcement, go to the navigation tree and select Manage Services.
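The enforcement rules above as an added Python model: a service-specific setting overrides the global one, and each of Mark, Suspend, Alert and Correct changes the noncompliant account on the old service differently and decides whether an account is created on the new service (only when the user has none there and entitlement is automatic). This is example code, not IBM's implementation; the `Account`, `Outcome`, `resolve_action` and `enforce` names and the sample accounts are hypothetical.

```python
"""Model of provisioning-policy enforcement actions.

Added example, not part of the product or the guide. It follows the Policy
enforcement section: Mark and Suspend never create an account on the new
service; Alert and Correct create one only when the user has no account
there and the entitlement is automatic.
"""
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = ("mark", "suspend", "alert", "correct")


@dataclass
class Account:
    owner: str
    service: str
    status: str = "active"        # active | suspended | removed
    disallowed: bool = False      # set by the Mark action


@dataclass
class Outcome:
    action: str
    old_account: Account
    new_account: Optional[Account]
    alerts: list = field(default_factory=list)


def resolve_action(global_action, service_action=None):
    """A service-specific enforcement setting wins over the global one."""
    action = (service_action or global_action).lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown enforcement action: {action}")
    return action


def enforce(old_account, new_service, accounts, entitlement_automatic,
            global_action, service_action=None):
    """Apply the resolved enforcement action to a noncompliant account.

    `accounts` is the list of all known accounts (constructed sample data in
    the test); a newly created account is appended to it.
    """
    action = resolve_action(global_action, service_action)
    outcome = Outcome(action, old_account, None)
    has_new = any(a.owner == old_account.owner and a.service == new_service
                  and a.status != "removed" for a in accounts)

    if action == "mark":
        old_account.disallowed = True        # marked; nothing is created
    elif action == "suspend":
        old_account.status = "suspended"     # suspended; nothing is created
    else:
        if action == "alert":
            # The administrator is asked to confirm removal; the old
            # account is left untouched until that confirmation.
            outcome.alerts.append(
                f"confirm removal of {old_account.owner}'s account "
                f"on {old_account.service}")
        else:  # correct
            old_account.status = "removed"
        if entitlement_automatic and not has_new:
            outcome.new_account = Account(old_account.owner, new_service)
            accounts.append(outcome.new_account)
    return outcome
```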

Workflow overview

A workflow defines a sequence of activities that represent a business process. You can use workflows to customize account provisioning and access provisioning, and lifecycle management.

A workflow is a set of steps or activities that define a business process. You can use the IBM Security Identity Manager workflows to customize account provisioning and lifecycle management. For example, you can add approvals and information requests to account or access provisioning processes. You can integrate lifecycle management processes (such as adding, removing, and modifying people and accounts in IBM Security Identity Manager) with external systems.

IBM Security Identity Manager provides these major types of workflows:

Operation workflows
Use operation workflows to customize the lifecycle management of accounts and people, or a specific service type, such as all Linux systems.

Operation workflows add, delete, modify, restore, and suspend system entities, such as accounts and people. You can also add new operations that your business process requires, such as approval for new accounts. For example, you might specify an operation workflow that defines activities to approve the account, including notifications and manager approvals.

Account request and access request workflows
Use account request and access request workflows to ensure that resources such as accounts or services are provisioned to users according to the business policies of your organization.

Note: The term entitlement workflow was previously used for this workflow type in IBM Security Identity Manager Version 4.6.
• An account request workflow can be bound to an entitlement for an access or an account. In provisioning policies, an entitlement workflow for accounts adds decision points to account requests, such as adding or modifying an account. If the request is approved, the processing continues; if the request is rejected, the request is canceled. The account request workflow is started during account provisioning requests, including adding and modifying an account, made by an IBM Security Identity Manager user or made during account auto provisioning. An account request workflow can also be started during an access request if there is no access request workflow defined.
• An access request workflow is bound to an access by the access definition, rather than by a provisioning policy. This workflow can specify the steps and approvals that authorize access to resources in a request. The access request workflow is started only for access requests that are made by an IBM Security Identity Manager user. The workflow is not started if the access is provisioned for the user as a result of an external or internal account request. An external account request is an account request made by an IBM Security Identity Manager user. An internal account request is an account request made by the IBM Security Identity Manager system. For example, an auto account provisioning gives the user a default or mandatory group that maps to an access.


Chapter 7. Initial login and password information

To get started after installing IBM Security Identity Manager, you need to know the login URL and the initial user ID and password.

Login URL

The login URL enables you to access the IBM Security Identity Manager web interface.

The login URL for the IBM Security Identity Manager administrative console is:

http://ip-address:port/itim/console/main/

Where ip-address is the IP address or DNS address of the IBM Security Identity Manager server, and port is the port number. The default port for new installations of IBM Security Identity Manager is 9080.

The login URL for the IBM Security Identity Manager self-service console is:

http://ip-address:port/itim/self

Where ip-address is the IP address or DNS address of the IBM Security Identity Manager server, and port is the port number. The default port for new installations of IBM Security Identity Manager is 9080.

Initial user ID and password

The initial user ID and password to authenticate to IBM Security Identity Manager are:

Table 25. Initial user ID and password for IBM Security Identity Manager

User ID        Password
itim manager   secret


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

This information was developed for products and services that are offered in the US and the European Union.

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details/us/en, sections entitled "Cookies, Web Beacons and Other Technologies" and "Software Products and Software-as-a Service".

Index

A
access 49, 54
  entitlement 54
  management 25, 48
access control 48, 62
accessibility viii
accounts 54
  active, inactive 54
  and access management 18
  created on account types 54
  form 15
  ownership type 11
  search, self service console 18
ACI 62
adapters 57, 58
  profile 56
  supported levels 9
administrative console 40
adoption policies 64
agent-based adapter 57
agentless adapter 57
application programming interface (API) 19
approval workflow process 34
audit trail tracking 34
authorization
  ACI 62

B
browser requirements 9
business requirements 59

C
client connections
  browser requirements 9
compliance, corporate 34

D
database server support 6
directory server requirements 6
dynamic role 43

E
education viii
enhanced adapter testing 17
enhanced logging APIs 20
entities 49
entitlement workflow 66
entity search 64
extended role attributes 14

F
features 11
  overview 25
fix packs 1
form designer 62
forms 62

G
groups 60
  members 60
  planning 60

H
hardware requirements 3
health monitoring 22
  WebSphere Performance Monitoring Infrastructure 22
hybrid provisioning model 48

I
IBM Cognos
  report server, software requirements 8
  reporting framework 22
IBM Software Support viii
IBM Support Assistant viii
IBM Tivoli Directory Integrator
  support 7
identity 53
  governance 39
  policies 64
Identity Service Center
  user interface 12, 41
installation images 1

K
known limitations 23
known problems 23

L
login
  initial user ID and password 69
  URL 69

M
main components 50
managed resources 30, 56, 58
manual services 57
message log 20
middleware components 50
multiple access levels 18

N
new features 11
  account ownership type 11
  api for recertification policies 20
  external user registry 19
  multiple level access types 18
  report data synchronization 21
  role assignment attributes 14
  service connection mode 16
  service management 16
  service tagging 17
  shared access module 12, 26
  web services api 20
node 63
notices 71

O
online
  publications vii
  terminology vii
operating system support 3
operation workflow 66
operational role management 39
organization
  entity types 63
  overview 63
  role 48
  tree 63, 64
overview
  organization 63
    entity types 63
  self-access management 43

P
passwords
  forgotten 55
  policies 64
  policy and compliance 34
  reset 55
  strength rules 55
  synchronization 55
people 53
persona-based console 40
policies
  adoption 64
  identity 64
  password 64
  provisioning 64
  recertification 64
  recertification, API 19
  recertification, compliance 34
  separation of duty 64
  service selection 64
policy enforcement 34
privileged identity management 12
problem determination, support information viii
provisioning
  accounts 49
  overview 44
  policies 64
  policy 34
  resources 48, 49
publications
  accessing online vii
  list of for this product vii

R
recertification 42
report data 42
  synchronization 21
reporting 42
reporting framework
  reporting model 22
  static reports 22
request-based access 48
request-based provisioning 48
requirements
  browser 9
  database server 6
  definitions 59
  directory integrator 7
  directory server 6
  hardware 3
  Java Runtime Environment 5
  JRE 5
  operating system 3
  report server 7
  software 3
  supported adapter levels 9
  Tivoli Reporting Server 7
  web application server 5
resources
  access 59
  overview 55
  provisioning 47
retry
  service 17
roadmap 30
role
  assignment attributes 14
  customization 14
  management 14

S
schema 56
security
  lifecycle 25
  model 59
  system 59
self-care user interface 41
separation of duty policies 64
service definition file 56
service failure retry 17
service form 17
service management and provisioning 15, 17
services 56
  manual 57
  prerequisite 56
  selection policies 64
  status 17
  tagging 15
  types 56
shared access
  configuration 30
  documentation 27
  features 27
  module 12
software requirements
  IBM Cognos report server 8
  Java Runtime Environment 5
  JRE 5
  operating system 3
static role 43
system security 58

T
terminology vii
three user interfaces 40
Tivoli Reporting Server
  requirements 7
training viii
troubleshooting viii
  known limitations 23

U
user access 59
user interface
  Identity Service Center 12, 41
  new 12, 41
users 53

V
vertical clusters 19
views, default 62
virtualization, supported products 4

W
workarounds 23
workflows
  entitlement 66
  operation 66


Printed in USA

GC14-7692-01