Upload
bupbechanh
View
222
Download
0
Embed Size (px)
Citation preview
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
1/24
Copyright IBM Corp. 2004. All rights reserved. ibm.com/redbooks 1
Redbooks Paper
Delegated Administration for IBM Tivoli
Identity Manager Version 4.5.1
Introduction
IBM Tivoli Identity Manager Version 4 delegated user administration enables companies toconfigure a secure administration model for user identities and accounts in a distributed
organization. Small companies that administer their users from a single department might notneed to use delegated administration because of the extra work required to set up and
maintain this administration model. Medium to large companies with many departments anddivisions might want to implement Tivoli Identity Manager using a delegated user
administration model because of internal politics, regional differences in the way identities
and accounts are administered, or perhaps the number of identities and accounts is too largefor a single department to manage. Figure 1 illustrates delegated user administration.
Robert Adachi
Axel Buecker
Robert Adachi
Axel Buecker
http://www.redbooks.ibm.com/http://www.redbooks.ibm.com/http://www.redbooks.ibm.com/http://www.redbooks.ibm.com/7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
2/24
2 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
Figure 1 Delegated user administration
Tivoli Identity Manager delegated administration is a valuable user administration toolbecause there might be multiple divisions or projects requiring a slightly different way of
administering user accounts. One division might require manager approval on every new useraccount request, while another division might only require account approvals on new
database accounts.
Or a company might have vendors who need computer accounts setup on a price bidding
system. The company could delegate the identity and account management to the vendorusing the Tivoli Identity Manager delegated user administration features instead of
administering all the accounts themselves.
Also, Tivoli Identity Manager delegated user administration manages the companys entireuser account population (RACF, Microsoft Windows 2000, Microsoft Exchange 2000,DB2, and so on), not just to a single platform (just Microsoft Windows 2000, or Oracle).
Companies might not understand that they can manage their entire user accounts in aheterogeneous network environment.
Steps
To use delegated user administration:
1. Create a new Organizational Unit.
2. Create a new Tivoli Identity Manager Organizational Unit group and make the new user amember of the group.
3. Create a new user identity and add a new Tivoli Identity Manager account for the user inthe Organizational Unit who will be the primary administrator.
4. Assign the new user to be the supervisor for the new Organizational Unit.
Domain A Domain B
Company A
The entire companys useradministration is managed
by a single group. Mighttake a long time to process
account requests, and the
person processing therequest might not
understand the business
requirements/security for the
access.
Domains A & B
User administration ismanaged by each domain.
Because there are a smallernumber of users to manage
in each domain, user
account request times mightshorten, and the businessrequirements/security might
be understood better.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
3/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.13
5. Create AIX Account Widgets Admin access control information (ACI), allowingmembers of the Widgets Admin Tivoli Identity Manager (ITIM) group to administeraccount privileges.
Define the permissions (add, change, delete, search, and so on) for the ACI.
The ACI might only allow the Administrators group to add, change, and search newidentities and accounts, but not to delete.
6. Define the ACI for the ITIM groups Administrators, Help Desk, and Users:
Administrators: Create, modify, delete, suspend, and change passwords for users
within their own administration realm.
Help Desk: Reset and change account passwords for any user. Help Desk cannot
create, modify, delete, or suspend users. (A companys help desk might service allusers across the organization, which means that the Help Desk group must have
global access. If the help desk is regional, the Help Desk ACI must only be configuredfor the region.)
Users: Users have a self-service capability that allows them to change their ownaccount passwords, request new accounts (which have a workflow approval process),and update their phone number or numbers and addresses in their identity information.
Step 1: Create a new Organizational Unit
To create a new Organizational Unit:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account
with sufficient permissions to create new Organizational Units). Click the MYORGANIZATION tab located at the top of the main Tivoli Identity Manager window, as
shown in Figure 2.
Figure 2 The MY ORGANIZATION tab
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
4/24
4 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
2. Click Manage Organizational Units on the lower-left side, and click the Add button.
3. Enter the Organizational Unit Name and an optional description.
4. Click the Submit button to create the new Organizational Unit. See Figure 3.
Figure 3 Organizational Unit information
Step 2: Create a new Organizational Unit group and make thenew user a member of the group
To create a new ITIM Organizational Unit group and make the new user a member of thegroup:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another accountwith sufficient administration permissions). Click the PROVISIONING tab located at the
top of the main Tivoli Identity Manager window, as shown in Figure 4.
2. Click Manage ITIM Groups and then Widgets Inc. This allows us to create a new
Widgets Admin ITIM group in the Widgets Inc. Organizational Unit (OU).
3. Click Add to create a new ITIM group.
Figure 4 The PROVISIONING tab
4. Enter a description and select Organization Tree for Optional Access.
5. Click Submit to create the ITIM group. See Figure 5.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
5/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.15
Figure 5 ITIM group
Step 3: Add a new user in the new Organizational Unit asprimary administrator
To add a new user in the new OU to be the primary administrator:
1. In the MY ORGANIZATION tab, select Manage People. Click the plus sign (+) on the leftside of your organization to display all the Organizational Units, as shown in Figure 6.
Figure 6 Display Organizational Units
2. Click Widgets Inc. (highlighted in blue) to display the users stored in the OU. Because this
is a new OU, no users are displayed. See Figure 7.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
6/24
6 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
Figure 7 New Organizational Unit
3. Click Add to add a new user identity.
4. Select the type of person you want to add (choose Person), and click Submit.
5. Enter the Last Name and Full Name, which is the minimum required data. Click Submit.
Figure 8 A new user identity
6. The scheduling window opens. Click Submit again.
If you do not click all the Submit buttons, you will not save your work.
At this point, we have created a new Organizational Unit and a new identity. Now, we have to
create an Tivoli Identity Manager account:
1. Select Manage Accounts to create a new Tivoli Identity Manager account, as shown in
Figure 9.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
7/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.17
Figure 9 Select Manage Accounts
2. Select New to display all the available services to which the user is entitled.
3. Select ITIM Service, and then click Continue.
4. Add an ITIM group by clicking Search located on the right side of the ITIM group.5. Enter an asterisk (*) in the search box, and click Search.
6. Select the ITIM group (Widgets Admin). Click Add and then Done.
7. Click Submit.
Figure 10 Click Submit button
8. The scheduling window opens. Click Submit again.
9. You are returned to the user accounts window. Click Refresh to display the new account.
Step 4: Assign the new user to be the supervisor for the newOrganizational Unit
Optional step: The step is not required for delegated user administration. A supervisor isrequired for the work flow if one of the approvers is the OU supervisor.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
8/24
8 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
To assign the new user to be the supervisor for the new Organizational Unit:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account
with sufficient administration permissions) and click the MY ORGANIZATION tab locatedat the top of the main Tivoli Identity Manager window, as shown in Figure 11.
Figure 11 Manage Organizational Units
2. Click Manage Organizational Units and then Widgets Inc.
3. Add a supervisor by clicking Search, as shown in Figure 12.
Figure 12 Click the Search button
4. Enter an asterisk (*) in the search field and click Search, as shown in Figure 13.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
9/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.19
Figure 13 Enter an asterisk
5. Select a user (for example, Dirk). Click Add and then Done, as shown in Figure 14.
Figure 14 Select a user
6. Click Submit to save your work, as shown in Figure 15
Figure 15 Click Submit
If Dirk Pitt (DPitt) logs on to Tivoli Identity Manager, he will see the window shown in
Figure 16.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
10/24
10 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
Figure 16 Manage Password window
There are a few new tabs (PROVISIONING, REPORT) that a regular user would not be able
to see. The PROVISIONING tab enables the administrator to see other users in the OU.
Selecting the MY ORGANIZATION tab displays only the OU for which the administrator hasadministrator privileges.
Without applying new ACI, the administrator will only be able to register new users, create
new OUs, and create new Tivoli Identity Manager accounts.
Step 5: Create an AIX Account Widgets Admin ACI withadministrator account privileges
With this access control information (ACI), members of the Widgets Admin ITIM group getadministrator authority for the AIX service. The ACI is at the top level because the AIXservice was created at the same level. If we created the services in the Widgets Inc. OU, we
would have created the account ACI at the same OU level.
To create AIX Account - Widgets Admin ACI allowing members of the Widgets Admin ITIM
group to administer account privileges:
1. In the MY ORGANIZATION tab, click Control Access located on the left side of the
window. Make sure the focus is set to the top level (Easy Software Company).
2. Click Add to create a new ACI, as shown in Figure 17.
Important: Scoping is very important to the behavior of Tivoli Identity Manager. If youcreate a lot of access control information (ACI), and some of the permissions do not seem
to be what you think they should be, stop and review where you have created the ACI. Itmight not be created at the proper level.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
11/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.111
Figure 17 Click Add
3. From the Category list, select Account, which then displays a Custom Class list, asshown in Figure 18. Select the appropriate service (this example uses AIX Account).
Figure 18 Select Account
This menu is divided into five sections (see Figure 19):
Details: Name of the ACI and the scoping (Single or SubTree).
Attributes: Click Attribute Permissions to display a window.
Operations: The operations (actions) for the ACI.
ACI Principles: To which user the ACI applies.
Allow Access for the following ITIM groups: Use to attach ITIM groups.
4. In the Details section:
Enter a name for the ACI (AIX Account Widgets Admin).
Change the Scope from Single to SubTree.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
12/24
12 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
5. In the Operation section, select Grant for the Remove, Search, Suspend, Add, and Modifyfields.
6. In the Allow Access for the following ITIM groups section, click Add. Search for the ITIMgroup you want to associate with the ACI and add it (we selected Widgets Admin).
Figure 19 Fill in the five sections
7. In the Attributes section, click Attributes Permissions (blue text) to display the window
shown in Figure 20:
a. Select Grant All under the Read and Write columns. If you only want the ACI to be
able to display the attribute value (no write permission), change the attributes Write
permission to None or Deny.
b. At the bottom of the menu, click Continue to return to the previous window.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
13/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.113
Figure 20 Attribute Permission Details window
8. Click Submit to save the ACI, as shown in Figure 21.
Figure 21 Click Submit
Step 6: Define ACI for the ITIM groups Administrators, HelpDesk, and Users
Most companies use the term role in the context of a grouping of business roles a userhas. A business role might be an administrator who is in charge of setting up new useraccounts on multiple systems or applications. The administrator would need the ability to add,
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
14/24
14 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
delete, modify, suspend, restore, and change passwords for the people they are administeringon a given system.
For each managed resource (accounts on systems or applications), we map Tivoli IdentityManager roles and ACI to a companys business role using a table similar to Table 1. For this
example, we assume that our company (Widgets Inc.) only manages three accounts: TivoliIdentity Manager, AIX, and Domino.
Companies can have additional business roles depending on the complexity of their useradministration processes.
Table 1 Mapping Tivoli Identity Manager roles and ACI
To implement the three business roles using Tivoli Identity Manager, we need to create an
ITIM group for each business role and organizational ACI for assigning which groups haveappropriate permissions for each system to which we are provisioning.
We create ITIM groups for Administrators (Widgets Admin), Help Desk (Widgets Help Desk)and Users (Widgets Users). Because Widgets Inc. administers their own users, the ITIM
groups will be created in the Widgets Inc. OU instead of at the Easy Software Company level.
Rather than listing how to create all the ITIM groups (Admin, Help Desk, User) and then theACI after all the groups, we create the ITIM group and then the ACI for that group.
Each managed system (that is, AIX) requires one ACI for each business role. If two or morebusiness roles require the same permissions, those business roles can be grouped together
on one ACI. The AIX example requires three ACI categories: one each for Administrators,Help Desk, and Users.
We only include screen captures of the ITIM ACI. The only procedural difference between theTivoli Identity Manager and AIX ACI is that instead of selecting ITIM Account, you would
select Account and the Account class (AIX).
Add Delete Modify Suspend Restore Change
password
Tivoli Identity Manager account
group/account ACI
Administrators X X X X X X
Help Desk X X
Users X X
AIX account
group/account ACI
Administrators X X X X X X
Help Desk X X X
Users X X
Domino account
group/account ACI
Administrators X X X X X X
Help Desk X
Users X X
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
15/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.115
Widgets Admin ITIM group
To create the Widgets Admin ITIM group:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another accountwith sufficient administration permissions). Click the PROVISIONING tab located at the
top of the main Tivoli Identity Manager window. See Figure 22.
2. Click ITIM Groups, and then click Widgets Inc. to create the Widgets Admin ITIM groupin the Widgets Inc. OU.
3. Type in the name of the ITIM group (Widgets Admin), the Description (Admin group for
Widgets Inc.), and select Organization Tree. Selecting Organization Tree makes theITIM group available to any OUs created in the Widgets Inc. OU.
4. Click Submit to save your work.
Figure 22 Widgets Admin ITIM group
Widgets Administrators ITIM ACITo create the Widgets Administrators ITIM ACI:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another accountwith sufficient administration permissions). Click the MY ORGANIZATION tab located at
the top of the main Tivoli Identity Manager window.
2. Click Control Access and then Widgets Inc.
3. Select Identity Manager User for the Category. Click Continue. See Figure 23.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
16/24
16 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
Figure 23 Widgets Administrators ITIM ACI
4. Enter a name for the ACI, in our example, ITIM Administrators. As a convention, weusually enter the system name and a dash (-), followed by the business role name.
5. Change the Scope from Single to SubTree.
6. Refer to the Tivoli Identity Manager Account chart shown in Figure 24. Select all theoptions in the Operation section that apply to the ACI. The ITIM Administrators group
has all the permissions, so we grant all the operations (Remove, Search, Restore,Suspend, Add, and Modify). You must grant Search; otherwise, the user will not be able tosearch for data in the Tivoli Identity Manager directory.
Figure 24 Access Control Information Details window
7. Click Attribute Permissions.
Because the Administrators role should be able to read and write all the attributes for aTivoli Identity Manager account, we select Grant All for both Read and Write. If there are
some attributes you do not want the Administrators role to be able to write, change theattribute permission to None.
8. Click Continue to save your work.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
17/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.117
Figure 25 Select Grant All
9. In the Allow Access for the following ITIM groups section, click Add.
10.Enter an asterisk (*) in the search box. A list of ITIM groups will appear. Select WidgetsAdmin and then click Add. See Figure 26.
Figure 26 Enter an asterisk
11.Click Submit (located at the bottom of the page) to save the ACI.
Widgets Help Desk ITIM group
To create the Widgets Help Desk ITIM group:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another accountwith sufficient administration permissions). Click the PROVISIONING tab located at the
top of the main Tivoli Identity Manage window. See Figure 27.
2. Click ITIM Groups and then Widgets Inc. to create the Widgets Help Desk ITIM group in
the Widgets Inc. OU.
3. Type in the name of the ITIM group (Widgets Help Desk), the Description(Reset/change), and select Organization Tree. Selecting Organization Tree makes theITIM group available to any OUs created in the Widgets Inc. OU.
4. Click Submit to save your work.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
18/24
18 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
Figure 27 Widgets Help Desk ITIM group
Widgets Help Desk ITIM ACITo create the Widgets Help Desk ITIM ACI:
1. Click Control Access and then Widgets Inc.
2. Select Identity Manager User for the Category. Click Continue.
3. Enter a name for the ACI, in our example, ITIM Help Desk. As a convention, we usuallyenter the system name and a dash (-), followed by the business role name.
4. Change the Scope from Single to SubTree.
5. Refer to the Tivoli Identity Manager account chart in Figure 28. Select all the options in theOperation section that apply to the ACI. The ITIM Help Desk group only has Suspendand Change Password permissions, so we grant the operations Search, Suspend, and
Modify. You must grant Search; otherwise, the user will not be able to search for data in theTivoli Identity Manager directory.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
19/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.119
Figure 28 Widgets Help Desk ITIM ACI
6. In the Allow Access for the following ITIM groups section, click Add.
7. Enter an asterisk (*) in the search box. A list of ITIM groups opens.
8. Select Widgets Help Desk, and then click Add. See Figure 29.
Figure 29 Select Widgets Help Desk
9. Select Submit (located at the bottom of the page) to save the ACI.
Widgets User ITIM group
To create the Widgets User ITIM group:
1. Log on to Tivoli Identity Manager using the ITIM manager account (or another accountwith sufficient administration permissions). Click the PROVISIONING tab located at the
top of the main Tivoli Identity Manager window. See Figure 30.
2. Click ITIM Groups and then Widgets Inc. to create the Widgets User ITIM group in the
Widgets Inc. OU.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
20/24
20 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
3. Type in the name of the ITIM group (Widgets User), the Description (Self service
capability), and select Organization Tree. Selecting Organization Tree makes theITIM group available to any OUs created in the Widgets Inc. OU.
4. Click Submit to save your work.
Figure 30 Widgets User ITIM group
Widgets User ITIM ACI
To create the Widgets User ITIM ACI:
1. Click Control Access and then Widgets Inc. See
2. Select Identity Manager User for the Category and click Continue.
3. Enter a name for the ACI, in our example, ITIM User. As a convention, we usually enterthe system name and a dash (-), followed by the business role name.
4. Change the Scope from Single to SubTree.
5. Refer to the Tivoli Identity Manager account chart in Figure 31. Select all the options in the
Operation section that apply to the ACI. The ITIM User group only has Add and ChangePassword permissions, so we grant the operations Add, Search, and Modify. You must
grant Search; otherwise, the user will not be able to search for data in the Tivoli IdentityManager directory.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
21/24
Delegated Administration for IBM Tivoli Identity Manager Version 4.5.121
Figure 31 Widgets User ITIM ACI
6. Click Attribute Permissions. Select Grant All in the Read column. Select Grant in thePassword attribute. See Figure 32.
Figure 32 Attribute Permission Details
7. In the Allow Access for the following ITIM groups section, click Add.
8. Enter an asterisk (*) in the search box, as shown in Figure 33. A list of ITIM groups opens.
Tip: Every managed resource requires an ACI granting Read and Write permissions
before a user can manage their own passwords. If you do not create the ACI, the userwill not see the managed resource in the change password window.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
22/24
22 Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1
Figure 33 Enter an asterisk
9. Select Widgets User and click Add, as shown in Figure 34.
Figure 34 Select Widgets User
10.Click Submit (located at the bottom of the page) to save the ACI.
The team that wrote this Redpaper
This Redpaper was produced by a team of specialists from around the world working at the
International Technical Support Organization, Austin Center.
Robert Adachi is a Certified IT Specialist with IBM. He's an Above Region Systems Engineer
for all the Americas. Before working for IBM, he initially helped to develop and write code forearlier versions of IBM Tivoli Identity Manager. Before that, he was Systems Analyst for a
petroleum research authority for eight years.
Axel Buecker is a Certified Consulting Software I/T Specialist at the International TechnicalSupport Organization, Austin Center. He writes extensively and teaches IBM classesworldwide on the areas of software security architecture and network computing
technologies. He holds a degree in computer science from the University of Bremen,Germany. He has 17 years of experience in a variety of areas related to workstation and
systems management, network computing, and e-business solutions. Before joining the ITSOin March 2000, Axel was working for IBM in Germany as a Senior IT Specialist in Software
Security Architecture.
Special thanks to the ITSO group for all the help they have provided to publish papers.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
23/24
Copyright IBM Corp. 2004. All rights reserved.23
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consultyour local IBM representative for information on the products and services currently available in your area. Anyreference to an IBM product, program, or service is not intended to state or imply that only that IBM product,program, or service may be used. Any functionally equivalent product, program, or service that does notinfringe any IBM intellectual property right may be used instead. However, it is the user's responsibility toevaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. Thefurnishing of this document does not give you any license to these patents. You can send license inquiries, inwriting, to:IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where suchprovisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATIONPROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer ofexpress or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically madeto the information herein; these changes will be incorporated in new editions of the publication. IBM may makeimprovements and/or changes in the product(s) and/or the program(s) described in this publication at any timewithout notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in anymanner serve as an endorsement of those Web sites. The materials at those Web sites are not part of thematerials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurringany obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their publishedannouncements or other publicly available sources. IBM has not tested those products and cannot confirm theaccuracy of performance, compatibility or any other claims related to non-IBM products. Questions on thecapabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate themas completely as possible, the examples include the names of individuals, companies, brands, and products.All of these names are fictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.
COPYRIGHT LICENSE:This information contains sample application programs in source language, which illustrates programmingtechniques on various operating platforms. You may copy, modify, and distribute these sample programs inany form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sampleprograms are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, anddistribute these sample programs in any form without payment to IBM for the purposes of developing, using,marketing, or distributing application programs conforming to IBM's application programming interfaces.
7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857
24/24
Send us your comments in one of the following ways: Use the online Contact us review redbook form found at:
ibm.com/redbooks Send your comments in an Internet note to:
[email protected] Mail your comments to:
IBM Corporation, International Technical Support OrganizationDept. JN9B Building 003 Internal Zip 283411400 Burnet RoadAustin, Texas 78758-3493 U.S.A.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,other countries, or both:
AIX
Domino
DB2
IBM
ibm.com
RACF
Redbooks
Redbooks (logo)
Tivoli
The following terms are trademarks of other companies:
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in theUnited States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
http://www.redbooks.ibm.com/http://www.ibm.com/redbooks/http://www.ibm.com/redbooks/http://www.ibm.com/redbooks/http://www.redbooks.ibm.com/http://www.ibm.com/redbooks/http://www.redbooks.ibm.com/contacts.htmlhttp://www.redbooks.ibm.com/contacts.htmlhttp://www.redbooks.ibm.com/contacts.htmlhttp://www.ibm.com/redbooks/http://www.redbooks.ibm.com/contacts.htmlhttp://www.ibm.com/redbooks/http://www.ibm.com/redbooks/http://www.redbooks.ibm.com/