Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857


  • 7/31/2019 Delegated Administration for Tivoli Identity Manager 4.5.1 Redp3857


    Copyright IBM Corp. 2004. All rights reserved. ibm.com/redbooks 1

    Redbooks Paper

    Delegated Administration for IBM Tivoli Identity Manager Version 4.5.1

    Introduction

    IBM Tivoli Identity Manager Version 4 delegated user administration enables companies to configure a secure administration model for user identities and accounts in a distributed organization. Small companies that administer their users from a single department might not need to use delegated administration because of the extra work required to set up and maintain this administration model. Medium to large companies with many departments and divisions might want to implement Tivoli Identity Manager using a delegated user administration model because of internal politics, regional differences in the way identities and accounts are administered, or perhaps the number of identities and accounts is too large for a single department to manage. Figure 1 illustrates delegated user administration.

    Robert Adachi

    Axel Buecker


    Figure 1 Delegated user administration

    Tivoli Identity Manager delegated administration is a valuable user administration tool because there might be multiple divisions or projects requiring a slightly different way of administering user accounts. One division might require manager approval on every new user account request, while another division might only require account approvals on new database accounts.

    Or a company might have vendors who need computer accounts set up on a price bidding system. The company could delegate the identity and account management to the vendor using the Tivoli Identity Manager delegated user administration features instead of administering all the accounts themselves.

    Also, Tivoli Identity Manager delegated user administration manages the company's entire user account population (RACF, Microsoft Windows 2000, Microsoft Exchange 2000, DB2, and so on), not just a single platform (just Microsoft Windows 2000, or Oracle).

    Companies might not understand that they can manage all of their user accounts in a heterogeneous network environment.

    Steps

    To use delegated user administration:

    1. Create a new Organizational Unit.

    2. Create a new Tivoli Identity Manager Organizational Unit group and make the new user a member of the group.

    3. Create a new user identity and add a new Tivoli Identity Manager account for the user in the Organizational Unit who will be the primary administrator.

    4. Assign the new user to be the supervisor for the new Organizational Unit.

    Figure 1 text:

    Company A: The entire company's user administration is managed by a single group. Might take a long time to process account requests, and the person processing the request might not understand the business requirements/security for the access.

    Domains A & B: User administration is managed by each domain. Because there are a smaller number of users to manage in each domain, user account request times might shorten, and the business requirements/security might be understood better.


    5. Create AIX Account - Widgets Admin access control information (ACI), allowing members of the Widgets Admin Tivoli Identity Manager (ITIM) group to administer account privileges.

    Define the permissions (add, change, delete, search, and so on) for the ACI.

    The ACI might only allow the Administrators group to add, change, and search new identities and accounts, but not to delete.

    6. Define the ACI for the ITIM groups Administrators, Help Desk, and Users:

    Administrators: Create, modify, delete, suspend, and change passwords for users within their own administration realm.

    Help Desk: Reset and change account passwords for any user. Help Desk cannot create, modify, delete, or suspend users. (A company's help desk might service all users across the organization, which means that the Help Desk group must have global access. If the help desk is regional, the Help Desk ACI must only be configured for the region.)

    Users: Users have a self-service capability that allows them to change their own account passwords, request new accounts (which have a workflow approval process), and update their phone number or numbers and addresses in their identity information.

    Step 1: Create a new Organizational Unit

    To create a new Organizational Unit:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient permissions to create new Organizational Units). Click the MY ORGANIZATION tab located at the top of the main Tivoli Identity Manager window, as shown in Figure 2.

    Figure 2 The MY ORGANIZATION tab


    2. Click Manage Organizational Units on the lower-left side, and click the Add button.

    3. Enter the Organizational Unit Name and an optional description.

    4. Click the Submit button to create the new Organizational Unit. See Figure 3.

    Figure 3 Organizational Unit information

    Step 2: Create a new Organizational Unit group and make the new user a member of the group

    To create a new ITIM Organizational Unit group and make the new user a member of the group:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient administration permissions). Click the PROVISIONING tab located at the top of the main Tivoli Identity Manager window, as shown in Figure 4.

    2. Click Manage ITIM Groups and then Widgets Inc. This allows us to create a new Widgets Admin ITIM group in the Widgets Inc. Organizational Unit (OU).

    3. Click Add to create a new ITIM group.

    Figure 4 The PROVISIONING tab

    4. Enter a description and select Organization Tree for Optional Access.

    5. Click Submit to create the ITIM group. See Figure 5.


    Figure 5 ITIM group

    Step 3: Add a new user in the new Organizational Unit as primary administrator

    To add a new user in the new OU to be the primary administrator:

    1. In the MY ORGANIZATION tab, select Manage People. Click the plus sign (+) on the left side of your organization to display all the Organizational Units, as shown in Figure 6.

    Figure 6 Display Organizational Units

    2. Click Widgets Inc. (highlighted in blue) to display the users stored in the OU. Because this is a new OU, no users are displayed. See Figure 7.


    Figure 7 New Organizational Unit

    3. Click Add to add a new user identity.

    4. Select the type of person you want to add (choose Person), and click Submit.

    5. Enter the Last Name and Full Name, which is the minimum required data. Click Submit.

    Figure 8 A new user identity

    6. The scheduling window opens. Click Submit again.

    If you do not click all the Submit buttons, you will not save your work.

    At this point, we have created a new Organizational Unit and a new identity. Now, we have to create a Tivoli Identity Manager account:

    1. Select Manage Accounts to create a new Tivoli Identity Manager account, as shown in Figure 9.


    Figure 9 Select Manage Accounts

    2. Select New to display all the available services to which the user is entitled.

    3. Select ITIM Service, and then click Continue.

    4. Add an ITIM group by clicking Search located on the right side of the ITIM group.

    5. Enter an asterisk (*) in the search box, and click Search.

    6. Select the ITIM group (Widgets Admin). Click Add and then Done.

    7. Click Submit.

    Figure 10 Click Submit button

    8. The scheduling window opens. Click Submit again.

    9. You are returned to the user accounts window. Click Refresh to display the new account.

    Step 4: Assign the new user to be the supervisor for the new Organizational Unit

    Optional step: The step is not required for delegated user administration. A supervisor is required for the workflow if one of the approvers is the OU supervisor.


    To assign the new user to be the supervisor for the new Organizational Unit:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient administration permissions) and click the MY ORGANIZATION tab located at the top of the main Tivoli Identity Manager window, as shown in Figure 11.

    Figure 11 Manage Organizational Units

    2. Click Manage Organizational Units and then Widgets Inc.

    3. Add a supervisor by clicking Search, as shown in Figure 12.

    Figure 12 Click the Search button

    4. Enter an asterisk (*) in the search field and click Search, as shown in Figure 13.


    Figure 13 Enter an asterisk

    5. Select a user (for example, Dirk). Click Add and then Done, as shown in Figure 14.

    Figure 14 Select a user

    6. Click Submit to save your work, as shown in Figure 15.

    Figure 15 Click Submit

    If Dirk Pitt (DPitt) logs on to Tivoli Identity Manager, he will see the window shown in Figure 16.


    Figure 16 Manage Password window

    There are a few new tabs (PROVISIONING, REPORT) that a regular user would not be able to see. The PROVISIONING tab enables the administrator to see other users in the OU.

    Selecting the MY ORGANIZATION tab displays only the OU for which the administrator has administrator privileges.

    Without applying new ACI, the administrator will only be able to register new users, create new OUs, and create new Tivoli Identity Manager accounts.

    Step 5: Create an AIX Account - Widgets Admin ACI with administrator account privileges

    With this access control information (ACI), members of the Widgets Admin ITIM group get administrator authority for the AIX service. The ACI is at the top level because the AIX service was created at the same level. If we created the services in the Widgets Inc. OU, we would have created the account ACI at the same OU level.

    To create AIX Account - Widgets Admin ACI allowing members of the Widgets Admin ITIM group to administer account privileges:

    1. In the MY ORGANIZATION tab, click Control Access located on the left side of the window. Make sure the focus is set to the top level (Easy Software Company).

    2. Click Add to create a new ACI, as shown in Figure 17.

    Important: Scoping is very important to the behavior of Tivoli Identity Manager. If you create a lot of access control information (ACI), and some of the permissions do not seem to be what you think they should be, stop and review where you have created the ACI. It might not be created at the proper level.


    Figure 17 Click Add

    3. From the Category list, select Account, which then displays a Custom Class list, as shown in Figure 18. Select the appropriate service (this example uses AIX Account).

    Figure 18 Select Account

    This menu is divided into five sections (see Figure 19):

    Details: Name of the ACI and the scoping (Single or SubTree).

    Attributes: Click Attribute Permissions to display a window.

    Operations: The operations (actions) for the ACI.

    ACI Principals: To which user the ACI applies.

    Allow Access for the following ITIM groups: Use to attach ITIM groups.

    4. In the Details section:

    Enter a name for the ACI (AIX Account - Widgets Admin).

    Change the Scope from Single to SubTree.


    5. In the Operation section, select Grant for the Remove, Search, Suspend, Add, and Modify fields.

    6. In the Allow Access for the following ITIM groups section, click Add. Search for the ITIM group you want to associate with the ACI and add it (we selected Widgets Admin).

    Figure 19 Fill in the five sections

    7. In the Attributes section, click Attributes Permissions (blue text) to display the window shown in Figure 20:

    a. Select Grant All under the Read and Write columns. If you only want the ACI to be able to display the attribute value (no write permission), change the attribute's Write permission to None or Deny.

    b. At the bottom of the menu, click Continue to return to the previous window.


    Figure 20 Attribute Permission Details window

    8. Click Submit to save the ACI, as shown in Figure 21.

    Figure 21 Click Submit

    Step 6: Define ACI for the ITIM groups Administrators, Help Desk, and Users

    Most companies use the term role in the context of a grouping of business roles a user has. A business role might be an administrator who is in charge of setting up new user accounts on multiple systems or applications. The administrator would need the ability to add, delete, modify, suspend, restore, and change passwords for the people they are administering on a given system.

    For each managed resource (accounts on systems or applications), we map Tivoli Identity Manager roles and ACI to a company's business role using a table similar to Table 1. For this example, we assume that our company (Widgets Inc.) only manages three accounts: Tivoli Identity Manager, AIX, and Domino.

    Companies can have additional business roles depending on the complexity of their user administration processes.

    To implement the three business roles using Tivoli Identity Manager, we need to create an ITIM group for each business role and organizational ACI for assigning which groups have appropriate permissions for each system to which we are provisioning.

    We create ITIM groups for Administrators (Widgets Admin), Help Desk (Widgets Help Desk) and Users (Widgets Users). Because Widgets Inc. administers their own users, the ITIM groups will be created in the Widgets Inc. OU instead of at the Easy Software Company level.

    Rather than listing how to create all the ITIM groups (Admin, Help Desk, User) and then the ACI after all the groups, we create the ITIM group and then the ACI for that group.

    Each managed system (that is, AIX) requires one ACI for each business role. If two or more business roles require the same permissions, those business roles can be grouped together on one ACI. The AIX example requires three ACI categories: one each for Administrators, Help Desk, and Users.

    We only include screen captures of the ITIM ACI. The only procedural difference between the Tivoli Identity Manager and AIX ACI is that instead of selecting ITIM Account, you would select Account and the Account class (AIX).

    Table 1 Mapping Tivoli Identity Manager roles and ACI

    Columns: Add, Delete, Modify, Suspend, Restore, Change password

    Tivoli Identity Manager account (group/account ACI)
        Administrators  X X X X X X
        Help Desk       X X
        Users           X X

    AIX account (group/account ACI)
        Administrators  X X X X X X
        Help Desk       X X X
        Users           X X

    Domino account (group/account ACI)
        Administrators  X X X X X X
        Help Desk       X
        Users           X X
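    The mapping in Table 1 and the scoping rule from step 5 can be checked on paper before the ACIs are entered in the console. The following Python sketch is an added example, not code from the Redpaper or from Tivoli Identity Manager: it assumes a simplified model (an ACI applies to the OU where it is created, plus descendants when the scope is SubTree; Deny is not modelled), and the extra OUs, the `Aci` class, the ACI names and the finding codes are hypothetical.

```python
from dataclasses import dataclass, field

# OU tree as child -> parent. "Easy Software Company" and "Widgets Inc." are the
# paper's names; "Widgets East" and "Gadgets Div." are constructed for the demo.
OU_PARENT = {
    "Easy Software Company": None,
    "Widgets Inc.": "Easy Software Company",
    "Widgets East": "Widgets Inc.",
    "Gadgets Div.": "Easy Software Company",
}

# Table 1 column -> ACI operation, following the grants made in step 6:
# Delete is granted as Remove, Change password as Modify.
OP_FOR = {"Add": "Add", "Delete": "Remove", "Modify": "Modify",
          "Suspend": "Suspend", "Restore": "Restore", "Change password": "Modify"}

# Tivoli Identity Manager account rows, as the step 6 text describes each group.
ROLE_MATRIX = {
    "Widgets Admin": {"Add", "Delete", "Modify", "Suspend", "Restore",
                      "Change password"},
    "Widgets Help Desk": {"Suspend", "Change password"},
    "Widgets User": {"Add", "Change password"},
}

PASSWORD_ATTR = "Password"  # hypothetical identifier for the Password attribute


@dataclass
class Aci:
    name: str
    ou: str            # OU where the ACI was created
    scope: str         # "Single" or "SubTree"
    operations: set    # operations set to Grant
    groups: set        # ITIM groups attached to the ACI
    write_attrs: set = field(default_factory=set)  # {"*"} stands for Grant All


def ancestors(ou):
    """Return the chain of parent OUs, nearest first."""
    chain, node = [], OU_PARENT[ou]
    while node is not None:
        chain.append(node)
        node = OU_PARENT[node]
    return chain


def covers(aci, ou):
    """Assumed scope model: own OU always, descendants only with SubTree."""
    return aci.ou == ou or (aci.scope == "SubTree" and aci.ou in ancestors(ou))


def in_realm(ou, realm):
    return ou == realm or realm in ancestors(ou)


def audit(aci, group, realm):
    """Compare one ACI with the matrix row for `group`, delegated over `realm`."""
    findings = []
    wanted = ROLE_MATRIX[group]
    expected = {OP_FOR[p] for p in wanted} | {"Search"}  # Search is always needed
    findings += [("missing-operation", op) for op in sorted(expected - aci.operations)]
    findings += [("extra-operation", op) for op in sorted(aci.operations - expected)]
    if group not in aci.groups:
        findings.append(("group-not-attached", group))
    for ou in OU_PARENT:
        if in_realm(ou, realm) and not covers(aci, ou):
            findings.append(("realm-not-covered", ou))
        if covers(aci, ou) and not in_realm(ou, realm):
            findings.append(("reaches-outside-realm", ou))
    # Modify granted only to carry Change password: write access wider than the
    # password attribute gives the role more than its matrix row asks for.
    password_only = "Change password" in wanted and "Modify" not in wanted
    if password_only and "Modify" in aci.operations:
        for attr in sorted(aci.write_attrs - {PASSWORD_ATTR}):
            findings.append(("write-wider-than-password", attr))
    return findings


ALL_OPS = {"Add", "Remove", "Modify", "Suspend", "Restore", "Search"}
# Constructed ACI definitions: one as step 6 builds it, two with deviations.
ADMIN_ACI = Aci("ITIM - Administrators", "Widgets Inc.", "SubTree",
                set(ALL_OPS), {"Widgets Admin"}, {"*"})
HELPDESK_ACI = Aci("ITIM - Help Desk", "Widgets Inc.", "Single",
                   {"Suspend", "Modify"}, {"Widgets Help Desk"}, {"*"})
TOP_LEVEL_ACI = Aci("ITIM - Administrators (top level)", "Easy Software Company",
                    "SubTree", set(ALL_OPS), {"Widgets Admin"}, {"*"})

if __name__ == "__main__":
    for aci, group in ((ADMIN_ACI, "Widgets Admin"),
                       (HELPDESK_ACI, "Widgets Help Desk"),
                       (TOP_LEVEL_ACI, "Widgets Admin")):
        print(aci.name, audit(aci, group, "Widgets Inc."))
```

    The third definition shows what the Important note in step 5 warns about: the same grants created one level higher with SubTree scope also apply to OUs outside the delegated realm.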


    Widgets Admin ITIM group

    To create the Widgets Admin ITIM group:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient administration permissions). Click the PROVISIONING tab located at the top of the main Tivoli Identity Manager window. See Figure 22.

    2. Click ITIM Groups, and then click Widgets Inc. to create the Widgets Admin ITIM group in the Widgets Inc. OU.

    3. Type in the name of the ITIM group (Widgets Admin), the Description (Admin group for Widgets Inc.), and select Organization Tree. Selecting Organization Tree makes the ITIM group available to any OUs created in the Widgets Inc. OU.

    4. Click Submit to save your work.

    Figure 22 Widgets Admin ITIM group

    Widgets Administrators ITIM ACI

    To create the Widgets Administrators ITIM ACI:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient administration permissions). Click the MY ORGANIZATION tab located at the top of the main Tivoli Identity Manager window.

    2. Click Control Access and then Widgets Inc.

    3. Select Identity Manager User for the Category. Click Continue. See Figure 23.


    Figure 23 Widgets Administrators ITIM ACI

    4. Enter a name for the ACI, in our example, ITIM - Administrators. As a convention, we usually enter the system name and a dash (-), followed by the business role name.

    5. Change the Scope from Single to SubTree.

    6. Refer to the Tivoli Identity Manager Account chart shown in Figure 24. Select all the options in the Operation section that apply to the ACI. The ITIM Administrators group has all the permissions, so we grant all the operations (Remove, Search, Restore, Suspend, Add, and Modify). You must grant Search; otherwise, the user will not be able to search for data in the Tivoli Identity Manager directory.

    Figure 24 Access Control Information Details window

    7. Click Attribute Permissions.

    Because the Administrators role should be able to read and write all the attributes for a Tivoli Identity Manager account, we select Grant All for both Read and Write. If there are some attributes you do not want the Administrators role to be able to write, change the attribute permission to None.

    8. Click Continue to save your work.


    Figure 25 Select Grant All

    9. In the Allow Access for the following ITIM groups section, click Add.

    10. Enter an asterisk (*) in the search box. A list of ITIM groups will appear. Select Widgets Admin and then click Add. See Figure 26.

    Figure 26 Enter an asterisk

    11. Click Submit (located at the bottom of the page) to save the ACI.

    Widgets Help Desk ITIM group

    To create the Widgets Help Desk ITIM group:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient administration permissions). Click the PROVISIONING tab located at the top of the main Tivoli Identity Manager window. See Figure 27.

    2. Click ITIM Groups and then Widgets Inc. to create the Widgets Help Desk ITIM group in the Widgets Inc. OU.

    3. Type in the name of the ITIM group (Widgets Help Desk), the Description (Reset/change), and select Organization Tree. Selecting Organization Tree makes the ITIM group available to any OUs created in the Widgets Inc. OU.

    4. Click Submit to save your work.


    Figure 27 Widgets Help Desk ITIM group

    Widgets Help Desk ITIM ACI

    To create the Widgets Help Desk ITIM ACI:

    1. Click Control Access and then Widgets Inc.

    2. Select Identity Manager User for the Category. Click Continue.

    3. Enter a name for the ACI, in our example, ITIM - Help Desk. As a convention, we usually enter the system name and a dash (-), followed by the business role name.

    4. Change the Scope from Single to SubTree.

    5. Refer to the Tivoli Identity Manager account chart in Figure 28. Select all the options in the Operation section that apply to the ACI. The ITIM Help Desk group only has Suspend and Change Password permissions, so we grant the operations Search, Suspend, and Modify. You must grant Search; otherwise, the user will not be able to search for data in the Tivoli Identity Manager directory.


    Figure 28 Widgets Help Desk ITIM ACI

    6. In the Allow Access for the following ITIM groups section, click Add.

    7. Enter an asterisk (*) in the search box. A list of ITIM groups opens.

    8. Select Widgets Help Desk, and then click Add. See Figure 29.

    Figure 29 Select Widgets Help Desk

    9. Select Submit (located at the bottom of the page) to save the ACI.

    Widgets User ITIM group

    To create the Widgets User ITIM group:

    1. Log on to Tivoli Identity Manager using the ITIM manager account (or another account with sufficient administration permissions). Click the PROVISIONING tab located at the top of the main Tivoli Identity Manager window. See Figure 30.

    2. Click ITIM Groups and then Widgets Inc. to create the Widgets User ITIM group in the Widgets Inc. OU.


    3. Type in the name of the ITIM group (Widgets User), the Description (Self service capability), and select Organization Tree. Selecting Organization Tree makes the ITIM group available to any OUs created in the Widgets Inc. OU.

    4. Click Submit to save your work.

    Figure 30 Widgets User ITIM group

    Widgets User ITIM ACI

    To create the Widgets User ITIM ACI:

    1. Click Control Access and then Widgets Inc. See

    2. Select Identity Manager User for the Category and click Continue.

    3. Enter a name for the ACI, in our example, ITIM - User. As a convention, we usually enter the system name and a dash (-), followed by the business role name.

    4. Change the Scope from Single to SubTree.

    5. Refer to the Tivoli Identity Manager account chart in Figure 31. Select all the options in the Operation section that apply to the ACI. The ITIM User group only has Add and Change Password permissions, so we grant the operations Add, Search, and Modify. You must grant Search; otherwise, the user will not be able to search for data in the Tivoli Identity Manager directory.


    Figure 31 Widgets User ITIM ACI

    6. Click Attribute Permissions. Select Grant All in the Read column. Select Grant in the Password attribute. See Figure 32.

    Figure 32 Attribute Permission Details

    7. In the Allow Access for the following ITIM groups section, click Add.

    8. Enter an asterisk (*) in the search box, as shown in Figure 33. A list of ITIM groups opens.

    Tip: Every managed resource requires an ACI granting Read and Write permissions before a user can manage their own passwords. If you do not create the ACI, the user will not see the managed resource in the change password window.


    Figure 33 Enter an asterisk

    9. Select Widgets User and click Add, as shown in Figure 34.

    Figure 34 Select Widgets User

    10. Click Submit (located at the bottom of the page) to save the ACI.

    The team that wrote this Redpaper

    This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

    Robert Adachi is a Certified IT Specialist with IBM. He's an Above Region Systems Engineer for all the Americas. Before working for IBM, he initially helped to develop and write code for earlier versions of IBM Tivoli Identity Manager. Before that, he was Systems Analyst for a petroleum research authority for eight years.

    Axel Buecker is a Certified Consulting Software I/T Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide on the areas of software security architecture and network computing technologies. He holds a degree in computer science from the University of Bremen, Germany. He has 17 years of experience in a variety of areas related to workstation and systems management, network computing, and e-business solutions. Before joining the ITSO in March 2000, Axel was working for IBM in Germany as a Senior IT Specialist in Software Security Architecture.

    Special thanks to the ITSO group for all the help they have provided to publish papers.


    Notices

    This information was developed for products and services offered in the U.S.A.

    IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

    COPYRIGHT LICENSE:

    This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


    Send us your comments in one of the following ways:

    Use the online Contact us review redbook form found at: ibm.com/redbooks

    Send your comments in an Internet note to: [email protected]

    Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. JN9B Building 003 Internal Zip 2834, 11400 Burnet Road, Austin, Texas 78758-3493 U.S.A.

    Trademarks

    The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

    AIX

    Domino

    DB2

    IBM

    ibm.com

    RACF

    Redbooks

    Redbooks (logo)

    Tivoli

    The following terms are trademarks of other companies:

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Other company, product, and service names may be trademarks or service marks of others.
