F12 IBM Tivoli Identity Manager Best Practices TTUC2007

Page 1: F12 IBM Tivoli Identity Manager Best Practices TTUC2007

© IBM Corporation 2007

San Francisco, CA May 7-10, 2007


F12

Thomas L. Brooks, PMP

IBM Tivoli Identity Manager Best Practices

Page 2: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


IBM Software Group

© 2007 IBM Corporation

IBM Tivoli Identity Manager Best Practices

Page 3: F12 IBM Tivoli Identity Manager Best Practices TTUC2007

IBM Software Group | Tivoli software

3

Agenda

Introduction

Lifecycle of an ITIM Implementation Project
– Prior to Project Start
– Project Initiation and Planning
– Project Execution, Control, and Closure

Deployment Expectations and Pitfalls to Avoid

Steady State Considerations

Supplemental Materials
– Component View vs. Logical View
– Identity Management Pyramid
– Best Practice Deployment Approach
– Who Does What and When?
– Steady State Backup

Page 4: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Introduction

What makes an ITIM Implementation different?

Complexity of identity management business needs

Required level of commitment from the customer

Misconceptions about the ITIM solution

Range of skills needed to implement an ITIM solution

Limited pool of experienced ITIM solution implementers

Maturity of the ITIM solution

Page 5: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Introduction (cont.)

What skills, knowledge, and experience does an ITIM implementer need?

Possess a working knowledge of the product itself, the middleware components of the solution, and the foundational skills needed to install and configure it

Know what tools, templates, and other intellectual capital are available for ITIM solutions and learn how to use them properly

Know who the contacts are in various IBM organizations and teams to get help when you need it

Strongly recommend participating in at least one ITIM implementation being managed or led by an experienced resource before attempting one on your own

Must have good negotiating skills for expectation and satisfaction management and for getting and holding on to the resources you need

Must have a strong project manager

Page 6: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Lifecycle of an ITIM Implementation Project

Prior to Project Start

The timeframe before the software is sold and/or before a contract for services is signed, when the team is supporting the sales cycle and helping to close the deal. Focus is on gathering information to produce scope, cost, and time estimates and setting expectations.

Project Initiation and Planning

The timeframe between the signing of a contract for services and the establishment of a baseline project plan. Focus is on establishing the project team and assessing and/or resetting expectations as needed to get the project started properly.

Project Execution, Control, and Closure

The timeframe following the establishment of a baseline project plan, when the work of the project is proceeding and the change control and issues management processes are being executed, through the controlled closure of the project. Focus is on monitoring the status of project activities, taking corrective action as needed, and leading the team through the successful implementation of the ITIM solution to meet the business needs.

Page 7: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Prior to Project Start

Understanding Requirements

Several key high level questions must be addressed
– Do you have clear business needs and goals?
– Does the responsibility for achieving these goals rest with a specific group?
– How does the identity management business need fit into the “big picture”?
– What are the “real” constraints that will affect the implementation?

Most customers will not have all the answers at this point

Drive information gathering to be specific and focus on the critical areas

Take advantage of tools, templates, and other intellectual capital available

Page 8: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Prior to Project Start (cont.)

Setting Expectations

This timeframe is when you have the most power to shape perceptions

Guide the stakeholders towards a phased implementation

Look for opportunities to create some early “wins”

Try to avoid full scale implementation and/or customization in the first phase

You can’t win them all – when you don’t, document thoroughly

Improper expectations can disrupt every aspect of an implementation

Page 9: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Prior to Project Start (cont.)

Performing a Proof of Concept (PoC)

Should be treated as a tool, not an exercise – use it to your advantage

Limit scope to simple platforms, configs, and functions – no customizations!

Ensure that very specific objectives are defined with completion criteria

Stick to the basics – this is not the time to try new stuff or push the envelope

Do not get held up by details – note questions and issues and move on

Conclude with a demo to the key customer stakeholders – make it an event!

A successful Proof of Concept does not need to eliminate all doubts or answer all questions – it just needs to reassure the stakeholders that it can work in their environment

Page 10: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Prior to Project Start (cont.)

ITIM Implementation Estimation and Sizing

Time, Cost, Functionality
– What is the timeline? Are there multiple phases? When are key milestones?
– Will the services be time and materials or fixed price? What are the rates?
– What will be in scope for each phase and overall?

Resource Planning
– What is the size and composition of the implementation team?
– What resources will various stakeholders provide for the implementation?

Hardware Sizing
– What capacity does the solution need to accommodate?

Defining Initial Architecture
– Do you have enough info to define an initial architecture with stakeholder approval?

Factor in all the information you have and allow for missing data

Take advantage of tools, templates, and other intellectual capital available

Have a more experienced implementer review estimates and discuss feedback

Page 11: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Prior to Project Start (cont.)

ITIM Implementation Statement of Work

Scope
Be as specific and thorough as possible. This serves as the basis for all project activities. In the strictest sense, if it is not listed here, it should not be done without a formal change order.

Assumptions
Use this section to cover any areas where you do not have enough information or where you want to confirm that your understanding of something matches other stakeholders’.

Responsibilities – both Contractor and Customer
Clearly define what the contractor project team will do versus what the customer project team will do.

Deliverables and Completion Criteria
Make sure that all deliverables are concrete and specific and that all completion criteria are finite and within your control.

Change Control and Issues Management Processes
Ensure that these sections are clearly defined and tailored to the specific project. Structure them so that they can be followed as a natural aspect of the implementation.

Take advantage of tools, templates, and other intellectual capital available

Page 12: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Initiation and Planning

Before You Get Started on Project Tasks

Understanding the History
– Review everything that has taken place up to this point
– You want to be prepared to be fully productive on the first day of the project

Engaging the IBM Account Team or IBM Advocate
– Especially important if they were not involved in the pre-sales activities
– Involving them from the start improves your position when issues arise

Securing Project Team Resources
– You need to make sure you have the right resources with the right skills when you need them
– Allow enough time for other commitments to be wrapped up before planning to have resources in place

Page 13: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Initiation and Planning (cont.)

Beginning Project Tasks

Assessing Your Position
– Especially critical if you were not involved in the pre-sales activities
– Needs to be a natural part of the project startup
– You need to make sure the stakeholders do not feel like they are rehashing
– Should be comprehensive

Resetting Expectations As Needed
– Should be done as soon as you complete assessment of your position and have recommendations to present
– Everyone who was involved in setting the original expectations needs to be part of resetting them
– Make this a positive experience

Developing the Initial Project Plan
– Build this around key project milestones and keep it high level
– Be sure to factor in all of the information you have available
– Avoid allowing stakeholders to lock you into this initial plan – no commitments yet

Page 14: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Initiation and Planning (cont.)

Project Kickoff Meeting

Should schedule during first two weeks of starting project, but not too soon!

Critical that all key stakeholders participate in the meeting

Use this as an opportunity to gauge stakeholder “investment” in the project

Observe how the stakeholders interact with each other – look for the “power”

Try to sense the internal politics – look for factions and try to discern their support of the project

Seek additional information and details that you have not obtained yet

Schedule follow up discussions with stakeholders as needed

Be confident, but realistic and end the meeting on a positive note

Page 15: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Initiation and Planning (cont.)

Baselining the Project Plan

Build on the initial project plan by applying what you learn from the project kickoff meeting and follow up discussions

Do not make the project plan too detailed – some abstraction gives you flexibility to deal with minor events

Solicit input from the whole team

Avoid overloading resources right from the start

Plan for unexpected delays and think about how tasks that are not on the critical path can be rearranged if necessary

Finalize the project plan that you are confident you can meet and get the right stakeholder to sign it to indicate their acceptance. This is your baseline!

Page 16: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Initiation and Planning (cont.)

Initiating Change Control and Issues Management Processes

Once you baseline the project plan, it is critical that you enforce the Change Control Process right from the start

Make sure all of the project stakeholders are aware of these processes from the beginning

The project manager is the judge of whether minor events or requests are adding up enough to have an impact on the baseline – if so, they should get a change request

Thoroughly documented change requests and issues will help prevent drifting expectations and misunderstandings as the project proceeds

The results of change requests are reflected as updated project plan baselines and the status of issues are reflected in a running issues log

Page 17: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Execution, Control, and Closure

Status Tracking and Reporting

Plan to be engaged enough to keep track of everything going on

Include the project manager in as many technical meetings and discussions as possible

If your project manager is not busy with project management duties, they should spend time learning more about the product

Your project manager should be positioned as the status reporting interface between your team and the other stakeholders

Arrange status discussions and meetings for various audiences at regular intervals

Your goal is to be prepared to respond to any question the stakeholders may pose at any time in a way that inspires confidence and the sense that everything is under control

Page 18: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Execution, Control, and Closure (cont.)

Ongoing Expectation Management

Stakeholder expectations should be monitored constantly – assume nothing!

Use status meetings and status reports to help guide expectations

Be aware of how factors outside your project may be influencing stakeholder expectations

Enlist the aid of resources who demonstrate a good understanding of the project scope and who are realistic and supportive of your plans

Make sure that communication is occurring consistently with all levels of stakeholders

Make a special effort to create and maintain an open channel of communication with the sponsor and/or executive management

Enforce the change control and issues management processes

Page 19: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Execution, Control, and Closure (cont.)

Managing Changes and Issues and Avoiding CritSits

Changes and issues are a natural aspect of the project – if it was easy, nobody would pay for consultants to do it!

Be passionate, but not emotional when dealing with changes and issues

Set a good example – be positive and keep morale up

Even when the stakeholders are friendly and cooperative, document everything thoroughly

Gather as much information as possible before contacting Technical Support

Learn to escalate issues effectively – use it, but don’t abuse it

Develop a network of “go to” people throughout the organization who you can turn to for assistance in dealing with stumbling blocks

Being responsive and demonstrating progress can sometimes be the difference between a significant issue and a CritSit

Page 20: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Execution, Control, and Closure (cont.)

Preparing To Be Self Sufficient

The overall objective in an ITIM implementation project is to obtain the maximum benefit from the solution you have invested in

The quote, “Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.” sums it up

The preparation should begin on the first day of the project and continue throughout – effective knowledge transfer is a critical success factor!

Consider this goal when developing all project documentation and deliverables – the more thorough, the better

Share tips and techniques about how to troubleshoot the solution and deal with unexpected behaviors and results

The solution operation resources should be both technically prepared and psychologically comfortable assuming operational control of the solution

Page 21: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Project Execution, Control, and Closure (cont.)

Controlled Closing

Verifying the Deliverables and Exit Criteria
– Review all deliverables produced by your team for contract compliance
– Confirm that all exit criteria are satisfied and get stakeholder signoff as appropriate

Releasing Resources
– Make sure you get all of the work products from the resources before they leave
– Plan the orderly release of project resources to allow them to transition to the next project in a timely fashion

Identifying Follow On Opportunities with Stakeholders
– Arrange a meeting with stakeholders specifically to discuss “next steps”
– Try to time discussions to capitalize on current project success and/or momentum

Page 22: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Considerations

Level of Effort (LOE) or Full Time Equivalents (FTEs) required to operate and maintain an ITIM solution are dependent upon many factors. The most important of these factors are:

The functionality of the solution that has been deployed

The complexity of the enterprise in terms of identities, organizations, managed targets, roles, policies, workflows, etc.

The volume and frequency of change to the configuration elements

The maturity of the business logic the solution is based upon

The quality of the identity and account data that is being managed

The extent to which the out of the box solution has been customized

The skill levels and experience of the operation and administration staff

Central vs. Distributed Security Administration Model

Page 23: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Considerations (cont.)

Regardless of the quantities, there are certain aspects of operation and maintenance that are almost universal. Planning early in the project to ensure that there will be coverage for all of these aspects is the most effective way to avoid problems down the road. These aspects are:

Thorough documentation of the decisions made during the solution design and implementation

Detailed understanding of the configurations and any customizations made to the solution

Staff with the proper foundational skills and training to operate and maintain the solution

Detailed processes and procedures for operation and maintenance scenarios

An individual or team that clearly owns the solution

Complete socialization of the solution throughout the enterprise

Page 24: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Considerations (cont.)

The resources responsible for operating and maintaining the ITIM solution should have an administrative-level understanding and working knowledge and skills in the following areas:

The operating system(s) that the ITIM solution is running on (e.g. Windows, AIX, Solaris, HPUX, Linux)

The relevant database platforms (e.g. DB2, Oracle, MS SQL Server)

The relevant directory server (e.g. IBM Directory Server, Sun ONE)

The relevant application server (e.g. WebSphere, WebLogic)

The IBM Tivoli Identity Manager application itself

TCP/IP Networking configuration and troubleshooting

Information gathering, documentation, and communication with IBM Tivoli Customer Support

Page 25: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Deployment Expectations – General Information

As customer scale and complexity increase, implementation work increases, but not in a strictly linear fashion. As a rough rule of thumb, a "typical" customer implementation with medium/high complexity and 100,000+ users will likely range from 10-18 months in duration and require an IBM project team of 3-5 resources. This estimated duration and team size could be higher based on actual solution design results; the range varies based on the following factors:

1. Complexity and heterogeneity of the customer specific OS/application/hardware IT environment
2. The customer's unique business and technical requirements
3. Number, skill level and types of customer resources that will be applied to the project
4. Customer's project standards and security and IT process maturity

All IT deployments require:

Project management

Solution design

Detailed project planning

Internal process and standards design and definition

Data loading and migration

Configuration of entitlements (org unit, access control, Workflow, password & identity policies, etc.)

Some level of customization

Test environment implementation

Change control and QA process

Production roll out implementation

Documentation

Training

In general, the more organized, prepared, educated, and committed the customer is, the more efficient the deployment is. IBM can significantly assist here by supplying highly skilled, seasoned ITIM deployment resources (PM, Architect, Consultants) to assist the customer with their ITIM deployment.

Page 26: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Pitfalls to Avoid – Planning and Estimating Lessons Learned

By themselves, data points like number of users, number of agents, number of platforms/applications, number of roles/policies, and number of project team members are not necessarily indicative of the size or complexity of an identity management solution deployment

Size and complexity is more often driven by the variety and intricacy of the business logic that is to be implemented in the solution

For a given time and effort, the number of systems that can be implemented can skew widely based on whether those systems are platforms or applications and, in the case of applications, whether the underlying user account data store is proprietary, database, LDAP, etc.

The most effective way to level the skewing factors to arrive at a meaningful data point in terms of time and effort is by deriving the number of unique user account data stores for which a solution needs to be implemented

Determining the number of unique user account data stores usually requires a detailed discovery effort

Page 27: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Pitfalls to Avoid – Planning and Estimating Lessons Learned

The two most common challenges in identity management solution deployment projects are vague requirements and unstable scope

The most rapid and successful deployments begin with adequate analysis and detailed design, tend to focus on the platforms vs. applications, and aim to establish basic functionality that can be expanded on and improved in subsequent project phases

When there are many unknowns or complex targets are part of the first phase scope, fewer targets decreases risk and improves chance of success

More project team members do not generally result in a faster deployment – there is an optimal project team size

The combined IBM and customer project team gets more efficient in deploying targets and estimating time and effort with each successive phase – the IBM resources understand the customer environment better and the customer resources understand the capabilities and limitations of the solution better

Page 28: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Pitfalls to Avoid – General Project Lessons Learned

The majority of detailed solution design effort must take place at the beginning stages of the project, not “design as we go”

Following a pre-defined and agreed upon deployment roadmap is instrumental in achieving recognized success

Customer executive support and sponsorship must exist for a project to be successful

A teaming approach between the customer and IBM will greatly smooth out the engagement

All members of the team, both customer and IBM, should be aware of the entire project scope and goals

Any decisions that affect change on the project should be communicated to all team members

Project issues and problems should be approached with a goal of resolution, not blame placement

Customer education and knowledge transfer must start at the beginning of the project

Proper project management principles must be followed throughout the life of the project

Page 29: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Supplemental Materials

Page 30: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Application Installation Process – Component View

(Component diagram; only the labels survive.) Components shown: J2EE Application Server hosting the ITIM Application; ITIM Workflow Database on an RDBMS (JDBC); ITIM Directory Data (LDAP v3); Web User Interface for the Administrator and for the End User; agents on managed targets (e.g. mainframe) reached over XML over SSL; a Java Application connected over IIOP; an Existing Identity Store / HR Application integrated through IDI (DSMLv2 Server & Notifier, DSMLv2 over SSL). Policy pseudocode shown on the slide: "if policy.getMembers() then Accounts.set…()".

Page 31: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


ITIM Data – Logical View

(Entity diagram; only the labels survive.) Organizational Structure: Organizations contain Organizational Units, which contain Locations. Entities: Identities; Accounts (e.g. root, Administrator); Roles (e.g. manager, developer); Policies; Workflows (e.g. start, new employee); Services (e.g. unix, windows). Relationship labels on the diagram: Identities own Accounts; Roles are assigned to Identities; Policies apply to Roles and Services; Workflows apply to Services; Services deploy Accounts.

Page 32: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Integrated Identity Management Pyramid

(Pyramid diagram; the value statements and layer labels from the slide.)

Value statements:
– Productivity: Enforce security policies proactively
– Competitive Advantage: Extend security automation to business partners
– Scale: Support large, distributed user base
– Compliance: Ease support of audits
– Productivity: Speed accurate account creation
– Risk: Eliminate Backdoor Access
– ROI: Cut Helpdesk Costs by 40%
– Fundamental: Administer web and legacy environments consistently
– Security: Consistent Authentication and Authorization to all Resources
– Integration: Meta view of Enterprise Data Assets

Layers:
– Access Controlled Systems
– Data Integration Layer
– Self-Regulating Access Controls Across Organizations
– Access Control Policy Automation
– Distributed Administration
– Access Request Audit Trails
– Access Request Approval Process Automation
– Orphan Account Control
– Password Management
– Connectors to Access Control Systems

Page 33: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach - Phased Approach to Implementation

(The slide is a table with one column per phase, Phase 1 to Phase 5, and rows for Scope, Feature and Benefit; the bullets are listed per phase in reading order.)

Phase 1 – Foundation & Password Management
• Out of the box supported applications/systems (5)
• Baseline reporting
• Covers large or small user target
• HR Feed established
• Orphan Account Control
• Single action to close/suspend a user's accounts
• Password Management: synchronisation, Reset and Self Service across managed platforms
• Organizational tree established
• Eliminate Risks from ‘Backdoor’ access
• Necessary reporting available
• High visibility of the solution
• Large benefits gained among the end-users and in the central user administration and support desk
• Compact delivery time

Phase 2 – Auto Provision Std Accounts & workflow
• Consistent GUI for Admin
• Consistent Account creation
• Full Audit Trail
• Simple Workflow introduced
• Start Road to RBAC
• Templates for later roll-out established
• All significant applications covered
• Time consuming tasks replaced by automation
• Large benefits gained by the application owners
• Delegated admin possible
• Improved control from detailed reporting

Phase 3 – Role based account management
• Rule-set for automated creation and deletion of user accounts
• Rule-set for org. changes
• Full workflow for account management
• Focused on small community
• HR-Feed for managing user accounts – high demands on data quality
• Organisational chart may need refining
• Administration by Role management introduced
• Requires input and buy-in from application/system owners
• One interface for ALL user administration
• Scheduled re-organisations with shorter non-productive time for the end-user
• Fast activation and deactivation of user
• Time consuming tasks replaced by automation

Phase 4 – Custom Agents & Extension
• Custom developed agent
• Start program to extend RBAC to cover all companies
• No unauthorised administration of user accounts outside of ITIM
• Workflow supports authorisation mgmt
• User registration is automatically updated
• Reduced Admin
• Necessary reporting for external parties
• Consolidation of users
• Organisational Structure
• HR Feed creating new users
• High visibility of the solution
• Large benefits gained among the end-users and in the central user administration
• Higher security and lower license cost

Phase 5 – Maturity
• Customer able to repeat new instances of agent installs and integrate into appropriate policies
• Able to self maintain ITIM to reflect changing business demands
• Role-based access control fully enabled
• Only ‘run-out’ applications excluded – if any

Page 34: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach – Deployment Strategy

(Roadmap diagram; labels from the slide: Phase A: Business Analysis Roles and Policies; Phase 1: Password Management; Phase 2: Auto Provisioning & Workflow for Infrastructure Accts; Phase 3: Policies and Roles Defined, RBAC; Phase 4: Custom Agents; Phase 5: Maturity; Repeat Phase 1 and 2 for additional Systems and Apps as requirements are defined. Foundation: Infrastructure Systems, then Non Infrastructure Systems and Applications.)

Phase 1 : Infrastructure Foundation
– Orphan Accounts Identified, Adopted and otherwise Cleaned Up
– Self Service Forgotten and Reset Password

Phase 2 : Automatic Provisioning for Infrastructure Accounts
– Infrastructure Accounts Provisioned Automatically
– Dynamically Driven by Attribute Evaluation (Org Unit, Job Title, Business Role etc.)
– Automatically Initiated Approval/RFI Workflows as Needed

Repeat Phases 1 and 2 for Additional Systems and Applications (Non Infrastructure Systems and Applications)

Page 35: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach – Deployment Strategy

(Same roadmap diagram as on Page 34.)

Phase 3 : RBAC for Out of the Box Services and Apps
– Analysis of Business Role Requirements completed
– Mapping of Business Roles to Access rights
– Define Roles and Policies (Roles may be Static or Dynamic)
– Culminating in the Automatic Role Driven Provisioning and De-provisioning of Access Rights

Phase 4 : Develop Custom Agents
– Tools: IDI, LDAP-X, RDBMS-X, CLI-X

Phase 5 : Maturity
– All Access Rights are now Controlled
– Refine Roles and Policies as Required
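The logical view on Page 31 (identities own accounts, roles are assigned to identities, policies apply to roles and services) and the attribute-driven, role-driven provisioning and de-provisioning of Phases 2 and 3 above, as an added Python example that is not ITIM code: it evaluates static and dynamic roles from HR-feed attributes, derives the services each identity is entitled to from provisioning policies, and reconciles that against the accounts found on the services, flagging ownerless accounts as in the Phase 1 orphan account control. All class, field and function names and the sample data are assumptions.

```python
# Toy model of the ITIM logical view: identities own accounts, roles are
# assigned to identities (statically or by a rule over HR attributes), and
# provisioning policies apply roles to services. Added illustration only;
# the names below are assumptions, not the ITIM API.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Identity:
    uid: str
    org_unit: str           # from the HR feed
    job_title: str
    status: str = "active"  # "active" or "terminated"


@dataclass
class Account:
    service: str
    login: str
    owner: Optional[str] = None  # uid of the owning identity; None = no owner


@dataclass
class Role:
    name: str
    members: Set[str] = field(default_factory=set)     # static membership
    rule: Optional[Callable[[Identity], bool]] = None  # dynamic membership


@dataclass
class ProvisioningPolicy:
    role: str           # membership: the role this policy applies to
    services: Set[str]  # services that role is entitled to accounts on


def evaluate_roles(ident: Identity, roles: List[Role]) -> Set[str]:
    """Roles held through static membership or a dynamic attribute rule."""
    return {r.name for r in roles
            if ident.uid in r.members or (r.rule is not None and r.rule(ident))}


def entitled_services(ident: Identity, roles: List[Role],
                      policies: List[ProvisioningPolicy]) -> Set[str]:
    """Services the identity should hold an account on; none once terminated."""
    if ident.status != "active":
        return set()
    held = evaluate_roles(ident, roles)
    return {s for p in policies if p.role in held for s in p.services}


def reconcile(identities: List[Identity], roles: List[Role],
              policies: List[ProvisioningPolicy], accounts: List[Account]):
    """Compare entitlements with the accounts found on the services.
    Returns (to_provision, to_deprovision, orphans): entitled accounts that do
    not exist, accounts no policy entitles (e.g. a leaver's), and accounts
    with no owning identity (orphan account control)."""
    by_uid: Dict[str, Identity] = {i.uid: i for i in identities}
    owned: Dict[str, Set[str]] = {}
    orphans: List[Account] = []
    for acct in accounts:
        if acct.owner is None or acct.owner not in by_uid:
            orphans.append(acct)
        else:
            owned.setdefault(acct.owner, set()).add(acct.service)
    to_provision: List[Tuple[str, str]] = []
    to_deprovision: List[Tuple[str, str]] = []
    for ident in identities:
        want = entitled_services(ident, roles, policies)
        have = owned.get(ident.uid, set())
        to_provision += [(ident.uid, s) for s in sorted(want - have)]
        to_deprovision += [(ident.uid, s) for s in sorted(have - want)]
    return to_provision, to_deprovision, orphans


def demo():
    """Constructed sample data: three identities, three roles, six accounts."""
    identities = [
        Identity("alice", "Engineering", "Analyst"),
        Identity("bob", "Engineering", "Developer"),
        Identity("carol", "Sales", "Analyst", status="terminated"),
    ]
    roles = [
        Role("employee", rule=lambda i: i.status == "active"),        # dynamic
        Role("developer", rule=lambda i: i.job_title == "Developer"),  # dynamic
        Role("manager", members={"alice"}),                            # static
    ]
    policies = [
        ProvisioningPolicy("employee", {"windows"}),
        ProvisioningPolicy("developer", {"unix"}),
        ProvisioningPolicy("manager", {"hr-app"}),
    ]
    accounts = [
        Account("windows", "alice", "alice"),
        Account("unix", "alice", "alice"),     # no policy entitles alice to unix
        Account("windows", "bob", "bob"),
        Account("windows", "carol", "carol"),  # carol has left the company
        Account("unix", "root", None),         # orphan: no owner recorded
        Account("unix", "dave", "dave"),       # orphan: owner not in HR feed
    ]
    return reconcile(identities, roles, policies, accounts)


if __name__ == "__main__":
    prov, deprov, orphans = demo()
    print("provision:", prov, "deprovision:", deprov,
          "orphans:", [(a.service, a.login) for a in orphans])
```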

Page 36: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach – Deployment Strategy

(Same roadmap diagram as on Page 34, with durations marked: 5 – 7 Months and 3 - 4 Months against the Foundation Infrastructure Systems and the repeated Non Infrastructure Systems and Applications passes, and TBD Based on Business Requirement Analysis for Phases 3+.)

Timelines for Phases 3+ cannot be determined without knowing:
– Details behind business requirements
– Details behind the number of systems/apps for which access rights are to be managed
– Details behind the targets that will require custom agents vs out of the box
– How complex the role matrix will be

Page 37: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach – Business Pain Led Realization of ROI

(Business/Technology Focus diagram; layer labels from the slide: Business Process Integration – Employees, Customers, Partners, Suppliers; Business Portals; Application Connectivity; Application Development; Operating Systems; Applications; Infrastructure; Data.)

“Bottom Up” Deployment: High Coverage, Well Defined Deliverables, Early ROI, High Visibility, High Impact

“Top Down” Deployment: Tactical Coverage, Restricted Deliverables, Late ROI, Low Impact, Higher Deployment costs

Page 38: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach - Strategy Options

Option 1 : Bottom Up
Phase A : Business Analysis Roles and Policies
Phase 1 : Foundation - Password Management
Phase 2 : Auto provisioning and workflow of standard accounts
Customer repeats Phases 1 and 2
Phase 3 : Roles and Policies Refined - RBAC
Phase 4 : Custom Agents
Phase 5 : Maturity

Option 2 : Top Down (steps as shown on the slide)
Business Analysis for Roles and Policies
Roles and Policies
Custom Agent
Password Management & Reconciliation
Auto Provision & Workflow
Phase 5 : Maturity

Page 39: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Best Practice Deployment Approach – For and Against

Option 1 – Bottom Up

For:
User and business awareness of product and benefits are visible from an early stage.
Many manual processes can be replaced by automation.
Password management can be implemented for a large number of users.
No development of agents required in phase 1.
Broadens skills and understanding within your organisation at the first phase.
Eases ITIM gently into the business.

Against:
Organisational structure may have to be altered at a later phase.
Medium to high impact on system owners etc.; co-operation required.
Driven by Infrastructure, not Business.

Option 2 – Top Down

For:
Focused use of resources from the individual target.
First implementation will be a showcase of what can be done.
Deep coverage of an application once implementation has finished.
Low impact on operation and maintenance resources.

Against:
Limited coverage in the first phases; minimal % of user accounts managed.
Custom agents will potentially have to be developed at an early stage.
Minimal benefit to support and overall business.
Higher implementation cost.

Page 40: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Who Does What and When? – Tivoli Security Engagement Model

Page 41: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Who Does What and When? – Implementation

[Diagram: activity matrix. Columns (project phases): PREPARATION and PLANNING, FRAMEWORK, DESIGN, CONFIGURATION, DEPLOY TO PRODUCTION. Rows (swimlanes): Project Mgmt., Tech Ed, Technical Installation, Implementation, Org / Conf, Grp / ACI, Policy, Work-Flow, Auto. The activities are listed below without their matrix position.]

Activities:
Determine Scope and Approach
Develop and Maintain Work Plan
Verify Client Environment
Perform Readiness Assessment
Project Team Training
Schedule Training
Budget and Actuals Tracking
Monitoring and Reporting Activities
Document As-Is Process Maps
Develop To-Be Process Maps
Technology Architecture Drawing and Solution Design
Install and Test E/S
Install and Test Agents
Document Installation History
Data File Design
Data Files Preparation
Data Loading
Configure Organization Structure and Roles
Design ITIM Groups and ACIs
Configure ITIM Groups and ACIs
Design Account Management Forms
Configure Account Management Forms
Develop Provisioning Policies and Entitlements
Configure Provisioning Policies and Entitlements
Design Security Administration Workflows & Procedures
Configure Security Administration Workflows & Procedures
Enable Chosen Workflows and Procedures
Develop Automated Processes
Design Testing Strategy and Scripts
Perform Pre-Production Testing
Perform System Tuning
Reconciliation and Orphan Account Cleanup
Administrator Training
Help Desk Support Training
End User Training
Project Wrap-up Activities

Page 42: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Who Does What and When? – Typical Deliverables by Implementation Phases

[Diagram: deliverables laid out by phase – PREPARATION and PLANNING, FRAMEWORK, DESIGN, CONFIGURATION, DEPLOY TO PRODUCTION – with Sales and Pre-Planning and Project Management as cross-phase rows. Deliverables are listed below in the order they appear on the slide.]

Project Management: Work Plan, Budget and Actuals Tracking, Project Status Reporting; Scoping, Planning and Documenting; Project Wrap-up Activities

Deliverables:
Handoff from Sales
Documented Scope and project success requirements/goals
Documented as-is process maps
Training plan
Technology Architecture Drawing
Solution Design
Client Environment Verification
Documented Work Plan
Project Team training delivered
Installation of E/S and Agents complete
Documented Data File design
Organization Structure Configured in EnRole
Documented to-be process maps
Documented Automated Processes
Administrator Training delivered
Data File Preparation Complete
Design Documentation for Account Management Forms
Design Documentation for ITIM Groups and ACIs
Design Documentation for Provisioning Policies and Entitlements
Documented security administration workflows & procedures
Unit Test Scripts
Business Integration Test Scripts
Help Desk Training delivered
Account Management forms configuration complete
Groups and ACIs configuration complete
Password Policy and Identity Policies
Provisioning Policies and Entitlements configured in ITIM
Security administration workflows & procedures configured
Unit Test results documentation
End User Training delivered
Documented Installation History
Data loading complete
Initial Reconciliation and Data Cleansing complete
Business Integration Test results documented
Final project Sign-off

Page 43: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Backup – Case Studies – Customer #1

Customer’s Project Goal: Create single user interface (UI) for identity and access management and true Roles Based Access Control (RBAC) environment.
Products Implemented: TIM
Number of Users Managed: 25,000
Number of “out of the box” Agents: 4 – Tivoli Access Manager (TAM), Sybase, Clarify, RACF
Number of “custom” Agents: 4 – Universal Provisioning Agent (UPA) (3 apps done) and Generic Service Provider for Applications (4 apps done)
Number of Unique Account Data Stores: 11
Number of Organizational Roles: 300+ (out of 1400 total roles identified; adding about 100 per week)
Number of Provisioning Policies: 300+ (there is one policy per role in this environment)
Project Timeline: 24 mos. total, 2 phases of 12 mos. each -- separate 2 yr. RBAC project completed prior to start of this project
Phase Focuses: Installation and configuration, initial data load, out of the box targets, custom reports, limited Production // Expand Production to UPA and Custom Service Provider Applications
Average Lifecycle Duration for Agents: 2 mos. for simple agents and 8 mos. for the most complex agents
IBM Project Staff: 5 FT (Project Manager, Architect/Tech Lead, Customization Consultant, and 2 Implementers)
Customer Project Staff: 4 FT and 2 PT (Project Manager, Technical Lead, 2 FT Application Administrators, and 2 PT Application Administrators)
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation Documentation
Project Challenges: Enterprise complexity, product issues
Project Strengths: RBAC project completed in advance, clear requirements, excellent relationship with the customer, strong customer executive sponsor, experienced project management, assistance from Tivoli Development and quick fixes
Transition to Operations: Formal product training, extensive direct knowledge transfer
Operations Staff: ~12 FTEs – Central team of 4 FT Application Administrators and a distributed team of PT Security Administrators

Page 44: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Backup – Case Studies – Customer #2

Customer’s Project Goal: Reduce security admin costs and eliminate annual recertification audit findings.
Products Implemented: TIM, IDI
Number of Users Managed: 13,000 (3,500 internal and 9,500 external)
Number of “out of the box” Agents: 7 – AIX, Solaris, HPUX, NT, Lotus Notes, Oracle, Sybase
Number of “custom” Agents: 2 – Generic Service Provider for Null Services, IDI Agent to Provision to LDAP
Number of Unique Account Data Stores: 9
Number of Organizational Roles: 100+
Number of Provisioning Policies: 160+
Project Timeline: 18 mos. total, 3 phases 7/5/6 mos. -- 4th phase planned
Phase Focuses: Detailed solution design, installation and configuration, custom agents/utilities/reports, testing and validation // Operational readiness and limited Production // Improve automation and expand Production // 4th phase planned to put additional targets in Production
Average Lifecycle Duration for Agents: 1 mo. for out of the box agents and 2 mos. for custom agents
IBM Project Staff: 6 FT (Project Manager, Architect/Tech Lead, Customization Consultant, Trainer/Technical Writer, and 2 Implementers)
Customer Project Staff: 4 FT and 2 PT (Project Manager, Technical Lead, 2 FT Application Administrators, and 2 PT Technical Subject Matter Experts (SMEs))
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Enterprise complexity, lack of requirements, customer skills
Project Strengths: Excellent relationship with the customer, strong customer executive sponsor, experienced project management
Transition to Operations: Custom in-house training, direct knowledge transfer, detailed documentation
Operations Staff: ~7 FTEs – Central team of 6 FT Security Administrators and a team of PT Technical SMEs

Page 45: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Backup – Case Studies – Customer #3

Customer’s Project Goal: Save time/money with password self service, easily manage 450,000 user ids for their portal applications, and easily detect/suspend noncompliant accounts.
Products Implemented: TIM, IDI
Number of Users Managed: 450,000
Number of “out of the box” Agents: None
Number of “custom” Agents: 1 – IDI Agent to Provision to LDAP (Customer Internal Portal)
Number of Unique Account Data Stores: 1
Number of Organizational Roles: 40 (30 static, 10 dynamic)
Number of Provisioning Policies: 60
Project Timeline: 16 mos. total, 2 phases of 8 mos. each -- 3rd phase planned
Phase Focuses: Installation and configuration, custom UI for password self service, initial data load, and limited Production // Improve automation and expand Production // 3rd phase planned to put Unix targets in Production
Average Lifecycle Duration for Agents: 1 mo.
IBM Project Staff: 1 PT Project Manager, 1 FT Implementer (assisted by Tivoli Support and Development)
Customer Project Staff: 1 PT Project Manager, 1 FT Application Administrator, and a team of PT Technical SMEs
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Changing requirements, hardware allocation
Project Strengths: Excellent relationship with the customer, aid from Tivoli Support and Development
Transition to Operations: Formal product training, direct knowledge transfer, detailed documentation
Operations Staff: 2 FTEs – 2 FT Application Administrators (strong troubleshooting skills and Unix, TIM, IDI, IBM Directory Server (IDS), WebSphere Application Server (WAS), and scripting skills)

Page 46: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Backup – Case Studies – Customer #4

Customer’s Project Goal: Provide secure access to data for external users.
Products Implemented: TAM, IDI, TIM
Number of Users Managed: 30,000
Number of “out of the box” Agents: 1 – TAM
Number of “custom” Agents: 1 – Generic Service Provider for Applications (3 apps done)
Number of Unique Account Data Stores: 4
Number of Organizational Roles: 10
Number of Provisioning Policies: 3
Project Timeline: 18 mos. total, 3 phases of 6 mos. each, 6 mos. for TAM/IDI and 12 mos. for TIM
Phase Focuses: TAM/IDI in Production // TIM test and validation // TIM in Production
Average Lifecycle Duration for Agents: 1 mo. for TAM and 6 mos. for Generic Service Provider
IBM Project Staff: 1 PT Project Manager, 1 PT Architect, 1 FT Implementer
Customer Project Staff: 1 FT Application Administrator, 2 PT Technical SMEs (Java, Middleware)
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Changing requirements, customer skills, product knowledge, product issues
Project Strengths: Services team commitment, assistance from Tivoli Development and quick fixes
Transition to Operations: Formal product training, direct knowledge transfer, detailed documentation
Operations Staff: 1.5 FTE – 1 FT Application Administrator, 1 PT Technical SME (Java, Middleware)

Page 47: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Steady State Backup – Side-by-Side Comparisons

| | Project Goals | Users Managed | No. of Data Stores | No. of Roles | No. of Policies | Project Timeline | Agent Timeline | Project Staff Size | Ops. Staff Size |
|---|---|---|---|---|---|---|---|---|---|
| Customer #4 | Secure access to data for external users | 30,000 | 4 | 10 | 3 | 18 mo. – 3 phases | 1 – 6 mo. | 2 FT + 4 PT | 1.5 FTE |
| Customer #3 | Save time/money with password self service, manage users for portal apps, detect and suspend non-compliant accounts | 450,000 | 1 | 40 | 60 | 16 mo. – 2 phases | 1 mo. | 2 FT + 2 PT | 2 FTE |
| Customer #2 | Reduce security admin costs and eliminate annual recertification audit findings | 13,000 | 9 | 100+ | 160+ | 18 mo. – 3 phases | 1 – 2 mo. | 10 FT + 2 PT | ~7 FTE |
| Customer #1 | Create single UI for identity and access management and true RBAC environment | 25,000 | 11 | 300+ | 300+ | 24 mo. – 2 phases | 2 – 8 mo. | 9 FT + 2 PT | ~12 FTE |

Page 48: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


Q & A

Page 49: F12 IBM Tivoli Identity Manager Best Practices TTUC2007


For More Information

Tivoli User Groups
You can get even more out of Tivoli software by participating in independently run Tivoli User Groups around the world; learn about online and in-person opportunities near you at www.tivoli-ug.org

Tivoli Training
IBM offers technical training and education services to help you acquire, maintain and optimize your IT skills. For a complete Tivoli Course Catalog and Certification Exams visit www.ibm.com/software/tivoli/education

Tivoli Services
With IBM Software Services for Tivoli, you get the most knowledgeable experts on Tivoli technology to accelerate your implementation. For a complete list of Services Offerings visit www.ibm.com/software/tivoli/services

Tivoli Support
IBM Software Premium Support provides an extra layer of proactive support, skills sharing and problem management, personalized to your environment. Visit www.ibm.com/software/support/premium/ps_enterprise.html