SIM Overview

Product overview

��

ii Product overview

Contents

Product overview. . . . . . . . . . . 1Initial login and password information . . . . . 1Access management with IBM Tivoli IdentityManager and other products . . . . . . . . . 2Support for corporate regulatory compliance . . . 3Identity governance . . . . . . . . . . . . 8Release information . . . . . . . . . . . . 8

What’s new in this release . . . . . . . . . 9Hardware and software requirements. . . . . 14Installation images and fix packs . . . . . . 21Known limitations, problems, and workarounds 22

Technical overview . . . . . . . . . . . . 40Users, authorization, and resources . . . . . 40Main components . . . . . . . . . . . 42People overview. . . . . . . . . . . . 43Resources overview . . . . . . . . . . 45System security overview. . . . . . . . . 48Organization tree overview . . . . . . . . 53Policies overview . . . . . . . . . . . 54

Workflow overview. . . . . . . . . . . 56Features overview . . . . . . . . . . . . 57

Improved user interface . . . . . . . . . 57Recertification . . . . . . . . . . . . 58Reporting . . . . . . . . . . . . . . 59Static and dynamic roles . . . . . . . . . 59Self-access management . . . . . . . . . 59Provisioning features . . . . . . . . . . 60Resource provisioning . . . . . . . . . . 64

About this information . . . . . . . . . . 65Intended audience . . . . . . . . . . . 65Publications . . . . . . . . . . . . . 65Tivoli technical training . . . . . . . . . 66Support information . . . . . . . . . . 66Conventions used in this information. . . . . 67Notices . . . . . . . . . . . . . . . 70

Accessibility . . . . . . . . . . . . . . 72

Index . . . . . . . . . . . . . . . 73

iii

iv Product overview

Product overview

These topics describe the product and its surrounding business and technologycontext.

They include information about:

v The particular product release, such as new or deprecated product features andfunctions

v The open standards, technologies, and architecture on which the product isbased

v The user model and roles underlying the product features

v The graphical interfaces and tools provided to support various user roles

v The information center for viewing documentation

Initial login and password informationTo get started after installing IBM® Tivoli® Identity Manager, you need to know thelogin URL and the initial user ID and password.

Login URL

The login URL enables you to access the IBM Tivoli Identity Manager webinterface.

The login URL for the IBM Tivoli Identity Manager administrative console is:http://ip-address:port/itim/console/main/

Where ip-address is the IP address or DNS address of the IBM Tivoli IdentityManager server, and port is the port number. The default port for new installationsof IBM Tivoli Identity Manager is 9080.

The login URL for the IBM Tivoli Identity Manager self-service console is:http://ip-address:port/itim/self

Where ip-address is the IP address or DNS address of the IBM Tivoli IdentityManager server, and port is the port number. The default port for new installationsof IBM Tivoli Identity Manager is 9080.

Initial user ID and password

The initial user ID and password to authenticate to IBM Tivoli Identity Manager is:

Table 1. Initial user ID and password for IBM Tivoli Identity Manager

User ID Password

itim manager secret

1

Access management with IBM Tivoli Identity Manager and otherproducts

In a security lifecycle, IBM Tivoli Identity Manager and several other productsprovide access management that enables you to determine who can enter yourprotected systems, what can they access, and how to ensure that users access onlywhat they need for their business tasks.

Access management addresses three questions from the business point of view:v Who can come into my systems?v What can they do?v Can I easily prove what they’ve done with that access?

These products validate the authenticity of all users with access to resources, andensure that access controls are in place and consistently enforced:v IBM Tivoli Identity Manager

Provides a secure, automated and policy-based user management solution thathelps effectively manage user identities throughout their lifecycle across bothlegacy and e-business environments. IBM Tivoli Identity Manager providescentralized user access to disparate resources in an organization, using policiesand features that streamline operations associated with user-resource access. Asa result, your organization realizes numerous benefits, including:– Web self-service and password reset and synchronization; users can

self-administer their passwords using the rules of a password managementpolicy to control access to multiple applications. Password synchronizationenables a user to use one password for all accounts that IBM Tivoli IdentityManager manages.

– Quick response to audits and regulatory mandates– Automation of business processes related to changes in user identities by

providing life-cycle management– Centralized control and local autonomy– Enhanced integration with the use of extensive APIs– Choices to manage target systems either with an agent or agentless approach– Reduced help desk costs– Increased access security through the reduction of orphaned accounts– Reduced administrative costs through the provisioning of users using

software automation– Reduced costs and delays associated with approving resource access to new

and changed usersv Tivoli Access Manager

Enables your organization to use centralized security policies for specified usergroups to manage access authorization throughout the network, including thevulnerable, internet-facing Web servers. Tivoli Access Manager can be tightlycoupled with IBM Tivoli Identity Manager to reconcile user groups and accountsmanaged by Tivoli Access Manager with the identities managed by IBM TivoliIdentity Manager to provide an integrated solution for resource access control.Tivoli Access Manager delivers:– Unified authentication and authorization access to diverse Web-based

applications within the entire enterprise

2 Product overview

– Flexible single sign-on to Web, Microsoft®, telnet and mainframe applicationenvironments

– Rapid and scalable deployment of Web applications, with standards-basedsupport for Java™ 2 Enterprise Edition (J2EE) applications

– Design flexibility through a highly scalable proxy architecture andeasy-to-install Web server plug-ins, rule- and role-based access control,support for leading user registries and platforms, and advanced APIs forcustomized security

v Tivoli Federated Identity ManagerHandles all the configuration information for a federation across organizationalboundaries, including the partner relationships, identity mapping, and identitytoken management.Tivoli Federated Identity Manager enables your organization to share serviceswith business partner organizations and obtain trusted information aboutthird-party identities such as customers, suppliers, and client employees. Youcan obtain user information without having to create, enroll, or manage identityaccounts with the organizations that provide access to services that are used byyour organization. Consequently, users are spared from having to register at apartner site, and from having to remember additional logins and passwords. Theresult is improved integration and communication between your organizationand your suppliers, business partners, and customers.

For more information how access management products fit in larger solutions for asecurity lifecycle, refer to the Tivoli Security Management Web site:http://www.ibm.com/software/tivoli/solutions/security/

IBM Redbooks® and Redpapers also describe implementing IBM Tivoli IdentityManager within a portfolio of IBM security products.

Support for corporate regulatory complianceIBM Tivoli Identity Manager provides support for corporate regulatory compliance.

Compliance areas

Tivoli Identity Manager addresses corporate regulatory compliance in the followingkey areas:v Provisioning and the approval workflow processv Audit trail trackingv Enhanced compliance statusv Password policy and password compliancev Account and access provisioning authorization and enforcementv Recertification policy and processv Reports

Provisioning and the approval workflow process

Tivoli Identity Manager provides support for provisioning, user accounts andaccess to various resources. When implemented as one of a suite of securityproducts, Tivoli Identity Manager plays a key role to ensure that resources areprovisioned only to authorized persons, safeguarding the accuracy andcompleteness of information processing methods and granting authorized usersaccess to information and associated assets. Tivoli Identity Manager provides an

Product overview 3

http://www.ibm.com/software/tivoli/solutions/security/

integrated software solution for managing the provisioning of services,applications, and controls to employees, business partners, suppliers, and othersassociated with your organization across platforms, organizations, andgeographies. You can use its provisioning features to control the setup andmaintenance of user access to system and account creation on a managed resource.

At its highest level, an identity management solution automates and centralizes theprocess of provisioning resources, such as operating systems and applications, topeople in, or affiliated with, an organization. Organizational structure can bealtered to accommodate the provisioning policies and procedures. However, theorganization tree used for provisioning resources does not necessarily reflect themanagerial structure of an organization. Administrators at all levels can usestandardized procedures for managing user credentials. Some levels ofadministration can be reduced or eliminated, depending on the breadth of theprovisioning management solution. Furthermore, you can securely distributeadministration capabilities, manually or automatically, among variousorganizations.

The approval process can be associated with different types of provisioningrequests, including account and access provisioning requests. Life cycle operationscan also be customized to incorporate the approval process.

Models for provisioning

Depending on business needs, Tivoli Identity Manager provides alternatives toprovision resources to authorized users on request-based, role-based, or hybridmodels.

Approval workflows

Account and access request workflows are invoked during account and accessprovisioning. You typically use account and access request workflows to defineapproval workflows for account and access provisioning.

Account request workflows provide a decision-based process to determine if theentitlement provided by a provisioning policy should be granted. The entitlementprovided by a provisioning policy specifies the account request workflow thatapplies to the set of users in the provisioning policy membership. If multipleprovisioning policies apply to the same user for the same service target, and thereare different account request workflows in each provisioning policy, the accountrequest workflow that is invoked for the user is determined based on the priorityof the provisioning policy. If a provisioning policy has no associated workflow andthe policy grants an account entitlement, the operations that are related to therequest run immediately. For example, an operation might add an account.

However, if a provisioning policy has an associated workflow, that workflow runsbefore the policy grants the entitlement. If the workflow returns a result ofApproved, the policy grants the entitlement. If the workflow has a result ofRejected, the entitlement is not granted. For example, a workflow might require amanager’s approval. Until the approval is submitted and the workflow completes,the account is not provisioned. When you design a workflow, consider the intent ofthe provisioning policy and the purpose of the entitlement itself.

4 Product overview

Tracking

Tivoli Identity Manager provides audit trail information about how and why auser has access. On a request basis, Tivoli Identity Manager provides a process togrant, modify, and remove access to resources throughout a business, and toestablish an effective audit trail using automated reports.

The steps involved in the process, including approval and provisioning ofaccounts, are logged in the request audit trail, and corresponding audit events aregenerated in the database for audit reports. User and Account lifecyclemanagement events, including account and access changes, recertification, andcompliance violation alerts, are also logged in the audit trail.

Enhanced compliance status

Tivoli Identity Manager provides enhanced compliance status on items such asdormant and orphan accounts, provisioning policy compliance status,recertification status, and a variety of reports.v Dormant accounts. You can view a list of dormant accounts using the Reports

feature. Tivoli Identity Manager includes a dormant account attribute to servicetypes that you can use to find and manage unused accounts on services.

v Orphan accounts. Accounts on the managed resource whose owner in the TivoliIdentity Manager Server cannot be determined are orphan accounts, which areidentified during reconciliation when the applicable adoption rule cannotsuccessfully determine the owner of an account.

v Provisioning policy compliance status. The compliance status based on thespecification of provisioning policy is available for accounts and access. Anaccount could be either compliant, non-compliant with attribute value violations,or disallowed. An access is either compliant or disallowed.

v Recertification status. The recertification status is available for user, account,and access target types, which indicates whether the target type is certified,rejected, or never certified. The timestamp of the recertification is also available.

Password policy and password compliance

Tivoli Identity Manager provides the ability to create and manage passwordpolicies. password policy defines the password strength rules that are used todetermine whether a new password is valid. A password strength rule is a rule towhich a password must conform. For example, password strength rules mightspecify that the minimum number of characters of a password must be five andthe maximum number of characters must be ten.

The Tivoli Identity Manager administrator can also create new rules to be used inpassword policies.

If password synchronization is enabled, the administrator must ensure thatpassword policies do not have any conflicting password strength rules. Whenpassword synchronization is enabled, Tivoli Identity Manager combines policies forall accounts that are owned by the user to determine the password to be used. Ifconflicts between password policies occur, the password might not be set.

Provisioning policy and policy enforcement

A provisioning policy grants access to many types of managed resources, such asTivoli Identity Manager server, Windows NT® servers, Solaris servers, and so on.

Product overview 5

Provisioning policy parameters help system administrators define the attributevalues that are required and the values that are allowed.

Policy enforcement is the manner in which Tivoli Identity Manager allows ordisallows accounts that violate provisioning policies.

You can specify one of the following policy enforcement actions to occur for anaccount that has a noncompliant attribute.

Mark Sets a mark on an account that has a noncompliant attribute.

SuspendSuspends an account that has a noncompliant attribute.

CorrectReplaces a noncompliant attribute on an account with the correct attribute.

Alert Issues an alert for an account that has a noncompliant attribute.

Recertification policy and process

A recertification policy includes activities to ensure that users provide confirmationthat they have a valid, ongoing need for the target type specified (user, account,and access). The policy defines how frequently users must validate an ongoingneed. Additionally, the policy defines the operation that occurs if the recipientdeclines or does not respond to the recertification request. Tivoli Identity Managersupports recertification policies that use a set of notifications to initiate theworkflow activities that are involved in the recertification process. Depending onthe user response, a recertification policy can mark a user’s roles, accounts, groups,or accesses as recertified, suspend or delete an account, or delete a role, group, oraccess.

Audits that are specific to recertification are created for use by several reports thatare related to recertification:

Accounts, access, or users pending recertificationProvides a list of recertifications that are not completed.

Recertification historyProvides a historical list of recertifications for the target type specified.

Recertification policiesProvides a list of all recertification policies.

User recertification historyProvides history of user recertification.

User recertification policyProvides a list of all user recertification policies.

Reports

Security administrators, auditors, managers, and service owners in yourorganization can use one or more of the following reports to control and supportcorporate regulatory compliance:v Accesses Report, which lists all access definitions in the system.v Approvals and Rejections Report, which shows request activities that were either

approved or rejected.v Dormant Accounts Report, which lists the accounts that have not been used

recently.

6 Product overview

v Entitlements Granted to an Individual Report, which lists all users with theprovisioning policies for which they are entitled.

v Noncompliant Accounts Report, which lists all noncompliant accounts.v Orphan Accounts Report, which lists all accounts not having an owner.v Pending Recertification Report, which highlights recertification events that can

occur if the recertification person does not take action on an account or access.This report supports data filtering by a specific service type or a specific serviceinstance.

v Recertification Change History Report, which shows a history of accesses(including accounts) and when they were last recertified. This report serves asevidence of past recertifications.

v Recertification Policies Report, which shows the current recertificationconfiguration for a given access or service.

v Separation of Duty Policy Definition Report, which lists the separation of dutypolicy definitions.

v Separation of Duty Policy Violation Report, which contains the person, policy,and rules violated, approval and justification (if any), and who requested theviolating change.

v Services Report, which lists services currently defined in the system.v Summary of Accounts on a Service Report, which lists a summary of accounts

on a specified service defined in the system.v Suspended Accounts Report, which lists the suspended accounts.v User Recertification History Report, which lists the history of user

recertifications performed manually (by specific recertifiers), or automatically(due to time out action).

v User Recertification Policy Definition Report, which lists the user recertificationpolicy definitions.

All reports are available to all users when the appropriate access controls areconfigured. However, certain reports are designed specifically for certain types ofusers.

Table 2. Summary of reports

Designed for Available reports

Security administrators v Dormant Accounts

v Orphan Accounts

v Pending Recertification

v Recertification History

v Recertification Policies

v User Recertification History

v User Recertification Policies

Managers v Pending Recertification





Product overview 7

Table 2. Summary of reports (continued)

Designed for Available reports

Service owners v Dormant Accounts

v Orphan Accounts






Auditors v Dormant Accounts

v Orphan Accounts






End users, help desk,and developers

None

Identity governanceIBM Tivoli Identity Manager extends the identity management governancecapabilities with a focus on operational role management. Using roles simplifiesthe management of access to IT resources.

Identity governance includes these Tivoli Identity Manager features:

Role managementManages user access to resources, but unlike user provisioning, rolemanagement does not grant or remove user access. Instead, it sets up arole structure to do it more efficiently.

Entitlement managementSimplifies access control by administering and enforcing fine-grainedauthorizations.

Access certificationProvides ongoing review and validation of access to resources at role orentitlement level.

Privileged user managementProvides enhanced user administration and monitoring of system oradministrator accounts that have elevated privileges.

Separation of dutiesPrevents and detects business-specific conflicts at role or entitlement level.

Release informationThis section describes new features and hardware and software requirements forIBM Tivoli Identity Manager.

8 Product overview

What’s new in this releaseIBM Tivoli Identity Manager continues to deliver new identity managementcapabilities in line with common standards and best practices. This release extendsidentity management governance capabilities with a focus on compliance.

Role management capabilitiesRoles manage user access to resources, but unlike user provisioning, rolemanagement does not grant or remove user access. Instead, it sets up a rolestructure to do it more efficiently. IBM Tivoli Identity Manager 5.1 extends identitymanagement governance capabilities with a focus on operational role management.

Management of access to IT resources using roles is simplified and enhanced withthese role management capabilities:

Role hierarchiesRole hierarchies allow security administrators to build and plan logical rolehierarchies and to build more meaningful role relationships.v Role relationships can be implemented.v Immediate parent-child role relationships can be tracked and navigated.v Separation of duty can be evaluated where role hierarchy is used.

Role relationshipsRole relationships allow roles to be logically linked by allowing parent-childrole relationships in the hierarchy, in which child roles inherit theentitlements of their parent roles.v A parent role can have multiple child roles.v A child role can have multiple parent roles.v Role relationships can be evaluated to determine which entitlements are

inherited and granted.v Provisioning behavior can be changed by role hierarchy assignment; for

example, by making a department role a child of an application role.

Role classificationRole classification is the ability to classify a role for workflow and policycustomization purposes.v Default role types are business and application types.v Business roles encompass the kind of job that a person does.v Application roles encompass the kind of access that the person requires.v Role relationships and role classification can be used to define how

different role types relate.

Role ownership and approvalsRole owners can be users or other roles.v Roles can have multiple owners.v Workflow participants and access control items (ACIs) are enhanced to

analyze and resolve role participants.

Role administrationOrganizational roles are a method of providing users with entitlements tomanaged resources by determining which resources are provisioned for a useror set of users who share similar responsibilities. A role is a job function thatidentifies the tasks that a person can perform and the resources to which theperson has access.

Product overview 9

Separation of duty capabilitiesSeparation of duty is a policy-driven feature to manage potential or existing roleconflicts. A separation of duty policy is a logical container of separation rules thatdefine mutually exclusive relationships among roles. Separation of duty policiesare defined by one or more business rules that exclude users from membership inmultiple roles that might present a business conflict.

The purpose of the separation of duty policy is to group the rules for ease ofadministration. For example, you can assign a set of administrators to a policy,making the administrators responsible for tracking the violations of a set of rules.

Separation of duty capabilities include:v Violation tracking through the administrative console, which provides identity

governance and accountabilityv Violation and exemptions auditing through reports, which helps prevent or

highlight inappropriate use of privilegesv Approval workflow for separation of duties, which helps achieve compliance

goalsv New access control items (ACIs), which reflect new separation of duty policy

targetsv Evaluation of the separation of duty policy when workflow is used for identity

feedsv Prevention of invalid or inconsistent (with business policy) combinations of

roles, which prohibits parent-child relationships within a separation of dutypolicy

v Workflow participant type (SoD Policy Owner)v Violations entity for workflow and notification customizationv Approval process, which allows for exemptions when a violation occurs; the

exemptions can be revoked later

Separation of duty policiesA separation of duty policy is a logical container of separation rules that definemutually exclusive relationships among roles. Separation of duty policies aredefined by one or more business rules that exclude users from membership inmultiple roles that might present a business conflict.

Separation of duty policies reportsThis section describes various separation of duty policy reports.

Separation of duty violation reportThis section describes the separation of duty violation report. This reportcontains the person, policy, and rules violated, approval and justification (ifany), and who requested the violating change.

SeparationOfDutyRuleViolationObject that provides information about a specific separation of duty ruleviolation. Use this object to get specific information about a separation of dutypolicy violation. This object cannot be created for use by the user. The user canwork only with SeparationOfDutyRuleViolation objects that the system hasgenerated as part of the approveSoDViolation workflow.

ParticipantTypeWorkflow Participant Type constants.

10 Product overview

User recertificationIBM Tivoli Identity Manager provides the ability to certify and validate a user’saccess to IT resources on a regular interval. User recertification is a type ofcertification process that combines recertification of a user’s accounts, groupmemberships of accounts, and role memberships into a single activity.

User recertification activities are completed by a specified participant, such as amanager or application owner. Each user recertification activity lists accounts,group memberships, and role memberships owned by a user. Groups that areenabled as access are displayed within the activity using the access informationrather than the group information. The participant can individually approve orreject whether the user still requires each account, group membership, and rolemembership. Several actions can be taken when a resource or membership isrejected, including suspension of the resource or removal of the membership.

The user recertification policy provides options for configuring the scope of therecertification, workflow activities, notifications, and timeout and rejectionbehaviors.

Recertification policiesRecertification simplifies and automates the process of periodically revalidatinga target type (account or access) or a membership (role or resource group). Therecertification process validates whether the target type or membership is stillrequired for a valid business purpose. The process sends recertificationnotification and approval events to the participants that you specify. Arecertification policy includes activities to ensure that users provide confirmationthat they have a valid, ongoing need for a specified resource or membership.

Creating a user recertification policyAs an administrator, you can create a user recertification policy to recertify theaccounts, group membership of accounts, and memberships of users.

User recertification history reportThis section describes the report that lists history of user recertificationsperformed manually (by specific recertifiers), or automatically (due to time outaction).

User recertification policy definition reportThis section describes a report that lists information about the userrecertification policies defined in the system.

Group management capabilitiesIBM Tivoli Identity Manager provides additional security administrationenhancements through new group management capabilities.

Group management capabilities include:v Ability to create, change, delete groups on the target resource as long as the

Tivoli Identity Manager version 5.1 adapter is installedv Synchronous group provisioning to the target resource for creating, modifying,

and deleting groupsv Streamlined navigation in the administrative console for group managementv New version 5.1 adapters and profiles take advantage of group management

capabilities

Product overview 11

Group administrationIBM Tivoli Identity Manager provides predefined groups. You can also createand modify customized groups.

Tivoli Common ReportingIBM Tivoli Identity Manager features new reporting capabilities for auditingpurposes and provides reports based on a common reporting component namedIBM Tivoli Common Reporting. This component is based on the Eclipse BusinessIntelligence Reporting Tool and provides custom report authoring, reportdistribution, report scheduling capabilities, and the ability to run and managereports from multiple IBM Tivoli products.

Tivoli Common Reporting is a reporting feature that is available as an additionalbenefit to owners of Tivoli products. Tivoli Common Reporting offers Tivolicustomers a common approach to viewing and administering reports. Tivoliproducts provide report packages based on Tivoli Common Reporting, with reportsthat have a common look and feel across all Tivoli products.

For more details about the Tivoli Common Reporting component, see thedocumentation on the Tivoli Common Reporting DVD. For more information aboutthe availability of Tivoli Identity Manager reports, see the Tivoli Identity ManagerSupport Site.

Reports included with Tivoli Common Reportingv Accesses Reportv Approvals and Rejections Reportv Dormant Accounts Reportv Entitlements Granted to an Individual Reportv Noncompliant Accounts Reportv Orphan Accounts Reportv Separation of Duty Policy Definition Reportv Separation of Duty Policy Violation Reportv Services Reportv Summary of Accounts on a Service Reportv Suspended Accounts Reportv User Recertification History Reportv User Recertification Policy Definition Report

Configuring and administering IBM Tivoli Common ReportingIBM Tivoli Common Reporting (also called the reports pack) focuses onaccount, service, and request information.

New APIsThese new application programming interfaces (APIs) are available to support thenew features of IBM Tivoli Identity Manager 5.1.v Groupv GroupEntityv GroupFactoryv GroupManagerv GroupMOv GroupSearch

12 Product overview

v GroupServicev New methods on the Role, RoleEntity, and RoleMO classesv SeparationOfDutyPolicyv SeparationOfDutyPolicyManagerv SeparationOfDutyPolicyMOv SeparationOfDutyRulev UserRecertificationCompletionImpactv UserRecertificationWorkflowAssignmentMO

New workflow extensionsThese new workflow extensions are available to support the new features of IBMTivoli Identity Manager 5.1.v approveRolesByOwnerv approveRolesWithOperationv callApprovalOperationv addSeparationOfDutyPolicyv callSODApprovalOperationv constructApprovalDocumentv remediateAccountsAndGroupsv remediateRoleMembershipsv updateRecertificationStatusAllApprovedv updateRecertificationStatusEmptyDocument

Sample workflow: sequential approval for user recertification usingpackaged approval nodeThis scenario shows an organization policy that requires user recertification tobe approved by two levels of approvers. The first approver submits decisionsthat are reviewed by the second approver. The second approver can change thedecisions made by the first approver and then submit the final decisions. Therequest in this scenario is for recertification approval of user resources(accounts, groups, or roles).

Sample workflow: user recertification role membership approval by roleownerThis scenario shows an organization with a policy that requires that rolemembership recertifications are completed by individual role owners, while theuser’s accounts and groups are recertified by the manager. After all approvalshave been completed, the individual resource decisions are combined andremediated.

New JavaScript functionsThese new JavaScript™ functions are available to support the new features of IBMTivoli Identity Manager 5.1.v PackagedApprovalDocumentv PackagedApprovalItemv RecertificationWorkflowv SeparationOfDutyRuleViolation

PackagedApprovalDocumentA relevant data object used in multi-item approval, used exclusively in userrecertification workflows. This object is made up of multiple

Product overview 13

PackagedApprovalItem objects from the user recertification approval and allowsfor searching and retrieving recertification items.

PackagedApprovalItemA relevant data object used in IBM Tivoli Identity Manager multi-itemapproval, used exclusively in user recertification workflows. This objectrepresents the individual roles, accounts, and groups that are presented to theuser during the recertification process. Some items might contain a decisioncode indicating the choice of the approvers for that item. Each item alsocontains a list of children that is used to represent relationships betweenaccounts and groups.

RecertificationWorkflowProvides extended capabilities to user recertification workflows, including auditsupport for the reporting and view requests functions.

SeparationOfDutyRuleViolationObject that provides information about a specific separation of duty ruleviolation. Use this object to get specific information about a separation of dutypolicy violation. This object cannot be created for use by the user. The user canwork only with SeparationOfDutyRuleViolation objects that the system hasgenerated as part of the approveSoDViolation workflow.

Hardware and software requirementsHardware and software requirements that are stated here for IBM Tivoli IdentityManager take precedence over any other mention in other IBM Tivoli IdentityManager publications.

These requirements were current when this publication went to production. Forpossible updates to this information, contact your customer support representative.

Operating system requirementsThe IBM Tivoli Identity Manager installation program checks to ensure thatspecific operating systems and levels are present before starting the installationprocess.

Table 3 identifies the operating systems, patches, and minimum requirements forinstallation:

Table 3. Operating system requirements for IBM Tivoli Identity Manager

Operating system Patch or maintenance level requirements

AIX® Version 5.3 None

AIX Version 6.11 None

Sun Server Solaris 10 (SPARC)2 None

Windows® Server 2003 StandardEdition and Enterprise Edition

None

Windows Server 2008 StandardEdition and Enterprise Edition

None

Red Hat Linux® Enterprise 4.0for Intel®, System p® and Systemz®

None

Red Hat Linux Enterprise 5.0 forIntel, System p and System z

None

14 Product overview

Table 3. Operating system requirements for IBM Tivoli Identity Manager (continued)

Operating system Patch or maintenance level requirements

SUSE Linux Enterprise Server9.0 for Intel, System p andSystem z

None


None


None

Note:

1. Support is also available for AIX 6.1 WPAR.2. Support is also available for Sun Server Solaris 10 64-bit LDOM.

Hardware requirementsIBM Tivoli Identity Manager has these hardware requirements:

Table 4. Hardware requirements for IBM Tivoli Identity Manager

System components Minimum values* Recommended values**

System memory (RAM) 2 gigabytes 4 gigabytes

Processor speed Single 2.0 gigahertz Intel orpSeries® processor

Dual 3.2 gigahertz Intel orpSeries processors

Disk space for product andprerequisite products

20 gigabytes 25 gigabytes

* Minimum values: These values enable a basic use of IBM Tivoli Identity Manager.

** Recommended values: You might need to use larger values that are appropriate for yourproduction environment.

Software prerequisitesIBM Tivoli Identity Manager has these software prerequisites:

Java Runtime Environment (JRE) requirements:

IBM Tivoli Identity Manager requires JRE version 1.5 SR9, which is installed in theWAS_HOME/java directory when WebSphere® Application Server Fix pack 23 isinstalled.

Use of an independently installed development kit for Java, from IBM or othervendors, is not supported. The JRE requirements for using a browser to create aclient connection to the IBM Tivoli Identity Manager server are different than theJRE requirements for running the WebSphere Application Server.

WebSphere Application Server requirements:

The following table lists the required version of WebSphere Application Server andany applicable fix pack or APAR requirements.

Product overview 15

Table 5. Requirements for using WebSphere Application Server with IBM Tivoli IdentityManager

Applicationserver

Fixpack,patch,andmaintenancelevelrequirements

Cumulativefix

AdditionalAPARs

AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0,

SUSELinux10.0

SUSELinux11.0

WebSphereApplicationServerVersion6.1

Fixpack23

None None

WebSphereApplicationServerVersion7.0

Fixpack 5

None None

Database server requirements:

IBM Tivoli Identity Manager has these database server requirements:

Table 6. Database server requirements

Databaseserver


AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0

SUSELinux10.0

SUSELinux11.0

IBMDB2®

EnterpriseVersion9.1

Fix pack4

IBMDB2EnterpriseVersion9.51

Fix pack3B

IBMDB2EnterpriseVersion9.7

MicrosoftSQLServer2005,EnterpriseEdition2

16 Product overview

Table 6. Database server requirements (continued)

Databaseserver


AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0

SUSELinux10.0

SUSELinux11.0

Oracle10gRelease2(Version10.2.0.1)3

Oracle11gRelease13

4

Note:

1. IBM DB2 Enterprise 9.5 is not supported on Linux 32 bit operating systems oron any Linux operating systems on pSeries hardware. IBM DB2 9.5 WorkGroupEdition is bundled for Linux 32 bit operating systems.

2. IBM Tivoli Identity Manager must be running on a supported Windowsoperating system if Microsoft SQL Server is used for the IBM Tivoli IdentityManager database.

3. The Oracle 11.1.0.7 database driver is required for both Oracle 10gR2 andOracle 11g databases.

4. Oracle 11g version 11.1.0.7.0 supports Windows Server 2008 32 and 64 bitoperating systems.

Directory server requirements:

IBM Tivoli Identity Manager has these directory server requirements:

Table 7. Directory server requirements

Directoryserver


AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0,

SUSELinux10.0

SUSELinux11.0

IBMTivoliDirectoryServerVersion6.1

2

IBMTivoliDirectoryServerVersion6.2

1

Product overview 17

Table 7. Directory server requirements (continued)

Directoryserver


AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0,

SUSELinux10.0

SUSELinux11.0

SunEnterpriseDirectoryServerVersion6.3

Note:

1. Supported with Tivoli Directory Server 6.1 Fix pack 1.2. Supported with Tivoli Directory Server 6.1 Fix pack 4.

Directory Integrator requirements:

Tivoli Identity Manager has these optional directory integrator requirements:

You can optionally install IBM Tivoli Directory Integrator Version 6.1.1, Version6.1.2, or Version 7.0 for use with IBM Tivoli Identity Manager.

IBM Tivoli Directory Integrator is used to enable communication between theinstalled agentless adapters and IBM Tivoli Identity Manager. For moreinformation on agentless adapters, refer to the IBM Tivoli Identity ManagerInstallation and Configuration Guide.

Table 8. Directory integrator requirements

Directoryintegrator


AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0,

SUSELinux10.0

SUSELinux11.0

IBMTivoliDirectoryIntegratorVersion6.1.1

IBMTivoliDirectoryIntegratorVersion6.1.2

18 Product overview

Table 8. Directory integrator requirements (continued)

Directoryintegrator


AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0,

SUSELinux10.0

SUSELinux11.0

IBMTivoliDirectoryIntegratorVersion7.0

Note:

For the UNIX® and Linux adapter IBM Tivoli Identity Manager requires:Version 6.1.1, Fix Pack FP0003 or higherVersion 6.1.2, Fix Pack FP0001 or higherVersion 7.0, Fix Pack FP0001 or higher

Report server requirements:

The following table lists the required version of Tivoli Common Reporting Serverand any applicable fix pack or APAR requirements.

Table 9. Requirements for using Tivoli Reporting Server with IBM Tivoli Identity Manager

Report server Fix pack, patch, and maintenance levelrequirements

Cumulative fix Additional APARs

Tivoli Common ReportingServer, Version 1.2.0.1

Interim fix 02 of fix pack 2 None None

You can download the latest fixes for Tivoli Common Reporting Server from theFix Central Web site at http://www.ibm.com/support/fixcentral/

Browser requirements for client connections:

IBM Tivoli Identity Manager has browser requirements for client connections.

The IBM Tivoli Identity Manager administrative user interface uses applets thatrequire a Java plug-in provided by Sun Microsystems JRE Version 1.5 or higher.When the browser requests a page that contains an applet, it attempts to load theapplet using the Java plug-in. If the required JRE is not present on the system, thebrowser prompts the user for the correct Java plug-in, or fails to complete thepresentation of the items in the window. The Tivoli Identity Manager user interfaceis displayed correctly for all pages that do not contain a Java applet, regardless ofJRE installation.

Cookies must be enabled in the browser to establish a session with IBM TivoliIdentity Manager.

Product overview 19

http://www.ibm.com/support/fixcentral/

Note: Do not start two or more separate browser sessions from the same clientcomputer. The two sessions are regarded as one session ID, which will causeproblems with the data.

The following table lists the browser and browser versions that are supported byIBM Tivoli Identity Manager. Supported browsers are not included with theproduct installation.

Table 10. Browser requirements

BrowserFixpack,patch,andmaintenancelevelrequirements

AIX5.3

AIX6.1

Solaris10

WindowsServer2003

WindowsServer2008

Windowsclients

RedHatLinux4.0

RedHatLinux5.0

SUSELinux9.0,

SUSELinux10.0

SUSELinux11.0

Mozilla,FirefoxVersion2.0


1


1

MicrosoftInternetExplorer,Version7.0

1

MicrosoftInternetExplorer,Version8.0

1

Note:

1. Supported with Windows Server 2003 Service Pack 1 (SP1).

Supported adapter levelsIBM Tivoli Identity Manager supports the use of agentless and agent-basedadapters.

The IBM Tivoli Identity Manager installation program will always install thefollowing adapter profiles:v AIX profile (UNIX and Linux adapter)v Solaris profile (UNIX and Linux adapter)v HP-UX profile (UNIX and Linux adapter)v Linux profile (UNIX and Linux adapter)v LDAP profiles (LDAP adapter)

20 Product overview

The IBM Tivoli Identity Manager installation program will optionally install theagentless adapter profiles for the IBM Tivoli Identity Manager LDAP adapter andIBM Tivoli Identity Manager UNIX and Linux adapter. It is recommended that youinstall the latest adapter profile before you start using the adapter.

You must take additional steps to install adapters if you choose not to install themduring the IBM Tivoli Identity Manager installation or if the adapter is notinstalled as a service profile with IBM Tivoli Identity Manager.

The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema,which enables communication between the IBM Tivoli Identity Manager andsystems running IBM IBM Tivoli Directory Server or Sun ONE directory server.The IBM Tivoli Identity Manager LDAP Adapter Installation Guide describes how toconfigure the LDAP adapter. The following table lists the UNIX and Linux systemsand versions that are supported by the UNIX and Linux adapter.

Table 11. Prerequisites to run the UNIX and Linux adapter

Operating system Version

AIX AIX 5.1, AIX 5.2, AIX 5.3

HP-UX HP-UX 11i Trusted, HP-UX 11i Non-Trusted

Red Hat Linux Red Hat Enterprise Linux Advanced Server 3.0

Red Hat Enterprise Linux Advanced Server 4.0

Red Hat Enterprise Linux Enterprise Server 3.0

Red Hat Enterprise Linux Enterprise Server 4.0

Solaris Solaris 9, Solaris 10

SUSE Linux SLES 8, SLES 9

Adapters are available at the following IBM Passport Advantage® Web site:

http://www.ibm.com/software/sw-lotus/services/cwepassport.nsf/wdocs/passporthome

Installation and configuration guides for adapters can be found at the followingTivoli Identity Manager information center Web site:

http://publib.boulder.ibm.com/tividd/td/IdentityManager5.0.html

Installation images and fix packsIBM Tivoli Identity Manager installation files and fix packs can be obtained usingthe IBM Passport Advantage Web site, or by another means, such as a CD or DVDas provided by your IBM sales representative.

The Passport Advantage Web site provides packages, referred to as eAssemblies,for various IBM products. The IBM Tivoli Identity Manager Installation andConfiguration Guide provides full instructions for installing and configuring IBMTivoli Identity Manager and the prerequisite middleware products.

The procedure that is appropriate for your organization depends on the followingconditions:v Operating system used by IBM Tivoli Identity Manager

Product overview 21



http://publib.boulder.ibm.com/tividd/td/IdentityManager5.0.html

v Language requirements for using the productv Type of installation you need to perform:

eAssembly for the product and all prerequisitesThe IBM Tivoli Identity Manager installation program enables you toinstall IBM Tivoli Identity Manager, prerequisite products, and requiredfix packs as described in the IBM Tivoli Identity Manager Installation andConfiguration Guide. This type of installation is recommended if yourorganization does not currently use one or more of the productsrequired by IBM Tivoli Identity Manager.

eAssembly for a manual installationYou can install IBM Tivoli Identity Manager separately from theprerequisites, and you can install separately any of the prerequisiteproducts that are not installed. In addition, you must verify that eachprerequisite product is operating at the required fix or patch level.

Known limitations, problems, and workaroundsIBM Tivoli Identity Manager has these known software limitations, problems, andworkarounds.

As limitations and problems are discovered and resolved, the IBM SoftwareSupport team updates the online knowledge base. By searching the knowledgebase, you can find workarounds or solutions to problems that you experience. Thefollowing link launches a customized query of the live Support knowledge base foritems specific to version 5.0:

Tivoli Identity Manager Version 5.0 tech notes

To create your own query, go to the Advanced search page on the IBM SoftwareSupport Web site.

Product installation, upgrade, and removal limitations, problemsand workaroundsYou might encounter these IBM Tivoli Identity Manager Server installation,upgrade, or product removal problems, and use these workarounds:v Problem: The dollar sign ($) has special meaning in the installer frameworks

used by IBM Tivoli Identity Manager Server and non-Windows operatingplatforms. The installer framework or operating system might do variablesubstitution for the value. For example, on UNIX-like platforms, $$ will bereplaced with the process ID. For installers based on ISMP (InstallShieldMultiplatform), $$ are replaced with a single $.Workaround: Avoid using $ as a value in any field in a IBM Tivoli IdentityManager Server installation or configuration page.

v Problem: If you uninstall and then quickly reinstall IBM Tivoli Identity ManagerServer, the performance of the graphical user interface degrades significantlyand might become unusable. The performance of the WebSphere ApplicationServer might also degrade. Although no messaging engine problem is the cause,the symptom is a message such as:CWSIT0019E: No suitable messaging engine is available on bus itim_bus

Workaround: Remove the WebSphere Application Server transaction log files. Inthe WAS_PROFILE_HOME/tranlog/cell_name/node_name/server_name/transaction/tranlog/ directory, the files are named log1 and log2.Additionally, in the WAS_PROFILE_HOME/tranlog/cell_name/node_name/server_name/transaction/partnerlog/ directory, the files are named log1 and log2.

22 Product overview

http://www-1.ibm.com/support/search.wss?tc=SSTFWV&rs=644&rank=8&atrn=SWVersion&atrv=5.0&dc=DB520+D800+D900+DA900+DA800+DB560&dtm

The cause of the problem is that after reinstallation, transaction recovery maynot be able to complete properly. The cause is a problem in the transaction log.The messaging engine detects this condition as identifiers in the transaction logthat remain from the previous IBM Tivoli Identity Manager Server installation,and that differ from the current database.

v Problem: When user groups are migrated from Version 4.6 of IBM Tivoli IdentityManager Express, a help desk assistant at IBM Tivoli Identity Manager Version 5is able to change the role of a group member, but not the IBM Tivoli IdentityManager account.Workaround: At IBM Tivoli Identity Manager Express Version 4.6, groups androles were not separated. A help desk user could assign any user to any groupby changing the user’s personal profile, because groups and roles were treatedas the same. At Version 4.6, however, a help desk user could not update orrequest a IBM Tivoli Identity Manager account. To provide change permission,create a new access control item that targets IBM Tivoli Identity Manageraccounts and grants that permission.

v Problem: After an upgrade from IBM Tivoli Identity Manager Express Version4.6 to IBM Tivoli Identity Manager Version 5, a manager who clicks Manageusers to manage a specific subordinate will observe these results:– All the users in IBM Tivoli Identity Manager are displayed.– The details of the subordinates were read only.Workaround: Immediately after upgrading from Version 4.6 to Version 5, assystem administrator, adjust the views and access control items for managers, toproduce the correct results:

views IBM Tivoli Identity Manager Express Version 4.6 provided independentview settings for manager tasks. These independent tasks no longer existin IBM Tivoli Identity Manager Version 5. Instead, managers use thesame tasks as help desk assistants. In this scenario, the ChangeSubordinate’s Profile task no longer exists. After the upgrade, you mustenable Change User in the manager view. This also applies to the othermanager-specific tasks from IBM Tivoli Identity Manager ExpressVersion 4.6 such as requesting, changing, or deleting an account.

access control itemsThe *default* access control items in IBM Tivoli Identity ManagerExpress Version 4.6 allowed managers to search for all users, but thelogic in the manager-specific tasks, such as Change Subordinate’s Profile,displayed only the manager’s subordinates. Since those special tasks nolonger exist in IBM Tivoli Identity Manager Version 5, you must adjustthe access control items so that managers can search only for theirsubordinates.

v Problem: After an upgrade from IBM Tivoli Identity Manager Express Version4.6 to IBM Tivoli Identity Manager Version 5, for the users created previously onVersion 4.6, the Identity Manager login ID field is also displayed in a user’sprofile in the Personal Information page at Version 5. However, for the defaultSystem Administrator which is a system generated person, the attribute IdentityManager login ID is not displayed. Creating a new person on the upgradedVersion 5 does not display the Identity Manager login ID.Workaround: Upgrade disables the default identity policy for ITIM Service,which is responsible for populating the erpersonuid (Identity Manager Login ID)attribute when a user is created. To hide the field for the users createdpreviously on Version 4.6, use the Form Designer to hide the TIM Account

Product overview 23

userID in the Person form. To enable all previous and new end-users to see thefield, enable the IBM Tivoli Identity Manager Express Version 4.6 identity policythat copies the userID to that attribute.The Identity Manager login ID field was used in IBM Tivoli Identity ManagerExpress Version 4.6 because the IBM Tivoli Identity Manager Express accountwas hidden, and users needed a field that displayed their user ID. Afterupgrading to Version 5, the IBM Tivoli Identity Manager accounts are no longerhidden and there is no need for the field. Users can find their user ID bylooking at the IBM Tivoli Identity Manager accounts.The identity policy might not function if you migrate a deployment fromsingle-server deployment of IBM Tivoli Identity Manager Express Version 4.6 toa cluster environment at Version 5, because a cluster environment uses anin-memory cache to avoid ID collisions that would be unique to each clustermember.

v Problem: Middleware configuration errors occur if you use InstallShieldMultiPlatform to install IBM Tivoli Identity Manager on RedHat EnterpriseLinux Version 5.0, which provides 64-bit JVM. For example, an error messagemight be:The installer is unable to run in graphical mode.Try running the installer with the -console or -silent flag.

Additionally, some X display programs might not work.Workaround: During installation on RedHat Enterprise Linux Version 5.0, theInstallShield MultiPlatform middleware configuration tool requires 32-bit JVM,including the 32-bit version of libXmu.so.6, which must reside in the /usr/libdirectory. These 32-bit libraries are not installed by default. Before installing IBMTivoli Identity Manager, obtain the following files and write them to the/usr/lib directory:– 64-bit zLinux systems

libXmu-1.0.2-5.s390.rpm– 64-bit X86 systems

libXmu-1.0.2-5.i386.rpmv Problem: When you upgrade IBM Tivoli Identity Manager Version 5.0, you

might perform tasks similar to this scenario:1. Create a new organization and create users in the new organization.2. Create a hosted ITIM service and provide at least one of the newly created

users with an account on the service. For example, the newly created user’saccount might have the user ID of ″helpdeskuser″.

3. Add helpdeskuser to the Help Desk Assistant group.4. Log out and log in as helpdeskuser.5. Navigate to Manage users in the portfolio and search for users.

Although users exist, the search by the Help Desk member displays no users.The default search page does not automatically search the logged in user’sorganization.

Workaround: Use the Advanced search feature to select to the new organizationand perform the search. The users are then found and listed.

v Problem: After an upgrade from a previous version of Tivoli Identity Manager,errors can occur when you attempt to view requests made before the upgrade.Additionally, a similar error occurs in viewing requests if you create identicallynamed services and then delete them.

24 Product overview

Workaround: Pending a fix, a method in the service search returns items fromthe recycle bin. To correct this, remove all service entries from the recycle bin.For example, to remove a service entry, complete these steps:1. Use the ldap browser to connect to the directory server.2. Expand the entries under ″ou=recycleBin, ou=itim, <tenant_dn>″, where the

value of <tenant_dn> is the actual DN.3. Delete the entry matching ″objectClass=erServiceItem″ attribute under

″ou=recycleBin, ou=itim, <tenant_dn>″.v Problem: Problems might arise from an improper configuration of the JDBC

driver at upgrade time for IBM Tivoli Identity Manager. At upgrade time, theIBM Tivoli Identity Manager installation prompts for the location of the JDBCdriver for IBM Tivoli Identity Manager to use in connecting to the database. Ifthe administrator does not reference an Oracle 10.x JDBC driver (ojdbc14.jar),problems can occur when users attempt to reconcile services following an Oracleupgrade from Version 9.x to 10.x. The error produces a message similar to this:CTGIMU552E An error occurred while communicating with the server.

Workaround: IBM Tivoli Identity Manager requires the JDBC driver to bematched with the database server level; therefore, the driver needs to beupdated with the Oracle 10.x driver. Replace the ojdbc14.jar file inITIM_HOME/lib with the JAR file provided by the Oracle Version 10.xinstallation, and then restart the WebSphere Application Server. The JDBC driverlevel used by the WebSphere Application Server is printed in the SystemOut.logat server startup.This is an example log record in SystemOut.log for the Oracle 9.x JDBC driver,which is the wrong driver:[12/6/07 10:32:02:369 EST] 00000156 DSConfigurati IDSRA8205I: JDBC driver name : Oracle JDBC driver[12/6/07 10:32:02:372 EST] 00000156 DSConfigurati IDSRA8206I: JDBC driver version : 9.2.0.7.0

This is an example log record in SystemOut.log for the Oracle 10.x JDBC driver,which is the correct driver:[12/6/07 10:54:41:913 EST] 00000024 InternalOracl IDSRA8205I: JDBC driver name : Oracle JDBC driver[12/6/07 10:54:41:918 EST] 00000024 InternalOracl IDSRA8206I: JDBC driver version : 10.2.0.1.0

v Problem: If there are two or more nodes that contain node.xml files on theWebSphere Application Server, errors can occur when the IBM Tivoli IdentityManager installation program checks in alphabetic order for the existence of theNODE_NAME directory as the node that the WebSphere Application Servershould use as the target server to deploy IBM Tivoli Identity Manager to.For example, you might see an error message similar to this one:Server name is not valid

This is a critical failure. Although the installation process will continue, theinstallation will later fail.On the WebSphere Application Server, the node.xml file is in this directory:WAS_HOME/config/cells/CELL_NAME/nodes/NODE_NAME/servers/SERVER_NAME/

where:

WAS_HOMEThe installation directory, such as /opt/IBM/WebSphere/AppServer/profiles/AppSrv01.

Product overview 25

CELL_NAMEThe cell name, such as tivmvs12Node01Cell.

NODE_NAMEThe node name, such as tivmvs12Node01.

SERVER_NAMEThe server name, such as server1.

Workaround: To work around the error, complete these tasks:1. Back up in your sequence of completing the installation panels to the

previous panel.2. Temporarily rename the node.xml files that exist in the wrong nodes, to

allow the installation program to find the correct node.xml file.3. Continue forward in the installation panels, passing the ″Server Name is not

valid″ error message to continue the installation.4. Rename the files back to their original names when installation is complete.

To rename a node.xml file, for example, type:– Windows systems:

rename node.xml node.xml.original

– UNIX/Linux systems:mv node.xml node.xml.original

v Problem: When running the manual uninstallation of IBM Tivoli IdentityManager Version 5.0 from the ITIM_HOME\itim\itimUninstallerData directory,the messages Preparing SILENT Mode Installation... and InstallationComplete appear. These messages are not indicative of the proper function of theuninstaller.Limitation: This is a known limitation of the InstallAnywhere platform that isused to customize the manual uninstallation of IBM Tivoli Identity Manager.

v Problem: After upgrading from IBM Tivoli Identity Manager version 4.6 andviewing requests in the Identity Manager console, the following warning isissued in the trace log: Unable to parse ’erworkflow’ attribute value for viewrequests -- using default query.This message occurs because the formatting of the user’s view requestspreferences was changed between releases. This trace entry indicates that thepreferences cannot be parsed, and is replaced with the default query.Limitation: This is a onetime occurrence for each user as they use the viewrequests function after the upgrade. The message can safely be ignored. The userpreferences are updated, using the default query as a starting point.

v Problem: Passwords might be displayed in the clear in the itim_install.stderrinstallation log file.Limitation: This is a onetime installation log file. After a successful installationthe log can be deleted.

v Problem: The script files changeCipher andstartIncrementalSynchronizerCMD_WAS are not working correctly.Workaround: To use the scripts changeCipher.sh, changeCipher.bat,startIncrementalSynchronizerCMD_WAS.sh andstartIncrementalSynchronizerCMD_WAS.bat, you must first set the ITIM_HOMEand WAS_HOME variables in the scripts.

26 Product overview

IBM Tivoli Identity Manager Server limitations, problems, andworkaroundsThese are IBM Tivoli Identity Manager Server problems, workarounds, andlimitations:v Problem: APARS that were fixed in IBM Tivoli Identity Manager Version 4.6 and

in IBM Tivoli Identity Manager Express Version 4.6 are still pending resolutionfor IBM Tivoli Identity Manager Version 5.0.Limitation: APARS pending resolution at Version 5.0 include:IY86885, IY86991, IY88093, IY91022, IY91040, IY91106, IY91896, IY92097, IY92176,IY92227, IY92688, IY92841, IY92851, IY93514, IY94096, IY94415, IY94425, IY94471,IY94616, IY94708, IY94774, IY94978, IY94980, IY94986, IY95478, IY95684, IY95834,IY96118, IY96257, IY96616, IY96967, IY97292, IY97340, IY97662, IY97665, IY97769,IY98312, IY98464, IY98612, IY99084, IY99175, IY99208, IY99295, IY99300, IY99416,IY99624, IY99659, IY99660, IY99813, IY99826, IZ00148, IZ00153, IZ00195, IZ00197,IZ00311, IZ00318, IZ00812, IZ00815, IZ01021, IZ01059, IZ01074, IZ01107, IZ01112,IZ01125, IZ01187, IZ01588, IZ01602, IZ01654, IZ01763, IZ01768, IZ01799, IZ01890,IZ01953, IZ02057, IZ02355, IZ02621, IZ02744, IZ03822, IZ03983, IZ04263, IZ04631,IZ47646, IZ04801, IZ05063, IZ05103, IZ05313, IZ05732, IZ05951, IZ06712, IZ07364,IZ07571, IZ08011, IZ08157, IZ08190, IZ08287, IZ08459

v Problem: When you apply the IBM Tivoli Identity Manager Server Fix Pack forLdapUpgrade, the Fix Pack application fails with error 80 if the TAM-ESSOTivoli Access Manager for Enterprise Single Sign-On Provisioning Adapter hasbeen integrated into IBM Tivoli Identity Manager Server. The process ofTAM-ESSO integration introduces new attributes into the IBM Tivoli IdentityManager Server system object classes erAccountItem and erServiceItem.LdapUpgrade will fail with the message Error in loading schema - LDAP:error code 80-Other. The NamingException should be logged inITIM_HOME/install_logs/ldapUpgrade.stdout file.Limitation: To resolve the error, complete these manual steps:1. Click OK when the Error in loading schema message occurs.2. After the Fix Pack application is done, update the ITIM_HOME/config/

ldap/er-schema.dsml file by modifying IBM Tivoli Identity Manager Serverobject classes, erAccountItem and erServiceItem.a. After the object-identifier1.3.6.1.4.1.6054.1.2.2 object-identifier of

erAccountItem, add the entries below:<attribute ref="vgoAdminID" required="false" /><attribute ref="vgoAdminPWD" required="false" /><attribute ref="vgoApplicationDescription" required="false" /><attribute ref="vgoApplicationID" required="false" /><attribute ref="vgoApplicationPWD" required="false" /><attribute ref="vgoCredAttribute1" required="false" /><attribute ref="vgoCredAttribute2" required="false" /><attribute ref="vgoSSOUserID" required="false" />

b. After the object-identifier1.3.6.1.4.1.6054.1.2.6object-identifier oferServiceItem, add the entries below:<attribute ref="vgoApplicationIDMeta" required="false" /><attribute ref="vgoSSOUserIDMeta" required="false" /><attribute ref="vgoApplicationDescriptionMeta" required="false"/><attribute ref="vgoCredAttribute1Meta" required="false" /><attribute ref="vgoCredAttribute2Meta" required="false" /><attribute ref="vgoApplicationUserIDMeta" required="false" />

c. Run ITIM_HOME/bin/ldapUpgrade.v Problem: The forms designer provides the ability to edit the Person form

template. During an editing session, under the personal tab, you can replace the

Product overview 27

initials text field with the password pop-up widget. The field will then containinitials of a person which are encrypted because of change in widget. However,a correct error message does not appear after you create the Person instance, andthen put incorrect initials in the text field.Limitation: To avoid issues with popup blocking software, the password pop-upwidget does not launch a new window.

v Problem: During a change or modify operation, the password widget used incustom form pages can cause display of a blank password field, rather than asequence of asterisks (***).However, if the widget is part of the first tab in a notebook or first step in awizard, the field will be blank.Limitation: Use of a blank value prevents a user from discovering the value of apassword by viewing the page source file.

v Problem: How to define default values for attributes not shown on an accountform using a form widget is not described.Workaround: To use a form widget to define an account default when theattribute is not on the form, complete the following steps:1. Select Configure System > Design Forms task to add the attribute to the

account form.2. Select a widget for the attribute and save the form.3. Select Manage Services > Manage Default task to define the default value.

You can use the widget configured for the attribute on the form to define thedefault value.

4. Remove the attribute from the account form, using the Configure System >Design Forms task and save the form.

v Problem: Errors occur if a semicolon is used within a password on the Windowsoperating system.Workaround: When you define a password, do not use a semicolon.

v Problem: If you start an activity as a user, and while the activity is pending,delete the service to which the activity applies, the activity remains in theactivity list for the user, and an error message occurs if you attempt to view thetarget activity.Limitation: Cleanup of pending activities does not immediately occur forrunning workflows that reference a service, when the service is deleted. Theinformation is not easily available (if at all) to the running workflows. Theworkflow runs to completion, or until an error occurs.For example, if a workflow is assigned to account creation for a given serviceand an account on that service is requested, the workflow starts. If the service isdeleted during the run, the account request workflow continues to run,including any required approvals, and other operations. When the workflowattempts to create the account on the deleted service, the workflow fails becausethe service no longer exists.

v Problem: In a key=value pair in a property file such as CustomLabels.propertiesfile, you must specify a key name that is entirely lowercase. Otherwise, an erroroccurs.Limitation: Because the method that fetches the schema class for an attributewill return only lowercase characters, you must specify in any properties file, akey name that is entirely lowercase.

v Problem: If you suspend and then restore an account, the e-mail notification ofaccount restoration does not contain the account password. This occurs if the

28 Product overview

person initiating the restore is the owner of the account, or if the password wasnot changed as part of the restore operation (the account is restored with thesame password as before).Limitation: This notification behavior is working as designed. The person whoowns the restored account, and did not change the password, still knows theexisting password.

v Problem: Using LDAP Data Interchange Format (LDIF) files to importbacked-up directory information can cause problems if the system is notstopped, or workflows are incomplete.Workaround: When you use LDIF files to import backed-up directoryinformation, ensure that the application servers have been stopped. If the LDIFimport modifies workflows or operations, ensure that all workflows arecomplete before you perform the import operation. For more information aboutimporting LDIF files, refer to your directory server documentation.

v Problem: When you create a service and add an attribute, there might beattribute with the same name that already exists, but does not yet have any userdata stored. If you add a duplicate attribute with same name in other servicetype, the change to attribute with the duplicate name will affect data in otherservice profiles.For example, adding a single-valued attribute in the case where a previouslyexisting attribute is multi-valued, will change the attribute type to single-valuedin all service profiles in which this attribute exists. If no data exists, there is nowarning message.Workaround: Before you create an attribute for a service, ensure that the newattribute does not already exist in other service profiles.

v Problem: When configuring an entitlement parameter for a provisioning policy,if the attribute value is defined to be of type JavaScript, but only a single stringis entered, such as my password, the string is automatically converted to typeConstant.Limitation: A single string of type JavaScript is automatically converted to typeConstant, for an attribute of an entitlement parameter of a provisioning policy.

v Problem: When selecting objects for a partial export, other objects that theselected objects depend on are automatically added to the export list by thesystem. If you then remove a selected object, the objects that the selected objectdepends on are not also automatically removed from the export list, nor canthey be removed manually.Workaround: Either continue to export the list and ignore the extraneous objects,or save the list, and then delete it and make a new partial export list without theobject that you wanted to remove. Then, perform the export.

v Problem: If a user has a IBM Tivoli Identity Manager account in multiple IBMTivoli Identity Manager groups, an e-mail notification that the user receivesmight contain links to both the administrator and self-care user interfaces.Workaround: Use either link. This is working as designed. Two links aregenerated because of user’s membership in two different types of IBM TivoliIdentity Manager groups (end user and non-end user) through the user’s IBMTivoli Identity Manager accounts.

v Problem: In some circumstances, when you click Test Connection for an ADOrganizationalPerson identity feed service, and you have provided incorrectinformation, an error message is displayed without the remaining content of thepage.Workaround: Refresh your browser page, or exit the task and perform it againusing correct information.

Product overview 29

v Problem: To configure SSL connections between the IBM Tivoli Identity ManagerServer and adapters, the following two parameters are required to be defined inthe WebSphere Application Server as parameters to JVM.– javax.net.ssl.trustStore– javax.net.ssl.trustStorePasswordWhen you inquire for a process list by typing the ps -ef command, the passwordof the Java Key Store is listed in the result output.Workaround: Describe these parameters in a file, then specify the file with the-Xoptionsfile option. Complete these tasks:1. Create a file, then describe these parameters on the same line as follows:

-Djavax.net.ssl.trustStore=/usr/IBM/itim/itim50.jks-Djavax.net.ssl.trustStorePassword=password

2. Specify the file name with the -Xoptionsfile option as a parameter to JVM.a. Open the WebSphere Application Server Administrative Console.b. Select Server → Application Server → servername → Process Definition →

Java Virtual Machine.c. Add the-Xoptionsfile option as follows:

-Xoptionsfile=/usr/IBM/itim/jksProps.txt

d. Restart the WebSphere Application Server.v Problem: A filter change to a lifecycle rule does not take effect immediately

when running it manually. Lifecycle rule operations can take an extended periodof time to finish for the entire result set returned from the evaluation of thelifecycle rule filter, primarily due to the manual workflow activities associatedwith the operation.Additional information: For lifecycle rules that are associated with profiles orcategories, execution is dependent on the enrole.profile.timeout property, definedin minutes, in the enRole.properties file. Even if the filter that is present in thelifecycle rule is modified and run manually, it takes the previous filter themaximum time of the refresh interval to elapse, specified in minutes for theenrole.profile.timeout property. Once this period is over, the modified value forthe filter is then used during lifecycle execution.

v Problem: Owners of disabled IBM Tivoli Identity Manager accounts still receivenotification e-mails targeted to them as the participant of a request forinformation or approval request.Limitation: This is a current limitation.

v Problem: When you have access control items for default Person and customPerson (derived from inetOrgPerson) entities in IBM Tivoli Identity Manager, theaccess control item for the default Person entity also affects the custom Personentity. For example, a custom Person entity that is defined as customPersoninherits from inetOrgPerson. Any access control item that applies to theinetOrgPerson entity also applies to the customPerson entity, in addition toaccess control items defined for the customPerson entity.

Note: The behavior of the access control items was changed in IBM TivoliIdentity Manager at Version 4.6 to enforce the inheritance. An access control itemdefined for an objectclass not only applies to entities of the objectclass, but alsoto entities belonging to objectclasses that inherit this objectclass directly orindirectly.Workaround: Define an access control item exclusively for inetOrgPerson toallow for the access control item to apply only to the default person entity. Setthe following access control item target filter:(!(objectclass=customPerson))

30 Product overview

v Problem: To allow some users to change a user’s role, you might configureaccess control items for both Person and custom Person objects with Read andWrite access on erRoles (as well as Search/Modify operations). An additionalaccess control item would allow users to search for organizational roles.However, when a user then attempts to modify the erRole attribute, you mightfind that IBM Tivoli Identity Manager does not allow the modification.Workaround: For an organizational role, create an additional access control itemthat grants Modify rights to users.To assign an organizational role to a person or remove the person from anorganizational role, define appropriate access control items that give a user all ofthe following permissions and operations:– Write attribute permission for the erRoles attribute of the Person to be

modified.– Modify operation on the Person to be modified.– Modify operation for the organizational role that is to be removed from or

added to the Person.v Problem: To provide a role for a service owner, you must change the Category

owner field on the service form to Static Organizational Role. However, it is notrecommended to change the owner type (from Person to Static OrganizationalRole and vice versa) for a service profile when one or more service instanceshave been defined for that profile.Workaround: If you want to specify Static Organizational Role on the serviceform for a profile that already has existing services, remove the service owner ofall services of the profile. For example, if you want to specify StaticOrganizational Role for a WinLocal service, you must remove all service ownersof all Winlocal services.

v Problem: If you use the Form Designer to configure a date on a form, you canconfigure the attribute and see the value correctly displayed, as long as it is notset to null in LDAP.Workaround: The DateInput Type allows users to select a default or analternative date. The Default date input type allows the user to specify that theattribute value never expires, by selecting ″Never″ in the administrative console,or ″No date selected″ in the self-service console. The Alternative Date date inputtype does not allow the user to specify that the attribute value never expires,and should be used if the attribute value must expire at some point in time.For a default date, a null or empty value for the attribute is interpreted as theattribute ″never expires″, and is displayed on the administrative console with″Never″ selected, and on the self-service console with ″No date selected″selected.

v Problem: When you preview a change to a provisioning policy, the list size ofthe display of the affected accounts is limited by the combination of twoproperties in ui.properties file: enrole.ui.pageSize and enrole.ui.pageLinkMax.The account list size limit is determined by the value of enrole.ui.pageSizeproperty multiplied by the value of enrole.ui.pageLinkMax property plus 1(one).For example, by default, if enrole.ui.pageSize=50 and enrole.ui.pageLinkMax=10,the maximum affected account list size would be calculated as:50 x 10 + 1 = 501

Workaround: If you have a large number of affected accounts to preview for achange in a provisioning policy, increase these two properties appropriately.

Product overview 31

Start by increasing only the enrole.ui.pageLinkMax value, because increasing thevalue of enrole.ui.pageSize will affect other parts of the IBM Tivoli IdentityManager user interface.

v Problem: A provisioning policy preview will time out if the preview summarypage is idled for more than 10 minutes after evaluation completion, or if younavigate away from the preview summary page for more than 10 minutes.When the preview times out, navigating to obtain detail from the summary pageis not possible. If timeout occurs, you can only click Close on the summarypage.Workaround: To prevent timeout, avoid idling or navigating away from thepreview summary page for more than 10 minutes. To correct the problem after itoccurs, resubmit the preview request.

v Problem: If an access definition for a group on a service is referenced by arecertification policy and the access definition is undefined for the group, therecertification policy is not fully updated with the removal of the accessdefinition. The target of the recertification policy will be listed in the userinterface as null or None, due to an improper update of the recertification policyfor the access removal. Although the recertification policy user interface willshow the target as None, running the recertification policy will continue torecertify accounts which make use of the group for which the access wasdefined.Workaround: Edit the recertification policy by using the user interface for thepolicy which referenced the access definition to be deleted:1. First, remove the access to be deleted from the recertification policy with

which it is associated. If the access definition is removed before removing thetarget from the recertification policy, the recertification policy pages can beused to work around the issue.

2. Once the recertification policy is opened in edit mode, navigate to the AccessTarget tab and remove the target listed as None.

3. Save the recertification policy to properly update the policy.If None is the only target for the recertification policy, you might want to deletethe recertification policy entirely, because it is not used for other accessdefinitions.A similar issue can occur when you modify an access definition to deselectDisplay in an Access list. If this option is not selected in the access definition,the recertification policy that references that access definition will not besearchable by access name.

v Problem: When you manage identities, no default operations appear for aPerson object at the Entity Level. Operations do appear at the Entity Type level.However, when they are changed, the operations still indicate they aresystem-defined operations.Limitation: This is an existing limitation. By design, operations that are definedat the Entity Type Level are not shown, when the Entity Level is selected. Asystem-defined entity operation indicates it is system-defined, even after a userhas modified the operation.

v Problem: When you configure IBM Tivoli Identity Manager Integration forMaximo Service Request Manager Version 7.1, the Maximo Web service issuescall failures when IBM Tivoli Identity Manager attempts to provision more than10,000 users. One to two dozen Maximo users do not get created due to the callfailures. However, the users are created when the requests for them areresubmitted.Limitation: This is an existing limitation. For more information, refer to APARIZ23893.

32 Product overview

v Problem: If you remove a cluster node from a cluster and then add the clusternode back to the cluster, the Tivoli Identity Manager administrative console doesnot start.Workaround: Add the ITIM_Home/data directory again to the classpath on theserver associated with the node.

v Problem: When using the GUI to submit an attribute with leading or trailingspaces, the IBM Tivoli Identity Manager server deletes the leading or trailingspaces for that attribute value. This occurs for all attributes except for thepassword attribute.Limitation: This is an existing limitation.

WebSphere Application Server limitations, problems, andworkaroundsYou might encounter these WebSphere Application Server problems, and use theseworkarounds:v Problem: The WebSphere Application Server and the DB2 Universal Database™

are installed on the same Windows machine. The WebSphere Application Serverand the DB2 Universal Database services are set up to start automatically. Afterrebooting the machine, the WebSphere Application Server and DB2 UniversalDatabase are successfully started, but a user or account cannot be created ormodified.Workaround: The messaging engine did not start because the WebSphereApplication Server started before the DB2 Universal Database started. When theWebSphere Application Server starts, the messaging engine for IBM TivoliIdentity Manager is started, if the DB2 Universal Database is available at thattime.After rebooting the machine, manually ensure that the messaging engine forIBM Tivoli Identity Manager started successfully. On the WebSphere ApplicationServer Administrative Console, select Service Integration > Buses > itim_bus >Messaging engines from the Topology section. If the messaging engine is notstarted, start it from this page.

v Problem: On the Sun Solaris 10 operating system, the WebSphere ApplicationServer JVM produces a core error while attempting to resize the JVM heapduring a garbage collection.Workaround: Set both the minimum and maximum JVM heap sizes (Xms andXmx) to the same value.

Database server limitations, problems, and workaroundsYou might encounter these IBM Tivoli Identity Manager database server problems,and use these workarounds:v Problem: IBM Tivoli Identity Manager does not install on a Windows system

configured in the Russian language. Specifically, DB2 Universal Database cannotdetermine the Windows Administrator user if the user ID is spelled in Russian.Workaround: Before you attempt to start the IBM Tivoli Identity Managerinstallation program or the middleware configuration utility, open the operatingsystem user management utility and change the Russian spelling of the user″Administrator″ and the group ″Administrators″ to the English spelling. Try theinstallation again.

v Problem: IBM Tivoli Identity Manager does not work with SQL Server JDBCDriver 1.2 when FIPS is enabled.Workaround: disable FIPS. IBM Tivoli Identity Manager works with SQL ServerJDBC Driver 1.2 when FIPS is disabled. Microsoft has accepted this problem as adefect in the SQL Server 2005 JDBC driver 1.2.

Product overview 33

v Problem: IBM Tivoli Identity Manager does not work with SQL Server if thedatabase is case sensitive (CS).Workaround: Ensure that Microsoft SQL Server 2005 or at least the database isinstalled with the codepage set to case insensitive (CI).

Directory server limitations, problems, and workaroundsYou might encounter these IBM Tivoli Identity Manager directory server problems,and use these workarounds:v Problem: In some Linux environments, a potentially ignorable error message

might occur during a service profile import operation. You might observe thefollowing socket failure error message in the ibmslapd.log file on the IBM TivoliDirectory Server:07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).

Workaround: If either the Tivoli Identity Manager or the LDAP operationsucceeded, ignore these messages, which are written to the ibmslapd.log file, butdo not affect the requested operation. If the operation failed, contact TivoliIdentity Manager level 2 support for assistance.

v Problem: The LDAP server can hang after several days of continuous activity, orduring intervals with large numbers of concurrent users.Workaround: On the directory server, set the environment variableLDAP_WAITQ=NO before you start the LDAP server. Setting the value of LDAP_WAITQto NO changes the behavior of the LDAP server to use the version 6.0 method ofhandling requests. For more information, refer to APAR IO07991.

Directory Integrator limitations, problems, and workaroundsYou might encounter these IBM Tivoli Directory Integrator problems, and use theseworkarounds:v Problem: IBM Tivoli Directory Integrator Version 6.1 is known to stop under

heavy load from a high number of user deletion requests. For example,attempting to delete 1,000 or more users at a time can cause IBM TivoliDirectory Integrator to stop.Workaround: Try deleting fewer users at a time to avoid the problem. For moreinformation, refer to APAR IO09039.

Browser limitations, problems, and workaroundsYou might encounter these browser limitation, or browser problems, and use theseworkarounds:v Problem: When you click Manage Services > Select a Service, and then search

for a service, the Services table returns a list of services. If the hyperlinked nameof a service in the table is very long, the rightmost characters in the name mightoverrun the right column boundary in the table.Limitation: This is a browser limitation, in which a long service name will fail towrap within the column boundary.

v Problem: If you are using the Mozilla Version 1.7 browser, you can create asubordinate node, such as a Location, from the menu on the main Organizationnode. The new node appears under the main Organization node. However, ifyou collapse the main Organization, and then create a second node, such as anadditional Location, the Organization subtree expands in the display, but thesecond node does not appear in the tree.Workaround: Collapse the node for the Organization subtree, and then expand itagain. The additional node appears.

34 Product overview

v Problem: Using the Mozilla Version 1.7 browser, the last row of the Users tablemight overlap with the summary line after you reconcile a service and then listall the users of the service. For example, complete these tasks:1. Click Manage Services > Select a Service, and then click Search for available

services. In the Services table, select a service. Then, click Reconcile Now inthe popup menu.

2. After the reconciliation completes successfully, click Manage Users > Select aUser. Then, click Search for available users. Assuming there are sufficientusers to fill the table, the last row of the Users table overlaps the summaryline.

Limitation: This is a known limitation of the browser.v Problem: Using the Internet Explorer browser, when you intend to select the

Browse button in some activities, pressing the Enter key does not cause the nextaction to occur. For example, pressing Enter does not cause the Browse key todisplay a Choose File page during the reconciliation step of service creation.Workaround: Press the space bar instead the Enter key to select the Browsebutton. This is a known limitation of the browser.

v Problem: Display is blocked for security reasons if you attempt to open theAbout information page for IBM Tivoli Identity Manager using the InternetExplorer browser with Enhanced Security Configuration (ESC) enabled. TheAbout page provides the server name, product build number and date, andother product information.Workaround: To view the page, add the about:blank site to the browser’s list oftrusted sites. However, this is not recommended because adding about:blank asa trusted site will reduce the security of the system.

v Problem: When you are managing activities, and want to view and lock youractivities, a graphic image of a lock does not consistently appear adjacent to theactivity that you lock for IBM Tivoli Identity Manager, viewed with the Mozillabrowser at Version 1.7.x.Workaround: To view the lock symbol, open the browser to another tab, andthen return to the page on which you view locked activities.

v Problem: Clicking the Back button on the browser during data entry in the userinterface might cause a loss of the data that you enter. For example, clickingBack and then Forward causes data that you entered in fields to be lost.Limitation: Do not use the Back and Forward selections provided by thebrowser; use only the selections provided in the application window to navigatefrom one window to another.

v Problem: A user cannot open multiple browser sessions with the IBM TivoliIdentity Manager Server on the same system.Limitation: IBM Tivoli Identity Manager does not support using the samebrowser on the same machine to start multiple sessions with the server.

v Problem: The tab sequence for pages containing radio buttons is not alwayscorrect in Internet Explorer.Limitation: When tabbing to a group of radio buttons, focus should move to thecurrently selected radio button. However, in some cases, focus will incorrectlymove to the closest radio button in the group, rather than the currently selectedradio button.

v Problem: Using the Firefox browser, you might have difficulty selecting multipleitems in some selection boxes using the shift-down key combination. Oneexample is the Organizational Roles field located in the person form. Thisproblem does not occur on Internet Explorer.

Product overview 35

Workaround: Select multiple items by clicking items while holding down thecontrol (Ctrl) key, or by clicking shift-down quickly and repeatedly, or byselecting the first item and shift-clicking another item, which will select bothitems and all items in between.

v Problem: Using the Internet Explorer browser at version 6 with SP2, the Submitand Cancel buttons might become disabled when you enter an incorrect filename during data import and then attempt to import the file. For example, thismight occur when you click Configure System > Import Data and then attemptto upload a file that is not correctly specified. This problem does not occur witha Mozilla browser, or with a later version of Internet Explorer.Workaround: Repeat the operation, entering a valid name for the file that youwant to import.

v Problem: The title of the JavaScript dialog box appears as ″[JavaScriptApplication]″ instead of ″IBM IBM Tivoli Identity Manager 5.0″ when exiting outof the launchpad installer.Limitation: This is a known limitation with titles of JavaScript dialog boxeswhen using the Mozilla or Firefox browser. This issue does not occur onWindows operating systems.

v Problem: Internet Explorer 7, running on a non English Windows operatingsystem can render drop down list with truncated contents.Limitation: This is a known limitation that does not occur with the FireFoxbrowser or Internet Explorer running on English version operating systems.

Accessibility limitations, problems, and workaroundsYou might encounter these IBM Tivoli Identity Manager accessibility limitations, oraccessibility problems. If so, use these workarounds:v Problem: A separating symbol used as part of a breadcrumb between the trail of

tasks, which is the > character, is read as ″greater than″ by screen reader such asJAWS. The screen reader encounters the symbol when it reads a task title on awindow that IBM Tivoli Identity Manager provides. For example, the screenreader might read Home > View or Change Profile as the words ″Home greaterthan View or Change Profile.″Limitation: The use of the separator symbol > is coded as the greater thancharacter. An equivalent visual character that avoids causing a screen reader toread the symbol is not available in this release.

v Problem: No logout occurs when you tab to and then press ENTER on thelogout button, at the top right corner of the main IBM Tivoli Identity Managerconsole page.Additionally, a screen reader such as JAWS does not read the logout button as alink.Workaround: Press the Tab one additional time, before you press ENTER.Otherwise, the cell in which the logout button exists is selected, not the buttonitself. There is no workaround for a screen reader such as JAWS. However, avisually impaired person is unlikely to tab through all the frames. It is morelikely that the person will invoke a list of links (click Ins-F7) and select Log out.

v Problem: A screen reader such as JAWS reads read-only buttons as available onthe Mozilla Firefox browser. For example, the screen reader reads greyed outChange or Delete buttons as available. However, using Internet Explorer atVersion 6.0, service pack 2 or above, the screen reader correctly determines thatread-only buttons are unavailable.Limitation: For purposes of correctly reading unavailable buttons, the InternetExplorer browser reads correctly for visually-impaired users.

36 Product overview

v Problem: JAWS does not read file input fields correctly, using Internet Explorer.A file input consists of a text field and a browse button. Using Internet Explorer,JAWs reads both widgets when the focus is on the text field, but says nothingwhen the focus is on the Browse button. For example, the screen reader fails toread a Browse button, when it should read the button as ″Browse button, toactivate press spacebar.″These problems are not observed using the Mozilla FireFox browser.Limitation: For purposes of correctly reading empty fields and Browse buttons,the Mozilla FireFox browser reads correctly for visually-impaired users.However, other reading problems might exist, which are solved by a differentbrowser.

v Problem: A screen reader such as JAWS reads some fields such as schedulingstart and end date entry fields as though they were read-only, rather than fieldsthat allow selecting a new date from the calendar control. Additionally, a screenreader will read fields that are populated by a Search or a Browse button asread-only, rather than fields that can be changed by clicking Search or Browse.For example, if you select a person in the search results and then click OK, theprogram returns to the page that has the target field, and the name of theselected person now appears in the read-only text field. A similar problem isclicking Clear to clear the value in the read-only text field.Limitation: There is no workaround. The user must understand when to clickthe appropriate button from the additional information in page text or help thatis provided.

v Problem: Using the middle pane of the Form Designer applet, it is not possibleto use the keyboard to switch between the property dialog page and theattributes. For example, using Enter and Tab keys does not switch the focus.Workaround: Start your edit activity by clicking the launch in new page link.Because there are no level one (that is, main) headings on IBM Tivoli IdentityManager console pages, you cannot use the reading function that the FreedomScientific JAWS application provides. Users using screen readers should read thescreen using the paragraph, line, or full page reading functions of JAWS. Themost important frames that readers use include:– Task Switcher to switch between active tasks in the console.– Portfolio area to access the list of tasks to perform.– Work area, which is the current, active page.

v Problem: Occasionally, certain browser readers that are used by sight-impairedusers may read a control twice on a IBM Tivoli Identity Manager Version 5 pagein the graphical user interface. This occurs, for example, using the JAWS browserreader.Workaround: Ignore the second reading. The IBM Tivoli Identity ManagerVersion 5 graphical user interface does not have more than one control with thesame name on the same page.

Report limitations, problems, and workaroundsYou might encounter these IBM Tivoli Identity Manager report problems, and usethese workarounds.v Problem: After you perform a data synchronization and then run a report for

account operations with a status of Pending, the report does not show pendingrequests to create accounts.When the report runs, the actual service provisioning process is in apending/scheduled state and no account create process exists in workflowtables. The account create process is invoked when a scheduled service provision

Product overview 37

process runs. However, because there is no pending create account process in thecase of a scheduled account creation, the report is not able to capture thatprocess as a pending request in the report.Workaround: A partial workaround exists. To view account create requests forservice types other than Tivoli Identity Manager accounts, select Create accountas the request type and then select the root process type as ANY or serviceprovision process. Selecting ANY as root process type will show all accountcreation requests where root processes may be different from one another.

v Problem: After you install Japanese from the language pack, viewing a reportshows erroneous characters after selecting English at the Tivoli Identity Managerlogon. However, if you select Japanese as the language at the logon, the report iscorrectly displayed.Workaround: This problem occurs if you run a Japanese language report andhave set the locale to English, because the default English font does not supportDBCS characters. To view reports generated in a double-byte character set(DBCS) language, specify a font that is capable of displaying DBCS characters.This workaround applies for locales other than English when DBCS charactersare not supported by the respective font.Complete these tasks:1. Open the ITIM_HOME/data/enRoleFonts.properties file.2. Comment out the $LOCALE=$font_name line for the English font. For example,

if characters in the report are Japanese, and $LOCALE = en, comment outen=sans-serif.

3. Add a new line for the $LOCALE=$DBCS_character_support_font_name. Thefollowing fonts are supported:– Japanese– Simplified_Chinese– Traditional_Chinese– Korean

v Problem: For languages such as Arabic or Korean, the date and time dataremains in English, in reports formatted in Portable Document Format (PDF).Limitation: This is a Java limitation. The date and time format for Arabic andKorean languages are displayed incorrectly, based on their locale.

v Problem: Life cycle rule reports do not generate correctly. The life cycle ruleoperation appears to have root process of LC. In an account operation report, allaccount operations which are performed for the life cycle rule are displayed withthe root process as LC.Workaround: Change a statement and add a statement in theITIM_HOME/data/reportingLabels.properties file. Complete these steps:1. Open the ITIM_HOME/data/reportingLabels.properties file in any text editor.

If you have a language pack installed, the file that you edit is theITIM_HOME/data/reportingLabels_languagecode.properties file, wherelanguagecode is a locale-specific code, such as en for English.

2. Edit the following statement, replacing ls with lc.rootprocessview.type.ls=life Cycle Rule Execution

After the change, the line reads:rootprocessview.type.lc=life Cycle Rule Execution

For languages other than English, the language of the text following theequal sign will vary.

3. Add a new label by adding the following line:

38 Product overview

process.type.lc=Life Cycle Rule Execution

For languages other than English, the language of the text following theequal sign will vary.

4. Save the file and quit the text editor.5. Run the report again.

v Problem: The CrystalTestWAS script indicates a connectivity problem betweenthe IBM Tivoli Identity Manager Server machine and the Crystal Enterprisemachine. More specifically, the CrystalTestWAS.sh script runs from a UNIXsetup that hosts the Tivoli Identity Manager Server fails to connect to the CrystalManagement server installed on a Windows machine. The error is similar to thismessage:com.crystaldecisions.enterprise.ocaframework.OCAFrameworkException$AllServersDown:All the servers with CMS, cluster and kind cms are down or disabled

As a result of this error, Crystal Reports can not be executed from Tivoli IdentityManager, and Tivoli Identity Manager also cannot import new Crystal Reporttemplates.Workaround: If the connection type of the Crystal Enterprise user(crystalEnterpriseUser property in the ITIM_HOME/data/crystal.propertiesfile) is chosen as Concurrent User, the access to the Crystal Enterprise systemfor the concurrent user will depend on the number of other users that arecurrently connected to the Crystal system. This sometimes leads to a situation inwhich the Crystal Enterprise user used by Tivoli Identity Manager is unable toconnect to the Crystal system because of a connection limit being reached at theCrystal server. As a result, this type of error may appear while running theCrystalTestWAS script.Complete these steps:1. Log on to the Windows system where Crystal Enterprise 10 system is

installed. Click Start → Programs → Crystal Enterprise 10 → CrystalConfiguration Manager. A page listing all the Crystal Report services isopened. Select all the services that are currently running, and restart them.

2. Log on to the UNIX system that hosts Tivoli Identity Manager as thenon-root Crystal user that was used to install Crystal Enterprise clientcomponents on the UNIX system. Go to the directory of client components(crystalHome property in the ITIM_HOME/data/crystal.properties file), andrun env.sh.

3. Make sure that all the properties specified in the ITIM_HOME/data/crystal.properties file are correct.

4. Run the ITIM_HOME/bin/unix/CrystalTestWAS.sh script again.v Problem: Generating a Tivoli Common Reporting Server Approval and

Rejections report might have performance problems when large amounts of dataare involved.Limitation: This is a know limitation when using ″like″ in the query.

Other limitations, problems, and workaroundsYou might encounter these additional problems, and use these workarounds:v Problem: When high contrast is enabled on Windows XP, the display of the IBM

Tivoli Identity Manager workflow designer applet is not reformatted to the highcontrast scheme. When you turn on High Contrast, the applet window outline isconverted to high contrast. However, the interior fields of the applet display donot match the high contrast changes.Workaround: Refresh the browser to reload the workflow designer, which willupdate the applet with the high contrast settings.

Product overview 39

v Problem: Active users experience unexpected results when the date and time ischanged on the operating system on which IBM Tivoli Identity Manager isinstalled.Workaround: As an administrator, if you change the date and time on theoperating system on which IBM Tivoli Identity Manager is installed, alwaysensure that no users are currently logged into the IBM Tivoli Identity ManagerServer. Users that are logged on can experience unpredictable results if thechange is significant.

v Problem: The help panel for the user advanced search displays additional fields.Limitation: The help panel displays information about additional fields that arenot displayed on the search page. These fields are specific to an LDAP accountand can be added using the Add another search filed link.

Note: The Account type information incorrectly states that the type cannot bechanged. The account type can be changed.

v Problem: The help panel for the Form designer interface page lists TungstenTheme as the default menu theme.Limitation: The correct name is Default Theme.

v Problem: The contextual help for the Separation of Duty Policy Violations pageindicates that there is a Person Name column in the policy table. However, thetable does not include that column.Limitation: This is a known limitation in the contextual help content.

Technical overviewYou can use IBM Tivoli Identity Manager to manage the identity records thatrepresent people in a business organization. This section introduces the productarchitecture and main components.

Tivoli Identity Manager is an identity management solution that centralizes theprocess of provisioning resources, such as provisioning accounts on operatingsystems and applications to users.

Tivoli Identity Manager gives you the ability to add business processes andsecurity policies to basic user management, including approvals for user requeststo access resources. In addition, Tivoli Identity Manager provides a uniform way tomanage user accounts and to delegate administration, including self-service and ahelp desk user interface.

Users, authorization, and resourcesAn administrator uses the entities that IBM Tivoli Identity Manager provides forusers, authorization, and resources to provide both initial and ongoing access in achanging organization.

40 Product overview

IdentitiesAn identity is the subset of profile data that uniquely represents a personin one or more repositories, and includes additional information related tothe person.

AccountsAn account is the set of parameters for a managed resource that definesyour identity, user profile, and credentials.

Users A user is an individual who uses IBM Tivoli Identity Manager to managetheir accounts.

Access control itemsAn access control item is data that identifies the permissions that usershave for a given type of resource. You create an access control item thatallows you to specify a set of operations and permissions, and thenidentify which groups use the access control item.

GroupsA group is used to control user access to functions and data in IBM TivoliIdentity Manager. Membership in a IBM Tivoli Identity Manager groupprovides a set of default permissions and operations, as well as views, thatgroup members need.

PoliciesA policy is a set of considerations that influence the behavior of a managedresource (called a service in IBM Tivoli Identity Manager) or a user. Apolicy represents a set of organizational rules and the logic that IBM TivoliIdentity Manager uses to manage other entities, such as user IDs, andapplies to a specific managed resource as a service-specific policy.

AdaptersAn adapter is a software component that provides an interface between amanaged resource and the IBM Tivoli Identity Manager Server.

ServicesA service represents a managed resource, such as an operating system, adatabase application, or another application that IBM Tivoli IdentityManager manages. For example, a managed resource might be a LotusNotes® application. Users access these services by using an account on theservice.

Identities

Accounts Accesscontrolitem

Service

Users

Group

Identitypolicy Adapter

Passwordpolicy

Otherpolicies

Workflow

People Authorization Workflows/policies Resources

Figure 1. Users, authorization, and resources

Product overview 41

Main componentsMain components in the IBM Tivoli Identity Manager solution include the IBMTivoli Identity Manager Server and required and optional middleware components,including adapters that provide an interface to managed resources.

In a cluster configuration, main components include:

For more information on configuration alternatives, refer to the IBM Tivoli IdentityManager Installation and Configuration Guide.

Components include:

Database server productsIBM Tivoli Identity Manager stores transactional and historical data in adatabase server, a relational database that maintains the current andhistorical states of data.

Directory server productsIBM Tivoli Identity Manager stores the current state of the managedidentities in an LDAP directory, including user account and organizationaldata.

IBM Tivoli Directory IntegratorIBM Tivoli Directory Integrator synchronizes identity data residing indifferent directories, databases, and applications. IBM Tivoli DirectoryIntegrator synchronizes and manages information exchanges betweenapplications or directory sources.

WebSphere Application ServerWebSphere Application Server is the primary component of the WebSphereenvironment. WebSphere Application Server runs a Java virtual machine,providing the runtime environment for the application code. Theapplication server provides communication security, logging, messaging,and Web services.

WebSphere Application Server Network DeploymentTivoli Identity Manager cell

Tivoli Identity Manager cluster

Application ServerTivoli Identity Manager ServerJDBC driver

}}

}IBM HTTP ServerWebSphere Web

Server plug-in

Deployment ManagerJDBC driver}

Tivoli Identity Managerdatabase

LDAPdata store

Figure 2. Main components

42 Product overview

HTTP server and WebSphere Web Server plug-inAn HTTP server provides administration of IBM Tivoli Identity Managerthrough a client interface in a web browser. IBM Tivoli Identity Managerrequires the installation of a WebSphere Web Server plug-in with the HTTPserver. The WebSphere Application Server installation program canseparately install both the IBM HTTP Server and WebSphere Web Serverplug-in.

IBM Tivoli Identity Manager adaptersAn adapter is a software component that provides an interface between amanaged resource and IBM Tivoli Identity Manager. An adapter functionsas a trusted virtual administrator for the managed resource, performingsuch tasks as creating accounts, suspending accounts, and other functionsthat administrators typically perform.

People overviewPeople, such as employees and contractors, need to use the resources that anorganization provides. A person who has a IBM Tivoli Identity Manager account isa IBM Tivoli Identity Manager user.

Users need different degrees of access to resources for their work. Some users needto use a specific application. Other users need to administer the system that linksusers to the resources that their work requires.

IBM Tivoli Identity Manager manages users’ identities (user IDs), accounts, accessentitlements on those accounts, and user credentials such as passwords.

UsersA person who is managed by IBM Tivoli Identity Manager is a user; a user whohas a IBM Tivoli Identity Manager account is called a IBM Tivoli Identity Manageruser, and can use IBM Tivoli Identity Manager to manage their accounts orperform other administrative tasks.

Users need different degrees of access to resources for their work. Some users needto use a specific application. Other users need to administer the system that linksusers to the resources that their work requires. A IBM Tivoli Identity Manager useris assigned to a specific group that provides access to specific views and allows theuser to perform specific tasks in IBM Tivoli Identity Manager .

As an administrator, you create users either by importing identity records or byusing IBM Tivoli Identity Manager .

IdentitiesAn identity is the subset of profile data that uniquely represents a person or entityand that is stored in one or more repositories.

For example, an identity might be represented by the unique combination of aperson’s first, last (family) name, and full (given) name, and employee number. Anidentity profile might also contain additional information such as phone numbers,manager, and e-mail address.

AccountsAn account is the set of parameters for a managed resource that defines anidentity, user profile, and credentials.

Product overview 43

An account defines login information (your user ID and password, for example)and access to the specific resource with which it is associated.

In IBM Tivoli Identity Manager, accounts are created on services, which representthe managed resources such as operating systems (UNIX), applications (LotusNotes), or other resources.

Accounts are either active or inactive. Accounts must be active to log in to thesystem. An account becomes inactive when it is suspended, which might occur if arequest to recertify your account usage is declined and the recertification action issuspend. Suspended accounts still exist, but they cannot be used to access thesystem. System administrators can restore and reactivate a suspended account aslong as the account has not been deleted.

AccessAccess is your ability to use a specific resource, such as a shared folder or anapplication.

In IBM Tivoli Identity Manager, access can be created to represent access to accesstypes such as shared folders, applications (such as Lotus Notes), e-mail groups, orother managed resources.

An access differs from an account in that an account is a form of access; an accountis access to the resource itself.

Access is the permission to use the resource, and access entitlement defines thecondition that grants access to a user with a set of attribute values of a user’saccount on the managed resource. In IBM Tivoli Identity Manager, an access isdefined on an existing group on the managed service. In this case, the access isgranted to a user by creating an account on the service and assigning the user tothe group. Access entitlement can also be defined as a set of parameters on aservice’s account that uses a provisioning policy.

When a user requests new access, by default an account is created on that service.If an account already exists, the account is modified to fulfill the accessentitlement, for example by assigning the account to the group that grants accessto an access type. If one account already exists, the account is associated with theaccess. If multiple accounts already exist, you must select the user ID of theaccount to which you wish to associate your access.

An access is often described in terms that can be easily understood by businessusers.

PasswordsA password is a string of characters that is used to authenticate a user’s access to asystem. A user ID and password are the two elements that grant access to asystem.

As an administrator, you can manage user passwords and the passwords that areset for the users that are used by IBM Tivoli Identity Manager .

Forgotten password information:

When a user forgets a IBM Tivoli Identity Manager password and needs to reset it,the user must verify his or her credentials with the system. To do so, the userresponds to a set of forgotten password questions with answers that the user

44 Product overview

previously specified. The answer that the user types must match exactly what thatuser typed when he or she defined that answer, including the case of the letters.

As the system administrator, you define how many questions must be answered,and whether the questions are predefined.v If you predefine the forgotten password questions, the user will need to specify

only the answers.v If you do not predefine the questions, the user must specify both the forgotten

password questions and the answers.

If the system configuration changes, for instance from undefined questions topredefined questions, the user will need to specify new forgotten passwordquestions and answers.

Password synchronization:

Password synchronization is the process of assigning and maintaining onepassword for all accounts that a user owns, which reduces the number ofpasswords that a user must remember.

You can configure the system to automatically synchronize passwords for allaccounts owned by a user. Then, the user only has to remember one password. Forexample, a user has two accounts: a IBM Tivoli Identity Manager account and aLotus Notes account. If the user changes or resets the password for the IBM TivoliIdentity Manager account, the Lotus Notes password is automatically changed tothe same password as the IBM Tivoli Identity Manager password. Passwordsmight also be synchronized when you provision an account or restore a suspendedaccount.

If password synchronization is enabled, a user cannot specify different passwordsfor his or her accounts.

Note: When you provision an account or restore an account that was suspended,you must specify a password for the account. If password synchronization isenabled, you are not prompted for a password. Instead the account isautomatically given the same password as the user’s existing accounts.

Password strength rules:

A password strength rule is a rule or requirement to which a password mustconform. For example, password strength rules might specify that the minimumnumber of characters of a password must be five and the maximum number ofcharacters must be ten.

You can define password strength rules in a password policy.

Resources overviewResources are the applications, components, processes, and other functions thatusers need to complete their work assignments.

IBM Tivoli Identity Manager uses a service to manage user accounts and access toresources by using adapters to provide trusted communication of data between theresources and IBM Tivoli Identity Manager.

Product overview 45

ServicesA service represents a managed resource, such as an operating system, a databaseapplication, or another application that IBM Tivoli Identity Manager manages. Forexample, a managed resource might be a Lotus Notes application.

Users access these services by using an account on the service.

Services are created from service types, which represent a set of managed resourcesthat share similar attributes. For example, there is a default service type thatrepresents Linux machines. These service types are either installed by default whenIBM Tivoli Identity Manager is installed, or they are installed when you import theservice definition files for the adapters for those managed resources.

Accounts on services identify the users of the service. Accounts contain the loginand access information of the user and allow the use of specific resources.

Most services use IBM Tivoli Identity Manager to provision accounts, whichusually involves some workflow processes that must be completed successfully.However, manual services generate a work order activity that defines the manualintervention that is required to complete the request or to provision the account forthe user.

A service owner owns and maintains a particular service in IBM Tivoli IdentityManager. A service owner should be either a person or a static organizational role.In case of a static organizational role, all the members of the organizational role areconsidered service owners. If that static organizational role contains other roles,then all members of those roles are also considered service owners.

Service types:

A service type is a category of related services that share the same schemas. Itdefines the schema attributes that are common across a set of similar managedresources.

Service types are used to create services for specific instances of managedresources. For example, you might have several Lotus® Domino® servers that usersneed access to; you might create one service for each Lotus Domino server usingthe Lotus Domino service type.

Service prerequisite:

If a service has another service defined as a service prerequisite, a user can onlyreceive a new account if they have an existing account on the service prerequisite.

For example, Service B has a service prerequisite, Service A. If a user requests anaccount on Service B, in order to receive an account, the user must first have anaccount on Service A.

Service definition file:

A service definition file, which is also known as an adapter profile, defines the type ofmanaged resource that IBM Tivoli Identity Manager can manage. The servicedefinition file creates the service types on the IBM Tivoli Identity Manager Server.

The service definition file is a JAR file that contains the following information:

46 Product overview

v Service information, including definitions of the user provisioning operationsthat can be performed for the service, such as add, delete, suspend, or restore.

v Service provider information, which defines the underlying implementation ofhow the IBM Tivoli Identity Manager Server communicates with the managedresource. Valid service providers are Tivoli Directory Integrator and DSMLv2.

v Schema information, including the LDAP classes and attributes.v Account forms and service forms, along with a properties file for accounts and

supporting data such as service groups that defines the labels for the attributeson these forms, which are displayed in the user interface for creating servicesand requesting accounts on those services.

Manual services:

A manual service is a type of service that requires manual intervention to completethe request. For example, a manual service might be defined for setting up voicemail for a user.

Manual services generate a work order activity that defines the manualintervention that is required.

You might create a manual service when IBM Tivoli Identity Manager does notprovide an adapter for a managed resource for which you want to provisionaccounts.

When you create a manual service, you add new schema classes and attributes forthe manual service to your LDAP directory.

AdaptersAn adapter is a software component that provides an interface between a managedresource and IBM Tivoli Identity Manager.

An adapter functions as a trusted virtual administrator for the managed resource,performing such tasks as creating accounts, suspending accounts, and otherfunctions that administrators typically perform.

An adapter consists of the service definition file and the executable code formanaging accounts.

Adapters are deployed in one of two ways:

Agent-based adapterAn agent-based adapter must reside on the managed resource, in order toadminister accounts. For example, the Lotus Notes adapter for AIX® is anagent-based adapter.

Agentless adapterAn agentless adapter can reside on a remote server, in order to administeraccounts. For example, the UNIX/Linux adapter is an agentless adapter.

Adapters are created from one of two technologies:

Adapter Development Kit (ADK)Adapters that are created using the ADK are either agent-based adapters oragentless adapters. The ADK is the base component of the adapters andcontains the runtime library, filtering and event notification functionality,protocol settings, and logging information. The ADK is the same across theadapters.

Product overview 47

IBM Tivoli Directory IntegratorAdapters that are created using IBM Tivoli Directory Integrator are eitheragent-based or agentless adapters. These adapters are implemented asassembly lines, each of which is a single path of data transfer andtransformation. IBM Tivoli Directory Integrator can pass data from oneassembly line to the next assembly line.

Several agentless adapters are automatically installed when you install IBM TivoliIdentity Manager. You can install additional agentless or agent-based adapters.

Adapter communication with managed resourcesCommunication between IBM Tivoli Identity Manager and managed resources hasseveral solutions.

Linux and UNIX managed resources use agentless adapters that are created usingIBM Tivoli Directory Integrator. Other managed resources use ADK adapters.

Figure 3 illustrates how communication links between software products andcomponents can be configured.

System security overviewAn organization has critical needs to control user access, and to protect sensitiveinformation.

WebSphereApplicationServer

Webbrowser

UNIXmanagedresource

LDAPmanagedresource

TivoliIdentityManagerServer

Otheradapters

TivoliDirectoryIntegrator

SSL

SSL

SSH

SSH

SSL

Adapter

= One-way or two-way SSL

= Secure Shell protocol

KEY:

SSLS

SL

SSL

Figure 3. Secure communication in the IBM Tivoli Identity Manager environment

48 Product overview

Given agreement on security requirements for business needs, a systemadministrator configures the groups, views, access control items, and forms thatIBM Tivoli Identity Manager provides for security of its data.

Security model characteristicsAn organization defines a security model to meet its business needs. The modelserves as a basis to define the requirements and actual implementation of asecurity system.

Some characteristic objectives of a security model include:v Verifying the identity of users, provided by authentication systems that include

password strength and other factors.v Enabling authorized users to access resources, provided by authorization

systems that define request or role-based processes, and related provisioning.Resources, for example, include accounts, services, user information, and IBMTivoli Identity Manager functions.A security model also requires additional provisioning processes to select theresources that users are permitted to access.

v Administering which operations and permissions are granted for accounts andusers.

v Delegating a user’s list of activities to other users, on a request or assignmentbasis.

v Protecting sensitive information, such as user lists or account attributes.v Ensuring the integrity of communications and data.

Business requirementsA business needs agreement on its security requirements before implementing theprocesses that IBM Tivoli Identity Manager provides.

For example, requirement definitions might answer these questions:v What groups of IBM Tivoli Identity Manager users are there?v What information does each user group need to see?v What tasks do the users in each group need to do?v What roles do users perform in the organization?v Which access rights need definition?v What working relationships exist that require some users to have different

authority levels?v How can prevention and auditing provide remedies for activity that does not

comply with established policies?

To meet common business needs, a business might frequently have several groups,such as a manager, a help desk assistant, an auditor group, and customized groupsthat perform a more expanded or limited set of tasks.

Resource access from a user’s perspectiveTo provide security of data for a user who works within a range of tasks onspecific business resources, IBM Tivoli Identity Manager might provide one ormore roles, and membership in one or more groups.

For example, a user in a business unit often has a title, or role that has aresponsibility, such as buyer. The user might also be a member of a group thatprovides a view of tasks that the user can do, such as regional purchasing, asillustrated in Figure 4 on page 50:

Product overview 49

Each role has a related provisioning policy and workflow to grant the user toaccess one or more resources, such as accounts.

Each group has a view of specific tasks, and one or more access control items thatgrant specific operations and permissions to perform the tasks. By using a formdesigner applet, you can also modify the user interface that a user sees, perhapsremoving unnecessary fields for account, service, or user attributes.

Groups:

A group is used to control user access to functions and data in IBM Tivoli IdentityManager.

Group members have an account on the IBM Tivoli Identity Manager service.Membership in an IBM Tivoli Identity Manager group provides a set of defaultpermissions and operations, as well as views, that group members need. Your sitemight also create customized groups.

Additionally, some users might be members of a service group that grants specificaccess to a certain application or other functions. For example, a service groupmight have members that work directly with data in an accounting application.

Predefined groups, views, and access control items:

IBM Tivoli Identity Manager provides predefined groups, which have associatedviews and access control items.

Two user interfaces, or consoles, are available:v Self-service console for all users, for self-care activities such as changing personal

profile information, such as a telephone number.v Administrative console, for selected users who belong to one or more groups

that enable a range of administrative tasks.

Figure 4. Securing data for user access to resources

50 Product overview

A IBM Tivoli Identity Manager user with no other group membership has a basicprivilege to use IBM Tivoli Identity Manager.

This set of users need only a self-service console for self-care capabilities. The usersare not in a labeled ″group″ such as a Help Desk Assistant group.

The predefined groups are associated with predefined views and access controlitems, to control what members can see and do, as illustrated in Figure 5

The predefined groups are:

AdministratorThe administrator group has no limits set by default views or accesscontrol items and can access all views and perform all operations in IBMTivoli Identity Manager. The first system administrator user is named ″itimmanager″.

AuditorMembers of the auditor group can request reports for audit purposes.

Help Desk AssistantMembers of the Help Desk Assistant group can request, change, suspend,restore, and delete accounts. Members can request, change, and deleteaccess, and also can reset others’ passwords, profiles, and accounts.Additionally, members can delegate activities for a user.

ManagerMembers of the Manager group are users who manage the accounts,profiles, and passwords of their direct subordinates.

Service OwnerMembers of the Service Owner group manage a service, including the useraccounts and requests for that service.

Views:

Figure 5. Predefined groups, views, and access control items

Product overview 51

A view is a set of tasks that a particular type of user can see, but not necessarilyperform, on the graphical user interface. For example, it is a task portfolio of theeveryday activities that a user needs to use IBM Tivoli Identity Manager.

On both the self-service console and the administrative console, you can specifythe view that a user sees.

Access control items:

An access control item is data that identifies the permissions that users have for agiven type of resource. You create an access control item that allows you to specifya set of operations and permissions, and then identify which groups use the accesscontrol item.

An access control item defines these items:v The entity types to which the access control item appliesv Operations that users might perform on entity typesv Attributes of the entity types that users might read or writev The set of users that are governed by the access control item

IBM Tivoli Identity Manager provides default access control items.

You can also create a customized access control item that allows you to specify aset of operations and permissions, and then identify which groups are governed bythe access control item. For example, a customized access control item might limitthe ability of a specific Help Desk Assistant group to change information for otherusers. Access control items can also specify relationships such as Manager orService Owner.

When you create customized reports, you must also manually create report accesscontrol items and entity access control items for the new report, to permit userswho are not administrators, such as auditors, to run and view data in the customreport.

After you create an access control item or change an existing access control item,run a data synchronization to ensure that other Tivoli Identity Manager processes,such as the reporting engine, use the new or changed access control item.

Forms:

A form is a user interface window that is used to collect and display values foraccount, service, or user attributes.

IBM Tivoli Identity Manager includes a form designer, which runs as a Java applet,that you use to modify existing user, service and account forms. For example, youmight add the fax number attribute and an associated entry field to capture thatnumber for a particular account, or you might remove an account attribute thatyour organization does not want a user to see. If you remove an attribute from aform, it is completely removed; that is, even system administrators cannot see theattribute.

You can only see those attributes that are on the form and that you have read orwrite access to (as granted by access control items). Using the form designer, youcan also customize forms for other elements in the organization tree, such aslocation or organization unit.

52 Product overview

Organization tree overviewBusiness organizations have a variety of configurations that contain theirsubordinate units, including services and employees.

For a given set of business needs, you can configure IBM Tivoli Identity Managerto provide a hierarchy of services, organizations, users, and other elements in atree that corresponds to the needs of a user population.

Note: This release provides enhanced menus to search for a specific user, but not agraphic organization tree for that purpose.

In this release, you cannot browse and create entities by navigating theorganization tree. The association to a business unit within the organization tree isspecified during the creation of the entity.

Nodes in an organization treeAn organization tree has nodes that include organizations and subordinatebusiness units, as well as other elements.

An organization tree can have these nodes:

OrganizationIdentifies the top of an organizational hierarchy, which might containsubsidiary entities such as organization units, business partnerorganization units, and locations. The organization is the parent node atthe top of the node tree.

Organization UnitIdentifies a subsidiary part of an organization, such as a division ordepartment. An organization unit can be subordinate to any othercontainer, such as organization, organization unit, location, and businesspartner organization.

Business Partner Organization UnitIdentifies a business partner organization, which is typically a companyoutside your organization that has an affiliation, such as a supplier,customer, or contractor.

LocationIdentifies a container that is different geographically, but contained withinan organization entity.

Admin DomainIdentifies a subsidiary part of an organization as a separate entity with itsown policies, services, and access control items, including an administratorwhose actions and views are restricted to that domain.

Entity types associated with a business unitDifferent types of entities can be associated with a business unit in an organizationtree.

The association to a business unit is specified when the entity is created. Normally,an entity can not change the business unit association after it is created. The onlyexception is the User entity. IBM Tivoli Identity Manager supports the transfer ofusers between different business units.

The following entity types can be associated to a business unit in the organizationtree:

Product overview 53

v Userv ITIM groupv Servicev Rolev Identity policyv Password policyv Provisioning policyv Service selection policyv Recertification policyv Account and access request workflowv Access control item

Entity searches of the organization treeThis release provides menus to search for a specific user, but not a graphicorganization tree to navigate to locate a specific user.

To locate a specific user using search menus, use the advanced search filter tosearch by user type such as Person or Business Partner Person. In the search, youcan also select a business unit and its subunits, and the status of the user, such asActive. Additionally, you can add other fields to qualify the search, including anLDAP filter statement.

Policies overviewA policy is a set of considerations that influence the behavior of a managedresource (called a service in IBM Tivoli Identity Manager) or a user.

A policy represents a set of organizational rules and the logic that Tivoli IdentityManager uses to manage other entities, such as user IDs, and applies to a specificmanaged resource as a service-specific policy.

Tivoli Identity Manager enables your organization to use centralized securitypolicies for specified user groups. You can use Tivoli Identity Manager policies tocentralize user access for disparate resources in an organization and implementadditional policies and features that streamline operations associated with users’access to resources.

Tivoli Identity Manager supports the following types of policies:v Adoption policiesv Identity policiesv Password policiesv Provisioning policiesv Recertification policiesv Separation of duty policiesv Service selection policies

A policy can apply to one or multiple service targets, which can be identifiedeither by a service type or by listing the services explicitly. These policies do notapply to services that represent identity feeds.v Adoption policies apply to services. A global adoption policy applies to all

services of a service type.

54 Product overview

v Identity policies, password policies, and provisioning policies can apply to allservice types, all services of a service type, or specific services.

v Recertification policies cannot act on all service types, but you can add all thedifferent services for a specific recertification policy.

v Separation of duty policies do not apply directly to service types, and applyonly to role membership for users.

v Service selection policies apply to only one service type.

Policy types and navigation

Table 12. Policy types and navigation

Type of policy Navigation

Adoption Manage Policies > Manage AdoptionPolicies

Identity Manage Policies > Manage Identity Policies

Password Manage Policies > Manage PasswordPolicies

Provisioning Manage Policies > Manage ProvisioningPolicies

Recertification Manage Policies > Manage RecertificationPolicies

Separation of duty Manage Policies > Manage Separation ofDuty Policies

Service selection Manage Policies > Manage ServiceSelection Policies

Account defaults

Account defaults define default values for an account during new account creation.The default can be defined at the service type level that applies to all services ofthat type, or at the service level, which only applies to the service.

Policy enforcement

Global policy enforcement is the manner in which Tivoli Identity Manager globallyallows or disallows accounts that violate provisioning policies.

When a policy enforcement action is global, the policy enforcement for any serviceis defined by the default configuration setting. You can specify one of the followingpolicy enforcement actions to occur for an account that has a noncompliantattribute.

Note: If a service has a specific policy enforcement setting, that setting is appliedto the noncompliant accounts. The global enforcement setting does not apply.Policy enforcement can also be set for a specific service.

Mark The existing user account on the old service is marked as disallowed, anda new account is not created on the new service.

SuspendThe existing user account on the old service instance is suspended, and anew account is not created on the new service.

Alert An alert is sent to the recipient administrator to confirm removal of the old

Product overview 55

account on old services, and a new account is created on new service if theuser does not have account on new service, and entitlement is automatic.

CorrectExisting accounts are removed on the old service, and a new account iscreated on new service if the user does not have account on new serviceand entitlement is automatic.

To work with global policy enforcement, go to the navigation tree and selectConfigure System > Configure Global Policy Enforcement.

Note: To set service policy enforcement, go to the navigation tree and selectManage Services.

Workflow overviewA workflow defines a sequence of activities that represent a business process. Youcan use workflows to customize account provisioning and access provisioning, andlifecycle management.

A workflow is a set of steps or activities that define a business process. You canuse the IBM Tivoli Identity Manager workflows to customize account provisioningand lifecycle management. For example, you can add approvals and informationrequests to account or access provisioning processes, and you can integratelifecycle management processes (such as adding, removing, and modifying peopleand accounts in Tivoli Identity Manager) with external systems.

Tivoli Identity Manager provides these major types of workflows:

Operation workflowsUse operation workflows to customize the lifecycle management ofaccounts and people, or a specific service type, such as all Linux systems.

Operation workflows add, delete, modify, restore, and suspend systementities, such as accounts and people. You can also add new operationsthat your business process requires, such as approval for new accounts. Forexample, you might specify an operation workflow that defines activitiesto approve the account, including notifications and manager approvals.

Account request and access request workflowsUse account request and access request workflows to ensure that resourcessuch as accounts or services are provisioned to users according to thebusiness policies of your organization.

Note: The term entitlement workflow was previously used for this workflowtype in Tivoli Identity Manager Version 4.6.v An account request workflow can be bound to an entitlement for an access

or an account.In provisioning policies, an entitlement workflow for accounts addsdecision points to account requests, such as adding or modifying anaccount. If the request is approved, the processing continues; if therequest is rejected, the request is cancelled.The account request workflow is invoked during account provisioningrequests, including adding and modifying an account, made by a TivoliIdentity Manager user or made during account auto provisioning. Anaccount request workflow can be also invoked during an access requestif there is no access request workflow defined.

56 Product overview

v An access request workflow is bound to an access by the access definition,rather than by a provisioning policy. This workflow can specify the stepsand approvals that authorize access to resources in a request.The access request workflow is invoked only for access requests that aremade by a Tivoli Identity Manager user, but not if the access isprovisioned for the user as a result of an external or internal accountrequest. An external account request is an account request made by aTivoli Identity Manager user. An internal account request is an accountrequest made by the Tivoli Identity Manager system; for example, anauto account provisioning which gives the user a default or mandatorygroup that maps to an access.

Features overviewIBM Tivoli Identity Manager delivers simplified identity management capabilitiesin a solution that is easy to install, deploy, and manage.

IBM Tivoli Identity Manager provides essential password management, userprovisioning, and auditing capabilities.

Improved user interfaceIBM Tivoli Identity Manager introduces a new dual user interface that shows usersonly what they need to do their job.

The interfaces are separate and users access them through different Web addresses.IBM Tivoli Identity Manager has two types of user interfaces, a self-care interfaceand an administrative console interface.

Self-care user interfaceThe self-care user interface provides a simpler subset of personal tasks thatapply only to the user.

Administrative console user interfaceThe administrative console user interface provides an advanced set ofadministrative tasks, and has new multitasking capabilities.

Administrative console user interfaceThe administrative console provides a powerful set of tools for managing theorganization.

Persona-based console customization

The administrative console user interface contains the entire set ofadministrative tasks, such as managing roles, policies, and reports. Thispersona-based console provide sets of tasks, each tailored for the needs ofthe default administrative user types:v System administratorv Service ownerv Help desk assistantv Auditorv Manager

System administrators can easily customize which tasks the different typesof users can perform. To control user access to accounts and tasks, for

Product overview 57

example, use a default set of user groups, access control items, and views.You can also customize user access by defining additional user groups,views, and access control items.

Multitasking control

Wizards within the administrative console user interface expedite theadministrative tasks of adding users, requesting accounts, and creatingnew services. The administrator can concurrently manage several tasks.

Advanced search capability

The administrative console user interface also provides a powerfuladvanced search feature.

Self-care user interfaceUsing the IBM Tivoli Identity Manager self-care interface, users can update theirpersonal information and passwords, view requests, complete and delegateactivities, and request and manage their own accounts and access.

The self-care user interface provides a central location for users to perform avariety of simple, intuitive tasks.

From the self-care home page, the following task panels are available, dependingon the authority the system administrator has granted.

Action NeededA list of tasks that require completion.

My PasswordA list of tasks to change passwords. If password synchronization isenabled, users can enter one password that is synchronized for all of theiraccounts. A user can reset a forgotten password by successfully respondingto forgotten password questions, if forgotten password information isconfigured in the system.

My AccessA list of tasks to request and manage access to folders, applications, roles,and other resources.

My ProfileA list of tasks to view or update personal information.

My RequestsA list of tasks to view requests that a user has submitted.

My ActivitiesA list of activities that require user action. Users can also delegateactivities.

RecertificationIBM Tivoli Identity Manager Server recertification simplifies and automates theprocess of periodically revalidating users, accounts and accesses.

The recertification process automates validating that users, accounts and accessesare still required for a valid business purpose. The process sends recertificationnotification and approval events to the participants that you specify.

58 Product overview

ReportingIBM Tivoli Identity Manager reports reduce the time to prepare for audits andprovide a consolidated view of access rights and account provisioning activity forall managed people and systems.

A report is a summary of IBM Tivoli Identity Manager activities and resources. Youcan generate reports based on requests, user and accounts, services, or audit andsecurity.

Report data is staged through a data synchronization process, which gathers datafrom the IBM Tivoli Identity Manager directory information store and prepares itfor the reporting engine. Data synchronization can be run on demand, or it can bescheduled to occur regularly.

The following categories of reports are available:

RequestsReports that provide workflow process data, such as account operations,approvals, and rejections.

User and AccountsReports that provide user and accounts data, such as individual access andaccounts, pending recertifications, and suspended individuals.

ServicesReports that provide service data, such as reconciliation statistics, list ofservices, and summary of accounts on a service.

Audit and SecurityReports that provide audit and security data, such as access controlinformation, audit events, and noncompliant accounts.

Static and dynamic rolesIBM Tivoli Identity Manager provides static and dynamic roles.

In static organizational roles, assigning a person to a static role is a manualprocess.

In the case of a dynamic role, the scope of access can be to an organizational unitonly, or to the organizational unit and its subunits. Dynamic organizational rolesuse valid LDAP filters to set a user’s membership in a specific role. For example, adynamic role might use an LDAP filter to provide access to specific resources tousers who are members of an auditing department named audit123. For example,type:(departmentnumber=audit123)

Dynamic organizational roles are evaluated at the following times:v When a new user is created in the Tivoli Identity Manager systemv When a user’s information, such as title or department membership, changesv When a new dynamic organizational role is created

Self-access managementIBM Tivoli Identity Manager allows users and administrators the ability to requestand manage access to resources such as shared folders, email groups, orapplications.

Product overview 59

Access differs from an account. While an account exists as an object on a managedservice, an access is an entitlement to use a resource, such as a shared folder, onthe managed service. The ability to access a resource is based on the attributes ofthe group to which the user account belongs. The user’s access to a resource istherefore dependent on the account and its group mapping. When an account issuspended, their access becomes inactive; similarly, when an account is restored,their access becomes active again. When an account is deleted, access to theresource for that user is deleted. When a group is removed from the service, theuser access that maps to that group is also removed.

An administrator will typically configure the access to resources on a servicedepending on the need for a particular user group. Users can request or deleteaccess, which allows them to manage their access to the resources they use withoutthe need to understand the underlying technology such as account attributes.

Provisioning featuresIBM Tivoli Identity Manager provides support for provisioning, the process ofproviding, deploying, and tracking a service or component in your enterprise.When implemented as one of a suite of security products, Tivoli Identity Managerplays a key role to ensure that resources are accessible only to authorized persons,safeguarding the accuracy and completeness of information processing methodsand granting authorized users access to information and associated assets.

Overview

Tivoli Identity Manager provides an integrated software solution for managing theprovisioning of services, applications, and controls to employees, business partners,suppliers, and others associated with your organization across platforms,organizations, and geographies. You can use its provisioning features to control thesetup and maintenance of user access to system and account creation on amanaged resource. The two main types of information are person data and accountdata. Person data represents the people whose accounts are being managed. Accountdata represents the credentials of the persons and the managed resources to whichthe persons have been granted access.

At its highest level, an identity management solution automates and centralizes theprocess of provisioning resources, such as operating systems and applications, topeople in, or affiliated with, an organization. Organizational structure can bealtered to accommodate the provisioning policies and procedures. However, theorganization tree used for provisioning resources does not necessarily reflect themanagerial structure of an organization.

Administrators at all levels can use standardized procedures for managing usercredentials. Some levels of administration can be reduced or eliminated, dependingon the breadth of the provisioning management solution. Furthermore, you cansecurely distribute administration capabilities, manually or automatically, amongvarious organizations. For example, a domain administrator can serve only thepeople and resources in that domain. This user can perform administrative andprovisioning tasks, but is not authorized to perform configuration tasks, such ascreating workflows.

Tivoli Identity Manager supports distributed administration capabilities, whichinclude the secure distribution of provisioning tasks, whether manual or automatic,among various organizations. When you distribute administrative tasks in your

60 Product overview

organization, you improve the accuracy and effectiveness of administration andimprove the balance of the organization’s work load.

Tivoli Identity Manager addresses provisioning of enterprise services andcomponents in the following areas:v Account access managementv Workflow and life cycle automationv Provisioning policiesv Role-based access controlv Separation of duty capabilitiesv Self-regulating user administrationv Customization

Account access management and the provisioning system

With an effective account access management solution, your organization can trackprecisely who has access to what information across the organization. Accesscontrol is a critical function of a centralized, single-point provisioning system.Besides protecting sensitive information, access controls expose existing accountsthat have unapproved authorizations or are no longer necessary. Orphan accountsare active accounts that cannot be associated with valid users. For orphan accountson a managed resource, the account owner cannot be automatically determined bythe provisioning system. To control orphan accounts, the provisioning system linkstogether account information with authoritative information about the users whoown the accounts. Authoritative user identity information is typically maintainedin the databases and directories of human resources.

Improperly configured accounts are active accounts that are associated with validusers but have been granted improper authorization because the organizationpermitted local administrators to add or modify users outside of Tivoli IdentityManager. The ability to control improper accounts is much more difficult, andrequires a comparison of “what should be” with “what is” at the account authoritylevel. The existence of an account does not necessarily expose its capabilities.Accounts in sophisticated IT systems include hundreds of parameters defining theauthorities, and these details can be controlled by your provisioning system.

New users can be readily identified using the data feed that you establish from thehuman resources directory, and the access request approval capability initiates theprocesses that approve (or reject) resource provisioning for them.

Workflow and life cycle automation

When a user becomes affiliated or employed with an organization, the life cycle ofthe user begins. Your business policies and processes, whether manual orsemi-automated, provision the user with access to certain resources based on roleand responsibilities. Over time, when user’s role and functions change, yourbusiness policies and processes can provision the resources that should be availableto the user. Eventually, the user becomes unaffiliated with the organization,associated accounts are suspended and later deleted, and the user’s life cycle in theorganization is finished. You can use workflows to customize how accounts areprovisioned and to customize the life cycle management of users and accounts,such as adding, removing, and modifying users and accounts. A complete

Product overview 61

provisioning workflow system automatically routes requests to the properapprovers and preemptively escalates to alternate approvers if actions are nottaken on the requests.

You can define two types of workflows in Tivoli Identity Manager: entitlementworkflows that apply to provisioning activities, and operational workflows thatapply to entity types. An entitlement workflow defines the business logic that is tiedspecifically to the provisioning actions of provisioning policies. A provisioningpolicy entitlement ties provisioning actions to entitlement workflows. For example,an entitlement workflow is used to define approvals for managing accounts. Anoperational workflow defines the business logic for the life cycle processes for entitytypes and entities. You can use workflow programming tools to automate keyaspects of the provisioning life cycle, specifically the approval processes that yourorganization uses. A workflow object in the organization tree can contain one ormore participants and escalation participants. A participant is a signature authoritythat approves or rejects a provisioning request.

Provisioning policies and auditing

An organizational role entity is assigned to one or more identities when youimplement role-based access control for the resources that are managed by TivoliIdentity Manager. An organizational role is controlled by a provisioning policy,which represents a set of organizational rules and supplies the logic that the TivoliIdentity Manager Server uses to manage resources such as applications oroperating systems.

If a role is a member of another organizational role in a provisioning policy, thenthat role member also inherits the permissions of provisioning policy.

A provisioning policy maps people in organizational roles to services that representcorresponding resources in Tivoli Identity Manager, and sets the entitlements thatpeople have when accessing the services. The provisioning policies you implementmust reflect your organizational identity management policies in your securityplan. To implement effective provisioning policies, you must analyze anddocument existing business approval processes in your organization, anddetermine what adjustments should be made to those processes to implement anautomated identity management solution. A provisioning policy provides a keypart of the framework for the automation of identity life cycle management.

Tivoli Identity Manager provides APIs that interface to information aboutprovisioning policies defined in Tivoli Identity Manager, and interface to the accessgranted to an individual task. These APIs can be used effectively to generate auditdata. When a provisioning policy is defined, the reconciliation function enables theenforcement of the policy rules and keeps the participating systems (both the TivoliIdentity Manager Server and the repositories of the managed resources) frompotentially becoming a single point of failure.

When two or more provisioning policies are applied, a join directive defines how tohandle attributes. Two or more policies might have overlapping scope, and the joindirective specifies what actions to take when this overlap occurs.

Provisioning policies can be mapped to a distinct portion or level of theorganizational hierarchy. For example, policies can be defined at a specificorganization unit affecting organization roles for that unit only. Service selectionpolicies extend the function of a provisioning policy by enabling the provisioningof accounts based on person attributes. A service selection policy is enforced when

62 Product overview

it is defined as a target of a provisioning policy. Using a JavaScript script todetermine which service to use, the service selection policy defines provisioningbased on the instructions in the script. The logic in the JavaScript typically usesperson object attributes to determine which service to use, which is often theperson’s location in the organization tree.

Role-based access control

Role-based access control (RBAC) uses roles and provisioning policies to evaluate,test, and enforce your business processes and rules for granting access to users.Key administrators create provisioning policies and assign users to roles and thatdefine sets of entitlements to resources for these roles. RBAC tasks establishrole-based access control to resources, which extends the identity managementsolution to use software-based processes and reduce user manual interaction in theprovisioning process.

Role-based access control evaluates changes to user information to determine if thechanges alter the role membership for the user. If a change is needed, policies arereviewed and changes to entitlements are put in place immediately. Similarly, achange in the definition of the set of resources in a policy can also trigger a changeto associated entitlements. Role-based access control includes the followingfeatures:v Mandatory and optional entitlements, where optional entitlements are not

automatically provisioned but can be requested by a user in a groupv Prerequisite services, where specific services must be granted before certain

access rights are setv Entitlement defaults and constraints, where each characteristic of an entitlement

can be set to a default value, or its range can be constrained, depending on thecapabilities of the entitlement to be granted

v A single account with multiple authorities governed by different policiesv Private, filtered views of information about users and available resourcesv User authentication approaches that are consistent with internal security policiesv Distribution of provisioning system components securely over WAN and

Internet environments, including the crossing of firewallsv User IDs that use consistent, user-defined algorithms

Self-regulating user administration

When your organization starts to provision resources across all internalorganizations, you have implemented the self-regulating user administrationcapability and can realize the advantages and benefits of provisioning users acrossorganizational boundaries. In this environment, a change in a user’s status isautomatically reflected in access rights across organization boundaries andgeographies. You can reduce provisioning costs, streamline the access and approvalprocesses, and realize the full potential of implementing role-based access controlfor end-to-end access management in your organization. You can reduceadministrative costs through automated procedures for governing userprovisioning, improve security by automating security policy enforcement, andstreamline and centralize user life cycle management and resource provisioning forlarge user populations.

Product overview 63

Incremental provisioning and other customization options

Your team can use business plans and requirements to decide how much tocustomize Tivoli Identity Manager. For example, a large enterprise might require aphased roll-out plan for workflows and custom adapters that is based on a timeline for incrementally provisioning applications that are widely used acrossgeographies. Another customization plan might provide for two or moreapplications to be provisioned across an entire organization, after successfultesting. User-application interaction can be customized, and procedures forprovisioning resources might be changed to accommodate automated provisioning.

You can deprovision to remove a service or component. For example, deprovisioningan account means that the account is deleted from a resource.

Resource provisioningDepending on business needs, IBM Tivoli Identity Manager provides thealternatives to provision resources to authorized users on request-based, role-based,or a hybrid models.

Request-based access to resourcesOn a request basis, IBM Tivoli Identity Manager provides a process to grant,modify, and remove access to resources throughout a business, and to establish aneffective audit trail using automated reports.

In request-based provisioning, users and their managers search for and requestaccess to specific applications, privilege levels, or resources with a system. Therequests are validated by workflow-driven approvals and audited for reportingand compliance purposes.

For example, users, or their managers, can request access to new accounts.Additionally, managers or other administrators are alerted to unused accounts andgiven the option to delete the accounts through a recertification process. Theseperiodic reviews of user access rights ensure that previously-approved access isremoved, if it is no longer needed.

Roles and access controlAn organizational role supports different access control and access provisioningmodels in a customer deployment.

An organizational role can map to IBM Tivoli Identity Manager access entitlementsin a provisioning policy so that specific Tivoli Identity Manager groups can beauthorized or automatically provisioned for users that are members of the role.

If a role is a member of another organizational role in a provisioning policy, thenthat role member also inherits the permissions of provisioning policy.

Tivoli Identity Manager groups can be used to define views and access control fordifferent types of entities that are managed in Tivoli Identity Manager.

A hybrid provisioning modelThe hybrid model of provisioning resources combines request and role-basedapproaches, which are both supported by IBM Tivoli Identity Manager.

For a subset of employees or managed systems, a business might want to automateaccess with role-based assignment, and also handle all other access requests orexceptions through a request-based model. Some businesses might start with

64 Product overview

manual assignment, and evolve toward a hybrid model, with an intention of afully role-based deployment at a future time.

Other companies might find it impractical for business reasons to achieve completerole-based provisioning, and target a hybrid approach as a desired goal. Still othercompanies might be satisfied with only request-based provisioning, and not wishto invest additional effort to define and manage role-based, automatedprovisioning policies.

About this informationThis information center describes how to install, configure, and administer IBMIBM Tivoli Identity Manager.

Intended audienceThis information center is designed for the system and security administrators inan organization that uses IBM Tivoli Identity Manager.

Readers are expected to understand system and security administration concepts.Additionally, the readers must understand administration concepts for thefollowing types of products:v Database serverv Directory serverv Application serverv Messaging supportv Web server

PublicationsRead the descriptions of the product library and the related publications todetermine which publications you might find helpful. After you determine thepublications you need, refer to the instructions for accessing publications online.

IBM Tivoli Identity Manager libraryYou can obtain the product documentation from the Tivoli Identity Managerinformation center.

The information center is available at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm.

Administration information is presented in HTML. The following information isprovided in PDF files:v IBM Tivoli Identity Manager Quick Start Guide

v IBM Tivoli Identity Manager Installation and Configuration Guide

v IBM Tivoli Identity Manager Message Reference

v IBM Tivoli Identity Manager Database and Schema Reference

v IBM Tivoli Identity Manager Performance Tuning Guide

v Adapter Installation and Configuration Guides for adapters that are supportedfor use with this version of Tivoli Identity Manager

Related publicationsYou can obtain related publications from these IBM Web sites.

Product overview 65

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

v The Tivoli Software Library provides a variety of Tivoli publications such aswhite papers, datasheets, demonstrations, IBM Redbooks, and announcementletters. The Tivoli Software Library is available on the Web at:http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

v The Tivoli Software Glossary includes definitions for many of the technical termsrelated to Tivoli software. The Tivoli Software Glossary is available athttp://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications onlineThe publications for this product are available online in Portable Document Format(PDF) or Hypertext Markup Language (HTML) format, or both in the Tivolisoftware library.

The Tivoli software library is located at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html.

To locate product publications in the library, click the first letter of the productname or scroll until you find the product name. Then, click the product name.Product publications can include release notes, installation guides, user’s guides,administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page checkbox in the Adobe® Acrobat Print window (which is available when you click File →Print).

Ordering publicationsYou can order many Tivoli publications online or by telephone.

You can order publications from http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:v In the United States: 800-879-2755v In Canada: 800-426-4968

In other countries, see the Web site http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

Tivoli technical trainingFor Tivoli software training information, refer to the IBM Tivoli Education Website.

The Web site address is http://www.ibm.com/software/tivoli/education/.

Support informationIf you have a problem with your IBM software, you want to resolve it quickly. IBMprovides several ways for you to obtain the support you need.

About this task

OnlineGo to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

66 Product overview

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm



http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi




http://www.ibm.com/software/tivoli/education/

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/probsub.html

IBM Support AssistantThe IBM Support Assistant (ISA) is a free local software serviceabilityworkbench that helps you resolve questions and problems with IBMsoftware products. The ISA provides quick access to support-relatedinformation and serviceability tools for problem determination. To installthe ISA software, go to http://www.ibm.com/software/support/isa, log inand follow the instructions for downloading the IBM Support Assistantthat is appropriate for your operating system. After you have downloadedand installed the IBM Support Assistant, locate the plug-in that is specificto IBM Tivoli Identity Manager 5.0.

Conventions used in this informationThis information uses several conventions for special terms and actions and foroperating system-dependent commands and paths.

Typeface conventionsThis information uses these typeface conventions.

Bold

v Lowercase commands and mixed case commands that are otherwisedifficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spinbuttons, fields, folders, icons, list boxes, items inside list boxes,multicolumn lists, containers, menu choices, menu names, tabs, propertysheets), labels (such as Tip, and Operating system considerations:)

v Keywords and parameters in text

italic

v Words defined in textv Emphasis of words (words as words)v New terms in text (except in a definition list)v Variables and values you must provide

Monospace

v Examples and code examplesv File names, programming keywords, and other elements that are difficult

to distinguish from surrounding textv Message text and prompts addressed to the userv Text that the user must typev Values for arguments or command options

Definitions for HOME and other directory variablesThe following table contains default definitions that are used in this information torepresent the HOME directory level for various product installation paths.

You can customize the HOME directory for your specific implementation. If this isthe case, you need to make the appropriate substitution for the definition of eachvariable represented in this table.

The default value of path varies for these operating systems:v For Windows systems, drive:\Program Files is the default path.v For Linux, Solaris, and HP-UX (UNIX) systems, /opt is the default path.v For AIX systems, /usr is the default path.

Product overview 67

http://www.ibm.com/software/support/isa

Table 13. HOME and other directory variables

Path variable Default definition Description

DB_HOMEWindows

path\IBM\SQLLIB

Linux, AIX, HP-UX, andSolaris path/ibm/db2/V9.1

The directory thatcontains the DB2database for IBMTivoli IdentityManager.

DB_INSTANCE_HOMEWindows

drive\IBM\SQLLIB

Linux, AIX, and HP-UX/home/dbinstancename

Solaris /export/home/dbinstancename

The directory thatcontains the DB2database instancefor IBM TivoliIdentity Manager.

ITIM_HOMEWindows

path\IBM\itim

Linux, AIX, HP-UX, andSolaris path/IBM/itim

The base directorythat contains theIBM Tivoli IdentityManager code,configuration, anddocumentation.

ITIM_UNINSTALL_HOMEWindows

path\IBM\itim\itimUninstallerData

Linux, AIX, HP-UX, andSolaris path/IBM/itim/

itimUninstallerData

The directory thatcontains the IBMTivoli IdentityManageruninstallationprograminformation.

WAS_HOMEWindows

path\IBM\WebSphere\AppServer

Linux, AIX, HP-UX, andSolaris path/IBM/WebSphere/

AppServer

The WebSphereApplication Serverhome directory

ITDS_HOMEWindows

path\IBM\LDAP\V6.x

Linux, AIX, HP-UX, andSolaris path/ibm/ldap/V6.x

The directory thatcontains thedirectory servercode.

The versionnumber in thepath is 6.0 or 6.1depending on theversion of the IBMTivoli DirectoryServer you areusing.

68 Product overview

Table 13. HOME and other directory variables (continued)

Path variable Default definition Description

ITDS_INSTANCE_HOMEWindows

drive\ibmslapd-instance_owner_name

Linux, AIX, and HP-UX/home/instance_owner_name/idsslapd-instance_owner_name

Solaris /export/home/instance_owner_name/idsslapd-instance_owner_name

An example ofinstance_owner_name is ldapdb2,which is used by the IBM TivoliIdentity Manager installationprogram.

The directory thatcontains the TivoliDirectory Serverinstance.

ITDI_HOMEWindows

path\TDI\V6.1.1

Linux, AIX, HP-UX, andSolaris path/IBM/TDI/V6.1.1

The directory thatcontains the TivoliDirectoryIntegrator Servercode.

TIVOLI_COMMON_DIRECTORYWindows

path\IBM\tivoli\common

Linux, AIX, HP-UX, andSolaris path/IBM/tivoli/

common

The centrallocation for allserviceability-related files, suchas logs andfirst-failure capturedata.

Note: If youinstalled anotherTivoli product onthis system beforeyou installed IBMTivoli IdentityManager, yourTivoli Commondirectory will be inthe followingdirectory:

Windows:

path\ibm\tivoli\common\cfg\log.properties

Other systems:/etc/ibm/tivoli/common/cfg/log.properties

Product overview 69

NoticesThis information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user’s responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not grant youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia CorporationLicensing 2-31 Roppongi 3-chome, Minato-kuTokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently created

70 Product overview

programs and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758USA

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this information and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement, or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurements may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

TrademarksThe following terms are trademarks of International Business MachinesCorporation in the United States, other countries, or both:

AIXDB2developerWorksDominoIBMLotusLotus NotesPassport AdvantageRACFRedbooksSP

Product overview 71

System pSystem zTivoliWebSphere

Adobe, Acrobat, and Portable Document Format (PDF) are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

Intel is a trademark of Intel Corporation in the United States, other countries, orboth.

Java and all Java-based trademarks are trademarks of SunMicrosystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Other company, product, or service names may be trademarks or service marks ofothers.

AccessibilityAccessibility features help a user who has a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You also canuse the keyboard instead of the mouse to operate all features of the graphical userinterface.

IBM strives to provide products with usable access for everyone, regardless of ageor ability. This product uses standard Microsoft Windows navigation keys.

For additional information, see the Accessibility features for IBM Tivoli IdentityManager topic in the information center.

72 Product overview

Index

Aaccess 44access control 52accessibility 72accounts 44

active, inactive 44created on account types 44

adapters 47, 48adoption policies 54API 12, 13approval workflow process 3audit trail tracking 3authorization 52

Ccompliance

separation of duty 10compliance, corporate

features 3corporate compliance

features overview 3

Eentitlement workflow 56

Ffeatures 9fix packs 21forgotten password information 45forms 52

Ggroup management 11groups 50

Iidentity 43identity governance 8identity policies 54installation images 21

Llogin

initial user ID and password 1

login (continued)URL 1

Nnew 9

Ooperation workflow 56organization

overview 53entity types 53

overvieworganization 53

entity types 53self-access management 60

Ppassword

forgotten 45password policies 54password policy and compliance 3password synchronization 45passwords

strength rules 44, 45synchronization 45

people 43planning

groups 50policies

adoption 54identity 54password 54provisioning 54recertification 54separation of duty 10, 54service selection 54

policy enforcement 3provisioning

overview 60provisioning policies 54provisioning policy 3

Rrecertification 11recertification policies 54recertification policy 3reports 12

requirementsbrowser 19database server 16directory integrator 18directory server 17hardware 14, 15Java Runtime Environment 15JRE 15report server 19software 14, 15supported adapter levels 20Tivoli Reporting Server 19web application server 16

rolesclassification 9hierarchies 9owners 9relationships 9

Sseparation of duty 10separation of duty policies 54service definition file 46service selection policies 54service types 46services 46, 47

TTivoli Common Reporting 12Tivoli Reporting Server

requirements 19

Uuser recertification 11users 43

Vviews

default 52

Wworkflow extensions 13workflows

entitlement 56operation 56

73

SIM Overview

Documents

Transcript of SIM Overview